SEC: fix insecure GitHub Actions settings and enable automated audits with zizmor + pre-commit#373

Merged
glesur merged 4 commits intoidefix-code:masterfrom
neutrinoceros:sec/gha-scan
Apr 14, 2026
Conversation

@neutrinoceros
Collaborator

Fix a handful of insecure default settings from GitHub Actions.
I'm intentionally targeting the master branch here, though it should also be fixed on develop.

contents:

  • SEC: switch GHA refs to immutable hashes with pinact
  • SEC: disable default gha permissions
  • SEC: avoid leaking credentials
  • SEC: enable security audits with zizmor + pre-commit

I also recommend updating a couple repo settings

  • enable immutable releases (this is on the settings landing page)
  • require actions to be pinned to a full-length commit SHA (this is on the settings/actions page)

Tools used in this PR:

ref: https://astral.sh/blog/open-source-security-at-astral
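The first three items in the list above (pinned refs, no default permissions, no leaked credentials) all land in the workflow file. The following is an added example written for this page, not idefix's actual workflow or any file from the PR: a minimal lint workflow with the weak defaults, followed by the same workflow hardened. The workflow name, the `make lint` step, and the all-zero commit SHA are placeholders; the real SHA is the one `pinact` writes in when it rewrites the `uses:` line.

```yaml
# --- BEFORE (constructed example, not from the PR) -------------------------
name: lint
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # Mutable tag: whoever controls actions/checkout (or steals its
      # credentials) can re-point v4 at different code.
      - uses: actions/checkout@v4
      # Runs with whatever GITHUB_TOKEN permissions the repository defaults
      # to, which may be read/write, and with the token that checkout left
      # behind in .git/config.
      - run: make lint

# --- AFTER (constructed example, not from the PR) --------------------------
name: lint
on: [push, pull_request]

# 1. Revoke the default GITHUB_TOKEN grants for the whole workflow; each job
#    then asks for exactly what it needs.
permissions: {}

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # checkout needs read access and nothing else
    steps:
      # 2. Pin to a full 40-hex commit SHA. The SHA below is a PLACEHOLDER;
      #    replace it with the value pinact resolves for the tag you want.
      #    The trailing comment keeps the human-readable version visible and
      #    is what pinact/Dependabot use to bump the pin later.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          # 3. Do not persist GITHUB_TOKEN in .git/config, where any later
          #    step (including a compromised dependency) could read it.
          persist-credentials: false
      - run: make lint
```

With `permissions: {}` at the top level, a job that forgets to request `contents: read` fails at checkout instead of silently running with write access, which is the failure direction you want. `persist-credentials: false` is the right default for jobs that only build or lint; a job that legitimately needs to push back to the repository requests `contents: write` and keeps the credential explicitly.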

@neutrinoceros
Collaborator Author

for reference, I'm doing this not because of some specific known risk in idefix's repo, but rather as part of a much larger effort to try and reduce the risk of supply chain attacks in every package I'm involved in. Recent incidents tend to show that the costs of discovering and exploiting attack vectors are dropping for attackers, which means:

  • even low profile repos might become targets
  • the potential blast radius of compromising schemes is getting larger by the day

@glesur glesur self-requested a review April 14, 2026 11:31
Contributor

@glesur glesur left a comment


thanks!

@glesur glesur merged commit 9e25551 into idefix-code:master Apr 14, 2026
38 checks passed
@neutrinoceros neutrinoceros deleted the sec/gha-scan branch April 14, 2026 11:51
@neutrinoceros
Collaborator Author

@glesur would you like me to port this to the develop branch ?

@glesur
Contributor

glesur commented Apr 14, 2026

yes, it will be needed, but first there is an issue with the setting "actions to be pinned to a full-length commit SHA", which prevents the linter from running. For some reason, a dependency calls action/cache@v3, which doesn't satisfy this requirement. e.g. https://github.com/idefix-code/idefix/actions/runs/24396705606/attempts/1

@neutrinoceros
Copy link
Copy Markdown
Collaborator Author

That seems to be pre-commit-ci/lite-action.
The long-term fix needs to happen upstream, but in the meantime you can just ignore this audit locally by adding an inline comment # zizmor: ignore[unpinned-uses]
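The fourth item of the PR (zizmor via pre-commit) and the inline ignore suggested in the comment above fit together as follows. This is an added example for this page, not configuration taken from the PR or from idefix: the hook revision and the SHA on the `uses:` line are placeholders, and the lite-action version is assumed for illustration only.

```yaml
# --- .pre-commit-config.yaml (constructed example, not from the PR) --------
repos:
  # zizmor audits every workflow under .github/workflows/ on each commit.
  # The rev is a PLACEHOLDER; pin it to the release you actually want and
  # let pre-commit's autoupdate bump it.
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: v0.0.0   # placeholder
    hooks:
      - id: zizmor

# --- .github/workflows/lint.yml, excerpt (constructed example) ------------
# An inline ignore applies to the YAML node on the same line. Scope it to the
# one rule and the one step that genuinely cannot satisfy it, and say why, so
# the exception is removed once the upstream action is fixed.
steps:
  - uses: pre-commit-ci/lite-action@0000000000000000000000000000000000000000 # v1 (placeholder SHA) zizmor: ignore[unpinned-uses]
    # reason: upstream composite action still references an unpinned
    # transitive action; tracked upstream, remove this ignore when resolved
```

Keep the ignore narrow: `ignore[unpinned-uses]` silences only that audit on that line, while the rest of the workflow, and every other workflow in the repo, is still checked. A repository-wide disable of the rule would reintroduce the blind spot the PR set out to close.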
