Zizmor fixes

[Caritajoe18]

Fix Zizmor security findings in GitHub Actions workflows

deploy.yml changes:

• Pin actions to commit hashes
• Add persist-credentials: false to checkout
• Add explicit permissions blocks with comments:
  • workflow: permissions: {}
  • deploy job: pages: write, id-token: write
• Add job names
• Add concurrency limits (high severity):
  • group: pages, cancel-in-progress: false

test.yml changes:

• Pin actions/checkout@v4
• Add persist-credentials: false
• Add permissions: contents: read
• Add concurrency limits with cancel-in-progress: true

Add Zizmor security audit workflow to prevent Zizmor issues from happening again.

Security impact: Eliminates risks of:

• Compromised action tags executing malicious code
• Leaked GitHub tokens from credential persistence
• Overly broad workflow permissions enabling privilege escalation
• Concurrent workflow runs are causing race conditions or resource exhaustion.
• CI/CD regressions

[rustbot]

r? @jieyouxu

rustbot has assigned @jieyouxu.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

• Fallback group: @Mark-Simulacrum, internal-sites
• @Mark-Simulacrum, internal-sites expanded to Mark-Simulacrum, Urgau, ehuss, jieyouxu
• Random selection from Mark-Simulacrum, Urgau, ehuss, jieyouxu

[jieyouxu]

@rustbot reroll

[marcoieni]

r? me

[marcoieni]

you also downgraded the version here. Please review the PR yourself before asking others to review it 🙏

View changes since the review

[Caritajoe18]

I have updated to the action versions to latest releases.