Implement zizmor and actionlint for GitHub Actions auditing #3494

@burnash

Description

Background

During the review of #3470, @rmuir pointed out that the dlt repository's GitHub Actions workflows are currently running with excessive privileges. This comes from the default org-level setting, which grants the GITHUB_TOKEN used in workflows full write access. This creates potential security risks.

Solution

Implement two tools for GitHub Actions analysis:

  1. https://github.com/zizmorcore/zizmor
  2. https://github.com/rhysd/actionlint

Tasks

  1. Research current workflow permissions: audit all existing .github/workflows/* files.
  2. Add explicit permissions to all workflows, e.g. permissions: {} at workflow level to deny by default, and add the minimal required permissions at job level where needed.
  3. Create a CI workflow for workflow validation. See the example implementation (from Apache Lucene): https://github.com/apache/lucene/blob/main/.github/workflows/actions.yml
  4. Configure triggers:
    • on PRs that modify .github/** paths
    • on pushes to master/devel branches affecting .github/**
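The following workflow is an added example of what tasks 2 to 4 produce together; it is not code from the dlt repository, the Lucene workflow linked above, or either tool's project. It assumes the file name `.github/workflows/actions-lint.yml`, the action versions `actions/checkout@v4` and `actions/setup-python@v5`, and that zizmor is installed from PyPI and actionlint via the download script in its own repository; the branch names come from task 4. The workflow itself follows the deny-by-default pattern from task 2: `permissions: {}` at workflow level, and a single job-level grant of `contents: read`, which is all that checking out a public repository needs.

```yaml
# .github/workflows/actions-lint.yml  (file name assumed)
name: Lint GitHub Actions workflows

on:
  pull_request:
    paths:
      - ".github/**"
  push:
    branches: [master, devel]
    paths:
      - ".github/**"

# Deny by default: the GITHUB_TOKEN has no scopes unless a job asks for them.
permissions: {}

jobs:
  lint:
    runs-on: ubuntu-latest
    # Job-level grant: the minimum needed to check out the repository.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later steps to read;
          # zizmor reports the default (true) as a finding.
          persist-credentials: false

      - name: Run actionlint
        run: |
          # Official download script from the actionlint repository; installs ./actionlint
          bash <(curl -sSfL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
          ./actionlint -color

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # version assumed

      - name: Run zizmor
        run: |
          python -m pip install zizmor
          # Non-zero exit on findings fails the job, so the audit gates the PR.
          zizmor .github/workflows
```

With `paths` filters on both triggers, the job only runs when something under `.github/` changes, which is exactly the case the linters cover. Because the lint workflow is itself a file under `.github/workflows/`, it is audited on the same PR that introduces it, so a mistake such as dropping the workflow-level `permissions: {}` is caught by the tools it installs.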
