Add zizmor GitHub Actions security scanner and harden workflows #5

@penso

Description

Summary

Integrate zizmor — a static analysis tool for GitHub Actions workflows — and harden all workflow files against common supply-chain and injection attacks.

Reference PR: left-curve/left-curve#1564

What needs to be done

1. Add a zizmor workflow

Create .github/workflows/zizmor.yml that:

  • Runs zizmor against all .github/workflows/ files on push and PR
  • Uploads SARIF results to the GitHub Security tab
  • Fails CI if any finding is detected
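
The workflow below is an added example of what such a zizmor.yml can look like; it is not the file from the reference PR. It follows the hardening rules listed later in this issue (deny-all top-level permissions, SHA-pinned actions, persist-credentials: false). Every <sha> is a placeholder for the full commit SHA of the named tag, the choice of uv to install zizmor is an assumption, and the if: always() on the upload step is a design choice so that findings still reach the Security tab when zizmor's non-zero exit has already failed the job.

```yaml
# .github/workflows/zizmor.yml (added example, not the reference PR's file)
name: zizmor

on:
  push:
    branches: ["main"]
  pull_request:

# Deny everything at the workflow level; each job requests exactly what it needs.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # read the workflow files being scanned
      security-events: write  # upload SARIF to the GitHub Security tab
      actions: read           # needed by upload-sarif on private repositories
    steps:
      - name: Checkout
        # <sha> is a placeholder: pin to the full commit SHA behind the v4 tag.
        uses: actions/checkout@<sha> # v4
        with:
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@<sha> # v5

      - name: Run zizmor
        # zizmor exits non-zero when it reports findings, which fails this job.
        # SARIF goes to stdout, so it is redirected into a file for the upload step.
        run: uvx zizmor --format sarif .github/workflows/ > results.sarif
        env:
          # Lets zizmor query the GitHub API for online audits (e.g. resolving pinned refs).
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF
        # Runs even after a failing scan so the findings are visible in the Security tab.
        if: always()
        uses: github/codeql-action/upload-sarif@<sha> # v3
        with:
          sarif_file: results.sarif
          category: zizmor
```

Because the scan step fails on any finding, this job doubles as the CI gate asked for above; the SARIF upload is what makes the same findings browsable under the repository's Security tab.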

2. Harden existing workflows (ci.yml and deb-packages.yml)

Apply the following security fixes to both workflow files:

| Category | Change | Why |
|---|---|---|
| Action pinning | Pin all uses: to full SHA hashes (e.g. actions/checkout@<sha> # v4) | Prevents tag-hijacking attacks |
| Credential persistence | Add persist-credentials: false to all actions/checkout steps | Prevents token leakage to subsequent steps |
| Least-privilege permissions | Add top-level permissions: {} with explicit per-job permissions | Limits blast radius if any step is compromised |
| Template injection | Move any ${{ }} expressions out of run: blocks into step-level env: blocks | Prevents shell injection via crafted PR titles/branch names |
| Cache poisoning | If using actions/cache, split into cache/restore (always) + cache/save (push only) | PRs can read but not write poisoned cache entries |
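
As an added example (not the repository's actual ci.yml or deb-packages.yml), the excerpt below applies all five fixes from the table to one job and keeps the vulnerable form of the run: step as a comment beside its hardened form. The job name, the matrix values, the build script and the cache paths are assumptions; each <sha> is a placeholder for the full commit SHA of the named tag. One caveat worth knowing before applying persist-credentials: false everywhere: any later step that needs to push to the repository must then be given a token explicitly, since the checkout no longer leaves one in the git config.

```yaml
# Excerpt of a hardened CI workflow (added example, not the repository's file).
name: CI

on:
  push:
    branches: ["main"]
  pull_request:

# Least privilege: nothing is granted at the workflow level.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # the only permission this job needs
    strategy:
      matrix:
        target: [x86_64-unknown-linux-gnu, aarch64-unknown-linux-gnu]  # assumed values
    steps:
      - name: Checkout
        uses: actions/checkout@<sha> # v4   (<sha> = full commit SHA, placeholder here)
        with:
          persist-credentials: false   # no GITHUB_TOKEN left behind in .git/config

      # BEFORE (template injection): the runner expands ${{ }} into the script
      # text before the shell parses it, so a crafted PR title or matrix value
      # becomes shell syntax instead of data. zizmor reports this pattern.
      #
      # - run: |
      #     echo "Building ${{ matrix.target }} for ${{ github.event.pull_request.title }}"
      #
      # AFTER: the values travel through env. The shell sees plain variables
      # whose contents are never re-parsed as script text.
      - name: Build
        env:
          TARGET: ${{ matrix.target }}
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Building ${TARGET} for ${PR_TITLE}"
          ./scripts/build.sh "${TARGET}"   # hypothetical build script

      # Cache split: any event may restore, only pushes to the repository may save.
      # A pull request can therefore consume cache entries but cannot plant one
      # that a later run on main would trust.
      - name: Restore build cache
        uses: actions/cache/restore@<sha> # v4
        with:
          path: |
            ~/.cargo/registry
            target
          key: build-${{ runner.os }}-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}

      - name: Save build cache
        if: github.event_name == 'push'
        uses: actions/cache/save@<sha> # v4
        with:
          path: |
            ~/.cargo/registry
            target
          key: build-${{ runner.os }}-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
```

Note that ${{ }} inside with: and env: values is fine: those are passed to the action or the process as data, not spliced into a shell script, which is exactly why the env: block is the right home for the expressions moved out of run:.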

3. Add zizmor configuration

Create .github/zizmor.yml to suppress any intentional findings (e.g. if self-hosted runners are used later).
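
An added example of the configuration file's shape (not the repository's actual config): each key under rules is a zizmor audit id, and ignore lists workflow file names, optionally suffixed with :line or :line:column, whose findings for that audit are suppressed. The self-hosted-runner audit is the one that fires if a job later switches to a self-hosted runner; the file name chosen here is an assumption.

```yaml
# .github/zizmor.yml (added example, not the repository's file)
rules:
  # Suppress the self-hosted-runner finding only for the workflow that is
  # intentionally moved to a self-hosted runner; everything else stays enforced.
  self-hosted-runner:
    ignore:
      - deb-packages.yml           # assumption: the deb build moves to a self-hosted runner
      # - deb-packages.yml:42:9    # narrower form: one exact finding location
```

Keep this file empty of entries until a finding is genuinely intentional; every ignore entry widens what the CI gate lets through, so each one should say in a comment why it is safe.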

Affected files

  • .github/workflows/ci.yml — harden and add zizmor gate
  • .github/workflows/deb-packages.yml — harden (has ${{ matrix.* }} in run: blocks that need env-block treatment)
  • .github/workflows/zizmor.yml (new)
  • .github/zizmor.yml (new)

Verification

  • zizmor .github/workflows/ passes locally with no findings
  • CI zizmor job appears and passes
  • SARIF results visible in GitHub Security tab
  • All existing CI jobs still pass after hardening
