
[COPP-8605] Deploy zizmor to open source repos#180

Merged
Ezreal Yang (Supremeyh) merged 7 commits into main from COPP-8605
Jan 19, 2026

Conversation

@lachlankidson Lachlan Kidson (lachlankidson), Contributor, commented Jan 13, 2026

COPP-8605

This PR:

  • Adds zizmor for GitHub Actions scanning on this repo's default branch.
  • Bumps @actions versions to latest.

Warning

New permission blocks were derived from the annotations of runs in #179; however, this has not been tested for the release workflow. We suspect the permissions are the same - you may want to merge that PR first and perform a release of a dev version in order to confirm the permissions are set appropriately.


Actions changelogs:

Resolves #179

Copilot AI review requested due to automatic review settings January 13, 2026 14:13
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.


Copilot AI left a comment


Pull request overview

This PR enhances GitHub Actions security by implementing zizmor security scanning and updating all action versions to their latest releases with SHA pinning for improved supply chain security.

Changes:

  • Added zizmor workflow for automated GitHub Actions security analysis on the main branch
  • Updated all @actions/* dependencies to latest versions (checkout v6.0.1, setup-node v6.1.0, cache v5.0.1, create-github-app-token v2.2.1, release-drafter v6.1.0)
  • Added explicit permission blocks and persist-credentials: false to workflows for better security posture

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/zizmor.yml: New workflow file implementing zizmor security scanning for GitHub Actions
  • .github/workflows/release.yml: Updated action versions, added permissions block, and security hardening configurations
  • .github/workflows/pr.yml: Updated action versions, added permissions block, and removed secrets inheritance
  • .github/workflows/main.yml: Updated action versions, added permissions block, and removed secrets inheritance
  • .github/workflows/label-check.yml: Changed trigger from pull_request_target to pull_request, updated action version, and added permissions block
  • .github/workflows/_build.yml: Updated action versions and added persist-credentials configuration
  • .github/dependabot.yml: Added cooldown configuration to manage update frequency

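As an added illustration (not this repository's workflow files, whose contents are not shown on this page), the two YAML documents below contrast a workflow using the patterns the review lists as removed with the hardened form it describes: an explicit least-privilege permissions block, persist-credentials: false on checkout, pull_request instead of pull_request_target, actions pinned to a commit SHA, and a zizmor scan whose SARIF output is uploaded to code scanning. The action versions named in the comments are the ones listed above; the SHAs are placeholders because the pinned commits are not on this page, and the job layout, the zizmor invocation via pipx, and the SARIF upload step are assumptions of this example rather than anything the PR shows.

```yaml
# Added example, not this repository's workflows. Two documents: the first shows
# the weak patterns, the second the hardened equivalent. <sha-of-...> values are
# placeholders for the commit SHA that the named tag resolves to.

# --- Before: broad defaults, mutable tags, token left in the checkout ---
name: ci-before
on:
  pull_request_target:        # runs in the base repo context with its secrets, even for fork PRs
jobs:
  build:
    runs-on: ubuntu-latest
    # no permissions block: GITHUB_TOKEN gets the repository's default scope
    steps:
      - uses: actions/checkout@v4   # mutable tag; persist-credentials defaults to true,
                                    # so the token stays in .git/config for later steps
      - run: npm ci && npm test

---
# --- After: hardened form ---
name: ci-after
on:
  pull_request:               # fork PRs get a read-only token and no repository secrets
permissions: {}               # deny everything by default at workflow level
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # the only scope checkout and a build need
    steps:
      - uses: actions/checkout@<sha-of-v6.0.1>   # placeholder SHA; pin to the commit behind v6.0.1
        with:
          persist-credentials: false   # don't leave GITHUB_TOKEN in .git/config
      - uses: actions/setup-node@<sha-of-v6.1.0> # placeholder SHA for v6.1.0
        with:
          node-version: 22
      - run: npm ci && npm test

  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required to upload SARIF to code scanning
    steps:
      - uses: actions/checkout@<sha-of-v6.0.1>
        with:
          persist-credentials: false
      - name: Run zizmor against the repository's workflows
        # zizmor exits non-zero when it reports findings; continue-on-error
        # keeps the job going so the SARIF is still uploaded and surfaced
        continue-on-error: true
        run: |
          pipx install zizmor
          zizmor --format sarif . > results.sarif
      - uses: github/codeql-action/upload-sarif@<sha-of-tag>   # placeholder SHA
        with:
          sarif_file: results.sarif
```

A useful check after adopting the hardened form is to read each job's annotations on a real run, as the PR author did for #179, and confirm that every scope in the permissions block is actually used; a scope that no step needs can be dropped, and a missing scope shows up as a failed API call rather than a silent success.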

@lachlankidson Lachlan Kidson (lachlankidson) changed the title Actions versions to latest [COPP-8605] Deploy zizmor to open source repos Jan 13, 2026
@Supremeyh Ezreal Yang (Supremeyh) merged commit 1639c2a into main Jan 19, 2026
7 checks passed
@Supremeyh Ezreal Yang (Supremeyh) deleted the COPP-8605 branch January 19, 2026 09:49