
ci: add workflow auditing and fix the reported issues #4782

Open
Saviq wants to merge 4 commits into main from actions-security-review

Conversation


@Saviq Saviq commented Mar 19, 2026

What's new?

Adds zizmor auditing to pre-commit and deals with the violations.

How to test

CI

Checklist

  • Tests added and pass
  • Adequate documentation added
  • (optional) Added Screenshots or videos

@Saviq Saviq requested a review from a team as a code owner March 19, 2026 08:23
Copilot AI review requested due to automatic review settings March 19, 2026 08:23
@Saviq Saviq changed the title from "Actions security review" to "ci: add workflow auditing and fix the reported issues" Mar 19, 2026

Copilot AI left a comment


Pull request overview

This PR adds zizmor-based auditing to the repo’s tooling and applies GitHub Actions hardening changes (pinned action SHAs, least-privilege permissions, and reduced credential exposure) to address the resulting findings.

Changes:

  • Add zizmor as a pre-commit hook and introduce .github/zizmor.yml to configure rule suppressions.
  • Harden multiple GitHub workflows by setting default permissions: {}, adding minimal job-level permissions, pinning actions to SHAs, and disabling persisted checkout credentials.
  • Refactor some workflow scripting to use environment variables instead of direct ${{ }} interpolation.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.

Summary per file:

  • .pre-commit-config.yaml: Adds zizmor auditing hook (with --fix) to pre-commit.
  • .github/zizmor.yml: Configures zizmor rule suppressions for specific workflows/locations.
  • .github/workflows/tics.yml: Applies least-privilege permissions, pins actions, disables persisted checkout credentials.
  • .github/workflows/tarball.yml: Adds least-privilege permissions, pins actions, refactors version handling and release upload step.
  • .github/workflows/symbols-check.yml: Adds least-privilege permissions, pins actions, disables persisted checkout credentials.
  • .github/workflows/start-release.yml: Pins actions, disables persisted checkout credentials, refactors inputs handling via env vars.
  • .github/workflows/spread.yml: Adds least-privilege permissions, pins actions, disables persisted checkout credentials, refactors matrix task usage via env var.
  • .github/workflows/snap.yml: Adds least-privilege permissions, pins actions, disables persisted checkout credentials.
  • .github/workflows/pre-commit.yaml: Adds least-privilege permissions, pins actions, disables persisted checkout credentials.
  • .github/workflows/ppa-upload.yml: Adds least-privilege permissions, pins actions, disables persisted checkout credentials.
  • .github/workflows/finalize-release.yml: Pins actions, disables persisted checkout credentials, refactors version/name/email propagation via env vars.
  • .github/workflows/close-snap.yml: Adds least-privilege permissions, pins action SHA.
  • .github/workflows/automatic-doc-checks.yml: Adds least-privilege permissions and pins reusable workflow reference to a SHA.

@Saviq Saviq force-pushed the actions-security-review branch from a3850d9 to dfe3956 March 19, 2026 09:06
@Saviq Saviq requested a review from Copilot March 19, 2026 09:24

Copilot AI left a comment


Pull request overview

This PR introduces automated auditing of GitHub Actions workflows via zizmor and updates existing workflows to satisfy the reported findings by tightening default token permissions, pinning actions to immutable SHAs, and reducing unsafe expression interpolation in shell/script steps.

Changes:

  • Add zizmor as a pre-commit hook and introduce a .github/zizmor.yml configuration for rule ignores.
  • Harden multiple GitHub Actions workflows by adding explicit permissions, pinning actions to commit SHAs, and disabling persisted checkout credentials.
  • Refactor several workflow steps to pass values via env instead of direct ${{ ... }} interpolation in scripts.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 7 comments.

Summary per file:

  • .pre-commit-config.yaml: Adds zizmor auditing to pre-commit.
  • .github/zizmor.yml: Configures zizmor rule ignores for specific workflows/lines.
  • .github/workflows/tics.yml: Pins actions, adds least-privilege permissions, disables persisted credentials.
  • .github/workflows/tarball.yml: Pins actions, adds permissions, refactors version handling and release upload logic.
  • .github/workflows/symbols-check.yml: Pins actions, adds least-privilege permissions, disables persisted credentials.
  • .github/workflows/start-release.yml: Pins actions, adds job permissions, refactors inputs usage, disables persisted credentials.
  • .github/workflows/spread.yml: Pins actions, adds least-privilege permissions, refactors matrix usage, disables persisted credentials.
  • .github/workflows/snap.yml: Pins actions, adds least-privilege permissions, disables persisted credentials.
  • .github/workflows/pre-commit.yaml: Pins actions, adds permissions, disables persisted credentials.
  • .github/workflows/ppa-upload.yml: Pins actions, adds least-privilege permissions, disables persisted credentials.
  • .github/workflows/finalize-release.yml: Pins actions, refactors awk usage and env passing, disables persisted credentials.
  • .github/workflows/close-snap.yml: Pins the Snapcraft action and adds workflow permissions.
  • .github/workflows/automatic-doc-checks.yml: Pins reusable workflow reference and adds least-privilege permissions.

@Saviq Saviq requested a review from Copilot March 19, 2026 09:51

Copilot AI left a comment


Pull request overview

This PR hardens the repository’s GitHub Actions security posture by adding zizmor auditing to pre-commit and updating workflows to address common audit findings (pinned action SHAs, least-privilege permissions, and reduced credential persistence).

Changes:

  • Add zizmor as a pre-commit hook and introduce .github/zizmor.yml for rule configuration/ignores.
  • Harden multiple GitHub Actions workflows with permissions: {} defaults + per-job permissions and pinned action SHAs.
  • Refactor several workflow steps to avoid direct ${{ ... }} interpolation inside shell/scripts by passing values through environment variables.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.

Summary per file:

  • .pre-commit-config.yaml: Adds zizmor pre-commit auditing (with --fix).
  • .github/zizmor.yml: Configures zizmor rule ignores for specific workflows/locations.
  • .github/workflows/tics.yml: Applies least-privilege permissions, pins actions to SHAs, disables persisted checkout credentials.
  • .github/workflows/tarball.yml: Applies least-privilege permissions, pins actions, and routes dynamic values through env vars.
  • .github/workflows/symbols-check.yml: Applies least-privilege permissions, pins actions, disables persisted checkout credentials.
  • .github/workflows/start-release.yml: Applies least-privilege permissions, pins actions, and routes inputs through env vars.
  • .github/workflows/spread.yml: Applies least-privilege permissions, pins actions, disables persisted checkout credentials, minor env refactor.
  • .github/workflows/snap.yml: Applies least-privilege permissions, pins actions, disables persisted checkout credentials.
  • .github/workflows/pre-commit.yaml: Applies least-privilege permissions and pins actions used for pre-commit execution/autofix.
  • .github/workflows/ppa-upload.yml: Applies least-privilege permissions, pins actions, disables persisted checkout credentials.
  • .github/workflows/finalize-release.yml: Pins actions, routes dynamic values through env vars, and changes push authentication approach.
  • .github/workflows/close-snap.yml: Adds workflow-level permission tightening and pins the Snapcraft action.
  • .github/workflows/automatic-doc-checks.yml: Pins reusable workflow reference and scopes permissions for the called workflow.
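The four hardening patterns the reviews above describe (empty default permissions plus per-job scopes, SHA-pinned actions, persist-credentials disabled on checkout, and input values routed through env instead of ${{ }} interpolation in run scripts) in one job, as an added illustration that is not a workflow from this PR. The workflow name, the input, and the all-zero commit SHA are placeholders; the rule names in the comments are zizmor's audit identifiers for each finding.

```yaml
# Added example, not part of the PR. Placeholder values are marked.
name: example-hardened-job
on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version to build (constructed example input)"
        required: true

# excessive-permissions: no token scopes by default at the workflow level;
# each job then requests only what it actually uses.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # the only scope this job needs

    steps:
      # unpinned-uses: pin to a full commit SHA rather than a mutable tag.
      # The trailing comment records which release the SHA corresponds to,
      # so tooling (and reviewers) can still tell what version this is.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          # artipacked: don't leave GITHUB_TOKEN in .git/config, where a
          # later step or an uploaded artifact could pick it up.
          persist-credentials: false

      # template-injection: the weak form is
      #   run: echo "Building ${{ inputs.version }}"
      # because the expression is expanded into the script text before the
      # shell parses it. Passing the value through env makes it an ordinary
      # variable that the shell quotes like any other.
      - name: Build
        env:
          VERSION: ${{ inputs.version }}
        run: |
          echo "Building $VERSION"
```

Running zizmor against the weak form of the Build step reports the template-injection finding; against this version it reports nothing for that step, which is the check the pre-commit hook in this PR automates.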

@Saviq Saviq force-pushed the actions-security-review branch 4 times, most recently from 8f90f6e to 2e5219e March 25, 2026 09:28
@Saviq Saviq force-pushed the actions-security-review branch from 2e5219e to 4d473a4 March 26, 2026 15:07
@Saviq Saviq mentioned this pull request Mar 26, 2026