chore(ci): Move to zizmor action with stricter config

[npalm]

This pull request primarily improves the security, clarity, and maintainability of the project's GitHub Actions workflows. The most significant changes include replacing the custom zizmor lint workflow with the official zizmor GitHub Action, updating permissions with explicit comments for better documentation, and upgrading action versions for enhanced security and reliability.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/github/codeql-action/analyze	64d10c13136e1c5bce3e5fbde8d4906eeaafc885	Unknown	Unknown
actions/github/codeql-action/init	64d10c13136e1c5bce3e5fbde8d4906eeaafc885	Unknown	Unknown
actions/github/codeql-action/upload-sarif	dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7	Unknown	Unknown
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/zizmorcore/zizmor-action	e673c3917a1aef3c65c972347ed84ccd013ecda4	Unknown	Unknown

Scanned Files

• .github/workflows/actions.yml
• .github/workflows/codeql.yml
• .github/workflows/ossf-scorecard.yml
• .github/workflows/zizmor.yml

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[Copilot]

Pull Request Overview

This PR improves the security, clarity, and maintainability of GitHub Actions workflows by replacing a custom zizmor lint workflow with the official zizmor GitHub Action and enhancing configuration documentation.

• Replaced custom zizmor workflow with official zizmor-action for better maintainability
• Added explicit comments to all permissions declarations for improved documentation
• Updated action versions and enhanced security configurations

Reviewed Changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
.github/zizmor.yml	Updated configuration with stricter security rules and clearer ignore patterns
.github/workflows/zizmor.yml	New workflow using official zizmor-action with pedantic security analysis
.github/workflows/update-docs.yml	Added permission comments and security improvements
.github/workflows/terraform.yml	Fixed quoting and improved TFLint execution with environment variables
.github/workflows/stale.yml	Restructured permissions with explanatory comments
.github/workflows/semantic-check.yml	Added permission documentation comments
.github/workflows/release.yml	Enhanced with permission comments and improved variable handling
.github/workflows/ossf-scorecard.yml	Updated action version and improved permission documentation
.github/workflows/lambda.yml	Simplified matrix strategy and pinned container image with digest
.github/workflows/dependency-review.yml	Added job name and permission documentation
.github/workflows/codeql.yml	Updated CodeQL action versions and improved comments
.github/workflows/actions.yml	Removed custom zizmor workflow in favor of official action

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}