
Use zizmor to lint workflows #954

@jku

Description

It would be good if our GitHub workflows were statically analyzed with zizmor: https://github.com/woodruffw/zizmor

A similar change was recently done in python-tuf: theupdateframework/python-tuf#2798
It's likely that the same approach will work:

  • add zizmor (with the current version) to requirements-lint.txt
  • add a `zizmor --persona=pedantic -q` call in the lint section of tox.ini
  • fix the issues reported by zizmor when `tox -e lint` runs:
    • it looks like zizmor reports 18 findings currently: most are easy to fix
    • please paste the specific error in a comment here if it's not obvious how to deal with it
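The three steps above, as an added configuration example that is not part of the original issue or of the project's own files. It assumes the repository's workflows live under .github/workflows and that the existing tox lint environment is already named `lint`; the version pin is a placeholder for whatever the current zizmor release is at the time of the change.

```ini
# --- requirements-lint.txt (added example, not the project's file) ---
# Placeholder pin: replace X.Y.Z with the current zizmor release, as the issue asks,
# so the lint job does not silently pick up a newer zizmor with new audit rules.
zizmor==X.Y.Z

# --- tox.ini (added example; assumes the lint env is already called "lint") ---
[testenv:lint]
deps = -r requirements-lint.txt
commands =
    # Existing lint commands stay as they are; zizmor is appended so that
    # `tox -e lint` fails whenever any workflow file has a finding.
    # --persona=pedantic turns on the strictest audit set, -q suppresses the
    # progress output so only findings are printed in CI logs.
    # The path is an assumption: zizmor is pointed at the workflow directory.
    zizmor --persona=pedantic -q .github/workflows
```

Once this is in place, `tox -e lint` exits non-zero on the first run if zizmor still reports findings, which is the intended way to surface the current set of issues so each one can be fixed (or discussed in this issue) before the check is enforced.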

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
