ci: Run zizmor on GitHub Actions and fix security findings

[vdemeester]

Description

Run zizmor, a static analysis tool for GitHub Actions, on this repository's workflows to identify and fix security issues. Add zizmor as a CI check.

This follows the same work done in tektoncd/pipeline#9667.

What needs to be done

1. Run zizmor --fix=all . to auto-fix findings:

   • Add persist-credentials: false to all actions/checkout steps (artipacked)
   • Fix template injection by replacing ${{ }} in run: blocks with shell env vars (template-injection)

2. Add zizmor CI workflow (.github/workflows/zizmor.yaml) that runs on pushes to main and PRs, uploading SARIF results to GitHub Advanced Security

3. Fix remaining non-auto-fixable findings manually:

   • Scope permissions to job level instead of workflow level (excessive-permissions)
   • Fix template injection in github-script steps using process.env pattern (template-injection)
   • Replace third-party actions with gh CLI where possible (superfluous-actions)

4. File follow-up issues for any remaining findings that require broader changes (e.g., secrets-outside-env, secrets-inherit)

Reference

• zizmor docs: https://docs.zizmor.sh/
• Reference PR: ci: fix GitHub Actions security issues found by zizmor pipeline#9667

/kind cleanup

[anithapriyanatarajan]

/assign @ab-ghosh

[tekton-robot]

@anithapriyanatarajan: GitHub didn't allow me to assign the following users: ab-ghosh.

Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

Details

In response to this:

/assign @ab-ghosh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ab-ghosh]

/assign