Harden CI/CD pipeline

[bashonly]

This pull request adds a zizmor audit of GHA workflows via zizmor-action.

Many of the changes in this PR are to comply with zizmor's audit rules, including:

• Pin all actions to commit hashes instead of symbolic references

• Explicitly set GITHUB_TOKEN permissions at the job level

  • ...workflows should almost always set permissions: {} at the workflow level to disable all permissions by default, and then set specific job-level permissions as needed.

• Add explanatory comments to permissions: blocks for any permission besides contents: read

• Use actions/checkout with persist-credentials: false whenever possible

  • Unless needed for git operations, actions/checkout should be used with persist-credentials: false. If the persisted credential is needed, it should be made explicit with persist-credentials: true.

• Set a name for all job definitions

• Remove all usage of actions/cache from our release pipeline

  • In general, you should avoid using previously cached CI state within workflows intended to publish build artifacts

  • https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/
  • https://adnanthekhan.com/2024/12/21/cacheract-the-monster-in-your-build-cache/

---

In addition, there are some changes unrelated to the zizmor audit rules:

• Explicitly set shell: bash for several steps, either to avoid pwsh on Windows runners or to ensure that pipefail is set (since it is not set without an explicit shell: bash)

• Set $ErrorActionPreference to "Stop" and $PSNativeCommandUseErrorActionPreference to $true in all pwsh code contexts to ensure the steps will fail on non-zero exit codes

• Rename the ruff-lint and ruff-format jobs to ruff_lint and ruff_format for consistency

[Grub4K]

idc