actions: Start linting with zizmor

Both actions and workflows get checked at the same time.

* Add lint workflow: this did not quite fit in the normal test matrix
  since it needs GH_TOKEN (and because the dependencies are tracked
  separately) so I added a separate workflow
* "tox -e lint-actions" works too (and this is included in "tox -m lint")
  although these miss a few checks because github token is not available
* A few workflow issues found by zizmor are fixed as well

Author: jku

.github/workflows/actions-lint.yml

@@ -0,0 +1,37 @@
+name: Lint actions & workflows
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  lint-actions-and-workflows:
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
+
+    - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      with:
+        python-version: '3.13'
+        cache: 'pip'
+        cache-dependency-path: |
+          actions/lint-requirements.txt
+
+    - name: Install zizmor
+      run: python -m pip install -r actions/lint-requirements.txt
+
+    - name: Run zizmor
+      run: zizmor --pedantic .

.github/workflows/ci.yml

@@ -34,6 +34,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:

.github/workflows/release.yml

@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:

.github/workflows/update-pinned-deps.yml

@@ -19,6 +19,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:

actions/lint-requirements.txt

@@ -0,0 +1 @@
+zizmor == 1.3.1

tox.ini

@@ -23,6 +23,13 @@ commands =
     ruff format --check --diff .
     mypy .
 
+[testenv:lint-actions]
+description = Actions Linting
+labels = lint
+deps = -r actions/lint-requirements.txt
+commands =
+    zizmor --pedantic .
+
 [testenv:test-repo]
 description = Repository unit tests
 labels = test