SEC: fix insecure GitHub Actions settings and enable automated audits with zizmor + pre-commit#373

Open
neutrinoceros wants to merge 4 commits into idefix-code:master from neutrinoceros:sec/gha-scan

Conversation

@neutrinoceros
Collaborator

Fix a handful of insecure default settings from GitHub Actions.
I'm intentionally targeting the master branch here, though it should also be fixed on develop

contents:

  • SEC: switch GHA refs to immutable hashes with pinact
  • SEC: disable default gha permissions
  • SEC: avoid leaking credentials
  • SEC: enable security audits with zizmor + pre-commit

I also recommend updating a couple of repo settings

  • enable immutable releases (this is on the settings landing page)
  • require actions to be pinned to a full-length commit SHA (this is on the settings/actions page)

Tools used in this PR:

ref: https://astral.sh/blog/open-source-security-at-astral
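
The four fixes listed in the PR description, as an added example that is not code from the PR or from idefix: a dependency-free Python checker that flags the three workflow-level weaknesses (action refs pinned to mutable tags instead of commit SHAs, no top-level `permissions:` block, `actions/checkout` left with its default of persisting the token into `.git/config`) on a constructed insecure workflow, and confirms that a constructed hardened counterpart is clean. It also carries the pre-commit config that wires in zizmor. Assumptions: the sample workflows are made up, the 40-zero SHAs are placeholders for the values pinact would write (its `run` subcommand does the rewrite; this script only detects), and the `rev` in the pre-commit snippet is a placeholder to be replaced with a real release tag.

```python
"""Added example (not the PR's code): audit a GitHub Actions workflow for the
three weaknesses the PR fixes, using constructed sample workflows."""
import re

# Constructed sample: the insecure defaults the PR removes. Not a real idefix workflow.
INSECURE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install . && pytest
"""

# Constructed hardened counterpart. The 40-zero SHAs are placeholders (assumption):
# `pinact run` rewrites each tag to the real commit SHA and keeps the tag as a
# trailing comment so reviewers can still read the intended version.
HARDENED_WORKFLOW = """\
name: CI
on: [push, pull_request]
permissions: {}  # no default GITHUB_TOKEN grants; each job asks for what it needs
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 (placeholder SHA)
        with:
          persist-credentials: false  # do not leave GITHUB_TOKEN in .git/config
      - uses: actions/setup-python@0000000000000000000000000000000000000000  # v5 (placeholder SHA)
        with:
          python-version: "3.12"
      - run: pip install . && pytest
"""

# What "enable security audits with zizmor + pre-commit" looks like as config.
# `rev` is a placeholder (assumption); pin it to a real zizmor-pre-commit release tag.
PRE_COMMIT_CONFIG = """\
repos:
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: vX.Y.Z
    hooks:
      - id: zizmor
"""

USES_RE = re.compile(r"^\s*-\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def _step_lines(lines: list[str], start: int) -> list[str]:
    """Return the step beginning at index `start`: its `- uses:` line plus every
    following line indented deeper than it (the `with:` mapping), stopping at the
    next step or at any key with the same or shallower indentation."""
    base = _indent(lines[start])
    block = [lines[start]]
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        if _indent(line) <= base:
            break
        block.append(line)
    return block


def audit_workflow(text: str) -> list[str]:
    """Return one finding per weakness; an empty list means the workflow passes."""
    lines = text.splitlines()
    findings = []
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("no top-level 'permissions:' block; GITHUB_TOKEN gets the repository default")
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or image refs are not pinned by commit SHA
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"line {idx + 1}: {action} uses mutable ref '{version}', not a 40-hex commit SHA")
        if action == "actions/checkout":
            step = _step_lines(lines, idx)
            if not any(re.match(r"^\s*persist-credentials:\s*false\b", s) for s in step):
                findings.append(f"line {idx + 1}: actions/checkout without 'persist-credentials: false'")
    return findings


if __name__ == "__main__":
    for name, wf in (("insecure", INSECURE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {len(audit_workflow(wf))} finding(s)")
        for f in audit_workflow(wf):
            print("  -", f)
```

Running the script reports four findings for the insecure sample (missing `permissions:`, two mutable refs, and the checkout that keeps the token) and none for the hardened one. The checker is deliberately line-based so it needs no YAML library; zizmor does the same job properly and with many more checks, which is why the PR wires it into pre-commit rather than hand-rolling this.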

@neutrinoceros
Collaborator Author

for reference, I'm doing this not because of some specific known risk in idefix's repo, but rather as part of a much larger effort to try and reduce the risk of supply chain attacks in every package I'm involved in. Recent incidents tend to show that the costs of discovering and exploiting attack vectors are dropping for attackers, which means:

  • even low profile repos might become targets
  • the potential blast radius of compromising schemes is getting larger by the day
