Add zizmor

[martincostello]

Scan GitHub Actions workflows with zizmor and fix/suppress findings.

[Copilot]

Pull Request Overview

This PR integrates zizmor, a GitHub Actions workflow security scanner, to improve the security posture of the repository's CI/CD workflows. The changes address security findings by adjusting permissions and credentials settings while adding zizmor as a new linting tool.

• Added zizmor workflow linting with pedantic security checks
• Configured appropriate persist-credentials settings based on workflow requirements
• Adjusted permissions to follow principle of least privilege where possible

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
.github/workflows/lint.yml	Added zizmor as a new linting step and refined job permissions
.github/workflows/release.yml	Explicitly enabled credential persistence with security comment
.github/workflows/bump-version.yml	Explicitly enabled credential persistence with security comment
.github/workflows/ossf-scorecard.yml	Added security comment explaining broad permissions requirement
.github/workflows/dependency-review.yml	Disabled credential persistence for security
.github/workflows/codeql.yml	Disabled credential persistence for security
.github/workflows/build.yml	Disabled credential persistence for security

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The zizmor rule name 'artipacked' appears to be misspelled. Based on the context of persisting credentials for pushing commits, this should likely be 'artipacked' corrected to 'artipacked' or the correct rule name.

Suggested change

	persist-credentials: true # zizmor: ignore[artipacked] Needed to push commits
	persist-credentials: true # zizmor: ignore[persist-credentials] Needed to push commits

[Copilot]

The zizmor rule name 'artipacked' appears to be misspelled. This should be verified against the correct zizmor rule name for credential persistence warnings.

Suggested change

	persist-credentials: true # zizmor: ignore[artipacked] Needed to push commits
	persist-credentials: true # zizmor: ignore[persist-credentials] Needed to push commits

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.59%. Comparing base (dd39e00) to head (d4034c9).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #994   +/-   ##
=======================================
  Coverage   98.59%   98.59%           
=======================================
  Files          16       16           
  Lines         284      284           
  Branches       37       37           
=======================================
  Hits          280      280           
  Misses          2        2           
  Partials        2        2           

Flag	Coverage Δ
linux	98.59% <ø> (?)
macos	97.88% <ø> (ø)
windows	98.59% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.