use zizmor to lint GitHub actions (#22294)

# Objective

- Improve security of Bevy CI

## Solution

- Use zizmor to lint actions https://github.com/zizmorcore/zizmor
- Fix a few lints
  - pin actions
  - specify `persist-credentials`
  - set write permissions at job level instead of workflow level
  - set target branch for `pull_request_target` workflows
- Add the linter as CI. With the proposed config, it should report
potential issues in the security center and not block merging. There are
still a few lints that fail and need more rework to fix

Author: mockersf

.github/workflows/action-on-PR-labeled.yml

@@ -7,19 +7,21 @@ on:
   pull_request_target:
     types:
       - labeled
-
-permissions:
-  pull-requests: 'write'
+    branches:
+      - "main"
 
 jobs:
   comment-on-migration-guide-label:
+    permissions:
+      pull-requests: "write"
     runs-on: ubuntu-latest
     if: github.event.label.name == 'M-Migration-Guide'
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 2
+          persist-credentials: false
       - name: Get changes
         id: get_changes
         shell: bash {0}
@@ -30,7 +32,7 @@ jobs:
         env:
           BASE_SHA: ${{ github.event.pull_request.base.sha }}
           HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         if: steps.get_changes.outputs.found_changes == '0'
         with:
           script: |
@@ -43,13 +45,16 @@ jobs:
               Please review the [instructions for writing migration guides](https://github.com/bevyengine/bevy/tree/main/release-content/migration_guides.md), then expand or revise the content in the [migration guides directory](https://github.com/bevyengine/bevy/tree/main/release-content/migration-guides) to reflect your changes.`
             })
   comment-on-release-note-label:
+    permissions:
+      pull-requests: "write"
     runs-on: ubuntu-latest
     if: github.event.label.name == 'M-Release-Note'
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 2
+          persist-credentials: false
       - name: Get changes
         id: get_changes
         shell: bash {0}
@@ -60,7 +65,7 @@ jobs:
         env:
           BASE_SHA: ${{ github.event.pull_request.base.sha }}
           HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         if: steps.get_changes.outputs.found_changes == '0'
         with:
           script: |

.github/workflows/ci-comment-failures.yml

@@ -1,11 +1,7 @@
 name: CI - PR Comments
 
- # This workflow has write permissions on the repo
- # It must not checkout a PR and run untrusted code
-
-# Also requesting write permissions on PR to be able to comment
-permissions:
-  pull-requests: 'write'
+# This workflow has write permissions on the repo
+# It must not checkout a PR and run untrusted code
 
 on:
   workflow_run:
@@ -14,16 +10,17 @@ on:
       - completed
 
 jobs:
-
   missing-examples:
+    permissions:
+      pull-requests: "write"
     runs-on: ubuntu-latest
     if: >
       github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'failure'
     steps:
-      - name: 'Download artifact'
+      - name: "Download artifact"
         id: find-artifact
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           result-encoding: string
           script: |
@@ -63,7 +60,7 @@ jobs:
           fi
       - name: "Comment on PR"
         if: ${{ steps.find-artifact.outputs.result == 'true' && steps.check-last-comment.outputs.result == 'false' }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -87,14 +84,16 @@ jobs:
             }
 
   missing-features:
+    permissions:
+      pull-requests: "write"
     runs-on: ubuntu-latest
     if: >
       github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'failure'
     steps:
-      - name: 'Download artifact'
+      - name: "Download artifact"
         id: find-artifact
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           result-encoding: string
           script: |
@@ -134,7 +133,7 @@ jobs:
           fi
       - name: "Comment on PR"
         if: ${{ steps.find-artifact.outputs.result == 'true' && steps.check-last-comment.outputs.result == 'false' }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -158,14 +157,16 @@ jobs:
             }
 
   msrv:
+    permissions:
+      pull-requests: "write"
     runs-on: ubuntu-latest
     if: >
       github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'failure'
     steps:
-      - name: 'Download artifact'
+      - name: "Download artifact"
         id: find-artifact
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           result-encoding: string
           script: |
@@ -205,7 +206,7 @@ jobs:
           fi
       - name: "Comment on PR"
         if: ${{ steps.find-artifact.outputs.result == 'true' && steps.check-last-comment.outputs.result == 'false' }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |