
🔒️ Add zizmor and fix audit findings #146

Merged
savannahostrowski merged 9 commits into fastapi:main from YuriiMotov:setup-zizmor
Apr 20, 2026

Conversation

@YuriiMotov (Member):

Changes applied:

  • Set up daily interval and 7 days cooldown period for Dependabot
  • Ignored dangerous-triggers rule for pull_request_target (checked that they are used in a safe way)
  • Specified minimal permissions on workflow level, moved permissions to the job level
  • Ignored secrets-outside-env rule as using the environments would require approval for each run (and without required approvals it wouldn't make sense)
  • Added persist-credentials: false for actions/checkout when persisting is not needed by other steps
  • Specified run condition in latest-changes to make it clear that it only runs for merged PRs
  • Specified the version of bun to install for oven-sh/setup-bun (otherwise it installs latest, which is not safe)
  • Updated publish.yml to use specific locked versions of tools instead of latest versions
  • Replaced docker://agilepathway/pull-request-label-checker:latest action with the action from GH marketplace to be able to pin it by SHA
  • Use bun install with --frozen-lockfile option to ensure it fails if package.json disagrees with bun.lock
  • Added zizmor workflow
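The list above describes audit findings of the kind zizmor reports and how each was fixed. As an added illustration (not part of the PR, not zizmor's code, and not reproducing zizmor's rule set), the script below runs a small line-based check for five of those items over two constructed workflows: a weak one in the shape the list describes fixing, and a hardened one. The checkout commit SHA in the hardened sample is an all-zeros placeholder; the setup-bun SHA and bun version are the ones quoted in the review thread on this page. A line-based scan is an approximation of YAML parsing and is meant to make the findings concrete, not to replace the real tool.

```python
"""Line-based audit for the GitHub Actions hardening items listed in the PR
description. Added example for this page; it is not zizmor's code and does not
reproduce zizmor's rules. It checks five things on constructed sample workflows:

  1. a workflow-level `permissions:` block exists
  2. every `uses:` reference is pinned to a 40-hex commit SHA
  3. no `docker://...:latest` action references
  4. actions/checkout sets `persist-credentials: false`
  5. `bun install` passes `--frozen-lockfile`
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _nested_block(lines: list[str], start: int) -> list[str]:
    """Return stripped lines nested under lines[start] (deeper indentation)."""
    base = _indent(lines[start])
    block = []
    for line in lines[start + 1:]:
        if line.strip() and _indent(line) <= base:
            break
        block.append(line.strip())
    return block


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file; empty means clean."""
    lines = text.splitlines()
    findings = []
    # 1. top-level permissions block (column 0); job-level blocks are indented
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("no workflow-level permissions block; GITHUB_TOKEN gets the repository default")
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)  # trailing "# vX.Y.Z" comments are not captured
            if ref.startswith("docker://"):
                # 3. docker references cannot be SHA-pinned here; flag mutable tags
                if ref.endswith(":latest"):
                    findings.append(f"docker action uses a mutable tag: {ref}")
            elif "@" in ref:
                action, version = ref.split("@", 1)
                # 2. tags and branches are mutable; only a full commit SHA is a pin
                if not SHA_RE.match(version):
                    findings.append(f"action not pinned to a commit SHA: {ref}")
                # 4. checkout keeps the token in .git/config unless told not to
                if action == "actions/checkout" and "persist-credentials: false" not in _nested_block(lines, i):
                    findings.append(f"{ref} persists credentials (set persist-credentials: false)")
        # 5. without --frozen-lockfile, bun rewrites bun.lock instead of failing
        if "bun install" in line and "--frozen-lockfile" not in line:
            findings.append("bun install without --frozen-lockfile; lockfile drift is silently accepted")
    return findings


# Constructed sample: the shape of a workflow before the changes listed in the PR.
WEAK_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
      - run: bun install
      - uses: docker://agilepathway/pull-request-label-checker:latest
"""

# Constructed sample of the hardened shape. The checkout SHA is an all-zeros
# placeholder, not a real pin; the setup-bun SHA and bun version are the ones
# quoted in the review thread on this page.
HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          persist-credentials: false
      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
        with:
          bun-version: 1.3.12
      - run: bun install --frozen-lockfile
"""

if __name__ == "__main__":
    for name, workflow in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        found = audit_workflow(workflow)
        print(f"{name}: {len(found)} finding(s)")
        for finding in found:
            print("  -", finding)
```

Running it reports six findings for the weak sample (missing permissions, two unpinned actions, checkout persisting credentials, an unfrozen lockfile, and a `:latest` docker tag) and none for the hardened one. The pinned setup-bun step still leaves `bun-version` as a mutable tag, which is exactly the residual point discussed in the review thread below; a checker like this cannot close it without a checksum the action itself verifies.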

@github-advanced-security (bot):

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@savannahostrowski (Member) left a comment:

I don't think this should change anything with the publishing flow so LGTM! Thanks Yurii!

Comment thread on .github/workflows/zizmor.yml (outdated):

        persist-credentials: false
    - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
      with:
        bun-version: 1.3.12
@YuriiMotov (Member, Author):

Version tag is still mutable, but it's better than latest.
I didn't find a way to specify hash or checksum.

@savannahostrowski (Member):

I think that's okay. In theory we could download via curl instead of using setup-bun but IMO, that's probably very marginal gain.

@YuriiMotov (Member, Author), Apr 20, 2026:

Ideally, oven-sh/setup-bun should handle this.
For example, astral-sh/setup-uv does check the checksum: astral-sh/setup-uv#851 (comment) (still not ideal as we have to make sure that action knows this version)

@savannahostrowski (Member):

Ah interesting. Maybe we should file an issue on setup-bun to support this?

Comment thread on .github/workflows/zizmor.yml (outdated):

@savannahostrowski (Member):

I'll merge this for now and we can revisit the setup-bun SHA if we decide we want that later.

@savannahostrowski savannahostrowski merged commit 4f1d1c8 into fastapi:main Apr 20, 2026
5 checks passed
3 participants