ci: add Zizmor pre-commit hook #1408

Open
HastD wants to merge 1 commit into topgrade-rs:main from HastD:zizmor

Conversation

@HastD
Contributor

@HastD HastD commented Nov 1, 2025

Zizmor can flag many common security issues using static analysis of CI workflows. See https://docs.zizmor.sh/ for documentation.

@HastD HastD force-pushed the zizmor branch 2 times, most recently from 46d7d92 to f0ba330 Compare November 1, 2025 19:20
@github-advanced-security
Contributor

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Comment thread .github/workflows/release-plz.yml
@GideonBear
Member

GideonBear commented Nov 2, 2025

I have zizmor on my list of pre-commit hooks to add:

- repo: https://github.com/zizmorcore/zizmor-pre-commit
  rev: v1.9.0
  hooks:
    - id: zizmor

Is there a big advantage to using it in a workflow?

@GideonBear
Member

In any case (workflow or pre-commit), you're welcome to create a PR with fixes (without adding zizmor)

@HastD
Contributor Author

HastD commented Nov 2, 2025

Is there a big advantage to using it in a workflow?

I think the advantage is just that the workflow integrates with GitHub advanced security, so the recommendations show up in PR annotations and in the repo's "security" tab.

@GideonBear
Member

I've decided on using zizmor via pre-commit, for the following reasons:

  1. Using it as a workflow spins up a whole runner, even when no workflow files are actually edited.
  2. With pre-commit, it is also easily run locally.
  3. I would like to put everything I can into pre-commit, just to keep things clean.

Feel free to edit this PR, and make it as pedantic and annoying as possible please ;)

@HastD HastD changed the title ci: add Zizmor for static analysis of GitHub actions ci: add Zizmor pre-commit hook Nov 6, 2025
Zizmor can flag many common security issues using static analysis of CI
workflows. See https://docs.zizmor.sh/ for documentation.
@HastD
Contributor Author

HastD commented Nov 6, 2025

@GideonBear Okay, I added a Zizmor pre-commit hook with --persona=auditor, the most pedantic mode of operation. Note that this may sometimes have false positives.
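For reference, here is what the two halves of this thread look like when put together: GideonBear's hook snippet above, plus the `--persona=auditor` flag HastD describes. This is an added illustration, not the file from this PR or from the topgrade repository; the `rev` is the one quoted in the thread, and the `--no-progress` flag (which suppresses zizmor's progress bar so CI logs stay readable) is an assumption about how one would run it non-interactively.

```yaml
# .pre-commit-config.yaml (added example; not the project's own file)
repos:
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    # Pin the hook to a tagged release rather than a branch so the audit
    # tool itself cannot silently change underneath the repository.
    rev: v1.9.0
    hooks:
      - id: zizmor
        # --persona=auditor is zizmor's most pedantic audit level; as noted
        # in the PR it may report findings that turn out to be false positives.
        # --no-progress keeps the output free of progress-bar noise when the
        # hook runs in pre-commit.ci or another non-interactive environment.
        args: ["--persona=auditor", "--no-progress"]
```

After `pre-commit install`, the hook runs on every commit that touches a workflow file; `pre-commit run zizmor --all-files` audits every file under `.github/workflows/` at once, which is the useful first run on an existing repository. `pre-commit autoupdate` bumps `rev` to the latest tag when a newer zizmor release is wanted.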

barkleesanders added a commit to barkleesanders/topgrade that referenced this pull request Mar 8, 2026
…opgrade-rs#1408)

Add the zizmor pre-commit hook to scan GitHub Actions workflows for
security issues. Configured with --persona=auditor for thorough
analysis and --no-progress for cleaner CI output.

Based-on-PR: topgrade-rs#1408
Original-author: Daniel Hast <daniel@danielhast.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>