[build] Harden CI/CD pipeline (#15387)

* NOTE: the release workflows' new handling of secrets
  may be a breaking change for forks that are using any secrets
  other than GPG_SIGNING_KEY or ARCHIVE_REPO_TOKEN.

  Previously, the release workflow would try to resolve a token
  secret name based on the `target` or `source` input,
  e.g. NIGHTLY_ARCHIVE_REPO_TOKEN or CUSTOM_ARCHIVE_REPO_TOKEN,
  and then fall back to using the ARCHIVE_REPO_TOKEN secret if the
  resolved token secret name was not found in the repository.

  This behavior has been replaced by the release workflow
  always using the ARCHIVE_REPO_TOKEN secret as the token
  for publishing releases to any external archive repository.

* Add zizmor CI job for auditing workflows

* Pin all actions to commit hashes instead of symbolic references

* Explicitly set GITHUB_TOKEN permissions at the job level

* Use actions/checkout with `persist-credentials: false` whenever possible

* Remove/replace template expansions in workflow scripts

* Remove all usage of actions/cache from build/release workflows

* Remove the cache-warmer.yml workflow

* Remove the unused download.yml workflow

* Set concurrency limits for any workflows that are triggered by PRs

* Avoid loading the entire secrets context

* Replace usage of `secrets: inherit` with explicit `secrets:` blocks

* Pin all external docker images to hash that are used by the build workflow

* Explicitly set `shell: bash` for some steps to avoid pwsh or set pipefail

* Ensure any pwsh steps will fail on non-zero exit codes

Authored by: bashonly

.github/workflows/test-workflows.yml

@@ -1,14 +1,18 @@
 name: Test and lint workflows
 on:
   push:
+    branches: [master]
     paths:
+      - .github/*.yml
       - .github/workflows/*
       - bundle/docker/linux/*.sh
       - devscripts/setup_variables.py
       - devscripts/setup_variables_tests.py
       - devscripts/utils.py
   pull_request:
+    branches: [master]
     paths:
+      - .github/*.yml
       - .github/workflows/*
       - bundle/docker/linux/*.sh
       - devscripts/setup_variables.py
@@ -17,6 +21,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: test-workflows-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 env:
   ACTIONLINT_VERSION: "1.7.9"
   ACTIONLINT_SHA256SUM: 233b280d05e100837f4af1433c7b40a5dcb306e3aa68fb4f17f8a7f45a7df7b4
@@ -29,15 +37,16 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # v6.1.0
         with:
           python-version: "3.10"  # Keep this in sync with release.yml's prepare job
       - name: Install requirements
         env:
           ACTIONLINT_TARBALL: ${{ format('actionlint_{0}_linux_amd64.tar.gz', env.ACTIONLINT_VERSION) }}
+        shell: bash
         run: |
           python -m devscripts.install_deps --omit-default --include-extra test
           sudo apt -y install shellcheck
@@ -55,3 +64,20 @@ jobs:
       - name: Test GHA devscripts
         run: |
           pytest -Werror --tb=short --color=yes devscripts/setup_variables_tests.py
+
+  zizmor:
+    name: Run zizmor
+    permissions:
+      contents: read
+      actions: read  # Needed by zizmorcore/zizmor-action if repository is private
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4  # v0.3.0
+        with:
+          advanced-security: false
+          persona: pedantic
+          version: v1.19.0