Security scanning zizmor (infra)

[Hook25]

Description

This creates a new workflow to do sistematic vulnerability scanning of our PRs. This is not a silver bullet, as it will be ran only when new workflows are introduced or old ones are modified but its a good start.

This also adjusts all "problems" found by the tool so that it passes all the times now namely:

• checkout action -> do not persist token, we never pass the token implicitly around and this is an anti feature, disabled
• codecov action -> updated and mitigated a problem (codecov has a branch called v3, so we shouldn't use that reference because we trust an un-restricted branch that way)

Resolved issues

Fixes: CHECKBOX-1706

Documentation

N/A

Tests

Tested tox action to check that the new codecov action works: https://github.com/canonical/checkbox/actions/runs/12431986975

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 48.99%. Comparing base (4305ba1) to head (bb5ee97).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1668   +/-   ##
=======================================
  Coverage   48.99%   48.99%           
=======================================
  Files         372      372           
  Lines       40321    40321           
  Branches     6811     6811           
=======================================
  Hits        19757    19757           
  Misses      19842    19842           
  Partials      722      722           

Flag	Coverage Δ
checkbox-ng	69.39% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.