RATIS-2493. Check actions with zizmor

[adoroszlai]

What changes were proposed in this pull request?

• Validate GitHub Actions workflow with zizmor action
• Fix violations
  • increase dependabot cooldown period
  • pin actions by SHA
  • do not persist credentials
  • avoid template injection (see GitHub doc, also RATIS-2373)
  • restrict permissions
  • use secrets from apache org (see INFRA-27775 for details)
  • explicitly pass specific secrets to reusable workflow instead of inheriting all secrets

https://issues.apache.org/jira/browse/RATIS-2493

How was this patch tested?

• zizmor: https://github.com/adoroszlai/ratis/actions/runs/24119787627
• CI: https://github.com/adoroszlai/ratis/actions/runs/24119787661
• vulnerability check: https://github.com/adoroszlai/ratis/actions/runs/24120945037

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[adoroszlai]

I find this list of "deployments" in the PR a bit noisy, so we should probably suppress the secrets-outside-env check (we do not have control over our secrets, Apache Infra does). It will be configurable starting with the next release of zizmor, 1.24.0 (zizmorcore/zizmor#1750).

[szetszwo]

+1 the change looks good.