feat: static analysis job for gha workflows (#17688)

* fix: set persist-credentials explicitly for checkout

https://woodruffw.github.io/zizmor/audits/#artipacked

* fix: minimize permissions scope for workflows

https://woodruffw.github.io/zizmor/audits/#excessive-permissions

* fix: remove potential template injections

https://woodruffw.github.io/zizmor/audits/#template-injection

* fix: only pass needed secrets in workflow_call

https://woodruffw.github.io/zizmor/audits/#secrets-inherit

* fix: push perm for single-arch build jobs

I hadn't realised these push to the registry too :x

* chore: fix formatting

* fix: $

* fix: retag job quoting

* feat: static analysis job for gha workflows

* chore: fix formatting

* fix: clear last zizmor checks

* fix: broken merge

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

.github/workflows/pr-labeler.yml

@@ -1,6 +1,6 @@
 name: 'Pull Request Labeler'
 on:
-  - pull_request_target
+  - pull_request_target # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
 
 permissions: {}