ci: fix GitHub Actions security issues found by zizmor

[vdemeester]

Changes

Fix security findings reported by zizmor v1.23.1,
a static analysis tool for GitHub Actions, and add zizmor as a CI check.

Commit 1: Auto-fix findings

• Add persist-credentials: false to all actions/checkout steps (14 instances) to prevent
  credential persistence (artipacked)
• Fix template injection by replacing ${{ }} in run: blocks with shell env vars
  (template-injection):
  • ${{ github.base_ref }} → ${GITHUB_BASE_REF} (HIGH severity)
  • ${{ env.* }} → ${VAR_NAME} (env vars are already available as shell vars)
  • ${{ needs.*.result }} and ${{ steps.*.outputs.* }} → env vars via env: block

Commit 2: Add zizmor CI check

• Add zizmor.yaml workflow that runs on pushes to main and all PRs
• Uploads SARIF results to GitHub Advanced Security for stateful triage

Commit 3: Fix remaining non-secrets findings

• Scope checks: write permission to job level instead of workflow level in ci.yaml and e2e-matrix-extras.yaml (excessive-permissions)
• Fix template injection in github-script steps by passing values through process.env instead of ${{ }} expansion (template-injection)
• Replace peter-evans/create-or-update-comment action with gh CLI (superfluous-actions)

Results:

• Before: 56 findings (3 high, 29 medium, 10 low, 14 info)
• After: 13 findings (0 high, 13 medium, 0 low, 0 info)

Remaining findings (tracked in follow-up issues):

Rule	Count	Severity	Issue
secrets-outside-env	12	Medium	#9668
secrets-inherit	1	Medium	#9669

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
• Has Tests included if any functionality added or changed
• pre-commit Passed
• Follows the commit message standard
• Meets the Tekton contributor standards (including functionality, content, code)
• Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
• Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
• Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

[vdemeester]

/kind cleanup

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[afrittoli]

Nice!
/approve

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: afrittoli

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [afrittoli]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment