Improve CI security posture: add CodeQL & zizmor workflows, fix dependabot config

[kevinjqliu]

Changes

• Add CodeQL workflow for GitHub Actions security scanning (codeql.yml)
• Add zizmor workflow for Actions-specific static analysis (zizmor.yml)
• Fix dependabot config: correct versions field to use list syntax, add license header formatting, add zizmor: ignore annotation for cooldown rule
• Fix actor check in verify_dependabot_action.yml: use github.event.pull_request.user.login instead of github.actor to avoid false negatives when non-dependabot users interact with the PR
• Pin matlab-actions/run-tests to v3.0.0 (zizmor fix)
• Harden pelican/action.yml: replace inline ${{ inputs.* }} expressions in run: blocks with environment variables to prevent script injection
• Harden stash/restore/action.yml: move ${{ inputs.clean }} into an INPUTS_CLEAN env var for the same reason
• Pin actions/upload-artifact in stash/save/action.yml to full SHA (v7)

Validated locally

GH_TOKEN=`gh auth token` uvx zizmor --min-severity medium --min-confidence medium .github/ --fix=all

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[dave2wave]

Harden pelican/action.yml: replace inline ${{ inputs.* }} expressions in run: blocks with environment variables to prevent script injection
Harden stash/restore/action.yml: move ${{ inputs.clean }} into an INPUTS_CLEAN env var for the same reason

These changes are breaking unless the environment variables are initialized from the action's inputs.

[potiuk]

Harden pelican/action.yml: replace inline ${{ inputs.* }} expressions in run: blocks with environment variables to prevent script injection
Harden stash/restore/action.yml: move ${{ inputs.clean }} into an INPUTS_CLEAN env var for the same reason

These changes are breaking unless the environment variables are initialized from the action's inputs.

No. All inputs are also automatically available as INPUT_ env variables https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstepswith

[potiuk]

Looks good. But I think we need to look at the matlab things - were it came from.

[potiuk]

Ah - it seems we have pre-release version updatred by dependabot. We should disable pre-release upates.

[potiuk]

I think they changed release to "pre-release".

[potiuk]

@kevinjqliu -> the zizmor issues should be silenced. In this case we do not want to create separate env.

Issue was fixed

[kevinjqliu]

ci is green!

[potiuk]

Nice!