integrate zizmor

[jku]

zizmor is a GH actions audit tool, I'm hoping it works on actual actions yml as well (and not just workflow files): this would be very useful for the tuf-on-ci actions...

• see workflows: address zizmor findings sigstore/root-signing#1397
• some actions in this repo do use the git credentials so need to be careful WRT persist-credentials

[jku]

I'm hoping it works on actual actions yml as well (and not just workflow files)

Unfortunately it does not at this moment... Running it on our own workflows is still useful as it does find some issues.

[jku]

zizmor has some support for actions now