
ci: add zizmor audit and consolidate gh-actions checks#126

Merged
wadackel merged 1 commit into main from chore/gha-4 on May 17, 2026

Conversation

@wadackel (Collaborator)

Summary

Introduce zizmor as a second static analyzer for GitHub Actions workflows and composite actions, focused on security-oriented checks (credential persistence, code injection, over-privileged GITHUB_TOKEN, etc.) that complement what actionlint already covers syntactically.

  • Add zizmor = "1.25.2" to mise.toml so the runner picks it up via the existing setup composite action.
  • Consolidate the prior actionlint.yaml workflow with the new zizmor audit into a single audit-actions.yaml workflow with two parallel jobs (actionlint, zizmor), sharing trigger, permissions, and concurrency declarations. The trigger now also watches action.yaml so the JS action manifest is covered by zizmor.
  • Resolve the four artipacked warnings zizmor raised at baseline by adding persist-credentials: false to every actions/checkout step that lacked it across audit-actions.yaml, ci.yaml (commitlint + build_and_test), and e2e.yaml (dogfood). The publish job already had it.

Local verification:

$ mise install
mise all tools are installed

$ mise exec -- actionlint -color
(no output, exit 0)

$ mise exec -- zizmor .
 INFO zizmor: 🌈 zizmor v1.25.2
 INFO audit: zizmor: 🌈 completed ./.github/actions/setup/action.yaml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/audit-actions.yaml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/automerge-gate.yaml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/ci.yaml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/e2e.yaml
 INFO audit: zizmor: 🌈 completed ./action.yaml
No findings to report. Good job! (12 suppressed)

SARIF upload to GitHub Code Scanning is intentionally out of scope for this PR — fork PRs downgrade security-events: write to read-only, which would need an extra guard. The current console-output + non-zero exit code is enough to block merges on new findings.

References

  • n/a
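A consolidated workflow of the shape the description above lays out, written here as an added illustration; it is not the PR's actual audit-actions.yaml. The composite action path ./.github/actions/setup is taken from the zizmor output above, but its inputs, the exact trigger paths, the concurrency group name and the runner label are assumptions.

```yaml
# Illustrative .github/workflows/audit-actions.yaml (assumed layout, not the PR's file).
name: audit-actions

on:
  pull_request:
    paths:
      - ".github/workflows/**"
      - ".github/actions/**"
      - "action.yaml"          # the JS action manifest is audited too
  push:
    branches: [main]
    paths:
      - ".github/workflows/**"
      - ".github/actions/**"
      - "action.yaml"

# Declared once and inherited by both jobs: a linter only needs to read the tree,
# so GITHUB_TOKEN gets no write scopes at all.
permissions:
  contents: read

# Declared once: a newer push to the same ref cancels the stale audit run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}   # assumed group name
  cancel-in-progress: true

jobs:
  actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the GITHUB_TOKEN in .git/config for later steps;
          # this is what clears zizmor's artipacked finding.
          persist-credentials: false
      - uses: ./.github/actions/setup   # assumed: installs the tools pinned in mise.toml
      - run: mise exec -- actionlint -color

  zizmor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ./.github/actions/setup
      # Non-zero exit on any new finding fails the job, which is what blocks the merge.
      - run: mise exec -- zizmor .
```

Two things to keep in mind when copying this shape. First, `persist-credentials: false` means any later step that needs to push or call the API must be handed a token explicitly, which is the point: the credential is scoped to the step that needs it rather than sitting in the checkout for every subsequent step. Second, zizmor's unpinned-uses audit may flag tag references such as `actions/checkout@v4` depending on the policy in effect; pinning to a full commit SHA with the tag in a trailing comment is the usual fix, and the "12 suppressed" in the output above does not say which audits the project has chosen to silence.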

Introduce zizmor 1.25.2 (mise) as a static analyzer for GitHub Actions
workflows and composite actions, alongside the existing actionlint.
Consolidate both into a single audit-actions.yaml workflow with two
parallel jobs to share trigger / permissions / concurrency declarations.

Also add persist-credentials: false to every actions/checkout step that
lacked it, resolving the artipacked findings zizmor raised at baseline.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
@wadackel wadackel merged commit 7822097 into main May 17, 2026
8 checks passed
@wadackel wadackel deleted the chore/gha-4 branch May 17, 2026 02:01