chore: Check GitHub Actions security

[timokoessler]

Type of change

• 🐛 Bug fix
• 🚀 New feature
• ❓ Other (please specify)

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

This PR adds automated GitHub Actions security checking via zizmor, and tightens workflow security posture by reducing token exposure and permissions.

Changes:

• Add a new “Security” workflow that runs zizmor and (intends to) upload findings as security events.
• Configure zizmor rules (Dependabot cooldown) via .github/zizmor.yml.
• Harden existing workflows by setting persist-credentials: false, scoping id-token: write to the job that needs it, and updating a few action pins.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
.github/zizmor.yml	Adds zizmor rule configuration (Dependabot cooldown).
.github/workflows/security.yml	Introduces a zizmor-based GitHub Actions security scan workflow.
.github/workflows/release.yml	Updates action pin, hardens checkout credentials usage, and refactors image signing to use an env var digest.
.github/workflows/labeler.yml	Documents pull_request_target security constraints and suppresses zizmor trigger warning.
.github/workflows/e2e-tests.yml	Hardens checkout credentials usage and bumps pnpm action pin.
.github/workflows/codeql.yml	Hardens checkout credentials usage.
.github/workflows/ci.yml	Removes unnecessary global id-token: write, scopes it to backend job, and hardens checkout credentials usage.
.github/dependabot.yml	Moves/sets cooldown configuration per ecosystem update entry.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.