Fix zizmor audits

[funnelfiasco]

Address most of the zizmor audits (except scorecard, which has an open question with the Scorecard project)

Fixes #2269 Fixes #2270 Fixes #2271 Fixes #2272 Fixes #2274

(Opened as a single PR because several of them involve changes to the new zizmor.yml file)

PR Checklist

• [x] All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
• [ ] All new changes are covered by tests
• [ ] If GraphQL schema is changed, make generate has been run
• [ ] If GraphQL schema is changed, GraphQL client updates/additions have been made
• [ ] If OpenAPI spec is changed, make generate has been run
• [ ] If ent schema is changed, make generate has been run
• [ ] If collectsub protobuf has been changed, make proto has been run
• [ ] All CI checks are passing (tests and formatting)
• [ ] All dependent PRs have already been merged