Scan GitHub workflows with zizmor

[ncoghlan]

Static security analysis tool for GitHub action configs: https://github.com/woodruffw/zizmor

(discovered via one of the other Python core developers running it on the CPython repo and reporting the results)

[ncoghlan]

51 addresses the initial scan result, but keeping this issue open as any change to the workflows should automatically re-run the scan and upload the SARIF results.

[ncoghlan]

51 has been updated to also include an automated scan (as per https://github.com/woodruffw/zizmor/issues/69)

[ncoghlan]

While #51 mostly implemented this CI feature, it can only be fully resolved once the repository has been published:

• remove the only-needed-for-private-repos access in https://github.com/lmstudio-ai/venvstacks/blob/9da4e56a8389a5f3370c139c6916bbe1a8469d8d/.github/workflows/scan-workflows.yml#L20
• confirm the scan result passes