Fix zizmor security issues over Github Actions Workflows#4935

Merged
agriyakhetarpal merged 11 commits into pybamm-team:develop from JC230903:fix-zizmor-security-issues on Mar 31, 2025

Conversation

@JC230903 JC230903 commented Mar 28, 2025

Description

This PR addresses multiple security and best practice issues identified by Zizmor in our GitHub Actions workflows. The changes improve the overall security posture of our CI/CD pipeline by eliminating hardcoded credentials, mitigating injection vulnerabilities, and implementing GitHub Actions best practices.
Fixes #4933

  • Run zizmor over all workflow files with the --pedantic option
  • Address all issues raised by it
  • Add it as a pre-commit hook

Zizmor identified 51 findings across our workflows (8 high, 42 medium, and 1 low severity issues). These issues posed potential security risks and didn’t follow GitHub Actions best practices, which could lead to unreliable CI/CD processes or potential security breaches.
Reduced it to:
0 findings: 0 unknown, 0 informational, 0 low, 0 medium, 0 high

Type of change

Please add a line in the relevant section of CHANGELOG.md to document the change (include PR #)

Important checks:

Please confirm the following before marking the PR as ready for review:

  • No style issues: nox -s pre-commit
  • All tests pass: nox -s tests
  • The documentation builds: nox -s doctests
  • Code is commented for hard-to-understand areas
  • Tests added that prove fix is effective or that feature works

@JC230903 JC230903 requested a review from a team as a code owner March 28, 2025 15:15
@JC230903 JC230903 changed the title Fix zizmor security issues Fix zizmor security issues over Github Actions Workflows Mar 28, 2025
@agriyakhetarpal agriyakhetarpal left a comment

Thanks, @JC230903! This is a good start and is also almost there; I have a few comments. It would be better to leave the default permissions as {} outside the jobs, and add the relevant permissions in the context of the jobs themselves.
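As an added illustration (not a workflow from this PR or the PyBaMM repository) of the points raised in the description and in the review comment above: the first document is a workflow shape that zizmor reports, the second is the corrected shape with `permissions: {}` at the workflow level, job-scoped grants, an untrusted expression moved into an environment variable, and a guard that compares the full `github.repository` string rather than only the owner. The workflow name, step contents and the `example-org/example-repo` string are constructed.

```yaml
# --- before: the shape zizmor flags (constructed example) ---
name: example-ci
on:
  pull_request:
# No top-level `permissions:` block, so every job inherits the
# repository's default GITHUB_TOKEN permissions.
jobs:
  build:
    runs-on: ubuntu-latest
    # Only the owner is checked, so any repository under the
    # organisation satisfies this condition.
    if: github.repository_owner == 'example-org'
    steps:
      - uses: actions/checkout@v4
      # Template injection: the expression is expanded into the shell
      # script before it runs, so the PR title is executed as shell code.
      - run: echo "Testing ${{ github.event.pull_request.title }}"

---
# --- after: the corrected shape (constructed example) ---
name: example-ci
on:
  pull_request:
# Drop every default permission at the workflow level ...
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    # ... and grant each job only what its steps actually need.
    permissions:
      contents: read
    # Compare the full owner/name string, as the reviewer asked.
    if: github.repository == 'example-org/example-repo'
    steps:
      - uses: actions/checkout@v4
      # Pass the untrusted value through an environment variable; the
      # shell now reads it as data instead of interpreting it as script.
      - run: echo "Testing $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
```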

codecov bot commented Mar 29, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.71%. Comparing base (2e38ac4) to head (a50bbd9).
Report is 82 commits behind head on develop.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #4935   +/-   ##
========================================
  Coverage    98.71%   98.71%           
========================================
  Files          304      304           
  Lines        23478    23478           
========================================
  Hits         23176    23176           
  Misses         302      302           



@agriyakhetarpal agriyakhetarpal left a comment

Thanks, @JC230903! This is getting closer. I've left a few more comments below. Also, the pre-commit run is failing, could you please take a look at what it says? Additionally, I notice that we use github.repository-owner in some places, and github.repository in others. Could you switch all those instances to github.repository?

Saransh-cpp previously approved these changes Mar 30, 2025

@Saransh-cpp Saransh-cpp left a comment

Amazing work on this! :)

Happy to merge once @agriyakhetarpal's comments are resolved.


@agriyakhetarpal agriyakhetarpal left a comment

Thanks, @JC230903 – just a few more changes and we're good to go!


@agriyakhetarpal agriyakhetarpal left a comment

Great work, thank you, @JC230903! I pushed a small fix to adjust the diff for the RTD and Sphinx config files. This is ready to go now.

@JC230903 JC230903 requested a review from Saransh-cpp March 31, 2025 10:22
@agriyakhetarpal (Member) commented:

@all-contributors please add @JC230903 for infra

@allcontributors (Contributor) commented:

@agriyakhetarpal

I've put up a pull request to add @JC230903! 🎉

@agriyakhetarpal agriyakhetarpal enabled auto-merge (squash) March 31, 2025 10:23
@agriyakhetarpal agriyakhetarpal merged commit 0bd606c into pybamm-team:develop Mar 31, 2025
25 of 26 checks passed

Development

Successfully merging this pull request may close these issues.

Run zizmor over all GitHub Actions workflow files