Secure CI workflows with zizmor ahead of enforced rollout

[koverholt]

This PR hardens the GitHub Actions workflows using zizmor by remediating all medium+ findings from zizmor ahead of the org-wide rollout.

These changes lock our CI automation to exact, verified versions and give each workflow only the minimum permissions it needs, closing common supply-chain attack paths without changing what any workflow actually does.

Result

• Gate scan (zizmor regular persona, medium+): 46 blocking findings to 0
  • 30 high (unpinned-uses), 16 medium (excessive-permissions, template-injection)
• Also cleared 12 low artipacked and all template-injection code smells.

Changes (3 commits)

• ci: pin actions to SHAs and harden workflows with zizmor auto-fixes
• ci: set least-privilege GITHUB_TOKEN permissions on workflows
• ci: move PR/issue context into env vars to prevent template injection

Verification

uvx zizmor@latest .github/workflows/ → No findings to report. Good job!

[netlify]

✅ Deploy Preview for adk-docs-preview ready!

Name	Link
🔨 Latest commit	4ae4a7a
🔍 Latest deploy log	https://app.netlify.com/projects/adk-docs-preview/deploys/6a3eb76f00e7820008e19a20
😎 Deploy Preview	https://deploy-preview-1872--adk-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[joefernandez]

Thanks for the update.