security: apply best practices to GH Actions workflows

[mccutchen]

Following the guidance of zizmor, a security-focused linter for GitHub Actions workflows.

With these changes, zizmor now passes on non-pedantic mode:

$ zizmor .github/workflows
 INFO audit: zizmor: 🌈 completed .github/workflows/bench.yaml
 INFO audit: zizmor: 🌈 completed .github/workflows/lint.yaml
 INFO audit: zizmor: 🌈 completed .github/workflows/new-pull-request.yaml
 INFO audit: zizmor: 🌈 completed .github/workflows/test.yaml
No findings to report. Good job! (27 suppressed)

All of the 27 suppressed findings are about not pinning actions to hashes. I'll need to tackle that separately.

[github-actions]

🔥 Run benchmarks comparing e45611d against main:

gh workflow run bench.yaml -f pr_number=56

Note: this comment will update with each new commit.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.94%. Comparing base (658421b) to head (e45611d).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #56   +/-   ##
=======================================
  Coverage   92.94%   92.94%           
=======================================
  Files           2        2           
  Lines         496      496           
=======================================
  Hits          461      461           
  Misses         28       28           
  Partials        7        7           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

benchstats: 658421b...e45611d

View full benchmark output on the workflow summary.

goos: linux
goarch: amd64
pkg: github.com/mccutchen/websocket
cpu: AMD EPYC 7763 64-Core Processor                
                  │ ./baseline/bench-results.txt │      ./head/bench-results.txt      │
                  │            sec/op            │   sec/op     vs base               │
ReadFrame/1KiB-4                     889.2n ± 2%   888.8n ± 4%       ~ (p=0.753 n=10)
ReadFrame/1MiB-4                     549.5µ ± 1%   553.5µ ± 2%  +0.74% (p=0.002 n=10)
WriteFrame/1KiB-4                    945.5n ± 0%   947.1n ± 0%       ~ (p=0.363 n=10)
WriteFrame/1MiB-4                    588.9µ ± 1%   590.0µ ± 0%       ~ (p=0.912 n=10)
geomean                              22.84µ        22.90µ       +0.27%

                  │ ./baseline/bench-results.txt │      ./head/bench-results.txt       │
                  │             B/s              │     B/s       vs base               │
ReadFrame/1KiB-4                    1.082Gi ± 2%   1.082Gi ± 3%       ~ (p=0.796 n=10)
ReadFrame/1MiB-4                    1.777Gi ± 1%   1.764Gi ± 2%  -0.74% (p=0.002 n=10)
WriteFrame/1KiB-4                   1.018Gi ± 0%   1.016Gi ± 0%       ~ (p=0.393 n=10)
WriteFrame/1MiB-4                   1.658Gi ± 1%   1.655Gi ± 0%       ~ (p=0.912 n=10)
geomean                             1.342Gi        1.339Gi       -0.26%

                  │ ./baseline/bench-results.txt │       ./head/bench-results.txt        │
                  │             B/op             │     B/op      vs base                 │
ReadFrame/1KiB-4                    1.164Ki ± 0%   1.164Ki ± 0%       ~ (p=1.000 n=10) ¹
ReadFrame/1MiB-4                    1.008Mi ± 0%   1.008Mi ± 0%       ~ (p=0.701 n=10)
WriteFrame/1KiB-4                   1.125Ki ± 0%   1.125Ki ± 0%       ~ (p=1.000 n=10) ¹
WriteFrame/1MiB-4                   1.008Mi ± 0%   1.008Mi ± 0%       ~ (p=0.344 n=10)
geomean                             34.37Ki        34.37Ki       +0.00%
¹ all samples are equal

                  │ ./baseline/bench-results.txt │      ./head/bench-results.txt       │
                  │          allocs/op           │ allocs/op   vs base                 │
ReadFrame/1KiB-4                      5.000 ± 0%   5.000 ± 0%       ~ (p=1.000 n=10) ¹
ReadFrame/1MiB-4                      5.000 ± 0%   5.000 ± 0%       ~ (p=1.000 n=10) ¹
WriteFrame/1KiB-4                     1.000 ± 0%   1.000 ± 0%       ~ (p=1.000 n=10) ¹
WriteFrame/1MiB-4                     1.000 ± 0%   1.000 ± 0%       ~ (p=1.000 n=10) ¹
geomean                               2.236        2.236       +0.00%
¹ all samples are equal