
Add pinact and zizmor workflow checks #387

Merged: demeyerthom merged 3 commits into main from pin-actions on May 8, 2026
Conversation

@demeyerthom (Member)

This PR adds two GitHub Actions workflow checks:

  • pinact: Ensures all GitHub Actions are pinned to commit SHAs for supply chain security
  • zizmor: Scans workflows for security issues

All existing actions have been pinned to their commit SHAs as part of this PR.
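A minimal pinact-style check, added here as an illustration (not pinact's own code): it walks a workflow file, flags every `uses:` reference that is not pinned to a 40-hex commit SHA, and also flags SHA pins that lack the trailing version comment humans need to review them. The workflow text and the SHA in it are constructed placeholders.

```python
import re
from typing import NamedTuple

# A full 40-character lowercase hex string is the only immutable ref form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" or "- uses: ..." with an optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$")


class Finding(NamedTuple):
    line: int
    ref: str
    reason: str


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per 'uses:' line that is not an annotated SHA pin."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        # Local composite actions and docker images are not GitHub-hosted actions;
        # they are outside the scope of SHA pinning.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no ref at all"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA_RE.match(version):
            findings.append(Finding(lineno, ref, "mutable tag/branch ref"))
        elif not comment:
            findings.append(Finding(lineno, ref, "SHA pin lacks version comment"))
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""
```

Running `check_workflow(SAMPLE_WORKFLOW)` reports the `@v4` tag on line 7 as mutable and the bare SHA on line 9 as missing its version comment; the annotated pin and the local and docker steps pass.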

Copilot AI review requested due to automatic review settings April 28, 2026 11:45
changeset-bot (Bot) commented Apr 28, 2026

⚠️ No Changeset found

Latest commit: 0a1cde0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


Copilot AI (Contributor) left a comment

Pull request overview

Adds GitHub Actions workflow security checks (pinact + zizmor) and updates existing workflows to pin all referenced actions to immutable commit SHAs for supply-chain hardening.

Changes:

  • Add a new zizmor workflow to scan GitHub Actions workflows for security issues.
  • Add a new pinact workflow to verify actions are pinned to commit SHAs.
  • Update existing workflows to replace tag/branch-based uses: references with SHA-pinned references.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File | Description
.github/workflows/zizmor.yaml | New workflow to run zizmor on workflow/action changes (and on main pushes).
.github/workflows/pinact.yaml | New workflow to verify action pinning via pinact.
.github/workflows/copilot-setup-steps.yaml | Pin actions/checkout and pnpm-install actions to SHAs.
.github/workflows/ci-cd.yaml | Pin checkout, pnpm-install, changesets, and Docker actions to SHAs.

Review comment threads (contents not shown on this page):
  • .github/workflows/pinact.yaml
  • .github/workflows/pinact.yaml (outdated)
  • .github/workflows/zizmor.yaml
  • .github/workflows/pinact.yaml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@demeyerthom demeyerthom merged commit 61280b9 into main May 8, 2026
19 checks passed
@demeyerthom demeyerthom deleted the pin-actions branch May 8, 2026 11:23