Add zizmor checks on CI. (#5161)

* Add zizmor checks on CI.

* Fix zizmor credentials warnings

* Add persist-credentials: false to action-cached-lfs-checkout too.

* Add empty permissions by default.

* Ignore pull_request_target failure and add a warning.

.github/workflows/automatic-calendar-version.yml

@@ -7,6 +7,8 @@ on:
     - cron: '0 3 * * 2'
   workflow_dispatch:
 
+permissions: {}
+
 # Bumps the year and month, resetting the patch.
 # Patch bumps are handled by the release script.
 jobs:
@@ -18,7 +20,9 @@ jobs:
     if: github.repository == 'element-hq/element-x-ios'
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup environment
         run: