Add zizmor checks on CI. (#5161)

* Add zizmor checks on CI.

* Fix zizmor credentials warnings

* Add persist-credentials: false to action-cached-lfs-checkout too.

* Add empty permissions by default.

* Ignore pull_request_target failure and add a warning.

.github/workflows/compound-ios.yml

@@ -16,6 +16,8 @@ on:
     paths:
       - 'compound-ios/**'
 
+permissions: {}
+
 jobs:
   tests:
 
@@ -30,6 +32,8 @@ jobs:
 
     steps:
     - uses: nschloe/action-cached-lfs-checkout@f46300cd8952454b9f0a21a3d133d4bd5684cfc2 #v1.2.3
+      with:
+        persist-credentials: false
 
     - name: Configure Xcode 26
       run: sudo xcode-select -s /Applications/Xcode_26.1.1.app
@@ -54,7 +58,7 @@ jobs:
       run: zip -r Logs/CompoundTests.xcresult.zip Logs/CompoundTests.xcresult/
 
     - name: Archive artifacts
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       if: failure() # We only care about artefacts if the tests fail
       with:
         name: test-results