Add zizmor checks on CI. (#5161)

* Add zizmor checks on CI.

* Fix zizmor credentials warnings

* Add persist-credentials: false to action-cached-lfs-checkout too.

* Add empty permissions by default.

* Ignore pull_request_target failure and add a warning.

.github/workflows/post-release.yml

@@ -5,6 +5,8 @@ on:
     tags:
       - 'release/**'
 
+permissions: {}
+
 jobs:
   post-release:
     runs-on: ubuntu-latest
@@ -13,7 +15,7 @@ jobs:
 
     steps:
       - name: Trigger pipeline
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.ENTERPRISE_ACTIONS_TOKEN }}
           script: |