feat(ci): add zizmor security audit to checkout action

Adds zizmorcore/zizmor-action inline in the checkout action so every
job that checks out code automatically gets a GitHub Actions security
audit. Uses digest-pinned Docker images for supply chain integrity.

Author: jdalton

.github/actions/checkout/action.yml

@@ -31,3 +31,8 @@ runs:
         path: ${{ inputs.working-directory != '.' && inputs.working-directory || '' }}
         fetch-depth: ${{ inputs.fetch-depth }}
         persist-credentials: false
+
+    - name: Audit GitHub Actions
+      uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+      with:
+        min-severity: medium