Add zizmor and frizbee CI/CD security checks

Add two new reusable workflows alongside existing actionlint:
- zizmor: scans workflows for security vulnerabilities (injection risks,
  secret exposure, unsafe ${{}} expansion)
- frizbee: checks that all actions and container images are pinned to
  commit SHAs or image digests

Both run unconditionally in goCI.yml (no opt-out flags) and in the
workflows repo's own CI.

Also pins previously unpinned references:
- docker://rhysd/actionlint:latest → 1.7.11@sha256:digest
- actions/cache@v5 → @sha (v5.0.3) in goTest.yml and codeql-analysis.yml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

.github/workflows/actionlint.yml

@@ -9,6 +9,6 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check workflow files
-        uses: docker://rhysd/actionlint:latest
+        uses: docker://rhysd/actionlint:1.7.11@sha256:6f03470d0152251d7f07f7c4dc019dbe7024c72cd952f839544c7798843efa8f
         with:
           args: -color

.github/workflows/ci.yml

@@ -20,6 +20,14 @@ jobs:
     name: Lint GitHub workflows
     uses: ./.github/workflows/actionlint.yml
 
+  zizmor:
+    name: Scan GitHub workflows
+    uses: ./.github/workflows/zizmor.yml
+
+  frizbee:
+    name: Check action pinning
+    uses: ./.github/workflows/frizbee.yml
+
   lint-dummy-app: # NOTE(@azazeal): this check is here to verify that .golangci.yml is valid
     name: Lint dummy app
     runs-on: ubuntu-latest

.github/workflows/codeql-analysis.yml

@@ -72,7 +72,7 @@ jobs:
             ~/go/pkg/mod || true
       -
         name: Action Cache
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             ~/.cache/go-build

.github/workflows/frizbee.yml

@@ -0,0 +1,19 @@
+name: Frizbee pinning check
+on:
+  workflow_call:
+
+jobs:
+  frizbee:
+    name: Check action pinning
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Check pinning
+        uses: stacklok/frizbee-action@c7009cdb455a69ae0dab0c37f296e0f545b4211c # v0.0.5
+        with:
+          action: check
+          fail_on_unpinned: true

.github/workflows/goCI.yml

@@ -90,7 +90,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check workflow files
-        uses: docker://rhysd/actionlint:latest
+        uses: docker://rhysd/actionlint:1.7.11@sha256:6f03470d0152251d7f07f7c4dc019dbe7024c72cd952f839544c7798843efa8f
         with:
           args: -color
 
@@ -145,6 +145,12 @@ jobs:
       PAT: ${{ secrets.PAT }}
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
+  zizmor:
+    uses: ./.github/workflows/zizmor.yml
+
+  frizbee:
+    uses: ./.github/workflows/frizbee.yml
+
   build:
     uses: ./.github/workflows/goBuild.yml
     if: inputs.run-build

.github/workflows/goTest.yml

@@ -107,7 +107,7 @@ jobs:
             ~/go/pkg/mod || true
       -
         name: Action Cache
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             ~/.cache/go-build

.github/workflows/zizmor.yml

@@ -0,0 +1,19 @@
+name: Zizmor security scan
+on:
+  workflow_call:
+
+jobs:
+  zizmor:
+    name: Scan GitHub workflows
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+        with:
+          min-severity: medium
+          min-confidence: medium