[Workflows] Add Zizmor check (#187905)
The recent Trivy breach[^1] made me consider re-opening #117787.
Trivy was breached using an impostor commit[^2], which Zizmor can flag.
It's also much more widely used since my last PR.[^3]
The new workflow was taken from the example workflow in their
documentation.[^4]
[^1]: https://github.com/aquasecurity/trivy/discussions/10425
[^2]: https://docs.zizmor.sh/audits/#impostor-commit
[^3]: https://docs.zizmor.sh/trophy-case/
[^4]: https://docs.zizmor.sh/integrations/#via-zizmorcorezizmor-action
