Improve security of our GitHub Actions (#18413)
Recently CPython introduced this new tool:
https://github.com/python/cpython/blob/8eebe4e6d02bb4ad3f1ca6c52624186903dce893/.pre-commit-config.yaml#L64-L67
Which finds different security-related problems with GitHub Actions.
I added this tool to our `.pre-commit-config.yaml` and followed all its
recommendations.
Changes:
- I added `persist-credentials: false` to all `checkout` actions, see `# Whether to configure the token or SSH key with the local git config` in https://github.com/actions/checkout
- I moved all permissions from workflow level to job level
- I changed `.github/workflows/mypy_primer_comment.yml` to be a reusable
workflow, see
https://woodruffw.github.io/zizmor/audits/#dangerous-triggers
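
The first two changes listed above, shown on a constructed workflow as a before/after pair. This is an added example, not a file from this repository: the workflow name, job names, trigger and `run` commands are assumptions.

```yaml
# BEFORE (constructed): one workflow-level grant covers every job, and
# checkout leaves the token in the local git config for later steps.
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: write            # the test job gets write access it never uses
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pytest
  publish:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
---
# AFTER (constructed): each job declares only what it needs, and no
# checkout step persists credentials into .git/config.
name: release
on:
  push:
    tags: ["v*"]
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # enough to fetch the repository
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: python -m pytest
  publish:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write        # only this job can create the release
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}   # passed to the one step that needs it
```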