
ci: harden GitHub Actions workflows with zizmor (#1623)

* ci: harden GitHub Actions workflows with zizmor

- Add `permissions: {}` defaults to ci, dependabot-rebase-stale,
  package-availability-check workflows
- Add `persist-credentials: false` to all checkout steps
- Move `${{ }}` interpolations in run blocks to env vars (release.yml)
- Replace `softprops/action-gh-release` with `gh release create`
- Switch claude-review from `pull_request_target` to `pull_request`
  with fork check
- Replace spoofable `github.actor` check with `user.id` for dependabot
- Add zizmor CI workflow for ongoing monitoring
- Add `lookup-only: true` to mypy cache (type-checking job)
- Disable uv cache in release workflow (publishes to PyPI)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ci: fix version comment inconsistencies

- zizmor.yml: align checkout comment to `# v6` matching other workflows
- ci.yml: fix actions/cache comment from `# v5` to `# v5.0.4` (actual tag)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Tobias Wochinger committed
ffaaaa3583b0c3d010994230eb1d2e581a199e49
Parent: cfbe7a3
Committed by GitHub <noreply@github.com> on 4/15/2026, 8:07:46 AM
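A before/after sketch of the hardenings the commit message lists, added here as an illustrative example rather than the project's own workflow files; the job names, the `PR_TITLE` variable and the unpinned `@v6` tag are assumptions, and the numeric id is dependabot[bot]'s published user id.

```yaml
# BEFORE (weak): runs on pull_request_target with the default write token,
# leaves the token in .git/config, and expands an untrusted PR title
# directly into the shell script text.
on: pull_request_target
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - run: echo "Reviewing ${{ github.event.pull_request.title }}"
---
# AFTER (hardened), mirroring the changes listed in the commit message.
on: pull_request                  # fork PRs get no secrets and a read-only token
permissions: {}                   # deny-all default; each job opts in explicitly
jobs:
  review:
    # fork check: only run for branches of this repository
    if: github.event.pull_request.head.repo.fork == false
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false   # token is not written to .git/config
      - env:
          # untrusted input goes through an env var, so it is never
          # template-expanded into the script and cannot break out of it
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Reviewing $PR_TITLE"
  dependabot-rebase:
    # github.actor reflects who triggered the run and can be spoofed;
    # the PR author's numeric user id cannot
    if: github.event.pull_request.user.id == 49699333   # dependabot[bot]
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - run: echo "dependabot PR confirmed by user id"
```

Pinning each `uses:` to a full commit SHA with a `# v6`-style comment, as the second message in the commit describes, is the remaining step this sketch leaves out.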