
security: pin GitHub Actions to commit SHAs and add audit workflow#830

Open

rogerkorantenng wants to merge 1 commit into rust-lang:master from rogerkorantenng:master

Conversation

@rogerkorantenng

@rogerkorantenng rogerkorantenng commented Apr 11, 2026

Summary

This PR fixes all HIGH severity zizmor security issues in crater's GitHub Actions workflows by pinning actions to commit SHAs and adds a preventive audit workflow.

Changes

Security Fixes (9 HIGH severity issues → 0)

  • Pin actions/checkout@v6 to v6.0.2 SHA (7 instances across ci.yml, pr.yml, zizmor-audit.yml)
  • Pin actions/upload-artifact@v4 to v4.6.2 SHA (ci.yml)
  • Pin actions/download-artifact@v4 to v4.3.0 SHA (ci.yml)
  • Pin rust-lang/simpleinfra@master to specific commit SHA (ci.yml) - Critical: this action receives AWS credentials
  • Add persist-credentials: false to all 6 checkout actions to prevent credential leakage

Preventive Measures

  • Add .github/workflows/zizmor-audit.yml workflow for continuous security monitoring
    • Runs on PRs, merge queue, daily schedule, and manual dispatch
    • Uses pedantic persona for comprehensive analysis
    • Provides PR annotations for first 10 findings
    • All actions SHA-pinned (dogfooding)

Code Quality

  • Add name: Conclusion to conclusion jobs in ci.yml and pr.yml for better observability

Validation

  • Tested locally with zizmor --pedantic (exit code 13, 0 HIGH issues)
  • Tested with act to simulate GitHub Actions execution
  • Follows rust-lang/team SHA pinning patterns
  • Matches versions that @v6/@v4 mutable tags currently resolve to

Remaining Issues (Non-blocking)

13 MEDIUM severity issues remain (excessive-permissions, secrets-outside-env):

  • excessive-permissions (11 issues): Requires careful per-job permission analysis, recommended for separate PR
  • secrets-outside-env (2 issues): Requires org-level decision on environment strategy

These are documented but not fixed as they require architectural changes beyond the scope of security fixes.

This PR is part of an Outreachy contribution to improve GitHub Actions security across rust-lang repositories.

- Pin actions/checkout@v6 to v6.0.2 SHA (7 instances)
- Pin actions/upload-artifact@v4 to v4.6.2 SHA
- Pin actions/download-artifact@v4 to v4.3.0 SHA
- Pin rust-lang/simpleinfra@master to specific commit SHA
- Add persist-credentials: false to all checkout actions
- Add zizmor-audit.yml workflow for continuous security monitoring
- Add job names to conclusion jobs for better observability

Fixes all HIGH severity zizmor issues (9 → 0).
Uses pedantic persona for comprehensive security analysis.
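As an added illustration, not crater's own code and not zizmor itself, the script below is a small POSIX shell pre-check for the two classes of finding this PR fixes: `uses:` references whose ref after `@` is not a full 40-hex commit SHA, and `actions/checkout` steps that do not set `persist-credentials: false`. The two workflow fragments it writes are constructed samples, and the 40-hex values in the "pinned" sample are placeholder SHAs, not the real v6.0.2 or v4.6.2 commits.

```shell
#!/bin/sh
# Constructed example: a lightweight pre-zizmor check for unpinned action refs
# and checkout steps that keep the GITHUB_TOKEN in .git/config.
# Not crater's code and not zizmor; sample SHAs below are placeholders.
#
# audit_workflow FILE prints one line per finding and returns the count:
#   UNPINNED  <ref> (line N)  - ref after '@' is not a 40-hex commit SHA
#   NOPERSIST <ref> (line N)  - actions/checkout without persist-credentials: false
# Local actions (`./path`) are skipped because they have no remote ref to pin.
audit_workflow() {
  awk '
    function flush() {
      if (is_checkout && !has_persist) {
        printf "NOPERSIST %s (line %d)\n", cur_uses, cur_line; n++
      }
      cur_uses = ""; is_checkout = 0; has_persist = 0
    }
    # A new step begins at a list item carrying one of the usual step keys.
    /^[ \t]*-[ \t]*(name|uses|run|id):/ { flush() }
    /^[ \t]*-?[ \t]*uses:[ \t]*/ {
      ref = $0
      sub(/^[ \t]*-?[ \t]*uses:[ \t]*/, "", ref)
      sub(/[ \t]*#.*$/, "", ref)           # drop trailing "# v6.0.2" comments
      cur_uses = ref; cur_line = NR
      if (ref ~ /^\.\//) next               # local action, nothing to pin
      is_checkout = (ref ~ /^actions\/checkout@/)
      at = index(ref, "@")
      sha = (at > 0) ? substr(ref, at + 1) : ""
      if (length(sha) != 40 || sha !~ /^[0-9a-f]+$/) {
        printf "UNPINNED %s (line %d)\n", ref, NR; n++
      }
    }
    /^[ \t]*persist-credentials:[ \t]*false([ \t]|$)/ { has_persist = 1 }
    END { flush(); exit n }
  ' "$1"
}

# Number of findings as a plain integer (convenient for scripts and tests).
finding_count() { audit_workflow "$1" | wc -l | tr -d ' '; }

# Writes two constructed workflow fragments into DIR: weak.yml (the shape
# before the PR) and pinned.yml (the shape after it, with placeholder SHAs).
write_samples() {
  dir="$1"
  cat > "$dir/weak.yml" <<'EOF'
name: CI
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: out
          path: target/out
      - uses: rust-lang/simpleinfra@master
EOF
  cat > "$dir/pinned.yml" <<'EOF'
name: CI
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2 (placeholder SHA)
        with:
          persist-credentials: false
      - name: Upload artifact
        uses: actions/upload-artifact@89abcdef0123456789abcdef0123456789abcdef # v4.6.2 (placeholder SHA)
        with:
          name: out
          path: target/out
      - uses: ./.github/actions/local-helper
EOF
}

# Usage: sh audit_actions.sh .github/workflows/ci.yml   (exit status = findings)
if [ $# -gt 0 ]; then
  audit_workflow "$1"
fi
```

On the weak sample this reports four findings (three unpinned refs plus the missing `persist-credentials: false` on the checkout step); on the pinned sample it reports none. The check deliberately accepts only a full 40-hex SHA, because a tag such as `v6` or `v6.0.2` can be moved by whoever controls the repository. When resolving a tag to the SHA to pin, use `git ls-remote --tags https://github.com/actions/checkout v6.0.2` and, if the tag is annotated, take the peeled `v6.0.2^{}` entry, which is the commit rather than the tag object.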