
Add zizmor to checks.yaml; Address all zizmor --pedantic complaints#46

Merged
jzimbel-mbta merged 17 commits into
mainfrom
jz-add-zizmor
Jun 22, 2026

Conversation

@jzimbel-mbta

Member

Part of the effort to add zizmor to all our projects for improved GitHub Actions security.

Specifying permissions on the reusable workflows defined in this project saves us the effort of specifying those permissions repeatedly in every place where they are used.

Testing:
I'm working on similar changes in rtr right now, so I'll check that these changes are safe by temporarily pointing rtr's usages of the asana and deploy-ecs workflows at the head of this branch.
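The shape of the change described above, as an added illustration rather than this project's actual checks.yaml or reusable workflows: a checks job that runs zizmor in pedantic mode with explicit least-privilege token permissions, and a workflow_call workflow that declares its own permissions so callers do not repeat them. Workflow names, the pinned-SHA placeholder and the id-token permission are assumptions, not values from this PR.

```yaml
# Added example; not the project's own checks.yaml.
name: checks
on:
  pull_request:
  push:
    branches: [main]

# No GITHUB_TOKEN permissions by default; each job asks for what it needs.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout only needs to read the repo
    steps:
      - uses: actions/checkout@<full-commit-sha>   # placeholder: pin to a SHA, not a tag
        with:
          persist-credentials: false   # do not leave the token in .git/config
      # --pedantic enables the stricter audits this PR addresses
      - run: pipx run zizmor --pedantic .github/workflows

---
# Added example of a reusable workflow; not the project's deploy-ecs workflow.
# Permissions declared here apply wherever the workflow is called; a caller
# can only narrow them further, so they need not be restated at each call site.
name: deploy-ecs
on:
  workflow_call:

permissions:
  contents: read
  id-token: write   # assumption: OIDC exchange for cloud credentials

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>   # placeholder SHA
        with:
          persist-credentials: false
      - run: echo "deploy steps go here"   # placeholder for the real deploy
```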

@jzimbel-mbta jzimbel-mbta requested a review from a team as a code owner June 22, 2026 16:39
@jzimbel-mbta jzimbel-mbta requested a review from skyqrose June 22, 2026 16:39
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@skyqrose

Member

^ I've never seen that GitHub bot comment before. I wonder if it's because of the advanced-security setting defaulting to true?

@jzimbel-mbta

Member Author

> ^ I've never seen that GitHub bot comment before. I wonder if it's because of the advanced-security setting defaulting to true?

Yeah, that would be my guess. My bad for missing that instruction from the docs.

Given this part:

> or this pull request contains the workflow file for the Code Scanning tool.

it sounds like whatever I "staged" to be switched on will be un-staged when I change this setting in my next commit.

@jzimbel-mbta

Member Author

Thanks for the approval. I'm going to test the updated deploy-ecs workflow out on an rtr dev environment before merging this.

@jzimbel-mbta jzimbel-mbta merged commit c76e5cc into main Jun 22, 2026
4 checks passed
