
Add zizmor security analysis + harden workflows#179

Closed

Seldaek wants to merge 3 commits into main from add-zizmor-dependabot


Conversation

@Seldaek (Member) commented May 29, 2026

Adds a zizmor GitHub Actions security-analysis workflow (pedantic, matching composer/packagist) and a dependabot.yml (github-actions, monthly + 7-day cooldown), and hardens the existing workflows so zizmor passes:

  • Pinned actions to commit SHAs at their latest releases (actions/checkout, shivammathur/setup-php, actions/upload-artifact).
  • Permissions: explicit contents: read; added concurrency limits and persist-credentials: false on checkouts.
  • tests.yml: reference the workflow env vars via cmd %VAR% syntax instead of ${{ env.* }} in run blocks (avoids template injection; still cmd shell).
  • builds.yml: switched the iscc / installer .exe / composer --version steps from shell: cmd to shell: pwsh (the .exe now uses a .\ prefix) so zizmor can analyze them.

Verified locally with zizmor (pedantic, incl. online audits): no findings. The Windows build steps that changed shells are worth a close look in review since they couldn't be tested locally.
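To make the hardening listed above concrete, here is an added example of a minimal Windows test workflow with the weak form of each setting shown as a comment next to the hardened form. It is illustrative code written for this page, not the PR's tests.yml or builds.yml, and it assumes placeholder values: the 40-zero commit SHAs are not real commits (replace them with the SHA of the release you pin), `PHP_VERSION` is an assumed workflow env var, and the version comments after each pin are what Dependabot's github-actions updater reads to bump the pin.

```yaml
# Added example for this page, not a file from the PR.
# SHAs below are placeholders (all zeros); pin to the real commit of the
# release you want, keeping the version tag as a trailing comment.
name: Tests

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: GITHUB_TOKEN gets read-only repository access.
# Before (weak): no top-level `permissions:` key, so the token inherits
# the repository default, which may be read/write.
permissions:
  contents: read

# Cancel superseded runs for the same ref instead of letting them stack.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # Assumed workflow-level variable for the example.
  PHP_VERSION: "8.3"

jobs:
  tests:
    runs-on: windows-latest
    steps:
      # Before (unpinned, flagged by zizmor): a mutable tag can be moved to
      # different code later.
      #   - uses: actions/checkout@v4
      # After: immutable commit SHA, version kept as a comment for Dependabot.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false

      - uses: shivammathur/setup-php@0000000000000000000000000000000000000000 # v2 (placeholder SHA)
        with:
          # Expressions in `with:` are passed as action inputs, not spliced
          # into a shell script, so this is not the run-block injection case.
          php-version: ${{ env.PHP_VERSION }}

      # Before (template injection): `${{ env.PHP_VERSION }}` is expanded into
      # the script text before cmd parses it, so whatever the value contains
      # becomes part of the command line.
      #   - run: echo Testing on PHP ${{ env.PHP_VERSION }}
      #     shell: cmd
      # After: cmd reads the variable from the process environment at runtime;
      # the value is data, not script.
      - run: echo Testing on PHP %PHP_VERSION%
        shell: cmd
```

Checking a workflow like this locally with `zizmor --persona pedantic .github/workflows` reports the unpinned `uses:` and the `${{ }}` in a `run:` block from the "before" lines; with the "after" lines it should be clean apart from the advisory note that `shell: cmd` limits what zizmor can analyze. The pins stay current only if something bumps them, which is what the accompanying dependabot.yml (github-actions ecosystem, monthly, 7-day cooldown) is for.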

Seldaek added 3 commits May 29, 2026 09:14
- Pin actions to commit SHAs at latest releases (checkout, setup-php, upload-artifact)
- Add explicit contents: read permissions and concurrency limits
- persist-credentials: false on checkouts
- tests.yml: reference workflow env vars via cmd %VAR% syntax instead of ${{ }} to avoid template injection
- builds.yml: switch the iscc/installer/composer steps from shell: cmd to pwsh (the .exe gets a .\ prefix) so zizmor can analyze them
Compiling with iscc under pwsh fails (Inno Setup 'Invalid number of parameters' in userdata.iss), so the iscc / installer .exe / composer steps go back to shell: cmd. This leaves 3 advisory zizmor 'misfeature' findings (cmd limits its analysis) that can't be resolved without breaking the Windows build.
@Seldaek (Member, Author) commented May 29, 2026

Reverted the shell: cmd → pwsh change: iscc fails to compile under pwsh (Invalid number of parameters in userdata.iss). Those 3 steps are back on cmd, so zizmor still reports 3 help-level misfeature findings (cmd limits analysis); left as-is since cmd is required for the Inno Setup build. All other hardening (pins, permissions, concurrency, template-injection fixes) stands.

@Seldaek (Member, Author) commented May 29, 2026

Hmm, that revert did not help fix the build, so I'm not sure whether it was already broken or not. I'll let you take a look first, @johnstevenson, as I am not very familiar here.

Anyway, this would need to get merged to get CI running again, as I enabled some Actions restrictions at the org level.

@johnstevenson (Member) commented

I'll take a closer look.

@johnstevenson (Member) commented

@Seldaek Most of your woes were caused by a breaking change in a more recent version of Inno Setup, although getting stuff to work in PowerShell was a bit of a fight.

I cherry-picked your commits to #180
