
Add Zizmor for GHA security auditing#1268

Merged
mfisher87 merged 6 commits into main from gha-linter
Mar 31, 2026

Conversation

@mfisher87
Member

@mfisher87 mfisher87 commented Mar 23, 2026

Description

Resolves #902

Zizmor can catch common security issues in GitHub Actions configurations. It reports in the security tab at the top of the repo. For example, a common attack vector is mutable refs used to pin actions, which we do (we use tags and branches, but should use SHAs).

See: https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise

Still, SHAs are not perfectly safe... they come with their own risk thanks to GitHub doing something totally unexpected (and IMO unsafe and uncool). my/repo@some-sha could refer to some-sha on a FORK of my/repo, e.g. malicious-person/repo@some-sha, and it would still just work despite being absolutely not what you intended or expected. For this reason, we should allow dependabot to update our actions and not trust any incoming PRs that alter SHAs. Thankfully, zizmor can detect this impostor commit pattern!

See: https://www.vaines.org/posts/2026-03-24-the-comforting-lie-of-sha-pinning/

Addressed:

This uses the GH Code Scanning interface (see the security tab at the top) to report issues.

https://github.com/earthaccess-dev/earthaccess/security/code-scanning?query=pr%3A1268+is%3Aopen


"Ready for review" checklist

  • Open PR as draft
  • Please review our Pull Request Guide
  • Mark "ready for review" after following instructions in the guide

Merge checklist

  • PR title is descriptive
  • PR body contains links to related and resolved issues (e.g. closes #1)
  • If needed, CHANGELOG.md updated
  • If needed, docs and/or README.md updated
  • If needed, unit tests added
  • All checks passing (comment pre-commit.ci autofix if pre-commit is failing)
  • At least one approval

📚 Documentation preview 📚: https://earthaccess--1268.org.readthedocs.build/en/1268/
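The two checks the description leans on, an audit for mutable refs and a check for SHA pins that resolve only through a fork, as an added example in Python (not zizmor's code and not part of earthaccess). It extracts `uses:` lines from a constructed workflow and compares full-SHA pins against a constructed map of commits reachable from each upstream repository's own refs. The rule names mirror zizmor's `unpinned-uses` and `impostor-commit` audits; the workflow text, repository names and SHAs are made up.

```python
"""Audit `uses:` references in a GitHub Actions workflow.

Two checks, modelled on the zizmor audits named in the PR description
(unpinned-uses and impostor-commit). Added illustration only: not
zizmor's implementation and not earthaccess project code.
"""
import re
from dataclasses import dataclass

# Match `uses:` at step level ("- uses: ...") or job level (reusable workflows).
# Only spaces/tabs are allowed before it so a match never spans lines.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*(['\"]?)(?P<ref>[^'\"#\s]+)\1", re.MULTILINE
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


@dataclass(frozen=True)
class Finding:
    line: int
    ref: str
    rule: str
    message: str


def classify_ref(ref):
    """Split a `uses:` value into (kind, owner/repo, version).

    kind is one of: local, docker, sha, short-sha, mutable.
    """
    if ref.startswith("./"):
        return "local", None, None
    if ref.startswith("docker://"):
        return "docker", None, None
    path, _, version = ref.partition("@")
    # owner/repo is the first two path segments; the rest is a subpath
    # (e.g. owner/repo/.github/workflows/ci.yml for a reusable workflow).
    owner_repo = "/".join(path.split("/")[:2])
    if FULL_SHA_RE.match(version):
        return "sha", owner_repo, version
    if SHORT_SHA_RE.match(version):
        return "short-sha", owner_repo, version
    return "mutable", owner_repo, version


def audit_workflow(text, upstream_commits):
    """Return a Finding for every problematic `uses:` line in `text`.

    `upstream_commits` maps owner/repo -> set of commit SHAs reachable from
    that upstream repository's own branches and tags. A full-SHA pin absent
    from that set resolves only through a fork's commits and is reported as
    impostor-commit. Repositories missing from the map are not checked.
    """
    findings = []
    for m in USES_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        ref = m.group("ref")
        kind, owner_repo, version = classify_ref(ref)
        if kind == "mutable":
            findings.append(Finding(line, ref, "unpinned-uses",
                f"{version!r} is a tag or branch and can be moved; pin a full commit SHA"))
        elif kind == "short-sha":
            findings.append(Finding(line, ref, "unpinned-uses",
                f"{version!r} is an abbreviated SHA; pin the full 40-character SHA"))
        elif kind == "sha":
            known = upstream_commits.get(owner_repo)
            if known is not None and version not in known:
                findings.append(Finding(line, ref, "impostor-commit",
                    f"{version} is not reachable from any ref of {owner_repo}; "
                    "it may exist only on a fork"))
    return findings


# Constructed sample workflow (not an earthaccess file).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: astral-sh/setup-uv@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@fedcba9876543210fedcba9876543210fedcba98
      - uses: some-org/some-action@fedcba9
"""

# Constructed stand-in for the upstreams' reachable commits. The SHAs are
# made up; in practice populate this from a fetch of the upstream's refs.
CONSTRUCTED_UPSTREAM = {
    "actions/setup-python": {"0123456789abcdef0123456789abcdef01234567"},
    # the pin on sample line 12 is deliberately NOT in this set
    "some-org/some-action": {"1111111111111111111111111111111111111111"},
}


def audit_sample():
    return audit_workflow(SAMPLE_WORKFLOW, CONSTRUCTED_UPSTREAM)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"line {f.line}: {f.rule}: {f.ref}: {f.message}")
```

On the sample this reports lines 7, 9 and 13 as unpinned-uses and line 12 as impostor-commit; line 8 is a full SHA that the upstream actually contains and passes. The upstream map is the part that cannot be computed offline: for a real check, fetch the upstream repository's refs (never the fork's) and test reachability with `git merge-base --is-ancestor <sha> <ref>`, or ask GitHub whether the commit belongs to the upstream repository; zizmor's impostor-commit audit needs GitHub API access for the same reason. A tag whose name happens to be hex-only would be misread by SHORT_SHA_RE, which is an acceptable false positive for a linter but worth knowing.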

@github-actions

github-actions Bot commented Mar 23, 2026

Binder 👈 Launch a binder notebook on this branch for commit a94514e

I will automatically update this comment whenever this PR is modified

Binder 👈 Launch a binder notebook on this branch for commit da6116d

Binder 👈 Launch a binder notebook on this branch for commit 3b1fce9

Binder 👈 Launch a binder notebook on this branch for commit 8eef81a

Binder 👈 Launch a binder notebook on this branch for commit 05bc0b3

Binder 👈 Launch a binder notebook on this branch for commit 5bcb47f

Binder 👈 Launch a binder notebook on this branch for commit f76068a

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@mfisher87 mfisher87 changed the title from "Add Zizmor for GHA security linting" to "Add Zizmor for GHA security auditing" Mar 24, 2026
@mfisher87 mfisher87 marked this pull request as ready for review March 30, 2026 20:17
@mfisher87
Member Author

Integration tests are failing for reasons unrelated to this PR.

Comment thread .github/dependabot.yml Outdated
chuckwondo
chuckwondo previously approved these changes Mar 31, 2026
Contributor

@chuckwondo chuckwondo left a comment


Fantastic! Thank you @mfisher87.

Just a comment about cooldown days, and wondering if you have any suggestions for the 2 items that zizmor flagged?

Comment thread .github/dependabot.yml Outdated
@mfisher87
Member Author

if you have any suggestions for the 2 items that zizmor flagged?

Those are pre-existing issues that I guess zizmor flagged because I touched code around them. I think we should tackle those (and other alerts that Zizmor raised) in separate PRs -- I currently don't have thoughts on how to fix them :D

@mfisher87
Member Author

earthmover's website seems to be down, causing the check-links failure

@mfisher87 mfisher87 merged commit efa52cc into main Mar 31, 2026
10 of 15 checks passed
@mfisher87 mfisher87 deleted the gha-linter branch March 31, 2026 17:55


Development

Successfully merging this pull request may close these issues.

Audit GitHub Actions for security

3 participants