security: run zizmor on GH actions, fix warnings

* https://woodruffw.github.io/zizmor/audits/#artipacked.
  actions/checkout will by default persist git configuration
  for the duration of the workflow, which is not necessary in this case.

Author: andrewpollack

.github/workflows/checks.yml

@@ -6,6 +6,8 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install Python dependencies
         uses: py-actions/py-dependency-install@v4
         with: