
Lock down GitHub Actions Security #1256

Open
briansmith opened this issue Apr 26, 2021 · 1 comment

Comments

@briansmith
Owner

Over the weekend, I merged PR #1253 which minimizes the permissions of the GitHub token. I also changed the default permission of the GitHub token from read-write to read-only in the repository settings, but I don't think people can see this.

Now we still need to follow the (rest of the) guidance in https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions to lock down our CI/CD.

Further, we need to ensure that all the dependencies of ring have implemented that guidance.

Further, we need to extend our CI/CD to ensure that no new dependencies without such hardening are added as dependencies of ring.

@briansmith
Owner Author

  • I audited the (use of) secrets in this repository. There were two secrets. One was a test secret; it was never used and I removed it. The other was a codecov token that I intended to use to make the codecov jobs more reliable; I never got around to using it and the reliability issues with codecov seem to have been fixed without it, so I removed it. Now there are no secrets in this repository.
  • #1258 (PR CI/CD: Remove optimization for repository owner's PRs.) removes the optimization that I put in place to avoid mostly-duplicate CI job runs for my own PRs. See that PR for details.
  • #1257 (PR CI/CD: Use my own fork of (third-party) GitHub Actions.) switches this repo to use forks of each (third-party) action I use. See briansmith/untrusted#50 (comment) (Lock down GitHub Actions Security) for the reasoning behind this approach.
  • Except for its (implicit) use by actions/checkout, I don't use the GitHub Token.
  • I verified no deploy keys, GitHub app tokens, personal access tokens, or SSH keys are used.
  • I verified no self-hosted runners are used.

See briansmith/untrusted#50 regarding TODOs; in general everything I wrote there applies to this repo too.
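The two comments above amount to a hardening checklist for a repository's workflows: a minimal GITHUB_TOKEN, the rest of GitHub's hardening guide, an audit of secrets, no self-hosted runners, and no trust in third-party actions at mutable refs. The following is an added example, not code from the ring project or its author: a dependency-free Python audit that scans a workflow file for those points. It flags a missing `permissions:` block, `uses:` references not pinned to a full 40-hex commit SHA (the hardening guide's recommendation; the author chose forks instead, which this check does not model), every `secrets.*` reference, `self-hosted` runners, the `pull_request_target` trigger, and `${{ github.event.* }}` or `github.head_ref` values interpolated into steps (the script-injection pattern the guide warns about). Both embedded workflow files are constructed samples, the 40-character SHA is a placeholder rather than a real actions/checkout commit, and the regex scan is a heuristic, not a YAML parser.

```python
"""Added example (not ring's code): heuristic audit of a GitHub Actions
workflow for the hardening points discussed in this issue.

Regex-based so it needs no PyYAML; treat it as a checklist aid, not a parser.
"""
import glob
import re
import sys

# Constructed sample workflows; neither is a real ring CI file.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request_target]
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v2
      - uses: codecov/codecov-action@v1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
      - run: echo "${{ github.event.pull_request.title }}"
"""

HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Placeholder 40-hex SHA for illustration, not a real actions/checkout commit.
      - uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
      - run: cargo test
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SECRET_RE = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
SELF_HOSTED_RE = re.compile(r"^\s*runs-on:.*\bself-hosted\b", re.M)
# Coarse match for attacker-controlled event fields the hardening guide lists
# (titles, bodies, commit messages, branch names, author names/emails).
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:[\w.*]+\.)?"
    r"(?:title|body|message|ref|label|name|email|page_name))\s*\}\}"
)


def find_unpinned_actions(text):
    """Return uses: refs whose version is a tag/branch rather than a 40-hex commit SHA."""
    unpinned = []
    for m in USES_RE.finditer(text):
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or container actions carry no git ref to pin
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def audit_workflow(text):
    """Return a list of findings for one workflow file (empty list means clean)."""
    findings = []
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("no permissions block: GITHUB_TOKEN inherits the repository default")
    for ref in find_unpinned_actions(text):
        findings.append(f"unpinned action: {ref}")
    for name in sorted(set(SECRET_RE.findall(text))):
        findings.append(f"secret used: {name}")
    if SELF_HOSTED_RE.search(text):
        findings.append("self-hosted runner")
    if re.search(r"\bpull_request_target\b", text):
        findings.append("pull_request_target trigger: fork PRs run with the base repo's token")
    for m in UNTRUSTED_RE.finditer(text):
        findings.append(f"untrusted input interpolated: {m.group(0)}")
    return findings


def audit_paths(paths):
    """Audit real workflow files, e.g. glob.glob('.github/workflows/*.yml')."""
    results = {}
    for p in paths:
        with open(p, encoding="utf-8") as fh:
            results[p] = audit_workflow(fh.read())
    return results


if __name__ == "__main__":
    paths = sys.argv[1:] or glob.glob(".github/workflows/*.y*ml")
    results = audit_paths(paths) if paths else {
        "WEAK_WORKFLOW (constructed)": audit_workflow(WEAK_WORKFLOW),
        "HARDENED_WORKFLOW (constructed)": audit_workflow(HARDENED_WORKFLOW),
    }
    for path, findings in results.items():
        print(f"{path}: {'clean' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
    sys.exit(1 if any(results.values()) else 0)
```

Run it from a repository root with no arguments and it scans `.github/workflows/`, exiting non-zero on any finding, which is the shape needed for the issue's last point (a CI gate that refuses new unhardened workflows); pointed at the constructed samples it reports every finding for the weak file and none for the hardened one. The SHA check is stricter than the forking approach described in the comments: a forked action at a tag still shows up as unpinned, so a repository using forks would extend `find_unpinned_actions` with an allow-list of its own fork owners.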
