ci: add GitHub Actions workflow for Zig tests #193

Closed
unliftedq wants to merge 4 commits into justrach:main from unliftedq:add-test-pipeline

Conversation

@unliftedq (Contributor)

Introduced a new test pipeline to make sure there are no unexpected regressions.

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1f4b49d87b

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +42 to +43
curl -L "https://ziglang.org/download/${ZIG_VERSION}/${{ matrix.zig_archive }}" -o zig.tar.xz
tar -xf zig.tar.xz
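Review bot: `curl -L "https://ziglang.org/download/${ZIG_VERSION}/${{ matrix.zig_archive }}" -o zig.tar.xz` has no `--fail`, so an HTTP error response (a 404 for a version that is not published for that archive name, or an outage page) is written to zig.tar.xz with a zero exit status and the step only dies later inside `tar -xf zig.tar.xz` with an opaque "not in xz format" style message; add `--fail` (and `--retry` if transient failures are a concern) so the download step itself fails. Separately, nothing between the download and `tar -xf zig.tar.xz` checks what was fetched: pin the expected SHA-256 of each archive alongside ZIG_VERSION and run it through `sha256sum -c` before extracting, so a substituted archive fails the job instead of being executed by the following test steps.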

P1: Verify Zig download before executing in CI

In .github/workflows/zig-tests.yml (checked the Install Zig steps for both non-Windows and Windows), the workflow downloads Zig archives directly from the network and immediately extracts/runs them without any checksum or signature verification. This creates a supply-chain risk: if the download endpoint or transit path is compromised, attacker-controlled binaries can execute in CI (including push runs where secrets may be present). Add an integrity check (e.g., pinned SHA-256 per archive/version, or verified signature) before extraction in both install branches.

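The integrity check the review asks for, written out as an added example (this is not code from the PR or from the Zig project): a POSIX shell helper that fetches an archive with `curl --fail`, compares its SHA-256 against a digest pinned in the workflow, and only then extracts it. The function names (`sha256_of`, `verify_sha256`, `fetch_and_extract`, `demo`) are assumptions for illustration; the demo builds a constructed local archive so it runs offline, and the pinned digest is derived from that constructed file. In a real workflow the pinned value is the SHA-256 the Zig project publishes for that release archive, copied into the workflow next to ZIG_VERSION rather than computed at run time.

```shell
#!/bin/sh
# Added example: download-then-verify-then-extract for a CI step.
# Pinning the digest in the workflow file means a substituted archive
# (compromised endpoint, hijacked transit, bad mirror) fails the job
# before anything from it is executed.
set -eu

# Print the hex SHA-256 of a file. GNU coreutils ships sha256sum;
# macOS runners have shasum instead. Both print "<hex>  <name>".
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX: 0 on match, 1 (with a message) otherwise.
verify_sha256() {
  verify_actual=$(sha256_of "$1")
  if [ "$verify_actual" = "$2" ]; then
    return 0
  fi
  echo "checksum mismatch for $1: expected $2, got $verify_actual" >&2
  return 1
}

# fetch_and_extract URL OUTFILE EXPECTED_HEX
# --fail turns an HTTP error page into a non-zero exit instead of a bogus
# archive; verification happens before tar touches the file.
fetch_and_extract() {
  curl --fail --location --silent --show-error "$1" -o "$2"
  verify_sha256 "$2" "$3"
  tar -xf "$2"
}

# Offline demonstration with a constructed archive standing in for the
# Zig tarball: an intact download passes, a tampered one is rejected.
demo() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  mkdir "$tmp/zig-stub"
  printf 'constructed stand-in for a Zig release, not a real archive\n' > "$tmp/zig-stub/README"
  ( cd "$tmp" && tar -cf zig.tar zig-stub )
  # Here the pin is taken from the constructed file; in CI it is a
  # literal copied from the upstream checksum, never from the download.
  pinned=$(sha256_of "$tmp/zig.tar")
  verify_sha256 "$tmp/zig.tar" "$pinned" && echo "pinned digest matches: safe to extract"
  printf 'X' >> "$tmp/zig.tar"   # simulate a modified archive
  if verify_sha256 "$tmp/zig.tar" "$pinned"; then
    echo "BUG: tampered archive accepted" >&2
    return 1
  fi
  echo "tampered archive rejected before extraction"
}

demo
```

In the workflow this replaces the two-line download/extract with `fetch_and_extract "https://ziglang.org/download/${ZIG_VERSION}/${{ matrix.zig_archive }}" zig.tar.xz "$PINNED_SHA256"`, with one pinned digest per matrix archive. The Windows install branch needs the same gate in its own shell; PowerShell's `Get-FileHash -Algorithm SHA256` gives the digest to compare against before `Expand-Archive` runs.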

@justrach (Owner) left a comment

Thanks for wiring up the Zig test workflow. This is useful.

One blocking issue before merge: both Zig install branches currently download archives from the network and immediately extract/run them without any integrity verification. Please pin and verify the archive checksum (or another equivalent integrity mechanism) for both the Unix and Windows downloads before extraction.

Once that is in, rerun the workflow and tag @codex review again.

@unliftedq unliftedq closed this Apr 14, 2026
@unliftedq unliftedq deleted the add-test-pipeline branch April 14, 2026 02:55