Secure some GH Actions and use ubuntu-slim for some workflows

[weiji14]

Gradually securing our GitHub Actions workflows a bit, tackling some low-hanging fruit for now identified by Zizmor:

• https://docs.zizmor.sh/audits/#dependabot-cooldown
• https://docs.zizmor.sh/audits/#template-injection
• https://docs.zizmor.sh/audits/#unpinned-uses
• there are more, but will tackle them in the future as they are more involved

Also switching from ubuntu-latest to ubuntu-slim for some lightweight workflows (https://github.blog/changelog/2025-10-28-1-vcpu-linux-runner-now-available-in-github-actions-in-public-preview/) to save a bit of energy.

Note: I've also changed some settings at https://github.com/pangeo-data/pangeo-docker-images/settings/actions to tighthen up the permissions, so it'll be harder for breaches in general.

[scottyhq]

Cool, had not heard of zizmor before! Agreed this seems like a good idea, especially for repositories like this that build on PRs and do things like slash commands :)

Also switching from ubuntu-latest to ubuntu-slim for some lightweight workflows (https://github.blog/changelog/2025-10-28-1-vcpu-linux-runner-now-available-in-github-actions-in-public-preview/) to save a bit of energy.

great!

[scottyhq]

I didn't realize at first that the inline semver (#0.1.4) comment is important:

Dependabot updates the version documentation of GitHub Actions when the comment is on the same line, such as actions/checkout@<commit> #<tag or link> or actions/checkout@<tag> #<tag or link>.

(from https://docs.github.com/en/actions/reference/security/secure-use#keeping-the-actions-in-your-workflows-secure-and-up-to-date)

[weiji14]

Yeah, it's pretty neat that dependabot updates the tag too!