fix: various actions workflow security improvements (#17651)

* fix: set persist-credentials explicitly for checkout

https://woodruffw.github.io/zizmor/audits/#artipacked

* fix: minimize permissions scope for workflows

https://woodruffw.github.io/zizmor/audits/#excessive-permissions

* fix: remove potential template injections

https://woodruffw.github.io/zizmor/audits/#template-injection

* fix: only pass needed secrets in workflow_call

https://woodruffw.github.io/zizmor/audits/#secrets-inherit

* fix: push perm for single-arch build jobs

I hadn't realised these push to the registry too :x

* chore: fix formatting

* fix: $

* fix: retag job quoting

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

.github/workflows/fix-format.yml

@@ -4,11 +4,14 @@ on:
   pull_request:
     types: [labeled]
 
+permissions: {}
+
 jobs:
   fix-formatting:
     runs-on: ubuntu-latest
     if: ${{ github.event.label.name == 'fix:formatting' }}
     permissions:
+      contents: write
       pull-requests: write
     steps:
       - name: Generate a token
@@ -23,6 +26,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           token: ${{ steps.generate-token.outputs.token }}
+          persist-credentials: true
 
       - name: Setup Node
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4