This PR includes changes from #15261 . So, if this PR gets merged, #15261 may be closed.

Changes applied:

• Pin actions by SHA
• Setup cooldown period for Dependabot (7 days)
• Ignored dangerous-triggers rule for pull_request_target and workflow_run (checked that they are used in a safe way)
• Specified minimal permissions on workflow level, moved permissions to the job level
• Ignored secrets-outside-env rule as using the environments would require approval for each run (and without required approvals it wouldn't make sense)
• Added persist-credentials: false for actions/checkout when persisting is not needed by other steps
• Specified version of uv to install for astral-sh/setup-uv (Note that Dependabot will not upgrade it, but Renovate can do it)
• Ignored template-injection rule when input comes from trusted source (workflow_dispatch or schedule)
• Fixed template-injection in other cases
• Disabled cache for deploy-docs workflow (see https://docs.zizmor.sh/audits/#cache-poisoning). Not completely sure we need this as uv has internal defense mechanism against cache poisoning
• Specified run condition in latest-changes to make it clear that it only runs for merged PRs
• Replaced uvx prek command with uv run prek - uvx uses latest version (unpinned), it's better to use locked version
• Added branch filter in notify-translations - it's recommended practice for pull_request_target triggers and in this case it shouldn't break anything
• Added zizmor pre-commit hook (there are multiple options, but I think this way is more convenient) - tested by introducing issue (see)