Harden CI workflows and actions

- SHA-pin all external actions (checkout v6.0.2, setup-node v6.4.0, foundry-toolchain v1.8.0, slither-action v0.4.2)
- Remove custom PAT (ZKEVM_BRIDGE_CONTRACTS_GITHUB_TOKEN), use native github.token scoped to the coverage publish step
- Add permissions: {} at workflow level with least-privilege job-level permissions
- Add persist-credentials: false to all checkout steps
- Collapse four on-push workflows (e2e, lint, static-analysis, test) into a single ci.yml with parallel jobs
- Extract setup-node and setup-foundry composite actions to centralize SHA pins
- Remove borales/actions-yarn (yarn is pre-installed on runners) and node-cache action (replaced by setup-node built-in caching)
- Harden yarn install with --frozen-lockfile --ignore-scripts --non-interactive
- Rewrite coverage action in TypeScript (node16 → node20), using context.repo instead of hardcoded owner/repo, with ESLint + Rollup build toolchain on pnpm
- Add Dependabot configuration for github-actions and npm ecosystems
- Resolves all zizmor findings

Author: mw-w

.github/actions/coverage/.gitignore

@@ -0,0 +1 @@
+node_modules

.github/actions/coverage/action.yml

@@ -1,12 +1,14 @@
----
-name: 'Publish coverage report'
-description: 'Create or update PR comment with coverage report'
+name: "Publish coverage report"
+description: "Create or update PR comment with coverage report"
 
 inputs:
-  coverage: 
+  coverage:
     description: The coverage report to publish
     required: true
+  github-token:
+    description: "GitHub token for PR comment access"
+    required: true
 
 runs:
-  using: 'node16'
-  main: 'index.js'
+  using: "node20"
+  main: "dist/index.js"