chore: cleanup gh actions (#46454)

## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

Chore, CI hardening


## Additional context

Hardens all GitHub actions to recommendations of
[zizmor](https://docs.zizmor.sh/audits/)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Disabled persistence of checkout credentials across many CI workflows
to reduce credential exposure.
* Upgraded GitHub App token tooling and tightened generated token
permissions for automation.
* Added cooldown/rate-limiting to dependency update automation to reduce
update churn.
* Adjusted workflow-level permissions, required secret inputs for
workflow callers, and refactored some job step logic.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/supabase/supabase/pull/46454?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Ali Waseem <waseema393@gmail.com>

.github/workflows/validate-pr.yml

@@ -5,8 +5,7 @@ on:
   pull_request:
     types: [opened, labeled, unlabeled, synchronize, ready_for_review]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   validate-pr: