Zizmor fixes

[weiji14]

Follow up to #754 to apply more security related fixes.

Will need to check https://github.com/icesat2py/icepyx/security/code-scanning?query=is%3Aopen+branch%3Adevelopment+tool%3Azizmor (after this PR is merged into the development branch) to ensure all issues have been resolved

TODO:

• Fix dependabot-cooldown
• Fix artipacked
• Fix unpinned-uses
• Fix excessive-permissions
• etc

[github-actions]

👈 Launch a binder notebook on this branch for commit 07914d0

I will automatically update this comment whenever this PR is modified

👈 Launch a binder notebook on this branch for commit 305ece3

👈 Launch a binder notebook on this branch for commit 42192b9

👈 Launch a binder notebook on this branch for commit c44c0f2

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.22%. Comparing base (31e208a) to head (c44c0f2).

Additional details and impacted files

@@             Coverage Diff              @@
##           development     #756   +/-   ##
============================================
  Coverage        77.22%   77.22%           
============================================
  Files               42       42           
  Lines             3231     3231           
  Branches           401      401           
============================================
  Hits              2495     2495           
  Misses             603      603           
  Partials           133      133           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[weiji14]

Ok, have fixed most issues except for one that is more complicated. See below.

[weiji14]

Secure way would be to use pull_request instead of pull_request_target trigger. E.g. following https://mybinder.readthedocs.io/en/latest/howto/gh-actions-badges.html#example-2-comment-with-a-binder-badge-in-response-to-a-comment

Yes, slightly more complicated, but I've done it before at pangeo-data/pangeo-docker-images#631. This will require a change in behaviour, in that someone (with the proper permissions) has to write a comment with /binder to have the Binder button show up. I can go ahead with this if that's ok?

[weiji14]

This workflow_run trigger is apparently dangerous, but also I'm not too sure how to avoid it 🙃. I think the key is that we want the unit tests to be re-ran after the UML diagram commit, need to think of how it can be done more safely.