Add zizmor to pre-commit and fix findings

[hugovk]

Follow on from #1811.

Add zizmor to pre-commit and fix findings.

Update other pre-commit hooks.

Add handy env vars:
FORCE_COLOR: 1
RUFF_OUTPUT_FORMAT: github

Replace pre-commit with prek to remove Node.js 20 deprecation warning and unpinned transitive dependencies.

[StanFromIreland]

I don't like the false sense of security this gives us, this comment makes this seem fail-safe.

[hugovk]

It's a copy-paste from python/cpython#141866 which references https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns.

Nothing is fail-safe in security, there are many things we can do to protect against these attacks, and this is a good one. They layer on top of each other.

[StanFromIreland]

Indeed, I find the comment additionally misleading. I suggest either:

• Removing it.
• Adding a link to the Dependabot issue highlighting the flaw in their cooldown system.

[hugovk]

Let's ask @gpshead who wrote the comment and @woodruffw who wrote the blog post.

[gpshead]

Dependency cooldowns are not a false sense of security. most supply chain attacks are found and fixed and yanked from the upstream package distribution ecosystems within a few days. I don't think we should block this PR on wanting the comment better, but we should apply any edit making it better to all places we've added this.

dependabot defaults to not having a cooldown - https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown- - this is simply how we enable the good thing. (it'd be great if they changed their default in light of the modern world, but that's not our problem to solve)

[StanFromIreland]

I’d like to clarify that I’m not against cooldowns (in fact, I support the idea). However, Dependabots implementation is poor, and any threat actor can easily circumvent it (dependabot/dependabot-core#13078).