@vszakats vszakats commented Oct 23, 2025

Some workflows don't test in a PR. I tried making sure all modifications
were tested elsewhere or locally, but breaking something is not out of
possibility.

  • add zizmor in pedantic mode.
  • add actionlint and fix warnings found.
  • add comment saying why we need package: write perms.
  • avoid GHA macros in shell commands. Pass them as envs instead.
  • build_master_dev: delete duplicate steps saving cosign keys.
  • build*: delete steps extracting cosign.pub.
    The file is in the git repo root.
  • add typos-cli spellcheck job.
  • improve apt performance.
  • reduce apt log noise.
  • set/adjust concurrency.
  • prefer secrets.GITHUB_TOKEN over github.token.
    To match other curl repos and highlight it's a secret.
  • fix typos.
  • fix some issues reported by yamllint.
  • 01-design.md: replace UTF-8 line-drawing chars with ASCII-7.
  • install first, then checkout repo source.
  • fixup whitespace.
  • replace grype and trivy curl-to-shell installers with Linuxbrew installs.
  • replace undefined matrix variables ${{ matrix.build.name }}
    with static names.
  • pass cosign signing key via stdin, to avoid saving secrets to disk.
  • pass secrets to podman and docker via stdin, also to avoid docker
    message:
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
  • drop interim envs when passing creds to redhat-actions/podman-login.
    Tested OK via build_ci_multi_images.
  • drop empty build matrices, with a single item and an unused value.
  • build_ci_multi_images:
    • make it work in PRs, without secrets.
    • split login tests into their own workflow.
    • add login test for ghcr.io.
    • add login test for ghcr.io without redhat-actions/podman-login.

https://github.com/curl/curl-container/pull/94/files?w=1

A bunch of ideas I did not do in PR:

  • think about a way to test the other steps in a PR (perhaps in a PR fork it'd work with the secrets set).
  • replace redhat-actions/podman-login action with podman login command for ghcr.io logins.
    They do the same, though our command invocation is a bit more secure.
    The action logs out, which is a plus, though it's already not done for podman/docker accounts.
  • maybe replace ghcr.io user github.actor with github.repository_owner (=curl)? GH token works with both.
  • maybe replace sigstore/cosign-installer action with Linuxbrew. not pinned, with its upsides and downsides.
  • add newlines between job steps? My editor gets syntax coloring wrong without one after multi-line items (selfish reason!)
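Two of the items above (avoiding GHA `${{ }}` macros inside `run:` scripts, and feeding registry passwords via stdin) are worth seeing side by side. The following is an added, constructed workflow fragment written for this page, not a workflow from the curl-container repository; the job and step names are made up, and the `packages: write` permission is assumed because the step is meant to push to ghcr.io:

```yaml
name: login-example            # constructed example, not curl-container's own workflow
on:
  pull_request:

# Least privilege by default; only the job that pushes asks for more.
permissions:
  contents: read

jobs:
  login:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write          # needed to push images to ghcr.io (assumed for this example)
    steps:
      # Before: expressions expanded directly inside the shell script.
      # The runner substitutes the text before the shell runs, so any
      # untrusted value (a PR title, a branch name) becomes shell syntax,
      # and the token is visible in the process argument list.
      #
      #   - run: |
      #       echo "Building ${{ github.event.pull_request.title }}"
      #       docker login ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}
      #
      # After: expressions are passed through `env:`. The shell only ever
      # sees ordinary variables, normal quoting applies, and the password
      # reaches the client on stdin instead of argv, which also silences the
      # "Using --password via the CLI is insecure" warning quoted above.
      - name: Log in to ghcr.io
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "Building: $PR_TITLE"
          printf '%s' "$REGISTRY_TOKEN" | docker login ghcr.io -u "$REGISTRY_USER" --password-stdin
          printf '%s' "$REGISTRY_TOKEN" | podman login ghcr.io -u "$REGISTRY_USER" --password-stdin
```

The `printf '%s'` avoids appending a newline to the token. On `pull_request` runs from forks `GITHUB_TOKEN` is read-only, so the login succeeds but a push would not; that matches the PR's goal of exercising the login path without any repository secrets.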

@vszakats vszakats force-pushed the ciu branch 2 times, most recently from 86afc26 to 6d4a51d Compare October 23, 2025 16:46
@vszakats vszakats marked this pull request as draft October 23, 2025 21:09
@vszakats vszakats marked this pull request as ready for review November 11, 2025 11:00