Make CI a little bit safer (#13933)

This PR fixes two vulnerabilities in our CI, found with
[zizmor](https://github.com/woodruffw/zizmor). One could be exploited by
someone with tag-pushing permissions to execute arbitrary code in our CI
(see`deploy.yml`). The second vulnerability would expose our tokens to a
supply chain attack via a `build.rs` in one of the dependencies (See the
rest of the files, and https://github.com/actions/checkout/issues/485)

Pre-reviewed by @flip1995 in our DMs.

changelog:none

0 files changed, 0 insertions, 0 deletions