[Feat] Use secrets defined in an environment #7288
Description
Is your feature request related to a problem? Please describe.
A new zizmor rule triggers on secrets used outside an environment.
It is generally a good thing. In most cases, it would make sense to have environments where the secret is defined only there, with other restrictions on when it can be used. In some other cases, like the codecov upload token, which is used in different workflows, it might be better to wait a bit.
Changing the workflows is only part of the job. The other part is to actually define the environments, their rules and restrictions, add the tokens there, and remove the repo-wide tokens.
See the CI logs for the places where zizmor identifies such problems.
Note that due to how it works, that linter cannot know if the secret is actually defined in an environment. It will probably never know either.
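As an added illustration of the change the issue asks for (this is example code, not a workflow from the project or from the issue author), the hypothetical workflow below shows the flagged shape beside the corrected one: the job that uploads coverage is bound to an environment so that `secrets.CODECOV_TOKEN` can be moved out of the repository-wide secrets and into that environment's secrets. The workflow name, the `run-tests.sh` script, the `codecov` environment name and the artifact layout are all assumptions; the action inputs used are the documented `token` and `files` inputs of `codecov/codecov-action`.

```yaml
# Hypothetical workflow (added example, not from the issue's repository).
name: ci

on:
  push:
    branches: [main]
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./run-tests.sh   # assumed script; writes coverage.xml

      # Flagged form: the secret is read in a job that has no `environment:`
      # key, so it can only come from a repository- or organization-level
      # secret that every workflow on every branch can reach.
      #
      # - uses: codecov/codecov-action@v4
      #   with:
      #     token: ${{ secrets.CODECOV_TOKEN }}

      - uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: coverage.xml

  upload-coverage:
    needs: test
    runs-on: ubuntu-latest
    # Corrected form: binding the job to an environment makes
    # `secrets.CODECOV_TOKEN` resolve from that environment's secrets once the
    # token is created there (Settings > Environments > codecov) and deleted
    # from the repo-wide list. The environment's protection rules (required
    # reviewers, deployment-branch restrictions) then gate every use of it.
    environment: codecov
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: coverage
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: coverage.xml
```

Two things worth checking when applying this pattern. First, a job with `environment:` still sees repository-level secrets, so leaving the old repo-wide `CODECOV_TOKEN` in place silently keeps the weaker exposure even though the workflow now looks clean; the environment secret must be created and the repo-wide one removed (with the GitHub CLI, `gh secret set CODECOV_TOKEN --env codecov` and `gh secret delete CODECOV_TOKEN`). Second, that is exactly the gap the issue describes for the linter: zizmor only reads the YAML, so the presence of `environment: codecov` is all it can verify; whether the secret actually lives in that environment is only visible in the repository settings.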