We don't want to add more tools to this repo, as explained in the README under "This repository is minimal on purpose, for security reasons it contains only what is absolutely necessary. [...]". That includes no dependabot, no CodeQL, no zizmor, etc.
It'd be useful to expand a bit on that, on how to use tools asynchronously (or possibly from another repo on a cron job) to perform regular maintenance and scanning for this repo. E.g.:
- gha-update or similar to bump all pins of actions (or is there a newer tool for that now?)
- zizmor to scan for common issues in workflow files
- probably a custom script or an AI tool to go through the repo to check for anything else that isn't pinned
- anything else?
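As an added illustration of the "custom script to check for anything that isn't pinned" item (this is example code written for this discussion, not part of the repo or any of the tools named above), the following scans GitHub Actions workflow files and reports every `uses:` reference that is not pinned to a full 40-character commit SHA. It relies only on the standard library, so it can be run from a scheduled job in another repository against a fresh checkout of this one. The sample workflow text and the action names in it are constructed for the example.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a commit SHA.

Example code for this discussion; assumes it is run from a repository checkout
and that workflows live under .github/workflows as usual.
"""
import re
import sys
from pathlib import Path

# Matches a `uses:` line in a workflow, with or without a leading "- ",
# with or without quotes, and ignores a trailing "# vX.Y.Z" comment:
#   - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?", re.MULTILINE)
# A full commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return a list of (reference, reason) for every `uses:` reference in the
    given workflow text that is not pinned to an immutable identifier."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        if ref.startswith("./"):
            # Local action in the same repo: already fixed by the checked-out commit.
            continue
        if ref.startswith("docker://"):
            # Container actions are pinned by image digest, not by git SHA.
            if "@sha256:" not in ref:
                findings.append((ref, "docker image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append((ref, "no ref given at all (resolves to default branch)"))
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            # Tags and branches are mutable: the same name can later point elsewhere.
            findings.append((ref, f"pinned to mutable ref '{version}', not a commit SHA"))
    return findings


def scan_workflows(workflows_dir=".github/workflows"):
    """Scan every *.yml / *.yaml file in the directory; return {path: findings}."""
    results = {}
    for path in sorted(Path(workflows_dir).glob("*.y*ml")):
        findings = find_unpinned_actions(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample workflow used to demonstrate the check offline.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: "some-org/unversioned-action"
"""

if __name__ == "__main__":
    # With no argument, self-demonstrate on the constructed sample; otherwise scan a directory.
    if len(sys.argv) > 1:
        report = scan_workflows(sys.argv[1])
    else:
        report = {"<sample>": find_unpinned_actions(SAMPLE_WORKFLOW)}
    for path, findings in report.items():
        for ref, reason in findings:
            print(f"{path}: {ref}: {reason}")
    # Non-zero exit lets a scheduled job fail loudly when something is unpinned.
    sys.exit(1 if any(report.values()) else 0)
```

Run with no arguments to see the three unpinned entries in the constructed sample (the mutable `@v5` tag, the digest-less Docker image, and the reference with no ref); run with `.github/workflows` as the argument from a checkout to scan real files. A trailing `# v4.2.2` comment next to a SHA pin is deliberately accepted, since that is the convention that keeps SHA-pinned references readable.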