Update nightly schedule to Tue/Thu at 2 AM PT and fix security issues #329

Merged
brandonpage merged 1 commit into forcedotcom:dev from brandonpage:cleanup-ci-w22712082
May 29, 2026
@brandonpage
Contributor

Summary

Implements W-22712082 — Cleanup CI for all Repos.

Schedule change: Nightly tests now run Tue/Thu at 2 AM PT (0 10 * * 2,4 UTC), up from Wed-only. Alternates with the Templates nightly's Mon/Wed/Fri 2 AM slot.

Security hardening: All workflows updated to follow the GitHub Actions injection-prevention best practices:

  • All third-party actions SHA-pinned with the resolved tag in a comment.
  • Top-level permissions: contents: read added to every workflow, plus per-job permissions: on each uses: reusable caller (zizmor enforces both top-level and job-level checks).
  • Build logs archived on failure: each of the 12 jobs in ios-reusable-workflow.yaml and android-reusable-workflow.yaml now tees test_force.js output to build_logs/<cli>.log and uploads it as package-build-logs-${{ github.job }} on failure (with if-no-files-found: ignore, retention-days: 14).
  • actions/checkout steps set with: persist-credentials: false.

This repo uses pull_request (not pull_request_target) and doesn't pass secrets to its reusables, so no secrets: inherit replacement was needed and no dangerous-triggers finding existed.

After this change, zizmor --offline reports 0 High-confidence findings across all four CI workflows.

Test plan

  • Verified locally with python3 yaml.safe_load, actionlint -shellcheck=, zizmor --offline. All clean.
  • CI verification: opened test PR on personal fork (brandonpage/SalesforceMobileSDK-Package#1) targeting the same cleanup-ci-w22712082 branch as this PR. The test PR triggers the new workflows against a real source change in shared/outputColors.js. No regressions observed — see linked PR for run details.
  • Reviewer to confirm the permissions: blocks match the team's expected privilege levels for each workflow.

🤖 Generated with Claude Code

@brandonpage brandonpage merged commit 457a680 into forcedotcom:dev May 29, 2026
13 of 15 checks passed
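
Three of the hardening items listed in the description above (SHA-pinned actions, a top-level permissions block, persist-credentials: false on checkout) can be spot-checked with a few lines of standard-library Python. This is an added example, not code from the PR or the repository, and not a replacement for zizmor; the function name, both sample workflows and the placeholder SHA are constructed for illustration.

```python
import re
USES = re.compile(r"^(\s*(?:-\s*)?)uses:\s*([^\s#]+)")
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")  # full commit SHA, not a tag or branch

def audit_workflow(text):
    """Return (line_no, message) findings for one workflow file's text."""
    lines, findings = text.splitlines(), []
    if not any(l.startswith("permissions:") for l in lines):  # top-level key = column 0
        findings.append((0, "no top-level permissions block"))
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        key_col, ref = len(m.group(1)), m.group(2)
        if not ref.startswith("./") and not SHA_PIN.search(ref):  # local refs: nothing to pin
            findings.append((i + 1, f"{ref} is not pinned to a commit SHA"))
        if ref.startswith("actions/checkout@"):
            # Step body: lines indented at least to the uses: key (assumes with: follows uses:).
            step = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_col:
                    break
                step.append(nxt)
            if not re.search(r"persist-credentials:\s*false\b", "\n".join(step)):
                findings.append((i + 1, "checkout leaves credentials persisted"))
    return findings

# Constructed samples, not the repository's workflows; FAKE_SHA is a placeholder.
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"
WEAK = """\
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@v4
"""
HARDENED = f"""\
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{FAKE_SHA} # v4
        with:
          persist-credentials: false
"""
```

Line number 0 marks a file-level finding; job-level permissions blocks are indented and so do not satisfy the top-level check.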