chore(ci): better zizmor (#190)

Configure zizmor to be simple pass/fail gate, and fix the couple lints
that snuck in.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

Author: willmurphyscode

.github/dependabot.yaml

@@ -7,6 +7,8 @@ updates:
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
@@ -15,6 +17,8 @@ updates:
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/.github/actions/bootstrap"
@@ -23,3 +27,5 @@ updates:
     open-pull-requests-limit: 10
     labels:
       - "dependencies"
+    cooldown:
+      default-days: 7

.github/workflows/validate-github-actions.yaml

@@ -21,7 +21,6 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      security-events: write  # for uploading SARIF results
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -30,6 +29,7 @@ jobs:
       - name: "Run zizmor"
         uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
         with:
-          config-file: .github/zizmor.yml
-          sarif-upload: true
+          config: .github/zizmor.yml
+          # Disable SARIF upload so the step is a simple pass/fail gate
+          advanced-security: false
           inputs: .github

.github/zizmor.yml

@@ -0,0 +1,6 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # anchore/workflows is an internal repository; using @main is acceptable
+        anchore/*: any