Add comments to zizmor suppression config

Explain why each rule is suppressed to aid future reviewers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

.github/zizmor.yml

@@ -1,9 +1,15 @@
 rules:
+  # Internal reusable workflows (smallstep/*@main) intentionally track
+  # the main branch for centralized CI management. Pinning to a SHA
+  # would defeat the purpose of the shared workflows repo.
   unpinned-uses:
     ignore:
       - code-scan.yml:12
       - goreleaser.yml:133
       - goreleaser.yml:141
+  # These workflows either lack a top-level `permissions:` block
+  # (using GitHub defaults) or delegate to reusable workflows that
+  # declare their own minimal permissions internally.
   excessive-permissions:
     ignore:
       - ci.yml:1