Use local file ref in code-scan.yml instead of smallstep/workflows@main

code-scan.yml references codeql-analysis.yml within the same repo, so
use ./.github/workflows/ instead of the cross-repo @main ref. Removes
the corresponding unpinned-uses zizmor suppression.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

.github/workflows/code-scan.yml

@@ -9,4 +9,4 @@ on:
 jobs:
   codeql:
     if: inputs.run-codeql
-    uses: smallstep/workflows/.github/workflows/codeql-analysis.yml@main
+    uses: ./.github/workflows/codeql-analysis.yml

.github/zizmor.yml

@@ -4,7 +4,6 @@ rules:
   # would defeat the purpose of the shared workflows repo.
   unpinned-uses:
     ignore:
-      - code-scan.yml:12
       - goreleaser.yml:133
       - goreleaser.yml:141
   # These workflows either lack a top-level `permissions:` block