Fix zizmor security findings and add suppression config

- Fix template injection in docker-buildx-push.yml (cosign step)
- Fix spoofable bot-conditions in dependabot-auto-merge.yml
- Add .github/zizmor.yml with targeted ignores for intentional patterns
  (internal unpinned-uses, excessive-permissions on reusable callers)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

.github/workflows/dependabot-auto-merge.yml

@@ -11,7 +11,7 @@ permissions: {}
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     permissions:
       contents: write
       pull-requests: write

.github/workflows/docker-buildx-push.yml

@@ -69,5 +69,8 @@ jobs:
           build-args: ${{ inputs.docker_build_args }}
       - name: Cosign
         id: cosign
+        env:
+          DOCKER_IMAGE: ${{ inputs.docker_image }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
         run: |
-          cosign sign -r ${{ inputs.docker_image }}@${{ steps.build-and-push.outputs.digest }} --yes
+          cosign sign -r "${DOCKER_IMAGE}@${DIGEST}" --yes

.github/zizmor.yml

@@ -0,0 +1,18 @@
+rules:
+  unpinned-uses:
+    ignore:
+      - code-scan.yml:12
+      - goreleaser.yml:133
+      - goreleaser.yml:141
+  excessive-permissions:
+    ignore:
+      - ci.yml:1
+      - ci.yml:19
+      - ci.yml:35
+      - code-scan.yml:10
+      - goCI.yml:97
+      - goCI.yml:111
+      - goCI.yml:121
+      - goCI.yml:133
+      - goCI.yml:158
+      - sync-winget-fork.yml:9