chore: switch super-linter to allow-list format (#1149)

## Summary
- Switch `super-linter.env` from deny-list (`VALIDATE_X=false`) to
allow-list (`VALIDATE_X=true`)
- Makes explicit which linters run, avoids noise from irrelevant linters
- Drops high-cost/redundant linters: gitleaks (TruffleHog covers this),
checkov, trivy, jscpd, biome (prettier conflict)

## What's enabled
- **Shell**: shellcheck, shfmt
- **Markdown**: markdownlint, prettier
- **Data**: JSON prettier, YAML prettier, dotenv
- **Code**: C#, JavaScript prettier, google-java-format, Go modules,
Python (black, isort, ruff)
- **Cross-language**: editorconfig, actionlint, codespell, merge
conflict markers, renovate

## What's dropped
| Linter | Reason |
|--------|--------|
| gitleaks | TruffleHog workflow already covers secret scanning |
| checkov/trivy | security scanning not needed for examples repo |
| biome | conflicts with prettier |
| jscpd | too noisy for example code with intentional duplication |
| JSONC | covered by JSON prettier |

Happy to add back anything you think is valuable — the goal is to make
the list explicit and trim what doesn't earn its runtime cost.

## Test plan
- [ ] CI lint passes

---------

Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>

Author: zeitlinger

.github/config/super-linter.env

@@ -1,38 +1,42 @@
+DOTNET_GENERATE_ASPNET_CERTIFICATE=false
+DOTNET_NOLOGO=true
 FILTER_REGEX_EXCLUDE=mvnw|examples/dotnet/.gitignore|renovate-tracked-deps.json
 IGNORE_GITIGNORED_FILES=true
 JAVA_FILE_NAME=google_checks.xml
 LOG_LEVEL=ERROR
+NUGET_XMLDOC_MODE=skip
 
-# conflicts with prettier
-VALIDATE_BIOME_FORMAT=false
-# conflicts with prettier
-VALIDATE_BIOME_LINT=false
-# disable kubernetes linter - complains about resource limits, etc
-VALIDATE_CHECKOV=false
-VALIDATE_DOCKERFILE_HADOLINT=false
-VALIDATE_GIT_COMMITLINT=false
-# golangci-lint (non-module mode) can't handle two Go modules; GO_MODULES covers this
-VALIDATE_GO=false
-# we have many duplicate code in our codebase for demo purposes
-VALIDATE_JSCPD=false
-# conflicts with black
-VALIDATE_PYTHON_RUFF_FORMAT=false
+# Keys MUST be sorted alphabetically — dotenv-linter enforces this in CI.
 
-# Avoid redundant work linting C# files
-DOTNET_GENERATE_ASPNET_CERTIFICATE=false
-DOTNET_NOLOGO=true
-NUGET_XMLDOC_MODE=skip
-# excluding examples doesn't seem to work
-VALIDATE_TRIVY=false
+# --- Allow-list: only these linters run ---
+# (switching from deny-list to allow-list for clarity and performance)
+
+VALIDATE_BASH=true
+VALIDATE_CSHARP=true
+VALIDATE_EDITORCONFIG=true
+VALIDATE_ENV=true
+VALIDATE_GITHUB_ACTIONS=true
+VALIDATE_GIT_MERGE_CONFLICT_MARKERS=true
+VALIDATE_GOOGLE_JAVA_FORMAT=true
+VALIDATE_GO_MODULES=true
+VALIDATE_JAVASCRIPT_PRETTIER=true
+VALIDATE_JSON_PRETTIER=true
+VALIDATE_MARKDOWN=true
+VALIDATE_MARKDOWN_PRETTIER=true
+VALIDATE_PYTHON_BLACK=true
+VALIDATE_PYTHON_ISORT=true
+VALIDATE_PYTHON_RUFF=true
+VALIDATE_RENOVATE=true
+VALIDATE_SHELL_SHFMT=true
+VALIDATE_SPELL_CODESPELL=true
+VALIDATE_YAML_PRETTIER=true
 
+# --- Autofix ---
 FIX_CSHARP=true
 FIX_ENV=true
 FIX_GOOGLE_JAVA_FORMAT=true
 FIX_GO_MODULES=true
 FIX_JAVASCRIPT_PRETTIER=true
-FIX_JSON=true
-FIX_JSONC=true
-FIX_JSONC_PRETTIER=true
 FIX_JSON_PRETTIER=true
 FIX_MARKDOWN=true
 FIX_MARKDOWN_PRETTIER=true