Add zizmor and frizbee CI checks

Add caller workflows for zizmor (security scanning) and frizbee
(action pinning verification). Fix zizmor findings where applicable
and add suppression config for intentional patterns.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

.github/workflows/frizbee.yml

@@ -0,0 +1,16 @@
+name: Frizbee pinning check
+on:
+  push:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  frizbee:
+    uses: smallstep/workflows/.github/workflows/frizbee.yml@main
+    secrets: inherit

.github/workflows/release.yml

@@ -31,9 +31,11 @@ jobs:
     steps:
       - name: Is Pre-release
         id: is_prerelease
+        env:
+          REF: ${{ github.ref }}
         run: |
           set +e
-          echo ${{ github.ref }} | grep "\-rc.*"
+          echo "${REF}" | grep "\-rc.*"
           OUT=$?
           if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
           echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}"

.github/workflows/zizmor.yml

@@ -0,0 +1,16 @@
+name: Zizmor security scan
+on:
+  push:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    uses: smallstep/workflows/.github/workflows/zizmor.yml@main
+    secrets: inherit

.github/zizmor.yml

@@ -0,0 +1,52 @@
+rules:
+  # Internal reusable workflows (smallstep/*@main) intentionally track
+  # the main branch for centralized CI management. Pinning to a SHA
+  # would defeat the purpose of the shared workflows repo.
+  unpinned-uses:
+    ignore:
+      - actionlint.yml:16
+      - ci.yml:25
+      - code-scan-cron.yml:7
+      - dependabot-auto-merge.yml:10
+      - frizbee.yml:15
+      - release.yml:11
+      - release.yml:80
+      - release.yml:89
+      - release.yml:103
+      - release.yml:117
+      - release.yml:131
+      - triage.yml:19
+      - zizmor.yml:15
+  # Reusable workflow callers require `secrets: inherit` to pass
+  # credentials needed by the shared workflows (e.g. SSH keys, PATs).
+  secrets-inherit:
+    ignore:
+      - actionlint.yml:16
+      - ci.yml:25
+      - dependabot-auto-merge.yml:10
+      - frizbee.yml:15
+      - release.yml:11
+      - release.yml:80
+      - release.yml:89
+      - release.yml:103
+      - release.yml:117
+      - release.yml:131
+      - triage.yml:19
+      - zizmor.yml:15
+  # These workflows either lack a top-level `permissions:` block
+  # (using GitHub defaults) or delegate to reusable workflows that
+  # declare their own minimal permissions internally.
+  excessive-permissions:
+    ignore:
+      - code-scan-cron.yml:6
+      - release.yml:1
+      - release.yml:10
+      - release.yml:14
+  # The triage workflow uses `pull_request_target` to label PRs
+  # from forks. This is safe because the called reusable workflow
+  # does not checkout or execute code from the PR.
+  dangerous-triggers:
+    ignore:
+      - triage.yml:3
+
+