Replace zizmor line-number ignores with policies

Use unpinned-uses config.policies with org-level wildcard and
secrets-inherit disable instead of brittle per-line ignores that
break whenever workflow files change.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

.github/zizmor.yml

@@ -1,43 +1,10 @@
 rules:
-  # Internal reusable workflows (smallstep/*@main) intentionally track
-  # the main branch for centralized CI management. Pinning to a SHA
-  # would defeat the purpose of the shared workflows repo.
   unpinned-uses:
-    ignore:
-      - actionlint.yml:16
-      - ci.yml:25
-      - code-scan-cron.yml:7
-      - dependabot-auto-merge.yml:10
-      - frizbee.yml:15
-      - release.yml:11
-      - release.yml:80
-      - release.yml:89
-      - release.yml:103
-      - release.yml:117
-      - release.yml:131
-      - triage.yml:19
-      - zizmor.yml:15
-  # Reusable workflow callers require `secrets: inherit` to pass
-  # credentials needed by the shared workflows (e.g. SSH keys, PATs).
+    config:
+      policies:
+        "smallstep/*": ref-pin
   secrets-inherit:
-    ignore:
-      - actionlint.yml:16
-      - ci.yml:25
-      - dependabot-auto-merge.yml:10
-      - frizbee.yml:15
-      - release.yml:11
-      - release.yml:80
-      - release.yml:89
-      - release.yml:103
-      - release.yml:117
-      - release.yml:131
-      - triage.yml:19
-      - zizmor.yml:15
-  # The triage workflow uses `pull_request_target` to label PRs
-  # from forks. This is safe because the called reusable workflow
-  # does not checkout or execute code from the PR.
+    disable: true
   dangerous-triggers:
     ignore:
-      - triage.yml:3
-
-
+      - triage.yml