## Description
This PR adds a zizmor security scan to the CI pipeline to analyze new
and existing GitHub Actions workflows under .github/workflows/.
- Runs zizmor on PRs and fails the check when HIGH severity (or above)
issues are found, so they can block merges.
- Runs zizmor on main to produce security reporting (where applicable),
keeping visibility into findings over time.
- Intended to be added as a required status check so workflow-security
regressions can’t land unnoticed.
Reference: coder/registry#642 (comment) / zizmor-action
## Type of Change
- [ ] New module
- [ ] New template
- [ ] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [x] Other - CI / security tooling
## Testing & Validation
- Validation via PR check - opened a test PR with a deliberately risky
workflow and confirmed zizmor reports and blocks on HIGH findings
## Related Issues
coder/registry#642 (comment) / zizmor-action
01365fb61a