CI(zizmor): Add per-repo zizmor security audit workflow

.github/dependabot.yml

@@ -11,6 +11,8 @@ updates:
     commit-message:
       prefix: "Chore"
     open-pull-requests-limit: 15
+    cooldown:
+      default-days: 7
   - package-ecosystem: "uv"
     directory: "/"
     schedule:
@@ -20,3 +22,18 @@ updates:
     open-pull-requests-limit: 15
     exclude-paths:
       - "LICENSES/**"
+    cooldown:
+      default-days: 7
+  # Pip entry exists solely to keep the zizmor pin in
+  # .github/dependabot/zizmor-requirements.txt up to date; that
+  # file is consumed at run-time by .github/workflows/zizmor.yaml
+  # via grep, never installed via pip.
+  - package-ecosystem: "pip"
+    directory: "/.github/dependabot"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "Chore"
+    open-pull-requests-limit: 5
+    cooldown:
+      default-days: 7

.github/dependabot/zizmor-requirements.txt

@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2026 The Linux Foundation
+#
+# Pin for the zizmor static analyser used by
+# .github/workflows/zizmor.yaml.
+#
+# This file exists solely so Dependabot can keep the zizmor version
+# current via its pip ecosystem (see ../dependabot.yml). The
+# workflow reads the pin from this file at run-time with grep; it
+# is never installed by pip itself.
+#
+# Edit format: a single line of `zizmor==<version>`. Do not add
+# other packages here.
+zizmor==1.24.1

.github/workflows/autolabeler.yaml

@@ -12,8 +12,28 @@ on:
       - opened
       - synchronize
       - reopened
-  # pull_request_target is required for autolabeler on PRs from forks
-  pull_request_target:
+  # pull_request_target is required for autolabeler on PRs from forks.
+  #
+  # This use of pull_request_target is safe and does NOT need
+  # manual-approval gating because:
+  #
+  #   1. The workflow performs no checkout of PR code
+  #      (no actions/checkout step).
+  #   2. The workflow body is loaded from the base branch
+  #      (pull_request_target semantics), not from the PR head.
+  #   3. The only step is release-drafter/autolabeler, pinned to
+  #      a commit SHA, which is a pure GitHub-API consumer and
+  #      never executes PR-provided content.
+  #   4. Permissions are scoped to pull-requests: write and
+  #      contents: read; no secrets are exposed to the job.
+  #   5. The runner is hardened with an egress block.
+  #
+  # See the SECURITY block on the autolabel job below for the
+  # full rationale. The zizmor `dangerous-triggers` audit is
+  # silenced here because the conditions it warns about (PR
+  # head code running with elevated privileges) cannot occur in
+  # this workflow.
+  pull_request_target:  # zizmor: ignore[dangerous-triggers]
     types:
       - opened
       - synchronize