github/zizmor: ignore legitimate audit findings #5964

Open
eriknordmark wants to merge 1 commit into lf-edge:master from eriknordmark:zizmor-config

Conversation

@eriknordmark (Contributor)

Description

Adds .github/zizmor.yml so the Zizmor workflow stops reporting the
ten audit findings that are legitimate by design.

The covered findings:

  • dangerous-triggers (5 files) — close-master-pr.yml and
    request_codeowners_review.yml rely on pull_request_target to
    use the base-branch token for writing PR metadata; neither checks
    out PR-controlled code into a trusted context. pr-gate.yml,
    eden-trusted.yml, and cve-scan.yml run on workflow_run after
    a privileged PR build completes and need privileged context to
    write commit statuses and call same-org reusable workflows.

  • unpinned-uses (5 references) — the four calls in
    eden-trusted.yml pin lf-edge/eden's reusable test workflow to
    the release tag aligned with the EVE branch (1.0.15 for current
    stable lines, master for master). Pinning to a commit SHA would
    force a cross-repo bump on every eden patch release. The single
    publish.yml:345 reference is to this repo's own assets.yml at
    @master, which is the documented entry point for tagged release
    builds.

  • secrets-inherit (4 calls, all in eden-trusted.yml) — calls
    the same lf-edge/eden reusable test workflow, inside the
    org-controlled trust boundary. Enumerating the secrets explicitly
    is a cosmetic change and is tracked separately.

Mechanical findings (artipacked, excessive-permissions,
template-injection, secrets-outside-env) are not suppressed
here and will be addressed in dedicated PRs.

PR dependencies

None.

How to test and validate this PR

  • Confirm the Zizmor workflow on this PR completes without reporting
    the listed audits.
  • Spot-check the lf-edge/eve Security → Code scanning view after
    merge: the open-alert count should drop by the ten findings listed
    above (5 dangerous-triggers, 5 unpinned-uses references / 7
    alert rows minus the two we intentionally left open, and 4
    secrets-inherit). The cve-scan.yml:17 and claude-review.yml:46
    unpinned-uses alerts are deliberately not suppressed.
  • No runtime workflow change: the affected workflows still execute
    the same steps.

Changelog notes

None. CI-only change.

PR Backports

  • 16.0-stable: No, master-only CI hygiene.
  • 14.5-stable: No, master-only CI hygiene.
  • 13.4-stable: No, master-only CI hygiene.

Checklist

  • I've provided a proper description
  • I've added the proper documentation
  • I've tested my PR on amd64 device — n/a, CI config only
  • I've tested my PR on arm64 device — n/a, CI config only
  • I've written the test verification instructions
  • I've set the proper labels to this PR
  • I've checked the boxes above, or I've provided a good reason

Five workflows trigger zizmor's dangerous-triggers, unpinned-uses, or
secrets-inherit audits intentionally:

  - close-master-pr.yml and request_codeowners_review.yml need the
    base-branch token granted by pull_request_target to post PR
    metadata and request reviews. Neither checks out PR-controlled
    code into a trusted context.
  - pr-gate.yml, eden-trusted.yml, and cve-scan.yml run on
    workflow_run after a privileged PR build completes, dispatch to
    a reusable workflow inside the trust boundary, and need
    privileged context to write commit statuses.
  - eden-trusted.yml pins lf-edge/eden's reusable test workflow to
    the release tag that matches the EVE branch (1.0.15 for the
    current stable lines, master for master). Pinning to a commit
    SHA would force a cross-repo bump on every eden patch release.
  - publish.yml's @master reference to this repo's own assets.yml
    is the documented entry point for tagged release builds.
  - secrets: inherit on the eden test workflow stays within the
    org-controlled trust boundary; enumerating each secret can be
    done separately without changing that boundary.

Add .github/zizmor.yml with per-rule, per-path ignores covering
exactly those findings. Mechanical findings (artipacked,
excessive-permissions, template-injection, secrets-outside-env) are
not suppressed here and will be addressed in dedicated PRs.

Signed-off-by: eriknordmark <erik@zededa.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
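A `.github/zizmor.yml` in the shape the description outlines, added here as an illustration of zizmor's per-rule, per-path ignore format rather than the file from this PR. The rule ids and workflow file names are the ones named above; the `publish.yml:345` location is quoted from the description, while the whole-file scoping of the other entries is an assumption.

```yaml
# Illustration only; not the zizmor.yml from this PR.
# Format: rules.<audit-id>.ignore lists workflow file names, optionally
# narrowed to a line ("file.yml:LINE") or a line and column ("file.yml:LINE:COL").
rules:
  # pull_request_target / workflow_run are required for the base-branch token
  # and for writing commit statuses; PR-controlled code is not checked out.
  dangerous-triggers:
    ignore:
      - close-master-pr.yml
      - request_codeowners_review.yml
      - pr-gate.yml
      - eden-trusted.yml
      - cve-scan.yml

  # Tag-pinned lf-edge/eden reusable workflow, plus the repo's own
  # assets.yml@master entry point. cve-scan.yml:17 and claude-review.yml:46
  # are deliberately NOT listed so those alerts stay open.
  unpinned-uses:
    ignore:
      - eden-trusted.yml      # whole-file scope is assumed (four tag-pinned references)
      - publish.yml:345       # line taken from the PR description

  # secrets: inherit on the eden test workflow stays inside the org trust boundary.
  secrets-inherit:
    ignore:
      - eden-trusted.yml

# artipacked, excessive-permissions, template-injection and secrets-outside-env
# are intentionally absent: those findings remain reported.
```

A whole-file entry also hides any future finding of that rule in the same file, so where a finding sits on a known line the `file.yml:LINE` form keeps the rest of the file audited.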