fix(ci): add security-events permission and action.yml to zizmor paths

The zizmor-action uploads SARIF results via codeql-action/upload-sarif,
which requires security-events: write. Without it, every run fails with
"Resource not accessible by integration" even when zizmor itself finds
zero issues.

Also add action.yml to the path trigger so the composite action is
scanned on changes (it was previously only scanned on workflow_dispatch).

Author: jpr5

.github/workflows/zizmor.yml

@@ -7,16 +7,19 @@ on:
       - ".github/workflows/**"
       - ".github/actions/**"
       - ".github/zizmor.yml"
+      - "action.yml"
   push:
     branches: [main]
     paths:
       - ".github/workflows/**"
       - ".github/actions/**"
       - ".github/zizmor.yml"
+      - "action.yml"
   workflow_dispatch:
 
 permissions:
   contents: read
+  security-events: write
 
 jobs:
   zizmor: