fix(ci): make zizmor security audit configurable

Adds security-audit (default: true) and security-audit-advanced
(default: false) inputs to the checkout action. Repos can disable
the audit or opt into SARIF upload when they have security-events:
write permission.

Author: jdalton

.github/actions/checkout/action.yml

@@ -10,6 +10,14 @@ inputs:
     description: 'Git ref to checkout'
     required: false
     default: ''
+  security-audit:
+    description: 'Run zizmor security audit on GitHub Actions workflows'
+    required: false
+    default: 'true'
+  security-audit-advanced:
+    description: 'Upload SARIF results to GitHub Code Scanning (requires security-events: write permission)'
+    required: false
+    default: 'false'
   working-directory:
     description: 'Subdirectory to check out into'
     required: false
@@ -33,7 +41,8 @@ runs:
         persist-credentials: false
 
     - name: Audit GitHub Actions
-      if: runner.os != 'Windows'
+      if: inputs.security-audit == 'true' && runner.os != 'Windows'
       uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
       with:
+        advanced-security: ${{ inputs.security-audit-advanced }}
         min-severity: medium