ci: Switch from zizmor.yml to inline comments

Rather than recording which zizmor rules are being skipped in a separate
config file, inline that configuration into the workflows themselves as
comments, to avoid needing to constantly update an extra file as new
lines are added or removed from the workflow.

Signed-off-by: Matt Wozniski <mwozniski@bloomberg.net>

Author: godlygeek

.github/workflows/build_wheels.yml

@@ -289,7 +289,7 @@ jobs:
       fail-fast: false
 
     container:
-      image: alpine
+      image: alpine # zizmor: ignore[unpinned-images]
       options: --cap-add=SYS_PTRACE
 
     steps:
@@ -321,7 +321,7 @@ jobs:
       fail-fast: false
 
     container:
-      image: fedora
+      image: fedora # zizmor: ignore[unpinned-images]
       options: --cap-add=SYS_PTRACE
 
     steps:
@@ -359,7 +359,7 @@ jobs:
       fail-fast: false
 
     container:
-      image: archlinux
+      image: archlinux # zizmor: ignore[unpinned-images]
       options: --cap-add=SYS_PTRACE --security-opt seccomp=unconfined
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -400,7 +400,7 @@ jobs:
       fail-fast: false
 
     container:
-      image: debian
+      image: debian # zizmor: ignore[unpinned-images]
       options: --cap-add=SYS_PTRACE
 
     steps:

.github/workflows/coverage.yml

@@ -71,12 +71,12 @@ jobs:
       - name: Upload Python report to Codecov
         uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]
           files: pycoverage.lcov
           flags: python
       - name: Upload C++ report to Codecov
         uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]
           files: cppcoverage.lcov
           flags: cpp