style: add zizmor config

[2bndy5]

This allows pinning first-party (CI) actions to their tag (instead of commit SHA). For local and cpp-linter org actions (and reusable workflows), this allows pinning to a tag or branch.

Because Zizmor changed their default policy to stricter rule about pinning actions or reusable workflows. See zizmor v1.20 release notes.

Summary by CodeRabbit

• Chores
  • Updated Dependabot configuration with cooldown periods for dependency updates across multiple package managers
  • Added security policy for GitHub Actions version pinning requirements
  • Refined clang installation tooling configuration for consistency
  • Updated spell-check word list

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[2bndy5]

This repo isn't actually using zizmor to lint the CI workflows. But having the config will help adoption later (or other cpp-linter projects that already adopted zizmor).

[coderabbitai]

Walkthrough

Configuration updates across GitHub workflows and tooling: Dependabot cooldown scheduling added to four update groups, CLANG_VERSION environment variable introduced in Clang installation workflow, Zizmor security policy for action pinning established, and spell-check dictionary extended with "cooldown".

Changes

Cohort / File(s)	Summary
GitHub Configuration .github/dependabot.yml, .github/install-clang-action/action.yml, .github/zizmor.yml	Dependabot: Added 7-day cooldown blocks to github-actions, uv, cargo, and npm update groups. Clang action: Introduced CLANG_VERSION environment variable to consolidate version references across Linux, macOS, and fallback installation steps. Zizmor: New policy configuration pinning action versions (actions/, github/, dependabot/) to exact refs while allowing flexibility for cpp-linter/.
Spell-Check Configuration cspell.config.yml	Added "cooldown" to word list for spell-check coverage.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'style: add zizmor config' accurately describes the primary change, which is adding a new Zizmor configuration file (.github/zizmor.yml).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}