fix: resolve Semgrep shell injection and zizmor warnings

- Use env var instead of inline ${{ inputs.mode }} in sync-settings
  composite action to prevent shell injection (Semgrep finding)
- Add if: always() to Trivy step so it runs regardless of Semgrep
  result, preventing missing SARIF upload
- Set zizmor secrets-outside-env to info level (acceptable for
  single-admin personal account without GitHub Environments)

Author: gamaware

.github/actions/security-scan/action.yml

@@ -16,6 +16,7 @@ runs:
         config: auto
 
     - name: Run Trivy vulnerability scanner
+      if: always()
       uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
       with:
         scan-type: fs

.github/actions/sync-settings/action.yml

@@ -36,8 +36,9 @@ runs:
       env:
         GH_TOKEN: ${{ inputs.github_token }}
         REPORT_FILE: reports/sync-report.md
+        SYNC_MODE: ${{ inputs.mode }}
       run: |
-        ./scripts/sync-repo-settings.sh "${{ inputs.mode }}"
+        ./scripts/sync-repo-settings.sh "$SYNC_MODE"
         echo "report_file=reports/sync-report.md" >> "$GITHUB_OUTPUT"
 
     - name: Parse report

zizmor.yml

@@ -3,3 +3,4 @@ rules:
     config:
       policies:
         "*": ref-pin
+  secrets-outside-env: info