chore: bump vendor/zoekt with CodeQL security fixes (#1141)

* chore: bump vendor/zoekt to include CodeQL security fixes

Pulls in sourcebot-dev/zoekt#13 (open), which resolves all open
CodeQL security alerts on the zoekt repo:

- go/clear-text-logging (high) in gitindex/clone.go
- go/incorrect-integer-conversion (high) in api.go and
  zoekt-sourcegraph-indexserver/sg.go
- actions/missing-workflow-permissions (medium x8) in ci.yml and
  buf-breaking-check.yml
- actions/untrusted-checkout/high (high) in semgrep.yml

Also carries through the dependency bumps from sourcebot-dev/zoekt#11
and #12 (go-git 5.18.0, grpc 1.80.0, otel 1.43.0) that were merged
after #1140 so weren't included when main shipped the original zoekt
sync.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: repoint vendor/zoekt at sourcebot-dev/zoekt@main merge commit

sourcebot-dev/zoekt#13 merged as 7c6c629f. Updating the submodule
pointer from the feature-branch tip (945c3e96) to the merge commit
on main so vendor/zoekt tracks canonical history before merging.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: repoint vendor/zoekt at upstream-ancestry merge commit

sourcebot-dev/zoekt#10 was squash-merged into zoekt@main, which
flattened the merge commit and left GitHub reporting the fork as 108
commits behind sourcegraph/zoekt:main even though all upstream content
was present. Fixed by performing a 'git merge -s ours upstream/main'
on zoekt@main: this records upstream/main as a second parent without
changing any files, restoring the ancestry link.

Bumping this submodule pointer from 7c6c629f (the previous main tip)
to df983ea1 (the new merge-ours commit). The vendored tree content is
byte-identical to 7c6c629f; only the commit graph is different.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: msukkari