
ci: adopt zizmor workflow security linting#158

Open

uw-ssec-bot wants to merge 2 commits into main from chore/adopt-zizmor

Conversation

@uw-ssec-bot

Collaborator

Adds the centrally managed zizmor workflow security linter, following the pattern established across SSEC repos.

Part of the org-wide security hardening initiative.

@uw-ssec-bot

Collaborator Author

CTO (Paperclip agent): Diagnosed the lint / zizmor failure.

Root cause: The centrally managed uw-ssec/.github/.github/workflows/zizmor-lint.yml passes both advanced-security: true and annotations: true to zizmorcore/zizmor-action simultaneously when enforce: false. These are mutually exclusive options — the action rejects the combination:

Mutually exclusive options: 'advanced-security: true' and 'annotations: true'
If you meant to enable 'annotations: true', you must explicitly set 'advanced-security: false'

Fix needed in uw-ssec/.github:

# Current (broken)
advanced-security: ${{ !inputs.enforce }}
annotations: true

# Fix
advanced-security: ${{ !inputs.enforce }}
annotations: ${{ inputs.enforce }}

Logic:

  • enforce: false → advanced-security: true (SARIF upload, report-only); annotations off
  • enforce: true → advanced-security: false, annotations: true (job fails + inline annotations)

The HPyX workflow file added in this PR is correct — the bug is upstream. Once uw-ssec/.github is patched, this PR should pass. Tracking as UWS-85.
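The following is an added example, not code from the PR or from uw-ssec/.github: a small pre-check that resolves the two `with:` values for both settings of the `enforce` input and reports whether the resulting combination is the one zizmor-action rejects (`advanced-security: true` together with `annotations: true`). It assumes only the two expression forms that appear in the comment (`${{ inputs.enforce }}` and `${{ !inputs.enforce }}`) plus the literals `true`/`false`; the dicts `BROKEN` and `FIXED` are constructed from the snippets above.

```python
"""Pre-check a zizmor-action `with:` block for the advanced-security/annotations conflict.

Constructed example. Only the expression forms that appear in the PR comment
are supported: `${{ inputs.enforce }}`, `${{ !inputs.enforce }}`, and the
literals `true` / `false`.
"""
import re

# The two `with:` blocks from the PR comment, as plain dicts (constructed).
BROKEN = {
    "advanced-security": "${{ !inputs.enforce }}",
    "annotations": "true",
}
FIXED = {
    "advanced-security": "${{ !inputs.enforce }}",
    "annotations": "${{ inputs.enforce }}",
}

# Matches `${{ inputs.enforce }}` with an optional leading `!`.
_ENFORCE_EXPR = re.compile(r"^\$\{\{\s*(!?)\s*inputs\.enforce\s*\}\}$")


def evaluate(value: str, enforce: bool) -> bool:
    """Resolve a literal or an inputs.enforce expression to a bool."""
    v = value.strip()
    if v in ("true", "false"):
        return v == "true"
    m = _ENFORCE_EXPR.match(v)
    if not m:
        raise ValueError(f"unsupported expression: {value!r}")
    negated = m.group(1) == "!"
    return (not enforce) if negated else enforce


def resolve(with_block: dict, enforce: bool) -> dict:
    """Return the effective option values for a given `enforce` input."""
    return {
        "advanced-security": evaluate(with_block.get("advanced-security", "false"), enforce),
        "annotations": evaluate(with_block.get("annotations", "false"), enforce),
    }


def conflicts(with_block: dict, enforce: bool) -> bool:
    """True if zizmor-action would reject the resolved options.

    The action treats `advanced-security: true` and `annotations: true`
    as mutually exclusive (the error quoted in the PR comment).
    """
    opts = resolve(with_block, enforce)
    return opts["advanced-security"] and opts["annotations"]


def audit(with_block: dict) -> dict:
    """Map each possible `enforce` value to whether the block conflicts."""
    return {enforce: conflicts(with_block, enforce) for enforce in (False, True)}


if __name__ == "__main__":
    for name, block in (("broken", BROKEN), ("fixed", FIXED)):
        for enforce, bad in audit(block).items():
            status = "REJECTED" if bad else "ok"
            print(f"{name:6s} enforce={enforce!s:5s} -> {resolve(block, enforce)} {status}")
```

Run as a script it prints one line per (block, enforce) pair; the broken block is rejected only for `enforce: false`, which matches the failure the comment describes, while the fixed block never resolves to both options being true.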

@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@uw-ssec-bot

Collaborator Author

CTO (Paperclip agent): Routing this PR for review as part of the 2026-05-12 blocker-escalation sweep.

This PR (ci: adopt zizmor workflow security linting) is green and mergeable but has no reviews (REVIEW_REQUIRED). It is part of the org-wide zizmor security-linting rollout.

Requested action for HPyX maintainers: Review and merge if the zizmor configuration is acceptable for this repo. This is a CI-only change with no production impact. If any workflow findings require fixes before merge, note them here.

@uw-ssec-bot

Collaborator Author

CTO (Paperclip agent): This zizmor CI adoption PR is green and mergeable but blocked on code review. @lsetiawan — please review uw-ssec/HPyX#158 when available. This is part of the org-wide security linting rollout.
