
docs(security): audit zizmor.yml secrets-outside-env ignores and drop the stale lint-documentation entry #256

@devantler

Description

🤖 Generated by the Daily AI Assistant

Part of #252 (roadmap: complete · consistent · secure).

Problem

zizmor.yml suppresses the secrets-outside-env rule for 12 line-specific entries across 9 workflows under a single blanket comment ("Reusable workflows cannot rely on environment secrets consistently"). Two issues:

  1. A stale entry: lint-documentation.yaml:35. lint-documentation.yaml is not in the current workflow inventory, so this suppression points at a file that no longer exists.
  2. Opaque rationale + line drift: line-number-anchored ignores silently rot as files change, and one shared comment doesn't justify each individual suppression or say whether any can now be re-enabled.

This mirrors actions#184 (document zizmor disabled-rule rationale) for the workflows repo.

Proposed direction

  • Remove the stale lint-documentation.yaml ignore (and any other entry whose target no longer exists).
  • For each remaining secrets-outside-env ignore, confirm it is still on the intended line and add a brief per-entry (or per-workflow) rationale; re-enable any that no longer need suppression.
  • Consider whether line-anchored ignores can be made more robust (rule scoping that doesn't drift with line numbers), if zizmor supports it.
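As an added illustration (not code from this issue or from the workflows repository), the audit the bullets above describe, reduced to an offline check: every ignore entry is parsed using zizmor's documented `file[:line[:col]]` ignore syntax, entries whose file is gone or whose line number is out of range are reported, and a line-pinned `secrets-outside-env` entry whose line no longer references `secrets.` is flagged as drifted. The config dict and the workflow inventory below are constructed samples; on a real checkout they would come from `yaml.safe_load` on zizmor.yml and from reading `.github/workflows/`. The "drifted" check is a heuristic assumed here, not a zizmor feature.

```python
"""Audit zizmor `ignore:` entries against the actual workflow inventory.

Assumptions (not from the issue): the config is already loaded into a dict
with zizmor's documented shape (rules -> <rule> -> ignore -> ["file[:line[:col]]"]),
and the workflow files are supplied as filename -> text so this runs offline.
"""
import re
from dataclasses import dataclass

# Constructed sample config using zizmor's ignore syntax.
SAMPLE_CONFIG = {
    "rules": {
        "secrets-outside-env": {
            "ignore": [
                "build.yaml:12",               # still pinned to a secrets line
                "lint-documentation.yaml:35",  # file no longer exists
                "release.yaml:40",             # line has drifted away
                "deploy.yaml",                 # whole-file ignore, nothing to verify
            ]
        }
    }
}

# Constructed workflow inventory (filename -> file contents).
SAMPLE_WORKFLOWS = {
    "build.yaml": "\n".join(
        ["name: build"] * 11 + ["        token: ${{ secrets.GITHUB_TOKEN }}"]
    ),
    "release.yaml": "name: release\n" + "      - run: echo ok\n" * 45,
    "deploy.yaml": "name: deploy\n      - run: echo ${{ secrets.DEPLOY_KEY }}\n",
}

# What secrets-outside-env is about: a `secrets.` reference on the pinned line.
SECRET_REF = re.compile(r"secrets\.")
# zizmor ignore entry: file, optional :line, optional :col.
IGNORE_RE = re.compile(r"^(?P<file>[^:]+)(?::(?P<line>\d+))?(?::(?P<col>\d+))?$")


@dataclass(frozen=True)
class Finding:
    rule: str
    entry: str
    status: str  # ok | missing-file | line-out-of-range | drifted | whole-file | unparseable


def audit_ignores(config, workflows):
    """Classify every ignore entry in the config against the workflow inventory."""
    findings = []
    for rule, settings in config.get("rules", {}).items():
        for entry in settings.get("ignore", []):
            m = IGNORE_RE.match(entry)
            if not m:
                findings.append(Finding(rule, entry, "unparseable"))
                continue
            fname = m.group("file")
            if fname not in workflows:
                findings.append(Finding(rule, entry, "missing-file"))
                continue
            if m.group("line") is None:
                findings.append(Finding(rule, entry, "whole-file"))
                continue
            lines = workflows[fname].splitlines()
            lineno = int(m.group("line"))
            if lineno < 1 or lineno > len(lines):
                findings.append(Finding(rule, entry, "line-out-of-range"))
                continue
            # Heuristic (assumed here): a secrets-outside-env ignore should still
            # sit on a line that actually references a secret.
            if rule == "secrets-outside-env" and not SECRET_REF.search(lines[lineno - 1]):
                findings.append(Finding(rule, entry, "drifted"))
                continue
            findings.append(Finding(rule, entry, "ok"))
    return findings


def stale_entries(findings):
    """Entries to remove or re-anchor before the suppression list is signed off."""
    bad = {"missing-file", "line-out-of-range", "drifted", "unparseable"}
    return [f.entry for f in findings if f.status in bad]


if __name__ == "__main__":
    for f in audit_ignores(SAMPLE_CONFIG, SAMPLE_WORKFLOWS):
        print(f"{f.rule}: {f.entry} -> {f.status}")
```

Run against the constructed samples, the script reports `lint-documentation.yaml:35` as a missing file and `release.yaml:40` as drifted, which are exactly the two kinds of rot the issue calls out; the whole-file entry is listed separately because it cannot drift but also does not document why the rule is suppressed.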

Acceptance criteria

  • No zizmor.yml ignore references a non-existent workflow.
  • Each remaining suppression has a clear rationale; scan-for-workflow-vulnerabilities stays green.

Rough size

Small (config + comments; verify against a local zizmor --config zizmor.yml .github/workflows/ run).

Status: ✅ Done