test: pin zizmor reusable to fork SHA for vendor path excludes (#326)

Point self-zizmor at isaiah-grafana/shared-workflows@242628b for ruleset
testing of .github/zizmor-collection-ignore. Revert to grafana/shared-workflows
after upstream merge.

Made-with: Cursor

Author: isaiah-grafana

.github/workflows/self-zizmor.yaml

@@ -45,7 +45,9 @@ jobs:
       - zizmor-check
     if: ${{ needs.zizmor-check.outputs.found-files == 'true' }}
 
-    uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@e7a3275d4c4978a3514801ec55708f1c599a6906
+    # Testing security-appsec#326: reusable with optional .github/zizmor-collection-ignore. Point org rulesets at
+    # branch test/zizmor-vendor-excludes-326 to validate; replace with grafana/shared-workflows@<merge SHA> for main.
+    uses: isaiah-grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@242628b1464cb1ecfb92b208f2bb8aaae795ec63
     with:
       runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
       fail-severity: high