
ci: fix zizmor workflow audit findings#1202

Open
dunglas wants to merge 1 commit intomainfrom
fix/zizmor-workflow-audits

Conversation

Owner

@dunglas dunglas commented Apr 15, 2026

  • Scope secret access in cd.yml (release) and cd-docs.yml (publish) to dedicated GitHub Actions environments, so repo owners can add protection rules (required reviewers, branch restrictions) without further workflow changes.
  • Suppress dangerous-triggers on dependabot.yml: pull_request_target is required for Dependabot auto-merge to access write permissions, and the workflow already guards with an author check.

- Scope secret access in cd.yml (release) and cd-docs.yml (publish) to
  dedicated GitHub Actions environments, so repo owners can add
  protection rules (required reviewers, branch restrictions) without
  further workflow changes.
- Suppress dangerous-triggers on dependabot.yml: pull_request_target
  is required for Dependabot auto-merge to access write permissions,
  and the workflow already guards with an author check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
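The two halves of the suppression described above, as an added example that is not the project's own files: a zizmor config that ignores dangerous-triggers for exactly one workflow, beside the kind of guarded Dependabot auto-merge workflow that makes the suppression defensible. The zizmor `rules.<id>.ignore` layout follows zizmor's documented config format; the `unpinned-uses` policy block is an assumed stand-in for the "ref-pin policy" the review mentions, and the workflow is modelled on GitHub's documented auto-merge pattern with hypothetical job and step names.

```yaml
# Added example, not the project's .github/linters/zizmor.yaml.
rules:
  dangerous-triggers:
    ignore:
      - dependabot.yml   # pull_request_target is intentional; author guard below
  unpinned-uses:         # assumed syntax for the pin policy the page mentions
    config:
      policies:
        "*": hash-pin
---
# Added example, not the project's .github/workflows/dependabot.yml.
# pull_request_target is what lets GITHUB_TOKEN carry the write scopes
# that `gh pr merge --auto` needs; with plain pull_request, Dependabot
# runs get a read-only token.
name: Dependabot auto-merge
on: pull_request_target

permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    runs-on: ubuntu-latest
    # The guard zizmor cannot see: only PRs authored by Dependabot reach
    # the steps below, so a third-party PR never runs with these scopes.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2   # pin to a commit SHA in practice
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Enable auto-merge for patch-level updates only
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh pr merge --auto --squash "$PR_URL"
```

The author check is the whole justification, so the job must stay a pure metadata-and-merge job: under pull_request_target the runner holds the base repository's token and secrets, so never add a step that checks out the PR head (`ref: ${{ github.event.pull_request.head.sha }}`) and executes its build or scripts. Keeping the ignore entry scoped to `dependabot.yml` rather than disabling the rule repo-wide means any other workflow that later adopts `pull_request_target` is still flagged.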
Copilot AI review requested due to automatic review settings April 15, 2026 18:52
Contributor

Copilot AI left a comment


Pull request overview

Scopes sensitive GitHub Actions workflows to dedicated environments and adjusts zizmor configuration to address workflow audit findings.

Changes:

  • Add environment: release to the release workflow job.
  • Add environment: docs to the docs publish workflow job.
  • Suppress zizmor’s dangerous-triggers finding for dependabot.yml with an explanatory comment.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Reviewed files:

  • .github/workflows/cd.yml: Assigns the release job to the release environment to enable environment-based protection rules.
  • .github/workflows/cd-docs.yml: Assigns the docs publish job to the docs environment to enable environment-based protection rules.
  • .github/linters/zizmor.yaml: Ignores dangerous-triggers for dependabot.yml while keeping the ref-pin policy.


Comment thread .github/workflows/cd.yml
jobs:
  release:
    runs-on: ubuntu-latest
    environment: release

Copilot AI Apr 15, 2026


environment: release is applied to the job for all triggers (including pull_request and push to main). If repository owners add protection rules (required reviewers / wait timer) on the release environment, PR builds and main-branch snapshot builds will start gating on that environment, which can block normal CI unexpectedly. Consider splitting into two jobs: a snapshot/build job without an environment for PRs/main pushes, and a release job (conditioned on tag pushes) that uses the release environment for the steps that need secrets.

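The split the review comment above asks for, as an added example rather than the project's cd.yml: a build job with no `environment:` key that runs for pull requests and main-branch pushes, and a release job that only tag pushes reach and that alone references the protected environment. Workflow name, build command, artifact name, `RELEASE_TOKEN` and the publish script are all hypothetical.

```yaml
# Added example (not the project's cd.yml). Protection rules configured on
# the "release" environment (required reviewers, wait timer, branch/tag
# restrictions) gate only the job that carries `environment: release`.
name: CD

on:
  push:
    branches: [main]
    tags: ["v*"]
  pull_request:

permissions:
  contents: read   # workflow-wide default; the release job raises it for itself

jobs:
  build:
    # No `environment:` here, so PR and main-branch snapshot runs never
    # wait on reviewers or a timer and need no environment secrets.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # pin to a commit SHA in practice
      - name: Build snapshot artifacts
        run: make build                    # hypothetical build command
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  release:
    needs: build
    # Only tag pushes satisfy this condition; pull_request and branch
    # pushes skip the job entirely instead of blocking on the environment.
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    environment: release                   # protection rules apply here only
    permissions:
      contents: write                      # to create the GitHub release
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - name: Publish release
        env:
          # Store this as an environment secret on "release", not as a
          # repository secret: only environment secrets are withheld from
          # jobs that do not reference the environment.
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: ./scripts/publish.sh dist/    # hypothetical publish script
```

One check worth making after the split: any secret the release step needs must actually be moved to the environment in repository settings. A secret left at repository level is still resolvable from the unguarded build job, so adding `environment:` to the release job changes nothing about who can read it.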


2 participants