Disable advanced-security SARIF upload and pass config to zizmor-action

The default SARIF upload to Code Scanning ignores our .zizmor.yml config,
causing unpinned-uses findings to fail the check even though we've
intentionally disabled that rule.

Author: dduugg

.github/workflows/zizmor.yml

@@ -12,7 +12,6 @@ jobs:
   zizmor:
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
       contents: read
       actions: read
     steps:
@@ -23,3 +22,6 @@ jobs:
 
       - name: Run zizmor
         uses: zizmorcore/zizmor-action@v0.5.3
+        with:
+          advanced-security: false
+          config: .zizmor.yml