ci(zizmor): remove broad zizmor ignores (#22199)

.github/workflows/build-docker.yml

@@ -20,6 +20,12 @@ on:
 env:
   RUFF_BASE_IMG: ghcr.io/${{ github.repository_owner }}/ruff
 
+permissions:
+  contents: read
+  # TODO(zanieb): Ideally, this would be `read` on dry-run but that will require
+  # significant changes to the workflow.
+  packages: write # zizmor: ignore[excessive-permissions]
+
 jobs:
   docker-build:
     name: Build Docker image (ghcr.io/astral-sh/ruff) for ${{ matrix.platform }}

.github/workflows/publish-docs.yml

@@ -17,6 +17,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   mkdocs:
     runs-on: ubuntu-latest

.github/zizmor.yml

@@ -1,23 +0,0 @@
-# Configuration for the zizmor static analysis tool, run via pre-commit in CI
-# https://docs.zizmor.sh/configuration/
-#
-# TODO: can we remove the ignores here so that our workflows are more secure?
-rules:
-  cache-poisoning:
-    ignore:
-      - build-docker.yml
-  excessive-permissions:
-    # it's hard to test what the impact of removing these ignores would be
-    # without actually running the release workflow...
-    ignore:
-      - build-docker.yml
-      - publish-docs.yml
-  secrets-inherit:
-    # `cargo dist` makes extensive use of `secrets: inherit`,
-    # and we can't easily fix that until an upstream release changes that.
-    disable: true
-  template-injection:
-    ignore:
-      # like with `secrets-inherit`, `cargo dist` introduces some
-      # template injections. We've manually audited these usages for safety.
-      - release.yml