fix(ci): disable zizmor advanced security to unblock releases (#1630)

* fix(ci): disable zizmor advanced security to unblock release pushes

With advanced-security enabled, zizmor uploads SARIF to GitHub Code Scanning.
The branch protection ruleset then requires those results before allowing pushes
to main. This blocks the release workflow because its version-bump commit doesn't
exist on GitHub yet, so code scanning can't produce results for it — a
chicken-and-egg problem.

Switching to advanced-security: false keeps zizmor as a regular CI check
(pass/fail) without uploading to Code Scanning, avoiding the branch protection
conflict. Also sets min-severity to medium to filter out noisy low-severity
findings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(ci): add comment explaining advanced-security: false

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>