ci: auto-enable zizmor GHAS upload for public repos

Move advanced-security auto-detection into zizmor.yml so any
caller benefits. Changes the input type from boolean to string
(default "") to distinguish "not set" from "false". When unset,
enables GHAS upload for public repos via
github.repository_visibility; explicit "true"/"false" overrides
still work via boolean coercion.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: dopey

.github/workflows/actionci.yml

@@ -14,10 +14,10 @@ on:
         type: boolean
         default: true
       zizmor-advanced-security:
-        description: Upload zizmor results to GitHub Advanced Security
+        description: Upload zizmor results to GitHub Advanced Security. Leave unset to auto-enable for public repos, or set to "true"/"false" to override.
         required: false
-        type: boolean
-        default: false
+        type: string
+        default: ""
 
 permissions:
   contents: read

.github/workflows/ci.yml

@@ -24,7 +24,7 @@ jobs:
     uses: ./.github/workflows/actionlint.yml
 
   zizmor:
-    name: Scan GitHub workflows
+    name: Security Scan GitHub workflows
     uses: ./.github/workflows/zizmor.yml
 
   frizbee:

.github/workflows/zizmor.yml

@@ -3,9 +3,9 @@ on:
   workflow_call:
     inputs:
       advanced-security:
-        description: Upload results to GitHub Advanced Security
-        type: boolean
-        default: false
+        description: Upload results to GitHub Advanced Security. Leave unset to auto-enable for public repos, or set to "true"/"false" to override.
+        type: string
+        default: ""
 
 jobs:
   zizmor:
@@ -20,4 +20,4 @@ jobs:
         with:
           min-severity: medium
           min-confidence: medium
-          advanced-security: ${{ inputs.advanced-security }}
+          advanced-security: ${{ (inputs.advanced-security == '' && github.repository_visibility == 'public') || inputs.advanced-security == 'true' }}