Apply suggestions from code review

Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Author: jkowalleck

.github/workflows/zizmor.yml

@@ -7,6 +7,9 @@ on:
   pull_request:
     paths:
       - '.github/workflows/**'
+  push:
+    paths:
+      - ".github/workflows/**"
   schedule:
     # Every Saturday 00:00 UTC
     - cron: '0 0 * * 6'
@@ -21,7 +24,7 @@ jobs:
   zizmor:
     name: zizmor
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
     permissions:
       contents: read
     steps:
@@ -34,5 +37,11 @@ jobs:
         # see https://github.com/zizmorcore/zizmor-action
         uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
         with:
+          # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than
+          # uploading a SARIF report to GitHub's Security tab.
+          # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS),
+          # both of which are unnecessary here and would violate the least-privilege policy.
+          # The two modes are mutually exclusive: advanced-security must be false for
+          # annotations to take effect.
           advanced-security: false
           annotations: true