Add reusable security workflow #1

Merged: GabrielBianconi merged 3 commits into main from gb/reusable-workflow on May 1, 2026

@GabrielBianconi GabrielBianconi commented May 1, 2026

Note

Low Risk
Low risk CI-only change that adjusts GitHub Actions workflow wiring and lints; main risk is inadvertently changing required-check behavior or failing PRs due to stricter security scanning.

Overview
Renames the main PR workflow to security and switches it to call the reusable .github/workflows/security.yml workflow as a single required job with the needed security-events/actions permissions.

Updates the zizmor job to generate and use a local zizmor.yml (adding a dependabot-cooldown rule with days: 3) and adds a new always-run summary job that fails the workflow if any required security job fails or is cancelled.

Reviewed by Cursor Bugbot for commit 4973f33. Bugbot is set up for automated code reviews on this repo. Configure here.
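
The always-run summary gate described in the overview above, sketched as an added example; this is not the workflow file from this pull request. The scan job names (`zizmor`, `codeql`) and their placeholder steps are assumptions, and only the `summary` job illustrates the pattern.

```yaml
# Added example: a reusable workflow whose single `summary` job can be used
# as the one required check. Job names and scan steps are placeholders.
name: security

on:
  workflow_call:

permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder for the zizmor scan"

  codeql:
    runs-on: ubuntu-latest
    steps:
      - run: echo "placeholder for a code scanning job"

  summary:
    # Without always(), a failed or cancelled dependency leaves this job
    # skipped, and a skipped required check is reported as passing.
    if: ${{ always() }}
    needs: [zizmor, codeql]
    runs-on: ubuntu-latest
    steps:
      - name: Fail if any required security job failed or was cancelled
        if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
        env:
          # Passed through env rather than inlined into the script body,
          # so the expression is never interpreted as shell.
          NEEDS_JSON: ${{ toJSON(needs) }}
        run: |
          echo "$NEEDS_JSON"
          exit 1
```

With this shape, branch protection only needs to require the `summary` check, and jobs that are legitimately skipped do not block the pull request.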

tensorzero-cla-bot Bot commented May 1, 2026

✅ All contributors to this pull request have signed the TensorZero CLA. Thank you!

@GabrielBianconi (Member, Author)

I have read the Contributor License Agreement (CLA) and hereby sign the CLA.

tensorzero-cla-bot Bot added a commit that referenced this pull request May 1, 2026
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@GabrielBianconi GabrielBianconi merged commit 436f8c1 into main May 1, 2026
8 checks passed
@GabrielBianconi GabrielBianconi deleted the gb/reusable-workflow branch May 1, 2026 16:26