ci: ignore known Zizmor findings

This avoids false positives from existing uses of `GITHUB_ENV` and
`pull_request_target` that are safe, as well as from cache usage in a
workflow that doesn't produce release artifacts.

.github/actions/cache/action.yml

@@ -3,22 +3,22 @@ description: "This action caches neovim dependencies"
 runs:
   using: "composite"
   steps:
-    - run: echo "CACHE_KEY=${GITHUB_WORKFLOW}" >> $GITHUB_ENV
+    - run: echo "CACHE_KEY=${GITHUB_WORKFLOW}" >> $GITHUB_ENV # zizmor: ignore[github-env]
       shell: bash
 
-    - run: echo "CACHE_KEY=${GITHUB_JOB}" >> $GITHUB_ENV
+    - run: echo "CACHE_KEY=${GITHUB_JOB}" >> $GITHUB_ENV # zizmor: ignore[github-env]
       shell: bash
 
     - if: ${{ matrix }}
       env:
         MATRIX_JOIN: ${{ join(matrix.*, '-') }}
-      run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV
+      run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV # zizmor: ignore[github-env]
       shell: bash
 
     - if: ${{ matrix.build }}
       env:
         MATRIX_JOIN: ${{ join(matrix.build.*, '-') }}
-      run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV
+      run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV # zizmor: ignore[github-env]
       shell: bash
 
     - id: image

.github/actions/setup/action.yml

@@ -10,7 +10,7 @@ runs:
   steps:
     - name: Set $BIN_DIR
       shell: bash
-      run: echo "$BIN_DIR" >> $GITHUB_PATH
+      run: echo "$BIN_DIR" >> $GITHUB_PATH # zizmor: ignore[github-env]
 
     - if: ${{ runner.os != 'Windows' }}
       name: Set ulimit

.github/zizmor.yml

@@ -1,4 +1,13 @@
 rules:
+  cache-poisoning:
+    ignore:
+      - test.yml
+  dangerous-triggers:
+    ignore:
+      - backport.yml
+      - labeler_pr.yml
+      - reviewers_add.yml
+      - reviewers_remove.yml
   unpinned-uses:
     config:
       policies: