
dependabot leaves a stale version comment on uses: lines carrying a trailing # zizmor: ignore[...] #952

Description

@potiuk

Problem

When dependabot bumps an action whose uses: line carries a trailing # zizmor: ignore[...] after the version comment, its comment-updater skips the # vX.Y.Z version comment — it bumps the pinned hash but leaves the version stale. zizmor's ref-version-mismatch (medium) then fails the Run zizmor 🌈 check.

Concrete case

#932 (1Password/load-secrets-action 4.0.0 → 4.0.1). In .github/actions/for-dependabot-triggered-reviews/action.yml, the hash became v4.0.1 but the comment stayed # v4.0.0:

- uses: 1Password/load-secrets-action@3a12b0ab…  # v4.0.0  # zizmor: ignore[unpinned-tools] generated sentinel step is never executed

The sibling /configure line (no trailing ignore comment) was updated correctly. Fixed manually in #932, but it will recur.

Impact

Every future bump of an allowlisted action whose gateway-generated sentinel step carries a # zizmor: ignore[unpinned-tools] suffix will turn the zizmor check red and need a manual comment fix.

Possible fixes

  1. Have the update/gateway tooling re-sync version comments after dependabot runs.
  2. Emit the # zizmor: ignore[...] on its own line (or before the version comment) so dependabot's regex still updates the version.
  3. Auto-apply zizmor's ref-version-mismatch autofix as a pre-merge step.

Surfaced while reviewing #932.
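One way to implement the first fix above (re-syncing version comments after dependabot runs), as an added example that is not part of this issue or the project's tooling: it rewrites only the # vX.Y.Z comment of a SHA-pinned uses: line and leaves any trailing # zizmor: ignore[...] comment intact. The sample SHA and the SHA-to-tag mapping are constructed assumptions; the real mapping would come from whatever resolved the tag during the bump.

```python
import re

# A `uses:` step pinned to a full commit SHA with a `# vX.Y.Z` comment;
# `suffix` keeps whatever follows (e.g. `# zizmor: ignore[...]`) verbatim.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[^@\s]+)@(?P<sha>[0-9a-f]{40})"
    r"(?P<gap>\s+)#\s*(?P<version>v?\d+(?:\.\d+)*)"
    r"(?P<suffix>.*)$"
)

def resync_line(line, sha_to_version):
    """Return (line, changed); rewrite the version comment only if the SHA
    is known and the comment disagrees with it."""
    m = USES_RE.match(line.rstrip("\n"))
    if not m:
        return line, False
    expected = sha_to_version.get(m.group("sha"))
    if expected is None or expected == m.group("version"):
        return line, False
    fixed = (
        f"{m.group('prefix')}{m.group('action')}@{m.group('sha')}"
        f"{m.group('gap')}# {expected}{m.group('suffix')}"
    )
    return fixed + ("\n" if line.endswith("\n") else ""), True


def resync_workflow(text, sha_to_version):
    """Re-sync every uses: line; return (new text, 1-based lines changed)."""
    out, changed = [], []
    for i, line in enumerate(text.splitlines(keepends=True), start=1):
        new, did = resync_line(line, sha_to_version)
        out.append(new)
        if did:
            changed.append(i)
    return "".join(out), changed


# Constructed sample: a placeholder SHA (not the real pin from the issue) and
# the two sibling steps from the report, one stale and one already correct.
SAMPLE_SHA = "3a12b0ab" + "0" * 32
SAMPLE = (
    "steps:\n"
    f"  - uses: 1Password/load-secrets-action@{SAMPLE_SHA}  # v4.0.0"
    "  # zizmor: ignore[unpinned-tools] generated sentinel step\n"
    f"  - uses: 1Password/load-secrets-action/configure@{SAMPLE_SHA}  # v4.0.1\n"
)
# Assumed to be supplied by the caller (the tag the update tooling resolved).
KNOWN_VERSIONS = {SAMPLE_SHA: "v4.0.1"}
```

Running resync_workflow(SAMPLE, KNOWN_VERSIONS) rewrites only the stale line and reports its line number, so the tool can be wired in as a post-dependabot step or a CI check.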
