I am not reporting a bug (crash, false positive/negative, etc). These must be filed via the bug report template.
I have looked through the open issues for a duplicate request.
What's the problem this feature will solve?
For repos with large dep and artifact trees (Cargo's ./target/ dir, node_modules, vendor directories), zizmor spends a lot of time recursing into them and scanning for workflows and actions I do not want it to scan, even if they were found.
Describe the solution you'd like
Respect .gitignore (in all levels of the directory tree) to exclude directories from scanning automatically.
I'd prefer to use .gitignore (or something like pyproject.toml) for this to avoid yet another config file in the repo root.
Additional context
No response
Thanks @lopopolo! I agree completely, and I think .gitignore is ideal for this: it already communicates non-repo state and zizmor is mostly intended to be run on repos, so we should respect it by default.
Just leaving some notes:
This will probably become the default. Users who want to opt into the old behavior (i.e. scan everything regardless of .gitignore files) will need to pass --no-gitignore or similar. One possibility here is to amend the existing --collect option, e.g. --collect=all becomes "really collect everything" and --collect=default becomes the new default ("collect everything but filter ignores").
We need a decent gitignore parser for this. ripgrep's ignore crate is a good candidate (and already has the ideal walk API).
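As an added illustration of the behaviour discussed above (not zizmor's code, and not the `ignore` crate the comment suggests), the following standard-library Python walker honours nested `.gitignore` files while collecting workflow and action files, with a `respect_gitignore` switch that mirrors the proposed default versus "really collect everything" mode. It implements only a subset of gitignore syntax (blank lines, `#` comments, `!` negation, slash anchoring, a trailing `/` for directory-only patterns, `*`, `?` and `**`), and the repo layout it scans is constructed in a temporary directory purely for the demonstration.

```python
import re
import tempfile
from pathlib import Path

WORKFLOW_SUFFIXES = {".yml", ".yaml"}
ACTION_FILES = {"action.yml", "action.yaml"}


def _glob_to_regex(pattern):
    """Translate a gitignore glob to a regex; '*' and '?' never cross a '/'."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
            continue
        ch = pattern[i]
        out += "[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch)
        i += 1
    return re.compile("^" + out + "$")


def parse_gitignore(text):
    """Return (regex, negated, dir_only, anchored) rules in file order (simplified subset)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        line = line[1:] if negated else line
        dir_only = line.endswith("/")
        line = line.rstrip("/")
        anchored = "/" in line  # a remaining slash anchors the pattern to the .gitignore's directory
        line = line.lstrip("/")
        rules.append((_glob_to_regex(line), negated, dir_only, anchored))
    return rules


def is_ignored(path, is_dir, rule_stack):
    """rule_stack holds (base_dir, rules) from the root downwards. The last matching rule
    wins, so deeper .gitignore files and later lines override earlier ones, as in git."""
    ignored = False
    for base, rules in rule_stack:
        rel = path.relative_to(base).as_posix()
        for regex, negated, dir_only, anchored in rules:
            if dir_only and not is_dir:
                continue
            if regex.match(rel if anchored else path.name):
                ignored = not negated
    return ignored


def _is_target(path):
    """Workflow files live under .github/workflows/; action definitions are action.yml/yaml."""
    if path.name in ACTION_FILES:
        return True
    parent = path.parent
    return (path.suffix in WORKFLOW_SUFFIXES
            and parent.name == "workflows" and parent.parent.name == ".github")


def collect_targets(root, respect_gitignore=True):
    """Return repo-relative paths of workflow/action files; ignored directories are pruned."""
    root = Path(root)
    found = []

    def walk(directory, rule_stack):
        gitignore = directory / ".gitignore"
        if respect_gitignore and gitignore.is_file():
            rule_stack = rule_stack + [(directory, parse_gitignore(gitignore.read_text()))]
        for entry in sorted(directory.iterdir()):
            is_dir = entry.is_dir()
            if respect_gitignore and is_ignored(entry, is_dir, rule_stack):
                continue  # pruned: nothing below an ignored directory is visited
            if is_dir:
                walk(entry, rule_stack)
            elif _is_target(entry):
                found.append(entry.relative_to(root).as_posix())

    walk(root, [])
    return found


def build_demo_repo(base):
    """Constructed sample layout (not a real project) with nested ignore rules and negation."""
    files = {
        ".gitignore": "/target/\nnode_modules/\nvendor/*\n!vendor/keep\n",
        ".github/workflows/ci.yml": "on: push\n",
        "action.yml": "runs: {using: composite}\n",
        "target/debug/build/dep/out/action.yml": "runs: {using: node20}\n",
        "node_modules/pkg/.github/workflows/release.yml": "on: push\n",
        "vendor/keep/action.yml": "runs: {using: composite}\n",
        "vendor/other/action.yml": "runs: {using: composite}\n",
        "sub/.gitignore": "generated/\n",
        "sub/generated/action.yml": "runs: {using: composite}\n",
        "sub/action.yaml": "runs: {using: composite}\n",
    }
    for rel, content in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    """Scan the constructed repo both ways: proposed default vs. collect-everything."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_repo(tmp)
        return {"default": collect_targets(tmp, respect_gitignore=True),
                "all": collect_targets(tmp, respect_gitignore=False)}


if __name__ == "__main__":
    for mode, paths in demo().items():
        print(mode, paths)
```

Two details worth noting: directories that match an ignore rule are pruned before recursion, which is where the time saving for `target/` and `node_modules/` comes from, and a negated rule can only rescue an entry whose parent directory was not itself excluded (here `vendor/*` plus `!vendor/keep`), matching git's own behaviour.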