ci: resolve AquaSec/Trivy alert on uses: ./ in test.yml #28

Description

@oto-macenauer

Follow-up from review of #25 (.github/workflows/test.yml:116, comment by @miroslavpojer).

Context

The integration test runs the local composite action via uses: ./. A security scanner (AquaSec/Trivy) flags this line.

Diagnosis

The alert is almost certainly the "action not pinned to a full-length commit SHA" rule (Trivy/Aqua CI misconfig; equivalent to zizmor unpinned-uses), not a script-injection finding:

  • Workflow trigger is pull_request with permissions: contents: read, no secrets.
  • Test inputs are hardcoded literals, so there is no ${{ }}-into-shell injection surface.
  • The action itself (action.yml) already passes all inputs via env: vars into bash check.sh — the env-var mitigation is already in place.
  • uses: ./ also appears in earlier jobs in the same file; only the new diff block was commented on.

A local ./ reference cannot be SHA-pinned — it is the in-repo action under test.
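To make the env-var mitigation referred to above concrete, here is an added illustration (not the repository's own action.yml) of the two ways a composite action can hand inputs to a shell step. The input name `target` and the step names are assumed for the example; `check.sh` is the script the issue mentions.

```yaml
# Added example: why the env-var pattern matters.
# Expression expansion happens before the shell runs, so an attacker-controlled
# input that reaches the `run:` body directly becomes part of the script text.

# Weak form (flagged as template injection by scanners such as zizmor):
#   - name: Run check (unsafe)
#     shell: bash
#     run: bash check.sh "${{ inputs.target }}"   # value is spliced into the script

# Hardened form: the expression is evaluated only into an environment variable,
# and the shell sees an ordinary, quoted variable reference.
runs:
  using: composite
  steps:
    - name: Run check
      shell: bash
      env:
        TARGET: ${{ inputs.target }}   # assumed input name for the example
      run: bash "${GITHUB_ACTION_PATH}/check.sh" "$TARGET"
```

With the hardened form the worst a hostile input can do is be an odd string argument to check.sh; it can no longer terminate the command and start a new one.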

Acceptance criteria

  • Confirm the exact rule ID from the scanner output.
  • If it is the unpinned-uses rule, suppress it with an inline ignore + justification comment (e.g. Trivy #trivy:ignore:<ID> or zizmor # zizmor: ignore[unpinned-uses]: "local action under test, cannot pin"), or exclude .github/workflows/test.yml from that rule in scanner config.
  • Apply the same treatment to every uses: ./ occurrence in test.yml for consistency.
  • If the rule turns out to be a genuine injection finding instead, re-evaluate (unexpected given the above).
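As an added example of what the suppression in the acceptance criteria would look like in a workflow such as test.yml (this is illustrative, not the repository's actual file), the step below uses the inline-ignore forms quoted in the issue. The job name and the `with:` input are assumed; `<ID>` is a placeholder for the rule identifier still to be confirmed from the scanner output.

```yaml
# Added example: local composite action under test, with scanner suppressions.
on:
  pull_request:

permissions:
  contents: read   # read-only token, no secrets exposed to the job

jobs:
  integration:   # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # third-party action: pin to a full commit SHA in a real workflow

      # A local ./ reference cannot be SHA-pinned; it is the action being tested.
      # Trivy placeholder: replace <ID> with the rule ID confirmed from the scanner output.
      #trivy:ignore:<ID>
      - uses: ./   # zizmor: ignore[unpinned-uses]: "local action under test, cannot pin"
        with:
          target: fixture-value   # hardcoded literal, so no ${{ }} injection surface
```

Every other `uses: ./` step in the file should carry the same pair of comments so the ignore list stays consistent and reviewable.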

Ref: review comment by @miroslavpojer on .github/workflows/test.yml.