feat: add zizmor workflow checks for GitHub Actions (#662)

CommanderK5 · web-flow · commit 01365fb61a4e · 2026-01-21T11:52:26.000+01:00
## Description This PR adds a zizmor security scan to the CI pipeline to analyze new and existing GitHub Actions workflows under .github/workflows/. - Runs zizmor on PRs and fails the check when HIGH severity (or above) issues are found, so they can block merges. - Runs zizmor on main to produce security reporting (where applicable), keeping visibility into findings over time. - Intended to be added as a required status check so workflow-security regressions can’t land unnoticed. Reference: #642 (comment) / zizmor-action ## Type of Change - [ ] New module - [ ] New template - [ ] Bug fix - [ ] Feature/enhancement - [ ] Documentation - [x] Other - CI / security tooling ## Testing & Validation - Validation via PR check - opened a test PR with a deliberately risky workflow and confirmed zizmor reports and blocks on HIGH findings ## Related Issues #642 (comment) / zizmor-action
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
@@ -0,0 +1,55 @@
+name: GitHub Actions Security Analysis (zizmor)
+
+on:
+  pull_request:
+    branches: ["**"]
+    paths:
+      - ".github/workflows/**"
+  push:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/**"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  zizmor_pr_blocking:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor (blocking, HIGH only)
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+        with:
+          advanced-security: false
+          annotations: true
+          min-severity: high
+          inputs: |
+            .github/workflows
+
+  zizmor_main_sarif:
+    if: github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor (SARIF)
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+        with:
+          inputs: |
+            .github/workflows
