ci: add zizmor security scanning workflow (#58)

shaanmajid · j178 · web-flow · commit 72e26c9a0df6 · 2026-01-31T18:47:17.000+08:00
Add workflow for scanning GitHub Actions with zizmor, matching the
pattern used in the prek repository.

Although zizmor already exists as a prek/pre-commit hook, this is useful
for evaluating all contributions (regardless of individual contributor
setup) and uploading security reports.

---------

Co-authored-by: Jo &lt;10510431+j178@users.noreply.github.com&gt;
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,28 @@
+name: Run zizmor
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ['**']
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Upload SARIF results to GitHub Security tab
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -5,9 +5,3 @@ repos:
       - id: trailing-whitespace
       - id: end-of-file-fixer
       - id: check-yaml
-
-  - repo: https://github.com/zizmorcore/zizmor-pre-commit
-    rev: v1.22.0
-    hooks:
-      - id: zizmor
-        args: ["--no-progress", "--persona=auditor"]
