chore: add comment explaining advanced-security: false in zizmor workflow

Copilot · jkowalleck · web-flow · commit 51bc9a564ed2 · 2026-04-25T10:55:24.000Z
Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python-lib/sessions/b5733fc7-3e3a-4c62-a94c-54620cce9147 Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -32,5 +32,11 @@ jobs:
         # see https://github.com/zizmorcore/zizmor-action
         uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
         with:
+          # false: emit findings as workflow-command annotations (::error file=…) rather than
+          # uploading a SARIF report to GitHub's Security tab.
+          # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS),
+          # both of which are unnecessary here and would violate the least-privilege policy.
+          # The two modes are mutually exclusive: advanced-security must be false for
+          # annotations to take effect.
           advanced-security: false
           annotations: true
