Build/Test Tools: Add more workflow file linting with Zizmor.

This change introduces Zizmor, which is a tool for linting GitHub Actions workflow files for security weaknesses. This compliments the existing Actionlint scanning.

For more information about Actionlint and Zizmor, see the GitHub Actions Workflow Standards page in the developer handbook: https://developer.wordpress.org/coding-standards/wordpress-coding-standards/github-actions/

Some issues in workflow files that are reported by Zizmor will be addressed in follow-up commits.

Props johnbillion, desrosj.

See #64227


git-svn-id: https://develop.svn.wordpress.org/trunk@62250 602fd350-edb4-49c9-b593-d223f7449a82

Author: johnbillion

.github/workflows/reusable-workflow-lint.yml

@@ -32,3 +32,42 @@ jobs:
         uses: docker://rhysd/actionlint@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9 # v1.7.7
         with:
           args: "-color -verbose"
+
+  # Runs the Zizmor GitHub Action workflow file linter.
+  #
+  # See https://github.com/zizmorcore/zizmor
+  #
+  # This helps guard against supply chain attacks, unpinned dependencies, excessive permissions,
+  # dangerous triggers, credential leaks, and sophisticated security vulnerabilities.
+  #
+  # Performs the following steps:
+  # - Checks out the repository.
+  # - Installs and configures uv.
+  # - Runs a zizmor scan.
+  # - Uploads the SARIF file to GitHub.
+  zizmor:
+    name: Zizmor
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+
+      - name: Run zizmor
+        run: uvx zizmor@1.24.1 --persona=regular --format=sarif --strict-collection . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+        with:
+          sarif_file: results.sarif
+          category: zizmor