pin zizmor deps

Author: bckohan

.github/workflows/zizmor.yml

@@ -4,7 +4,8 @@ on:
   push:
     branches: [ main ]
   pull_request:
-    branches: [ main ]
+    paths:
+      - ".github/workflows/**/*.yml"
   schedule:
     # Run weekly
     - cron: '0 0 * * 0'
@@ -28,8 +29,11 @@ jobs:
           persist-credentials: false
 
       - name: Set up Rust
-        uses: actions-rust-lang/setup-rust-toolchain@v1
-
+        uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98
+      - name: Install jq
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y jq
       - name: Install Zizmor
         run: |
           cargo install --locked zizmor
@@ -39,13 +43,22 @@ jobs:
           zizmor --format sarif .github/workflows/ > results.sarif
 
       - name: Upload analysis results
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: zizmor-results
           path: results.sarif
           retention-days: 7
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e
         with:
           sarif_file: results.sarif
+
+      - name: Fail on Findings
+        run: |
+          count="$(
+            jq '([.runs[]? | (.results // [])[] | select(.level != "note")] | length) // 0' \
+              results.sarif
+          )"
+          echo "Zizmor findings: $count"
+          test "$count" -eq 0