
ci: post zizmor findings as PR comment for visibility#16405

Draft
Onibenjo wants to merge 4 commits into main from chore/zizmor-sticky-comment

Conversation

Contributor

@Onibenjo Onibenjo commented Jun 1, 2026

Done

  • Post zizmor findings as a single auto-updating sticky PR comment so reviewers can see all security findings (rule, file, line, fix suggestion) without clicking through to the Security tab
  • Link to the upstream audit catalog at https://docs.zizmor.sh/audits/ for each rule's full description and remediation guidance
  • Keep the existing SARIF upload to Code Scanning unchanged (inline annotations still work as before)
  • Grant pull-requests: write at the job level (workflow-level permissions stay {})

QA

  • Open a PR (or push to any branch with an open PR)
  • See the GitHub Actions Security Analysis with zizmor workflow run on the PR
  • See a new comment from github-actions[bot] titled "zizmor security findings" with the readable list of findings; existing per-line annotations from the SARIF upload still appear in the Files changed view
  • Push another commit; see the same comment update in place rather than a new one appearing

Issue / Card

n/a

Copilot AI review requested due to automatic review settings June 1, 2026 14:51


github-actions Bot commented Jun 1, 2026

🛡️ zizmor findings on workflow/action files changed in this PR

Rule descriptions and remediation guidance: https://docs.zizmor.sh/audits/

Scanned:

  • .github/workflows/zizmor-static-analysis.yaml
help[undocumented-permissions]: permissions without explanatory comments
  --> .github/workflows/zizmor-static-analysis.yaml:19:7
   |
19 |       security-events: write
   |       ^^^^^^^^^^^^^^^^^^^^^^ needs an explanatory comment
20 |       pull-requests: write
   |       ^^^^^^^^^^^^^^^^^^^^ needs an explanatory comment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#undocumented-permissions

info[anonymous-definition]: workflow or action definition without a name
  --> .github/workflows/zizmor-static-analysis.yaml:16:3
   |
16 |   zizmor:
   |   ^^^^^^ this job
   |
   = note: audit confidence → High
   = tip: use 'name: ...' to give this job a name
   = help: audit documentation → https://docs.zizmor.sh/audits/#anonymous-definition

2 findings: 1 informational, 1 low, 0 medium, 0 high
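As an added example (not the project's workflow and not code from this PR), here is a complete zizmor job in the shape the PR description lays out, with the two findings from the bot comment above resolved: each permission carries an explanatory comment (undocumented-permissions) and the job has a name (anonymous-definition). Assumptions not on this page: the checkout and SARIF-upload steps (the description only says the existing SARIF upload is unchanged), the trigger branches, and the zizmor version, which is left as a placeholder for the maintainers to fill in; `actions/checkout` and `upload-sarif` are shown by tag because no commit SHA for them appears here, and in practice should be hash-pinned like the sticky-comment action is.

```yaml
# .github/workflows/zizmor-static-analysis.yaml (file name from the bot comment)
# Added example, not the project's file. Placeholders and assumptions are
# marked in comments.
name: GitHub Actions Security Analysis with zizmor

on:
  push:
    branches: [main]      # assumption: trigger branches are not shown on the page
  pull_request:

# Workflow-level permissions stay empty; each job opts in explicitly.
permissions: {}

jobs:
  zizmor:
    # Resolves anonymous-definition: every job carries a name.
    name: Run zizmor
    runs-on: ubuntu-latest
    permissions:
      # Needed to check out the repository's workflow and action files.
      contents: read
      # Needed to upload the SARIF file to Code Scanning.
      security-events: write
      # Needed to create and update the sticky PR comment (pull_request runs only).
      pull-requests: write
    steps:
      - name: Check out workflow and action files
        uses: actions/checkout@v4          # hash-pin in production; no SHA on this page
        with:
          persist-credentials: false       # the token is not needed by later steps

      - name: Install zizmor
        # Pin the version so the rule set cannot change between two runs of the
        # same PR when a new release lands on PyPI. X.Y.Z is a placeholder.
        run: pipx install 'zizmor==X.Y.Z'

      - name: Run zizmor (SARIF for Code Scanning)
        # --no-exit-codes: findings no longer produce a non-zero exit, so a
        # non-zero status now means the tool itself failed and the step fails.
        run: zizmor --persona=auditor --format=sarif --no-exit-codes . > zizmor.sarif

      - name: Upload SARIF to Code Scanning
        uses: github/codeql-action/upload-sarif@v3   # hash-pin in production; no SHA on this page
        with:
          sarif_file: zizmor.sarif

      - name: Run zizmor (plain output for PR comment)
        if: github.event_name == 'pull_request'
        run: |
          {
            echo '## :shield: zizmor security findings'
            echo ''
            echo 'Rule descriptions and remediation guidance: <https://docs.zizmor.sh/audits/>'
            echo ''
            echo '```'
            zizmor --persona=auditor --format=plain --no-exit-codes . 2>&1
            echo '```'
          } > zizmor-report.md

      - name: Post zizmor findings as sticky PR comment
        if: github.event_name == 'pull_request'
        uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
        with:
          # header is the sticky key: the action finds the comment carrying it
          # and edits that comment in place instead of posting a new one.
          header: zizmor-findings
          path: zizmor-report.md
```

`--no-exit-codes` replaces the `|| true` and `continue-on-error: true` from the PR's script: zizmor's non-zero exit otherwise only signals that findings exist, so swallowing it also hides a crash or a failed install and posts an empty report. One caveat on a public repository: `pull_request` runs for PRs opened from a fork receive a read-only GITHUB_TOKEN no matter what the job-level `permissions` block requests, so the comment step fails there; guard it with `if: github.event.pull_request.head.repo.full_name == github.repository`, or post the comment from a separate `workflow_run` job, if fork PRs need the comment.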


Copilot AI left a comment


Pull request overview

This PR enhances the existing zizmor GitHub Actions security workflow by publishing zizmor findings directly into a single sticky PR comment, improving reviewer visibility while keeping the existing SARIF upload to GitHub Code Scanning intact.

Changes:

  • Grant pull-requests: write permission at the job level to allow commenting on PRs.
  • Add a PR-only step to run zizmor in plain format and write results to zizmor-report.md.
  • Post/update a sticky PR comment from zizmor-report.md using marocchino/sticky-pull-request-comment.


Comment on lines +28 to +31
- name: Run zizmor (plain output for PR comment)
if: github.event_name == 'pull_request'
id: zizmor_plain
continue-on-error: true
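Review bot: `continue-on-error: true` on line +31 means this step can never fail the job, so a failed `pipx install zizmor` (which, under the default `bash -e` run shell, aborts the script before `zizmor-report.md` is written) passes silently and the PR comment ends up missing or stale. Consider dropping `continue-on-error` and making only the findings non-fatal, which is what zizmor's `--no-exit-codes` flag is for, so a genuine tool failure still fails the job. `id: zizmor_plain` on line +30 is not referenced by any visible step; either gate the comment step on `steps.zizmor_plain.outcome` or drop the id.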
Comment on lines +44 to +46
- name: Post zizmor findings as sticky PR comment
if: github.event_name == 'pull_request'
uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0 # v3.0.4
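Review bot: pinning to a full commit SHA with the version as a trailing comment is the right pattern and satisfies zizmor's unpinned-uses audit for a third-party action. Two things to check beyond these three lines: the step needs the action's `header` input set to a fixed key so the comment is found and edited in place on later pushes (the QA steps depend on that), and `pull_request` runs for PRs opened from a fork get a read-only GITHUB_TOKEN regardless of the job-level `pull-requests: write`, so this step will fail on fork PRs unless it is guarded (for example `if: github.event.pull_request.head.repo.full_name == github.repository`) or the comment is posted from a separate `workflow_run` job.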
Comment on lines +31 to +42
continue-on-error: true
run: |
pipx install zizmor
{
echo '## :shield: zizmor security findings'
echo ''
echo 'Rule descriptions and remediation guidance: <https://docs.zizmor.sh/audits/>'
echo ''
echo '```'
zizmor --persona=auditor --format=plain . 2>&1 || true
echo '```'
} > zizmor-report.md
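Review bot: `pipx install zizmor` on line +33 is unpinned, so each run installs whatever is newest on PyPI and the findings for an unchanged PR can differ between two runs; pin it (`pipx install zizmor==<version>`) the way the actions are pinned by SHA. On line +40, `2>&1 || true` folds zizmor's own error output into the comment body and discards the exit status, so an install or runtime failure is indistinguishable from "no findings"; `zizmor --no-exit-codes` keeps findings non-fatal while letting real failures surface, which also makes `continue-on-error: true` on line +31 unnecessary.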

codecov Bot commented Jun 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.36%. Comparing base (07e79ed) to head (a4f5818).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #16405   +/-   ##
=======================================
  Coverage   48.36%   48.36%           
=======================================
  Files          37       37           
  Lines        5905     5905           
=======================================
  Hits         2856     2856           
  Misses       3049     3049           

@Onibenjo Onibenjo force-pushed the chore/zizmor-sticky-comment branch from 2a01edf to 3f8a2dd Compare June 1, 2026 15:12
@Onibenjo Onibenjo marked this pull request as draft June 1, 2026 15:48