first commit - add zizmor scan

Author: eredi93

.github/workflows/zizmor-scan.yml

@@ -0,0 +1,38 @@
+name: Zizmor Workflow Security Scan
+
+on:
+  pull_request:
+  merge_group:
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Detect workflow changes
+        id: changes
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha || github.event.merge_group.base_sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha || github.event.merge_group.head_sha }}
+        run: |
+          if git diff --name-only "$BASE_SHA" "$HEAD_SHA" | grep -q '^\.github/workflows/'; then
+            echo "workflows=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "workflows=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Install zizmor
+        if: steps.changes.outputs.workflows == 'true'
+        run: pip install zizmor==1.25.2
+
+      - name: Scan workflows
+        if: steps.changes.outputs.workflows == 'true'
+        run: zizmor --min-severity=medium .github/workflows/

README.md

@@ -0,0 +1,3 @@
+# github-action-workflows-public
+
+Org level workflows used in public repos