
ci: adjust zizmor advanced security handling#41

Merged
wochinge merged 1 commit into main from codex/zizmor-fork-pr-blocks on May 21, 2026

Conversation

@wochinge
Collaborator

What changed

  • Run zizmor-action with advanced-security: false for non-push events, including pull requests and merge queue runs.
  • Keep Advanced Security/SARIF uploads enabled on push events.
  • Set min-severity: low for the zizmor scan.

Why

Fork pull requests cannot upload code scanning results to GitHub Advanced Security, so requiring zizmor code scanning results blocks community PRs. This keeps the check usable for fork PRs while preserving SARIF upload on trusted pushes.

Validation

  • YAML parse check for .github/workflows/zizmor.yml
  • git diff --check -- .github/workflows/zizmor.yml

@github-actions
Contributor

github-actions Bot commented May 21, 2026

Experiment Results: 4f56c83

| Experiment | Status | Actions |
|---|---|---|
| Uppercase (py) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Uppercase (ts) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (node) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (python) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Regression fixture | ❌ Regression | View GitHub Action Run · View in Langfuse |

Details

✅ Uppercase (py) (Source)

| Score | Value |
|---|---|
| avg_accuracy | 1.000 |

Item results (3)

| Item | Input | Expected | Output | exact_match |
|---|---|---|---|---|
| 1 | langfuse | LANGFUSE | LANGFUSE | 1.000 |
| 2 | world | WORLD | WORLD | 1.000 |
| 3 | hello | HELLO | HELLO | 1.000 |

✅ Uppercase (ts) (Source)

| Score | Value |
|---|---|
| avg_accuracy | 1.000 |

Item results (3)

| Item | Input | Expected | Output | exact_match |
|---|---|---|---|---|
| 1 | langfuse | LANGFUSE | LANGFUSE | 1.000 |
| 2 | world | WORLD | WORLD | 1.000 |
| 3 | hello | HELLO | HELLO | 1.000 |

✅ Mixed dir (node) (Source)

| Score | Value |
|---|---|
| avg_accuracy | 1.000 |

Item results (3)

| Item | Input | Expected | Output | exact_match |
|---|---|---|---|---|
| 1 | langfuse | LANGFUSE | LANGFUSE | 1.000 |
| 2 | world | WORLD | WORLD | 1.000 |
| 3 | hello | HELLO | HELLO | 1.000 |

✅ Mixed dir (python) (Source)

| Score | Value |
|---|---|
| avg_accuracy | 1.000 |

Item results (3)

| Item | Input | Expected | Output | exact_match |
|---|---|---|---|---|
| 1 | langfuse | LANGFUSE | LANGFUSE | 1.000 |
| 2 | world | WORLD | WORLD | 1.000 |
| 3 | hello | HELLO | HELLO | 1.000 |

❌ Regression fixture (Source)

RegressionError: synthetic regression triggered by e2e fixture

Item results (3)

| Item | Input | Expected | Output | exact_match |
|---|---|---|---|---|
| 1 | langfuse | LANGFUSE | LANGFUSE | 1.000 |
| 2 | world | WORLD | WORLD | 1.000 |
| 3 | hello | HELLO | HELLO | 1.000 |

@wochinge wochinge marked this pull request as ready for review May 21, 2026 08:57
@wochinge wochinge requested a review from a team as a code owner May 21, 2026 08:57
@wochinge wochinge merged commit 55f705b into main May 21, 2026
13 checks passed
@github-actions
Contributor

@claude review

@wochinge wochinge deleted the codex/zizmor-fork-pr-blocks branch May 21, 2026 08:57

@claude claude Bot left a comment


LGTM — conditional advanced-security toggle is the standard pattern for letting fork PRs run code scanning workflows.

Extended reasoning...

Overview

This PR modifies only .github/workflows/zizmor.yml: it adds a merge_group trigger, passes advanced-security: ${{ github.event_name == 'push' && 'true' || 'false' }} to zizmor-action, and sets min-severity: low. No source code, no action logic, and no secrets handling are touched.

Security risks

None of concern. Disabling SARIF/Code Scanning upload on fork PRs is the established pattern — forks lack security-events: write against the base repo and cannot upload SARIF anyway, so this only removes a guaranteed failure. SARIF upload remains enabled on trusted push events to main, preserving the security signal. Lowering min-severity to low only makes the scan stricter (more findings reported), not laxer.

Level of scrutiny

Low. This is a CI-only configuration change confined to a single workflow file, addressing a well-known limitation of GitHub Advanced Security on fork PRs. The conditional expression is a standard GitHub Actions idiom.

Other factors

The bug hunting system found no issues. The pinned action SHA is unchanged. No outstanding reviewer comments to address.
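The workflow shape that the PR description and the review above both refer to, written out as an added example rather than the repository's actual .github/workflows/zizmor.yml. The merge_group trigger, the conditional advanced-security input and min-severity: low come from this PR; the action reference zizmorcore/zizmor-action, the permissions block and the pinned-SHA placeholders are assumptions and must be replaced with the repository's own pinned values.

```yaml
# Added example of the pattern discussed in this PR. It is not the
# repository's own zizmor.yml; the action reference and the SHA
# placeholders are assumptions, not values taken from the page.
name: zizmor

on:
  push:
    branches: [main]
  pull_request:
  merge_group:

# Deny everything at the workflow level and grant per job.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Needed only for the SARIF upload to Code Scanning. On a fork
      # pull_request the token is read-only regardless of what is
      # requested here, which is why the upload is disabled below.
      security-events: write
    steps:
      - uses: actions/checkout@PINNED_COMMIT_SHA_PLACEHOLDER
        with:
          persist-credentials: false

      - uses: zizmorcore/zizmor-action@PINNED_COMMIT_SHA_PLACEHOLDER
        with:
          # Upload SARIF only on trusted push events. pull_request and
          # merge_group runs (including fork PRs) still execute the scan
          # and fail the check on findings, they just do not upload.
          advanced-security: ${{ github.event_name == 'push' && 'true' || 'false' }}
          # Report every finding down to low severity.
          min-severity: low
```

The expression keys on the event name rather than on whether the head repository is a fork, so same-repository pull requests also skip the upload; that is the trade-off the review describes, and the push to main after merge still records the findings in Code Scanning. The two validation steps listed in the description (a YAML parse and `git diff --check -- .github/workflows/zizmor.yml`) are the right minimum before merging a change to a file like this, since a malformed workflow silently stops the scan from running at all.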
