ci: configure zizmor

See https://docs.zizmor.sh.

This runs on PRs and pushes to main. It uses the most basic "regular"
persona as a starting point.

Author: serhalp

.github/workflows/zizmor.yml

@@ -0,0 +1,38 @@
+# https://docs.zizmor.sh/
+name: zizmor
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  merge_group:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.sha }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: 🌈 GitHub Actions security analysis
+    runs-on: ubuntu-slim
+    permissions:
+      contents: read # checkout repository
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          persona: pedantic
+          # Use annotations instead of SARIF as this doesn't need special permissions
+          annotations: true
+          advanced-security: false

.github/zizmor.yml

@@ -0,0 +1,10 @@
+# Existing privileged PR automation is intentionally isolated to these workflows:
+# they do not checkout pull request head code, and they only comment or set status.
+rules:
+  dangerous-triggers:
+    ignore:
+      - dependency-diff-comment.yml
+      - lunaria.yml
+      - semantic-pull-requests.yml
+      - welcome-close.yml
+      - welcome-open.yml

CONTRIBUTING.md

@@ -123,6 +123,7 @@ pnpm mock-connector   # Start the mock connector (no npm login needed)
 pnpm vp run lint      # Run linter (oxlint + oxfmt)
 pnpm lint:fix         # Auto-fix lint issues
 pnpm test:types       # TypeScript type checking
+pnpm vp run zizmor    # GitHub Actions security analysis
 
 # Testing
 pnpm test             # Run all Vitest tests
@@ -133,6 +134,28 @@ pnpm test:a11y        # Lighthouse accessibility audits
 pnpm test:perf        # Lighthouse performance audits (CLS)
 ```
 
+### GitHub Actions security analysis
+
+CI runs [zizmor](https://docs.zizmor.sh/) against the repository's GitHub Actions workflows. The shared policy lives in `.github/zizmor.yml`, and the `zizmor` task uses the same pedantic persona as CI.
+
+You may run it locally by [installing `zizmor`](https://docs.zizmor.sh/installation/) and running:
+
+```bash
+pnpm vp run zizmor
+```
+
+Some audits resolve action refs and vulnerability metadata through GitHub. To run those online checks locally, authenticate with the GitHub CLI and pass its token:
+
+```bash
+GH_TOKEN="$(gh auth token)" pnpm vp run zizmor
+```
+
+To fix audit findings automatically, run:
+
+```bash
+GH_TOKEN="$(gh auth token)" pnpm vp run zizmor:fix
+```
+
 ### Clearing caches during development
 
 Nitro persists `defineCachedEventHandler` results to disk at `.nuxt/cache/nitro/`. This cache **survives dev server restarts**. If you're iterating on a cached API route and want fresh results, delete the relevant cache directory:

vite.config.ts

@@ -31,6 +31,12 @@ export default defineConfig({
       'lint:css': {
         command: 'node scripts/unocss-checker.ts',
       },
+      'zizmor': {
+        command: 'zizmor --pedantic .',
+      },
+      'zizmor:fix': {
+        command: 'zizmor --pedantic --fix .',
+      },
       'build:lunaria': {
         command: 'node ./lunaria/lunaria.ts',
       },