ci: add zizmor github actions security scanner (google#4969)

another-rex · google-labs-jules[bot] · tymzd · commit 892da2c158a8 · 2026-04-13T21:40:33.000+10:00
Adds a new GitHub Actions workflow using `zizmor` to scan the repository's workflows for security issues and misconfigurations. The workflow is triggered on pushes to the `master` branch and on all pull requests, and uploads its findings to GitHub Advanced Security. --- *PR created automatically by Jules for task [7298380715651689528](https://jules.google.com/task/7298380715651689528) started by @another-rex* --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,23 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches: ["master"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
