From 9b33786e0ed06f464b6d1e9c72a85aa29d543f42 Mon Sep 17 00:00:00 2001
From: Yann Pellegrini
Date: Mon, 30 Mar 2026 15:53:30 +0200
Subject: [PATCH] Add zizmor (github actions static analysis)

---
 .github/workflows/zizmor.yml | 43 ++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000000..8348f1d60a
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,43 @@
+# Performs static analysis in GitHub actions with https://github.com/woodruffw/zizmor
+name: Zizmor
+
+concurrency:
+  group: zizmor-${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    branches:
+      - "*"
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    name: "Run Zizmor (github actions security)"
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: "Checkout repository"
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          persist-credentials: false
+
+      - name: "Install uv"
+        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b
+        with:
+          version: "latest"
+
+      - name: "Run zizmor"
+        run: uvx zizmor --format sarif . > results.sarif
+
+      - name: "Upload SARIF file"
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: zizmor
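Review bot: The `pull_request` base-branch filter `branches: - "*"` in the `on:` block does not match branch names containing a slash, because GitHub's `*` glob stops at `/`; pull requests targeting a `release/...`-style branch would never be scanned, and `"**"` is the filter that actually means "every base branch". The workflow also runs only on `pull_request`, so the default branch itself is never scanned and Code Scanning presumably has no default-branch baseline to compare PR results against; a `push` trigger for the default branch fixes that, and note that on PRs from forks the `GITHUB_TOKEN` is read-only, so the job-level `security-events: write` is likely not honored there and the upload step may fail. Without `GH_TOKEN` in the `Run zizmor` step's environment zizmor skips its online audits (the ones that query the GitHub API about the actions a workflow references), so `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is worth adding to that step. Finally, the scanner itself floats while the actions are SHA-pinned: `uvx zizmor` resolves the newest zizmor on PyPI at every run and setup-uv uses `version: "latest"`; pinning with `uvx zizmor==<PINNED_VERSION>` (placeholder) makes a scan result reproducible and keeps a surprise release from changing what the gate reports.
```yaml
on:
  push:
    branches:
      - main  # placeholder: substitute the repository's default branch
  pull_request:
    branches:
      - "**"
# … unchanged: permissions, job header, checkout and setup-uv steps …
      - name: "Run zizmor"
        run: uvx zizmor --format sarif . > results.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# … unchanged: upload-sarif step …
```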