name: security lint GitHub Actions with zizmor on: push: branches: ["main"] paths: - ".github/workflows/**" pull_request: branches: ["**"] paths: - ".github/workflows/**" permissions: {} jobs: zizmor: runs-on: ubuntu-latest permissions: contents: read actions: read steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run zizmor uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 with: min-severity: high advanced-security: false annotations: true