From fcecbe63dd427224e3b93fcc18f4791d672b49ff Mon Sep 17 00:00:00 2001
From: Kevin Liu
Date: Tue, 24 Mar 2026 16:09:59 -0700
Subject: [PATCH 1/3] add zizmor to ci
---
 .github/workflows/zizmor.yml | 73 ++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000000..b0d429fa7416
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Audits GitHub Actions workflows for unpinned third-party actions.
+#
+# Actions referenced by mutable tag (e.g. `actions/checkout@v4`) can be
+# silently replaced by a compromised or force-pushed tag, allowing arbitrary
+# code execution inside CI. Pinning to a full commit SHA makes the reference
+# immutable and auditable.
+#
+# This job runs zizmor (https://woodruffw.github.io/zizmor/) in offline mode
+# and fails if any `uses:` step references an action without a commit-SHA pin.
+ +name: "Zizmor Workflow Audit" +on: + pull_request: + paths: + - '.github/workflows/**' + +permissions: + contents: read + +jobs: + zizmor: + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5 + - name: Run zizmor audit + run: | + findings=$(uvx --from zizmor zizmor \ + --offline \ + --format json-v1 \ + .github/workflows 2>/dev/null \ + | jq -r ' + [ + .[] + | select(.ident == "unpinned-uses") + | .locations[] + | select(.symbolic.kind == "Primary") + | { + path: .symbolic.key.Local.given_path, + row: (.concrete.location.start_point.row + 1), + col: (.concrete.location.start_point.column + 1), + feature: .concrete.feature + } + ] + | sort_by(.feature) + | .[] + | "\(.path):\(.row):\(.col)\t\(.feature)" + ') + + if [ -n "$findings" ]; then + echo "::error::Found unpinned GitHub Actions:" + echo "$findings" + exit 1 + fi From 0a7ea6bdc21f1c87313dd159256edd14868ea5d5 Mon Sep 17 00:00:00 2001 From: Kevin Liu Date: Tue, 24 Mar 2026 16:10:48 -0700 Subject: [PATCH 2/3] update doc link --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index b0d429fa7416..9301dcd21583 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -24,7 +24,7 @@ # code execution inside CI. Pinning to a full commit SHA makes the reference # immutable and auditable. # -# This job runs zizmor (https://woodruffw.github.io/zizmor/) in offline mode +# This job runs zizmor (https://docs.zizmor.sh/) in offline mode # and fails if any `uses:` step references an action without a commit-SHA pin. name: "Zizmor Workflow Audit" From 1a5ebe24230537e2702fb7d9199fa0663bca37a3 Mon Sep 17 00:00:00 2001 
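Review bot: The audit in the "Run zizmor audit" step fails open: the script has no `set -o pipefail`, discards zizmor's stderr with `2>/dev/null`, and decides only on `$findings`, so if zizmor or jq errors out (invalid JSON, a changed output schema, an unsupported flag) `findings` is empty and the job passes green. The pipeline was presumably written this way because zizmor signals findings through its exit status, which under `set -e` would abort the command substitution before jq narrows the result to `unpinned-uses`; start the script with `set -euo pipefail`, drop the `2>/dev/null`, and add `--no-exit-codes` to the zizmor invocation so only real tool failures are non-zero. The pinning discipline this workflow enforces is also not applied to the auditor itself: `uvx --from zizmor zizmor` resolves the latest zizmor from PyPI on every run, so pin it, e.g. `uvx --from 'zizmor==<PINNED_VERSION>' zizmor`, and bump it deliberately. A `# NOTE: zizmor's own findings exit code is suppressed; a non-zero status here means the tool itself failed` comment next to the invocation would keep the next maintainer from reintroducing the silent-pass behaviour.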
From: Kevin Liu Date: Tue, 24 Mar 2026 16:11:44 -0700 Subject: [PATCH 3/3] update comments --- .github/workflows/zizmor.yml | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 9301dcd21583..060f8afa8084 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -17,16 +17,6 @@ # under the License. # -# Audits GitHub Actions workflows for unpinned third-party actions. -# -# Actions referenced by mutable tag (e.g. `actions/checkout@v4`) can be -# silently replaced by a compromised or force-pushed tag, allowing arbitrary -# code execution inside CI. Pinning to a full commit SHA makes the reference -# immutable and auditable. -# -# This job runs zizmor (https://docs.zizmor.sh/) in offline mode -# and fails if any `uses:` step references an action without a commit-SHA pin. - name: "Zizmor Workflow Audit" on: pull_request: @@ -43,6 +33,11 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5 - name: Run zizmor audit + # Runs zizmor (https://docs.zizmor.sh/) in offline mode to detect + # unpinned third-party actions. Actions referenced by mutable tag + # (e.g. `actions/checkout@v4`) can be silently replaced by a + # compromised or force-pushed tag, allowing arbitrary code execution + # in CI. Pinning to a full commit SHA makes the reference immutable. run: | findings=$(uvx --from zizmor zizmor \ --offline \