diff --git a/workflows/zizmor.yml b/workflows/zizmor.yml
new file mode 100644
index 0000000..f1eb883
--- /dev/null
+++ b/workflows/zizmor.yml
@@ -0,0 +1,28 @@
+name: zizmor (report-only)
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions:
+ contents: read # this workflow only reads code; nothing else
+
+jobs:
+ zizmor:
+ name: zizmor # remember this name -- it becomes your gate later (Rung 3)
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Install uv
+ uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+
+ - name: Run zizmor 🌈 (report-only)
+ run: uvx "zizmor@1.26.1" --format=github --no-exit-codes --min-confidence=medium .
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
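Review bot: The `zizmor` job sets no `timeout-minutes`, so a stalled `uvx` resolution against PyPI or a hung GitHub API call during the audit would occupy a runner until the platform's default job timeout (several hours) expires; add `timeout-minutes: 10` directly under `runs-on: ubuntu-latest`. Both actions are pinned to full commit SHAs, but the tool itself is pinned only by version (`uvx "zizmor@1.26.1"`) with no hash or lockfile, which makes the PyPI fetch the least-verified link in an otherwise tightly pinned workflow — if a hash-verified install is not adopted, a comment on the `run:` line such as `# version-pinned only; the PyPI fetch is not hash-verified` keeps that trade-off visible. `GH_TOKEN` is scoped to the single step and the token carries only `contents: read`, which is the right least-privilege shape for an online audit. The report-only behaviour is enforced by `--no-exit-codes` rather than by anything in the job title, so a short comment on that line (`# report-only: findings are annotated, the check never fails`) would document the intent where it actually lives; the `branches: ["**"]` filter on `pull_request` matches every branch and can simply be dropped.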