name: Zizmor Static Analysis
on:
workflow_dispatch:
push:
paths: [.github/workflows/**]
branches:
- develop
pull_request:
paths: [.github/workflows/**]
branches: [develop]
schedule: [cron: "40 4 * * 1"]
permissions: {}
jobs:
zizmor:
runs-on: ubuntu-24.04
timeout-minutes: 10
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install uv
uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba - name: Install zizmor
run: uv tool install zizmor
- name: zizmor static analysis check
run: zizmor --format sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: zizmor