Add zizmor GitHub workflow integration

Author: jakob-keller

.github/workflows/ci-cd.yml

@@ -114,11 +114,17 @@ jobs:
         fail_ci_if_error: true  # optional (default = false)
         verbose: true  # optional (default = false)
 
+  zizmor:
+    uses: ./.github/workflows/reusable-zizmor.yml
+    permissions:
+      security-events: write
+
   check:  # This job does nothing and is only used for the branch protection
     if: always()
     needs:
     - build
     - test
+    - zizmor
     runs-on: ubuntu-24.04
     timeout-minutes: 5
 

.github/workflows/reusable-zizmor.yml

@@ -0,0 +1,39 @@
+---
+name: Reusable zizmor
+
+permissions: {}
+
+on:
+  workflow_call:
+
+env:
+  FORCE_COLOR: 1
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write
+    timeout-minutes: 5
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - name: Install uv
+      # yamllint disable-line rule:line-length
+      uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04  # v6.0.0
+      with:
+        # yamllint disable-line rule:line-length
+        enable-cache: | # zizmor: ignore[cache-poisoning] cache is disabled when publishing to prevent poisoning
+          ${{ github.ref_type == 'tag' && 'false' || 'auto' }}
+    - name: Run zizmor 🌈
+      run: uvx zizmor --format=sarif . > results.sarif
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: results.sarif
+        category: zizmor