From c3628084b15de5f88f73e0968c24a07569284818 Mon Sep 17 00:00:00 2001
From: Jose Storopoli
Date: Wed, 16 Jul 2025 08:44:58 -0300
Subject: [PATCH] feat: add zizmor

zizmor is a static analysis for GitHub Actions focused on security
---
 README.md | 1 +
 modules/hooks.nix | 8 ++++++++
 nix/tools.nix | 2 ++
 3 files changed, 11 insertions(+)

diff --git a/README.md b/README.md
index 29c5a68c..8e0a7f52 100644
--- a/README.md
+++ b/README.md
@@ -450,6 +450,7 @@ use nix
 - [topiary](https://github.com/tweag/topiary)
 - [treefmt](https://github.com/numtide/treefmt)
 - [trim-trailing-whitespace](https://github.com/pre-commit/pre-commit-hooks/blob/main/pre_commit_hooks/trailing_whitespace_fixer.py)
+- [zizmor](https://github.com/zizmorcore/zizmor)
 ### Custom hooks
diff --git a/modules/hooks.nix b/modules/hooks.nix
index 04570508..80cad09e 100644
--- a/modules/hooks.nix
+++ b/modules/hooks.nix
@@ -4158,6 +4158,14 @@ lib.escapeShellArgs (lib.concatMap (ext: [ "--ghc-opt" "-X${ext}" ]) hooks.fourm
 in
 "${hooks.yamllint.package}/bin/yamllint ${cmdArgs}";
 };
+ zizmor = {
+ name = "zizmor";
+ description = "Static analysis for GitHub Actions";
+ files = "^.github/workflows/";
+ types = [ "yaml" ];
+ package = tools.zizmor;
+ entry = "${hooks.zizmor.package}/bin/zizmor";
+ };
 zprint = {
 name = "zprint";
diff --git a/nix/tools.nix b/nix/tools.nix
index 1102e556..56873f43 100644
--- a/nix/tools.nix
+++ b/nix/tools.nix
@@ -95,6 +95,7 @@
 , revive ? null
 , uv
 , vale
+, zizmor
 }:
@@ -177,6 +178,7 @@ in
 vale
 yamlfmt
 yamllint
+ zizmor
 zprint
 ;
 inherit (elmPackages) elm-format elm-review elm-test;
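Review bot: The `files` pattern in the new `zizmor` hook in modules/hooks.nix leaves the dot unescaped, so `^.github/workflows/` is a regex in which `.` matches any single character rather than the literal `.github` directory; it should be `files = "^\\.github/workflows/";` so the Nix string yields `^\.github/workflows/`. The overmatch is harmless for a linter that only reads files, but since this hook's whole purpose is to be the security gate on workflow definitions, the scope it applies to should be exact rather than incidental. It would also help a reader to note in the hook's `description` (or a comment beside `files`) that only files under `.github/workflows/` are audited, since zizmor's findings depend on that scope. The enclosing hooks attribute set begins and ends outside this hunk.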