From 8ad9ab15792bd06de8ba9c7f40eb74e57c9cf32b Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 5 Mar 2026 00:25:27 +0000
Subject: [PATCH 1/4] ci: add zizmor github actions security scanner

Adds a new GitHub Actions workflow using `zizmor` to scan the repository's workflows for security issues and misconfigurations. The workflow is triggered on pushes to the `master` branch and on all pull requests, and uploads its findings to GitHub Advanced Security.
Co-authored-by: another-rex <106129829+another-rex@users.noreply.github.com>

---
 .github/workflows/zizmor.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000000..961f9620b9f
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["master"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
From 4836186d274609cf82f32813e8046b8c1a304776 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 5 Mar 2026 01:06:42 +0000
Subject: [PATCH 2/4] ci: update zizmor action to run only on master branch

Removes pull request trigger for the new zizmor security scanner workflow, executing it exclusively on pushes to master.
Co-authored-by: another-rex <106129829+another-rex@users.noreply.github.com>
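Review bot: With `push` to `master` and `pull_request` as the only triggers in the `on:` block, an unchanged `master` is never re-scanned, so findings that only appear with a newer audit set (the action is SHA-pinned, so that presumably arrives with a pin bump) or that depend on data outside the repository stay unreported until the next commit lands. Adding `schedule:` with e.g. `- cron: "0 6 * * 1"` (a constructed weekly cadence; any interval works) and `workflow_dispatch:` gives a periodic baseline and an on-demand re-run. The `security-events: write` grant deserves a one-line comment such as `# needed only to upload SARIF results to code scanning`, together with the caveat that on `pull_request` runs from forks the token is read-only and that permission is not granted, so the upload would fail; that is likely why later patches in this series drop the `pull_request` trigger, and the comment preserves the reason. `contents: read` plus `persist-credentials: false` on the checkout is the right scope for a scan-only job.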
From c014e9f47c6a4da26c00146e587b455c650a42fc Mon Sep 17 00:00:00 2001
From: Rex P <106129829+another-rex@users.noreply.github.com>
Date: Thu, 5 Mar 2026 15:57:11 +1100
Subject: [PATCH 3/4] Update .github/workflows/zizmor.yml

---
 .github/workflows/zizmor.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 961f9620b9f..0a8b4d3bac8 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -3,8 +3,6 @@ name: GitHub Actions Security Analysis with zizmor 🌈
 on:
 push:
 branches: ["master"]
- pull_request:
- branches: ["**"]
 
 permissions: {}
 
From e7221bc594dac974bfe5f507d71047cc96663dfc Mon Sep 17 00:00:00 2001
From: Rex P <106129829+another-rex@users.noreply.github.com>
Date: Thu, 5 Mar 2026 15:57:58 +1100
Subject: [PATCH 4/4] Update .github/workflows/zizmor.yml

---
 .github/workflows/zizmor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 0a8b4d3bac8..feabd038263 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -1,4 +1,4 @@
-name: GitHub Actions Security Analysis with zizmor 🌈
+name: GitHub Actions Security Analysis
 
 on:
 push: