diff --git a/.github/workflows/reusable-zizmor.yml b/.github/workflows/reusable-zizmor.yml
index 12822383a..c67ffa0f8 100644
--- a/.github/workflows/reusable-zizmor.yml
+++ b/.github/workflows/reusable-zizmor.yml
@@ -379,16 +379,18 @@ jobs:
           ZIZMOR_CONFIG: ${{ steps.setup-config.outputs.zizmor-config }}
           ZIZMOR_CACHE_DIR: ${{ runner.temp }}/.cache/zizmor
         shell: sh
-        run: >-
-          uvx zizmor@"${ZIZMOR_VERSION}"
-          --format sarif
-          --min-severity "${MIN_SEVERITY}"
-          --min-confidence "${MIN_CONFIDENCE}"
-          --cache-dir "${ZIZMOR_CACHE_DIR}"
-          ${ZIZMOR_CONFIG:+--config "${ZIZMOR_CONFIG}"}
-          ${RUNNER_DEBUG:+"--verbose"}
-          ${ZIZMOR_EXTRA_ARGS:+${ZIZMOR_EXTRA_ARGS}}
-          .
+        run: |
+          if [ -z "${ZIZMOR_CONFIG}" ]; then
+            unset ZIZMOR_CONFIG
+          fi
+          uvx zizmor@"${ZIZMOR_VERSION}" \
+          --format sarif \
+          --min-severity "${MIN_SEVERITY}" \
+          --min-confidence "${MIN_CONFIDENCE}" \
+          --cache-dir "${ZIZMOR_CACHE_DIR}" \
+          ${RUNNER_DEBUG:+"--verbose"} \
+          ${ZIZMOR_EXTRA_ARGS:+${ZIZMOR_EXTRA_ARGS}} \
+          . \
           > results.sarif
 
       - name: Upload artifact
@@ -419,13 +421,15 @@ jobs:
           # don't fail the build if zizmor fails - we want to capture the output
           # and the exit code
           set +e
+          if [ -z "${ZIZMOR_CONFIG}" ]; then
+            unset ZIZMOR_CONFIG
+          fi
           uvx zizmor@"${ZIZMOR_VERSION}" \
             --format plain \
             --min-severity "${MIN_SEVERITY}" \
             --min-confidence "${MIN_CONFIDENCE}" \
             --cache-dir "${ZIZMOR_CACHE_DIR}" \
             ${RUNNER_DEBUG:+"--verbose"} \
-            ${ZIZMOR_CONFIG:+--config "${ZIZMOR_CONFIG}"} \
             ${ZIZMOR_EXTRA_ARGS:+${ZIZMOR_EXTRA_ARGS}} \
             . \
             | tee -a "${GITHUB_OUTPUT}"