
Conversation

kingbuzzman (Member) commented Jun 3, 2025

TODO: change --persona=regular -> --persona=pedantic (in another PR)

@kingbuzzman kingbuzzman requested a review from Copilot June 3, 2025 09:33
@kingbuzzman kingbuzzman marked this pull request as ready for review June 3, 2025 09:33
Copilot AI left a comment

Pull Request Overview

Adds Zizmor static analysis to the CI pipeline by installing the tool, wiring it into tox, and defining GitHub Actions pinning policies.

  • Integrate zizmor into tox.ini for workflow scans
  • Pin zizmor==1.9.0 in pyproject.toml alongside existing linters
  • Introduce a Zizmor rules file to enforce action ref-pinning

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File / Description
  tox.ini: Added zizmor command with --persona=regular flag
  pyproject.toml: Added zizmor==1.9.0 to the linting dependencies
  .github/zizmor.yml: Defined unpinned-uses policy for GitHub Actions pins
Comments suppressed due to low confidence (1)

.github/zizmor.yml, line 1 (context line: `rules:`)

  • Zizmor looks for its config in .zizmor.yml at the repo root by default. Either move this file to the root or pass --config .github/zizmor.yml when invoking zizmor so the rules are actually applied.

tox.ini (context for the inline comment below):

ruff check --diff {posargs:pytest_django pytest_django_test tests}
ruff format --quiet --diff {posargs:pytest_django pytest_django_test tests}
mypy {posargs:pytest_django pytest_django_test tests}
zizmor --persona=regular .github/workflows/deploy.yml .github/workflows/main.yml
Copilot AI commented Jun 3, 2025

The PR description notes switching --persona=regular to --persona=pedantic, but the command still uses regular. Update the flag to --persona=pedantic to apply the stricter analysis.

Suggested change
zizmor --persona=regular .github/workflows/deploy.yml .github/workflows/main.yml
zizmor --persona=pedantic .github/workflows/deploy.yml .github/workflows/main.yml

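The `unpinned-uses` policy that the review overview describes is what the new `.github/zizmor.yml` is meant to enforce. As an added illustration, not code from pytest-django or from zizmor, the Python below shows the classification such a rule performs: every third-party `uses:` reference is bucketed as hash-pinned, ref-pinned or unpinned, and a policy is applied to the result. The workflow text is constructed; the `setup-python` SHA in it is made up (the reusable-workflow pin is the one quoted later in this thread); the `uses:` regex is a deliberate simplification that avoids PyYAML; and the policy names `hash-pin` / `ref-pin` are labels chosen here, not a claim about zizmor's own config syntax.

```python
"""Classify GitHub Actions `uses:` references by how they are pinned.

Added example, not code from pytest-django or from zizmor. It re-implements,
in plain Python and without PyYAML, the idea behind an unpinned-uses rule:
third-party actions and reusable workflows should point at a full commit
SHA, because tags and branches are mutable pointers that an upstream
compromise can move. The sample workflow below is constructed.
"""
import re

# Assumption: a `uses:` reference sits on its own line as `uses: <ref>`,
# optionally preceded by a list dash and optionally quoted.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not from the pytest-django repository).
# The setup-python SHA is made up; the reusable-workflow SHA is the one
# quoted in the discussion above.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
  zizmor:
    uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@3bb5e95068d0f44b6d2f3f7e91379bed1d2f96a8
"""


def classify(ref: str) -> str:
    """Return one of: local, docker, hash-pinned, ref-pinned, unpinned."""
    if ref.startswith("./"):
        return "local"          # in-repo action, pinned by the checkout itself
    if ref.startswith("docker://"):
        return "docker"         # image refs need a digest policy of their own
    if "@" not in ref:
        return "unpinned"       # e.g. `actions/checkout` with no ref at all
    _, _, pin = ref.rpartition("@")
    if SHA_RE.match(pin):
        return "hash-pinned"
    # A tag or branch: explicit, but still a mutable pointer.
    return "ref-pinned"


def find_uses(workflow_text: str) -> list[tuple[str, str]]:
    """All `uses:` references in the workflow with their classification."""
    return [(m.group(1), classify(m.group(1))) for m in USES_RE.finditer(workflow_text)]


def violations(workflow_text: str, policy: str = "hash-pin") -> list[str]:
    """References that violate the chosen policy (policy names are labels
    used by this example, not zizmor's config vocabulary).

    hash-pin: every external ref must be a 40-hex commit SHA.
    ref-pin:  any explicit tag/branch/SHA is accepted; a missing ref is not.
    """
    bad = []
    for ref, kind in find_uses(workflow_text):
        if kind in ("local", "docker"):
            continue
        if policy == "hash-pin" and kind != "hash-pinned":
            bad.append(ref)
        elif policy == "ref-pin" and kind == "unpinned":
            bad.append(ref)
    return bad


if __name__ == "__main__":
    for ref, kind in find_uses(SAMPLE_WORKFLOW):
        print(f"{kind:12} {ref}")
    print("hash-pin violations:", violations(SAMPLE_WORKFLOW))
```

Run it against a real file with `violations(open(".github/workflows/main.yml").read())`; zizmor does the real work in CI, this only makes the rule's intent concrete, including why a tag such as `@v4` counts as a violation under a hash-pin policy but not under a ref-pin one.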
kingbuzzman (Member, Author) commented Jun 3, 2025

LOL close. I'll do this in another PR to keep the changes to a minimum

@kingbuzzman kingbuzzman enabled auto-merge (squash) June 3, 2025 09:36
@kingbuzzman kingbuzzman merged commit 007b7fa into main Jun 3, 2025
20 checks passed
@kingbuzzman kingbuzzman deleted the dev/zizmor branch June 3, 2025 09:37
webknjaz (Member) commented Jun 4, 2025

@kingbuzzman you could also stick this into GHA (additionally) to have Zizmor report its findings into the GH Security Analysis UI, and they'd show up in PRs too.

---

name: GitHub Actions Security Analysis with zizmor 🌈

on:  # yamllint disable-line rule:truthy
  push:
  pull_request:

jobs:
  zizmor:
    name: 🌈 zizmor

    permissions:
      security-events: write

    # yamllint disable-line rule:line-length
    uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@3bb5e95068d0f44b6d2f3f7e91379bed1d2f96a8

...

kingbuzzman (Member, Author) commented

@webknjaz I noticed this—I didn’t include it because I think it makes more sense to be able to run everything locally. If both options are available, I worry there could be a version conflict, where one tool reports something different from the other. Personally, I prefer to see everything locally for consistency.
That’s just my perspective, though—what do you think?

kingbuzzman (Member, Author) commented

LOL I just noticed you wrote that 😄

I can format it out to SARIF and display it...
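The follow-up above talks about emitting SARIF so findings can be displayed. As an added example, not part of this PR and not zizmor's own code, the Python below consumes a SARIF 2.1.0 report of the general shape a `zizmor --format sarif` run produces, using only the standard `runs[].results[]` fields (`ruleId`, `level`, `message.text`, `locations[].physicalLocation`), summarises findings per rule and decides whether a CI job should fail above a chosen severity. The embedded report is constructed; its rule ids, file paths and line numbers are illustrative.

```python
"""Summarise a SARIF report and decide whether CI should fail on it.

Added example, not part of the pull request or of zizmor. Only standard
SARIF 2.1.0 fields are read, so the same code works for any SARIF producer;
the embedded report is constructed for illustration and its rule ids,
paths and line numbers are not taken from a real scan.
"""
import json
from collections import Counter

# Constructed sample report (two findings, two severities).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "zizmor"}},
        "results": [
            {
                "ruleId": "unpinned-uses",
                "level": "warning",
                "message": {"text": "action is not pinned to a hash ref"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": ".github/workflows/main.yml"},
                    "region": {"startLine": 23}}}],
            },
            {
                "ruleId": "template-injection",
                "level": "error",
                "message": {"text": "code injection via template expansion"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": ".github/workflows/deploy.yml"},
                    "region": {"startLine": 41}}}],
            },
        ],
    }],
})

# SARIF `level` values ordered by severity; unknown levels count as warnings.
LEVELS = {"note": 0, "warning": 1, "error": 2}


def findings(sarif_text: str) -> list[dict]:
    """Flatten every result in every run into a small dict per finding."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            # A result may carry no location at all; tolerate that.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append({
                "rule": res.get("ruleId", "?"),
                "level": res.get("level", "warning"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return out


def summary(sarif_text: str) -> dict[str, int]:
    """Number of findings per rule id."""
    return dict(Counter(f["rule"] for f in findings(sarif_text)))


def should_fail(sarif_text: str, min_level: str = "warning") -> bool:
    """True if any finding is at or above `min_level`."""
    threshold = LEVELS[min_level]
    return any(LEVELS.get(f["level"], 1) >= threshold for f in findings(sarif_text))


if __name__ == "__main__":
    for f in findings(SAMPLE_SARIF):
        print(f"{f['level']:8} {f['rule']:20} {f['file']}:{f['line']}  {f['message']}")
    print("per rule:", summary(SAMPLE_SARIF))
    print("fail CI:", should_fail(SAMPLE_SARIF))
```

Because the gate reads the same report that would be uploaded to the Security tab, a local run and the GitHub view see identical findings; a drift between them can then only come from running different zizmor versions or different flags, not from the reporting path.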

@kingbuzzman kingbuzzman mentioned this pull request Jun 4, 2025
webknjaz (Member) commented Jun 4, 2025

As for having a shared behavior — I prefer using a config file so all different invocations would pick it up. But the CLI toggles you use aren't available like that. Apparently, @woodruffw wanted people to use CLI args. Though, I would argue there's a case for allowing the defaults in the config too.

woodruffw commented

> Apparently, @woodruffw wanted people to use CLI args. Though, I would argue there's a case for allowing the defaults in the config too.

Not exactly wanted -- it's more that zizmor's config serves too many different purposes (it's both per-repo and can be used globally for policies), which has made me hesitant to add more features/knobs until I do a larger refactor. I'm not opposed to having configurations for these kinds of things, I just want to get them right since there's a long (and growing) compat tail with zizmor's users 🙂
