From b7d0266bcc888d73bfd5e385009133c0837179da Mon Sep 17 00:00:00 2001
From: Santiago Soler
Date: Fri, 12 Sep 2025 11:06:12 -0700
Subject: [PATCH] Use zizmor to lint GH Actions in the template repo
Add workflow to lint GH Actions using Zizmor for common vulnerabilities.
---
.github/workflows/zizmor.yml | 41 ++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..616a11d
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,41 @@
+# Lint GitHub Actions for common security issues using zizmor.
+# Docs: https://woodruffw.github.io/zizmor
+
+name: zizmor
+
+# Only run on PRs and the main branch.
+# Pushes to branches will only trigger a run when a PR is opened.
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+permissions: {}
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+ with:
+ persist-credentials: false
+
+ - name: Setup Python
+ uses: actions/setup-python@v6
+ with:
+ python-version: "3.13"
+
+ - name: Install Zizmor
+ run: python -m pip install zizmor
+
+ - name: List installed packages
+ run: python -m pip freeze
+
+ - name: Lint GitHub Actions with Zizmor
+ run: zizmor .github/workflows
+ env:
+ # Set GH_TOKEN to allow zizmor to check online vulnerabilities
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
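Review bot: The two `uses:` lines (`actions/checkout@v5`, `actions/setup-python@v6`) and the `python -m pip install zizmor` step all resolve mutable references at run time, so the job that audits the repo's workflows for supply-chain weaknesses is itself fetched by floating tags and an unpinned PyPI release. Pin the actions to full commit SHAs with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v5` and `uses: actions/setup-python@<commit-sha>  # v6`, and pin the tool with `run: python -m pip install "zizmor==<pinned-version>"` (placeholders to be filled from the release you verified); the existing `pip freeze` step then records exactly what was audited with. Whether zizmor's own `unpinned-uses` audit would flag these tag-pinned official actions under its default policy depends on the zizmor version installed, so the pin is worth adding regardless. `permissions: {}` at the top is the right default; the `GH_TOKEN` passed on the last lines is only used for zizmor's online audits, and if those turn out to need read access, grant it on the `lint` job (`permissions: contents: read`) rather than widening the workflow-level block.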