From 46d3ee6d1cff75959b63b2fe4dd69164e175ae45 Mon Sep 17 00:00:00 2001
From: Tobias Bieniek
Date: Mon, 19 May 2025 17:37:49 +0200
Subject: [PATCH 1/2] CI: Declare minimal set of permissions
---
 .github/workflows/ci.yml | 2 ++
 .github/workflows/smoke-test.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b07ec647551..362a92df72c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,8 @@ on:
   pull_request:
+permissions: {}
+
 concurrency:
   group: ci-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml
index 46a3daac7a5..30af2352579 100644
--- a/.github/workflows/smoke-test.yml
+++ b/.github/workflows/smoke-test.yml
@@ -3,6 +3,8 @@ name: Smoke Test
 on:
   workflow_dispatch:
+permissions: {}
+
 concurrency:
   group: smoke-test
   cancel-in-progress: true
From bc359db05731d97795cb8e2c8bf32b04dd0c75c1 Mon Sep 17 00:00:00 2001
From: Tobias Bieniek
Date: Mon, 19 May 2025 17:44:17 +0200
Subject: [PATCH 2/2] CI: Add `zizmor` job
---
 .github/workflows/ci.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 362a92df72c..a790eed2484 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,6 +24,8 @@ env:
   PNPM_VERSION: 10.11.0
   # renovate: datasource=docker depName=postgres
   POSTGRES_VERSION: 16
+  # renovate: datasource=pypi depName=zizmor
+  ZIZMOR_VERSION: 1.7.0
 jobs:
   changed-files:
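Review bot: The top-level `permissions: {}` in the ci.yml hunk strips every scope from GITHUB_TOKEN for all jobs in the file, so any job elsewhere in the workflow that relies on the default token (checkout of a non-public repository, `gh` API calls, publishing check results or artifacts through the API) now needs its own job-level `permissions:` grant. Only the file header is in this hunk, so confirm that none of the remaining jobs depends on the token before merging. The same check applies to the smoke-test.yml hunk. A one-line comment above the key would make the intent explicit for the next editor, e.g. `# No default token scopes; a job that needs the token declares them at job level.`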
@@ -71,10 +73,16 @@ jobs:
       with:
         files: Cargo.lock
+      - uses: tj-actions/changed-files@6cb76d07bee4c9772c6882c06c37837bf82a04d3 # v46.0.4
+        id: changed-files-ci
+        with:
+          files: .github/workflows/**
+
     outputs:
       non-js: ${{ steps.changed-files-non-js.outputs.any_modified }}
       non-rust: ${{ steps.changed-files-non-rust.outputs.any_modified }}
       rust-lockfile: ${{ steps.changed-files-rust-lockfile.outputs.any_modified }}
+      ci: ${{ steps.changed-files-ci.outputs.any_modified }}
   percy-nonce:
     name: Frontend / Percy Nonce
@@ -302,3 +310,25 @@ jobs:
           name: playwright-report
           path: playwright-report/
           retention-days: 14
+
+  zizmor:
+    name: CI / Lint
+    runs-on: ubuntu-24.04
+    needs: changed-files
+    if: needs.changed-files.outputs.ci == 'true'
+    permissions:
+      security-events: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
+      - run: uvx zizmor@${ZIZMOR_VERSION} --format=sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        with:
+          sarif_file: results.sarif
+          category: zizmor
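Review bot: The new `changed-files-ci` filter watches only `.github/workflows/**`, so the lint job it gates is skipped when a local action definition changes; zizmor audits action definitions as well as workflow files, so if this repository keeps composite actions under `.github/actions/`, that directory should be part of the trigger too. The `files:` input accepts several patterns, e.g. a multi-line value `files: |` listing `.github/workflows/**` and `.github/actions/**`. The `changed-files` job starts before this hunk, so the surrounding step layout is assumed rather than seen.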
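Review bot: The `run:` step in the new `zizmor` job fails before anything is uploaded whenever zizmor reports findings, because zizmor's default exit status is non-zero when it has results and the step shell aborts on that; the following `upload-sarif` step then never runs, so the findings never reach code scanning and the job only turns red. Either add `--no-exit-codes` to the zizmor invocation and rely on the code-scanning alerts, or keep the failing exit and put `if: always()` (or `if: ${{ !cancelled() }}`) on the upload step so the SARIF is still published. Pinning every action to a commit SHA, reading the version from the shell environment rather than a `${{ }}` expression, and setting `persist-credentials: false` on checkout are all the right calls here. Since the workflow already declares `permissions: {}`, the job-level `security-events: write` is the only scope the token carries in this job, which is sufficient for `upload-sarif` on a public repository.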