# Runs zizmor (a GitHub Actions workflow auditor) in pedantic mode against
# every file under .github/workflows on each push.
name: Security Analysis with zizmor 🌈

on: [push]

# Workflow-wide default token scope: read-only on the Actions API.
# Jobs declare their own (wider) scope explicitly below.
permissions:
  actions: read  # read-only default for any job that does not override it

jobs:
  zizmor:
    name: zizmor latest via PyPI
    runs-on: ubuntu-latest
    concurrency:
      # One run per workflow+ref; a newer push on the same ref queues behind it.
      group: ${{ github.workflow }}-${{ github.ref }}
    permissions:
      actions: read  # presumably needed by zizmor's online audits via --gh-token — confirm
      security-events: write  # NOTE(review): no step in this job uploads SARIF; confirm this scope is still required
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          persist-credentials: false  # the token is only needed by the zizmor step, via GH_TOKEN
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
      - name: Run zizmor 🌈
        # Pedantic mode enables zizmor's stricter findings; the token is passed
        # through an env var rather than interpolated into the shell line.
        run: |
          cd "$GITHUB_WORKSPACE"
          uvx zizmor --pedantic --gh-token "$GH_TOKEN" .github/workflows/*
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}