From b6d9f92a944fd917906c182b586129c9e53d49cf Mon Sep 17 00:00:00 2001
From: sean wibisono
Date: Fri, 3 Jul 2026 13:39:11 +1000
Subject: [PATCH] UID2-7011: add zizmor workflow-security scan (report-only)
Bare caller of the shared scan: severity floors inherit central defaults (report-only, High) and are overridable per-repo via ZIZMOR_* Actions variables. Part of the UID2-7011 org-wide rollout.
Co-Authored-By: Claude Fable 5
---
 .github/workflows/zizmor.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 .github/workflows/zizmor.yaml
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 0000000..68e3622
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,16 @@
+name: Zizmor Scan
+
+on:
+  pull_request:
+    # Must cover everywhere scannable files live; the scan covers the whole repo.
+    paths:
+      - '.github/**'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    # Bare call: severity floors come from the shared workflow's defaults.
+    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-zizmor-scan.yaml@v3
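Review bot: The shared workflow is referenced by the mutable tag `@v3` on the last line of the hunk, so whoever can move that tag in uid2-shared-actions controls what this scan runs and reports, and a tag reference is the kind of `uses:` that zizmor's own unpinned-uses audit exists to flag. Pinning to the full commit SHA with the tag kept as a trailing comment, `uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-zizmor-scan.yaml@<full-commit-sha>  # v3`, makes the scan's trust anchor explicit and still lets Dependabot bump it. The `paths: - '.github/**'` filter also means a PR that only touches an `action.yml` living elsewhere in the repo (if any exist here) would not trigger the scan even though, per the comment, the scan itself covers the whole repo; a `push` trigger on the default branch or a `schedule` would additionally catch drift that lands outside a pull request. The caller grants only `contents: read`, which is right for a report-only run, but if the shared workflow ever uploads SARIF to code scanning it will need `security-events: write` from this caller, so that is worth confirming against shared-zizmor-scan.yaml.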