name: "Validate GitHub Actions" on: workflow_dispatch: pull_request: push: branches: - main paths: - '.github/workflows/**' - '.github/actions/**' permissions: {} jobs: zizmor: name: "Lint" runs-on: ubuntu-latest permissions: contents: read security-events: write # for uploading SARIF results steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: "Run zizmor" uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7 with: # there is a pass/fail gate as a repo ruleset (if there is no ruleset configured then the action will pass by default) advanced-security: true inputs: .github