From a90f583e7a11703aab50bdc5ece8717e089c69da Mon Sep 17 00:00:00 2001
From: Carlo Cabrera
Date: Mon, 23 Mar 2026 22:42:12 +0800
Subject: [PATCH] [Workflows] Add Zizmor check (#187905)

The recent Trivy breach[^1] made me consider re-opening #117787. Trivy was breached using an impostor commit[^2], which Zizmor can flag. It's also much more widely used since my last PR.[^3] The new workflow was taken from the example workflow in their documentation.[^4]

[^1]: https://github.com/aquasecurity/trivy/discussions/10425
[^2]: https://docs.zizmor.sh/audits/#impostor-commit
[^3]: https://docs.zizmor.sh/trophy-case/
[^4]: https://docs.zizmor.sh/integrations/#via-zizmorcorezizmor-action
---
 .github/workflows/zizmor.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000000..4b1ee3c7c7c1
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,29 @@
+name: Zizmor GitHub Actions Analysis
+
+on:
+ push:
+ branches: ["main"]
+ paths: [".github/**"]
+ pull_request:
+ paths: [".github/**"]
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ if: github.repository_owner == 'llvm'
+ name: Run zizmor
+ runs-on: ubuntu-24.04
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
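Review bot: The `security-events: write` grant in the job-level `permissions:` block is not honoured on `pull_request` runs coming from forks — GitHub hands those runs a read-only `GITHUB_TOKEN` regardless of the `permissions:` map — so the SARIF upload that the inline comment on that line says zizmor-action performs would fail there, and the `if: github.repository_owner == 'llvm'` guard does not exclude that case because fork PRs execute in the llvm repository. If the action exposes the `advanced-security` input its documentation describes, gating the upload on the event keeps the PR run a plain pass/fail check while SARIF is still published on pushes to `main`: `with:` / `advanced-security: ${{ github.event_name != 'pull_request' }}` on the `Run zizmor` step; otherwise split the upload into a push-only job. It would also help the next maintainer to record that the impostor-commit audit motivating this change is one of zizmor's online audits, which need network access and the token the action is given by default, with a comment above the `Run zizmor` step such as `# Keep online audits enabled: impostor-commit detection depends on them.` Consider dropping the `actions: read` grant if the SARIF upload does not need it for a public repository; it is harmless but undocumented here.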