From 158e9d28e950e990823b615419f9b080bd2b6d9d Mon Sep 17 00:00:00 2001
From: Stephen Rosen
Date: Tue, 16 Jun 2026 15:30:27 -0500
Subject: [PATCH] Enable zizmor linting on pushes and PRs

This is a new workflow which has a single job, calling the zizmor reusable workflow. It publishes findings as SARIF data to GitHub security findings APIs. The workflow will not fail on pull requests or pushes, but will flag new and existing usages which fail zizmor checking.
---
 .github/workflows/zizmor.yaml | 12 ++++++++++++
 changelog.d/20260616_152921_sirosen_add_zizmor.rst | 5 +++++
 2 files changed, 17 insertions(+)
 create mode 100644 .github/workflows/zizmor.yaml
 create mode 100644 changelog.d/20260616_152921_sirosen_add_zizmor.rst

diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 000000000..69aef6465
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,12 @@
+name: zizmor
+
+on:
+ pull_request:
+ push:
+
+jobs:
+ zizmor:
+ permissions:
+ security-events: write
+
+ uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@465600191822382e76d26abf77772f21262ecdb6 # main
diff --git a/changelog.d/20260616_152921_sirosen_add_zizmor.rst b/changelog.d/20260616_152921_sirosen_add_zizmor.rst
new file mode 100644
index 000000000..99fe9796b
--- /dev/null
+++ b/changelog.d/20260616_152921_sirosen_add_zizmor.rst
@@ -0,0 +1,5 @@
+Security
+--------
+
+- GitHub Actions security is now checked with `zizmor `_
+ (:pr:`NUMBER`)
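Review bot: The `pull_request` trigger together with `security-events: write` will not do what the description promises for pull requests opened from forks: GITHUB_TOKEN on a fork PR is read-only regardless of the job's `permissions` block, so if this repository accepts fork contributions the reusable workflow's SARIF upload is likely to fail on those runs and the check will read as broken rather than merely flagging findings. Same-repository branches will also run the job twice per commit, once for `push` and once for `pull_request`; limiting the push trigger to the default branch, e.g. `push:` / `  branches: [main]`, removes the duplicate run while keeping the PR run as the one that annotates the change. The reusable workflow's documentation (not visible here) may also expect `contents: read` and `actions: read` alongside `security-events: write` for the upload step, so it is worth confirming the required permission set before relying on the findings appearing in the security tab. Pinning the reusable workflow to a full commit SHA with a `# main` comment is the right call and should be kept when the pin is updated.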