From 7c0b93f2d5c41f8021d757057a6c51b38a024ebc Mon Sep 17 00:00:00 2001
From: Vitaliy
Date: Wed, 2 Jul 2025 11:20:47 -0400
Subject: [PATCH] Run zizmor for static analysis of .github/workflows/ See https://github.com/zizmorcore/zizmor
---
.github/workflows/ci-gha-workflows.yaml | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 .github/workflows/ci-gha-workflows.yaml
diff --git a/.github/workflows/ci-gha-workflows.yaml b/.github/workflows/ci-gha-workflows.yaml
new file mode 100644
index 0000000000..53b0b68021
--- /dev/null
+++ b/.github/workflows/ci-gha-workflows.yaml
@@ -0,0 +1,23 @@
+name: GitHub Actions - Security Analysis
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ paths:
+ - ".github/workflows/*"
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
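Review bot: `actions/checkout@v4` in the `zizmor` job is referenced by a mutable tag, while the zizmor action two steps later is pinned to a full commit SHA. A workflow that audits workflow hygiene should hold both steps to the same standard. Pin it the same way, `- uses: actions/checkout@<full-commit-sha> # v4` (placeholder; take the SHA from the upstream release you intend to trust), so a moved tag cannot change what runs in a job holding `security-events: write`. Separately, the top-level `permissions: {}` leaves the job with only `security-events: write`; if this repository is private, the checkout step would presumably also need `contents: read`, which is worth confirming before merge. The `pull_request` path filter covers only `.github/workflows/*`, so changes to any composite actions kept elsewhere in the repository would not trigger the scan on PRs.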