EMT PTL and UBUNTU PTL RC2 #991

	# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
	# SPDX-License-Identifier: MIT
	---
	name: Security zizmor 🌈

	on:
	push:
	branches:
	- main
	pull_request:
	branches:
	- main

	permissions: {}

	jobs:
	run-zizmor-scan:
	name: Run Zizmor scan
	runs-on: ubuntu-latest
	permissions:
	contents: read
	env:
	ZIZMOR_VERSION: 1.5.2
	steps:
	- name: Checkout repository
	uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
	with:
	persist-credentials: false

	- name: Install the latest version of uv
	uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0

	- name: Install jq
	run: sudo apt-get update && sudo apt-get install -y jq

	- name: Run zizmor 🌈
	run: uvx zizmor=="$ZIZMOR_VERSION" "$GITHUB_WORKSPACE" --format sarif > zizmor_scan_report.sarif

	- name: Parse SARIF results
	run: \|
	# Check if SARIF file has any results
	RESULT_COUNT=$(jq '[.runs[].results] \| add \| length' zizmor_scan_report.sarif)
	echo "Total security issues found: $RESULT_COUNT"

	if [ "$RESULT_COUNT" -eq 0 ]; then
	echo "✅ No security issues found in GitHub Actions workflows"
	else
	echo "⚠️ Found $RESULT_COUNT security issue(s) in GitHub Actions workflows"
	echo "Details:"
	jq -r '.runs[].results[] \|
	"📄 File: " + (.locations[0].physicalLocation.artifactLocation.uri // "unknown") +
	"\n🔍 Rule: " + .ruleId +
	"\n📝 Issue: " + .message.text +
	"\n" + (if .locations[0].physicalLocation.region.startLine then "📍 Line: " + (.locations[0].physicalLocation.region.startLine \| tostring) else "" end) +
	"\n---"' zizmor_scan_report.sarif
	exit 1
	fi

Provide feedback