Merge pull request #359 from python-jsonschema/dependabot/github_acti… #168

	name: GitHub Actions Security Analysis with zizmor 🌈

	on:
	push:
	branches: ["main"]
	pull_request:
	branches: ["**"]

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	permissions: {}

	jobs:
	zizmor:
	name: Run zizmor
	runs-on: ubuntu-latest
	permissions:
	security-events: write # for uploading SARIF results

	steps:
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
	with:
	persist-credentials: false

	- name: Install uv
	uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b

	- name: Run zizmor 🌈
	run: uvx zizmor --pedantic --format=sarif .github > results.sarif

	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Upload SARIF file
	uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
	with:
	sarif_file: results.sarif
	category: zizmor

Provide feedback