CI: Add zizmor job

Author: Turbo87

.github/workflows/ci.yml

@@ -24,6 +24,8 @@ env:
   PNPM_VERSION: 10.11.0
   # renovate: datasource=docker depName=postgres
   POSTGRES_VERSION: 16
+  # renovate: datasource=pypi depName=zizmor
+  ZIZMOR_VERSION: 1.7.0
 
 jobs:
   changed-files:
@@ -71,10 +73,16 @@ jobs:
         with:
           files: Cargo.lock
 
+      - uses: tj-actions/changed-files@6cb76d07bee4c9772c6882c06c37837bf82a04d3 # v46.0.4
+        id: changed-files-ci
+        with:
+          files: .github/workflows/**
+
     outputs:
       non-js: ${{ steps.changed-files-non-js.outputs.any_modified }}
       non-rust: ${{ steps.changed-files-non-rust.outputs.any_modified }}
       rust-lockfile: ${{ steps.changed-files-rust-lockfile.outputs.any_modified }}
+      ci: ${{ steps.changed-files-ci.outputs.any_modified }}
 
   percy-nonce:
     name: Frontend / Percy Nonce
@@ -302,3 +310,25 @@ jobs:
           name: playwright-report
           path: playwright-report/
           retention-days: 14
+
+  zizmor:
+    name: CI / Lint
+    runs-on: ubuntu-24.04
+    needs: changed-files
+    if: needs.changed-files.outputs.ci == 'true'
+    permissions:
+      security-events: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
+      - run: uvx zizmor@${ZIZMOR_VERSION} --format=sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        with:
+          sarif_file: results.sarif
+          category: zizmor