Consider `zizmor` for static analysis of GitHub Actions

[2bndy5]

I just came across a project named zizmor.

The latest pypa/gh-action-pypi-publish release (v1.13.0) recommends it, and I'm inclined to consider it in this project.

[shenxianpeng]

Hmm, it looks interesting to try

[2bndy5]

I tried on the cpp-linter (python) repo. Most of the violations were about inheriting default permissions. Where the solution was simply:

on:
  # ...

permissions: {}

jobs:
  # ...

This of course forces one to explicitly enable certain permission where needed:

permissions: {}

jobs:
  codeql:
    permissions:
      actions: read
      security-events: write
      contents: read
    uses: cpp-linter/.github/.github/workflows/codeql.yml@main
    with:
      language: python

[2bndy5]

It looks like zizmor is now being used to explain security violations in GH Actions. See https://github.com/nRF24/CircuitPython_nRF24L01/security/dependabot/1 (in another project of mine)