From 56d12da97e3e46f895b7d21aa9ff8713f7f12acc Mon Sep 17 00:00:00 2001
From: Carlo Cabrera <30379873+carlocab@users.noreply.github.com>
Date: Wed, 30 Oct 2024 00:50:31 +0800
Subject: [PATCH] workflows/actionlint: run `zizmor`

This seems like it would be useful.
---
 .github/workflows/actionlint.yml | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
index f91e59724b25..6958bb116be6 100644
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -26,7 +26,7 @@ env:
 jobs:
   workflow_syntax:
     if: github.repository_owner == 'Homebrew'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     container:
       image: ghcr.io/homebrew/ubuntu22.04:master
     steps:
@@ -57,3 +57,31 @@ jobs:
           echo "::add-matcher::$HOME/actionlint-matcher.json"
       - run: actionlint
+
+  zizmor:
+    if: github.repository_owner == 'Homebrew'
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/homebrew/ubuntu22.04:master
+    steps:
+      - name: Set up Homebrew
+        id: setup-homebrew
+        uses: Homebrew/actions/setup-homebrew@master
+        with:
+          core: true
+          cask: false
+          test-bot: false
+
+      - name: Install zizmor
+        run: brew install zizmor
+
+      - name: Run zizmor
+        run: zizmor --format sarif "${HOMEBREW_TAP_REPOSITORY}" | tee results.sarif
+        env:
+          HOMEBREW_TAP_REPOSITORY: ${{ steps.setup-homebrew.outputs.repository-path }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
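Review bot: The new `zizmor` job in the second hunk uploads results with `github/codeql-action/upload-sarif@v3` but declares no job-level `permissions`; that action needs `security-events: write`, so unless the workflow-level `permissions` block (outside this patch) already grants it, the upload step will be rejected with a 403 — add `permissions:` / `contents: read` / `security-events: write` under the job so the grant is explicit and scoped to this job only. The upload step also only runs when the preceding `Run zizmor` step succeeds; if zizmor exits non-zero when it reports findings (and the `tee` pipeline propagates that, e.g. under a `pipefail` shell set outside the hunk), the SARIF would never reach code scanning, so consider `if: ${{ !cancelled() }}` on the upload step. Both `uses:` references are mutable refs rather than commit SHAs; zizmor's own `unpinned-uses` audit may flag `upload-sarif@v3` in this very workflow, so pinning it to a SHA would keep the workflow clean under the tool it introduces.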