From 0c0823c11c84247abefbae4b9d5df7f3734b89b0 Mon Sep 17 00:00:00 2001
From: malmans2
Date: Fri, 15 May 2026 10:48:24 +0200
Subject: [PATCH 1/3] add zizmor action

---
.github/zizmor.yml | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 .github/zizmor.yml

diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..aa8259d
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
From 006527decb70eefef2069bb16ea6ff03d207dd8d Mon Sep 17 00:00:00 2001
From: malmans2
Date: Fri, 15 May 2026 10:52:12 +0200
Subject: [PATCH 2/3] mv to workflows

---
.github/{ => workflows}/zizmor.yml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename .github/{ => workflows}/zizmor.yml (100%)

diff --git a/.github/zizmor.yml b/.github/workflows/zizmor.yml
similarity index 100%
rename from .github/zizmor.yml
rename to .github/workflows/zizmor.yml
From ab5c32c084ffcb58f57e4b8715f26737026a4d61 Mon Sep 17 00:00:00 2001
From: malmans2
Date: Fri, 15 May 2026 11:16:52 +0200
Subject: [PATCH 3/3] fix some zizmor findings

---
git-clone/action.yml | 2 +-
setup-deploy/action.yml | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/git-clone/action.yml b/git-clone/action.yml
index 2b8b742..338fb25 100644
--- a/git-clone/action.yml
+++ b/git-clone/action.yml
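Review bot: The job-level `permissions` block grants only `security-events: write`, so together with the top-level `permissions: {}` the job token carries no `contents` or `actions` scope; that is sufficient for a public repository, but if this repository is private the `actions/checkout` step and the SARIF upload done by zizmor-action will also need `contents: read` and `actions: read`. A comment next to the block recording that assumption, e.g. `# contents/actions read not granted: public repository`, would make the choice reviewable rather than implicit. Both `uses:` lines are SHA-pinned with tag comments and checkout runs with `persist-credentials: false`, which is the right shape for a workflow whose purpose is to audit the other workflows.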
@@ -12,7 +12,7 @@ runs: using: "composite" steps: - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 - name: Run cloning script shell: bash env: diff --git a/setup-deploy/action.yml b/setup-deploy/action.yml index accdf65..d8dbfda 100644 --- a/setup-deploy/action.yml +++ b/setup-deploy/action.yml @@ -19,16 +19,19 @@ runs: using: "composite" steps: - name: Clone ${{ inputs.repo }} repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: token: ${{ inputs.git-pat }} path: ${{ inputs.repo }} + persist-credentials: false - name: Load environment variables from ${{ inputs.deps-version-file }} file shell: bash run: | # grep -v '^#' ignores comment lines # grep -v '^$' ignores empty lines - grep -v '^#' ${{ inputs.deps-version-file }} | grep -v '^$' >> $GITHUB_ENV + grep -v '^#' ${INPUTS_DEPS_VERSION_FILE} | grep -v '^$' >> $GITHUB_ENV + env: + INPUTS_DEPS_VERSION_FILE: ${{ inputs.deps-version-file }} - name: Clone edh-catalogue-api and edh-catalogue-manager repositories uses: bopen/ci-cd/git-clone@main with:
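Review bot: The pin comment on the `setup-uv` step names the floating major tag (`# v5`) rather than the release the SHA `d4b2f3b6…` was taken from, so a reader cannot check the hash against a specific tag without resolving it, and version-bump tooling that reads the comment sees only a major version. Record the exact tag instead, e.g. `uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v<exact-release-tag>` (placeholder — take it from the release the hash belongs to). The same applies to the `actions/checkout@… # v4` pin added in setup-deploy/action.yml. The `Run cloning script` step continues past the end of the hunk.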
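Review bot: In the rewritten `run:` line the new `${INPUTS_DEPS_VERSION_FILE}` expansion is unquoted, so a path containing whitespace or glob characters is still subject to word splitting and globbing; quote both expansions: `grep -v '^#' "${INPUTS_DEPS_VERSION_FILE}" | grep -v '^$' >> "$GITHUB_ENV"`. Moving the expression into `env:` removes the template injection, which is the right fix, but every non-comment, non-empty line of the file is still appended to `GITHUB_ENV` unfiltered, and the file comes from the repository checked out in the preceding step; a stricter filter such as `grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "${INPUTS_DEPS_VERSION_FILE}" >> "$GITHUB_ENV"` (which also drops comment and empty lines) would ensure only `KEY=VALUE` lines reach the environment. The last step in the hunk still references `bopen/ci-cd/git-clone@main`, a mutable branch ref; if tracking `main` is intentional for a sibling action in the same repository, a comment saying so would explain why it is not pinned like the checkout step above. The `steps` sequence continues past the end of the hunk.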