From cb44e0fd396817ab7569fec73354425b17f0913d Mon Sep 17 00:00:00 2001
From: malmans2
Date: Fri, 15 May 2026 11:34:40 +0200
Subject: [PATCH] add zizmor action

---
 .github/workflows/zizmor.yml | 24 ++++++++++++++++++++++++
 git-clone/action.yml | 2 +-
 setup-deploy/action.yml | 9 ++++++---
 3 files changed, 31 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..e9dc5a5
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
\ No newline at end of file
diff --git a/git-clone/action.yml b/git-clone/action.yml
index 2b8b742..338fb25 100644
--- a/git-clone/action.yml
+++ b/git-clone/action.yml
@@ -12,7 +12,7 @@ runs:
 using: "composite"
 steps:
 - name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
 - name: Run cloning script
 shell: bash
 env:
diff --git a/setup-deploy/action.yml b/setup-deploy/action.yml
index 7d40d80..05b7d2f 100644
--- a/setup-deploy/action.yml
+++ b/setup-deploy/action.yml
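Review bot: The new workflow file ends without a trailing newline (`\ No newline at end of file` after the zizmor-action step); add a final newline so yamllint's new-line-at-end-of-file check passes and the next edit to the last line does not show up as a two-line diff. The job-level `permissions:` block lists only `security-events: write`, which sets every unlisted scope, including `contents`, to none; that works for a public repository, but if this repository is private the checkout step would also need `contents: read` in that block. SARIF upload to code scanning on a private repository also depends on GitHub Advanced Security being enabled; if it is not, zizmor-action's `advanced-security` input (as far as I recall its interface) can be set to `false` so findings stay in the job log instead of failing the upload.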
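Review bot: The pin comment `# v5` on the setup-uv step names the moving major tag rather than the release the SHA was taken from, while the zizmor workflow added in this same commit records exact versions (`# v6.0.2`, `# v0.5.3`); the setup-deploy hunk has the same `# v4` comment on actions/checkout. Recording the exact tag, e.g. `uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.<minor>.<patch>` with the real release filled in, lets a reader verify the SHA against a published release and lets Dependabot/Renovate keep the comment and the SHA in step. The composite `runs:` block continues outside the hunk.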
@@ -19,18 +19,21 @@ runs:
 using: "composite"
 steps:
 - name: Clone ${{ inputs.repo }} repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 token: ${{ inputs.git-pat }}
 path: ${{ inputs.repo }}
+ persist-credentials: false
 - name: Load environment variables from ${{ inputs.deps-versions-file }} file
 shell: bash
 run: |
 # grep -v '^#' ignores comment lines
 # grep -v '^$' ignores empty lines
- grep -v '^#' ${{ inputs.deps-versions-file }} | grep -v '^$' >> $GITHUB_ENV
+ grep -v '^#' ${INPUTS_DEPS_VERSIONS_FILE} | grep -v '^$' >> $GITHUB_ENV
+ env:
+ INPUTS_DEPS_VERSIONS_FILE: ${{ inputs.deps-versions-file }}
 - name: Clone edh-catalogue-api and edh-catalogue-manager repositories
- uses: bopen/ci-cd/git-clone@main
+ uses: ./git-clone
 with:
 repo-list: ${{ inputs.deps-list }}
 git-pat: ${{ inputs.git-pat }}
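Review bot: The rewritten `run:` line leaves `${INPUTS_DEPS_VERSIONS_FILE}` and `$GITHUB_ENV` unquoted, so a file path containing spaces or glob characters is word-split and glob-expanded before grep sees it; now that the value arrives through `env:` instead of being spliced into the script, quoting costs nothing: `grep -v '^#' "${INPUTS_DEPS_VERSIONS_FILE}" | grep -v '^$' >> "$GITHUB_ENV"`. Moving the input out of the script body into `env:` is the right shape for closing the expression-injection finding, and `persist-credentials: false` next to the explicit `token:` keeps the PAT out of the checkout's persisted git config. Whether `uses: ./git-clone` resolves against this action repository's own checkout (presumably the intent of dropping `@main`) rather than the caller's workspace is not visible from the hunk; worth confirming from a consumer that pins a tag of this repository. The composite `runs:` block starts before this hunk.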