From 4a3522e1f4f6d347da4959f02f4b9a2a21951b09 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Tue, 7 Apr 2026 13:53:23 -0400
Subject: [PATCH] fix: use zizmor-action with digest-pinned Docker images

Replaces pip install with the official zizmorcore/zizmor-action
(SHA-pinned) which uses digest-pinned Docker images. Disables
SARIF upload since this workflow lacks security-events: write.
---
 .github/workflows/audit-gha-workflows.yml | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/audit-gha-workflows.yml b/.github/workflows/audit-gha-workflows.yml
index abd5cf3..726a0d6 100644
--- a/.github/workflows/audit-gha-workflows.yml
+++ b/.github/workflows/audit-gha-workflows.yml
@@ -15,12 +15,8 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - name: Install zizmor
-        run: pip install zizmor==1.23.1
       - name: Run zizmor
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          if [ -d .github ]; then
-            zizmor .github --gh-token "${GITHUB_TOKEN}" --min-severity medium
-          fi
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        with:
+          advanced-security: false
+          min-severity: medium