From ab2b52b85753d2f8902069b0311afd84181b8809 Mon Sep 17 00:00:00 2001 From: Nathan McDougall Date: Tue, 14 Oct 2025 08:43:27 +1300 Subject: [PATCH 1/3] Add `zizmor` GitHub actions config --- .github/workflows/zizmor.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..88761973 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,24 @@ +name: zizmor GitHub Actions Security Analysis + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write # needed to upload results + steps: + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0 From ca73ae88124ab6d297314d6ac2387931b410ed3f Mon Sep 17 00:00:00 2001 From: Nathan McDougall Date: Tue, 14 Oct 2025 08:48:19 +1300 Subject: [PATCH 2/3] Use consistent naming convention for actions with CodeQL config --- .github/workflows/zizmor.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 88761973..cdfac0bc 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -10,7 +10,7 @@ permissions: {} jobs: zizmor: - name: Run zizmor + name: zizmor runs-on: ubuntu-latest permissions: security-events: write # needed to upload results @@ -20,5 +20,5 @@ jobs: with: persist-credentials: false - - name: Run zizmor + - name: Analyze uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0 From 90fe2abac4d59d0190b5031da95603d86d4c62dd Mon Sep 17 00:00:00 2001 
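Review bot: The job-level `permissions:` block in the new `.github/workflows/zizmor.yml` grants only `security-events: write`, which covers the SARIF upload on a public repository, but the code-scanning upload also requires `contents: read` and `actions: read` when the repository is private, so unless this repository is known to be public I would add those two lines under `permissions:` (or a comment recording that they are deliberately omitted because the repo is public). The checkout with `persist-credentials: false` is the right shape for a read-only scan since nothing in the job writes back to the repository; a short inline note such as `persist-credentials: false # scan only; do not leave GITHUB_TOKEN in .git/config` would make that intent explicit next to the existing `security-events` comment. Both `uses:` references are pinned to full commit SHAs with version comments, which is what a zizmor workflow is meant to enforce, so the pins themselves look fine as long as whatever bumps them keeps the trailing version comments in sync. The two follow-up patches in this series only rename the workflow, job and steps and do not alter the permissions or checkout settings.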
From: Nathan McDougall Date: Tue, 14 Oct 2025 09:57:11 +1300 Subject: [PATCH 3/3] Use consistent naming convention for actions with CodeQL config --- .github/workflows/zizmor.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index cdfac0bc..f11edf34 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -1,4 +1,4 @@ -name: zizmor GitHub Actions Security Analysis +name: zizmor on: push: @@ -10,7 +10,7 @@ permissions: {} jobs: zizmor: - name: zizmor + name: Analyze runs-on: ubuntu-latest permissions: security-events: write # needed to upload results @@ -20,5 +20,5 @@ jobs: with: persist-credentials: false - - name: Analyze + - name: Run zizmor uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0