
ci: Add zizimor as workflow to get GH-native alerts #930

Merged
MaxymVlasov merged 2 commits into master from add_zizimor_as_gha
Sep 2, 2025

Conversation

@MaxymVlasov (Collaborator) commented Sep 1, 2025

Description of your changes

Another bit of security improvement.
Addressing #818 (comment)

Workflow body: https://github.com/zizmorcore/workflow/blob/main/.github/workflows/reusable-zizmor.yml

Copilot AI review requested due to automatic review settings September 1, 2025 16:34
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@coderabbitai bot commented Sep 1, 2025

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Added an automated CI job to lint GitHub Actions workflows, validating workflow definitions on every run.
    • Enhances pipeline reliability and security by catching configuration issues early and reporting findings.
    • Uses a pinned reusable workflow for consistent, auditable results.
    • No changes to existing jobs or application behavior; this introduces an additional quality gate in CI.

Walkthrough

Adds a new GitHub Actions job lint-github-actions to .github/workflows/ci-cd.yml, invoking a reusable workflow pinned to a specific commit, with security-events: write permissions and an inline yamllint line-length disable. No existing jobs modified or removed.

Changes

| Cohort / File(s) | Summary of Changes |
| --- | --- |
| CI workflow: .github/workflows/ci-cd.yml | Added job `lint-github-actions` using `zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@3bb5e95068d0f44b6d2f3f7e91379bed1d2f96a8`; set `permissions: { security-events: write }`; included `# yamllint disable-line rule:line-length`. No other job changes. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub
  participant WF as CI Workflow (ci-cd.yml)
  participant Lint as Job: lint-github-actions
  participant Reuse as Reusable Workflow (zizmor)
  participant Sec as Security Events

  Dev->>GH: Push/PR event
  GH->>WF: Trigger workflow
  WF->>Lint: Start job
  Lint->>Reuse: Invoke reusable workflow (pinned commit)
  Reuse->>Reuse: Lint GitHub Actions definitions
  alt Findings reported
    Reuse-->>Sec: Write security events (permission: write)
  end
  Reuse-->>Lint: Job status
  Lint-->>WF: Result
  WF-->>GH: CI status update

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • antonbabenko
  • yermulnik

Copilot AI (Contributor) left a comment

Pull Request Overview

Adds a security-focused workflow to lint GitHub Actions using the zizmorcore/workflow reusable workflow, which integrates with GitHub's native security alerts system.

  • Introduces a new lint-github-actions job with security-events write permissions
  • Uses a pinned commit hash for the external reusable workflow
  • Includes a yamllint disable comment for the long workflow reference line

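The caller job that the walkthrough and the Copilot overview describe, reconstructed here as an added illustration rather than the PR's actual diff. It grants only the permission the page names, pins the reusable workflow to the commit SHA quoted in the walkthrough, and shows a floating `@main` reference for contrast; that floating form is an assumption for comparison, not something the PR uses.

```yaml
# Reconstructed illustration, not the PR's diff: the caller side of the zizmor
# reusable workflow as described in this PR.
jobs:
  lint-github-actions:
    permissions:
      # The walkthrough names only this permission; it lets the reusable workflow
      # publish zizmor findings as code scanning alerts in the repository's
      # Security tab. Everything not listed here is implicitly "none".
      security-events: write
    # Weak form (assumed, shown only for contrast): a branch ref resolves to
    # whatever the upstream repository's main branch points at on each run, so
    # the linter executing with write access to this repository's security
    # events could change without any change in this repository.
    #   uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@main
    #
    # Pinned form, as in the PR: a full commit SHA that only changes when this
    # file does, which is what makes the run auditable. The reference exceeds
    # yamllint's line-length limit, so the rule is disabled for that line only.
    # yamllint disable-line rule:line-length
    uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@3bb5e95068d0f44b6d2f3f7e91379bed1d2f96a8  # long SHA pin
```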

@coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/ci-cd.yml (2)

509-515: Decide whether this job should gate the branch-protection “check”.

Right now, the “check” aggregator doesn’t include this job in needs, so failures won’t block merges. If intentional, ignore. If not, add it to needs and allowed-skips.

   check:  # This job does nothing and is only used for the branch protection
@@
-    needs:
-    - lint
-    - tests
+    needs:
+    - lint
+    - tests
+    - lint-github-actions
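Review bot: adding lint-github-actions to needs is only half of the change described in the comment above; this hunk leaves the allowed-skips literal at `'lint, tests'`, so until the second hunk lands alongside it a run in which lint-github-actions is skipped is handled differently from a skipped lint or tests job. Land both edits in one commit, and state in a comment next to needs whether a failing zizmor run is meant to block the merge, because surfacing findings as code scanning alerts through security-events: write and gating the branch on the job's status are separate decisions.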
@@
-            && 'lint, tests'
+            && 'lint, tests, lint-github-actions'
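Review bot: the `'lint, tests, lint-github-actions'` literal is a second, hand-maintained copy of the needs list, and the `if` expression it feeds is outside the hunk, so a reader cannot confirm from the diff that the separator and ordering match what that expression parses. Add a comment pointing at the needs list above (or derive the allowed-skips list from one place) so the two cannot drift the next time a job is added to the aggregator.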

514-514: Yamllint disable is fine here.

uses: must be single-line; disabling line-length locally is the right call. Consider adding a brief comment “long SHA pin” for future readers.


📥 Commits

Reviewing files that changed from the base of the PR and between 2e591ea and 539cb3a.

📒 Files selected for processing (1)
  • .github/workflows/ci-cd.yml (1 hunks)

@MaxymVlasov MaxymVlasov enabled auto-merge (squash) September 2, 2025 12:15
@MaxymVlasov MaxymVlasov merged commit 199343e into master Sep 2, 2025
46 checks passed
@MaxymVlasov MaxymVlasov deleted the add_zizimor_as_gha branch September 2, 2025 12:18
@antonbabenko (Owner)

This PR is included in version 1.100.1 🎉
