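---
# Scans this repository's GitHub Actions workflows with zizmor and uploads the
# findings as SARIF to code scanning. A cheap first job short-circuits the scan
# when the triggering change is a duplicate of an already-scanned commit.
name: Zizmor Actions Scanner

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
    paths:
      - '.github/workflows/**'
  pull_request:
    branches:
      - main
    paths:
      - '.github/workflows/**'

# Workflow-wide default: read-only. Each job that needs more declares it
# explicitly below; a job-level `permissions` block resets every scope it does
# not list to `none`.
permissions:
  contents: read

jobs:
  detect-noop:
    permissions:
      actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
      contents: read # for fkirc/skip-duplicate-actions to read and compare commits
    runs-on: ubuntu-latest
    outputs:
      # Consumed by the `zizmor` job's `if:` below.
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          # `audit` only records outbound connections; it does not block any.
          # Switch to `block` with an allowed-endpoints list once the set of
          # hosts this job legitimately reaches is known from the audit logs.
          egress-policy: audit
      - name: Detect No-op Changes
        id: noop
        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # Changes touching only these files never justify a re-scan.
          paths_ignore: '["**.md", "**.png", "**.jpg"]'
          # Pushes and manual/scheduled runs are always scanned in full.
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
          concurrent_skipping: false

  zizmor:
    name: Run zizmor 🌈
    runs-on: ubuntu-latest
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    permissions:
      security-events: write # SARIF upload to code scanning
      contents: read # for actions/checkout; without it this job's permissions
                     # block leaves `contents` at `none`, which only works on
                     # public repositories. Private/internal repositories may
                     # additionally need `actions: read` for the SARIF upload.
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the token in the checkout's git config for later steps.
          persist-credentials: false
      - name: Run zizmor 🌈
        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
        with:
          # Scan every workflow and composite action under .github/.
          inputs: |
            .github/
          token: ${{ github.token }}
          # Uncomment to report only medium-or-higher findings.
          # min-severity: medium
          # min-confidence: medium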