helm-external-secrets/.github/workflows/zizmor.yml

name: Zizmor Actions Scanner

on:
  push:
    branches:
      - main
    paths:
      - '.github/workflows/**'
  pull_request:
    branches:
      - main
    paths:
      - '.github/workflows/**'

permissions:
  contents: read

jobs:
  detect-noop:
    permissions:
      actions: write  # for fkirc/skip-duplicate-actions to skip or stop workflow runs
      contents: read  # for fkirc/skip-duplicate-actions to read and compare commits
    runs-on: ubuntu-latest
    outputs:
      noop: ${{ steps.noop.outputs.should_skip }}
    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit
      - name: Detect No-op Changes
        id: noop
        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          paths_ignore: '["**.md", "**.png", "**.jpg"]'
          do_not_skip: '["workflow_dispatch", "schedule", "push"]'
          concurrent_skipping: false

  zizmor:
    name: Run zizmor 🌈
    runs-on: ubuntu-latest
    needs: detect-noop
    if: needs.detect-noop.outputs.noop != 'true'
    permissions:
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Run zizmor 🌈
        uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1
        with:
          inputs: |
            .github/
          token: ${{ github.token }}
          # min-severity: medium
          # min-confidence: medium