add zizmor scanning to workflows

Author: bckohan

.github/workflows/zizmor.yml

@@ -0,0 +1,51 @@
+name: Zizmor
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    # Run weekly
+    - cron: '0 0 * * 0'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor-analysis:
+    name: Run Zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+
+      - name: Install Zizmor
+        run: |
+          cargo install zizmor
+
+      - name: Run Zizmor analysis
+        run: |
+          zizmor --format sarif .github/workflows/ > results.sarif
+
+      - name: Upload analysis results
+        uses: actions/upload-artifact@v4
+        with:
+          name: zizmor-results
+          path: results.sarif
+          retention-days: 7
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

SECURITY.md

@@ -1,6 +1,7 @@
 # Security Policy
 
 [![CodeQL](https://github.com/bckohan/django-enum/actions/workflows/github-code-scanning/codeql/badge.svg?branch=main)](https://github.com/bckohan/django-enum/actions/workflows/github-code-scanning/codeql?query=branch:main)
+[![Zizmor](https://github.com/bckohan/django-enum/actions/workflows/zizmor.yml/badge.svg?branch=main)](https://woodruffw.github.io/zizmor)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/bckohan/django-enum/badge)](https://securityscorecards.dev/viewer/?uri=github.com/bckohan/django-enum)
 
 ## Supported Versions