
feat(ci): add zizmor #8728

Open
avivkeller wants to merge 2 commits into main from zizmor

Conversation

@avivkeller
Member

Signed-off-by: Aviv Keller <me@aviv.sh>
@avivkeller avivkeller requested a review from a team as a code owner March 16, 2026 21:59
Copilot AI review requested due to automatic review settings March 16, 2026 21:59
@vercel

vercel bot commented Mar 16, 2026


Project     Deployment  Actions  Updated (UTC)
nodejs-org  Ready       Preview  Mar 17, 2026 0:10am


@github-actions
Contributor

👋 Codeowner Review Request

The following codeowners have been identified for the changed files:

Team reviewers: @nodejs/web-infra

Please review the changes when you have a chance. Thank you! 🙏

Contributor

Copilot AI left a comment


Pull request overview

Adds a dedicated GitHub Actions workflow to run zizmor for security analysis of this repository’s GitHub Actions configuration, aligning with the referenced web-team security initiative.

Changes:

  • Introduces a new workflow that runs on push and pull_request to main.
  • Uses pinned SHAs for actions/checkout and zizmorcore/zizmor-action.

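An added example, not the PR's own workflow file and not code from zizmor: a constructed workflow in the style the summary above describes (push and pull_request on main, every action pinned to a full commit SHA) together with a small standard-library Python check that reports `uses:` references that are not pinned to a 40-character commit SHA, which is the class of finding zizmor raises against floating tags. The SHAs are placeholders, the `permissions` block and the `setup-node` step are assumptions added for illustration, and the check deliberately skips local (`./`) and `docker://` references, which have no tag to pin.

```python
import re

# Constructed sample workflow (assumption: shaped like the one this PR adds, not a copy of it).
# The 40-character SHAs are placeholders, not real commits; a real workflow pins each action
# to the commit its tag resolves to and records the tag in the trailing comment.
SAMPLE_WORKFLOW = """\
name: zizmor
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions: {}
jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          persist-credentials: false
      - uses: zizmorcore/zizmor-action@1111111111111111111111111111111111111111 # vX.Y.Z (placeholder)
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-thing
"""

# Matches "uses: <ref>" at any indentation, with or without a leading list dash,
# stopping at whitespace or a trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full git commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(workflow_text):
    """Return (line_number, ref) for every remote action not pinned to a full commit SHA.

    A ref with no '@' at all floats on the action's default branch and is reported too.
    Local actions ('./path') and container images ('docker://...') are skipped because
    they carry no tag or SHA in the 'uses:' value.
    """
    unpinned = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append((lineno, ref))
    return unpinned


if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: '{ref}' is not pinned to a full commit SHA")
```

Run as a script it prints the one floating reference in the sample (`actions/setup-node@v4`); the two placeholder-pinned actions and the local action produce no finding. Pinning to a SHA is what makes the `uses:` line immune to a tag being moved upstream, which is why the PR's use of pinned SHAs for `actions/checkout` and `zizmorcore/zizmor-action` is the part of the workflow worth keeping as a hard rule.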

@github-actions
Contributor

github-actions bot commented Mar 16, 2026

📦 Build Size Comparison

Summary

Metric          Value
Old Total Size  3.51 MB
New Total Size  3.51 MB
Delta           0 B (0.00%)

Changes

➕ Added Assets (1)
Name                                     Size
.next/static/chunks/f00cedf873194794.js  208.66 KB

➖ Removed Assets (1)
Name                                     Size
.next/static/chunks/e684faf1add96583.js  208.66 KB

Member

@flakey5 flakey5 left a comment


@MattIPv4
Member

🤔 I don't see this having run on this PR? I would imagine there will be a lot of changes to other workflows required before Zizmor can pass?

@@ -0,0 +1,25 @@
name: GitHub Actions Security Analysis with zizmor 🌈
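Review bot: the `name:` on this first line is the label shown in the Actions tab and the prefix of the check name, so a long title with an emoji is awkward to match in a branch ruleset's required status checks, which the thread says may be wanted; a short ASCII name such as `zizmor` would be easier to reference and read.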
Member


This seems like an excessively long title to show up in our PR checks?

@avivkeller
Member Author

🤔 I don't see this having run on this PR? I would imagine there will be a lot of changes to other workflows required before Zizmor can pass?

I copied this workflow from Zizmor's documentation, I can, of course, remove that trigger.

I'm not sure if it will fail PRs, or just report them as having security concerns.

Perhaps I should push another commit with the fixes to the issues it would find?

@MattIPv4
Member

MattIPv4 commented Mar 16, 2026

We're also going to want a branch ruleset change I imagine to block PRs where we have Zizmor failings if we're using the advanced security mode?

@MattIPv4
Member

I'm not sure if it will fail PRs, or just report them as having security concerns.

It will just report them unless we add a new rule. But, I don't see it running at all? It would show up as a passing Actions check still as it is being run on the PR trigger?

@avivkeller
Member Author

I'm not sure if it will fail PRs, or just report them as having security concerns.

It will just report them unless we add a new rule. But, I don't see it running at all? It would show up as a passing Actions check still as it is being run on the PR trigger?

It won't run on this PR, since it's the one that added it (GitHub is weird that way)

@codecov

codecov bot commented Mar 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.07%. Comparing base (783305e) to head (5177592).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8728      +/-   ##
==========================================
- Coverage   75.12%   75.07%   -0.06%     
==========================================
  Files         104      104              
  Lines        9167     9167              
  Branches      315      316       +1     
==========================================
- Hits         6887     6882       -5     
- Misses       2278     2283       +5     
  Partials        2        2              

☔ View full report in Codecov by Sentry.


4 participants