name: zizmor

# Runs on every pull request so the "Require code scanning results" ruleset
# rule always finds a SARIF for the zizmor tool. The real scan only happens
# on pushes to main and on PRs that touched workflow/action files; any other
# PR uploads an empty SARIF instead, so code-only or locale-only changes are
# not held up by a check that would otherwise never report.

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Default token permissions are empty; the job grants exactly what it needs.
permissions: {}

jobs:
  zizmor:
    name: Run zizmor
    runs-on: ubuntu-latest
    permissions:
      # Both the zizmor action and upload-sarif write into code scanning.
      # NOTE(review): for pull requests opened from forks GITHUB_TOKEN is
      # read-only regardless of this grant, so the SARIF uploads cannot
      # write there -- confirm that matches how the ruleset should treat
      # fork PRs.
      security-events: write
      contents: read
      actions: read
      # dorny/paths-filter lists changed files through the PRs API on
      # pull_request events.
      pull-requests: read
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
        with:
          # Do not leave the token behind in .git/config for later steps.
          persist-credentials: false

      # PR-only: did anything zizmor cares about change? This filter is the
      # sole gate for the real scan on PRs, so it has to stay aligned with
      # the paths zizmor actually collects.
      # NOTE(review): action definitions outside .github/actions, if the
      # repository has any, are not matched here -- confirm that is intended.
      - name: Detect workflow changes
        if: github.event_name == 'pull_request'
        id: changes
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d  # v4.0.1
        with:
          filters: |
            workflows:
              - '.github/workflows/**'
              - '.github/actions/**'
              - '.github/zizmor.yml'

      # Fold the event type and the filter result into one output. On push
      # the filter step was skipped, so CHANGED is empty and the event check
      # alone selects the real scan. Both inputs arrive via env instead of
      # being interpolated into the script text.
      - name: Decide whether to analyze
        id: decide
        env:
          EVENT_NAME: ${{ github.event_name }}
          CHANGED: ${{ steps.changes.outputs.workflows }}
        run: |
          if [ "$EVENT_NAME" != "pull_request" ] || [ "$CHANGED" = "true" ]; then
            echo "analyze=true" >> "$GITHUB_OUTPUT"
          else
            echo "analyze=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Run zizmor
        if: steps.decide.outputs.analyze == 'true'
        uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa  # v0.5.7
        with:
          # The action defaults to `latest`; pinning keeps a new zizmor
          # release (and whatever new findings it adds) from failing
          # unrelated PRs until the bump is made deliberately. Quoted so
          # YAML keeps it a string rather than a float.
          version: "1.26.1"

      # Skipped-scan path: a minimal SARIF 2.1.0 document naming the zizmor
      # driver with no rules and no results, so the ruleset still sees an
      # upload for this tool. The automationDetails id mirrors the category
      # handed to upload-sarif below.
      # NOTE(review): assumes the zizmor action uploads under the same tool
      # name/category, so both paths look like one tool to the ruleset --
      # confirm.
      - name: Write empty SARIF
        if: steps.decide.outputs.analyze != 'true'
        run: |
          cat > zizmor.sarif <<'EOF'
          {
            "version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [
              {
                "tool": {
                  "driver": {
                    "name": "zizmor",
                    "semanticVersion": "0.0.0",
                    "rules": []
                  }
                },
                "results": [],
                "automationDetails": {
                  "id": "zizmor/"
                }
              }
            ]
          }
          EOF

      - name: Upload empty SARIF
        if: steps.decide.outputs.analyze != 'true'
        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e  # v4.36.2
        with:
          sarif_file: zizmor.sarif
          category: zizmor
