From 252a4d3c69e118d685ce55c666af4db059dbd4de Mon Sep 17 00:00:00 2001
From: RodrigoSobral2000 <rodrigosobral@sapo.pt>
Date: Wed, 22 Apr 2026 12:03:51 +0200
Subject: [PATCH] ci: Implement security analysis job for both workflows before
 running their actions.

Using `zyzmor`, all low level warnings will be tracked in order to keep track of the security status of each workflow.
---
 .github/workflows/security-analysis.yml | 36 +++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/security-analysis.yml

diff --git a/.github/workflows/security-analysis.yml b/.github/workflows/security-analysis.yml
new file mode 100644
index 0000000..70c925c
--- /dev/null
+++ b/.github/workflows/security-analysis.yml
@@ -0,0 +1,36 @@
+name: Security Analysis (zizmor)
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+permissions:
+  contents: read # Required to read the code for analysis
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  security-analysis:
+    name: Run Zizmor Security Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required to create security events from the analysis results
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+      - name: Run zizmor security analysis
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          inputs: .github/workflows/*.yml # Don't specify just the folder. Otherwise, it won't load the preview in the results
+          token: ${{ secrets.GITHUB_TOKEN }}
+          min-severity: low
+          min-confidence: low
+          persona: auditor
\ No newline at end of file