Adds zizmor sarif (#1214)

Co-authored-by: Ran Benita <ran@unusedvar.com>

Author: kingbuzzman

.github/workflows/main.yml

@@ -25,6 +25,7 @@ jobs:
     timeout-minutes: 15
     permissions:
       contents: read
+      security-events: write
     env:
       TOXENV: ${{ matrix.name }}
     steps:
@@ -57,6 +58,13 @@ jobs:
       - name: Run tox
         run: tox
 
+      - name: Upload zizmor SARIF report into the GitHub repo code scanning
+        if: contains(matrix.name, 'linting')
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: zizmor.sarif
+          category: zizmor
+
       - name: Report coverage
         if: contains(matrix.name, 'coverage')
         uses: codecov/codecov-action@v5

.github/zizmor.yml

@@ -4,3 +4,4 @@ rules:
       policies:
         actions/*: ref-pin
         codecov/codecov-action: ref-pin
+        github/*: ref-pin

.gitignore

@@ -18,3 +18,4 @@ _build
 *.egg
 # autogenerated by setuptools-scm
 /pytest_django/_version.py
+zizmor.sarif

tox.ini

@@ -48,7 +48,7 @@ commands =
     ruff check --diff {posargs:pytest_django pytest_django_test tests}
     ruff format --quiet --diff {posargs:pytest_django pytest_django_test tests}
     mypy {posargs:pytest_django pytest_django_test tests}
-    zizmor --persona=pedantic .github/workflows/deploy.yml .github/workflows/main.yml
+    python -c "import subprocess, sys; sys.exit(subprocess.call('zizmor --persona=pedantic --format sarif .github/workflows/deploy.yml .github/workflows/main.yml > zizmor.sarif', shell=True))"
 
 [testenv:doc8]
 basepython = python3