GHA CI: add checking for GHA workflows

PR #22200.

---------

Co-authored-by: userdocs <16525024+userdocs@users.noreply.github.com>

.github/workflows/ci_file_health.yaml

@@ -12,11 +12,15 @@ jobs:
   ci:
     name: Check
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
-      - name: Install tools
+      - name: Setup python
         uses: actions/setup-python@v5
         with:
           python-version: "*"
@@ -42,3 +46,26 @@ jobs:
           done
           # check diff, ignore "Automatically generated by ..." part
           git diff -I '\.\\".*' --exit-code
+
+      - name: Check GitHub Actions workflow
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pip install zizmor
+          IGNORE_RULEID='(.ruleId != "template-injection")
+            and (.ruleId != "unpinned-uses")'
+          IGNORE_ID='(.id != "template-injection")
+            and (.id != "unpinned-uses")'
+          zizmor \
+            --format sarif \
+            --pedantic \
+            ./ \
+            | jq "(.runs[].results |= map(select($IGNORE_RULEID)))
+              | (.runs[].tool.driver.rules |= map(select($IGNORE_ID)))" \
+            > "${{ runner.temp }}/zizmor_results.sarif"
+
+      - name: Upload zizmor results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: zizmor
+          sarif_file: "${{ runner.temp }}/zizmor_results.sarif"