Revert back to GitHub Actions

.github/workflows/ci_file_health.yaml

@@ -12,11 +12,13 @@ jobs:
   ci:
     name: Check
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Install tools
+      - name: Setup python
         uses: actions/setup-python@v5
         with:
           python-version: "*"
@@ -42,3 +44,26 @@ jobs:
           done
           # check diff, ignore "Automatically generated by ..." part
           git diff -I '\.\\".*' --exit-code
+
+      - name: Check GitHub Actions workflow
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pip install zizmor
+          IGNORE_RULEID='(.ruleId != "template-injection")
+            and (.ruleId != "unpinned-uses")'
+          IGNORE_ID='(.id != "template-injection")
+            and (.id != "unpinned-uses")'
+          zizmor \
+            --format sarif \
+            --pedantic \
+            ./ \
+            | jq "(.runs[].results |= map(select($IGNORE_RULEID)))
+              | (.runs[].tool.driver.rules |= map(select($IGNORE_ID)))" \
+            > "${{ runner.temp }}/zizmor_results.sarif"
+
+      - name: Upload zizmor results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: zizmor
+          sarif_file: "${{ runner.temp }}/zizmor_results.sarif"

.pre-commit-config.yaml

@@ -108,8 +108,3 @@ repos:
       exclude_types:
         - svg
         - ts
-
-  - repo: https://github.com/woodruffw/zizmor-pre-commit
-    rev: v1.0.1
-    hooks:
-    - id: zizmor