From 1dd4e20f25ad30f8c458e445cb75a667989cb41a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= <abombo@microsoft.com>
Date: Thu, 25 Sep 2025 09:45:25 -0500
Subject: [PATCH] gha: Run Zizmor without Advanced Security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This does not change the security of the analysis, this is just to work
around zizmorcore/zizmor-action#43.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
---
 .github/workflows/zizmor.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index e2c5439b2a..d396fa752f 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -1,7 +1,6 @@
 name: GHA security analysis
 
 on:
-  push:
   pull_request:
 
 permissions: {}
@@ -13,9 +12,6 @@ concurrency:
 jobs:
   zizmor:
     runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -24,6 +20,9 @@ jobs:
           persist-credentials: false
 
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
         with:
+          advanced-security: false
+          annotations: true
           persona: auditor
+          version: v1.13.0