From d94085916e624a7aea7749973320e65c0da31cad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?=
Date: Thu, 26 Jun 2025 12:36:41 -0500
Subject: [PATCH] ci: set Zizmor as required test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This adds Zizmor GHA security scanning as a PR gate. Note that this does NOT require that Zizmor returns 0 alerts, but rather that Zizmor's invocation completes successfully (regardless of how many alerts it raises). I will set up the former after this commit is merged (through the GH UI).

Signed-off-by: Aurélien Bombo
---
 tools/testing/gatekeeper/required-tests.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/gatekeeper/required-tests.yaml b/tools/testing/gatekeeper/required-tests.yaml
index 3fc88816f5..f8d508bfff 100644
--- a/tools/testing/gatekeeper/required-tests.yaml
+++ b/tools/testing/gatekeeper/required-tests.yaml
@@ -6,7 +6,7 @@ required_tests:
 - Shellcheck required / shellcheck-required
 # TODO: cargo-deny-runner.yaml not yet treated as conditional
 - Cargo Crates Check Runner / cargo-deny-runner
-
+ - GHA security analysis / zizmor

 required_regexps:
 # Always required regexps
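Review bot: The new `- GHA security analysis / zizmor` entry has no comment saying what it actually enforces, and per the commit description it only requires the zizmor job to complete, not to report zero findings, so a reader of this file could assume workflow-security findings block merges when they do not yet. A comment above the entry, in the style of the TODO on the cargo-deny line, would record that: `# NOTE: gates on the zizmor job completing; findings do not fail the gate yet`. The entry also appears to sit in the unconditionally required list (the list header is outside the hunk), so it is worth confirming that the zizmor workflow runs on every PR rather than only when workflow files change, and that the string matches the workflow and job names exactly. Otherwise the gate would wait on a check that never reports.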