Add checking for GitHub Actions workflows

.github/workflows/ci_file_health.yaml

@@ -12,6 +12,8 @@ jobs:
   ci:
     name: Check
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -23,3 +25,22 @@ jobs:
 
       - name: Check files
         uses: pre-commit/action@v3.0.1
+
+      - name: Check GitHub Actions workflow
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pip install zizmor
+          zizmor \
+            --format sarif \
+            --pedantic \
+            ./ \
+            | jq '(.runs[].results |= map(select(.ruleId != "unpinned-uses")))
+              | (.runs[].tool.driver.rules |= map(select(.id != "unpinned-uses")))' \
+            > "${{ runner.temp }}/zizmor_results.sarif"
+
+      - name: Upload zizmor results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: zizmor
+          sarif_file: "${{ runner.temp }}/zizmor_results.sarif"