✨ Add zizmor to permissions allowlist

.github/workflows/slsa-goreleaser.yml

@@ -7,9 +7,6 @@ on:
 
 permissions: read-all
 
-env:
-  GO_VERSION: 1.24
-
 jobs:
   # Generate ldflags dynamically.
   args:
@@ -34,7 +31,7 @@ jobs:
     needs: args
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] #7f4fdb871876c23e455853d694197440c5a91506
     with:
-      go-version: ${{ env.GO_VERSION }}
+      go-version: '1.24'
       evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
 
   verification:

checks/permissions_test.go

@@ -352,7 +352,7 @@ func TestGithubTokenPermissions(t *testing.T) {
 				Score:         checker.MaxResultScore,
 				NumberOfWarn:  0,
 				NumberOfInfo:  2, // This is constant.
-				NumberOfDebug: 8, // This is 4 + (number of actions)
+				NumberOfDebug: 9, // This is 4 + (number of actions)
 			},
 		},
 		{

checks/raw/permissions.go

@@ -379,6 +379,10 @@ func isAllowedWorkflow(workflow *actionlint.Workflow, fp string, pdata *permissi
 		// Code scanning with HLint uploads a SARIF file to GitHub.
 		// https://github.com/haskell-actions/hlint-scan
 		"haskell-actions/hlint-scan": true,
+
+		// Code scanning with zizmor uploads a SARIF file to GitHub.
+		// https://github.com/zizmorcore/zizmor-action
+		"zizmorcore/zizmor-action": true,
 	}
 
 	tokenPermissions := checker.TokenPermission{

checks/testdata/.github/workflows/github-workflow-permissions-secevent-known-actions.yaml

@@ -46,3 +46,10 @@ jobs:
       security-events: write
     steps:
       - uses: haskell-actions/hlint-scan@v1
+
+  zizmorcore-zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: zizmorcore/[email protected]