From b8ea4448d698158ab144171098ed20ea4620a032 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90=E1=BB=97=20Tr=E1=BB=8Dng=20H=E1=BA=A3i?= <41283691+hainenber@users.noreply.github.com>
Date: Sat, 30 May 2026 10:15:14 +0700
Subject: [PATCH] feat(ci): perform static security analysis for GHA workflows (#40510)

Signed-off-by: hainenber
---
 .github/workflows/github-action-validator.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/github-action-validator.yml b/.github/workflows/github-action-validator.yml
index 4d4a7030683..712911f8c6a 100644
--- a/.github/workflows/github-action-validator.yml
+++ b/.github/workflows/github-action-validator.yml
@@ -6,7 +6,8 @@ on:
       - "master"
       - "[0-9].[0-9]*"
   pull_request:
-    types: [synchronize, opened, reopened, ready_for_review]
+    branches:
+      - "**"
 
 permissions:
   contents: read
@@ -17,10 +18,12 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: '20'
 
@@ -29,3 +32,6 @@ jobs:
 
       - name: Run Script
         run: bash .github/workflows/github-action-validator.sh
+
+      - name: Check for security issues on GHA workflows
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
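Review bot: Replacing `types: [synchronize, opened, reopened, ready_for_review]` with a `branches` filter in the first hunk silently drops `ready_for_review` from the trigger set, because a `pull_request` trigger with no explicit `types` fires only on `opened`, `synchronize` and `reopened`; a draft PR that is later marked ready will no longer re-run this validator, and the commit message does not mention that change. The `- "**"` pattern is also equivalent to having no branch filter at all, so if the goal was just to remove the types list, a bare `pull_request:` (or `pull_request: {}`) states that more plainly and gives zizmor one less thing to reason about. If narrowing the event types is deliberate, a comment such as `# ready_for_review intentionally not listed: open/sync/reopen already cover the cases we care about` would stop the next reader from restoring it. The `on:` mapping starts above this hunk.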
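Review bot: The new zizmor step in the last hunk runs under the workflow-level `permissions: contents: read` shown in the first hunk, and zizmor-action's default (per its documentation, not visible in this hunk — confirm against v0.5.6) is to upload its SARIF to GitHub code scanning, which needs `security-events: write`; as written the audit itself should run but the upload is expected to fail, and on `pull_request` runs from forks that permission is never granted anyway. Either add a job-level `permissions:` block with `contents: read` and `security-events: write`, or turn the upload off and rely on the action's annotations and exit status with `with:` / `advanced-security: false`. It would also help to pin the gate explicitly (`persona:` and `min-severity:`) and to note in a comment which findings are meant to block a PR, since the step otherwise inherits whatever the action's defaults are at that SHA. The `steps` list this hunk appends to starts above the hunk.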