[CI] should we use zizmor in CI to scan jobs for problems?

[thisisnic]

Describe the enhancement

We could use zizmor to scan CI for problems.

Some of the findings on an initial scan were false positives or no-ops when looked at in the context of other mitigations, so we'd need to think about this if we go ahead with it to make sure we're not triggering a ton of unnecessary notifications.

We can disable certain rules if they're annoying though: https://docs.zizmor.sh/configuration/#rulesiddisable

Component(s)

Continuous Integration

[thisisnic]

CC @raulcd

[raulcd]

I've never used zizmor but this sounds like a good idea to me. It seems iceberg-python added a similar job:
https://github.com/apache/iceberg-python/blob/0615eb4d2578838893da1bc3fd10a903ab5c3a41/.github/workflows/zizmor.yml#L20

Maybe that's why they are enforcing some pinning on checkout actions, etcetera 🤔

[thisisnic]

Yeah, I opened the parent ticket here based on the email on the private mailing list and then scanning things myself with zizmor - I think it's a nice tool though a bit of a blunt instrument without configuration.