diff --git a/.github/workflows/self-zizmor.yaml b/.github/workflows/self-zizmor.yaml
index f8bb8488..09dedde8 100644
--- a/.github/workflows/self-zizmor.yaml
+++ b/.github/workflows/self-zizmor.yaml
@@ -45,7 +45,8 @@ jobs:
 - zizmor-check
 if: ${{ needs.zizmor-check.outputs.found-files == 'true' }}
- uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@e6c831d1106c11504502ef164409b2d5479daefe
+ # #326 pilot — shared-workflows feat/zizmor-collection-ignore-326-v2 (PR #1945)
+ uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@a0ded699096e4939468a229648b0268340a90c99
 with:
 runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
 fail-severity: high
diff --git a/.github/zizmor-collection-ignore b/.github/zizmor-collection-ignore
new file mode 100644
index 00000000..014e71cd
--- /dev/null
+++ b/.github/zizmor-collection-ignore
@@ -0,0 +1,2 @@
+# security-appsec#326
+vendor-fixture
diff --git a/vendor-fixture/.github/workflows/should-not-scan.yml b/vendor-fixture/.github/workflows/should-not-scan.yml
new file mode 100644
index 00000000..d17f8ccb
--- /dev/null
+++ b/vendor-fixture/.github/workflows/should-not-scan.yml
@@ -0,0 +1,7 @@
+name: vendor fixture
+on: workflow_dispatch
+jobs:
+ noop:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo ok
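Review bot: The new `uses:` pin in self-zizmor.yaml points at a commit that, going by the comment added above it, lives on the feature branch `feat/zizmor-collection-ignore-326-v2` of PR #1945 rather than on the default branch of grafana/shared-workflows. A full-length SHA is immutable, but a commit reachable only from a PR branch has not passed merge review, can become unreachable if that branch is rebased or deleted, and cannot be told apart by SHA alone from a commit that exists only in a fork, so it is worth confirming the commit belongs to the upstream repository before this merges. The reusable workflow runs with whatever permissions and secrets this job hands it, and those are not visible in the hunk because the job definition starts above it. I would mark the pin as temporary in the comment, for example `# TEMPORARY pilot pin for #326 (shared-workflows PR #1945, unmerged); re-pin to the merged commit on main`, and track the re-pin as a follow-up.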
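Review bot: The entry `vendor-fixture` in .github/zizmor-collection-ignore removes a directory from a security scan, yet nothing in the file says how entries are matched (repo-root prefix, glob or substring); that is decided by the reusable workflow and cannot be seen here. If matching turns out to be unanchored, a later directory whose path merely contains `vendor-fixture` would drop out of the scan without anyone noticing. I would replace the bare issue reference with a header that states format and reason, for example `# Paths excluded from zizmor workflow collection, one repo-root-relative directory per line (security-appsec#326); test fixture only`, once those semantics are confirmed against the reusable workflow. Because this file narrows a security control, a CODEOWNERS rule covering it would ensure additions get security review.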
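Review bot: As written, should-not-scan.yml cannot show that the ignore list works: its only step is `run: echo ok`, which is unlikely to produce a finding at the `fail-severity: high` threshold set in self-zizmor.yaml, so the self-test would presumably pass whether or not the file is collected. For the pilot to act as a regression test, the check needs a signal that differs between the two cases, such as an assertion on the list of collected files or a fixture known to trip the threshold when scanned. A top-of-file comment such as `# Fixture for security-appsec#326: must be excluded via .github/zizmor-collection-ignore; not run by GitHub because it is outside the root .github/workflows` would also explain why a workflow file sits under vendor-fixture/.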