From e6d758fb668f65363a2af362b5a05ae7b5f9b7af Mon Sep 17 00:00:00 2001
From: Ondrej Mirtes
Date: Tue, 24 Feb 2026 14:31:01 +0100
Subject: [PATCH 1/2] Poutine

---
 .github/workflows/lint-workflows.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml
index c9e4e5b..e0de9ae 100644
--- a/.github/workflows/lint-workflows.yml
+++ b/.github/workflows/lint-workflows.yml
@@ -39,3 +39,24 @@ jobs:
 sarif_file: "${{steps.octoscan.outputs.sarif_output}}"
 category: octoscan
 wait-for-processing: false
+
+ poutine:
+ name: Poutine
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for codeql-action/upload-sarif to upload SARIF files.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+ with:
+ persist-credentials: false
+
+ - name: Run Poutine
+ uses: boostsecurityio/poutine-action@v0.15.2
+
+ - name: Upload poutine SARIF file
+ uses: github/codeql-action/upload-sarif@v4
+ with:
+ sarif_file: results.sarif
+ category: poutine
+ wait-for-processing: false
From 4245f8aeaf77829da3f1c0ad4253594d86d37b5e Mon Sep 17 00:00:00 2001
From: Ondrej Mirtes
Date: Tue, 24 Feb 2026 14:32:43 +0100
Subject: [PATCH 2/2] Zizmor

---
 .github/workflows/lint-workflows.yml | 31 ++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml
index e0de9ae..10bc798 100644
--- a/.github/workflows/lint-workflows.yml
+++ b/.github/workflows/lint-workflows.yml
@@ -1,3 +1,6 @@
+# Configuration from:
+# https://github.com/johnbillion/plugin-infrastructure/blob/571cba96190304963285181e2b928d941b9ec7c4/.github/workflows/reusable-workflow-lint.yml
+
 name: Lint GitHub Actions workflows
 on:
 pull_request:
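Review bot: The three `uses:` references in the new poutine job — `actions/checkout@v6`, `boostsecurityio/poutine-action@v0.15.2` and `github/codeql-action/upload-sarif@v4` — are mutable tags rather than commit SHAs, while the job hands every one of those actions a job token carrying `security-events: write`; a moved or hijacked tag on the third-party action would run arbitrary code with that permission inside the very workflow meant to audit workflows. Pin each step to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: boostsecurityio/poutine-action@<full commit sha> # v0.15.2`, and do the same for the checkout and upload-sarif steps. `upload-sarif@v4` also floats on a major tag while the zizmor job later in this same file references `@v4.31.9`; pick one pinning convention for the whole file. Note that the explicit `permissions:` block sets every unlisted scope to none, which works for a public repository but would break checkout and SARIF upload on a private one without an explicit `contents: read`.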
@@ -60,3 +63,31 @@ jobs:
 sarif_file: results.sarif
 category: poutine
 wait-for-processing: false
+
+ zizmor:
+ name: Zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for codeql-action/upload-sarif to upload SARIF files.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v7.3.0
+ with:
+ enable-cache: false
+
+ - name: Run zizmor
+ run: uvx zizmor@1.20.0 --persona=auditor --format=sarif --strict-collection . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v4.31.9
+ with:
+ sarif_file: results.sarif
+ category: zizmor
+ wait-for-processing: false
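Review bot: The `Run zizmor` step passes no `--no-exit-codes` and the `Upload SARIF file` step has no `if: always()`, so if zizmor keeps its documented default of exiting non-zero whenever it has findings, the run step fails and the upload is skipped — exactly the runs whose SARIF you want in code scanning never get there. Either append `--no-exit-codes` to the `uvx zizmor@1.20.0 ...` command and let code scanning surface the findings, or keep the exit code as the gate and add `if: always()` to the upload step so results are uploaded either way. Separately, `actions/checkout@v6`, `astral-sh/setup-uv@v7.3.0` and `github/codeql-action/upload-sarif@v4.31.9` are tag refs rather than commit SHAs, which zizmor's own `unpinned-uses` audit under `--persona=auditor` will likely report for the non-GitHub action, and `uvx zizmor@1.20.0` resolves a PyPI release by version without hash verification. The `GH_TOKEN` handed to zizmor is the job token with `security-events: write`, more than the read access its online audits need; that exposure is acceptable only once the actions running before it are SHA-pinned.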