From 1b03da05ef1cd48807b89801920570e97d810af0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Apr 2026 14:01:56 +0000
Subject: [PATCH 1/2] Initial plan

From a8758f60391b3d283e4c86af97a2bfdf72a9d698 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Apr 2026 14:03:49 +0000
Subject: [PATCH 2/2] chore(ci): add push trigger to zizmor workflow for main branch

Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python-lib/sessions/ad223ac9-fbc0-4750-9711-fd32f92cf099
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
---
 .github/workflows/zizmor.yml | 47 ++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..e776d380
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,47 @@
+# Analyzes all GitHub Actions workflows for security issues using zizmor.
+# docs: https://docs.zizmor.sh/
+name: Workflow Security Analysis (zizmor)
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/**"
+  schedule:
+    # Every Saturday at 00:00 UTC
+    - cron: "0 0 * * 6"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        # see https://github.com/zizmorcore/zizmor-action
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than
+          # uploading a SARIF report to GitHub's Security tab.
+          # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS),
+          # both of which are unnecessary here and would violate the least-privilege policy.
+          # The two modes are mutually exclusive: advanced-security must be false for
+          # annotations to take effect.
+          advanced-security: false
+          annotations: true
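Review bot: The concurrency group `${{ github.workflow }}-${{ github.ref }}` resolves to the same key for the `push` to `main` and the `schedule` trigger (both run on `refs/heads/main`), so with `cancel-in-progress: true` the Saturday scheduled scan can cancel an in-flight post-merge scan or be cancelled by one; keying on the event as well, e.g. `group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}`, keeps the two apart. The explanatory comment on `advanced-security` overstates the constraint: code-scanning SARIF upload is available to public repositories without a GHAS licence, so the reason worth keeping is the `security-events: write` grant alone — suggest trimming it to `# Uploading SARIF would require security-events: write, which is unnecessary here and conflicts with the least-privilege policy.` If the repository also keeps composite actions under `.github/actions/`, zizmor audits their `action.yml` files too and both `paths` filters should include that directory — I cannot tell from this hunk whether such actions exist. The pinned action SHAs, `persist-credentials: false` and the read-only `permissions` block are the right defaults and need no change.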