Add zizmor as a CI check for GitHub Actions workflows (#163161)

.github/workflows/ci.yaml

@@ -280,9 +280,29 @@ jobs:
       - name: Run prek
         uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 # v1.1.1
         env:
-          PREK_SKIP: no-commit-to-branch,mypy,pylint,gen_requirements_all,hassfest,hassfest-metadata,hassfest-mypy-config
+          PREK_SKIP: no-commit-to-branch,mypy,pylint,gen_requirements_all,hassfest,hassfest-metadata,hassfest-mypy-config,zizmor
           RUFF_OUTPUT_FORMAT: github
 
+  zizmor:
+    name: Check GitHub Actions workflows
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read # To check out the repository
+    needs: [info]
+    if: |
+      github.event.inputs.pylint-only != 'true'
+      && github.event.inputs.mypy-only != 'true'
+      && github.event.inputs.audit-licenses-only != 'true'
+    steps:
+      - name: Check out code from GitHub
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        uses: j178/prek-action@0bb87d7f00b0c99306c8bcb8b8beba1eb581c037 # v1.1.1
+        with:
+          extra-args: --all-files zizmor
+
   lint-hadolint:
     name: Check ${{ matrix.file }}
     runs-on: ubuntu-24.04

.pre-commit-config.yaml

@@ -17,6 +17,12 @@ repos:
           - --quiet-level=2
         exclude_types: [csv, json, html]
         exclude: ^tests/fixtures/|homeassistant/generated/|tests/components/.*/snapshots/
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.22.0
+    hooks:
+      - id: zizmor
+        args:
+          - --pedantic
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0
     hooks:

requirements_test_pre_commit.txt

@@ -3,3 +3,4 @@
 codespell==2.4.1
 ruff==0.15.1
 yamllint==1.37.1
+zizmor==1.22.0