Add Zizmor to bwwl

[mandreko-bitwarden]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/VULN-285

📔 Objective

Implement Zizmor, similar to ActionLint to perform security checks on GitHub workflow files.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 99634d80-d8aa-4856-8eac-49c0730db743

Great job! No new security vulnerabilities introduced in this pull request

[Copilot]

Pull Request Overview

This PR integrates Zizmor, a security-focused GitHub workflow linter, into the bitwarden workflow linter (bwwl) to perform security checks on GitHub workflow files similar to how ActionLint is currently integrated.

• Adds a new RunZizmor rule with configurable installation and execution
• Implements comprehensive test coverage for the new functionality
• Updates configuration files to enable the new rule with appropriate settings

Reviewed Changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
zizmor.yml	Configuration file for zizmor with pinning policies and disabled dangerous triggers
tests/rules/test_run_zizmor.py	Comprehensive test suite covering installation, execution, and error scenarios
src/bitwarden_workflow_linter/zizmor_version.yaml	Version specification file for zizmor dependency
src/bitwarden_workflow_linter/utils.py	Settings class updates to support zizmor version and config URL
src/bitwarden_workflow_linter/rules/run_zizmor.py	Main rule implementation with installation, validation, and execution logic
src/bitwarden_workflow_linter/default_settings.yaml	Default configuration enabling zizmor rule at warning level
settings.yaml	Local settings with commented zizmor rule and config URL
Taskfile.yml	Task runner updates with zizmor installation and execution tasks
.github/workflows/examples/*.yaml	Example workflow files updated with zizmor-compatible security practices

[Copilot]

This change appears to be unrelated to adding Zizmor support and should be in a separate commit. The comment "for testing help" suggests this is a workaround rather than a proper solution.

Suggested change

	# Handle both dict[str, dict] and dict[str, Action]
	# for approved_actions for testing help
	self.approved_actions = {}
	for name, action in approved_actions.items():
	if isinstance(action, Action):
	# Already an Action object, use it directly
	self.approved_actions[name] = action
	else:
	# Dictionary, create Action object
	self.approved_actions[name] = Action(**action)
	self.approved_actions = approved_actions

[mandreko-bitwarden]

This could be a hack? I had to modify it to allow the copying of a mock value. I'm unsure.

[vgrassia]

Tabs should be set to 2 spaces to be consistent with other workflows.