author Jacob Walls <jacobtylerwalls@gmail.com> 2025-11-14 13:30:30 -0500
committer Jacob Walls <jacobtylerwalls@gmail.com> 2025-11-21 14:59:53 -0500
commit 0f4d5303a28d6cb0f321b0a4d6363187ccfb903a
tree 450a2e1c0f8f745b5922605ea4c453ce4f7d8757
parent 9d6aa2d0ae567cb81eb9e102be19fd277ff4ee0b
[4.2.x] Added GitHub Actions linter (zizmor).
At the direction of the Security Team. Thanks Markus Holtermann, Jake Howard, and Natalia Bidart for reviews. Backport of 09d4bf5cd9c95c588d3ec22edea5db1f5f146900 from main.
-rw-r--r-- .github/workflows/linters.yml 11
-rw-r--r-- .pre-commit-config.yaml 4
-rw-r--r-- docs/internals/contributing/writing-code/submitting-patches.txt 4
-rw-r--r-- docs/internals/contributing/writing-code/unit-tests.txt 3
-rw-r--r-- tox.ini 9
5 files changed, 28 insertions, 3 deletions
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index 197b962889..08a404fcc0 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -60,3 +60,14 @@ jobs:
uses: actions/checkout@v4
- name: black
uses: psf/black@23.12.1
+
+ zizmor:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+ with:
+ advanced-security: false
+ annotations: true
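Review bot: The `Checkout` step in the new `zizmor` job references `actions/checkout@v5` by a mutable tag, while the `Run zizmor` step directly below it pins `zizmorcore/zizmor-action` to a full commit SHA with a `# v0.2.0` comment. Pinning the checkout the same way (SHA plus version comment) would keep the job consistent. The job only reads the tree, so setting `persist-credentials: false` on the checkout would also avoid leaving the token in the local git config. The context line above still uses `actions/checkout@v4`, so the file now mixes two major versions of the same action.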
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0e65e53e3f..10c6581b75 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -22,3 +22,7 @@ repos:
rev: v8.36.0
hooks:
- id: eslint
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.16.3
+ hooks:
+ - id: zizmor
diff --git a/docs/internals/contributing/writing-code/submitting-patches.txt b/docs/internals/contributing/writing-code/submitting-patches.txt
index be031f1f68..0a9d6b0d14 100644
--- a/docs/internals/contributing/writing-code/submitting-patches.txt
+++ b/docs/internals/contributing/writing-code/submitting-patches.txt
@@ -320,8 +320,8 @@ All code changes
* Does the :doc:`coding style
</internals/contributing/writing-code/coding-style>` conform to our
- guidelines? Are there any ``black``, ``blacken-docs``, ``flake8``, or
- ``isort`` errors? You can install the :ref:`pre-commit
+ guidelines? Are there any ``black``, ``blacken-docs``, ``flake8``,
+ ``isort``, or ``zizmor`` errors? You can install the :ref:`pre-commit
<coding-style-pre-commit>` hooks to automatically catch these errors.
* If the change is backwards incompatible in any way, is there a note
in the release notes (``docs/releases/A.B.txt``)?
diff --git a/docs/internals/contributing/writing-code/unit-tests.txt b/docs/internals/contributing/writing-code/unit-tests.txt
index 7d5a98812e..d9f8a276e8 100644
--- a/docs/internals/contributing/writing-code/unit-tests.txt
+++ b/docs/internals/contributing/writing-code/unit-tests.txt
@@ -69,7 +69,7 @@ command from any place in the Django source tree:
$ tox
By default, ``tox`` runs the test suite with the bundled test settings file for
-SQLite, ``black``, ``blacken-docs``, ``flake8``, ``isort``, and the
+SQLite, ``black``, ``blacken-docs``, ``flake8``, ``isort``, ``zizmor``, and the
documentation spelling checker. In addition to the system dependencies noted
elsewhere in this documentation, the command ``python3`` must be on your path
and linked to the appropriate version of Python. A list of default environments
@@ -84,6 +84,7 @@ can be seen as follows:
flake8>=3.7.0
docs
isort>=5.1.0
+ zizmor>=1.16.3
Testing other Python versions and database backends
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/tox.ini b/tox.ini
index b5c3fedd55..12c60921cd 100644
--- a/tox.ini
+++ b/tox.ini
@@ -13,6 +13,7 @@ envlist =
flake8
docs
isort
+ zizmor
# Add environment to use the default python3 installation
[testenv:py3]
@@ -86,3 +87,11 @@ allowlist_externals =
commands =
npm install
npm test
+
+[testenv:zizmor]
+basepython = python3
+usedevelop = false
+deps = zizmor >= 1.16.3
+changedir = {toxinidir}
+commands =
+ zizmor .
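Review bot: `deps = zizmor >= 1.16.3` in the new `[testenv:zizmor]` section is an open-ended lower bound, whereas the pre-commit hook added in this same patch is fixed at `rev: v1.16.3`. A local `tox -e zizmor` run can therefore resolve a newer zizmor than the pre-commit hook uses, and the two can report different findings on the same workflow files. Consider an exact pin here (`zizmor == 1.16.3`), or a comment stating that the version must be bumped together with `.pre-commit-config.yaml`.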