| author | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-11-14 13:30:30 -0500 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2025-11-21 14:43:27 -0500 |
| commit | fe3db5bcbb175d9b32c4ca2f03dc95d22ad2f77b (patch) | |
| tree | d2e9ae366d3c8a811d9e04597af75c82b002d67f | |
| parent | 2f0947146f48e9cacf671d5e6b3860f1caa5538a (diff) | |

[5.2.x] Added GitHub Actions linter (zizmor).

At the direction of the Security Team. Thanks Markus Holtermann,
Jake Howard, and Natalia Bidart for reviews.

Backport of 09d4bf5cd9c95c588d3ec22edea5db1f5f146900 from main.

| -rw-r--r-- | .github/workflows/linters.yml | 11 |
| -rw-r--r-- | .pre-commit-config.yaml | 4 |
| -rw-r--r-- | docs/internals/contributing/writing-code/submitting-patches.txt | 4 |
| -rw-r--r-- | docs/internals/contributing/writing-code/unit-tests.txt | 3 |
| -rw-r--r-- | tox.ini | 9 |

5 files changed, 28 insertions, 3 deletions

diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml index 0f64cae681..d6e939d2ae 100644 --- a/.github/workflows/linters.yml +++ b/.github/workflows/linters.yml @@ -60,3 +60,14 @@ jobs: uses: actions/checkout@v4 - name: black uses: psf/black@stable + + zizmor: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v5 + - name: Run zizmor + uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0 + with: + advanced-security: false + annotations: true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0bd515f100..1453e08b13 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -24,3 +24,7 @@ repos: rev: v9.12.0 hooks: - id: eslint + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.16.3 + hooks: + - id: zizmor diff --git a/docs/internals/contributing/writing-code/submitting-patches.txt b/docs/internals/contributing/writing-code/submitting-patches.txt index 173c0a56c7..de3d3c2571 100644 --- a/docs/internals/contributing/writing-code/submitting-patches.txt +++ b/docs/internals/contributing/writing-code/submitting-patches.txt @@ -421,8 +421,8 @@ All code changes * Does the :doc:`coding style </internals/contributing/writing-code/coding-style>` conform to our - guidelines? Are there any ``black``, ``blacken-docs``, ``flake8``, or - ``isort`` errors? You can install the :ref:`pre-commit + guidelines? Are there any ``black``, ``blacken-docs``, ``flake8``, + ``isort``, or ``zizmor`` errors? You can install the :ref:`pre-commit <coding-style-pre-commit>` hooks to automatically catch these errors. * If the change is backwards incompatible in any way, is there a note in the release notes (``docs/releases/A.B.txt``)? diff --git a/docs/internals/contributing/writing-code/unit-tests.txt b/docs/internals/contributing/writing-code/unit-tests.txt index 03218e26cc..7448e05102 100644 --- a/docs/internals/contributing/writing-code/unit-tests.txt 
+++ b/docs/internals/contributing/writing-code/unit-tests.txt @@ -69,7 +69,7 @@ command from any place in the Django source tree: $ tox By default, ``tox`` runs the test suite with the bundled test settings file for -SQLite, ``black``, ``blacken-docs``, ``flake8``, ``isort``, and the +SQLite, ``black``, ``blacken-docs``, ``flake8``, ``isort``, ``zizmor``, and the documentation spelling checker. In addition to the system dependencies noted elsewhere in this documentation, the command ``python3`` must be on your path and linked to the appropriate version of Python. A list of default environments @@ -84,6 +84,7 @@ can be seen as follows: flake8>=3.7.0 docs isort>=5.1.0 + zizmor>=1.16.3 Testing other Python versions and database backends ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -13,6 +13,7 @@ envlist = flake8 docs isort + zizmor # Add environment to use the default python3 installation [testenv:py3] @@ -87,3 +88,11 @@ allowlist_externals = commands = npm install npm test + +[testenv:zizmor] +basepython = python3 +usedevelop = false +deps = zizmor >= 1.16.3 +changedir = {toxinidir} +commands = + zizmor . |
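
Review bot: In the new `zizmor` job in `.github/workflows/linters.yml`, the checkout step uses the mutable tag `actions/checkout@v5` while the very next step pins `zizmorcore/zizmor-action` to a full commit SHA with the version in a trailing comment. Pin the checkout step the same way, so the job that lints workflow hygiene follows its own rule. The checkout step also has no `with:` block; since this job only reads the tree, adding `persist-credentials: false` would keep the workflow token from being persisted for later steps. The context lines show the neighbouring job still on `actions/checkout@v4`, so the two jobs in this file now run different major versions of the same action; aligning them in this change or a follow-up would avoid that drift.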
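
Review bot: The `[testenv:zizmor]` section added to `tox.ini` installs `deps = zizmor >= 1.16.3`, an open lower bound, while `.pre-commit-config.yaml` fixes `rev: v1.16.3` and the workflow step pins the action at v0.2.0 with no zizmor version visible in its `with:` block. The three entry points can therefore resolve different zizmor releases and disagree on findings, so a contributor can pass locally and fail in CI or the reverse. Consider pinning the tox dependency to the same release as the pre-commit hook, or stating in `unit-tests.txt` which of the three is authoritative. It would also help to document that `zizmor .` is run from `{toxinidir}` with no configuration file or options, so readers know the default audit set is what gates the change.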
