chore: Add zizmor linter
I was reading https://words.filippo.io/standard-of-care/ and discovered this tool, and thought I'd see if we could integrate it here.
https://zizmor.sh/
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Thanks for your contribution @benmoss. We already use actionlint. Do you have reason to believe that this is better?
(I'm the maintainer of zizmor).
FWIW, zizmor and actionlint have two pretty different scopes: actionlint mostly detects errors and quality issues in workflows, while zizmor finds security issues. I would generally recommend using both of them, particularly if you make lots of manual modifications to your workflows.
By analogy: actionlint is to zizmor as black is to flake8 🙂
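One way to run both tools side by side, as suggested above, and feed zizmor's findings into the code scanning the PR description mentions. This is an added example, not the workflow from this PR or from either project's documentation; the pinned action major versions, the `-color` and `--format sarif` flags, and the use of `GITHUB_TOKEN` for zizmor's online audits are assumptions about the tools' CLIs.

```yaml
# Added example (not this PR's workflow): lint the workflows with actionlint
# for correctness and with zizmor for security, publishing zizmor's results
# to the repository's Security tab as SARIF.
name: Workflow linting

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read   # default for every job unless overridden below

jobs:
  actionlint:
    # Syntax, expression and quality errors in the workflow files.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Run actionlint
        run: |
          docker run --rm -v "${PWD}:/repo" --workdir /repo \
            rhysd/actionlint:latest -color

  zizmor:
    # Security issues in the workflows (template injection, leaked
    # credentials, unpinned or known-vulnerable actions, ...).
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF to code scanning
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # zizmor flags the default (true) itself
      - uses: astral-sh/setup-uv@v5
      - name: Run zizmor
        # Online audits query the GitHub API, so a token is supplied;
        # the step exits non-zero when findings exist, hence if: always()
        # on the upload so results still reach the Security tab.
        run: uvx zizmor --format sarif . > results.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: results.sarif
          category: zizmor
```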
Thanks for chiming in @woodruffw, will check it out then :)
Cool! Let me know if you have any questions or run into any rough edges! I'm a huge fan of the work you all are doing with pixi 🙂
Haha amazing, I wasn't feeling particularly strongly about pushing this change forward and explaining how actionlint was different from what zizmor does, so sorry for just closing this, but thanks for the great explanation @woodruffw 😄