From ef3dde927d2488e23d509d0a343162ab7a45e1df Mon Sep 17 00:00:00 2001
From: Jordan Ritter
Date: Fri, 15 May 2026 11:49:21 -0700
Subject: [PATCH] fix(ci): add security-events permission and action.yml to zizmor paths
The zizmor-action uploads SARIF results via codeql-action/upload-sarif, which requires security-events: write. Without it, every run fails with "Resource not accessible by integration" even when zizmor itself finds zero issues. Also add action.yml to the path trigger so the composite action is scanned on changes (it was previously only scanned on workflow_dispatch).
---
 .github/workflows/zizmor.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index cf0c2a9..4dbe768 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -7,16 +7,19 @@ on:
 - ".github/workflows/**"
 - ".github/actions/**"
 - ".github/zizmor.yml"
+ - "action.yml"
 push:
 branches: [main]
 paths:
 - ".github/workflows/**"
 - ".github/actions/**"
 - ".github/zizmor.yml"
+ - "action.yml"
 workflow_dispatch:
 permissions:
 contents: read
+ security-events: write
 jobs:
 zizmor:
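Review bot: `security-events: write` is granted in the workflow-level `permissions:` block, so every job in this workflow receives the write scope rather than only the job that uploads SARIF. Only `zizmor:` is visible before the hunk ends, so the effect is probably the same today, but a job added later would inherit the scope without anyone deciding it should. Scoping the grant to the job keeps the token least-privileged: leave the top level at `contents: read` and put `permissions:` with `contents: read` and `security-events: write` under `jobs.zizmor`. The job body is outside the hunk, so also confirm it has no `permissions:` key of its own, since a job-level block replaces the workflow-level one and would leave the upload failing as before.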