workflows/actionlint: run zizmor

Port of Homebrew/homebrew-core#195961.

See https://github.com/woodruffw/zizmor.

.github/workflows/actionlint.yml

@@ -26,10 +26,12 @@ concurrency:
   group: "actionlint-${{ github.ref }}"
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions: {}
+
 jobs:
   workflow_syntax:
     if: github.repository_owner == 'Homebrew'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
       - name: Set up Homebrew
         id: setup-homebrew
@@ -39,12 +41,13 @@ jobs:
           cask: false
           test-bot: false
 
-      - name: Set up actionlint
+      - name: Install tools
+        run: brew install actionlint shellcheck zizmor
+
+      - name: Set up GITHUB_WORKSPACE
         env:
           HOMEBREW_REPOSITORY: ${{ steps.setup-homebrew.outputs.repository-path }}
         run: |
-          brew install actionlint shellcheck
-
           # Annotations work only relative to GITHUB_WORKSPACE
           (shopt -s dotglob; rm -rf "${GITHUB_WORKSPACE:?}"/*; mv "${HOMEBREW_REPOSITORY:?}"/* "$GITHUB_WORKSPACE")
           rmdir "$HOMEBREW_REPOSITORY"
@@ -52,4 +55,31 @@ jobs:
 
           echo "::add-matcher::.github/actionlint-matcher.json"
 
+      - run: zizmor --format sarif . >results.sarif
+
+      - name: Upload SARIF file
+        uses: actions/upload-artifact@v4
+        with:
+          name: results.sarif
+          path: results.sarif
+
       - run: actionlint
+
+  upload_sarif:
+    needs: workflow_syntax
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Download SARIF file
+        uses: actions/download-artifact@v4
+        with:
+          name: results.sarif
+          path: results.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor