
Add zizmor as a CI check #2776

Merged
joerick merged 3 commits into main from add-zizmor
Mar 16, 2026

Conversation

@joerick
Contributor

@joerick joerick commented Mar 12, 2026

I'm curious about adding this tool, so experimenting with it here...

See #2770 for the impetus.
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@henryiii
Contributor

I've added it in the past to packaging: pypa/packaging#1035

@agriyakhetarpal
Member

agriyakhetarpal commented Mar 12, 2026

Yes, I also find it useful as a pre-commit hook, with the --pedantic and --fix=safe arguments.

@joerick joerick marked this pull request as ready for review March 14, 2026 09:45
@henryiii
Contributor

I would much rather have this in pre-commit; that's where we put all of our tools, so they can be run locally and fixed locally.

@joerick
Contributor Author

joerick commented Mar 14, 2026

Only problem with running it in pre-commit right now is that there are a lot of errors/warnings currently, we'd have to get to zero before running in pre-commit. But yeah I'd be happy in pre-commit once we get there. (I do like the fancy inline code-review error messages but I can live without that :) )

@agriyakhetarpal
Member

Perhaps we could fix some of them in the meantime with --fix=all (or --fix=safe)?

@joerick
Contributor Author

joerick commented Mar 15, 2026

Most (that aren't fixed with open PRs) look to be variable injection. Especially in action.yml. Which will need some manual work to fix, as I think we'll have to move some logic from the workflow file into the shell.
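For readers unfamiliar with the finding class mentioned in the comment above, here is an added example (not cibuildwheel's own action.yml, and not code from this PR) of the pattern zizmor's template-injection audit reports in a composite action, together with the "move it into the shell" fix the comment describes. The action name, the `package` input and the build command are placeholders chosen for illustration.

```yaml
# Added example, not the project's action.yml. Input name and commands
# are placeholders. Shows the flagged pattern and the fixed form side by side.
name: example-composite-action
description: "Placeholder composite action"
inputs:
  package:
    description: "Package to build (placeholder input)"
    required: true
runs:
  using: composite
  steps:
    # Flagged: the `${{ }}` expression is expanded by the runner into the
    # script text before bash ever runs it, so the input's value becomes part
    # of the command line rather than data. Any shell metacharacters in the
    # value change what the script does.
    - name: Build (flagged by template-injection audit)
      shell: bash
      run: |
        echo "Building ${{ inputs.package }}"
        python -m build "${{ inputs.package }}"

    # Fixed: the runner places the value in an environment variable, and the
    # script text itself is constant. The shell reads $PACKAGE as data, and
    # the double quotes keep it a single argument.
    - name: Build (fixed)
      shell: bash
      env:
        PACKAGE: ${{ inputs.package }}
      run: |
        echo "Building $PACKAGE"
        python -m build "$PACKAGE"
```

The same transformation applies to workflow files: any `${{ github.event.* }}`, `${{ inputs.* }}` or similar expression inside a `run:` block moves into a step-level `env:` entry, and the script references the variable instead. That is the manual work the comment refers to, since the fix cannot be applied blindly when the script's logic depends on the expanded value.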

@agriyakhetarpal
Member

I think we should proceed with this as is, then – this should be a net win!

@joerick joerick merged commit 35452dc into main Mar 16, 2026
45 checks passed
@joerick joerick deleted the add-zizmor branch March 16, 2026 19:55