Add zizmor (github actions static analysis)#7880
Conversation
Thanks @Yann-P for working on this! Should we expect CI to fail when the next PR is opened, since we have not pinned GitHub Actions with hashes on this repo yet? Curious in which order things should be done, and also whether pinned GitHub Actions can easily be updated later.

Hello @jtpio, it will not block anything because zizmor is only set to trigger when you open a new merge request. It only alerts about changes that are introduced in the merge request (see screenshot in linked issue). This means this PR does not address the current security concerns that zizmor found in this repository (I had a quick look and there is nothing too bad).
References
#7879
Code changes
Add one GitHub Actions workflow that runs zizmor when a PR is opened.
This workflow is taken from this other jupyter project: https://github.com/pydata/pydata-sphinx-theme/blob/main/.github/workflows/zizmor.yml.
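As an added illustration of the kind of finding discussed above (unpinned action references, which zizmor reports through its `unpinned-uses` audit), here is a small stand-alone Python check. It is not zizmor, not the workflow from this PR, and not code from pydata-sphinx-theme: the sample workflow text is constructed for the example, the 40-hex-character commit SHA in it is a placeholder, and the action names `some-org/some-action` and `./.github/actions/local-thing` are assumed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample workflow text (not the workflow from this PR). The first
# step is pinned to a placeholder 40-hex-character commit SHA; the next two use
# a mutable tag and a branch, which is what zizmor's unpinned-uses audit flags.
SAMPLE_WORKFLOW = """\
name: zizmor
on:
  pull_request:
permissions: {}
jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          persist-credentials: false
      - uses: astral-sh/setup-uv@v5
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-thing
      - run: uvx zizmor --format sarif . > results.sarif
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Classify a `uses:` reference by how it is pinned.

    Returns one of 'local' (path inside the repo), 'docker' (container
    reference), 'sha' (full 40-hex commit), 'tag-or-branch' (mutable ref)
    or 'unversioned' (no @ at all).
    """
    ref = ref.strip("\"'")
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "unversioned"
    version = ref.rsplit("@", 1)[1]
    return "sha" if FULL_SHA_RE.match(version) else "tag-or-branch"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reference, kind) for every `uses:` whose target
    a retagged or force-pushed upstream could silently change."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1).strip("\"'")
        kind = classify_uses(ref)
        if kind in ("tag-or-branch", "unversioned"):
            findings.append((lineno, ref, kind))
    return findings


if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is {kind}; pin to a full commit SHA")
```

Running it lists `astral-sh/setup-uv@v5` and `some-org/some-action@main` and leaves the SHA-pinned checkout and the local action alone. The same line-by-line approach can be pointed at every file under `.github/workflows/` to see what a repo-wide zizmor run would raise before the PR-triggered workflow starts reporting only newly introduced findings.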
User-facing changes
None
Backwards-incompatible changes
None.