From 8e549fbdd36be99a62019218cd171ec225f25506 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Thu, 21 May 2026 19:09:35 +0200 Subject: [PATCH] GHA/checksrc: add auditor-level zizmor (warning-only) CI time cost is 1s. It may replace existing pedantic check, if this level isn't bringing false-positives or annoyance. Officially it's not meant for CI, but curl has been passing this in the last couple of months when checked locally. Closes #21718
---
 .github/workflows/checksrc.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/checksrc.yml b/.github/workflows/checksrc.yml
index c05a48d6a0..18e9f1ba65 100644
--- a/.github/workflows/checksrc.yml
+++ b/.github/workflows/checksrc.yml
@@ -165,6 +165,13 @@ jobs:
 eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
 zizmor --persona pedantic .github/workflows/*.yml .github/dependabot.yml

+ - name: 'zizmor GHA (auditor, warning-only)'
+ env:
+ GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+ run: |
+ eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+ zizmor --persona auditor .github/workflows/*.yml .github/dependabot.yml || true
+
 - name: 'actionlint'
 run: |
 eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
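Review bot: The `|| true` on the added `zizmor --persona auditor` line hides every non-zero exit, not only audit findings. A zizmor crash, a rejected argument or a missing binary would also leave the step green, so the auditor check could silently stop running without anyone noticing. zizmor has a `--no-exit-codes` option that reports success when there are findings but still fails on tool errors, so the line could read `zizmor --no-exit-codes --persona auditor .github/workflows/*.yml .github/dependabot.yml`. The step also receives `GH_TOKEN`; the workflow's `permissions:` block is outside this hunk, so it is worth confirming that the token is read-only for this job.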