chore(ci): update zizmor and use zizmor-action in workflow

.github/workflows/ci_lint.yml

@@ -35,11 +35,17 @@ jobs:
         run: |
           make lint_workflow
 
-      - name: Check workflows security
+      - name: Get Zimzor version to use
+        id: get_zizmor
         run: |
-          make check_workflow_security
-        env:
-          GH_TOKEN: ${{ env.CHECKOUT_TOKEN }}
+          echo "version=$(make zizmor_version)" >> "${GITHUB_OUTPUT}"
+
+      - name: Check workflows security
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+        with:
+          advanced-security: 'false' # Print results directly in logs
+          persona: pedantic
+          version: ${{ steps.get_zizmor.outputs.version }}
 
       - name: Ensure SHA pinned actions
         uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74 # v4.0.0

Makefile

@@ -31,6 +31,7 @@ WASM_BINDGEN_VERSION:=$(shell cargo tree --target wasm32-unknown-unknown -e all
 WEB_RUNNER_DIR=web-test-runner
 WEB_SERVER_DIR=tfhe/web_wasm_parallel_tests
 TYPOS_VERSION=1.39.0
+ZIZMOR_VERSION=1.16.2
 # This is done to avoid forgetting it, we still precise the RUSTFLAGS in the commands to be able to
 # copy paste the command in the terminal and change them if required without forgetting the flags
 export RUSTFLAGS?=-C target-cpu=native
@@ -188,9 +189,12 @@ install_typos_checker: install_rs_build_toolchain
 
 .PHONY: install_zizmor # Install zizmor workflow security checker
 install_zizmor: install_rs_build_toolchain
-	@zizmor --version > /dev/null 2>&1 || \
-	cargo $(CARGO_RS_BUILD_TOOLCHAIN) install --locked zizmor --version ~1.9 || \
-	( echo "Unable to install zizmor, unknown error." && exit 1 )
+	@./scripts/install_zizmor.sh --rust-toolchain $(CARGO_RS_BUILD_TOOLCHAIN) \
+	--zizmor-version $(ZIZMOR_VERSION)
+
+.PHONY: zizmor_version  # Return zizmor version that will be installed
+zizmor_version:
+	@echo "$(ZIZMOR_VERSION)"
 
 .PHONY: install_cargo_cross # Install cross for big endian tests
 install_cargo_cross: install_rs_build_toolchain

scripts/install_zizmor.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+
+set -e
+
+rust_toolchain=""
+required_typos_version=""
+
+function usage() {
+    echo "$0: install zizmor"
+    echo
+    echo "--help                    Print this message"
+    echo "--rust-toolchain          The toolchain to check the version for with leading"
+    echo "--zizmor-version           Version of zizmor to install"
+    echo
+}
+
+while [ -n "$1" ]
+do
+    case "$1" in
+        "--rust-toolchain" )
+            shift
+            rust_toolchain="$1"
+            ;;
+
+        "--zizmor-version" )
+            shift
+            required_zizmor_version="$1"
+            ;;
+
+        *)
+            echo "Unknown param : $1"
+            exit 1
+            ;;
+    esac
+    shift
+done
+
+if [[ "${rust_toolchain::1}" != "+" ]]; then
+    rust_toolchain="+${rust_toolchain}"
+fi
+
+if ! which zizmor ; then
+    cargo "${rust_toolchain}" install --locked zizmor --version ~"${required_zizmor_version}" || \
+    ( echo "Unable to install zizmor, unknown error." && exit 1 )
+
+    exit 0
+fi
+
+ver_string="$(zizmor --version | cut -d ' ' -f 2)"
+
+ver_major="$(echo "${ver_string}" | cut -d '.' -f 1)"
+ver_minor="$(echo "${ver_string}" | cut -d '.' -f 2)"
+
+min_ver_major="$(echo "${required_zizmor_version}" | cut -d '.' -f 1)"
+min_ver_minor="$(echo "${required_zizmor_version}" | cut -d '.' -f 2)"
+
+if [[ "${ver_major}" -gt "${min_ver_major}" ]]; then
+    exit 0
+elif [[ "${ver_major}" -eq "${min_ver_major}" ]] && [[ "${ver_minor}" -ge "${min_ver_minor}" ]]; then
+    exit 0
+else
+    cargo "${rust_toolchain}" install --locked zizmor --version ~"${required_zizmor_version}" || \
+    ( echo "Unable to install zizmor, unknown error." && exit 1 )
+fi