chore: add ci-security workflow

ioannisj · ioannisj · commit 0ae048d1b8a2 · 2025-11-26T15:23:07.000+02:00
diff --git a/.github/workflows/ci-security.yml b/.github/workflows/ci-security.yml
@@ -0,0 +1,29 @@
+on:
+    push:
+        branches:
+            - main
+    pull_request:
+    merge_group:
+
+name: Security
+
+permissions:
+    contents: read
+    actions: read
+    security-events: write
+
+env:
+    SEMGREP_ENABLE_VERSION_CHECK: 'false'
+
+jobs:
+    ensure-pinned-actions:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+            - name: Ensure SHA pinned actions
+              uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74 # v4.0.0
+              with:
+                  allowlist: |
+                      actions/
+                      PostHog/
