gha: add zizmor workflow

[thaJeztah]

Similar to moby/moby#52362, moby/buildkit#6623

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

Should this include PR number (for PR flows) for reasons similar to docker/docs#25236 ?

[crazy-max]

It makes sense in docker/docs#25236 because there is only a pull_request_target event but not here.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[crazy-max]

Looks like we need to fix this one:

warning[template-injection]: code injection via template expansion
  --> ./.github/workflows/build.yml:81:24
   |
79 |         run: |
   |         --- this run block
80 |           mkdir /tmp/out
81 |           platform=${{ matrix.platform }}
   |                        ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |

[thaJeztah]

Interesting; why didn't it fail on that one?

[crazy-max]

Interesting; why didn't it fail on that one?

Because it's not new code and therefore not flagged in your PR, but you can see it in SARIF report: https://github.com/docker/cli/actions/runs/26877863807/job/79269874595#step:7:92

Also in code scanning:

• https://github.com/docker/cli/security/code-scanning?query=is%3Aopen+pr%3A7024
• https://github.com/docker/cli/security/code-scanning/92

[thaJeztah]

Because it's not new code and therefore not flagged in your PR

Ah; is that configurable, or was that intentional (to not expose possible mis-configurations on a PR)?

[crazy-max]

Because it's not new code and therefore not flagged in your PR

Ah; is that configurable, or was that intentional (to not expose possible mis-configurations on a PR)?

I don't think that is configurable

[thaJeztah]

Pushed a commit with fixes from zizmor