From 789df4331b39342197bc01b57b1e46cbd742fb0d Mon Sep 17 00:00:00 2001
From: Carl Tashian <carl@smallstep.com>
Date: Mon, 2 Mar 2026 18:47:45 -0800
Subject: [PATCH 1/2] Add advanced-security input to zizmor workflow

Allow callers to disable SARIF upload for private repos that
don't have GitHub Advanced Security enabled.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/zizmor.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index bf7799d..decbc85 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -1,6 +1,11 @@
 name: Zizmor security scan
 on:
   workflow_call:
+    inputs:
+      advanced-security:
+        description: Upload results to GitHub Advanced Security (requires GHAS)
+        type: boolean
+        default: true
 
 jobs:
   zizmor:
@@ -18,3 +23,4 @@ jobs:
         with:
           min-severity: medium
           min-confidence: medium
+          advanced-security: ${{ inputs.advanced-security }}

From 78344edc05320f9348754dd9a47717590b16f119 Mon Sep 17 00:00:00 2001
From: Carl Tashian <carl@smallstep.com>
Date: Mon, 2 Mar 2026 18:50:58 -0800
Subject: [PATCH 2/2] Update description for advanced-security input

---
 .github/workflows/zizmor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index decbc85..2c6805c 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -3,7 +3,7 @@ on:
   workflow_call:
     inputs:
       advanced-security:
-        description: Upload results to GitHub Advanced Security (requires GHAS)
+        description: Upload results to GitHub Advanced Security
         type: boolean
         default: true