From 713854a6952def3133d2046b10ab22fe4943bba7 Mon Sep 17 00:00:00 2001
From: shroffk
Date: Thu, 18 Jun 2026 15:54:51 -0400
Subject: [PATCH 1/4] creating a ci audit workflow
---
 .github/workflows/ci-audit.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/ci-audit.yml
diff --git a/.github/workflows/ci-audit.yml b/.github/workflows/ci-audit.yml
new file mode 100644
index 0000000000..6d7f7874e2
--- /dev/null
+++ b/.github/workflows/ci-audit.yml
@@ -0,0 +1,30 @@
+name: ci-audit
+
+on:
+ pull_request:
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.12'
+ - run: pip install zizmor
+ - run: zizmor --format sarif . > zizmor.sarif
+ - uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: zizmor.sarif
+ category: zizmor
+
+ ci-doctor:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: depmedicdev-byte/ci-doctor-action@v1
+
From 27c4fc2200127a411f618ec003b08b9484029c2d Mon Sep 17 00:00:00 2001
From: shroffk
Date: Thu, 18 Jun 2026 15:57:41 -0400
Subject: [PATCH 2/4] update version for actions
---
 .github/workflows/ci-audit.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci-audit.yml b/.github/workflows/ci-audit.yml
index 6d7f7874e2..8bb3549007 100644
--- a/.github/workflows/ci-audit.yml
+++ b/.github/workflows/ci-audit.yml
@@ -11,10 +11,10 @@ jobs:
 zizmor:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
+ - uses: actions/checkout@v5
+ - uses: actions/setup-python@v6
 with:
- python-version: '3.12'
+ python-version: '3.13'
 - run: pip install zizmor
 - run: zizmor --format sarif . > zizmor.sarif
 - uses: github/codeql-action/upload-sarif@v3
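Review bot: The SARIF upload in the zizmor job is unlikely to run in the case it exists for: `zizmor --format sarif . > zizmor.sarif` fails the step whenever zizmor reports findings (zizmor exits non-zero in that case, as I understand its exit-code contract), and a failed step stops the job before the `github/codeql-action/upload-sarif@v3` step on the following line. Add `if: always()` to the upload step, or `continue-on-error: true` on the run step, so the report reaches Code Scanning whether or not findings exist. Separately, every action in this hunk is referenced by a floating major tag (`@v4`, `@v5`, `@v3`, `@v1`) and `pip install zizmor` installs whatever version is current, so the audit workflow itself is not reproducible; zizmor will flag the tag references. The `with:` indentation in this hunk cannot be verified from the collapsed text, so the nesting of `python-version`, `sarif_file` and `category` under their steps is assumed.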
@@ -25,6 +25,5 @@ jobs:
 ci-doctor:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
 - uses: depmedicdev-byte/ci-doctor-action@v1
-
From 11b628b347ad77a9c402ec4ffd9c2e93ac20b4bf Mon Sep 17 00:00:00 2001
From: shroffk
Date: Thu, 18 Jun 2026 16:10:51 -0400
Subject: [PATCH 3/4] trying to address some of zizmor concerns
---
 .github/workflows/ci-audit.yml | 35 ++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/ci-audit.yml b/.github/workflows/ci-audit.yml
index 8bb3549007..e0bec85a24 100644
--- a/.github/workflows/ci-audit.yml
+++ b/.github/workflows/ci-audit.yml
@@ -1,29 +1,36 @@
 name: ci-audit
 on:
+ push:
+ branches: ["master"]
 pull_request:
-permissions:
- contents: read
- security-events: write
+permissions: {}
 jobs:
 zizmor:
 runs-on: ubuntu-latest
+ timeout-minutes: 15
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
 steps:
- - uses: actions/checkout@v5
- - uses: actions/setup-python@v6
+ - name: Checkout repository
+ uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
 with:
- python-version: '3.13'
- - run: pip install zizmor
- - run: zizmor --format sarif . > zizmor.sarif
- - uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: zizmor.sarif
- category: zizmor
+ persist-credentials: false
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
 ci-doctor:
 runs-on: ubuntu-latest
+ timeout-minutes: 15
+ permissions:
+ contents: read
+ actions: read
 steps:
- - uses: actions/checkout@v5
- - uses: depmedicdev-byte/ci-doctor-action@v1
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+ with:
+ persist-credentials: false
+ - uses: depmedicdev-byte/ci-doctor-action@549380d0aded54ccd20d032c28a3a25c732e31f4 # v1
From 6d2ca75ffed5128404b492e0cb4f1291946d9cfd Mon Sep 17 00:00:00 2001
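Review bot: The `security-events: write` grant on the zizmor job does not take effect for a `pull_request` run opened from a fork, where GITHUB_TOKEN is read-only, so if `zizmorcore/zizmor-action` uploads its SARIF to Code Scanning by default (its README documents an input for turning that upload off; confirm the exact name) the job will fail on every fork PR while passing on same-repo PRs and on `push` to master. Either gate the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or disable the upload for fork PRs and rely on the job's exit status there. The SHA pins with trailing `# v7` / `# v0.5.6` / `# v1` comments and `persist-credentials: false` on both checkouts are the right shape; since `depmedicdev-byte/ci-doctor-action` is a third-party action that receives `actions: read` (workflow-run and artifact metadata), a one-line comment above the ci-doctor job's `permissions:` stating why it needs that scope would help the next auditor decide whether to keep it. Leading indentation in this hunk was lost in transit, so the nesting of `persist-credentials` under `with:` and of the per-job `permissions:` blocks is assumed rather than verified.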
From: shroffk
Date: Thu, 18 Jun 2026 16:13:11 -0400
Subject: [PATCH 4/4] defining concurrency behaviours
---
 .github/workflows/ci-audit.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/ci-audit.yml b/.github/workflows/ci-audit.yml
index e0bec85a24..ae223f6bf3 100644
--- a/.github/workflows/ci-audit.yml
+++ b/.github/workflows/ci-audit.yml
@@ -5,6 +5,10 @@ on:
 branches: ["master"]
 pull_request:
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 permissions: {}
 jobs:
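Review bot: With `cancel-in-progress: true` and a group keyed on `github.ref`, two pushes to master in quick succession cancel the first audit run (`github.ref` is `refs/heads/master` for both), so the default-branch zizmor results in Code Scanning can lag behind the actual workflow files until a later push completes; for PRs the cancellation is what you want, for the default branch it is not. Restrict cancellation to PR runs with `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, keeping the group expression as is. The `on:`/`jobs:` blocks this hunk sits between continue outside it.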