From ddf31d4a58122bd911a3edd9ae142d8870129231 Mon Sep 17 00:00:00 2001
From: jdalton
Date: Wed, 20 May 2026 17:53:02 -0400
Subject: [PATCH] chore(ci): remove audit-gha-workflows org-required workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The audit-gha-workflows.yml was injected into every fleet repo as an org-level required workflow. It ran a zizmor scan on every PR and push — which is already covered by: - pnpm run check (local dev + pre-commit) - the zizmor invocation in setup-security-tools/install.mts - the shared SocketDev/socket-registry CI workflow consumers Three redundant zizmor passes is wasted runner time + adds noise to every PR's checks panel. Removing the org-required surface so each repo can opt into zizmor where it makes sense.
---
.github/workflows/audit-gha-workflows.yml | 26 -----------------------
1 file changed, 26 deletions(-)
delete mode 100644 .github/workflows/audit-gha-workflows.yml
diff --git a/.github/workflows/audit-gha-workflows.yml b/.github/workflows/audit-gha-workflows.yml
deleted file mode 100644
index abd5cf3..0000000
--- a/.github/workflows/audit-gha-workflows.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: Audit GHA Workflows
-on:
- pull_request:
- push:
- branches: [master, main]
-permissions:
- contents: read
-jobs:
- zizmor:
- name: Audit GitHub Actions
- runs-on: ubuntu-latest
- timeout-minutes: 5
- steps:
- - name: Checkout code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - name: Install zizmor
- run: pip install zizmor==1.23.1
- - name: Run zizmor
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- if [ -d .github ]; then
- zizmor .github --gh-token "${GITHUB_TOKEN}" --min-severity medium
- fi