Remove /fin/escalate from Fin Agent API Preview spec #17

	name: Zizmor Workflow Security Scan

	on:
	pull_request:
	merge_group:

	permissions:
	contents: read

	jobs:
	zizmor-scan:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	fetch-depth: 0

	- name: Detect workflow changes
	id: changes
	env:
	BASE_SHA: ${{ github.event.pull_request.base.sha \|\| github.event.merge_group.base_sha }}
	HEAD_SHA: ${{ github.event.pull_request.head.sha \|\| github.event.merge_group.head_sha }}
	run: \|
	if git diff --name-only "$BASE_SHA" "$HEAD_SHA" \| grep -q '^\.github/workflows/'; then
	echo "workflows=true" >> "$GITHUB_OUTPUT"
	else
	echo "workflows=false" >> "$GITHUB_OUTPUT"
	fi

	- name: Install zizmor
	if: steps.changes.outputs.workflows == 'true'
	run: pip install zizmor==1.25.2

	- name: Scan workflows
	if: steps.changes.outputs.workflows == 'true'
	run: zizmor --min-severity=medium .github/workflows/

Provide feedback