Open
Description
Pre-submission checks
- I am not reporting a bug (crash, false positive/negative, etc). These must be filed via the bug report template.
- I have looked through the open issues for a duplicate request.
What's the problem this feature will solve?
Not sure if this is in the realm of what zizmor aspires to address, but I was thinking that GHA workflows have so many potential sources of bugs, maybe zizmor could try to find general correctness errors.
E.g. doing

    env:
      FOO: 123
      BAR: $FOO-456

won't produce the expected results, since env vars only expand in bash. Maybe this results in a security issue since the correctness of your workflow is wrong.
Describe the solution you'd like
Zizmor could flag things like apparent use of env var in non-shell context or any other potential errors which GitHub will accept but not error / warn about.
Additional context
No response
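One way such a check could work, as an added illustration that is not part of this issue and not zizmor's own code: walk the parsed workflow and flag any shell-style `$VAR` / `${VAR}` reference that appears in a context GitHub does not pass through a shell (workflow-, job- and step-level `env:`, and `with:` inputs), while leaving `${{ env.VAR }}` expressions and `run:` scripts alone. The workflow is assumed to be already loaded into a plain dict, as `yaml.safe_load` would produce; the sample workflow below is constructed for the example.

```python
import re

# Shell-style references: $FOO or ${FOO}. GitHub expression syntax
# (`${{ ... }}`) does not match because `{{` cannot start an identifier.
SHELL_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

# Mapping keys whose string values GitHub treats literally (no shell expansion).
NON_SHELL_CONTEXTS = ("env", "with")


def scan_mapping(mapping, where):
    """Return findings for every shell-style reference in a non-shell mapping."""
    findings = []
    for key, value in (mapping or {}).items():
        if not isinstance(value, str):  # ints, bools, nested maps: nothing to expand
            continue
        for m in SHELL_VAR.finditer(value):
            findings.append(
                {"location": f"{where}.{key}", "value": value, "var": m.group(1)}
            )
    return findings


def find_shell_refs_outside_run(workflow):
    """Flag $VAR-style references at workflow, job and step level outside `run:`.

    `run:` scripts are intentionally not scanned: there the shell does expand
    `$VAR`, so a reference is the expected usage.
    """
    findings = scan_mapping(workflow.get("env"), "workflow.env")
    for job_id, job in (workflow.get("jobs") or {}).items():
        findings += scan_mapping(job.get("env"), f"jobs.{job_id}.env")
        for i, step in enumerate(job.get("steps") or []):
            for ctx in NON_SHELL_CONTEXTS:
                findings += scan_mapping(
                    step.get(ctx), f"jobs.{job_id}.steps[{i}].{ctx}"
                )
    return findings


# Constructed sample workflow (what a YAML loader would give for a small file).
SAMPLE_WORKFLOW = {
    "name": "ci",
    "env": {"FOO": 123, "BAR": "$FOO-456"},          # BAR: not expanded by GitHub
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "env": {"OK": "${{ env.FOO }}-456"},     # expression syntax: fine
            "steps": [
                {"run": "echo $BAR", "env": {"BAZ": "${FOO}"}},   # BAZ flagged
                {"uses": "actions/checkout@v4", "with": {"ref": "$BRANCH"}},  # flagged
            ],
        }
    },
}


def report(workflow):
    """Human-readable lines, one per finding."""
    return [
        f"{f['location']}: '{f['value']}' references ${f['var']} "
        f"in a context GitHub does not shell-expand"
        for f in find_shell_refs_outside_run(workflow)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_WORKFLOW):
        print(line)
```

On the constructed sample this yields three findings (`workflow.env.BAR`, the step-level `BAZ`, and the `with.ref` input), and nothing for `OK`, whose `${{ env.FOO }}` is the expression form GitHub actually evaluates. A real implementation would load the file with `yaml.safe_load` first and would also want to handle `${{ }}` expressions that contain a stray `$` inside a string, which this simple regex does not attempt.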