zizmor 0.8.0__tar.gz → 0.9.1__tar.gz



Files changed (110)
  1. {zizmor-0.8.0 → zizmor-0.9.1}/.github/workflows/ci.yml +11 -0
  2. {zizmor-0.8.0 → zizmor-0.9.1}/.github/workflows/pypi.yml +1 -1
  3. {zizmor-0.8.0 → zizmor-0.9.1}/.github/workflows/zizmor.yml +4 -6
  4. {zizmor-0.8.0 → zizmor-0.9.1}/Cargo.lock +221 -70
  5. {zizmor-0.8.0 → zizmor-0.9.1}/Cargo.toml +13 -10
  6. zizmor-0.9.1/Makefile +21 -0
  7. {zizmor-0.8.0 → zizmor-0.9.1}/PKG-INFO +1 -1
  8. {zizmor-0.8.0 → zizmor-0.9.1}/docs/audits.md +23 -4
  9. {zizmor-0.8.0 → zizmor-0.9.1}/docs/development.md +32 -6
  10. {zizmor-0.8.0 → zizmor-0.9.1}/docs/installation.md +25 -0
  11. {zizmor-0.8.0 → zizmor-0.9.1}/docs/snippets/help.txt +0 -2
  12. zizmor-0.9.1/docs/snippets/render-trophies.py +27 -0
  13. zizmor-0.9.1/docs/snippets/trophies.md +246 -0
  14. zizmor-0.9.1/docs/snippets/trophies.txt +46 -0
  15. zizmor-0.9.1/docs/trophy-case.md +18 -0
  16. {zizmor-0.8.0 → zizmor-0.9.1}/docs/usage.md +15 -8
  17. {zizmor-0.8.0 → zizmor-0.9.1}/mkdocs.yml +1 -0
  18. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/artipacked.rs +3 -3
  19. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/dangerous_triggers.rs +1 -1
  20. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/excessive_permissions.rs +2 -2
  21. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/github_env.rs +2 -2
  22. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/hardcoded_container_credentials.rs +1 -1
  23. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/impostor_commit.rs +3 -3
  24. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/insecure_commands.rs +49 -13
  25. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/known_vulnerable_actions.rs +1 -1
  26. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/mod.rs +12 -2
  27. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/ref_confusion.rs +2 -2
  28. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/self_hosted_runner.rs +33 -14
  29. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/template_injection.rs +9 -50
  30. {zizmor-0.8.0 → zizmor-0.9.1}/src/config.rs +2 -2
  31. {zizmor-0.8.0 → zizmor-0.9.1}/src/finding/locate.rs +1 -1
  32. {zizmor-0.8.0 → zizmor-0.9.1}/src/github_api.rs +14 -3
  33. {zizmor-0.8.0 → zizmor-0.9.1}/src/main.rs +67 -60
  34. {zizmor-0.8.0 → zizmor-0.9.1}/src/models.rs +175 -6
  35. {zizmor-0.8.0 → zizmor-0.9.1}/src/registry.rs +3 -0
  36. {zizmor-0.8.0 → zizmor-0.9.1}/tests/acceptance.rs +2 -2
  37. {zizmor-0.8.0 → zizmor-0.9.1}/tests/snapshot.rs +78 -0
  38. zizmor-0.8.0/tests/snapshots/snapshot__artipacked.snap → zizmor-0.9.1/tests/snapshots/snapshot__artipacked-3.snap +1 -1
  39. zizmor-0.9.1/tests/snapshots/snapshot__artipacked.snap +14 -0
  40. zizmor-0.9.1/tests/snapshots/snapshot__insecure_commands-2.snap +15 -0
  41. zizmor-0.9.1/tests/snapshots/snapshot__insecure_commands.snap +23 -0
  42. zizmor-0.9.1/tests/snapshots/snapshot__self_hosted-3.snap +14 -0
  43. zizmor-0.9.1/tests/snapshots/snapshot__self_hosted-4.snap +15 -0
  44. zizmor-0.9.1/tests/snapshots/snapshot__self_hosted-5.snap +19 -0
  45. zizmor-0.9.1/tests/snapshots/snapshot__self_hosted-6.snap +21 -0
  46. zizmor-0.9.1/tests/snapshots/snapshot__self_hosted-7.snap +6 -0
  47. zizmor-0.9.1/tests/snapshots/snapshot__self_hosted-8.snap +6 -0
  48. zizmor-0.9.1/tests/snapshots/snapshot__template_injection-2.snap +17 -0
  49. zizmor-0.9.1/tests/snapshots/snapshot__template_injection.snap +6 -0
  50. zizmor-0.9.1/tests/test-data/insecure-commands.yml +22 -0
  51. zizmor-0.9.1/tests/test-data/self-hosted/issue-283-repro.yml +13 -0
  52. zizmor-0.9.1/tests/test-data/self-hosted/self-hosted-matrix-dimension.yml +12 -0
  53. zizmor-0.9.1/tests/test-data/self-hosted/self-hosted-matrix-exclusion.yml +16 -0
  54. zizmor-0.9.1/tests/test-data/self-hosted/self-hosted-matrix-inclusion.yml +14 -0
  55. zizmor-0.9.1/tests/test-data/self-hosted/self-hosted-runner-group.yml +10 -0
  56. zizmor-0.9.1/tests/test-data/self-hosted/self-hosted-runner-label.yml +9 -0
  57. zizmor-0.9.1/tests/test-data/template-injection/template-injection-dynamic-matrix.yml +19 -0
  58. zizmor-0.9.1/tests/test-data/template-injection/template-injection-static-matrix.yml +18 -0
  59. zizmor-0.8.0/.pre-commit-hooks.yaml +0 -6
  60. zizmor-0.8.0/Makefile +0 -22
  61. zizmor-0.8.0/tests/test-data/insecure-commands.yml +0 -11
  62. {zizmor-0.8.0 → zizmor-0.9.1}/.github/FUNDING.yml +0 -0
  63. {zizmor-0.8.0 → zizmor-0.9.1}/.github/ISSUE_TEMPLATE/bug-report.yml +0 -0
  64. {zizmor-0.8.0 → zizmor-0.9.1}/.github/ISSUE_TEMPLATE/config.yml +0 -0
  65. {zizmor-0.8.0 → zizmor-0.9.1}/.github/ISSUE_TEMPLATE/feature-request.yml +0 -0
  66. {zizmor-0.8.0 → zizmor-0.9.1}/.github/dependabot.yml +0 -0
  67. {zizmor-0.8.0 → zizmor-0.9.1}/.github/release.yml +0 -0
  68. {zizmor-0.8.0 → zizmor-0.9.1}/.github/workflows/release.yml +0 -0
  69. {zizmor-0.8.0 → zizmor-0.9.1}/.github/workflows/site.yml +0 -0
  70. {zizmor-0.8.0 → zizmor-0.9.1}/.gitignore +0 -0
  71. {zizmor-0.8.0 → zizmor-0.9.1}/CONTRIBUTING.md +0 -0
  72. {zizmor-0.8.0 → zizmor-0.9.1}/LICENSE +0 -0
  73. {zizmor-0.8.0 → zizmor-0.9.1}/README.md +0 -0
  74. {zizmor-0.8.0 → zizmor-0.9.1}/docs/assets/favicon48x48.png +0 -0
  75. {zizmor-0.8.0 → zizmor-0.9.1}/docs/assets/rainbow.svg +0 -0
  76. {zizmor-0.8.0 → zizmor-0.9.1}/docs/assets/zizmor-demo.gif +0 -0
  77. {zizmor-0.8.0 → zizmor-0.9.1}/docs/configuration.md +0 -0
  78. {zizmor-0.8.0 → zizmor-0.9.1}/docs/index.md +0 -0
  79. {zizmor-0.8.0 → zizmor-0.9.1}/docs/magiclink.css +0 -0
  80. {zizmor-0.8.0 → zizmor-0.9.1}/docs/quickstart.md +0 -0
  81. {zizmor-0.8.0 → zizmor-0.9.1}/pyproject.toml +0 -0
  82. {zizmor-0.8.0 → zizmor-0.9.1}/site-requirements.txt +0 -0
  83. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/unpinned_uses.rs +0 -0
  84. {zizmor-0.8.0 → zizmor-0.9.1}/src/audit/use_trusted_publishing.rs +0 -0
  85. {zizmor-0.8.0 → zizmor-0.9.1}/src/expr/expr.pest +0 -0
  86. {zizmor-0.8.0 → zizmor-0.9.1}/src/expr/mod.rs +0 -0
  87. {zizmor-0.8.0 → zizmor-0.9.1}/src/finding/mod.rs +0 -0
  88. {zizmor-0.8.0 → zizmor-0.9.1}/src/render.rs +0 -0
  89. {zizmor-0.8.0 → zizmor-0.9.1}/src/sarif.rs +0 -0
  90. {zizmor-0.8.0 → zizmor-0.9.1}/src/state.rs +0 -0
  91. {zizmor-0.8.0 → zizmor-0.9.1}/src/utils.rs +0 -0
  92. {zizmor-0.8.0 → zizmor-0.9.1}/tests/common.rs +0 -0
  93. {zizmor-0.8.0 → zizmor-0.9.1}/tests/snapshots/snapshot__artipacked-2.snap +0 -0
  94. {zizmor-0.8.0 → zizmor-0.9.1}/tests/snapshots/snapshot__cant_retrieve.snap +0 -0
  95. {zizmor-0.8.0 → zizmor-0.9.1}/tests/snapshots/snapshot__conflicting_online_options-2.snap +0 -0
  96. {zizmor-0.8.0 → zizmor-0.9.1}/tests/snapshots/snapshot__conflicting_online_options-3.snap +0 -0
  97. {zizmor-0.8.0 → zizmor-0.9.1}/tests/snapshots/snapshot__conflicting_online_options.snap +0 -0
  98. {zizmor-0.8.0 → zizmor-0.9.1}/tests/snapshots/snapshot__self_hosted-2.snap +0 -0
  99. {zizmor-0.8.0 → zizmor-0.9.1}/tests/snapshots/snapshot__self_hosted.snap +0 -0
  100. {zizmor-0.8.0 → zizmor-0.9.1}/tests/snapshots/snapshot__unpinned_uses-2.snap +0 -0
  101. {zizmor-0.8.0 → zizmor-0.9.1}/tests/snapshots/snapshot__unpinned_uses.snap +0 -0
  102. {zizmor-0.8.0 → zizmor-0.9.1}/tests/test-data/artipacked.yml +0 -0
  103. {zizmor-0.8.0 → zizmor-0.9.1}/tests/test-data/excessive-permissions.yml +0 -0
  104. {zizmor-0.8.0 → zizmor-0.9.1}/tests/test-data/github_env.yml +0 -0
  105. {zizmor-0.8.0 → zizmor-0.9.1}/tests/test-data/hardcoded-credentials.yml +0 -0
  106. {zizmor-0.8.0 → zizmor-0.9.1}/tests/test-data/inlined-ignores.yml +0 -0
  107. {zizmor-0.8.0 → zizmor-0.9.1}/tests/test-data/self-hosted.yml +0 -0
  108. {zizmor-0.8.0 → zizmor-0.9.1}/tests/test-data/template-injection.yml +0 -0
  109. {zizmor-0.8.0 → zizmor-0.9.1}/tests/test-data/unpinned-uses.yml +0 -0
  110. {zizmor-0.8.0 → zizmor-0.9.1}/tests/test-data/use-trusted-publishing.yml +0 -0
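--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,3 +34,14 @@ jobs:
  run: |
  make snippets
  git diff --exit-code
+
+ all-tests-pass:
+ if: always()
+ needs: [lint, test]
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: check test jobs
+ uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+ with:
+ jobs: ${{ toJSON(needs) }}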
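Review bot: The new `all-tests-pass` job has no comment explaining `if: always()`, yet that condition is what makes the gate meaningful. Without it the job is skipped when `lint` or `test` fails, and a skipped job is generally reported as passing to a required status check. I would add `# always(): run even when lint/test fail so this gate reports failure instead of being skipped` above the `if:` line. The `needs: [lint, test]` list is maintained by hand, so jobs added to this workflow later are not gated until they are listed there. The rest of the `jobs:` map is outside the hunk, so it cannot be seen whether other existing jobs belong in that list.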
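--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -163,7 +163,7 @@ jobs:
  steps:
  - uses: actions/download-artifact@v4
  - name: Generate artifact attestation
- uses: actions/attest-build-provenance@v1
+ uses: actions/attest-build-provenance@v2
  with:
  subject-path: 'wheels-*/*'
  - name: Publish to PyPI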
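--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -18,16 +18,14 @@ jobs:
  uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
  with:
  persist-credentials: false
- - name: Setup Rust
- uses: actions-rust-lang/setup-rust-toolchain@11df97af8e8102fd60b60a77dfbf58d40cd843b8 # v1
- - name: Get zizmor
- run: cargo install zizmor
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v4
  - name: Run zizmor 🌈
- run: zizmor --format sarif . > results.sarif
+ run: uvx zizmor --format sarif . > results.sarif
  env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+ uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
  with:
  sarif_file: results.sarif
  category: zizmor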
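Review bot: `astral-sh/setup-uv@v4` is referenced by a mutable tag while every other action in this hunk is pinned to a full commit SHA with a version comment, so the step that installs the tool runner is the one step whose code can change without a diff. Pin it the same way, `uses: astral-sh/setup-uv@<FULL_COMMIT_SHA> # v4` (placeholder; take the SHA from the release you have vetted). The following step, `uvx zizmor`, likewise resolves whichever release is current on the index at run time and runs it with `GH_TOKEN` in its environment; if tracking the latest release is not the intent, `uvx zizmor@<VERSION>` keeps the audit reproducible. The same tag-only reference appears in the pypi.yml hunk (`actions/attest-build-provenance@v2`), where it sits in the publishing job. The job's `permissions:` block is outside the hunk, so the scope of that token cannot be judged from here.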
@@ -38,12 +38,12 @@ dependencies = [
38
38
 
39
39
  [[package]]
40
40
  name = "annotate-snippets"
41
- version = "0.11.4"
41
+ version = "0.11.5"
42
42
  source = "registry+https://github.com/rust-lang/crates.io-index"
43
- checksum = "24e35ed54e5ea7997c14ed4c70ba043478db1112e98263b3b035907aa197d991"
43
+ checksum = "710e8eae58854cdc1790fcb56cca04d712a17be849eeb81da2a724bf4bae2bc4"
44
44
  dependencies = [
45
45
  "anstyle",
46
- "unicode-width 0.1.14",
46
+ "unicode-width 0.2.0",
47
47
  ]
48
48
 
49
49
  [[package]]
@@ -97,9 +97,15 @@ dependencies = [
97
97
 
98
98
  [[package]]
99
99
  name = "anyhow"
100
- version = "1.0.93"
100
+ version = "1.0.94"
101
+ source = "registry+https://github.com/rust-lang/crates.io-index"
102
+ checksum = "c1fd03a028ef38ba2276dce7e33fcd6369c158a1bca17946c4b1b701891c1ff7"
103
+
104
+ [[package]]
105
+ name = "arrayvec"
106
+ version = "0.7.6"
101
107
  source = "registry+https://github.com/rust-lang/crates.io-index"
102
- checksum = "4c95c10ba0b00a02636238b814946408b1322d5ac4760326e6fb8ec956d85775"
108
+ checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
103
109
 
104
110
  [[package]]
105
111
  name = "assert_cmd"
@@ -166,7 +172,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
166
172
  checksum = "1a68f1f47cdf0ec8ee4b941b2eee2a80cb796db73118c0dd09ac63fbe405be22"
167
173
  dependencies = [
168
174
  "memchr",
169
- "regex-automata",
175
+ "regex-automata 0.4.9",
170
176
  "serde",
171
177
  ]
172
178
 
@@ -214,9 +220,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
214
220
 
215
221
  [[package]]
216
222
  name = "clap"
217
- version = "4.5.21"
223
+ version = "4.5.23"
218
224
  source = "registry+https://github.com/rust-lang/crates.io-index"
219
- checksum = "fb3b4b9e5a7c7514dfa52869339ee98b3156b0bfb4e8a77c4ff4babb64b1604f"
225
+ checksum = "3135e7ec2ef7b10c6ed8950f0f792ed96ee093fa088608f1c76e569722700c84"
220
226
  dependencies = [
221
227
  "clap_builder",
222
228
  "clap_derive",
@@ -229,14 +235,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
229
235
  checksum = "54381ae56ad222eea3f529c692879e9c65e07945ae48d3dc4d1cb18dbec8cf44"
230
236
  dependencies = [
231
237
  "clap",
232
- "log",
238
+ "tracing-core",
233
239
  ]
234
240
 
235
241
  [[package]]
236
242
  name = "clap_builder"
237
- version = "4.5.21"
243
+ version = "4.5.23"
238
244
  source = "registry+https://github.com/rust-lang/crates.io-index"
239
- checksum = "b17a95aa67cc7b5ebd32aa5370189aa0d79069ef1c64ce893bd30fb24bff20ec"
245
+ checksum = "30582fc632330df2bd26877bde0c1f4470d57c582bbc070376afcd04d8cb4838"
240
246
  dependencies = [
241
247
  "anstream",
242
248
  "anstyle",
@@ -258,9 +264,9 @@ dependencies = [
258
264
 
259
265
  [[package]]
260
266
  name = "clap_lex"
261
- version = "0.7.3"
267
+ version = "0.7.4"
262
268
  source = "registry+https://github.com/rust-lang/crates.io-index"
263
- checksum = "afb84c814227b90d6895e01398aee0d8033c00e7466aca416fb6a8e0eb19d8a7"
269
+ checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6"
264
270
 
265
271
  [[package]]
266
272
  name = "colorchoice"
@@ -375,29 +381,6 @@ version = "0.3.6"
375
381
  source = "registry+https://github.com/rust-lang/crates.io-index"
376
382
  checksum = "a357d28ed41a50f9c765dbfe56cbc04a64e53e5fc58ba79fbc34c10ef3df831f"
377
383
 
378
- [[package]]
379
- name = "env_filter"
380
- version = "0.1.2"
381
- source = "registry+https://github.com/rust-lang/crates.io-index"
382
- checksum = "4f2c92ceda6ceec50f43169f9ee8424fe2db276791afde7b2cd8bc084cb376ab"
383
- dependencies = [
384
- "log",
385
- "regex",
386
- ]
387
-
388
- [[package]]
389
- name = "env_logger"
390
- version = "0.11.5"
391
- source = "registry+https://github.com/rust-lang/crates.io-index"
392
- checksum = "e13fa619b91fb2381732789fc5de83b45675e882f66623b7d8cb4f643017018d"
393
- dependencies = [
394
- "anstream",
395
- "anstyle",
396
- "env_filter",
397
- "humantime",
398
- "log",
399
- ]
400
-
401
384
  [[package]]
402
385
  name = "equivalent"
403
386
  version = "1.0.1"
@@ -498,9 +481,9 @@ checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
498
481
 
499
482
  [[package]]
500
483
  name = "github-actions-models"
501
- version = "0.12.0"
484
+ version = "0.14.0"
502
485
  source = "registry+https://github.com/rust-lang/crates.io-index"
503
- checksum = "0102922a92566de8ff25ff79144d6b30516efe941bc34ff849f01b4979add8e2"
486
+ checksum = "ef734b63e241501835d10e69e9479f35995dc7bece8fd64934f227841ddd3a16"
504
487
  dependencies = [
505
488
  "indexmap",
506
489
  "serde",
@@ -581,12 +564,6 @@ dependencies = [
581
564
  "uuid",
582
565
  ]
583
566
 
584
- [[package]]
585
- name = "humantime"
586
- version = "2.1.0"
587
- source = "registry+https://github.com/rust-lang/crates.io-index"
588
- checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
589
-
590
567
  [[package]]
591
568
  name = "hyper"
592
569
  version = "1.5.1"
@@ -803,6 +780,7 @@ dependencies = [
803
780
  "number_prefix",
804
781
  "portable-atomic",
805
782
  "unicode-width 0.2.0",
783
+ "vt100",
806
784
  "web-time",
807
785
  ]
808
786
 
@@ -900,6 +878,15 @@ version = "0.4.22"
900
878
  source = "registry+https://github.com/rust-lang/crates.io-index"
901
879
  checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
902
880
 
881
+ [[package]]
882
+ name = "matchers"
883
+ version = "0.1.0"
884
+ source = "registry+https://github.com/rust-lang/crates.io-index"
885
+ checksum = "8263075bb86c5a1b1427b5ae862e8889656f126e9f77c484496e8b47cf5c5558"
886
+ dependencies = [
887
+ "regex-automata 0.1.10",
888
+ ]
889
+
903
890
  [[package]]
904
891
  name = "memchr"
905
892
  version = "2.7.4"
@@ -954,7 +941,7 @@ dependencies = [
954
941
  "rustc_version",
955
942
  "smallvec",
956
943
  "tagptr",
957
- "thiserror",
944
+ "thiserror 1.0.69",
958
945
  "triomphe",
959
946
  "uuid",
960
947
  ]
@@ -969,6 +956,16 @@ dependencies = [
969
956
  "minimal-lexical",
970
957
  ]
971
958
 
959
+ [[package]]
960
+ name = "nu-ansi-term"
961
+ version = "0.46.0"
962
+ source = "registry+https://github.com/rust-lang/crates.io-index"
963
+ checksum = "77a8165726e8236064dbb45459242600304b42a5ea24ee2948e18e023bf7ba84"
964
+ dependencies = [
965
+ "overload",
966
+ "winapi",
967
+ ]
968
+
972
969
  [[package]]
973
970
  name = "number_prefix"
974
971
  version = "0.4.0"
@@ -1001,6 +998,12 @@ dependencies = [
1001
998
  "windows-sys 0.52.0",
1002
999
  ]
1003
1000
 
1001
+ [[package]]
1002
+ name = "overload"
1003
+ version = "0.1.1"
1004
+ source = "registry+https://github.com/rust-lang/crates.io-index"
1005
+ checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39"
1006
+
1004
1007
  [[package]]
1005
1008
  name = "owo-colors"
1006
1009
  version = "4.1.0"
@@ -1038,20 +1041,20 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
1038
1041
 
1039
1042
  [[package]]
1040
1043
  name = "pest"
1041
- version = "2.7.14"
1044
+ version = "2.7.15"
1042
1045
  source = "registry+https://github.com/rust-lang/crates.io-index"
1043
- checksum = "879952a81a83930934cbf1786752d6dedc3b1f29e8f8fb2ad1d0a36f377cf442"
1046
+ checksum = "8b7cafe60d6cf8e62e1b9b2ea516a089c008945bb5a275416789e7db0bc199dc"
1044
1047
  dependencies = [
1045
1048
  "memchr",
1046
- "thiserror",
1049
+ "thiserror 2.0.6",
1047
1050
  "ucd-trie",
1048
1051
  ]
1049
1052
 
1050
1053
  [[package]]
1051
1054
  name = "pest_derive"
1052
- version = "2.7.14"
1055
+ version = "2.7.15"
1053
1056
  source = "registry+https://github.com/rust-lang/crates.io-index"
1054
- checksum = "d214365f632b123a47fd913301e14c946c61d1c183ee245fa76eb752e59a02dd"
1057
+ checksum = "816518421cfc6887a0d62bf441b6ffb4536fcc926395a69e1a85852d4363f57e"
1055
1058
  dependencies = [
1056
1059
  "pest",
1057
1060
  "pest_generator",
@@ -1059,9 +1062,9 @@ dependencies = [
1059
1062
 
1060
1063
  [[package]]
1061
1064
  name = "pest_generator"
1062
- version = "2.7.14"
1065
+ version = "2.7.15"
1063
1066
  source = "registry+https://github.com/rust-lang/crates.io-index"
1064
- checksum = "eb55586734301717aea2ac313f50b2eb8f60d2fc3dc01d190eefa2e625f60c4e"
1067
+ checksum = "7d1396fd3a870fc7838768d171b4616d5c91f6cc25e377b673d714567d99377b"
1065
1068
  dependencies = [
1066
1069
  "pest",
1067
1070
  "pest_meta",
@@ -1072,9 +1075,9 @@ dependencies = [
1072
1075
 
1073
1076
  [[package]]
1074
1077
  name = "pest_meta"
1075
- version = "2.7.14"
1078
+ version = "2.7.15"
1076
1079
  source = "registry+https://github.com/rust-lang/crates.io-index"
1077
- checksum = "b75da2a70cf4d9cb76833c990ac9cd3923c9a8905a8929789ce347c84564d03d"
1080
+ checksum = "e1e58089ea25d717bfd31fb534e4f3afcc2cc569c70de3e239778991ea3b7dea"
1078
1081
  dependencies = [
1079
1082
  "once_cell",
1080
1083
  "pest",
@@ -1192,7 +1195,7 @@ dependencies = [
1192
1195
  "rustc-hash",
1193
1196
  "rustls",
1194
1197
  "socket2",
1195
- "thiserror",
1198
+ "thiserror 1.0.69",
1196
1199
  "tokio",
1197
1200
  "tracing",
1198
1201
  ]
@@ -1209,7 +1212,7 @@ dependencies = [
1209
1212
  "rustc-hash",
1210
1213
  "rustls",
1211
1214
  "slab",
1212
- "thiserror",
1215
+ "thiserror 1.0.69",
1213
1216
  "tinyvec",
1214
1217
  "tracing",
1215
1218
  ]
@@ -1292,8 +1295,17 @@ checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
1292
1295
  dependencies = [
1293
1296
  "aho-corasick",
1294
1297
  "memchr",
1295
- "regex-automata",
1296
- "regex-syntax",
1298
+ "regex-automata 0.4.9",
1299
+ "regex-syntax 0.8.5",
1300
+ ]
1301
+
1302
+ [[package]]
1303
+ name = "regex-automata"
1304
+ version = "0.1.10"
1305
+ source = "registry+https://github.com/rust-lang/crates.io-index"
1306
+ checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
1307
+ dependencies = [
1308
+ "regex-syntax 0.6.29",
1297
1309
  ]
1298
1310
 
1299
1311
  [[package]]
@@ -1304,9 +1316,15 @@ checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908"
1304
1316
  dependencies = [
1305
1317
  "aho-corasick",
1306
1318
  "memchr",
1307
- "regex-syntax",
1319
+ "regex-syntax 0.8.5",
1308
1320
  ]
1309
1321
 
1322
+ [[package]]
1323
+ name = "regex-syntax"
1324
+ version = "0.6.29"
1325
+ source = "registry+https://github.com/rust-lang/crates.io-index"
1326
+ checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1"
1327
+
1310
1328
  [[package]]
1311
1329
  name = "regex-syntax"
1312
1330
  version = "0.8.5"
@@ -1508,7 +1526,7 @@ dependencies = [
1508
1526
  "strum",
1509
1527
  "strum_macros",
1510
1528
  "syn 2.0.89",
1511
- "thiserror",
1529
+ "thiserror 1.0.69",
1512
1530
  "typed-builder",
1513
1531
  ]
1514
1532
 
@@ -1548,7 +1566,7 @@ dependencies = [
1548
1566
  "serde_json",
1549
1567
  "serde_json_path_core",
1550
1568
  "serde_json_path_macros",
1551
- "thiserror",
1569
+ "thiserror 1.0.69",
1552
1570
  ]
1553
1571
 
1554
1572
  [[package]]
@@ -1560,7 +1578,7 @@ dependencies = [
1560
1578
  "inventory",
1561
1579
  "serde",
1562
1580
  "serde_json",
1563
- "thiserror",
1581
+ "thiserror 1.0.69",
1564
1582
  ]
1565
1583
 
1566
1584
  [[package]]
@@ -1630,6 +1648,15 @@ dependencies = [
1630
1648
  "digest",
1631
1649
  ]
1632
1650
 
1651
+ [[package]]
1652
+ name = "sharded-slab"
1653
+ version = "0.1.7"
1654
+ source = "registry+https://github.com/rust-lang/crates.io-index"
1655
+ checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6"
1656
+ dependencies = [
1657
+ "lazy_static",
1658
+ ]
1659
+
1633
1660
  [[package]]
1634
1661
  name = "shlex"
1635
1662
  version = "1.3.0"
@@ -1776,7 +1803,16 @@ version = "1.0.69"
1776
1803
  source = "registry+https://github.com/rust-lang/crates.io-index"
1777
1804
  checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
1778
1805
  dependencies = [
1779
- "thiserror-impl",
1806
+ "thiserror-impl 1.0.69",
1807
+ ]
1808
+
1809
+ [[package]]
1810
+ name = "thiserror"
1811
+ version = "2.0.6"
1812
+ source = "registry+https://github.com/rust-lang/crates.io-index"
1813
+ checksum = "8fec2a1820ebd077e2b90c4df007bebf344cd394098a13c563957d0afc83ea47"
1814
+ dependencies = [
1815
+ "thiserror-impl 2.0.6",
1780
1816
  ]
1781
1817
 
1782
1818
  [[package]]
@@ -1790,6 +1826,27 @@ dependencies = [
1790
1826
  "syn 2.0.89",
1791
1827
  ]
1792
1828
 
1829
+ [[package]]
1830
+ name = "thiserror-impl"
1831
+ version = "2.0.6"
1832
+ source = "registry+https://github.com/rust-lang/crates.io-index"
1833
+ checksum = "d65750cab40f4ff1929fb1ba509e9914eb756131cef4210da8d5d700d26f6312"
1834
+ dependencies = [
1835
+ "proc-macro2",
1836
+ "quote",
1837
+ "syn 2.0.89",
1838
+ ]
1839
+
1840
+ [[package]]
1841
+ name = "thread_local"
1842
+ version = "1.1.8"
1843
+ source = "registry+https://github.com/rust-lang/crates.io-index"
1844
+ checksum = "8b9ef9bad013ada3808854ceac7b46812a6465ba368859a37e2100283d2d719c"
1845
+ dependencies = [
1846
+ "cfg-if",
1847
+ "once_cell",
1848
+ ]
1849
+
1793
1850
  [[package]]
1794
1851
  name = "tinystr"
1795
1852
  version = "0.7.6"
@@ -1882,14 +1939,26 @@ checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
1882
1939
 
1883
1940
  [[package]]
1884
1941
  name = "tracing"
1885
- version = "0.1.40"
1942
+ version = "0.1.41"
1886
1943
  source = "registry+https://github.com/rust-lang/crates.io-index"
1887
- checksum = "c3523ab5a71916ccf420eebdf5521fcef02141234bbc0b8a49f2fdc4544364ef"
1944
+ checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0"
1888
1945
  dependencies = [
1889
1946
  "pin-project-lite",
1947
+ "tracing-attributes",
1890
1948
  "tracing-core",
1891
1949
  ]
1892
1950
 
1951
+ [[package]]
1952
+ name = "tracing-attributes"
1953
+ version = "0.1.28"
1954
+ source = "registry+https://github.com/rust-lang/crates.io-index"
1955
+ checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d"
1956
+ dependencies = [
1957
+ "proc-macro2",
1958
+ "quote",
1959
+ "syn 2.0.89",
1960
+ ]
1961
+
1893
1962
  [[package]]
1894
1963
  name = "tracing-core"
1895
1964
  version = "0.1.33"
@@ -1897,6 +1966,48 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
1897
1966
  checksum = "e672c95779cf947c5311f83787af4fa8fffd12fb27e4993211a84bdfd9610f9c"
1898
1967
  dependencies = [
1899
1968
  "once_cell",
1969
+ "valuable",
1970
+ ]
1971
+
1972
+ [[package]]
1973
+ name = "tracing-indicatif"
1974
+ version = "0.3.8"
1975
+ source = "registry+https://github.com/rust-lang/crates.io-index"
1976
+ checksum = "74ba258e9de86447f75edf6455fded8e5242704c6fccffe7bf8d7fb6daef1180"
1977
+ dependencies = [
1978
+ "indicatif",
1979
+ "tracing",
1980
+ "tracing-core",
1981
+ "tracing-subscriber",
1982
+ ]
1983
+
1984
+ [[package]]
1985
+ name = "tracing-log"
1986
+ version = "0.2.0"
1987
+ source = "registry+https://github.com/rust-lang/crates.io-index"
1988
+ checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3"
1989
+ dependencies = [
1990
+ "log",
1991
+ "once_cell",
1992
+ "tracing-core",
1993
+ ]
1994
+
1995
+ [[package]]
1996
+ name = "tracing-subscriber"
1997
+ version = "0.3.19"
1998
+ source = "registry+https://github.com/rust-lang/crates.io-index"
1999
+ checksum = "e8189decb5ac0fa7bc8b96b7cb9b2701d60d48805aca84a238004d665fcc4008"
2000
+ dependencies = [
2001
+ "matchers",
2002
+ "nu-ansi-term",
2003
+ "once_cell",
2004
+ "regex",
2005
+ "sharded-slab",
2006
+ "smallvec",
2007
+ "thread_local",
2008
+ "tracing",
2009
+ "tracing-core",
2010
+ "tracing-log",
1900
2011
  ]
1901
2012
 
1902
2013
  [[package]]
@@ -1907,7 +2018,7 @@ checksum = "0203df02a3b6dd63575cc1d6e609edc2181c9a11867a271b25cfd2abff3ec5ca"
1907
2018
  dependencies = [
1908
2019
  "cc",
1909
2020
  "regex",
1910
- "regex-syntax",
2021
+ "regex-syntax 0.8.5",
1911
2022
  "tree-sitter-language",
1912
2023
  ]
1913
2024
 
@@ -2059,12 +2170,51 @@ dependencies = [
2059
2170
  "getrandom",
2060
2171
  ]
2061
2172
 
2173
+ [[package]]
2174
+ name = "valuable"
2175
+ version = "0.1.0"
2176
+ source = "registry+https://github.com/rust-lang/crates.io-index"
2177
+ checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d"
2178
+
2062
2179
  [[package]]
2063
2180
  name = "version_check"
2064
2181
  version = "0.9.5"
2065
2182
  source = "registry+https://github.com/rust-lang/crates.io-index"
2066
2183
  checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
2067
2184
 
2185
+ [[package]]
2186
+ name = "vt100"
2187
+ version = "0.15.2"
2188
+ source = "registry+https://github.com/rust-lang/crates.io-index"
2189
+ checksum = "84cd863bf0db7e392ba3bd04994be3473491b31e66340672af5d11943c6274de"
2190
+ dependencies = [
2191
+ "itoa",
2192
+ "log",
2193
+ "unicode-width 0.1.14",
2194
+ "vte",
2195
+ ]
2196
+
2197
+ [[package]]
2198
+ name = "vte"
2199
+ version = "0.11.1"
2200
+ source = "registry+https://github.com/rust-lang/crates.io-index"
2201
+ checksum = "f5022b5fbf9407086c180e9557be968742d839e68346af7792b8592489732197"
2202
+ dependencies = [
2203
+ "arrayvec",
2204
+ "utf8parse",
2205
+ "vte_generate_state_changes",
2206
+ ]
2207
+
2208
+ [[package]]
2209
+ name = "vte_generate_state_changes"
2210
+ version = "0.1.2"
2211
+ source = "registry+https://github.com/rust-lang/crates.io-index"
2212
+ checksum = "2e369bee1b05d510a7b4ed645f5faa90619e05437111783ea5848f28d97d3c2e"
2213
+ dependencies = [
2214
+ "proc-macro2",
2215
+ "quote",
2216
+ ]
2217
+
2068
2218
  [[package]]
2069
2219
  name = "wait-timeout"
2070
2220
  version = "0.2.0"
@@ -2337,7 +2487,7 @@ version = "0.12.0"
2337
2487
  source = "registry+https://github.com/rust-lang/crates.io-index"
2338
2488
  checksum = "177289048180e31992753549e5533b80c87caa285f1ed74085a55ebc5a664062"
2339
2489
  dependencies = [
2340
- "thiserror",
2490
+ "thiserror 1.0.69",
2341
2491
  "tree-sitter",
2342
2492
  "tree-sitter-yaml",
2343
2493
  ]
@@ -2444,7 +2594,7 @@ dependencies = [
2444
2594
 
2445
2595
  [[package]]
2446
2596
  name = "zizmor"
2447
- version = "0.8.0"
2597
+ version = "0.9.1"
2448
2598
  dependencies = [
2449
2599
  "annotate-snippets",
2450
2600
  "anstream",
@@ -2453,14 +2603,12 @@ dependencies = [
2453
2603
  "camino",
2454
2604
  "clap",
2455
2605
  "clap-verbosity-flag",
2456
- "env_logger",
2457
2606
  "github-actions-models",
2458
2607
  "human-panic",
2459
2608
  "indexmap",
2460
2609
  "indicatif",
2461
2610
  "insta",
2462
2611
  "itertools",
2463
- "log",
2464
2612
  "moka",
2465
2613
  "owo-colors",
2466
2614
  "pest",
@@ -2474,6 +2622,9 @@ dependencies = [
2474
2622
  "serde_json_path",
2475
2623
  "serde_yaml",
2476
2624
  "terminal-link",
2625
+ "tracing",
2626
+ "tracing-indicatif",
2627
+ "tracing-subscriber",
2477
2628
  "tree-sitter",
2478
2629
  "tree-sitter-bash",
2479
2630
  "yamlpath",
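--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,7 +1,7 @@
  [package]
  name = "zizmor"
  description = "Static analysis for GitHub Actions"
- version = "0.8.0"
+ version = "0.9.1"
  edition = "2021"
  repository = "https://github.com/woodruffw/zizmor"
  homepage = "https://github.com/woodruffw/zizmor"
@@ -13,23 +13,23 @@ categories = ["command-line-utilities"]
  rust-version = "1.80.1"
 
  [dependencies]
- annotate-snippets = "0.11.4"
+ annotate-snippets = "0.11.5"
  anstream = "0.6.18"
- anyhow = "1.0.93"
+ anyhow = "1.0.94"
  camino = { version = "1.1.9", features = ["serde1"] }
- clap = { version = "4.5.21", features = ["derive", "env"] }
- clap-verbosity-flag = "3.0.0"
- env_logger = "0.11.5"
- github-actions-models = "0.12.0"
+ clap = { version = "4.5.23", features = ["derive", "env"] }
+ clap-verbosity-flag = { version = "3.0.0", features = [
+ "tracing",
+ ], default-features = false }
+ github-actions-models = "0.14.0"
  human-panic = "2.0.1"
  indexmap = "2.7.0"
  indicatif = "0.17.9"
  itertools = "0.13.0"
- log = "0.4.22"
  moka = { version = "0.12.8", features = ["sync"] }
  owo-colors = "4.1.0"
- pest = "2.7.14"
- pest_derive = "2.7.14"
+ pest = "2.7.15"
+ pest_derive = "2.7.15"
  regex = "1.11.1"
  reqwest = { version = "0.12.9", features = [
  "blocking",
@@ -41,6 +41,9 @@ serde-sarif = "0.6.5"
  serde_json = "1.0.133"
  serde_yaml = "0.9.34"
  terminal-link = "0.1.0"
+ tracing = "0.1.41"
+ tracing-indicatif = "0.3.8"
+ tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
  tree-sitter = "0.23.2"
  tree-sitter-bash = "0.23.3"
  yamlpath = "0.12.0"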
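--- /dev/null
+++ b/Makefile
@@ -0,0 +1,21 @@
+ .PHONY: all
+ all:
+ @echo "Run my targets individually!"
+
+ .PHONY: site
+ site: site-requirements.txt
+ uvx --with-requirements $< mkdocs build
+
+ .PHONY: site-live
+ site-live: site-requirements.txt
+ uvx --with-requirements $< mkdocs serve
+
+ .PHONY: snippets
+ snippets: trophies
+ cargo run -- -h > docs/snippets/help.txt
+
+ .PHONY: trophies
+ trophies: docs/snippets/trophies.md
+
+ docs/snippets/trophies.md: docs/snippets/trophies.txt docs/snippets/render-trophies.py
+ uv run --no-project docs/snippets/render-trophies.py > $@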
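Review bot: The `docs/snippets/trophies.md` rule writes with `> $@`, so when `render-trophies.py` exits non-zero the shell has already created or truncated the target, and the next `make` sees a fresh timestamp and treats the partial file as up to date. Adding `.DELETE_ON_ERROR:` near the top of the Makefile makes GNU make remove the target when its recipe fails. The `snippets` recipe has the same redirect into `docs/snippets/help.txt`. That target is phony, so it always reruns and `.DELETE_ON_ERROR` does not cover it; a failed `cargo run` still leaves a truncated help.txt in the working tree.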
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: zizmor
3
- Version: 0.8.0
3
+ Version: 0.9.1
4
4
  Summary: Static analysis for GitHub Actions
5
5
  Keywords: cli,github-actions,static-analysis,security
6
6
  Home-Page: https://github.com/woodruffw/zizmor