zizmor 1.13.0__tar.gz → 1.14.0__tar.gz


Potentially problematic release.



Files changed (468)
  1. {zizmor-1.13.0 → zizmor-1.14.0}/Cargo.lock +44 -32
  2. {zizmor-1.13.0 → zizmor-1.14.0}/Cargo.toml +11 -11
  3. {zizmor-1.13.0 → zizmor-1.14.0}/PKG-INFO +8 -1
  4. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-expressions/src/lib.rs +4 -1
  5. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/Cargo.toml +1 -1
  6. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/README.md +7 -0
  7. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/cache_poisoning.rs +10 -6
  8. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/excessive_permissions.rs +1 -1
  9. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/known_vulnerable_actions.rs +9 -8
  10. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/mod.rs +1 -8
  11. zizmor-1.14.0/crates/zizmor/src/audit/ref_version_mismatch.rs +162 -0
  12. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/self_hosted_runner.rs +4 -4
  13. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/template_injection.rs +4 -4
  14. zizmor-1.14.0/crates/zizmor/src/audit/unsound_condition.rs +528 -0
  15. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/use_trusted_publishing.rs +54 -12
  16. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/config.rs +119 -62
  17. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/finding/location.rs +17 -8
  18. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/finding.rs +4 -34
  19. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/github_api.rs +148 -100
  20. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/lsp.rs +11 -5
  21. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/main.rs +219 -27
  22. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/models/action.rs +3 -5
  23. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/models/coordinate.rs +4 -1
  24. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/models/uses.rs +25 -0
  25. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/models/workflow.rs +3 -5
  26. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/output/github.rs +0 -1
  27. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/output/plain.rs +1 -3
  28. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/output/sarif.rs +0 -2
  29. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/registry/input.rs +128 -107
  30. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/registry.rs +2 -2
  31. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/utils.rs +7 -5
  32. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/acceptance.rs +1 -1
  33. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/config.rs +42 -0
  34. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/e2e.rs +33 -0
  35. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshot.rs +50 -1
  36. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__config__ignores_config_in_dotgithub.snap +1 -1
  37. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__config__ignores_config_in_dotgithub_from_file_input.snap +1 -1
  38. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__config__ignores_config_in_root.snap +1 -1
  39. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__config__ignores_config_in_root_from_child_dir.snap +1 -1
  40. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__config__ignores_config_in_root_from_file_input.snap +1 -1
  41. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__config__invalid_configs-2.snap +14 -0
  42. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__config__invalid_configs-3.snap +11 -0
  43. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__config__invalid_configs.snap +14 -0
  44. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__gha_hazmat.snap +3 -2
  45. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_config_file.snap +14 -0
  46. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_inputs-10.snap +0 -1
  47. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_inputs-2.snap +0 -1
  48. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_inputs-3.snap +0 -1
  49. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_inputs-4.snap +0 -1
  50. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_inputs-5.snap +0 -1
  51. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_inputs-6.snap +0 -1
  52. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_inputs-7.snap +0 -1
  53. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_inputs-8.snap +0 -1
  54. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_inputs-9.snap +0 -1
  55. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_inputs.snap +0 -1
  56. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__issue_1065.snap +2 -1
  57. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__e2e__issue_1116_strict_collection_remote_input.snap +10 -0
  58. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__issue_569.snap +2 -1
  59. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__issue_726.snap +1 -1
  60. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__menagerie-2.snap +2 -1
  61. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__menagerie.snap +1 -1
  62. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__pr_960_backstop.snap +1 -1
  63. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__e2e__warn_on_min_confidence_unknown.snap +6 -0
  64. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__e2e__warn_on_min_severity_unknown.snap +6 -0
  65. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__anonymous_definition.snap +1 -1
  66. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__artipacked-2.snap +1 -1
  67. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__artipacked-3.snap +1 -1
  68. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__artipacked-4.snap +1 -1
  69. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__artipacked-5.snap +1 -1
  70. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__artipacked.snap +1 -1
  71. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__bot_conditions.snap +1 -1
  72. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-10.snap +1 -1
  73. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-11.snap +1 -1
  74. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-12.snap +1 -1
  75. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-13.snap +1 -1
  76. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-15.snap +1 -1
  77. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-16.snap +1 -1
  78. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-17.snap +39 -0
  79. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-2.snap +1 -1
  80. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-3.snap +1 -1
  81. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-4.snap +1 -1
  82. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-5.snap +1 -1
  83. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-8.snap +1 -1
  84. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-9.snap +1 -1
  85. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__cant_retrieve-2.snap +8 -0
  86. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cant_retrieve.snap +2 -2
  87. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__cant_retrieve_no_gh_token.snap +11 -0
  88. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__cant_retrieve_offline.snap +11 -0
  89. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__excessive_permissions-10.snap +1 -1
  90. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__excessive_permissions-11.snap +1 -1
  91. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__excessive_permissions-12.snap +1 -1
  92. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__excessive_permissions-2.snap +1 -1
  93. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__excessive_permissions-3.snap +1 -1
  94. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__excessive_permissions-4.snap +1 -1
  95. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__excessive_permissions-5.snap +1 -1
  96. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__excessive_permissions-7.snap +1 -1
  97. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__excessive_permissions-8.snap +2 -2
  98. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__forbidden_uses-2.snap +1 -1
  99. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__forbidden_uses-3.snap +1 -1
  100. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__forbidden_uses-4.snap +1 -1
  101. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__forbidden_uses-5.snap +1 -1
  102. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__forbidden_uses-6.snap +1 -1
  103. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__github_env-2.snap +1 -1
  104. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__github_env-3.snap +1 -1
  105. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__github_env.snap +1 -1
  106. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__github_output.snap +1 -2
  107. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__insecure_commands-2.snap +1 -1
  108. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__insecure_commands-3.snap +1 -1
  109. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__insecure_commands-4.snap +1 -1
  110. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__insecure_commands.snap +1 -1
  111. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__obfuscation-2.snap +1 -1
  112. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__obfuscation-3.snap +5 -0
  113. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__obfuscation.snap +1 -1
  114. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__overprovisioned_secrets.snap +1 -1
  115. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__ref_confusion-2.snap +1 -1
  116. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__ref_confusion.snap +1 -1
  117. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__ref_version_mismatch.snap +15 -0
  118. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__secrets_inherit.snap +1 -1
  119. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__self_hosted-3.snap +2 -2
  120. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__self_hosted-4.snap +2 -2
  121. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__self_hosted-5.snap +2 -2
  122. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__self_hosted-6.snap +2 -2
  123. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__self_hosted.snap +2 -2
  124. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__stale_action_refs.snap +1 -1
  125. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-11.snap +1 -1
  126. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-12.snap +1 -1
  127. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-13.snap +3 -3
  128. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-14.snap +5 -5
  129. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-15.snap +5 -5
  130. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-2.snap +3 -3
  131. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-4.snap +1 -1
  132. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-5.snap +1 -1
  133. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-6.snap +1 -1
  134. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-8.snap +1 -1
  135. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection.snap +3 -3
  136. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__undocumented_permissions-3.snap +1 -1
  137. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__undocumented_permissions-6.snap +1 -1
  138. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__undocumented_permissions-7.snap +1 -1
  139. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__undocumented_permissions.snap +1 -1
  140. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned-uses-composite-config-2.snap +1 -1
  141. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned-uses-composite-config.snap +1 -1
  142. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned-uses-default-config.snap +1 -1
  143. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned-uses-empty-config.snap +1 -1
  144. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned-uses-hash-pin-everything-config.snap +1 -1
  145. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_images.snap +1 -1
  146. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-10.snap +14 -0
  147. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-11.snap +14 -0
  148. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-12.snap +4 -4
  149. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-2.snap +1 -1
  150. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-3.snap +1 -1
  151. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-5.snap +1 -1
  152. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-6.snap +14 -0
  153. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-7.snap +14 -0
  154. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-8.snap +14 -0
  155. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-9.snap +14 -0
  156. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses.snap +1 -1
  157. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unredacted_secrets.snap +1 -1
  158. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unsound_condition.snap +38 -1
  159. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unsound_contains.snap +1 -1
  160. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__use_trusted_publishing-2.snap +1 -1
  161. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__use_trusted_publishing-3.snap +9 -9
  162. zizmor-1.14.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__use_trusted_publishing-4.snap +179 -0
  163. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__use_trusted_publishing.snap +1 -1
  164. zizmor-1.14.0/crates/zizmor/tests/integration/test-data/cache-poisoning/issue-1152-repro.yml +45 -0
  165. zizmor-1.14.0/crates/zizmor/tests/integration/test-data/config-scenarios/zizmor.invalid-schema-1.yml +10 -0
  166. zizmor-1.14.0/crates/zizmor/tests/integration/test-data/config-scenarios/zizmor.invalid-schema-2.yml +8 -0
  167. zizmor-1.14.0/crates/zizmor/tests/integration/test-data/config-scenarios/zizmor.invalid-schema-3.yml +8 -0
  168. zizmor-1.14.0/crates/zizmor/tests/integration/test-data/neutral.yml +13 -0
  169. zizmor-1.14.0/crates/zizmor/tests/integration/test-data/obfuscation/issue-1177-repro.yml +16 -0
  170. zizmor-1.14.0/crates/zizmor/tests/integration/test-data/ref-version-mismatch.yml +28 -0
  171. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unsound-condition.yml +10 -0
  172. zizmor-1.14.0/crates/zizmor/tests/integration/test-data/use-trusted-publishing/npm-publish.yml +136 -0
  173. {zizmor-1.13.0 → zizmor-1.14.0}/pyproject.toml +0 -1
  174. zizmor-1.13.0/crates/zizmor/src/audit/unsound_condition.rs +0 -125
  175. zizmor-1.13.0/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_config_file.snap +0 -12
  176. zizmor-1.13.0/crates/zizmor/tests/integration/snapshots/integration__e2e__issue_1116_strict_collection_remote_input.snap +0 -13
  177. zizmor-1.13.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__anonymous_definition-2.snap +0 -28
  178. zizmor-1.13.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-10.snap +0 -11
  179. zizmor-1.13.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-11.snap +0 -11
  180. zizmor-1.13.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-6.snap +0 -11
  181. zizmor-1.13.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-7.snap +0 -11
  182. zizmor-1.13.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-8.snap +0 -11
  183. zizmor-1.13.0/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-9.snap +0 -11
  184. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-expressions/Cargo.toml +0 -0
  185. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-expressions/README.md +0 -0
  186. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-expressions/src/call.rs +0 -0
  187. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-expressions/src/context.rs +0 -0
  188. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-expressions/src/expr.pest +0 -0
  189. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-expressions/src/identifier.rs +0 -0
  190. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-expressions/src/literal.rs +0 -0
  191. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-expressions/src/op.rs +0 -0
  192. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/Cargo.toml +0 -0
  193. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/LICENSE +0 -0
  194. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/README.md +0 -0
  195. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/src/action.rs +0 -0
  196. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/src/common/expr.rs +0 -0
  197. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/src/common.rs +0 -0
  198. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/src/dependabot/mod.rs +0 -0
  199. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/src/dependabot/v2.rs +0 -0
  200. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/src/lib.rs +0 -0
  201. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/src/workflow/event.rs +0 -0
  202. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/src/workflow/job.rs +0 -0
  203. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/src/workflow/mod.rs +0 -0
  204. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-actions/gh-action-pip-audit.yml +0 -0
  205. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-actions/gh-action-pypi-publish.yml +0 -0
  206. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-actions/gh-action-sigstore-python.yml +0 -0
  207. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-actions/no-input-output-descriptions.yml +0 -0
  208. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-actions/setup-python.yml +0 -0
  209. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-dependabot/v2/pip-audit.yml +0 -0
  210. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-dependabot/v2/sigstore-python.yml +0 -0
  211. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/adafruit-circuitpython-run-tests.yml +0 -0
  212. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/false-condition.yml +0 -0
  213. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/gh-action-sigstore-python-selftest.yml +0 -0
  214. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/git-annex-built-windows.yaml +0 -0
  215. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/guacsec-guac-ci.yml +0 -0
  216. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/homebrew-core-automerge-triggers.yml +0 -0
  217. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/homebrew-core-dispatch-rebottle.yml +0 -0
  218. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/intel-llvm-sycl-linux-run-tests.yml +0 -0
  219. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/issue-35.yml +0 -0
  220. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/jazzband-tablib-docs-lint.yml +0 -0
  221. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/letsencrypt-boulder-boulder-ci.yml +0 -0
  222. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/mhils-workflows-python-deploy.yml +0 -0
  223. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/openbao-openbao-test-go.yml +0 -0
  224. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/pip-api-test.yml +0 -0
  225. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/pip-audit-ci.yml +0 -0
  226. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/pip-audit-scorecards.yml +0 -0
  227. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/pwn-requests.yml +0 -0
  228. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/pyca-cryptography-ci.yml +0 -0
  229. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/pypi-attestations-release.yml +0 -0
  230. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/reusable-workflow-unpinned.yml +0 -0
  231. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/rnpgp-rnp-centos-and-fedora.yml +0 -0
  232. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/runs-on-expr.yml +0 -0
  233. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/runs-on-group-only.yml +0 -0
  234. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/scalar-trigger-type.yml +0 -0
  235. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/vil02-puzzle_generator-check_examples.yml +0 -0
  236. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/zizmor-issue-646.yml +0 -0
  237. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/sample-workflows/zizmor-issue-650.yml +0 -0
  238. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/test_action.rs +0 -0
  239. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/test_dependabot_v2.rs +0 -0
  240. {zizmor-1.13.0 → zizmor-1.14.0}/crates/github-actions-models/tests/test_workflow.rs +0 -0
  241. {zizmor-1.13.0 → zizmor-1.14.0}/crates/subfeature/.gitignore +0 -0
  242. {zizmor-1.13.0 → zizmor-1.14.0}/crates/subfeature/Cargo.toml +0 -0
  243. {zizmor-1.13.0 → zizmor-1.14.0}/crates/subfeature/LICENSE +0 -0
  244. {zizmor-1.13.0 → zizmor-1.14.0}/crates/subfeature/README.md +0 -0
  245. {zizmor-1.13.0 → zizmor-1.14.0}/crates/subfeature/src/lib.rs +0 -0
  246. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpatch/Cargo.toml +0 -0
  247. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpatch/LICENSE +0 -0
  248. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpatch/README.md +0 -0
  249. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpatch/src/lib.rs +0 -0
  250. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpatch/tests/unit_tests.rs +0 -0
  251. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/Cargo.toml +0 -0
  252. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/LICENSE +0 -0
  253. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/README.md +0 -0
  254. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/src/lib.rs +0 -0
  255. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/tests/integration_test.rs +0 -0
  256. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/tests/testcases/basic.yml +0 -0
  257. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/tests/testcases/comments.yml +0 -0
  258. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/tests/testcases/directives.yml +0 -0
  259. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/tests/testcases/exact-features.yml +0 -0
  260. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/tests/testcases/flow.yml +0 -0
  261. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/tests/testcases/interceding-comment.yml +0 -0
  262. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/tests/testcases/key-only-features.yml +0 -0
  263. {zizmor-1.13.0 → zizmor-1.14.0}/crates/yamlpath/tests/testcases/quoted-key.yml +0 -0
  264. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/build.rs +0 -0
  265. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/data/codeql-injection-sinks.json +0 -0
  266. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/data/context-capabilities.csv +0 -0
  267. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/anonymous_definition.rs +0 -0
  268. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/artipacked.rs +0 -0
  269. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/bot_conditions.rs +0 -0
  270. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/dangerous_triggers.rs +0 -0
  271. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/forbidden_uses.rs +0 -0
  272. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/github_env.rs +0 -0
  273. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/hardcoded_container_credentials.rs +0 -0
  274. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/impostor_commit.rs +0 -0
  275. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/insecure_commands.rs +0 -0
  276. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/obfuscation.rs +0 -0
  277. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/overprovisioned_secrets.rs +0 -0
  278. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/ref_confusion.rs +0 -0
  279. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/secrets_inherit.rs +0 -0
  280. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/stale_action_refs.rs +0 -0
  281. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/undocumented_permissions.rs +0 -0
  282. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/unpinned_images.rs +0 -0
  283. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/unpinned_uses.rs +0 -0
  284. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/unredacted_secrets.rs +0 -0
  285. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/audit/unsound_contains.rs +0 -0
  286. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/data/github-action.json +0 -0
  287. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/data/github-workflow.json +0 -0
  288. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/models/inputs.rs +0 -0
  289. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/models.rs +0 -0
  290. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/output/fix.rs +0 -0
  291. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/output/json/mod.rs +0 -0
  292. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/output/json/v1.rs +0 -0
  293. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/output/mod.rs +0 -0
  294. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/src/state.rs +0 -0
  295. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/common.rs +0 -0
  296. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/e2e/json_v1.rs +0 -0
  297. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/e2e/snapshots/integration__e2e__json_v1__json_v1.snap +0 -0
  298. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/main.rs +0 -0
  299. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__config__disablement.snap +0 -0
  300. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__config__discovers_config_in_dotgithub.snap +0 -0
  301. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__config__discovers_config_in_dotgithub_from_file_input.snap +0 -0
  302. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__config__discovers_config_in_root.snap +0 -0
  303. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__config__discovers_config_in_root_from_child_dir.snap +0 -0
  304. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__config__discovers_config_in_root_from_file_input.snap +0 -0
  305. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_input_not_strict-2.snap +0 -0
  306. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__invalid_input_not_strict.snap +0 -0
  307. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__issue_1116_strict_collection_remote_input-2.snap +0 -0
  308. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__e2e__issue_612_repro.snap +0 -0
  309. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-14.snap +0 -0
  310. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-6.snap +0 -0
  311. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning-7.snap +0 -0
  312. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__cache_poisoning.snap +0 -0
  313. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__excessive_permissions-6.snap +0 -0
  314. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__excessive_permissions-9.snap +0 -0
  315. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__excessive_permissions.snap +0 -0
  316. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__forbidden_uses.snap +0 -0
  317. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__self_hosted-2.snap +0 -0
  318. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__self_hosted-7.snap +0 -0
  319. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__self_hosted-8.snap +0 -0
  320. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-10.snap +0 -0
  321. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-3.snap +0 -0
  322. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-7.snap +0 -0
  323. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__template_injection-9.snap +0 -0
  324. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__undocumented_permissions-2.snap +0 -0
  325. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__undocumented_permissions-4.snap +0 -0
  326. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__undocumented_permissions-5.snap +0 -0
  327. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned-uses-ref-pin-everything-config.snap +0 -0
  328. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/snapshots/integration__snapshot__unpinned_uses-4.snap +0 -0
  329. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/anonymous-definition.yml +0 -0
  330. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/artipacked/demo-action/action.yml +0 -0
  331. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/artipacked/issue-447-repro.yml +0 -0
  332. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/artipacked.yml +0 -0
  333. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/bot-conditions.yml +0 -0
  334. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/caching-disabled-by-default.yml +0 -0
  335. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/caching-enabled-by-default.yml +0 -0
  336. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/caching-not-configurable.yml +0 -0
  337. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/caching-opt-in-boolean-toggle.yml +0 -0
  338. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/caching-opt-in-boolish-toggle.yml +0 -0
  339. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/caching-opt-in-expression.yml +0 -0
  340. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/caching-opt-in-multi-value-toggle.yml +0 -0
  341. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/caching-opt-out.yml +0 -0
  342. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/issue-1081-repro.yml +0 -0
  343. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/issue-343-repro.yml +0 -0
  344. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/issue-378-repro.yml +0 -0
  345. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/issue-642-repro.yml +0 -0
  346. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/no-cache-aware-steps.yml +0 -0
  347. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/publisher-step.yml +0 -0
  348. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/workflow-release-branch-trigger.yml +0 -0
  349. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning/workflow-tag-trigger.yml +0 -0
  350. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/cache-poisoning.yml +0 -0
  351. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/config-scenarios/config-in-dotgithub/.github/workflows/hackme.yml +0 -0
  352. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/config-scenarios/config-in-dotgithub/.github/zizmor.yml +0 -0
  353. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/config-scenarios/config-in-root/.github/workflows/hackme.yml +0 -0
  354. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/config-scenarios/config-in-root/zizmor.yml +0 -0
  355. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/config-scenarios/disablement/.github/workflows/hackme.yml +0 -0
  356. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/config-scenarios/disablement/zizmor.yml +0 -0
  357. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/e2e-menagerie/.github/dummy-action-2/action.yml +0 -0
  358. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/e2e-menagerie/.github/workflows/another-dummy.yml +0 -0
  359. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/e2e-menagerie/.github/workflows/dummy.yml +0 -0
  360. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/e2e-menagerie/.github/workflows/ignored.yaml +0 -0
  361. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/e2e-menagerie/.gitignore +0 -0
  362. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/e2e-menagerie/README.md +0 -0
  363. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/e2e-menagerie/dummy-action-1/action.yaml +0 -0
  364. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/excessive-permissions/issue-336-repro.yml +0 -0
  365. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/excessive-permissions/issue-472-repro.yml +0 -0
  366. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/excessive-permissions/jobs-broaden-permissions.yml +0 -0
  367. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/excessive-permissions/reusable-workflow-call.yml +0 -0
  368. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/excessive-permissions/reusable-workflow-other-triggers.yml +0 -0
  369. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/excessive-permissions/workflow-default-perms-all-jobs-explicit.yml +0 -0
  370. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/excessive-permissions/workflow-default-perms.yml +0 -0
  371. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/excessive-permissions/workflow-empty-perms.yml +0 -0
  372. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/excessive-permissions/workflow-read-all.yml +0 -0
  373. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/excessive-permissions/workflow-write-all.yml +0 -0
  374. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/excessive-permissions/workflow-write-explicit.yml +0 -0
  375. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/excessive-permissions.yml +0 -0
  376. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/forbidden-uses/configs/allow-all.yml +0 -0
  377. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/forbidden-uses/configs/allow-some-refs.yml +0 -0
  378. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/forbidden-uses/configs/allow-some.yml +0 -0
  379. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/forbidden-uses/configs/deny-all.yml +0 -0
  380. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/forbidden-uses/configs/deny-some-refs.yml +0 -0
  381. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/forbidden-uses/configs/deny-some.yml +0 -0
  382. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/forbidden-uses/forbidden-uses-menagerie.yml +0 -0
  383. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/github-env/action.yml +0 -0
  384. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/github-env/github-path.yml +0 -0
  385. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/github-env/issue-397-repro.yml +0 -0
  386. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/github_env.yml +0 -0
  387. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/hardcoded-credentials.yml +0 -0
  388. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/inlined-ignores.yml +0 -0
  389. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/insecure-commands/action.yml +0 -0
  390. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/insecure-commands/issue-839-repro.yml +0 -0
  391. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/insecure-commands.yml +0 -0
  392. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/invalid/bad-yaml-1.yml +0 -0
  393. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/invalid/bad-yaml-2.yml +0 -0
  394. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/invalid/blank.yml +0 -0
  395. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/invalid/comment-only.yml +0 -0
  396. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/invalid/empty-action/action.yml +0 -0
  397. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/invalid/empty.yml +0 -0
  398. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/invalid/invalid-action-1/action.yml +0 -0
  399. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/invalid/invalid-action-2/action.yml +0 -0
  400. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/invalid/invalid-workflow-2.yml +0 -0
  401. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/invalid/invalid-workflow.yml +0 -0
  402. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/issue-1065.yml +0 -0
  403. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/issue-612-repro/action.yml +0 -0
  404. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/obfuscation/computed-indices.yml +0 -0
  405. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/obfuscation.yml +0 -0
  406. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/overprovisioned-secrets.yml +0 -0
  407. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/pr-960-backstop/action.yml +0 -0
  408. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/ref-confusion/issue-518-repro.yml +0 -0
  409. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/ref-confusion.yml +0 -0
  410. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/secrets-inherit.yml +0 -0
  411. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/self-hosted/issue-283-repro.yml +0 -0
  412. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/self-hosted/self-hosted-matrix-dimension.yml +0 -0
  413. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/self-hosted/self-hosted-matrix-exclusion.yml +0 -0
  414. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/self-hosted/self-hosted-matrix-inclusion.yml +0 -0
  415. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/self-hosted/self-hosted-runner-group.yml +0 -0
  416. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/self-hosted/self-hosted-runner-label.yml +0 -0
  417. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/self-hosted.yml +0 -0
  418. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/several-vulnerabilities.yml +0 -0
  419. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/stale-action-refs.yml +0 -0
  420. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/addnab-docker-run-action.yml +0 -0
  421. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/codeql-sinks.yml +0 -0
  422. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/dataflow.yml +0 -0
  423. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/false-positive-menagerie.yml +0 -0
  424. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/input-caps.yml +0 -0
  425. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/issue-22-repro.yml +0 -0
  426. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/issue-339-repro.yml +0 -0
  427. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/issue-418-repro.yml +0 -0
  428. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/issue-749-repro.yml +0 -0
  429. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/issue-883-repro/action.yml +0 -0
  430. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/issue-988-repro.yml +0 -0
  431. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/multiline-expression.yml +0 -0
  432. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/patterns.yml +0 -0
  433. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/pr-317-repro.yml +0 -0
  434. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/pr-425-backstop/action.yml +0 -0
  435. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/pwsh-script.yml +0 -0
  436. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/static-env.yml +0 -0
  437. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/template-injection-dynamic-matrix.yml +0 -0
  438. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection/template-injection-static-matrix.yml +0 -0
  439. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/template-injection.yml +0 -0
  440. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/undocumented-permissions/contents-read-only.yml +0 -0
  441. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/undocumented-permissions/contents-read-with-other.yml +0 -0
  442. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/undocumented-permissions/documented.yml +0 -0
  443. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/undocumented-permissions/empty-permissions.yml +0 -0
  444. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/undocumented-permissions/partially-documented.yml +0 -0
  445. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/undocumented-permissions.yml +0 -0
  446. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-images.yml +0 -0
  447. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/action.yml +0 -0
  448. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/configs/composite-2.yml +0 -0
  449. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/configs/composite.yml +0 -0
  450. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/configs/empty.yml +0 -0
  451. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/configs/hash-pin-everything.yml +0 -0
  452. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-1.yml +0 -0
  453. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-2.yml +0 -0
  454. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-3.yml +0 -0
  455. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-4.yml +0 -0
  456. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-5.yml +0 -0
  457. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-6.yml +0 -0
  458. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/configs/invalid-wrong-policy-object.yml +0 -0
  459. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/configs/ref-pin-everything.yml +0 -0
  460. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/issue-433-repro.yml +0 -0
  461. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/issue-659-repro.yml +0 -0
  462. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses/menagerie-of-uses.yml +0 -0
  463. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unpinned-uses.yml +0 -0
  464. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unredacted-secrets.yml +0 -0
  465. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/unsound-contains.yml +0 -0
  466. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/use-trusted-publishing/cargo-publish.yml +0 -0
  467. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/use-trusted-publishing/demo-action/action.yml +0 -0
  468. {zizmor-1.13.0 → zizmor-1.14.0}/crates/zizmor/tests/integration/test-data/use-trusted-publishing.yml +0 -0
@@ -52,9 +52,9 @@ dependencies = [
52
52
 
53
53
  [[package]]
54
54
  name = "annotate-snippets"
55
- version = "0.12.3"
55
+ version = "0.12.4"
56
56
  source = "registry+https://github.com/rust-lang/crates.io-index"
57
- checksum = "4b0f1e2f8ec4bff67c7e1867001ec452595daf315cce10c393b7d4274024f878"
57
+ checksum = "a8ee2f071d418442e50c643c4e7a4051ce3abd9dba11713cc6cdf4f4a3f3cca5"
58
58
  dependencies = [
59
59
  "anstyle",
60
60
  "unicode-width 0.2.0",
@@ -112,9 +112,9 @@ dependencies = [
112
112
 
113
113
  [[package]]
114
114
  name = "anyhow"
115
- version = "1.0.99"
115
+ version = "1.0.100"
116
116
  source = "registry+https://github.com/rust-lang/crates.io-index"
117
- checksum = "b0674a1ddeecb70197781e945de4b3b8ffb61fa939a5597bcf48503737663100"
117
+ checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
118
118
 
119
119
  [[package]]
120
120
  name = "arrayvec"
@@ -302,11 +302,11 @@ dependencies = [
302
302
 
303
303
  [[package]]
304
304
  name = "camino"
305
- version = "1.1.12"
305
+ version = "1.2.0"
306
306
  source = "registry+https://github.com/rust-lang/crates.io-index"
307
- checksum = "dd0b03af37dad7a14518b7691d81acb0f8222604ad3d1b02f6b4bed5188c0cd5"
307
+ checksum = "e1de8bc0aa9e9385ceb3bf0c152e3a9b9544f6c4a912c8ae504e80c1f0368603"
308
308
  dependencies = [
309
- "serde",
309
+ "serde_core",
310
310
  ]
311
311
 
312
312
  [[package]]
@@ -332,9 +332,9 @@ checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
332
332
 
333
333
  [[package]]
334
334
  name = "clap"
335
- version = "4.5.47"
335
+ version = "4.5.48"
336
336
  source = "registry+https://github.com/rust-lang/crates.io-index"
337
- checksum = "7eac00902d9d136acd712710d71823fb8ac8004ca445a89e73a41d45aa712931"
337
+ checksum = "e2134bb3ea021b78629caa971416385309e0131b351b25e01dc16fb54e1b5fae"
338
338
  dependencies = [
339
339
  "clap_builder",
340
340
  "clap_derive",
@@ -352,9 +352,9 @@ dependencies = [
352
352
 
353
353
  [[package]]
354
354
  name = "clap_builder"
355
- version = "4.5.47"
355
+ version = "4.5.48"
356
356
  source = "registry+https://github.com/rust-lang/crates.io-index"
357
- checksum = "2ad9bbf750e73b5884fb8a211a9424a1906c1e156724260fdae972f31d70e1d6"
357
+ checksum = "c2ba64afa3c0a6df7fa517765e31314e983f51dda798ffba27b988194fb65dc9"
358
358
  dependencies = [
359
359
  "anstream",
360
360
  "anstyle",
@@ -364,9 +364,9 @@ dependencies = [
364
364
 
365
365
  [[package]]
366
366
  name = "clap_complete"
367
- version = "4.5.57"
367
+ version = "4.5.58"
368
368
  source = "registry+https://github.com/rust-lang/crates.io-index"
369
- checksum = "4d9501bd3f5f09f7bbee01da9a511073ed30a80cd7a509f1214bb74eadea71ad"
369
+ checksum = "75bf0b32ad2e152de789bb635ea4d3078f6b838ad7974143e99b99f45a04af4a"
370
370
  dependencies = [
371
371
  "clap",
372
372
  ]
@@ -1230,13 +1230,14 @@ dependencies = [
1230
1230
 
1231
1231
  [[package]]
1232
1232
  name = "indexmap"
1233
- version = "2.11.0"
1233
+ version = "2.11.4"
1234
1234
  source = "registry+https://github.com/rust-lang/crates.io-index"
1235
- checksum = "f2481980430f9f78649238835720ddccc57e52df14ffce1c6f37391d61b563e9"
1235
+ checksum = "4b0f83760fb341a774ed326568e19f5a863af4a952def8c39f9ab92fd95b88e5"
1236
1236
  dependencies = [
1237
1237
  "equivalent",
1238
1238
  "hashbrown 0.15.2",
1239
1239
  "serde",
1240
+ "serde_core",
1240
1241
  ]
1241
1242
 
1242
1243
  [[package]]
@@ -1684,9 +1685,9 @@ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
1684
1685
 
1685
1686
  [[package]]
1686
1687
  name = "pest"
1687
- version = "2.8.1"
1688
+ version = "2.8.2"
1688
1689
  source = "registry+https://github.com/rust-lang/crates.io-index"
1689
- checksum = "1db05f56d34358a8b1066f67cbb203ee3e7ed2ba674a6263a1d5ec6db2204323"
1690
+ checksum = "21e0a3a33733faeaf8651dfee72dd0f388f0c8e5ad496a3478fa5a922f49cfa8"
1690
1691
  dependencies = [
1691
1692
  "memchr",
1692
1693
  "thiserror 2.0.16",
@@ -1695,9 +1696,9 @@ dependencies = [
1695
1696
 
1696
1697
  [[package]]
1697
1698
  name = "pest_derive"
1698
- version = "2.8.1"
1699
+ version = "2.8.2"
1699
1700
  source = "registry+https://github.com/rust-lang/crates.io-index"
1700
- checksum = "bb056d9e8ea77922845ec74a1c4e8fb17e7c218cc4fc11a15c5d25e189aa40bc"
1701
+ checksum = "bc58706f770acb1dbd0973e6530a3cff4746fb721207feb3a8a6064cd0b6c663"
1701
1702
  dependencies = [
1702
1703
  "pest",
1703
1704
  "pest_generator",
@@ -1705,9 +1706,9 @@ dependencies = [
1705
1706
 
1706
1707
  [[package]]
1707
1708
  name = "pest_generator"
1708
- version = "2.8.1"
1709
+ version = "2.8.2"
1709
1710
  source = "registry+https://github.com/rust-lang/crates.io-index"
1710
- checksum = "87e404e638f781eb3202dc82db6760c8ae8a1eeef7fb3fa8264b2ef280504966"
1711
+ checksum = "6d4f36811dfe07f7b8573462465d5cb8965fffc2e71ae377a33aecf14c2c9a2f"
1711
1712
  dependencies = [
1712
1713
  "pest",
1713
1714
  "pest_meta",
@@ -1718,9 +1719,9 @@ dependencies = [
1718
1719
 
1719
1720
  [[package]]
1720
1721
  name = "pest_meta"
1721
- version = "2.8.1"
1722
+ version = "2.8.2"
1722
1723
  source = "registry+https://github.com/rust-lang/crates.io-index"
1723
- checksum = "edd1101f170f5903fde0914f899bb503d9ff5271d7ba76bbb70bea63690cc0d5"
1724
+ checksum = "42919b05089acbd0a5dcd5405fb304d17d1053847b81163d09c4ad18ce8e8420"
1724
1725
  dependencies = [
1725
1726
  "pest",
1726
1727
  "sha2",
@@ -2201,10 +2202,11 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
2201
2202
 
2202
2203
  [[package]]
2203
2204
  name = "serde"
2204
- version = "1.0.219"
2205
+ version = "1.0.226"
2205
2206
  source = "registry+https://github.com/rust-lang/crates.io-index"
2206
- checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6"
2207
+ checksum = "0dca6411025b24b60bfa7ec1fe1f8e710ac09782dca409ee8237ba74b51295fd"
2207
2208
  dependencies = [
2209
+ "serde_core",
2208
2210
  "serde_derive",
2209
2211
  ]
2210
2212
 
@@ -2228,11 +2230,20 @@ dependencies = [
2228
2230
  "typed-builder",
2229
2231
  ]
2230
2232
 
2233
+ [[package]]
2234
+ name = "serde_core"
2235
+ version = "1.0.226"
2236
+ source = "registry+https://github.com/rust-lang/crates.io-index"
2237
+ checksum = "ba2ba63999edb9dac981fb34b3e5c0d111a69b0924e253ed29d83f7c99e966a4"
2238
+ dependencies = [
2239
+ "serde_derive",
2240
+ ]
2241
+
2231
2242
  [[package]]
2232
2243
  name = "serde_derive"
2233
- version = "1.0.219"
2244
+ version = "1.0.226"
2234
2245
  source = "registry+https://github.com/rust-lang/crates.io-index"
2235
- checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00"
2246
+ checksum = "8db53ae22f34573731bafa1db20f04027b2d25e02d8205921b569171699cdb33"
2236
2247
  dependencies = [
2237
2248
  "proc-macro2",
2238
2249
  "quote",
@@ -2241,15 +2252,16 @@ dependencies = [
2241
2252
 
2242
2253
  [[package]]
2243
2254
  name = "serde_json"
2244
- version = "1.0.143"
2255
+ version = "1.0.145"
2245
2256
  source = "registry+https://github.com/rust-lang/crates.io-index"
2246
- checksum = "d401abef1d108fbd9cbaebc3e46611f4b1021f714a0597a71f41ee463f5f4a5a"
2257
+ checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
2247
2258
  dependencies = [
2248
2259
  "indexmap",
2249
2260
  "itoa",
2250
2261
  "memchr",
2251
2262
  "ryu",
2252
2263
  "serde",
2264
+ "serde_core",
2253
2265
  ]
2254
2266
 
2255
2267
  [[package]]
@@ -2983,9 +2995,9 @@ checksum = "c4013970217383f67b18aef68f6fb2e8d409bc5755227092d32efb0422ba24b8"
2983
2995
 
2984
2996
  [[package]]
2985
2997
  name = "tree-sitter-powershell"
2986
- version = "0.25.8"
2998
+ version = "0.25.9"
2987
2999
  source = "registry+https://github.com/rust-lang/crates.io-index"
2988
- checksum = "d76347b6c5300ae20622847aa53c88005d13b6999708ffbe4618b509ddb45178"
3000
+ checksum = "ae0e37101b110badaf99aa40460915a8797ceba15fc0ed22773280377a8dffb6"
2989
3001
  dependencies = [
2990
3002
  "cc",
2991
3003
  "tree-sitter-language",
@@ -3789,7 +3801,7 @@ dependencies = [
3789
3801
 
3790
3802
  [[package]]
3791
3803
  name = "zizmor"
3792
- version = "1.13.0"
3804
+ version = "1.14.0"
3793
3805
  dependencies = [
3794
3806
  "annotate-snippets",
3795
3807
  "anstream",
@@ -11,20 +11,20 @@ license = "MIT"
11
11
  rust-version = "1.88.0"
12
12
 
13
13
  [workspace.dependencies]
14
- anyhow = "1.0.99"
14
+ anyhow = "1.0.100"
15
15
  github-actions-expressions = { path = "crates/github-actions-expressions", version = "0.0.10" }
16
16
  github-actions-models = { path = "crates/github-actions-models", version = "0.32.0" }
17
17
  itertools = "0.14.0"
18
- pest = "2.8.1"
19
- pest_derive = "2.8.1"
18
+ pest = "2.8.2"
19
+ pest_derive = "2.8.2"
20
20
  pretty_assertions = "1.4.1"
21
- annotate-snippets = "0.12.3"
21
+ annotate-snippets = "0.12.4"
22
22
  anstream = "0.6.20"
23
23
  assert_cmd = "2.0.17"
24
- camino = "1.1.12"
25
- clap = "4.5.47"
24
+ camino = "1.2.0"
25
+ clap = "4.5.48"
26
26
  clap-verbosity-flag = { version = "3.0.4", default-features = false }
27
- clap_complete = "4.5.57"
27
+ clap_complete = "4.5.58"
28
28
  clap_complete_nushell = "4.5.8"
29
29
  csv = "1.3.1"
30
30
  etcetera = "0.10.0"
@@ -33,7 +33,7 @@ fst = "0.4.7"
33
33
  http-cache-reqwest = "0.16"
34
34
  human-panic = "2.0.3"
35
35
  ignore = "0.4.23"
36
- indexmap = { version = "2.11.0", features = ["serde"] }
36
+ indexmap = { version = "2.11.4", features = ["serde"] }
37
37
  indicatif = "0.18"
38
38
  insta = "1.43.2"
39
39
  jsonschema = "0.30.0"
@@ -43,9 +43,9 @@ owo-colors = "4.2.2"
43
43
  regex = "1.11.2"
44
44
  reqwest = { version = "0.12.23", default-features = false }
45
45
  reqwest-middleware = "0.4.2"
46
- serde = { version = "1.0.219", features = ["derive"] }
46
+ serde = { version = "1.0.226", features = ["derive"] }
47
47
  serde-sarif = "0.8.0"
48
- serde_json = "1.0.143"
48
+ serde_json = "1.0.145"
49
49
  serde_json_path = "0.7.2"
50
50
  serde_yaml = "0.9.34"
51
51
  subfeature = { path = "crates/subfeature", version = "0.0.3" }
@@ -59,7 +59,7 @@ tracing-indicatif = "0.3.13"
59
59
  tracing-subscriber = "0.3.20"
60
60
  tree-sitter = "0.25.9"
61
61
  tree-sitter-bash = "0.23.3"
62
- tree-sitter-powershell = "0.25.8"
62
+ tree-sitter-powershell = "0.25.9"
63
63
  yamlpath = { path = "crates/yamlpath", version = "0.25.0" }
64
64
  yamlpatch = { path = "crates/yamlpatch", version = "0.3.0" }
65
65
  tree-sitter-yaml = "0.7.1"
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: zizmor
3
- Version: 1.13.0
3
+ Version: 1.14.0
4
4
  License-File: LICENSE
5
5
  Home-Page: https://docs.zizmor.sh
6
6
  Requires-Python: >=3.9
@@ -79,6 +79,13 @@ Grafana Labs
79
79
  Trail of Bits
80
80
  </a>
81
81
  </td>
82
+ <td align="center" valign="top" width="15%">
83
+ <a href="https://www.shipfox.io">
84
+ <img src="https://avatars.githubusercontent.com/u/163036520?s=100&v=4" width="100px">
85
+ <br>
86
+ Shipfox
87
+ </a>
88
+ </td>
82
89
  </tr>
83
90
  </tbody>
84
91
  </table>
@@ -304,7 +304,10 @@ impl<'src> Expr<'src> {
304
304
  || func == "startsWith"
305
305
  || func == "endsWith"
306
306
  || func == "toJSON"
307
- || func == "fromJSON"
307
+ // TODO(ww): `fromJSON` *is* frequently reducible, but
308
+ // doing so soundly with subexpressions is annoying.
309
+ // We overapproximate for now and consider it non-reducible.
310
+ // || func == "fromJSON"
308
311
  || func == "join"
309
312
  {
310
313
  args.iter().all(|e| e.constant_reducible())
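Review bot: Commenting out `|| func == "fromJSON"` leaves dead code in the condition; now that `fromJSON` is deliberately treated as non-reducible, the intent is better pinned by a unit test asserting that an expression such as `fromJSON('{}')` is not `constant_reducible()`, and the TODO can then point at that test instead of a commented-out line. The new comment should also say what "soundly" means here — presumably that reducing `fromJSON` over a non-constant subexpression, or over a string whose JSON shape is unknown, could misclassify a context-dependent value as constant and weaken the injection analysis that relies on this predicate. The enclosing method (apparently `constant_reducible`, judging by the recursive call) starts and ends outside this hunk.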
@@ -1,7 +1,7 @@
1
1
  [package]
2
2
  name = "zizmor"
3
3
  description = "Static analysis for GitHub Actions"
4
- version = "1.13.0"
4
+ version = "1.14.0"
5
5
  repository = "https://github.com/zizmorcore/zizmor"
6
6
  documentation = "https://docs.zizmor.sh"
7
7
  keywords = ["cli", "github-actions", "static-analysis", "security"]
@@ -71,6 +71,13 @@ Grafana Labs
71
71
  Trail of Bits
72
72
  </a>
73
73
  </td>
74
+ <td align="center" valign="top" width="15%">
75
+ <a href="https://www.shipfox.io">
76
+ <img src="https://avatars.githubusercontent.com/u/163036520?s=100&v=4" width="100px">
77
+ <br>
78
+ Shipfox
79
+ </a>
80
+ </td>
74
81
  </tr>
75
82
  </tbody>
76
83
  </table>
@@ -50,12 +50,16 @@ static KNOWN_CACHE_AWARE_ACTIONS: LazyLock<Vec<ActionCoordinate>> = LazyLock::ne
50
50
  // https://github.com/actions/setup-node/blob/main/action.yml
51
51
  ActionCoordinate::Configurable {
52
52
  uses_pattern: "actions/setup-node".parse().unwrap(),
53
- control: ControlExpr::single(
54
- Toggle::OptIn,
55
- "cache",
56
- ControlFieldType::FreeString,
57
- false,
58
- ),
53
+ control: ControlExpr::any([
54
+ ControlExpr::single(Toggle::OptIn, "cache", ControlFieldType::FreeString, false),
55
+ // NOTE: Added with `setup-node@v5`.
56
+ ControlExpr::single(
57
+ Toggle::OptIn,
58
+ "package-manager-cache",
59
+ ControlFieldType::Boolean,
60
+ true,
61
+ ),
62
+ ]),
59
63
  },
60
64
  // https://github.com/actions/setup-python/blob/main/action.yml
61
65
  ActionCoordinate::Configurable {
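Review bot: The new `package-manager-cache` control is added with a final argument of `true` under a `uses_pattern` of `actions/setup-node` that carries no version constraint, so if that argument means "enabled when the input is absent", every `setup-node` step pinned to v4 or earlier — where the input does not exist, per the `// NOTE: Added with setup-node@v5.` comment — would now be treated as cache-aware by default. Unless `ControlExpr::any` or the coordinate matching already accounts for the resolved major version (not visible here), this is a false-positive source for cache-poisoning findings on older pins, and either the coordinate should gate on the major version or the comment should state that over-reporting on pre-v5 pins is accepted. A comment on the new entry such as `// Default-on from v5; older majors ignore this input, so expect over-reporting there.` would make the trade-off explicit.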
@@ -180,7 +180,7 @@ impl ExcessivePermissions {
180
180
  let severity = KNOWN_PERMISSIONS.get(name.as_str()).unwrap_or_else(|| {
181
181
  tracing::warn!("unknown permission: {name}");
182
182
 
183
- &Severity::Unknown
183
+ &Severity::Medium
184
184
  });
185
185
 
186
186
  results.push((
@@ -99,11 +99,12 @@ impl KnownVulnerableActions {
99
99
 
100
100
  for vuln in vulns {
101
101
  let severity = match vuln.severity.as_str() {
102
- "low" => Severity::Unknown,
102
+ "low" => Severity::Low,
103
103
  "medium" => Severity::Medium,
104
104
  "high" => Severity::High,
105
105
  "critical" => Severity::High,
106
- _ => Severity::Unknown,
106
+ // Seems like a safe fallback.
107
+ _ => Severity::High,
107
108
  };
108
109
 
109
110
  // Get the first patched version from the first vulnerability in the advisory
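Review bot: The new fallback `_ => Severity::High,` silently escalates any severity string the match does not recognise, and the accompanying `// Seems like a safe fallback.` comment does not record that an unrecognised value was seen; `excessive_permissions.rs` in this same release emits `tracing::warn!` before its fallback, and the same pattern fits here, e.g. `other => { tracing::warn!("unknown advisory severity: {other}"); Severity::High }`. Advisory feeds may also carry an explicit unknown-style severity, so escalating everything unrecognised to High trades missed findings for inflated ones; the comment should state that this is the intended bias. The enclosing loop and function continue outside this hunk.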
@@ -303,8 +304,8 @@ mod tests {
303
304
  false,
304
305
  Some(
305
306
  github_api::Client::new(
306
- github_api::GitHubHost::default(),
307
- github_api::GitHubToken::new("fake").unwrap(),
307
+ &github_api::GitHubHost::default(),
308
+ &github_api::GitHubToken::new("fake").unwrap(),
308
309
  "/tmp".into(),
309
310
  )
310
311
  .unwrap(),
@@ -748,8 +749,8 @@ jobs:
748
749
  false,
749
750
  Some(
750
751
  github_api::Client::new(
751
- github_api::GitHubHost::default(),
752
- github_api::GitHubToken::new(&std::env::var("GH_TOKEN").unwrap()).unwrap(),
752
+ &github_api::GitHubHost::default(),
753
+ &github_api::GitHubToken::new(&std::env::var("GH_TOKEN").unwrap()).unwrap(),
753
754
  "/tmp".into(),
754
755
  )
755
756
  .unwrap(),
@@ -803,8 +804,8 @@ jobs:
803
804
  false,
804
805
  Some(
805
806
  github_api::Client::new(
806
- github_api::GitHubHost::default(),
807
- github_api::GitHubToken::new(&std::env::var("GH_TOKEN").unwrap()).unwrap(),
807
+ &github_api::GitHubHost::default(),
808
+ &github_api::GitHubToken::new(&std::env::var("GH_TOKEN").unwrap()).unwrap(),
808
809
  "/tmp".into(),
809
810
  )
810
811
  .unwrap(),
@@ -1,6 +1,5 @@
1
1
  //! Core namespace for zizmor's audits.
2
2
 
3
- use line_index::LineIndex;
4
3
  use thiserror::Error;
5
4
  use tracing::instrument;
6
5
  use yamlpath::Document;
@@ -32,6 +31,7 @@ pub(crate) mod known_vulnerable_actions;
32
31
  pub(crate) mod obfuscation;
33
32
  pub(crate) mod overprovisioned_secrets;
34
33
  pub(crate) mod ref_confusion;
34
+ pub(crate) mod ref_version_mismatch;
35
35
  pub(crate) mod secrets_inherit;
36
36
  pub(crate) mod self_hosted_runner;
37
37
  pub(crate) mod stale_action_refs;
@@ -58,13 +58,6 @@ impl AuditInput {
58
58
  }
59
59
  }
60
60
 
61
- pub(crate) fn line_index(&self) -> &LineIndex {
62
- match self {
63
- AuditInput::Workflow(workflow) => workflow.as_document().line_index(),
64
- AuditInput::Action(action) => action.as_document().line_index(),
65
- }
66
- }
67
-
68
61
  pub(crate) fn link(&self) -> Option<&str> {
69
62
  match self {
70
63
  AuditInput::Workflow(workflow) => workflow.link.as_deref(),
@@ -0,0 +1,162 @@
1
+ use std::sync::LazyLock;
2
+
3
+ use anyhow::{Result, anyhow};
4
+ use github_actions_models::common::Uses;
5
+ use regex::Regex;
6
+ use subfeature::Subfeature;
7
+
8
+ use crate::{
9
+ audit::{Audit, AuditLoadError, AuditState, audit_meta},
10
+ config::Config,
11
+ finding::{
12
+ Confidence, Finding, Severity,
13
+ location::{Comment, Feature, Location},
14
+ },
15
+ github_api,
16
+ models::{StepCommon, action::CompositeStep, uses::RepositoryUsesExt, workflow::Step},
17
+ };
18
+
19
+ pub(crate) struct RefVersionMismatch {
20
+ client: github_api::Client,
21
+ }
22
+
23
+ audit_meta!(
24
+ RefVersionMismatch,
25
+ "ref-version-mismatch",
26
+ "detects commit SHAs that don't match their version comment tags"
27
+ );
28
+
29
+ static VERSION_COMMENT_PATTERNS: LazyLock<Vec<Regex>> = LazyLock::new(|| {
30
+ vec![
31
+ // Matches "# tag=v2.8.0" or "# tag=v1.2.3"
32
+ Regex::new(r"#\s*tag\s*=\s*(v\d+(?:\.\d+)*(?:\.\d+)?)").unwrap(),
33
+ // Matches "# v2.8.0"
34
+ Regex::new(r"#\s*(v\d+(?:\.\d+)*(?:\.\d+)?)").unwrap(),
35
+ // Matches version without 'v' prefix: "# tag=2.8.0"
36
+ Regex::new(r"#\s*tag\s*=\s*(\d+(?:\.\d+)*(?:\.\d+)?)").unwrap(),
37
+ // More flexible: "# version: 2.8.0"
38
+ Regex::new(r"#\s*(?:version|ver)\s*[:=]\s*(v?\d+(?:\.\d+)*(?:\.\d+)?)").unwrap(),
39
+ ]
40
+ });
41
+
42
+ impl RefVersionMismatch {
43
+ fn extract_version_from_comments<'doc>(
44
+ &self,
45
+ comments: &'doc [Comment<'doc>],
46
+ ) -> Option<&'doc str> {
47
+ for comment in comments {
48
+ for pattern in VERSION_COMMENT_PATTERNS.iter() {
49
+ if let Some(captures) = pattern.captures(comment.as_ref())
50
+ && let Some(version_match) = captures.get(1)
51
+ {
52
+ return Some(version_match.as_str());
53
+ }
54
+ }
55
+ }
56
+ None
57
+ }
58
+
59
+ fn audit_step_common<'doc, S: StepCommon<'doc>>(
60
+ &self,
61
+ step: &S,
62
+ ) -> anyhow::Result<Vec<Finding<'doc>>> {
63
+ let mut findings = vec![];
64
+
65
+ let Some(Uses::Repository(uses)) = step.uses() else {
66
+ return Ok(findings);
67
+ };
68
+
69
+ // Only check steps that have commit refs (not symbolic refs like v1.0.0)
70
+ let Some(commit_sha) = uses.commit_ref() else {
71
+ return Ok(findings);
72
+ };
73
+
74
+ let step_location = step.location();
75
+ let uses_location = step_location
76
+ .with_keys(["uses".into()])
77
+ .concretize(step.document())?;
78
+
79
+ let Some(version_from_comment) =
80
+ self.extract_version_from_comments(&uses_location.concrete.comments)
81
+ else {
82
+ return Ok(findings);
83
+ };
84
+
85
+ let Some(commit_for_ref) =
86
+ self.client
87
+ .commit_for_ref(&uses.owner, &uses.repo, version_from_comment)?
88
+ else {
89
+ // TODO(ww): Does it make sense to flag this as well?
90
+ // This indicates a completely bogus version comment,
91
+ // rather than a mismatch.
92
+ return Ok(findings);
93
+ };
94
+
95
+ if commit_for_ref != commit_sha {
96
+ let subfeature = Subfeature::new(
97
+ uses_location.concrete.location.offset_span.end,
98
+ version_from_comment,
99
+ );
100
+
101
+ let mut builder = Self::finding()
102
+ .severity(Severity::Medium)
103
+ .confidence(Confidence::High)
104
+ .add_raw_location(Location::new(
105
+ // NOTE(ww): We trim the commit SHA to 12 characters
106
+ // for display purposes; 12 is a conservative length
107
+ // that avoids collisions in Linux-sized repositories.
108
+ uses_location.symbolic.clone().primary().annotated(format!(
109
+ "points to commit {short_commit}",
110
+ short_commit = &commit_sha[..12]
111
+ )),
112
+ Feature::from_subfeature(&subfeature, step),
113
+ ));
114
+
115
+ if let Some(suggestion) =
116
+ self.client
117
+ .longest_tag_for_commit(&uses.owner, &uses.repo, commit_sha)?
118
+ {
119
+ builder = builder.add_location(
120
+ uses_location
121
+ .symbolic
122
+ .annotated(format!("is pointed to by tag {tag}", tag = suggestion.name)),
123
+ );
124
+ }
125
+ findings.push(builder.build(step)?);
126
+ }
127
+
128
+ Ok(findings)
129
+ }
130
+ }
131
+
132
+ impl Audit for RefVersionMismatch {
133
+ fn new(state: &AuditState) -> Result<Self, AuditLoadError> {
134
+ if state.no_online_audits {
135
+ return Err(AuditLoadError::Skip(anyhow!(
136
+ "offline audits only requested"
137
+ )));
138
+ }
139
+
140
+ state
141
+ .gh_client
142
+ .clone()
143
+ .ok_or_else(|| AuditLoadError::Skip(anyhow!("can't run without a GitHub API token")))
144
+ .map(|client| Self { client })
145
+ }
146
+
147
+ fn audit_step<'doc>(
148
+ &self,
149
+ step: &Step<'doc>,
150
+ _config: &Config,
151
+ ) -> anyhow::Result<Vec<Finding<'doc>>> {
152
+ self.audit_step_common(step)
153
+ }
154
+
155
+ fn audit_composite_step<'doc>(
156
+ &self,
157
+ step: &CompositeStep<'doc>,
158
+ _config: &Config,
159
+ ) -> anyhow::Result<Vec<Finding<'doc>>> {
160
+ self.audit_step_common(step)
161
+ }
162
+ }
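Review bot: `short_commit = &commit_sha[..12]` panics when `commit_sha` is shorter than 12 bytes; unless `uses.commit_ref()` guarantees a full 40-character SHA (not visible here), write `short_commit = commit_sha.get(..12).unwrap_or(commit_sha)`. The test `if commit_for_ref != commit_sha` is case-sensitive, so an upper-case hex pin in the workflow would be reported as a mismatch against the lower-case SHA the API presumably returns; `if !commit_for_ref.eq_ignore_ascii_case(commit_sha)` avoids that, assuming both sides are string-like. The second `VERSION_COMMENT_PATTERNS` entry, `#\s*(v\d+(?:\.\d+)*(?:\.\d+)?)`, is unanchored and will pick up any `# v<digits>` fragment, including prose in a trailing comment, and patterns are tried in order with the first capture winning, which makes `Confidence::High` optimistic for findings derived from that pattern; a doc comment on `extract_version_from_comments` stating the first-match semantics would help. In all four regexes `(?:\.\d+)*(?:\.\d+)?` is equivalent to `(?:\.\d+)*`, so the trailing optional group can be dropped.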
@@ -59,7 +59,7 @@ impl Audit for SelfHostedRunner {
59
59
  results.push(
60
60
  Self::finding()
61
61
  .confidence(Confidence::High)
62
- .severity(Severity::Unknown)
62
+ .severity(Severity::Medium)
63
63
  .persona(Persona::Auditor)
64
64
  .add_location(
65
65
  job.location()
@@ -77,7 +77,7 @@ impl Audit for SelfHostedRunner {
77
77
  results.push(
78
78
  Self::finding()
79
79
  .confidence(Confidence::Low)
80
- .severity(Severity::Unknown)
80
+ .severity(Severity::Medium)
81
81
  .persona(Persona::Auditor)
82
82
  .add_location(
83
83
  job.location()
@@ -100,7 +100,7 @@ impl Audit for SelfHostedRunner {
100
100
  LoE::Literal(RunsOn::Group { .. }) => results.push(
101
101
  Self::finding()
102
102
  .confidence(Confidence::Low)
103
- .severity(Severity::Unknown)
103
+ .severity(Severity::Medium)
104
104
  .persona(Persona::Auditor)
105
105
  .add_location(
106
106
  job.location()
@@ -127,7 +127,7 @@ impl Audit for SelfHostedRunner {
127
127
  results.push(
128
128
  Self::finding()
129
129
  .confidence(Confidence::High)
130
- .severity(Severity::Unknown)
130
+ .severity(Severity::Medium)
131
131
  .persona(Persona::Auditor)
132
132
  .add_location(
133
133
  job.location()
@@ -378,8 +378,8 @@ impl TemplateInjection {
378
378
  Subfeature::new(expr_span.start, &parsed),
379
379
  // Intentionally not providing a fix here.
380
380
  None,
381
- Severity::Unknown,
382
- Confidence::Unknown,
381
+ Severity::Low,
382
+ Confidence::High,
383
383
  Persona::Pedantic,
384
384
  ));
385
385
 
@@ -440,7 +440,7 @@ impl TemplateInjection {
440
440
  (Severity::High, Confidence::High, Persona::default())
441
441
  }
442
442
  None => {
443
- (Severity::Unknown, Confidence::Low, Persona::default())
443
+ (Severity::Low, Confidence::Low, Persona::default())
444
444
  }
445
445
  };
446
446
 
@@ -477,7 +477,7 @@ impl TemplateInjection {
477
477
  origin.raw,
478
478
  ),
479
479
  self.attempt_fix(&expr, &parsed, step),
480
- Severity::Unknown,
480
+ Severity::Low,
481
481
  Confidence::High,
482
482
  Persona::Pedantic,
483
483
  ));