zizmor 1.2.0__tar.gz → 1.2.2__tar.gz

{zizmor-1.2.0 → zizmor-1.2.2}/.github/workflows/ci.yml

@@ -33,7 +33,7 @@ jobs:
 
     - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2
 
-    - uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v5.1.0
+    - uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
 
     - name: Test
       run: cargo test
@@ -43,9 +43,21 @@ jobs:
         make snippets
         git diff --exit-code
 
+  test-site:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
+
+      - name: Test site
+        run: make site
+
   all-tests-pass:
     if: always()
-    needs: [lint, test]
+    needs: [lint, test, test-site]
     runs-on: ubuntu-latest
 
     steps:

{zizmor-1.2.0 → zizmor-1.2.2}/.github/workflows/site.yml

@@ -30,7 +30,7 @@ jobs:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v3
+        uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
 
       - name: build site
         run: make site

{zizmor-1.2.0 → zizmor-1.2.2}/.github/workflows/zizmor.yml

@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: ["*"]
 
+permissions: {}
+
 jobs:
   zizmor:
     name: zizmor latest via Cargo
@@ -19,7 +21,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v4
+        uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
       - name: Run zizmor 🌈
         run: uvx zizmor --format sarif . > results.sarif
         env:

{zizmor-1.2.0 → zizmor-1.2.2}/Cargo.lock

@@ -616,9 +616,9 @@ checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
 
 [[package]]
 name = "github-actions-models"
-version = "0.21.0"
+version = "0.22.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "768ea1269c648e6eb2e2fc9143e609609a1587150f0ad3342305ae2ae2d217ca"
+checksum = "ea4c30fa8bf11e002d3ca72233e7a7bac33ffce4dc50877d63a8f5a161e0cd84"
 dependencies = [
  "indexmap",
  "serde",
@@ -3108,7 +3108,7 @@ dependencies = [
 
 [[package]]
 name = "zizmor"
-version = "1.2.0"
+version = "1.2.2"
 dependencies = [
  "annotate-snippets",
  "anstream",

{zizmor-1.2.0 → zizmor-1.2.2}/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "zizmor"
 description = "Static analysis for GitHub Actions"
-version = "1.2.0"
+version = "1.2.2"
 edition = "2021"
 repository = "https://github.com/woodruffw/zizmor"
 homepage = "https://github.com/woodruffw/zizmor"
@@ -23,7 +23,7 @@ clap-verbosity-flag = { version = "3.0.2", features = [
 ], default-features = false }
 etcetera = "0.8.0"
 flate2 = "1.0.35"
-github-actions-models = "0.21.0"
+github-actions-models = "0.22.0"
 http-cache-reqwest = "0.15.0"
 human-panic = "2.0.1"
 indexmap = "2.7.0"

{zizmor-1.2.0 → zizmor-1.2.2}/Makefile

@@ -3,12 +3,12 @@ all:
 	@echo "Run my targets individually!"
 
 .PHONY: site
-site: site-requirements.txt
-	uvx --with-requirements $< mkdocs build
+site:
+	uv run --only-group docs mkdocs build
 
 .PHONY: site-live
-site-live: site-requirements.txt
-	uvx --with-requirements $< mkdocs serve
+site-live:
+	uv run --only-group docs mkdocs serve
 
 .PHONY: snippets
 snippets: trophies sponsors

{zizmor-1.2.0 → zizmor-1.2.2}/PKG-INFO

@@ -1,12 +1,14 @@
 Metadata-Version: 2.4
 Name: zizmor
-Version: 1.2.0
+Version: 1.2.2
+License-File: LICENSE
 Summary: Static analysis for GitHub Actions
 Keywords: cli,github-actions,static-analysis,security
 Home-Page: https://github.com/woodruffw/zizmor
 Author: William Woodruff <william@yossarian.net>
 Author-email: William Woodruff <william@yossarian.net>
 License: MIT
+Requires-Python: >=3.9
 Description-Content-Type: text/markdown; charset=UTF-8; variant=GFM
 Project-URL: Source Code, https://github.com/woodruffw/zizmor
 

{zizmor-1.2.0 → zizmor-1.2.2}/docs/release-notes.md

@@ -11,6 +11,27 @@ of `zizmor`.
 
 Nothing to see here (yet!)
 
+## v1.2.2
+
+### Bug Fixes 🐛
+
+* The [excessive-permissions] audit is now more precise about both
+  reusable workflows and reusable workflow calls (#473)
+
+### Improvements 🌱
+
+* Fetch failures when running `zizmor org/repo` are now more informative (#475)
+
+## v1.2.1
+
+This is a small corrective release for some SARIF behavior that
+changed with v1.2.0.
+
+### Bug Fixes 🐛
+
+* SARIF outputs now use relative paths again, but more correctly
+  than before [v1.2.0](#v120) (#469)
+
 ## v1.2.0
 
 This release comes with one new audit ([bot-conditions]), plus a handful

{zizmor-1.2.0 → zizmor-1.2.2}/docs/usage.md

@@ -457,7 +457,7 @@ To do so, add the following to your `.pre-commit-config.yaml` `repos` section:
 
 ```yaml
 - repo: https://github.com/woodruffw/zizmor-pre-commit
-  rev: v1.2.0 # (1)!
+  rev: v1.2.2 # (1)!
   hooks:
   - id: zizmor
 ```

zizmor-1.2.2/pyproject.toml

@@ -0,0 +1,17 @@
+[build-system]
+requires = ["maturin>=1.0,<2.0"]
+build-backend = "maturin"
+
+# NOTE: This section is a stub; needed to prevent
+# `uv run --only-group docs` from failing.
+[project]
+name = "zizmor"
+dynamic = ["version"]
+# Arbitrarily set to the oldest non-EOL Python.
+requires-python = ">=3.9"
+
+[tool.maturin]
+bindings = "bin"
+
+[dependency-groups]
+docs = ["mkdocs ~= 1.6", "mkdocs-material[imaging] ~= 9.5"]

{zizmor-1.2.0 → zizmor-1.2.2}/src/audit/bot_conditions.rs

@@ -1,13 +1,12 @@
 use github_actions_models::common::{expr::ExplicitExpr, If};
 
+use super::{audit_meta, Audit};
 use crate::{
     expr::{self, Expr},
     finding::{Confidence, Severity},
     models::JobExt,
 };
 
-use super::{audit_meta, Audit};
-
 pub(crate) struct BotConditions;
 
 audit_meta!(BotConditions, "bot-conditions", "spoofable bot actor check");
@@ -152,7 +151,7 @@ impl BotConditions {
             // We have a bot condition but it doesn't dominate the expression.
             (true, false) => Some(Confidence::Medium),
             // No bot condition.
-            (_, _) => None,
+            (..) => None,
         }
     }
 }

{zizmor-1.2.0 → zizmor-1.2.2}/src/audit/excessive_permissions.rs

@@ -57,12 +57,9 @@ impl Audit for ExcessivePermissions {
 
         let all_jobs_have_permissions = workflow
             .jobs()
-            .filter_map(|job| {
-                let Job::NormalJob(job) = job else {
-                    return None;
-                };
-
-                Some(&job.permissions)
+            .map(|job| match job {
+                Job::NormalJob(job) => &job.permissions,
+                Job::ReusableWorkflowCallJob(job) => &job.permissions,
             })
             .all(|perm| !matches!(perm, Permissions::Base(BasePermission::Default)));
 
@@ -71,17 +68,21 @@ impl Audit for ExcessivePermissions {
             Permissions::Base(BasePermission::Default)
         );
 
-        // Top-level permissions are a minor issue if there's only one
-        // job in the workflow, since they're equivalent to job-level
-        // permissions in that case. Emit only pedantic findings in
-        // that case.
-        // Similarly, if all jobs in the workflow have their own explicit
-        // permissions, then any permissions set at the top-level are moot.
-        let persona = if workflow.jobs.len() == 1 || all_jobs_have_permissions {
-            Persona::Pedantic
-        } else {
-            Persona::Regular
-        };
+        let workflow_is_reusable_only =
+            workflow.has_workflow_call() && workflow.has_single_trigger();
+
+        // Top-level permissions are a pedantic finding under the following
+        // conditions:
+        //
+        // 1. The workflow has only one job.
+        // 2. All jobs in the workflow have their own explicit permissions.
+        // 3. The workflow is reusable and has only one trigger.
+        let workflow_finding_persona =
+            if workflow.jobs.len() == 1 || all_jobs_have_permissions || workflow_is_reusable_only {
+                Persona::Pedantic
+            } else {
+                Persona::Regular
+            };
 
         // Handle top-level permissions.
         let location = workflow.location().primary();
@@ -93,20 +94,35 @@ impl Audit for ExcessivePermissions {
                 Self::finding()
                     .severity(severity)
                     .confidence(confidence)
-                    .persona(persona)
+                    .persona(workflow_finding_persona)
                     .add_location(perm_location)
                     .build(workflow)?,
             );
         }
 
         for job in workflow.jobs() {
-            let Job::NormalJob(job) = &job else {
-                continue;
+            let (permissions, job_location, job_finding_persona) = match job {
+                Job::NormalJob(job) => {
+                    // For normal jobs: if the workflow is reusable-only, we
+                    // emit pedantic findings.
+                    let persona = if workflow_is_reusable_only {
+                        Persona::Pedantic
+                    } else {
+                        Persona::Regular
+                    };
+
+                    (&job.permissions, job.location(), persona)
+                }
+                Job::ReusableWorkflowCallJob(job) => {
+                    // For reusable jobs: the caller is always responsible for
+                    // permissions, so we emit regular findings even if
+                    // the workflow is reusable-only.
+                    (&job.permissions, job.location(), Persona::Regular)
+                }
             };
 
-            let job_location = job.location();
             if let Some((severity, confidence, perm_location)) = self.check_job_permissions(
-                &job.permissions,
+                permissions,
                 explicit_parent_permissions,
                 job_location.clone(),
             ) {
@@ -114,6 +130,7 @@ impl Audit for ExcessivePermissions {
                     Self::finding()
                         .severity(severity)
                         .confidence(confidence)
+                        .persona(job_finding_persona)
                         .add_location(job_location)
                         .add_location(perm_location.primary())
                         .build(workflow)?,

{zizmor-1.2.0 → zizmor-1.2.2}/src/github_api.rs

@@ -12,6 +12,7 @@ use github_actions_models::common::RepositoryUses;
 use http_cache_reqwest::{
     CACacheManager, Cache, CacheMode, CacheOptions, HttpCache, HttpCacheOptions,
 };
+use owo_colors::OwoColorize;
 use reqwest::{
     header::{HeaderMap, ACCEPT, AUTHORIZATION, USER_AGENT},
     StatusCode,
@@ -399,7 +400,16 @@ impl Client {
         // TODO: Could probably make this slightly faster by
         // streaming asynchronously into the decompression,
         // probably with the async-compression crate.
-        let contents = self.http.get(url).send().await?.bytes().await?;
+        let resp = self.http.get(&url).send().await?;
+
+        if !resp.status().is_success() {
+            return Err(anyhow!(
+                "failed to fetch {url}: {status}",
+                status = resp.status().red()
+            ));
+        }
+
+        let contents = resp.bytes().await?;
         let tar = GzDecoder::new(contents.deref());
 
         let mut archive = Archive::new(tar);

{zizmor-1.2.0 → zizmor-1.2.2}/src/main.rs

@@ -160,17 +160,18 @@ fn tip(err: impl AsRef<str>, tip: impl AsRef<str>) -> String {
 
 #[instrument(skip(mode, registry))]
 fn collect_from_repo_dir(
-    repo_dir: &Utf8Path,
+    top_dir: &Utf8Path,
+    current_dir: &Utf8Path,
     mode: &CollectionMode,
     registry: &mut InputRegistry,
 ) -> Result<()> {
     // The workflow directory might not exist if we're collecting from
     // a repository that only contains actions.
     if mode.workflows() {
-        let workflow_dir = if repo_dir.ends_with(".github/workflows") {
-            repo_dir.into()
+        let workflow_dir = if current_dir.ends_with(".github/workflows") {
+            current_dir.into()
         } else {
-            repo_dir.join(".github/workflows")
+            current_dir.join(".github/workflows")
         };
 
         if workflow_dir.is_dir() {
@@ -180,7 +181,7 @@ fn collect_from_repo_dir(
                 match input_path.extension() {
                     Some(ext) if ext == "yml" || ext == "yaml" => {
                         registry
-                            .register_by_path(input_path)
+                            .register_by_path(input_path, Some(top_dir))
                             .with_context(|| format!("failed to register input: {input_path}"))?;
                     }
                     _ => continue,
@@ -192,18 +193,18 @@ fn collect_from_repo_dir(
     }
 
     if mode.actions() {
-        for entry in repo_dir.read_dir_utf8()? {
+        for entry in current_dir.read_dir_utf8()? {
             let entry = entry?;
             let entry_path = entry.path();
 
             if entry_path.is_file()
                 && matches!(entry_path.file_name(), Some("action.yml" | "action.yaml"))
             {
-                let action = Action::from_file(entry_path)?;
+                let action = Action::from_file(entry_path, Some(top_dir))?;
                 registry.register_input(action.into())?;
             } else if entry_path.is_dir() && !entry_path.ends_with(".github/workflows") {
                 // Recurse and limit the collection mode to only actions.
-                collect_from_repo_dir(entry_path, &CollectionMode::ActionsOnly, registry)?;
+                collect_from_repo_dir(top_dir, entry_path, &CollectionMode::ActionsOnly, registry)?;
             }
         }
     }
@@ -257,7 +258,16 @@ fn collect_from_repo_slug(
             registry.register_input(workflow.into())?;
         }
     } else {
-        let inputs = client.fetch_audit_inputs(&slug)?;
+        let inputs = client.fetch_audit_inputs(&slug).with_context(|| {
+            tip(
+                format!(
+                    "couldn't collect inputs from https://github.com/{owner}/{repo}",
+                    owner = slug.owner,
+                    repo = slug.repo
+                ),
+                "confirm the repository exists and that you have access to it",
+            )
+        })?;
 
         tracing::info!(
             "collected {len} inputs from {owner}/{repo}",
@@ -266,7 +276,7 @@ fn collect_from_repo_slug(
             repo = slug.repo
         );
 
-        for input in client.fetch_audit_inputs(&slug)? {
+        for input in inputs {
             registry.register_input(input)?;
         }
     }
@@ -285,13 +295,13 @@ fn collect_inputs(
     for input in inputs {
         let input_path = Utf8Path::new(input);
         if input_path.is_file() {
+            // When collecting individual files, we don't know which part
+            // of the input path is the prefix.
             registry
-                .register_by_path(input_path)
+                .register_by_path(input_path, None)
                 .with_context(|| format!("failed to register input: {input_path}"))?;
         } else if input_path.is_dir() {
-            // TODO: walk directory to discover composite actions.
-            let absolute = input_path.canonicalize_utf8()?;
-            collect_from_repo_dir(&absolute, mode, &mut registry)?;
+            collect_from_repo_dir(input_path, input_path, mode, &mut registry)?;
         } else {
             // If this input isn't a file or directory, it's probably an
             // `owner/repo(@ref)?` slug.
@@ -387,7 +397,10 @@ fn run() -> Result<ExitCode> {
                 })?);
                 Span::current().pb_inc(1);
             }
-            tracing::info!("🌈 completed {input}", input = input.key().path());
+            tracing::info!(
+                "🌈 completed {input}",
+                input = input.key().best_effort_relative_path()
+            );
         }
     }
 

{zizmor-1.2.0 → zizmor-1.2.2}/src/models.rs

@@ -101,7 +101,7 @@ impl Workflow {
             InputKey::Local(_) => None,
             InputKey::Remote(_) => {
                 // NOTE: InputKey's Display produces a URL, hence `key.to_string()`.
-                Some(Link::new(key.path(), &key.to_string()).to_string())
+                Some(Link::new(key.best_effort_relative_path(), &key.to_string()).to_string())
             }
         };
 
@@ -114,11 +114,9 @@ impl Workflow {
     }
 
     /// Load a workflow from the given file on disk.
-    pub(crate) fn from_file<P: AsRef<Utf8Path>>(p: P) -> Result<Self> {
-        let contents = std::fs::read_to_string(p.as_ref())?;
-        let path = p.as_ref().canonicalize_utf8()?;
-
-        Self::from_string(contents, InputKey::local(path)?)
+    pub(crate) fn from_file<P: AsRef<Utf8Path>>(path: P, prefix: Option<P>) -> Result<Self> {
+        let contents = std::fs::read_to_string(path.as_ref())?;
+        Self::from_string(contents, InputKey::local(path, prefix)?)
     }
 
     /// This workflow's [`SymbolicLocation`].
@@ -137,7 +135,7 @@ impl Workflow {
         Jobs::new(self)
     }
 
-    /// Whether this workflow's is triggered by pull_request_target.
+    /// Whether this workflow is triggered by pull_request_target.
     pub(crate) fn has_pull_request_target(&self) -> bool {
         match &self.on {
             Trigger::BareEvent(event) => *event == BareEvent::PullRequestTarget,
@@ -146,7 +144,7 @@ impl Workflow {
         }
     }
 
-    /// Whether this workflow's is triggered by workflow_run.
+    /// Whether this workflow is triggered by workflow_run.
     pub(crate) fn has_workflow_run(&self) -> bool {
         match &self.on {
             Trigger::BareEvent(event) => *event == BareEvent::WorkflowRun,
@@ -154,6 +152,24 @@ impl Workflow {
             Trigger::Events(events) => !matches!(events.workflow_run, OptionalBody::Missing),
         }
     }
+
+    /// Whether this workflow is triggered by workflow_call.
+    pub(crate) fn has_workflow_call(&self) -> bool {
+        match &self.on {
+            Trigger::BareEvent(event) => *event == BareEvent::WorkflowCall,
+            Trigger::BareEvents(events) => events.contains(&BareEvent::WorkflowCall),
+            Trigger::Events(events) => !matches!(events.workflow_call, OptionalBody::Missing),
+        }
+    }
+
+    /// Whether this workflow is triggered by exactly one event.
+    pub(crate) fn has_single_trigger(&self) -> bool {
+        match &self.on {
+            Trigger::BareEvent(_) => true,
+            Trigger::BareEvents(events) => events.len() == 1,
+            Trigger::Events(events) => events.count() == 1,
+        }
+    }
 }
 
 /// Common behavior across both normal and reusable jobs.
@@ -716,13 +732,10 @@ impl Debug for Action {
 
 impl Action {
     /// Load an action from the given file on disk.
-    pub(crate) fn from_file<P: AsRef<Utf8Path>>(p: P) -> Result<Self> {
+    pub(crate) fn from_file<P: AsRef<Utf8Path>>(path: P, prefix: Option<P>) -> Result<Self> {
         let contents =
-            std::fs::read_to_string(p.as_ref()).with_context(|| "couldn't read action file")?;
-
-        let path = p.as_ref().canonicalize_utf8()?;
-
-        Self::from_string(contents, InputKey::local(path)?)
+            std::fs::read_to_string(path.as_ref()).with_context(|| "couldn't read action file")?;
+        Self::from_string(contents, InputKey::local(path, prefix)?)
     }
 
     /// Load a workflow from a buffer, with an assigned name.
@@ -736,7 +749,7 @@ impl Action {
             InputKey::Local(_) => None,
             InputKey::Remote(_) => {
                 // NOTE: InputKey's Display produces a URL, hence `key.to_string()`.
-                Some(Link::new(key.path(), &key.to_string()).to_string())
+                Some(Link::new(key.best_effort_relative_path(), &key.to_string()).to_string())
             }
         };