zizmor 1.2.2__tar.gz → 1.3.0__tar.gz

{zizmor-1.2.2 → zizmor-1.3.0}/.github/workflows/ci.yml

@@ -22,7 +22,7 @@ jobs:
       - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2
 
       - name: Lint
-        run: cargo clippy -- -D warnings
+        run: cargo clippy -- -D warnings -D clippy::dbg_macro
 
   test:
     runs-on: ubuntu-latest

{zizmor-1.2.2 → zizmor-1.3.0}/.github/workflows/pypi.yml

@@ -23,7 +23,7 @@ jobs:
           - runner: ubuntu-24.04
             target: x86
             manylinux: auto
-          - runner: ubuntu-24.04-arm
+          - runner: ubuntu-24.04
             target: aarch64
             manylinux: "2_24"
           - runner: ubuntu-24.04
@@ -40,7 +40,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Build wheels
-        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1
+        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist
@@ -70,7 +70,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Build wheels
-        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1
+        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist
@@ -96,7 +96,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Build wheels
-        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1
+        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist
@@ -121,7 +121,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Build wheels
-        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1
+        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist
@@ -139,7 +139,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Build sdist
-        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1
+        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
         with:
           command: sdist
           args: --out dist
@@ -167,12 +167,12 @@ jobs:
     steps:
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2
+        uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2
         with:
           subject-path: 'wheels-*/*'
       - name: Publish to PyPI
         if: ${{ startsWith(github.ref, 'refs/tags/') }}
-        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1
+        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
         with:
           command: upload
           args: --non-interactive --skip-existing wheels-*/*

{zizmor-1.2.2 → zizmor-1.3.0}/.github/workflows/zizmor.yml

@@ -27,7 +27,7 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
         with:
           sarif_file: results.sarif
           category: zizmor

{zizmor-1.2.2 → zizmor-1.3.0}/Cargo.lock

@@ -273,9 +273,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
 [[package]]
 name = "clap"
-version = "4.5.26"
+version = "4.5.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8eb5e908ef3a6efbe1ed62520fb7287959888c88485abe072543190ecc66783"
+checksum = "769b0145982b4b48713e01ec42d61614425f27b7058bda7180a3a41f30104796"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -293,9 +293,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.26"
+version = "4.5.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96b01801b5fc6a0a232407abc821660c9c6d25a1cafc0d4f85f29fb8d9afc121"
+checksum = "1b26884eb4b57140e4d2d93652abfa49498b938b3c9179f9fc487b0acc3edad7"
 dependencies = [
  "anstream",
  "anstyle",
@@ -616,9 +616,9 @@ checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
 
 [[package]]
 name = "github-actions-models"
-version = "0.22.0"
+version = "0.23.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ea4c30fa8bf11e002d3ca72233e7a7bac33ffce4dc50877d63a8f5a161e0cd84"
+checksum = "f2269402e4d8fe06d41aa858a0fe15a49842764334d0aacc52f5f41e11466e30"
 dependencies = [
  "indexmap",
  "serde",
@@ -972,9 +972,9 @@ dependencies = [
 
 [[package]]
 name = "indexmap"
-version = "2.7.0"
+version = "2.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f"
+checksum = "8c9c992b02b5b4c94ea26e32fe5bccb7aa7d9f390ab5c1221ff895bc7ea8b652"
 dependencies = [
  "equivalent",
  "hashbrown",
@@ -983,9 +983,9 @@ dependencies = [
 
 [[package]]
 name = "indicatif"
-version = "0.17.9"
+version = "0.17.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cbf675b85ed934d3c67b5c5469701eec7db22689d0a2139d856e0925fa28b281"
+checksum = "183b3088984b400f4cfac3620d5e076c84da5364016b4f49473de574b2586235"
 dependencies = [
  "console",
  "number_prefix",
@@ -997,13 +997,14 @@ dependencies = [
 
 [[package]]
 name = "insta"
-version = "1.42.0"
+version = "1.42.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6513e4067e16e69ed1db5ab56048ed65db32d10ba5fc1217f5393f8f17d8b5a5"
+checksum = "71c1b125e30d93896b365e156c33dadfffab45ee8400afcbba4752f59de08a86"
 dependencies = [
  "console",
  "linked-hash-map",
  "once_cell",
+ "pin-project",
  "similar",
 ]
 
@@ -1072,6 +1073,16 @@ dependencies = [
  "redox_syscall",
 ]
 
+[[package]]
+name = "line-index"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3e27e0ed5a392a7f5ba0b3808a2afccff16c64933312c84b57618b49d1209bd2"
+dependencies = [
+ "nohash-hasher",
+ "text-size",
+]
+
 [[package]]
 name = "linked-hash-map"
 version = "0.5.6"
@@ -1176,6 +1187,12 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
+[[package]]
+name = "nohash-hasher"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2bf50223579dc7cdcfb3bfcacf7069ff68243f8c363f62ffa99cf000a6b9c451"
+
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -1297,6 +1314,26 @@ dependencies = [
  "sha2",
 ]
 
+[[package]]
+name = "pin-project"
+version = "1.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e2ec53ad785f4d35dac0adea7f7dc6f1bb277ad84a680c7afefeae05d1f5916"
+dependencies = [
+ "pin-project-internal",
+]
+
+[[package]]
+name = "pin-project-internal"
+version = "1.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d56a66c0c55993aa927429d0f8a0abfd74f084e4d9c192cffed01e418d83eefb"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
 [[package]]
 name = "pin-project-lite"
 version = "0.2.15"
@@ -1766,9 +1803,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.135"
+version = "1.0.137"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b0d7ba2887406110130a978386c4e1befb98c674b4fba677954e4db976630d9"
+checksum = "930cfb6e6abf99298aaad7d29abbef7a9999a9a8806a40088f55f0dcec03146b"
 dependencies = [
  "itoa",
  "memchr",
@@ -2083,6 +2120,12 @@ version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3369f5ac52d5eb6ab48c6b4ffdc8efbcad6b89c765749064ba298f2c68a16a76"
 
+[[package]]
+name = "text-size"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f18aa187839b2bdb1ad2fa35ead8c4c2976b64e4363c386d45ac0f7ee85c9233"
+
 [[package]]
 name = "thiserror"
 version = "1.0.69"
@@ -2332,9 +2375,9 @@ dependencies = [
 
 [[package]]
 name = "tracing-indicatif"
-version = "0.3.8"
+version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "74ba258e9de86447f75edf6455fded8e5242704c6fccffe7bf8d7fb6daef1180"
+checksum = "8201ca430e0cd893ef978226fd3516c06d9c494181c8bf4e5b32e30ed4b40aa1"
 dependencies = [
  "indicatif",
  "tracing",
@@ -3108,7 +3151,7 @@ dependencies = [
 
 [[package]]
 name = "zizmor"
-version = "1.2.2"
+version = "1.3.0"
 dependencies = [
  "annotate-snippets",
  "anstream",
@@ -3126,6 +3169,7 @@ dependencies = [
  "indicatif",
  "insta",
  "itertools",
+ "line-index",
  "owo-colors",
  "pest",
  "pest_derive",

{zizmor-1.2.2 → zizmor-1.3.0}/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "zizmor"
 description = "Static analysis for GitHub Actions"
-version = "1.2.2"
+version = "1.3.0"
 edition = "2021"
 repository = "https://github.com/woodruffw/zizmor"
 homepage = "https://github.com/woodruffw/zizmor"
@@ -17,18 +17,19 @@ annotate-snippets = "0.11.5"
 anstream = "0.6.18"
 anyhow = "1.0.95"
 camino = { version = "1.1.9", features = ["serde1"] }
-clap = { version = "4.5.26", features = ["derive", "env"] }
+clap = { version = "4.5.27", features = ["derive", "env"] }
 clap-verbosity-flag = { version = "3.0.2", features = [
     "tracing",
 ], default-features = false }
 etcetera = "0.8.0"
 flate2 = "1.0.35"
-github-actions-models = "0.22.0"
+github-actions-models = "0.23.0"
 http-cache-reqwest = "0.15.0"
 human-panic = "2.0.1"
-indexmap = "2.7.0"
-indicatif = "0.17.9"
+indexmap = "2.7.1"
+indicatif = "0.17.11"
 itertools = "0.14.0"
+line-index = "0.1.2"
 owo-colors = "4.1.0"
 pest = "2.7.15"
 pest_derive = "2.7.15"
@@ -41,7 +42,7 @@ reqwest = { version = "0.12.12", features = [
 reqwest-middleware = "0.4.0"
 serde = { version = "1.0.217", features = ["derive"] }
 serde-sarif = "0.7.0"
-serde_json = "1.0.135"
+serde_json = "1.0.137"
 serde_yaml = "0.9.34"
 # TODO remove pending https://github.com/tree-sitter/tree-sitter/pull/4034
 streaming-iterator = "0.1.9"
@@ -49,7 +50,7 @@ tar = "0.4.43"
 terminal-link = "0.1.0"
 tokio = { version = "1.43.0", features = ["rt-multi-thread"] }
 tracing = "0.1.41"
-tracing-indicatif = "0.3.8"
+tracing-indicatif = "0.3.9"
 tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
 tree-sitter = "0.24.7"
 tree-sitter-bash = "0.23.3"
@@ -65,6 +66,6 @@ lto = true
 
 [dev-dependencies]
 assert_cmd = "2.0.16"
-insta = { version = "1.42.0" }
+insta = { version = "1.42.1" }
 pretty_assertions = "1.4.1"
 serde_json_path = "0.7.1"

{zizmor-1.2.2 → zizmor-1.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: zizmor
-Version: 1.2.2
+Version: 1.3.0
 License-File: LICENSE
 Summary: Static analysis for GitHub Actions
 Keywords: cli,github-actions,static-analysis,security

{zizmor-1.2.2 → zizmor-1.3.0}/docs/audits.md

@@ -849,7 +849,7 @@ not using `pull_request_target` for auto-merge workflows.
     jobs:
       automerge:
         runs-on: ubuntu-latest
-        if: github.actor == 'dependabot[bot] && github.repository == 'me/my-repo'
+        if: github.actor == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
         steps:
           - run: gh pr merge --auto --merge "$PR_URL"
             env:
@@ -865,7 +865,7 @@ not using `pull_request_target` for auto-merge workflows.
     jobs:
       automerge:
         runs-on: ubuntu-latest
-        if: github.event.pull_request.user.login == 'dependabot[bot] && github.repository == 'me/my-repo'
+        if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
         steps:
           - run: gh pr merge --auto --merge "$PR_URL"
             env:
@@ -873,6 +873,67 @@ not using `pull_request_target` for auto-merge workflows.
               GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     ```
 
+## `overprovisioned-secrets`
+
+| Type     | Examples                | Introduced in | Works offline  | Enabled by default |
+|----------|-------------------------|---------------|----------------|--------------------|
+| Workflow  | [overprovisioned-secrets.yml]   | v1.3.0      | ✅             | ✅                 |
+
+[overprovisioned-secrets.yml]: https://github.com/woodruffw/gha-hazmat/blob/main/.github/workflows/overprovisioned-secrets.yml
+
+Detects excessive sharing of the `secrets` context.
+
+Typically, users access the `secrets` context via its individual members:
+
+```yaml
+env:
+  SECRET_ONE: ${{ secrets.SECRET_ONE }}
+  SECRET_TWO: ${{ secrets.SECRET_TWO }}
+```
+
+This allows the Actions runner to only expose the secrets actually used by
+the workflow to the job environment.
+
+However, if the user instead accesses the *entire* `secrets` context:
+
+```yaml
+env:
+  SECRETS: ${{ toJson(secrets) }}
+```
+
+...then the entire `secrets` context is exposed to the runner, even if
+only a single secret is actually needed.
+
+### Remediation
+
+In general, users should avoid loading the entire `secrets` context.
+Secrets should be accessed individually by name.
+
+=== "Before :warning:"
+
+    ```yaml title="overprovisioned.yml" hl_lines="7"
+    jobs:
+      deploy:
+        runs-on: ubuntu-latest
+        steps:
+          - run: ./deploy.sh
+            env:
+              SECRETS: ${{ toJSON(secrets) }}
+    ```
+
+=== "After :white_check_mark:"
+
+    ```yaml title="overprovisioned.yml" hl_lines="7-8"
+    jobs:
+      deploy:
+        runs-on: ubuntu-latest
+        steps:
+          - run: ./deploy.sh
+            env:
+              SECRET_ONE: ${{ secrets.SECRET_ONE }}
+              SECRET_TWO: ${{ secrets.SECRET_TWO }}
+    ```
+
 [ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts]: https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
 [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests]: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
 [What the fork? Imposter commits in GitHub Actions and CI/CD]: https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd

{zizmor-1.2.2 → zizmor-1.3.0}/docs/release-notes.md

@@ -9,7 +9,35 @@ of `zizmor`.
 
 ## Next (UNRELEASED)
 
-Nothing to see here (yet!)
+Nothing to see here yet!
+
+## v1.3.0
+
+This release comes with one new audit ([overprovisioned-secrets]), plus a
+handful of bugfixes and analysis improvements to existing audits. It also
+comes with a special easter egg for those who wish to *kvell* about their
+audit results.
+
+### New Features 🌈
+
+* **New audit**: [overprovisioned-secrets] detects uses of the `secrets`
+  context that result in excessive secret provisioning (#485)
+* Added a special naches mode for when you're feeling particularly proud of
+  your audit results (#490)
+
+### Improvements 🌱
+
+* `zizmor` produces slightly more informative error messages when given
+  an invalid input file (#482)
+* Case insensitivity in contexts is now handeled more consistently
+  and pervasively (#491)
+
+### Bug Fixes 🐛
+
+* Fixed a bug where `zizmor` would fail to discover actions within
+  subdirectories of `.github/workflows` (#477)
+* Fixed a bug where `zizmor` would fail to parse composite action definitions
+  with no `name` field (#487)
 
 ## v1.2.2
 
@@ -490,3 +518,4 @@ This is one of `zizmor`'s bigger recent releases! Key enhancements include:
 [secrets-inherit]: ./audits.md#secrets-inherit
 [unpinned-uses]: ./audits.md#unpinned-uses
 [bot-conditions]: ./audits.md#bot-conditions
+[overprovisioned-secrets]: ./audits.md#overprovisioned-secrets

{zizmor-1.2.2 → zizmor-1.3.0}/docs/snippets/trophies.md

@@ -48,6 +48,22 @@
         - autotag-dev/autotag#142
 
 
+-   ![](https://github.com/BerkeleyLearnVerify.png?size=40){ width="40" loading=lazy align=left } BerkeleyLearnVerify
+
+    ---
+
+    ??? example "Examples"
+        - BerkeleyLearnVerify/Scenic#320
+
+
+-   ![](https://github.com/bitcoindevkit.png?size=40){ width="40" loading=lazy align=left } bitcoindevkit
+
+    ---
+
+    ??? example "Examples"
+        - bitcoindevkit/bdk#1778
+
+
 -   ![](https://github.com/blakeblackshear.png?size=40){ width="40" loading=lazy align=left } blakeblackshear
 
     ---
@@ -445,6 +461,15 @@
         - numpy/numpy.org#797
 
 
+-   ![](https://github.com/onnx.png?size=40){ width="40" loading=lazy align=left } onnx
+
+    ---
+
+    ??? example "Examples"
+        - onnx/onnx#6661
+        - onnx/onnx#6662
+
+
 -   ![](https://github.com/Orange-OpenSource.png?size=40){ width="40" loading=lazy align=left } Orange-OpenSource
 
     ---
@@ -514,6 +539,7 @@
     ---
 
     ??? example "Examples"
+        - pymc-devs/pymc#7624
         - pymc-devs/pytensor#1136
 
 
@@ -666,6 +692,7 @@
         - sigstore/cosign#3959
         - sigstore/fulcio#1910
         - sigstore/gitsign#602
+        - sigstore/sigstore-rs#424
 
 
 -   ![](https://github.com/simpeg.png?size=40){ width="40" loading=lazy align=left } simpeg

{zizmor-1.2.2 → zizmor-1.3.0}/docs/snippets/trophies.txt

@@ -11,6 +11,8 @@ ashishb/wp2hugo#91
 astral-sh/ruff#14844
 astropy/astropy#17315
 autotag-dev/autotag#142
+BerkeleyLearnVerify/Scenic#320
+bitcoindevkit/bdk#1778
 blakeblackshear/frigate#15490
 brian-team/brian2@d497b11a268549c0c491df2f5f9c6332c4f733d0
 cakephp/cakephp#18081
@@ -93,6 +95,8 @@ NLnetLabs/nsd#413
 NLnetLabs/unbound#1204
 numpy/numpy#27931
 numpy/numpy.org#797
+onnx/onnx#6661
+onnx/onnx#6662
 Ouranosinc/xclim#2023
 Orange-OpenSource/hurl#3574
 oxc-project/oxc#7844
@@ -105,6 +109,7 @@ pypa/packaging.python.org#1765
 pypa/pip-audit#851
 pypi/stdlib-list#138
 pypi/warehouse#16996
+pymc-devs/pymc#7624
 pymc-devs/pytensor#1136
 pytest-dev/pytest#13062
 python/bedevere#652
@@ -134,6 +139,7 @@ Saghen/blink.cmp#991
 sigstore/cosign#3959
 sigstore/fulcio#1910
 sigstore/gitsign#602
+sigstore/sigstore-rs#424
 simpeg/simpeg#1592
 termcolor/termcolor#89
 termux/termux-packages#22519

{zizmor-1.2.2 → zizmor-1.3.0}/docs/usage.md

@@ -457,7 +457,7 @@ To do so, add the following to your `.pre-commit-config.yaml` `repos` section:
 
 ```yaml
 - repo: https://github.com/woodruffw/zizmor-pre-commit
-  rev: v1.2.2 # (1)!
+  rev: v1.3.0 # (1)!
   hooks:
   - id: zizmor
 ```

{zizmor-1.2.2 → zizmor-1.3.0}/src/audit/bot_conditions.rs

@@ -2,7 +2,7 @@ use github_actions_models::common::{expr::ExplicitExpr, If};
 
 use super::{audit_meta, Audit};
 use crate::{
-    expr::{self, Expr},
+    expr::{self, Context, Expr},
     finding::{Confidence, Severity},
     models::JobExt,
 };
@@ -73,10 +73,10 @@ impl BotConditions {
                 func: _,
                 args: exprs,
             }
-            | Expr::Context {
+            | Expr::Context(Context {
                 raw: _,
                 components: exprs,
-            } => exprs
+            }) => exprs
                 .iter()
                 .map(|arg| Self::walk_tree_for_bot_condition(arg, false))
                 .reduce(|(bc, _), (bc_next, _)| (bc || bc_next, false))
@@ -92,9 +92,9 @@ impl BotConditions {
                 }
                 // == is trivially dominating.
                 expr::BinOp::Eq => match (lhs.as_ref(), rhs.as_ref()) {
-                    (Expr::Context { raw, .. }, Expr::String(s))
-                    | (Expr::String(s), Expr::Context { raw, .. }) => {
-                        if raw == "github.actor" && s.ends_with("[bot]") {
+                    (Expr::Context(ctx), Expr::String(s))
+                    | (Expr::String(s), Expr::Context(ctx)) => {
+                        if ctx == "github.actor" && s.ends_with("[bot]") {
                             (true, true)
                         } else {
                             (false, true)
@@ -132,10 +132,13 @@ impl BotConditions {
     }
 
     fn bot_condition(expr: &str) -> Option<Confidence> {
-        let Ok(expr) = (match ExplicitExpr::from_curly(expr) {
-            Some(raw_expr) => Expr::parse(raw_expr.as_bare()),
-            None => Expr::parse(expr),
-        }) else {
+        // TODO: Remove clones here.
+        let bare = match ExplicitExpr::from_curly(expr) {
+            Some(raw_expr) => raw_expr.as_bare().to_string(),
+            None => expr.to_string(),
+        };
+
+        let Ok(expr) = Expr::parse(&bare) else {
             tracing::warn!("couldn't parse expression: {expr}");
             return None;
         };
@@ -166,6 +169,8 @@ mod tests {
             // Trivial dominating cases.
             ("github.actor == 'dependabot[bot]'", Confidence::High),
             ("'dependabot[bot]' == github.actor", Confidence::High),
+            ("'dependabot[bot]' == GitHub.actor", Confidence::High),
+            ("'dependabot[bot]' == GitHub.ACTOR", Confidence::High),
             // Dominating cases with OR.
             (
                 "'dependabot[bot]' == github.actor || true",