zizmor 1.2.2__tar.gz → 1.3.1__tar.gz

{zizmor-1.2.2 → zizmor-1.3.1}/.github/workflows/ci.yml

@@ -22,7 +22,7 @@ jobs:
       - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2
 
       - name: Lint
-        run: cargo clippy -- -D warnings
+        run: cargo clippy -- -D warnings -D clippy::dbg_macro
 
   test:
     runs-on: ubuntu-latest
@@ -33,10 +33,12 @@ jobs:
 
     - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2
 
-    - uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
+    - uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2
 
     - name: Test
-      run: cargo test
+      run: cargo test --features online-tests
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Test snippets
       run: |
@@ -50,7 +52,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
+      - uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2
 
       - name: Test site
         run: make site

{zizmor-1.2.2 → zizmor-1.3.1}/.github/workflows/pypi.yml

@@ -23,7 +23,7 @@ jobs:
           - runner: ubuntu-24.04
             target: x86
             manylinux: auto
-          - runner: ubuntu-24.04-arm
+          - runner: ubuntu-24.04
             target: aarch64
             manylinux: "2_24"
           - runner: ubuntu-24.04
@@ -40,7 +40,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Build wheels
-        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1
+        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist
@@ -70,7 +70,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Build wheels
-        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1
+        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist
@@ -96,7 +96,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Build wheels
-        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1
+        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist
@@ -121,7 +121,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Build wheels
-        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1
+        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
         with:
           target: ${{ matrix.platform.target }}
           args: --release --out dist
@@ -139,7 +139,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Build sdist
-        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1
+        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
         with:
           command: sdist
           args: --out dist
@@ -167,12 +167,12 @@ jobs:
     steps:
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2
+        uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2
         with:
           subject-path: 'wheels-*/*'
       - name: Publish to PyPI
         if: ${{ startsWith(github.ref, 'refs/tags/') }}
-        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1
+        uses: PyO3/maturin-action@5f8a1b3b0aad13193f46c9131f9b9e663def8ce5 # v1
         with:
           command: upload
           args: --non-interactive --skip-existing wheels-*/*

{zizmor-1.2.2 → zizmor-1.3.1}/.github/workflows/site.yml

@@ -30,7 +30,7 @@ jobs:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
+        uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2
 
       - name: build site
         run: make site

{zizmor-1.2.2 → zizmor-1.3.1}/.github/workflows/zizmor.yml

@@ -21,13 +21,13 @@ jobs:
         with:
           persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
+        uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2
       - name: Run zizmor 🌈
         run: uvx zizmor --format sarif . > results.sarif
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
         with:
           sarif_file: results.sarif
           category: zizmor

{zizmor-1.2.2 → zizmor-1.3.1}/Cargo.lock

@@ -125,9 +125,9 @@ dependencies = [
 
 [[package]]
 name = "async-trait"
-version = "0.1.83"
+version = "0.1.86"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "721cae7de5c34fbb2acd27e21e6d2cf7b886dce0c27388d46c4e6c47ea4318dd"
+checksum = "644dd749086bf3771a2fbc5f256fdb982d53f011c7d5d560304eafeecebce79d"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -273,9 +273,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
 [[package]]
 name = "clap"
-version = "4.5.26"
+version = "4.5.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8eb5e908ef3a6efbe1ed62520fb7287959888c88485abe072543190ecc66783"
+checksum = "769b0145982b4b48713e01ec42d61614425f27b7058bda7180a3a41f30104796"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -293,9 +293,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.26"
+version = "4.5.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "96b01801b5fc6a0a232407abc821660c9c6d25a1cafc0d4f85f29fb8d9afc121"
+checksum = "1b26884eb4b57140e4d2d93652abfa49498b938b3c9179f9fc487b0acc3edad7"
 dependencies = [
  "anstream",
  "anstyle",
@@ -616,9 +616,9 @@ checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
 
 [[package]]
 name = "github-actions-models"
-version = "0.22.0"
+version = "0.25.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ea4c30fa8bf11e002d3ca72233e7a7bac33ffce4dc50877d63a8f5a161e0cd84"
+checksum = "d3d33cc977e9aaa73b0e447c5c387e1720dcdfbc54e7f86e32c76e2a78bfcb9c"
 dependencies = [
  "indexmap",
  "serde",
@@ -660,9 +660,9 @@ dependencies = [
 
 [[package]]
 name = "http"
-version = "1.1.0"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21b9ddb458710bc376481b842f5da65cdf31522de232c1ca8146abce2a358258"
+checksum = "f16ca2af56261c99fba8bac40a10251ce8188205a4c448fbb745a2e4daa76fea"
 dependencies = [
  "bytes",
  "fnv",
@@ -694,9 +694,9 @@ dependencies = [
 
 [[package]]
 name = "http-cache"
-version = "0.20.0"
+version = "0.20.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "33b65cd1687caf2c7fff496741a2f264c26f54e6d6cec03dac8f276fa4e5430e"
+checksum = "7e883defacf53960c7717d9e928dc8667be9501d9f54e6a8b7703d7a30320e9c"
 dependencies = [
  "async-trait",
  "bincode",
@@ -710,9 +710,9 @@ dependencies = [
 
 [[package]]
 name = "http-cache-reqwest"
-version = "0.15.0"
+version = "0.15.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "735586904a5ce0c13877c57cb4eb8195eb7c11ec1ffd64d4db053fb8559ca62e"
+checksum = "e076afd9d376f09073b515ce95071b29393687d98ed521948edb899195595ddf"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -972,9 +972,9 @@ dependencies = [
 
 [[package]]
 name = "indexmap"
-version = "2.7.0"
+version = "2.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f"
+checksum = "8c9c992b02b5b4c94ea26e32fe5bccb7aa7d9f390ab5c1221ff895bc7ea8b652"
 dependencies = [
  "equivalent",
  "hashbrown",
@@ -983,9 +983,9 @@ dependencies = [
 
 [[package]]
 name = "indicatif"
-version = "0.17.9"
+version = "0.17.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cbf675b85ed934d3c67b5c5469701eec7db22689d0a2139d856e0925fa28b281"
+checksum = "183b3088984b400f4cfac3620d5e076c84da5364016b4f49473de574b2586235"
 dependencies = [
  "console",
  "number_prefix",
@@ -997,13 +997,14 @@ dependencies = [
 
 [[package]]
 name = "insta"
-version = "1.42.0"
+version = "1.42.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6513e4067e16e69ed1db5ab56048ed65db32d10ba5fc1217f5393f8f17d8b5a5"
+checksum = "71c1b125e30d93896b365e156c33dadfffab45ee8400afcbba4752f59de08a86"
 dependencies = [
  "console",
  "linked-hash-map",
  "once_cell",
+ "pin-project",
  "similar",
 ]
 
@@ -1072,6 +1073,16 @@ dependencies = [
  "redox_syscall",
 ]
 
+[[package]]
+name = "line-index"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3e27e0ed5a392a7f5ba0b3808a2afccff16c64933312c84b57618b49d1209bd2"
+dependencies = [
+ "nohash-hasher",
+ "text-size",
+]
+
 [[package]]
 name = "linked-hash-map"
 version = "0.5.6"
@@ -1176,6 +1187,12 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
+[[package]]
+name = "nohash-hasher"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2bf50223579dc7cdcfb3bfcacf7069ff68243f8c363f62ffa99cf000a6b9c451"
+
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -1297,6 +1314,26 @@ dependencies = [
  "sha2",
 ]
 
+[[package]]
+name = "pin-project"
+version = "1.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e2ec53ad785f4d35dac0adea7f7dc6f1bb277ad84a680c7afefeae05d1f5916"
+dependencies = [
+ "pin-project-internal",
+]
+
+[[package]]
+name = "pin-project-internal"
+version = "1.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d56a66c0c55993aa927429d0f8a0abfd74f084e4d9c192cffed01e418d83eefb"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.90",
+]
+
 [[package]]
 name = "pin-project-lite"
 version = "0.2.15"
@@ -1766,9 +1803,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.135"
+version = "1.0.138"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b0d7ba2887406110130a978386c4e1befb98c674b4fba677954e4db976630d9"
+checksum = "d434192e7da787e94a6ea7e9670b26a036d0ca41e0b7efb2676dd32bae872949"
 dependencies = [
  "itoa",
  "memchr",
@@ -2083,6 +2120,12 @@ version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3369f5ac52d5eb6ab48c6b4ffdc8efbcad6b89c765749064ba298f2c68a16a76"
 
+[[package]]
+name = "text-size"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f18aa187839b2bdb1ad2fa35ead8c4c2976b64e4363c386d45ac0f7ee85c9233"
+
 [[package]]
 name = "thiserror"
 version = "1.0.69"
@@ -2332,9 +2375,9 @@ dependencies = [
 
 [[package]]
 name = "tracing-indicatif"
-version = "0.3.8"
+version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "74ba258e9de86447f75edf6455fded8e5242704c6fccffe7bf8d7fb6daef1180"
+checksum = "8201ca430e0cd893ef978226fd3516c06d9c494181c8bf4e5b32e30ed4b40aa1"
 dependencies = [
  "indicatif",
  "tracing",
@@ -3108,7 +3151,7 @@ dependencies = [
 
 [[package]]
 name = "zizmor"
-version = "1.2.2"
+version = "1.3.1"
 dependencies = [
  "annotate-snippets",
  "anstream",
@@ -3126,6 +3169,7 @@ dependencies = [
  "indicatif",
  "insta",
  "itertools",
+ "line-index",
  "owo-colors",
  "pest",
  "pest_derive",

{zizmor-1.2.2 → zizmor-1.3.1}/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "zizmor"
 description = "Static analysis for GitHub Actions"
-version = "1.2.2"
+version = "1.3.1"
 edition = "2021"
 repository = "https://github.com/woodruffw/zizmor"
 homepage = "https://github.com/woodruffw/zizmor"
@@ -12,23 +12,30 @@ keywords = ["cli", "github-actions", "static-analysis", "security"]
 categories = ["command-line-utilities"]
 rust-version = "1.80.1"
 
+[features]
+# Test-only: enable online audits that make use of a GitHub token via GH_TOKEN.
+gh-token-tests = []
+# Test-only: enable all online audits.
+online-tests = ["gh-token-tests"]
+
 [dependencies]
 annotate-snippets = "0.11.5"
 anstream = "0.6.18"
 anyhow = "1.0.95"
 camino = { version = "1.1.9", features = ["serde1"] }
-clap = { version = "4.5.26", features = ["derive", "env"] }
+clap = { version = "4.5.27", features = ["derive", "env"] }
 clap-verbosity-flag = { version = "3.0.2", features = [
     "tracing",
 ], default-features = false }
 etcetera = "0.8.0"
 flate2 = "1.0.35"
-github-actions-models = "0.22.0"
-http-cache-reqwest = "0.15.0"
+github-actions-models = "0.25.0"
+http-cache-reqwest = "0.15.1"
 human-panic = "2.0.1"
-indexmap = "2.7.0"
-indicatif = "0.17.9"
+indexmap = "2.7.1"
+indicatif = "0.17.11"
 itertools = "0.14.0"
+line-index = "0.1.2"
 owo-colors = "4.1.0"
 pest = "2.7.15"
 pest_derive = "2.7.15"
@@ -41,7 +48,7 @@ reqwest = { version = "0.12.12", features = [
 reqwest-middleware = "0.4.0"
 serde = { version = "1.0.217", features = ["derive"] }
 serde-sarif = "0.7.0"
-serde_json = "1.0.135"
+serde_json = "1.0.138"
 serde_yaml = "0.9.34"
 # TODO remove pending https://github.com/tree-sitter/tree-sitter/pull/4034
 streaming-iterator = "0.1.9"
@@ -49,7 +56,7 @@ tar = "0.4.43"
 terminal-link = "0.1.0"
 tokio = { version = "1.43.0", features = ["rt-multi-thread"] }
 tracing = "0.1.41"
-tracing-indicatif = "0.3.8"
+tracing-indicatif = "0.3.9"
 tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
 tree-sitter = "0.24.7"
 tree-sitter-bash = "0.23.3"
@@ -65,6 +72,6 @@ lto = true
 
 [dev-dependencies]
 assert_cmd = "2.0.16"
-insta = { version = "1.42.0" }
+insta = { version = "1.42.1" }
 pretty_assertions = "1.4.1"
 serde_json_path = "0.7.1"

{zizmor-1.2.2 → zizmor-1.3.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: zizmor
-Version: 1.2.2
+Version: 1.3.1
 License-File: LICENSE
 Summary: Static analysis for GitHub Actions
 Keywords: cli,github-actions,static-analysis,security
@@ -19,8 +19,18 @@ Project-URL: Source Code, https://github.com/woodruffw/zizmor
 [![Packaging status](https://repology.org/badge/tiny-repos/zizmor.svg)](https://repology.org/project/zizmor/versions)
 [![GitHub Sponsors](https://img.shields.io/github/sponsors/woodruffw?style=flat&logo=githubsponsors&labelColor=white&color=white)](https://github.com/sponsors/woodruffw)
 
-`zizmor` is a static analysis tool for GitHub Actions. It can find
-many common security issues in typical GitHub Actions CI/CD setups.
+`zizmor` is a static analysis tool for GitHub Actions.
+
+It can find many common security issues in typical GitHub Actions CI/CD setups,
+including:
+
+* Template injection vulnerabilities, leading to attacker-controlled code execution
+* Accidental credential persistence and leakage
+* Excessive permission scopes and credential grants to runners
+* Impostor commits and confusable `git` references
+* ...[and much more]!
+
+[and much more]: https://woodruffw.github.io/zizmor/audits/
 
 ![zizmor demo](https://raw.githubusercontent.com/woodruffw/zizmor/main/docs/assets/zizmor-demo.gif)
 

{zizmor-1.2.2 → zizmor-1.3.1}/README.md

@@ -5,8 +5,18 @@
 [![Packaging status](https://repology.org/badge/tiny-repos/zizmor.svg)](https://repology.org/project/zizmor/versions)
 [![GitHub Sponsors](https://img.shields.io/github/sponsors/woodruffw?style=flat&logo=githubsponsors&labelColor=white&color=white)](https://github.com/sponsors/woodruffw)
 
-`zizmor` is a static analysis tool for GitHub Actions. It can find
-many common security issues in typical GitHub Actions CI/CD setups.
+`zizmor` is a static analysis tool for GitHub Actions.
+
+It can find many common security issues in typical GitHub Actions CI/CD setups,
+including:
+
+* Template injection vulnerabilities, leading to attacker-controlled code execution
+* Accidental credential persistence and leakage
+* Excessive permission scopes and credential grants to runners
+* Impostor commits and confusable `git` references
+* ...[and much more]!
+
+[and much more]: https://woodruffw.github.io/zizmor/audits/
 
 ![zizmor demo](https://raw.githubusercontent.com/woodruffw/zizmor/main/docs/assets/zizmor-demo.gif)
 

{zizmor-1.2.2 → zizmor-1.3.1}/docs/audits.md

@@ -849,7 +849,7 @@ not using `pull_request_target` for auto-merge workflows.
     jobs:
       automerge:
         runs-on: ubuntu-latest
-        if: github.actor == 'dependabot[bot] && github.repository == 'me/my-repo'
+        if: github.actor == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
         steps:
           - run: gh pr merge --auto --merge "$PR_URL"
             env:
@@ -865,7 +865,7 @@ not using `pull_request_target` for auto-merge workflows.
     jobs:
       automerge:
         runs-on: ubuntu-latest
-        if: github.event.pull_request.user.login == 'dependabot[bot] && github.repository == 'me/my-repo'
+        if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
         steps:
           - run: gh pr merge --auto --merge "$PR_URL"
             env:
@@ -873,6 +873,67 @@ not using `pull_request_target` for auto-merge workflows.
               GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     ```
 
+## `overprovisioned-secrets`
+
+| Type     | Examples                | Introduced in | Works offline  | Enabled by default |
+|----------|-------------------------|---------------|----------------|--------------------|
+| Workflow  | [overprovisioned-secrets.yml]   | v1.3.0      | ✅             | ✅                 |
+
+[overprovisioned-secrets.yml]: https://github.com/woodruffw/gha-hazmat/blob/main/.github/workflows/overprovisioned-secrets.yml
+
+Detects excessive sharing of the `secrets` context.
+
+Typically, users access the `secrets` context via its individual members:
+
+```yaml
+env:
+  SECRET_ONE: ${{ secrets.SECRET_ONE }}
+  SECRET_TWO: ${{ secrets.SECRET_TWO }}
+```
+
+This allows the Actions runner to only expose the secrets actually used by
+the workflow to the job environment.
+
+However, if the user instead accesses the *entire* `secrets` context:
+
+```yaml
+env:
+  SECRETS: ${{ toJson(secrets) }}
+```
+
+...then the entire `secrets` context is exposed to the runner, even if
+only a single secret is actually needed.
+
+### Remediation
+
+In general, users should avoid loading the entire `secrets` context.
+Secrets should be accessed individually by name.
+
+=== "Before :warning:"
+
+    ```yaml title="overprovisioned.yml" hl_lines="7"
+    jobs:
+      deploy:
+        runs-on: ubuntu-latest
+        steps:
+          - run: ./deploy.sh
+            env:
+              SECRETS: ${{ toJSON(secrets) }}
+    ```
+
+=== "After :white_check_mark:"
+
+    ```yaml title="overprovisioned.yml" hl_lines="7-8"
+    jobs:
+      deploy:
+        runs-on: ubuntu-latest
+        steps:
+          - run: ./deploy.sh
+            env:
+              SECRET_ONE: ${{ secrets.SECRET_ONE }}
+              SECRET_TWO: ${{ secrets.SECRET_TWO }}
+    ```
+
 [ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artifacts]: https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
 [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests]: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
 [What the fork? Imposter commits in GitHub Actions and CI/CD]: https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd

{zizmor-1.2.2 → zizmor-1.3.1}/docs/development.md

@@ -90,6 +90,21 @@ cargo test --test snapshot
 cargo test
 ```
 
+### Online tests
+
+`zizmor` has some online tests that are ignored by default. These
+tests are gated behind crate features:
+
+- `gh-token-tests`: Enable online tests that use the GitHub API.
+- `online-tests`: Enable all online tests, including `gh-token-tests`.
+
+To run these successfully, you'll need to set the `GH_TOKEN` environment
+variable and pass the `--features` flag to `cargo test`:
+
+```bash
+GH_TOKEN=$(gh auth token) cargo test --features online-tests
+```
+
 ### Writing snapshot tests
 
 `zizmor` uses @mitsuhiko/insta for snapshot testing.
@@ -215,9 +230,9 @@ Some things that can be useful to discuss beforehand:
 When developing a new `zizmor` audit, there are a couple of implementation details to be aware of:
 
 - All existing audits live in a Rust modules grouped under `src/audit` folder
-- The expected behavior for all audits is defined by the `WorkflowAudit` trait at `src/audit/mod.rs`
+- The expected behavior for all audits is defined by the `Audit` trait at `src/audit/mod.rs`
 - The expected outcome of an executed audit is defined by the `Finding` struct at `src/finding/mod.rs`
-- Any `WorkflowAudit` implementation can have access to an `AuditState` instance, as per `src/state.rs`
+- Any `Audit` implementation can have access to an `AuditState` instance, as per `src/state.rs`
 - If an audit requires data from the GitHub API, there is a `Client` implementation at `src/github_api.rs`
 - All the audits must be registered at `src/main.rs` according to the `register_audit!` macro
 
@@ -233,12 +248,12 @@ cargo test
 
 !!! tip
 
-    `WorkflowAudit` has various default implementations that are useful if your
+    `Audit` has various default implementations that are useful if your
     audit only needs to look at individual jobs, steps, etc.
 
-    For example, you may want to implement `WorkflowAudit::audit_step` to
+    For example, you may want to implement `Audit::audit_step` to
     audit each step individually rather than having to iterate from the workflow
-    downwards with `WorkflowAudit::audit`.
+    downwards with `Audit::audit`.
 
 !!! tip
 
@@ -248,8 +263,8 @@ The general procedure for adding a new audit can be described as:
 
 - Define a new file at `src/audit/my_new_audit.rs`
 - Define a struct like `MyNewAudit`
-- Use the `audit_meta!` macro to implement `Audit` for `MyNewAudit`
-- Implement the `WorkflowAudit` trait for `MyNewAudit`
+- Use the `audit_meta!` macro to implement `AuditCore` for `MyNewAudit`
+- Implement the `Audit` trait for `MyNewAudit`
     - You may want to use both the `AuditState` and `github_api::Client` to get the job done
 - Assign the proper `location` when creating a `Finding`, grabbing it from the
   proper `Workflow`, `Job` or `Step` instance