zizmor 1.3.0__tar.gz → 1.3.1__tar.gz

{zizmor-1.3.0 → zizmor-1.3.1}/.github/workflows/ci.yml

@@ -33,10 +33,12 @@ jobs:
 
     - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2
 
-    - uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
+    - uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2
 
     - name: Test
-      run: cargo test
+      run: cargo test --features online-tests
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Test snippets
       run: |
@@ -50,7 +52,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
+      - uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2
 
       - name: Test site
         run: make site

{zizmor-1.3.0 → zizmor-1.3.1}/.github/workflows/site.yml

@@ -30,7 +30,7 @@ jobs:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
+        uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2
 
       - name: build site
         run: make site

{zizmor-1.3.0 → zizmor-1.3.1}/.github/workflows/zizmor.yml

@@ -21,13 +21,13 @@ jobs:
         with:
           persist-credentials: false
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
+        uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355 # v5.2.2
       - name: Run zizmor 🌈
         run: uvx zizmor --format sarif . > results.sarif
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
         with:
           sarif_file: results.sarif
           category: zizmor

{zizmor-1.3.0 → zizmor-1.3.1}/Cargo.lock

@@ -125,9 +125,9 @@ dependencies = [
 
 [[package]]
 name = "async-trait"
-version = "0.1.83"
+version = "0.1.86"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "721cae7de5c34fbb2acd27e21e6d2cf7b886dce0c27388d46c4e6c47ea4318dd"
+checksum = "644dd749086bf3771a2fbc5f256fdb982d53f011c7d5d560304eafeecebce79d"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -616,9 +616,9 @@ checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
 
 [[package]]
 name = "github-actions-models"
-version = "0.23.0"
+version = "0.25.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2269402e4d8fe06d41aa858a0fe15a49842764334d0aacc52f5f41e11466e30"
+checksum = "d3d33cc977e9aaa73b0e447c5c387e1720dcdfbc54e7f86e32c76e2a78bfcb9c"
 dependencies = [
  "indexmap",
  "serde",
@@ -660,9 +660,9 @@ dependencies = [
 
 [[package]]
 name = "http"
-version = "1.1.0"
+version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21b9ddb458710bc376481b842f5da65cdf31522de232c1ca8146abce2a358258"
+checksum = "f16ca2af56261c99fba8bac40a10251ce8188205a4c448fbb745a2e4daa76fea"
 dependencies = [
  "bytes",
  "fnv",
@@ -694,9 +694,9 @@ dependencies = [
 
 [[package]]
 name = "http-cache"
-version = "0.20.0"
+version = "0.20.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "33b65cd1687caf2c7fff496741a2f264c26f54e6d6cec03dac8f276fa4e5430e"
+checksum = "7e883defacf53960c7717d9e928dc8667be9501d9f54e6a8b7703d7a30320e9c"
 dependencies = [
  "async-trait",
  "bincode",
@@ -710,9 +710,9 @@ dependencies = [
 
 [[package]]
 name = "http-cache-reqwest"
-version = "0.15.0"
+version = "0.15.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "735586904a5ce0c13877c57cb4eb8195eb7c11ec1ffd64d4db053fb8559ca62e"
+checksum = "e076afd9d376f09073b515ce95071b29393687d98ed521948edb899195595ddf"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -1803,9 +1803,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.137"
+version = "1.0.138"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "930cfb6e6abf99298aaad7d29abbef7a9999a9a8806a40088f55f0dcec03146b"
+checksum = "d434192e7da787e94a6ea7e9670b26a036d0ca41e0b7efb2676dd32bae872949"
 dependencies = [
  "itoa",
  "memchr",
@@ -3151,7 +3151,7 @@ dependencies = [
 
 [[package]]
 name = "zizmor"
-version = "1.3.0"
+version = "1.3.1"
 dependencies = [
  "annotate-snippets",
  "anstream",

{zizmor-1.3.0 → zizmor-1.3.1}/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "zizmor"
 description = "Static analysis for GitHub Actions"
-version = "1.3.0"
+version = "1.3.1"
 edition = "2021"
 repository = "https://github.com/woodruffw/zizmor"
 homepage = "https://github.com/woodruffw/zizmor"
@@ -12,6 +12,12 @@ keywords = ["cli", "github-actions", "static-analysis", "security"]
 categories = ["command-line-utilities"]
 rust-version = "1.80.1"
 
+[features]
+# Test-only: enable online audits that make use of a GitHub token via GH_TOKEN.
+gh-token-tests = []
+# Test-only: enable all online audits.
+online-tests = ["gh-token-tests"]
+
 [dependencies]
 annotate-snippets = "0.11.5"
 anstream = "0.6.18"
@@ -23,8 +29,8 @@ clap-verbosity-flag = { version = "3.0.2", features = [
 ], default-features = false }
 etcetera = "0.8.0"
 flate2 = "1.0.35"
-github-actions-models = "0.23.0"
-http-cache-reqwest = "0.15.0"
+github-actions-models = "0.25.0"
+http-cache-reqwest = "0.15.1"
 human-panic = "2.0.1"
 indexmap = "2.7.1"
 indicatif = "0.17.11"
@@ -42,7 +48,7 @@ reqwest = { version = "0.12.12", features = [
 reqwest-middleware = "0.4.0"
 serde = { version = "1.0.217", features = ["derive"] }
 serde-sarif = "0.7.0"
-serde_json = "1.0.137"
+serde_json = "1.0.138"
 serde_yaml = "0.9.34"
 # TODO remove pending https://github.com/tree-sitter/tree-sitter/pull/4034
 streaming-iterator = "0.1.9"

{zizmor-1.3.0 → zizmor-1.3.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: zizmor
-Version: 1.3.0
+Version: 1.3.1
 License-File: LICENSE
 Summary: Static analysis for GitHub Actions
 Keywords: cli,github-actions,static-analysis,security
@@ -19,8 +19,18 @@ Project-URL: Source Code, https://github.com/woodruffw/zizmor
 [![Packaging status](https://repology.org/badge/tiny-repos/zizmor.svg)](https://repology.org/project/zizmor/versions)
 [![GitHub Sponsors](https://img.shields.io/github/sponsors/woodruffw?style=flat&logo=githubsponsors&labelColor=white&color=white)](https://github.com/sponsors/woodruffw)
 
-`zizmor` is a static analysis tool for GitHub Actions. It can find
-many common security issues in typical GitHub Actions CI/CD setups.
+`zizmor` is a static analysis tool for GitHub Actions.
+
+It can find many common security issues in typical GitHub Actions CI/CD setups,
+including:
+
+* Template injection vulnerabilities, leading to attacker-controlled code execution
+* Accidental credential persistence and leakage
+* Excessive permission scopes and credential grants to runners
+* Impostor commits and confusable `git` references
+* ...[and much more]!
+
+[and much more]: https://woodruffw.github.io/zizmor/audits/
 
 ![zizmor demo](https://raw.githubusercontent.com/woodruffw/zizmor/main/docs/assets/zizmor-demo.gif)
 

{zizmor-1.3.0 → zizmor-1.3.1}/README.md

@@ -5,8 +5,18 @@
 [![Packaging status](https://repology.org/badge/tiny-repos/zizmor.svg)](https://repology.org/project/zizmor/versions)
 [![GitHub Sponsors](https://img.shields.io/github/sponsors/woodruffw?style=flat&logo=githubsponsors&labelColor=white&color=white)](https://github.com/sponsors/woodruffw)
 
-`zizmor` is a static analysis tool for GitHub Actions. It can find
-many common security issues in typical GitHub Actions CI/CD setups.
+`zizmor` is a static analysis tool for GitHub Actions.
+
+It can find many common security issues in typical GitHub Actions CI/CD setups,
+including:
+
+* Template injection vulnerabilities, leading to attacker-controlled code execution
+* Accidental credential persistence and leakage
+* Excessive permission scopes and credential grants to runners
+* Impostor commits and confusable `git` references
+* ...[and much more]!
+
+[and much more]: https://woodruffw.github.io/zizmor/audits/
 
 ![zizmor demo](https://raw.githubusercontent.com/woodruffw/zizmor/main/docs/assets/zizmor-demo.gif)
 

{zizmor-1.3.0 → zizmor-1.3.1}/docs/development.md

@@ -90,6 +90,21 @@ cargo test --test snapshot
 cargo test
 ```
 
+### Online tests
+
+`zizmor` has some online tests that are ignored by default. These
+tests are gated behind crate features:
+
+- `gh-token-tests`: Enable online tests that use the GitHub API.
+- `online-tests`: Enable all online tests, including `gh-token-tests`.
+
+To run these successfully, you'll need to set the `GH_TOKEN` environment
+variable and pass the `--features` flag to `cargo test`:
+
+```bash
+GH_TOKEN=$(gh auth token) cargo test --features online-tests
+```
+
 ### Writing snapshot tests
 
 `zizmor` uses @mitsuhiko/insta for snapshot testing.
@@ -215,9 +230,9 @@ Some things that can be useful to discuss beforehand:
 When developing a new `zizmor` audit, there are a couple of implementation details to be aware of:
 
 - All existing audits live in a Rust modules grouped under `src/audit` folder
-- The expected behavior for all audits is defined by the `WorkflowAudit` trait at `src/audit/mod.rs`
+- The expected behavior for all audits is defined by the `Audit` trait at `src/audit/mod.rs`
 - The expected outcome of an executed audit is defined by the `Finding` struct at `src/finding/mod.rs`
-- Any `WorkflowAudit` implementation can have access to an `AuditState` instance, as per `src/state.rs`
+- Any `Audit` implementation can have access to an `AuditState` instance, as per `src/state.rs`
 - If an audit requires data from the GitHub API, there is a `Client` implementation at `src/github_api.rs`
 - All the audits must be registered at `src/main.rs` according to the `register_audit!` macro
 
@@ -233,12 +248,12 @@ cargo test
 
 !!! tip
 
-    `WorkflowAudit` has various default implementations that are useful if your
+    `Audit` has various default implementations that are useful if your
     audit only needs to look at individual jobs, steps, etc.
 
-    For example, you may want to implement `WorkflowAudit::audit_step` to
+    For example, you may want to implement `Audit::audit_step` to
     audit each step individually rather than having to iterate from the workflow
-    downwards with `WorkflowAudit::audit`.
+    downwards with `Audit::audit`.
 
 !!! tip
 
@@ -248,8 +263,8 @@ The general procedure for adding a new audit can be described as:
 
 - Define a new file at `src/audit/my_new_audit.rs`
 - Define a struct like `MyNewAudit`
-- Use the `audit_meta!` macro to implement `Audit` for `MyNewAudit`
-- Implement the `WorkflowAudit` trait for `MyNewAudit`
+- Use the `audit_meta!` macro to implement `AuditCore` for `MyNewAudit`
+- Implement the `Audit` trait for `MyNewAudit`
     - You may want to use both the `AuditState` and `github_api::Client` to get the job done
 - Assign the proper `location` when creating a `Finding`, grabbing it from the
   proper `Workflow`, `Job` or `Step` instance

{zizmor-1.3.0 → zizmor-1.3.1}/docs/release-notes.md

@@ -9,7 +9,27 @@ of `zizmor`.
 
 ## Next (UNRELEASED)
 
-Nothing to see here yet!
+Nothing yet!
+
+## v1.3.1
+
+### Improvements 🌱
+
+* Passing both `--offline` and a GitHub token (either implicitly with
+  `GH_TOKEN` or explicitly with `--gh-token`) no longer results in an
+  error. `--offline` is now given precedence, regardless of
+  any other flags or environment settings (#519)
+
+### Bug Fixes 🐛
+
+* Fixed a bug where `zizmor` would fail to parse composite actions with
+  inputs/outputs that are missing descriptions (#502)
+* Expressions that contain indices with non-semantic whitespace are now parsed
+  correctly (#511)
+* Fixed a false positive in [ref-confusion] where partial tag matches were
+  incorrectly considered confusable (#519)
+* Fixed a bug where `zizmor` would fail to parse workflow definitions with
+  an expression inside `strategy.max-parallel` (#522)
 
 ## v1.3.0
 

{zizmor-1.3.0 → zizmor-1.3.1}/docs/snippets/trophies.md

@@ -16,6 +16,16 @@
         - apache/opennlp#736
 
 
+-   ![](https://github.com/artichoke.png?size=40){ width="40" loading=lazy align=left } artichoke
+
+    ---
+
+    ??? example "Examples"
+        - artichoke/boba#265
+        - artichoke/project-infrastructure#683
+        - artichoke/setup-rust#121
+
+
 -   ![](https://github.com/ashishb.png?size=40){ width="40" loading=lazy align=left } ashishb
 
     ---
@@ -419,6 +429,14 @@
         - mongodb-labs/flask-pymongo#170
 
 
+-   ![](https://github.com/mozilla.png?size=40){ width="40" loading=lazy align=left } mozilla
+
+    ---
+
+    ??? example "Examples"
+        - mozilla/neqo#2413
+
+
 -   ![](https://github.com/narwhals-dev.png?size=40){ width="40" loading=lazy align=left } narwhals-dev
 
     ---
@@ -631,6 +649,7 @@
 
     ??? example "Examples"
         - python-telegram-bot/python-telegram-bot#4606
+        - python-telegram-bot/python-telegram-bot#4668
 
 
 -   ![](https://github.com/python-trio.png?size=40){ width="40" loading=lazy align=left } python-trio
@@ -641,6 +660,14 @@
         - python-trio/trio#3154
 
 
+-   ![](https://github.com/pyvista.png?size=40){ width="40" loading=lazy align=left } pyvista
+
+    ---
+
+    ??? example "Examples"
+        - pyvista/pyvista#7006
+
+
 -   ![](https://github.com/PyVRP.png?size=40){ width="40" loading=lazy align=left } PyVRP
 
     ---
@@ -684,6 +711,30 @@
         - Saghen/blink.cmp#991
 
 
+-   ![](https://github.com/scientific-python.png?size=40){ width="40" loading=lazy align=left } scientific-python
+
+    ---
+
+    ??? example "Examples"
+        - scientific-python/repo-review#257
+
+
+-   ![](https://github.com/scikit-build.png?size=40){ width="40" loading=lazy align=left } scikit-build
+
+    ---
+
+    ??? example "Examples"
+        - scikit-build/scikit-build-core#983
+
+
+-   ![](https://github.com/scikit-image.png?size=40){ width="40" loading=lazy align=left } scikit-image
+
+    ---
+
+    ??? example "Examples"
+        - scikit-image/scikit-image#7662
+
+
 -   ![](https://github.com/sigstore.png?size=40){ width="40" loading=lazy align=left } sigstore
 
     ---
@@ -799,6 +850,22 @@
         - wagtail/wagtail-localize#843
 
 
+-   ![](https://github.com/wntrblm.png?size=40){ width="40" loading=lazy align=left } wntrblm
+
+    ---
+
+    ??? example "Examples"
+        - wntrblm/nox#925
+
+
+-   ![](https://github.com/zcash.png?size=40){ width="40" loading=lazy align=left } zcash
+
+    ---
+
+    ??? example "Examples"
+        - zcash/librustzcash#1679
+
+
 -   ![](https://github.com/zkonduit.png?size=40){ width="40" loading=lazy align=left } zkonduit
 
     ---

{zizmor-1.3.0 → zizmor-1.3.1}/docs/snippets/trophies.txt

@@ -7,6 +7,9 @@
 adafruit/circuitpython#9785
 apache/airflow#45408
 apache/opennlp#736
+artichoke/boba#265
+artichoke/project-infrastructure#683
+artichoke/setup-rust#121
 ashishb/wp2hugo#91
 astral-sh/ruff#14844
 astropy/astropy#17315
@@ -88,6 +91,7 @@ MoarVM/MoarVM#1875
 mongodb/motor#312
 mongodb/mongo-python-driver#2001
 mongodb-labs/flask-pymongo#170
+mozilla/neqo#2413
 narwhals-dev/narwhals#1567
 NetApp/harvest#3247
 nextcloud/.github#477
@@ -126,7 +130,9 @@ python-poetry/poetry-core#799
 python-poetry/poetry-plugin-export#308
 python-poetry/poetry-plugin-bundle#125
 python-telegram-bot/python-telegram-bot#4606
+python-telegram-bot/python-telegram-bot#4668
 python-trio/trio#3154
+pyvista/pyvista#7006
 PyVRP/PyVRP#670
 PyO3/pyo3#4774
 rubygems/rubygems.org#5350
@@ -136,6 +142,9 @@ rustls/rustls#2261
 rustls/tokio-rustls#96
 rustls/webpki#299
 Saghen/blink.cmp#991
+scientific-python/repo-review#257
+scikit-build/scikit-build-core#983
+scikit-image/scikit-image#7662
 sigstore/cosign#3959
 sigstore/fulcio#1910
 sigstore/gitsign#602
@@ -153,5 +162,7 @@ uutils/coreutils#6973
 ViaVersion/ViaVersion#4315
 vlang/v#22681
 wagtail/wagtail-localize#843
+wntrblm/nox#925
+zcash/librustzcash#1679
 zkonduit/ezkl#907
 zkonduit/ezkl#906

{zizmor-1.3.0 → zizmor-1.3.1}/docs/usage.md

@@ -457,7 +457,7 @@ To do so, add the following to your `.pre-commit-config.yaml` `repos` section:
 
 ```yaml
 - repo: https://github.com/woodruffw/zizmor-pre-commit
-  rev: v1.3.0 # (1)!
+  rev: v1.3.1 # (1)!
   hooks:
   - id: zizmor
 ```

{zizmor-1.3.0 → zizmor-1.3.1}/src/expr/expr.pest

@@ -73,7 +73,7 @@ null = { "null" }
 context    = ${ (function_call | identifier) ~ (("." ~ (identifier | star)) | index)* }
 star       =  { "*" }
 identifier = @{ (ASCII_ALPHA | "_" | "-") ~ (ASCII_ALPHANUMERIC | "_" | "-")* }
-index      =  { ("[" ~ (or_expr | star) ~ "]") }
+index      = !{ ("[" ~ (or_expr | star) ~ "]") }
 
 /// Function calls
 function_call = !{ identifier ~ "(" ~ (or_expr ~ ("," ~ or_expr)*)? ~ ")" }

{zizmor-1.3.0 → zizmor-1.3.1}/src/expr/mod.rs

@@ -527,6 +527,10 @@ mod tests {
             "foo()[0]",
             "fromJson(steps.runs.outputs.data).workflow_runs[0].id",
             multiline,
+            "'a' == 'b' && 'c' || 'd'",
+            "github.event['a']",
+            "github.event['a' == 'b']",
+            "github.event['a' == 'b' && 'c' || 'd']",
         ];
 
         for case in cases {

{zizmor-1.3.0 → zizmor-1.3.1}/src/github_api.rs

@@ -182,7 +182,7 @@ impl Client {
     #[tokio::main]
     pub(crate) async fn has_tag(&self, owner: &str, repo: &str, tag: &str) -> Result<bool> {
         let url = format!(
-            "{api_base}/repos/{owner}/{repo}/git/refs/tags/{tag}",
+            "{api_base}/repos/{owner}/{repo}/git/ref/tags/{tag}",
             api_base = self.api_base
         );
 

{zizmor-1.3.0 → zizmor-1.3.1}/src/main.rs

@@ -50,8 +50,7 @@ struct App {
     ///
     /// This disables all online audit rules, and prevents zizmor from
     /// auditing remote repositories.
-    #[arg(short, long, env = "ZIZMOR_OFFLINE",
-        conflicts_with_all = ["gh_token", "gh_hostname"])]
+    #[arg(short, long, env = "ZIZMOR_OFFLINE")]
     offline: bool,
 
     /// The GitHub API token to use.
@@ -330,6 +329,14 @@ fn run() -> Result<ExitCode> {
         app.persona = Persona::Pedantic;
     }
 
+    // Unset the GitHub token if we're in offline mode.
+    // We do this manually instead of with clap's `conflicts_with` because
+    // we want to support explicitly enabling offline mode while still
+    // having `GH_TOKEN` present in the environment.
+    if app.offline {
+        app.gh_token = None;
+    }
+
     let indicatif_layer = IndicatifLayer::new();
 
     let filter = EnvFilter::builder()

{zizmor-1.3.0 → zizmor-1.3.1}/tests/snapshot.rs

@@ -1,4 +1,4 @@
-use anyhow::Result;
+use anyhow::{Context, Result};
 use assert_cmd::Command;
 use common::workflow_under_test;
 
@@ -36,6 +36,7 @@ impl Zizmor {
         self
     }
 
+    #[allow(dead_code)]
     fn setenv(mut self, key: &str, value: &str) -> Self {
         self.cmd.env(key, value);
         self
@@ -65,6 +66,10 @@ impl Zizmor {
     fn run(mut self) -> Result<String> {
         if self.offline {
             self.cmd.arg("--offline");
+        } else {
+            // If we're running in online mode, we pre-assert the
+            // presence of GH_TOKEN to make configuration failures more obvious.
+            std::env::var("GH_TOKEN").context("online tests require GH_TOKEN to be set")?;
         }
 
         if let Some(workflow) = &self.workflow {
@@ -103,30 +108,6 @@ fn test_cant_retrieve() -> Result<()> {
     Ok(())
 }
 
-#[test]
-fn test_conflicting_online_options() -> Result<()> {
-    insta::assert_snapshot!(zizmor()
-        .output(OutputMode::Stderr)
-        .setenv("GH_TOKEN", "phony")
-        .offline(true)
-        .run()?);
-
-    insta::assert_snapshot!(zizmor()
-        .output(OutputMode::Stderr)
-        .offline(true)
-        .args(["--gh-token=phony"])
-        .run()?);
-
-    insta::assert_snapshot!(zizmor()
-        .output(OutputMode::Stderr)
-        .setenv("ZIZMOR_OFFLINE", "true")
-        .setenv("GH_TOKEN", "phony")
-        .offline(false) // explicitly disable so that we test ZIZMOR_OFFLINE above
-        .run()?);
-
-    Ok(())
-}
-
 #[test]
 fn test_invalid_inputs() -> Result<()> {
     insta::assert_snapshot!(zizmor()
@@ -512,3 +493,19 @@ fn overprovisioned_secrets() -> Result<()> {
 
     Ok(())
 }
+
+#[cfg_attr(not(feature = "gh-token-tests"), ignore)]
+#[test]
+fn ref_confusion() -> Result<()> {
+    insta::assert_snapshot!(zizmor()
+        .workflow(workflow_under_test("ref-confusion.yml"))
+        .offline(false)
+        .run()?);
+
+    insta::assert_snapshot!(zizmor()
+        .workflow(workflow_under_test("ref-confusion/issue-518-repro.yml"))
+        .offline(false)
+        .run()?);
+
+    Ok(())
+}

zizmor-1.3.1/tests/snapshots/snapshot__ref_confusion-2.snap

@@ -0,0 +1,5 @@
+---
+source: tests/snapshot.rs
+expression: "zizmor().workflow(workflow_under_test(\"ref-confusion/issue-518-repro.yml\")).offline(false).run()?"
+---
+No findings to report. Good job! (1 suppressed)

zizmor-1.3.1/tests/snapshots/snapshot__ref_confusion.snap

@@ -0,0 +1,13 @@
+---
+source: tests/snapshot.rs
+expression: "zizmor().workflow(workflow_under_test(\"ref-confusion.yml\")).offline(false).run()?"
+---
+warning[ref-confusion]: git ref for action with ambiguous ref type
+  --> @@INPUT@@:11:9
+   |
+11 |       - uses: woodruffw/gha-hazmat/ref-confusion@confusable
+   |         --------------------------------------------------- uses a ref that's provided by both the branch and tag namespaces
+   |
+   = note: audit confidence → High
+
+2 findings (1 suppressed): 0 unknown, 0 informational, 0 low, 1 medium, 0 high

{zizmor-1.3.0 → zizmor-1.3.1}/tests/test-data/artipacked/issue-447-repro.yml

@@ -6,7 +6,7 @@ on: push
 permissions: {}
 
 jobs:
-  issue-557-repro:
+  issue-447-repro:
     runs-on: ubuntu-latest
 
     steps:

zizmor-1.3.1/tests/test-data/ref-confusion/issue-518-repro.yml

@@ -0,0 +1,12 @@
+name: ISSUE-518-REPRO
+on: [push]
+
+permissions: {}
+
+jobs:
+  issue-518-repro:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Install Task
+        uses: arduino/setup-task@v2

zizmor-1.3.1/tests/test-data/ref-confusion.yml

@@ -0,0 +1,11 @@
+name: example
+on: [push]
+
+permissions: {}
+
+jobs:
+  commit:
+    runs-on: ubuntu-latest
+    steps:
+      # NOT OK: `confusable` is both a tag and a branch
+      - uses: woodruffw/gha-hazmat/ref-confusion@confusable