zizmor 1.5.2__tar.gz → 1.7.0__tar.gz
Potentially problematic release.
This version of zizmor might be problematic. Click here for more details.
- {zizmor-1.5.2 → zizmor-1.7.0}/.github/workflows/ci.yml +4 -4
- {zizmor-1.5.2 → zizmor-1.7.0}/.github/workflows/docker.yml +3 -3
- {zizmor-1.5.2 → zizmor-1.7.0}/.github/workflows/pypi.yml +15 -17
- zizmor-1.7.0/.github/workflows/refresh-schemas.yml +40 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/.github/workflows/site.yml +1 -1
- zizmor-1.5.2/.github/workflows/test-sarif.yml → zizmor-1.7.0/.github/workflows/test-output.yml +26 -3
- {zizmor-1.5.2 → zizmor-1.7.0}/.github/workflows/zizmor.yml +3 -3
- {zizmor-1.5.2 → zizmor-1.7.0}/Cargo.lock +709 -347
- {zizmor-1.5.2 → zizmor-1.7.0}/Cargo.toml +18 -16
- zizmor-1.7.0/Dockerfile +18 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/Makefile +5 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/PKG-INFO +2 -1
- {zizmor-1.5.2 → zizmor-1.7.0}/README.md +1 -0
- zizmor-1.7.0/docs/audits.md +1527 -0
- zizmor-1.7.0/docs/configuration.md +156 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/development.md +11 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/index.md +1 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/release-notes.md +143 -1
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/snippets/help.txt +5 -1
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/snippets/trophies.md +136 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/snippets/trophies.txt +31 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/usage.md +313 -70
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/artipacked.rs +5 -5
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/bot_conditions.rs +7 -8
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/cache_poisoning.rs +135 -103
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/dangerous_triggers.rs +3 -3
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/excessive_permissions.rs +7 -9
- zizmor-1.7.0/src/audit/forbidden_uses.rs +103 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/github_env.rs +15 -11
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/hardcoded_container_credentials.rs +7 -7
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/impostor_commit.rs +10 -6
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/insecure_commands.rs +20 -20
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/known_vulnerable_actions.rs +42 -62
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/mod.rs +42 -24
- zizmor-1.7.0/src/audit/obfuscation.rs +143 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/overprovisioned_secrets.rs +7 -6
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/ref_confusion.rs +12 -8
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/secrets_inherit.rs +5 -5
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/self_hosted_runner.rs +5 -5
- zizmor-1.7.0/src/audit/stale_action_refs.rs +86 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/template_injection.rs +38 -51
- zizmor-1.7.0/src/audit/unpinned_images.rs +109 -0
- zizmor-1.7.0/src/audit/unpinned_uses.rs +301 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/unredacted_secrets.rs +7 -9
- zizmor-1.7.0/src/audit/unsound_contains.rs +187 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/src/audit/use_trusted_publishing.rs +9 -9
- {zizmor-1.5.2 → zizmor-1.7.0}/src/config.rs +22 -2
- zizmor-1.7.0/src/data/github-action.json +695 -0
- zizmor-1.7.0/src/data/github-workflow.json +1711 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/src/expr/mod.rs +265 -44
- {zizmor-1.5.2 → zizmor-1.7.0}/src/finding/mod.rs +90 -59
- {zizmor-1.5.2 → zizmor-1.7.0}/src/github_api.rs +56 -42
- {zizmor-1.5.2 → zizmor-1.7.0}/src/main.rs +132 -57
- zizmor-1.7.0/src/models/coordinate.rs +453 -0
- zizmor-1.7.0/src/models/uses.rs +485 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/src/models.rs +161 -161
- zizmor-1.7.0/src/output/github.rs +64 -0
- zizmor-1.7.0/src/output/mod.rs +3 -0
- zizmor-1.5.2/src/render.rs → zizmor-1.7.0/src/output/plain.rs +8 -7
- {zizmor-1.5.2/src → zizmor-1.7.0/src/output}/sarif.rs +5 -3
- {zizmor-1.5.2 → zizmor-1.7.0}/src/registry.rs +75 -32
- {zizmor-1.5.2 → zizmor-1.7.0}/src/state.rs +6 -3
- {zizmor-1.5.2 → zizmor-1.7.0}/src/utils.rs +111 -16
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/acceptance.rs +39 -4
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/common.rs +46 -1
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/e2e.rs +56 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshot.rs +177 -5
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__e2e__gha_hazmat.snap +143 -6
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_config_file.snap +8 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-10.snap +11 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-2.snap +12 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-3.snap +11 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-4.snap +11 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-5.snap +11 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-6.snap +11 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-7.snap +11 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-8.snap +19 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-9.snap +11 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs.snap +13 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__issue_569.snap +187 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__e2e__issue_726.snap +17 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__e2e__menagerie-2.snap +2 -1
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__e2e__menagerie.snap +2 -1
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__artipacked-2.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__artipacked-3.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__artipacked-4.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__artipacked.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__bot_conditions.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-10.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-11.snap +2 -3
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-12.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-13.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__cache_poisoning-14.snap +5 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__cache_poisoning-15.snap +19 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-2.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-3.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-4.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-5.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__cache_poisoning-6.snap +5 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__cache_poisoning-7.snap +5 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-8.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-9.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__cache_poisoning.snap +5 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cant_retrieve.snap +2 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-10.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-11.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-12.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-2.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-3.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-4.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-5.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__excessive_permissions-6.snap +5 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-7.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-8.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__excessive_permissions-9.snap +5 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__excessive_permissions.snap +5 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__forbidden_uses-2.snap +29 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__forbidden_uses-3.snap +13 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__forbidden_uses-4.snap +21 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__forbidden_uses-5.snap +22 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__forbidden_uses-6.snap +14 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__forbidden_uses.snap +5 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__github_env-2.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__github_env-3.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__github_env.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__github_output.snap +8 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__insecure_commands-2.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__insecure_commands-3.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__insecure_commands.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__obfuscation.snap +190 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__overprovisioned_secrets.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__ref_confusion-2.snap +13 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__ref_confusion.snap +21 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__secrets_inherit.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__self_hosted-2.snap +5 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__self_hosted-3.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__self_hosted-4.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__self_hosted-5.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__self_hosted-6.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__self_hosted-7.snap +5 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__self_hosted-8.snap +5 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__self_hosted.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__stale_action_refs.snap +13 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-2.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__template_injection-3.snap +5 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-4.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-5.snap +1 -2
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-6.snap +2 -3
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__template_injection-7.snap +5 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-8.snap +4 -5
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__template_injection-9.snap +5 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__template_injection.snap +5 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned-uses-composite-config-2.snap +29 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned-uses-composite-config.snap +29 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned-uses-default-config.snap +21 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned-uses-empty-config.snap +53 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned-uses-hash-pin-everything-config.snap +53 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned-uses-ref-pin-everything-config.snap +13 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_images.snap +53 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-10.snap +11 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-11.snap +11 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-12.snap +12 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned_uses-2.snap +6 -7
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-3.snap +21 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-4.snap +5 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-5.snap +32 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-6.snap +11 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-7.snap +11 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-8.snap +11 -0
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-9.snap +11 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned_uses.snap +6 -15
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unredacted_secrets.snap +1 -2
- zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unsound_contains.snap +46 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/issue-378-repro.yml +1 -0
- zizmor-1.7.0/tests/integration/test-data/cache-poisoning/issue-642-repro.yml +39 -0
- zizmor-1.7.0/tests/integration/test-data/forbidden-uses/configs/allow-all.yml +11 -0
- zizmor-1.7.0/tests/integration/test-data/forbidden-uses/configs/allow-some-refs.yml +13 -0
- zizmor-1.7.0/tests/integration/test-data/forbidden-uses/configs/allow-some.yml +12 -0
- zizmor-1.7.0/tests/integration/test-data/forbidden-uses/configs/deny-all.yml +11 -0
- zizmor-1.7.0/tests/integration/test-data/forbidden-uses/configs/deny-some-refs.yml +13 -0
- zizmor-1.7.0/tests/integration/test-data/forbidden-uses/configs/deny-some.yml +12 -0
- zizmor-1.7.0/tests/integration/test-data/forbidden-uses/forbidden-uses-menagerie.yml +16 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/inlined-ignores.yml +1 -1
- zizmor-1.7.0/tests/integration/test-data/invalid/bad-yaml-1.yml +1 -0
- zizmor-1.7.0/tests/integration/test-data/invalid/bad-yaml-2.yml +3 -0
- zizmor-1.7.0/tests/integration/test-data/invalid/blank.yml +2 -0
- zizmor-1.7.0/tests/integration/test-data/invalid/comment-only.yml +1 -0
- zizmor-1.7.0/tests/integration/test-data/invalid/empty-action/action.yml +0 -0
- zizmor-1.7.0/tests/integration/test-data/invalid/empty.yml +0 -0
- zizmor-1.7.0/tests/integration/test-data/invalid/invalid-action-1/action.yml +11 -0
- zizmor-1.7.0/tests/integration/test-data/invalid/invalid-action-2/action.yml +3 -0
- zizmor-1.7.0/tests/integration/test-data/invalid/invalid-workflow-2.yml +17 -0
- zizmor-1.7.0/tests/integration/test-data/obfuscation.yml +52 -0
- zizmor-1.7.0/tests/integration/test-data/several-vulnerabilities.yml +16 -0
- zizmor-1.7.0/tests/integration/test-data/stale-action-refs.yml +30 -0
- zizmor-1.7.0/tests/integration/test-data/template-injection/dataflow.yml +29 -0
- zizmor-1.7.0/tests/integration/test-data/template-injection/false-positive-menagerie.yml +25 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-images.yml +71 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/composite-2.yml +13 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/composite.yml +10 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/empty.yml +7 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/hash-pin-everything.yml +5 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-1.yml +6 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-2.yml +6 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-3.yml +6 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-4.yml +6 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-5.yml +6 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-6.yml +7 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/invalid-wrong-policy-object.yml +5 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/ref-pin-everything.yml +5 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/issue-659-repro.yml +19 -0
- zizmor-1.7.0/tests/integration/test-data/unpinned-uses/menagerie-of-uses.yml +29 -0
- zizmor-1.7.0/tests/integration/test-data/unsound-contains.yml +33 -0
- zizmor-1.5.2/Dockerfile +0 -30
- zizmor-1.5.2/docs/audits.md +0 -1027
- zizmor-1.5.2/docs/configuration.md +0 -81
- zizmor-1.5.2/src/audit/unpinned_uses.rs +0 -100
- zizmor-1.5.2/src/models/coordinate.rs +0 -282
- zizmor-1.5.2/src/models/uses.rs +0 -147
- zizmor-1.5.2/tests/integration/snapshots/integration__e2e__issue_569.snap +0 -41
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__cache_poisoning-14.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__cache_poisoning-6.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__cache_poisoning-7.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__cache_poisoning.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__excessive_permissions-6.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__excessive_permissions-9.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__excessive_permissions.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__invalid_inputs.snap +0 -17
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__ref_confusion-2.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__ref_confusion.snap +0 -14
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__self_hosted-2.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__self_hosted-7.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__self_hosted-8.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__template_injection-3.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__template_injection-7.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__template_injection.snap +0 -6
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__unpinned_uses-3.snap +0 -22
- zizmor-1.5.2/tests/integration/snapshots/integration__snapshot__unpinned_uses-4.snap +0 -6
- {zizmor-1.5.2 → zizmor-1.7.0}/.github/ISSUE_TEMPLATE/bug-report.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/.github/ISSUE_TEMPLATE/config.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/.github/ISSUE_TEMPLATE/feature-request.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/.github/dependabot.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/.github/workflows/release.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/.gitignore +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/CONTRIBUTING.md +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/LICENSE +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/assets/favicon48x48.png +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/assets/rainbow.svg +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/assets/zizmor-demo.gif +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/installation.md +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/magiclink.css +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/quickstart.md +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/snippets/render-sponsors.py +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/snippets/render-trophies.py +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/snippets/sponsors.html +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/snippets/sponsors.json +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/docs/trophy-case.md +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/mkdocs.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/pyproject.toml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/src/expr/expr.pest +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/main.rs +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/snapshots/integration__e2e__issue_612_repro.snap +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/artipacked/issue-447-repro.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/artipacked.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/bot-conditions.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-disabled-by-default.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-enabled-by-default.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-not-configurable.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-opt-in-boolean-toggle.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-opt-in-boolish-toggle.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-opt-in-expression.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-opt-in-multi-value-toggle.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-opt-out.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/issue-343-repro.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/no-cache-aware-steps.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/publisher-step.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/workflow-release-branch-trigger.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/workflow-tag-trigger.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/.github/dummy-action-2/action.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/.github/workflows/another-dummy.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/.github/workflows/dummy.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/.github/workflows/ignored.yaml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/.gitignore +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/README.md +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/dummy-action-1/action.yaml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/issue-336-repro.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/issue-472-repro.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/jobs-broaden-permissions.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/reusable-workflow-call.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/reusable-workflow-other-triggers.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/workflow-default-perms-all-jobs-explicit.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/workflow-default-perms.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/workflow-empty-perms.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/workflow-read-all.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/workflow-write-all.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/workflow-write-explicit.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/github-env/action.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/github-env/github-path.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/github-env/issue-397-repro.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/github_env.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/hardcoded-credentials.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/insecure-commands/action.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/insecure-commands.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/invalid/invalid-workflow.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/issue-612-repro/action.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/overprovisioned-secrets.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/ref-confusion/issue-518-repro.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/ref-confusion.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/secrets-inherit.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/self-hosted/issue-283-repro.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/self-hosted/self-hosted-matrix-dimension.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/self-hosted/self-hosted-matrix-exclusion.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/self-hosted/self-hosted-matrix-inclusion.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/self-hosted/self-hosted-runner-group.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/self-hosted/self-hosted-runner-label.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/self-hosted.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/template-injection/issue-22-repro.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/template-injection/issue-339-repro.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/template-injection/issue-418-repro.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/template-injection/pr-317-repro.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/template-injection/pr-425-backstop/action.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/template-injection/static-env.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/template-injection/template-injection-dynamic-matrix.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/template-injection/template-injection-static-matrix.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/template-injection.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/action.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/issue-433-repro.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/unredacted-secrets.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/tests/integration/test-data/use-trusted-publishing.yml +0 -0
- {zizmor-1.5.2 → zizmor-1.7.0}/uv.lock +0 -0
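--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,7 +19,7 @@ jobs:
 - name: Format
 run: cargo fmt && git diff --exit-code
 
-- uses: Swatinem/rust-cache@
+- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2
 
 - name: Lint
 run: cargo clippy -- -D warnings -D clippy::dbg_macro
@@ -31,9 +31,9 @@ jobs:
 with:
 persist-credentials: false
 
-- uses: Swatinem/rust-cache@
+- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2
 
-- uses: astral-sh/setup-uv@
+- uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
 
 - name: Test dependencies
 run: |
@@ -57,7 +57,7 @@ jobs:
 with:
 persist-credentials: false
 
-- uses: astral-sh/setup-uv@
+- uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
 
 - name: Test site
 run: make site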
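Review bot: The trailing comments on the newly pinned `uses:` lines do not record the same thing: `Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2` names only a moving major tag, while `astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1` names an exact release. A major tag can be re-pointed upstream, so `# v2` does not let a reader check which release the hash belongs to, and the comment goes stale once the tag moves. I would record the exact release the hash was taken from on both rust-cache lines, e.g. `# vX.Y.Z` (placeholder; the release is not shown on this page). The `# v6` and the two `# v4` comments in the docker.yml section have the same gap. Whoever picks the exact tag should also confirm that the hash is reachable from that tag in the upstream repository and not only from a fork.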
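--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -68,7 +68,7 @@ jobs:
 
 - name: Build and push by digest
 id: build
-uses: docker/build-push-action@
+uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
 with:
 platforms: ${{ matrix.image.platform }}
 labels: ${{ steps.docker-metadata.outputs.labels }}
@@ -85,7 +85,7 @@ jobs:
 DIGEST: ${{ steps.build.outputs.digest }}
 
 - name: Upload digest
-uses: actions/upload-artifact@
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: digests-${{ matrix.image.platform-pair }}
 path: ${{ runner.temp }}/digests/*
@@ -105,7 +105,7 @@ jobs:
 
 steps:
 - name: Download digests
-uses: actions/download-artifact@
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 path: ${{ runner.temp }}/digests
 pattern: digests-*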
@@ -40,13 +40,13 @@ jobs:
|
|
|
40
40
|
with:
|
|
41
41
|
persist-credentials: false
|
|
42
42
|
- name: Build wheels
|
|
43
|
-
uses: PyO3/maturin-action@
|
|
43
|
+
uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1
|
|
44
44
|
with:
|
|
45
45
|
target: ${{ matrix.platform.target }}
|
|
46
46
|
args: --release --out dist
|
|
47
47
|
manylinux: ${{ matrix.platform.manylinux }}
|
|
48
48
|
- name: Upload wheels
|
|
49
|
-
uses: actions/upload-artifact@
|
|
49
|
+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
|
|
50
50
|
with:
|
|
51
51
|
name: wheels-linux-${{ matrix.platform.target }}
|
|
52
52
|
path: dist
|
|
@@ -69,13 +69,13 @@ jobs:
|
|
|
69
69
|
with:
|
|
70
70
|
persist-credentials: false
|
|
71
71
|
- name: Build wheels
|
|
72
|
-
uses: PyO3/maturin-action@
|
|
72
|
+
uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1
|
|
73
73
|
with:
|
|
74
74
|
target: ${{ matrix.platform.target }}
|
|
75
75
|
args: --release --out dist
|
|
76
76
|
manylinux: musllinux_1_2
|
|
77
77
|
- name: Upload wheels
|
|
78
|
-
uses: actions/upload-artifact@
|
|
78
|
+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
|
|
79
79
|
with:
|
|
80
80
|
name: wheels-musllinux-${{ matrix.platform.target }}
|
|
81
81
|
path: dist
|
|
@@ -94,12 +94,12 @@ jobs:
|
|
|
94
94
|
with:
|
|
95
95
|
persist-credentials: false
|
|
96
96
|
- name: Build wheels
|
|
97
|
-
uses: PyO3/maturin-action@
|
|
97
|
+
uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1
|
|
98
98
|
with:
|
|
99
99
|
target: ${{ matrix.platform.target }}
|
|
100
100
|
args: --release --out dist
|
|
101
101
|
- name: Upload wheels
|
|
102
|
-
uses: actions/upload-artifact@
|
|
102
|
+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
|
|
103
103
|
with:
|
|
104
104
|
name: wheels-windows-${{ matrix.platform.target }}
|
|
105
105
|
path: dist
|
|
@@ -109,23 +109,21 @@ jobs:
|
|
|
109
109
|
strategy:
|
|
110
110
|
matrix:
|
|
111
111
|
platform:
|
|
112
|
-
|
|
113
|
-
# See: https://github.com/actions/runner-images/issues/11637
|
|
114
|
-
- runner: macos-14
|
|
112
|
+
- runner: macos-15
|
|
115
113
|
target: x86_64
|
|
116
|
-
- runner: macos-
|
|
114
|
+
- runner: macos-15
|
|
117
115
|
target: aarch64
|
|
118
116
|
steps:
|
|
119
117
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
|
|
120
118
|
with:
|
|
121
119
|
persist-credentials: false
|
|
122
120
|
- name: Build wheels
|
|
123
|
-
uses: PyO3/maturin-action@
|
|
121
|
+
uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1
|
|
124
122
|
with:
|
|
125
123
|
target: ${{ matrix.platform.target }}
|
|
126
124
|
args: --release --out dist
|
|
127
125
|
- name: Upload wheels
|
|
128
|
-
uses: actions/upload-artifact@
|
|
126
|
+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
|
|
129
127
|
with:
|
|
130
128
|
name: wheels-macos-${{ matrix.platform.target }}
|
|
131
129
|
path: dist
|
|
@@ -137,12 +135,12 @@ jobs:
|
|
|
137
135
|
with:
|
|
138
136
|
persist-credentials: false
|
|
139
137
|
- name: Build sdist
|
|
140
|
-
uses: PyO3/maturin-action@
|
|
138
|
+
uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1
|
|
141
139
|
with:
|
|
142
140
|
command: sdist
|
|
143
141
|
args: --out dist
|
|
144
142
|
- name: Upload sdist
|
|
145
|
-
uses: actions/upload-artifact@
|
|
143
|
+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
|
|
146
144
|
with:
|
|
147
145
|
name: wheels-sdist
|
|
148
146
|
path: dist
|
|
@@ -163,14 +161,14 @@ jobs:
|
|
|
163
161
|
# Used to generate artifact attestation
|
|
164
162
|
attestations: write
|
|
165
163
|
steps:
|
|
166
|
-
- uses: actions/download-artifact@
|
|
164
|
+
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
|
|
167
165
|
- name: Generate artifact attestation
|
|
168
|
-
uses: actions/attest-build-provenance@
|
|
166
|
+
uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2
|
|
169
167
|
with:
|
|
170
168
|
subject-path: 'wheels-*/*'
|
|
171
169
|
- name: Publish to PyPI
|
|
172
170
|
if: ${{ startsWith(github.ref, 'refs/tags/') }}
|
|
173
|
-
uses: PyO3/maturin-action@
|
|
171
|
+
uses: PyO3/maturin-action@aef21716ff3dcae8a1c301d23ec3e4446972a6e3 # v1
|
|
174
172
|
with:
|
|
175
173
|
command: upload
|
|
176
174
|
args: --non-interactive --skip-existing wheels-*/*
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
name: Refresh schemas
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
workflow_dispatch:
|
|
5
|
+
schedule:
|
|
6
|
+
- cron: '0 12 * * 1'
|
|
7
|
+
|
|
8
|
+
permissions: {}
|
|
9
|
+
|
|
10
|
+
jobs:
|
|
11
|
+
refresh-schemas:
|
|
12
|
+
runs-on: ubuntu-latest
|
|
13
|
+
|
|
14
|
+
permissions:
|
|
15
|
+
contents: write
|
|
16
|
+
pull-requests: write
|
|
17
|
+
|
|
18
|
+
steps:
|
|
19
|
+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
20
|
+
with:
|
|
21
|
+
persist-credentials: false
|
|
22
|
+
|
|
23
|
+
- name: try to refresh schemas
|
|
24
|
+
run: |
|
|
25
|
+
make refresh-schemas
|
|
26
|
+
|
|
27
|
+
- name: create PR
|
|
28
|
+
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
|
|
29
|
+
with:
|
|
30
|
+
commit-message: "[BOT] update JSON schemas from SchemaStore"
|
|
31
|
+
branch: refresh-schemas
|
|
32
|
+
branch-suffix: timestamp
|
|
33
|
+
title: "[BOT] update JSON schemas from SchemaStore"
|
|
34
|
+
body: |
|
|
35
|
+
This is an automated pull request, updating `src/data`
|
|
36
|
+
after a detected change in the JSON schemas from SchemaStore.
|
|
37
|
+
|
|
38
|
+
Please review manually before merging.
|
|
39
|
+
assignees: "woodruffw"
|
|
40
|
+
reviewers: "woodruffw"
|
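Review bot: The `create PR` step sets no `token` input, so as far as this section shows the pull request is opened with the default `GITHUB_TOKEN`, and GitHub does not start `pull_request` workflows for events created by that token. The refreshed files under `src/data` would then reach the reviewer without CI having run on them, which matters because the PR text says the content comes from SchemaStore rather than from a contributor. I would document this above the step, for example `# PRs opened with the default GITHUB_TOKEN do not trigger CI; close and reopen the PR to run checks before merging.`, or say the same in the PR `body`.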
|
@@ -30,7 +30,7 @@ jobs:
|
|
|
30
30
|
persist-credentials: false
|
|
31
31
|
|
|
32
32
|
- name: Install the latest version of uv
|
|
33
|
-
uses: astral-sh/setup-uv@
|
|
33
|
+
uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
|
|
34
34
|
|
|
35
35
|
- name: build site
|
|
36
36
|
run: make site
|
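--- a/zizmor-1.5.2/.github/workflows/test-sarif.yml
+++ b/zizmor-1.7.0/.github/workflows/test-output.yml
@@ -1,4 +1,4 @@
-name: Test
+name: Test output formats
 
 on:
 pull_request:
@@ -22,14 +22,14 @@ jobs:
 with:
 persist-credentials: false
 
-- uses: Swatinem/rust-cache@
+- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2
 
 - name: Run zizmor
 run: |
 cargo run -- --format sarif . > results.sarif
 
 - name: Upload SARIF file
-uses: github/codeql-action/upload-sarif@
+uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
 with:
 sarif_file: results.sarif
 category: zizmor-test-sarif-presentation
@@ -46,3 +46,26 @@ jobs:
 repo: context.repo.repo,
 body: `:robot: Presentation results: <${url}>`
 })
+
+test-github-presentation:
+runs-on: ubuntu-latest
+if: contains(github.event.pull_request.labels.*.name, 'test-github-presentation')
+permissions: {}
+
+steps:
+- name: Checkout repository
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+with:
+persist-credentials: false
+
+- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2
+
+- name: Run zizmor
+run: |
+# Normally we'd want a workflow to fail if the audit fails,
+# but we're only testing presentation here.
+cargo run \
+-- \
+--no-exit-codes \
+--format github \
+tests/integration/test-data/several-vulnerabilities.yml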
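Review bot: The added `Run zizmor` step in `test-github-presentation` builds with plain `cargo run`, so the job does not fail when `Cargo.lock` is out of step with `Cargo.toml`, and dependencies may then be resolved afresh on the runner. Writing `cargo run --locked \` in place of `cargo run \` makes the build use exactly the committed lockfile. The existing SARIF step (`cargo run -- --format sarif . > results.sarif`) has the same form. Whether lockfile drift is already caught by another job is not visible in this section.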
|
@@ -21,13 +21,13 @@ jobs:
|
|
|
21
21
|
with:
|
|
22
22
|
persist-credentials: false
|
|
23
23
|
- name: Install the latest version of uv
|
|
24
|
-
uses: astral-sh/setup-uv@
|
|
24
|
+
uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
|
|
25
25
|
- name: Run zizmor 🌈
|
|
26
|
-
run: uvx zizmor --format sarif . > results.sarif
|
|
26
|
+
run: uvx zizmor --format sarif .github/workflows > results.sarif
|
|
27
27
|
env:
|
|
28
28
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
29
29
|
- name: Upload SARIF file
|
|
30
|
-
uses: github/codeql-action/upload-sarif@
|
|
30
|
+
uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
|
|
31
31
|
with:
|
|
32
32
|
sarif_file: results.sarif
|
|
33
33
|
category: zizmor
|
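Review bot: The scan target in `Run zizmor 🌈` is narrowed from `.` to `.github/workflows` with no comment saying why, so anything outside that directory (composite action definitions, if the repository has any) is no longer part of the self-audit. A one-line comment above the step would record the intent, for example `# Scan only workflows; fixtures elsewhere in the repo are intentionally vulnerable.`, if that is the reason. The other changes in this section are pin updates.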