zizmor 1.6.0__tar.gz → 1.7.0__tar.gz





Files changed (319) hide show
  1. {zizmor-1.6.0 → zizmor-1.7.0}/.github/workflows/ci.yml +2 -2
  2. {zizmor-1.6.0 → zizmor-1.7.0}/.github/workflows/docker.yml +2 -2
  3. {zizmor-1.6.0 → zizmor-1.7.0}/.github/workflows/pypi.yml +2 -2
  4. zizmor-1.7.0/.github/workflows/refresh-schemas.yml +40 -0
  5. {zizmor-1.6.0 → zizmor-1.7.0}/.github/workflows/site.yml +1 -1
  6. {zizmor-1.6.0 → zizmor-1.7.0}/.github/workflows/test-output.yml +1 -1
  7. {zizmor-1.6.0 → zizmor-1.7.0}/.github/workflows/zizmor.yml +3 -3
  8. {zizmor-1.6.0 → zizmor-1.7.0}/Cargo.lock +663 -305
  9. {zizmor-1.6.0 → zizmor-1.7.0}/Cargo.toml +6 -4
  10. {zizmor-1.6.0 → zizmor-1.7.0}/Makefile +5 -0
  11. {zizmor-1.6.0 → zizmor-1.7.0}/PKG-INFO +2 -1
  12. {zizmor-1.6.0 → zizmor-1.7.0}/README.md +1 -0
  13. {zizmor-1.6.0 → zizmor-1.7.0}/docs/audits.md +906 -638
  14. {zizmor-1.6.0 → zizmor-1.7.0}/docs/configuration.md +66 -0
  15. {zizmor-1.6.0 → zizmor-1.7.0}/docs/development.md +11 -2
  16. {zizmor-1.6.0 → zizmor-1.7.0}/docs/index.md +1 -0
  17. {zizmor-1.6.0 → zizmor-1.7.0}/docs/release-notes.md +75 -0
  18. {zizmor-1.6.0 → zizmor-1.7.0}/docs/snippets/help.txt +4 -0
  19. {zizmor-1.6.0 → zizmor-1.7.0}/docs/snippets/trophies.md +64 -0
  20. {zizmor-1.6.0 → zizmor-1.7.0}/docs/snippets/trophies.txt +22 -0
  21. {zizmor-1.6.0 → zizmor-1.7.0}/docs/usage.md +37 -2
  22. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/artipacked.rs +3 -3
  23. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/bot_conditions.rs +5 -6
  24. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/cache_poisoning.rs +56 -66
  25. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/dangerous_triggers.rs +1 -1
  26. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/excessive_permissions.rs +3 -3
  27. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/forbidden_uses.rs +33 -48
  28. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/github_env.rs +5 -5
  29. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/hardcoded_container_credentials.rs +3 -3
  30. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/impostor_commit.rs +2 -2
  31. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/insecure_commands.rs +17 -17
  32. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/known_vulnerable_actions.rs +41 -65
  33. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/mod.rs +26 -24
  34. zizmor-1.7.0/src/audit/obfuscation.rs +143 -0
  35. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/overprovisioned_secrets.rs +4 -3
  36. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/ref_confusion.rs +4 -4
  37. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/secrets_inherit.rs +3 -3
  38. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/self_hosted_runner.rs +3 -3
  39. zizmor-1.7.0/src/audit/stale_action_refs.rs +86 -0
  40. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/template_injection.rs +23 -42
  41. zizmor-1.7.0/src/audit/unpinned_images.rs +109 -0
  42. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/unpinned_uses.rs +47 -51
  43. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/unredacted_secrets.rs +4 -6
  44. zizmor-1.7.0/src/audit/unsound_contains.rs +187 -0
  45. {zizmor-1.6.0 → zizmor-1.7.0}/src/audit/use_trusted_publishing.rs +5 -2
  46. zizmor-1.7.0/src/data/github-action.json +695 -0
  47. zizmor-1.7.0/src/data/github-workflow.json +1711 -0
  48. {zizmor-1.6.0 → zizmor-1.7.0}/src/expr/mod.rs +167 -2
  49. {zizmor-1.6.0 → zizmor-1.7.0}/src/finding/mod.rs +53 -55
  50. {zizmor-1.6.0 → zizmor-1.7.0}/src/github_api.rs +56 -42
  51. {zizmor-1.6.0 → zizmor-1.7.0}/src/main.rs +74 -32
  52. {zizmor-1.6.0 → zizmor-1.7.0}/src/models/coordinate.rs +35 -18
  53. {zizmor-1.6.0 → zizmor-1.7.0}/src/models/uses.rs +136 -80
  54. {zizmor-1.6.0 → zizmor-1.7.0}/src/models.rs +161 -161
  55. {zizmor-1.6.0 → zizmor-1.7.0}/src/output/plain.rs +7 -6
  56. {zizmor-1.6.0 → zizmor-1.7.0}/src/output/sarif.rs +3 -2
  57. {zizmor-1.6.0 → zizmor-1.7.0}/src/registry.rs +75 -32
  58. {zizmor-1.6.0 → zizmor-1.7.0}/src/utils.rs +101 -7
  59. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/acceptance.rs +37 -2
  60. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/common.rs +33 -1
  61. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/e2e.rs +45 -2
  62. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshot.rs +56 -17
  63. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__e2e__gha_hazmat.snap +26 -2
  64. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__e2e__invalid_config_file.snap +1 -2
  65. zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-10.snap +11 -0
  66. zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-2.snap +12 -0
  67. zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-3.snap +11 -0
  68. zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-4.snap +11 -0
  69. zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-5.snap +11 -0
  70. zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-6.snap +11 -0
  71. zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-7.snap +11 -0
  72. zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-8.snap +19 -0
  73. zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs-9.snap +11 -0
  74. zizmor-1.7.0/tests/integration/snapshots/integration__e2e__invalid_inputs.snap +13 -0
  75. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__e2e__issue_569.snap +10 -1
  76. zizmor-1.7.0/tests/integration/snapshots/integration__e2e__issue_726.snap +17 -0
  77. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__e2e__menagerie-2.snap +1 -1
  78. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__e2e__menagerie.snap +1 -1
  79. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__artipacked-2.snap +1 -2
  80. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__artipacked-3.snap +1 -2
  81. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__artipacked-4.snap +1 -2
  82. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__artipacked.snap +1 -2
  83. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__bot_conditions.snap +1 -2
  84. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-11.snap +0 -1
  85. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-3.snap +1 -2
  86. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-5.snap +1 -2
  87. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__cache_poisoning-7.snap +5 -0
  88. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__cache_poisoning.snap +5 -0
  89. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cant_retrieve.snap +1 -2
  90. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-10.snap +1 -2
  91. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-11.snap +1 -2
  92. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-12.snap +1 -2
  93. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-2.snap +1 -2
  94. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-3.snap +1 -2
  95. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-4.snap +1 -2
  96. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-5.snap +1 -2
  97. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__excessive_permissions-6.snap +5 -0
  98. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-7.snap +1 -2
  99. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__excessive_permissions-8.snap +1 -2
  100. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__excessive_permissions-9.snap +5 -0
  101. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__excessive_permissions.snap +5 -0
  102. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__forbidden_uses-2.snap +0 -1
  103. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__forbidden_uses-3.snap +0 -1
  104. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__forbidden_uses-4.snap +0 -1
  105. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__forbidden_uses-5.snap +22 -0
  106. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__forbidden_uses-6.snap +14 -0
  107. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__forbidden_uses.snap +0 -1
  108. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__github_env-2.snap +1 -2
  109. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__github_env-3.snap +1 -2
  110. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__github_env.snap +1 -2
  111. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__insecure_commands-2.snap +1 -2
  112. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__insecure_commands-3.snap +1 -2
  113. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__insecure_commands.snap +1 -2
  114. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__obfuscation.snap +190 -0
  115. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__overprovisioned_secrets.snap +1 -2
  116. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__ref_confusion-2.snap +0 -1
  117. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__ref_confusion.snap +0 -1
  118. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__secrets_inherit.snap +1 -2
  119. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__self_hosted-2.snap +5 -0
  120. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__self_hosted-3.snap +1 -2
  121. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__self_hosted-4.snap +1 -2
  122. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__self_hosted-5.snap +1 -2
  123. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__self_hosted-6.snap +1 -2
  124. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__self_hosted-7.snap +5 -0
  125. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__self_hosted-8.snap +5 -0
  126. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__self_hosted.snap +1 -2
  127. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__stale_action_refs.snap +13 -0
  128. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-2.snap +1 -2
  129. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-3.snap +0 -1
  130. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-4.snap +1 -2
  131. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-5.snap +1 -2
  132. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-7.snap +0 -1
  133. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-8.snap +0 -1
  134. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__template_injection.snap +5 -0
  135. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned-uses-composite-config-2.snap +0 -1
  136. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned-uses-composite-config.snap +0 -1
  137. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned-uses-default-config.snap +0 -1
  138. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned-uses-empty-config.snap +0 -1
  139. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned-uses-hash-pin-everything-config.snap +0 -1
  140. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned-uses-ref-pin-everything-config.snap +0 -1
  141. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_images.snap +53 -0
  142. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned_uses-10.snap +1 -2
  143. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned_uses-11.snap +1 -2
  144. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-12.snap +12 -0
  145. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned_uses-2.snap +0 -1
  146. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned_uses-3.snap +0 -1
  147. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-4.snap +5 -0
  148. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned_uses-5.snap +0 -1
  149. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned_uses-6.snap +1 -2
  150. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned_uses-7.snap +1 -2
  151. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned_uses-8.snap +1 -2
  152. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned_uses-9.snap +1 -2
  153. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unpinned_uses.snap +0 -1
  154. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__unredacted_secrets.snap +1 -2
  155. zizmor-1.7.0/tests/integration/snapshots/integration__snapshot__unsound_contains.snap +46 -0
  156. zizmor-1.7.0/tests/integration/test-data/forbidden-uses/configs/allow-some-refs.yml +13 -0
  157. zizmor-1.7.0/tests/integration/test-data/forbidden-uses/configs/deny-some-refs.yml +13 -0
  158. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/inlined-ignores.yml +1 -1
  159. zizmor-1.7.0/tests/integration/test-data/invalid/bad-yaml-1.yml +1 -0
  160. zizmor-1.7.0/tests/integration/test-data/invalid/bad-yaml-2.yml +3 -0
  161. zizmor-1.7.0/tests/integration/test-data/invalid/blank.yml +2 -0
  162. zizmor-1.7.0/tests/integration/test-data/invalid/comment-only.yml +1 -0
  163. zizmor-1.7.0/tests/integration/test-data/invalid/empty-action/action.yml +0 -0
  164. zizmor-1.7.0/tests/integration/test-data/invalid/empty.yml +0 -0
  165. zizmor-1.7.0/tests/integration/test-data/invalid/invalid-action-1/action.yml +11 -0
  166. zizmor-1.7.0/tests/integration/test-data/invalid/invalid-action-2/action.yml +3 -0
  167. zizmor-1.7.0/tests/integration/test-data/invalid/invalid-workflow-2.yml +17 -0
  168. zizmor-1.7.0/tests/integration/test-data/obfuscation.yml +52 -0
  169. zizmor-1.7.0/tests/integration/test-data/stale-action-refs.yml +30 -0
  170. zizmor-1.7.0/tests/integration/test-data/unpinned-images.yml +71 -0
  171. zizmor-1.7.0/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-6.yml +7 -0
  172. zizmor-1.7.0/tests/integration/test-data/unsound-contains.yml +33 -0
  173. zizmor-1.6.0/tests/integration/snapshots/integration__snapshot__cache_poisoning-7.snap +0 -6
  174. zizmor-1.6.0/tests/integration/snapshots/integration__snapshot__cache_poisoning.snap +0 -6
  175. zizmor-1.6.0/tests/integration/snapshots/integration__snapshot__excessive_permissions-6.snap +0 -6
  176. zizmor-1.6.0/tests/integration/snapshots/integration__snapshot__excessive_permissions-9.snap +0 -6
  177. zizmor-1.6.0/tests/integration/snapshots/integration__snapshot__excessive_permissions.snap +0 -6
  178. zizmor-1.6.0/tests/integration/snapshots/integration__snapshot__invalid_inputs.snap +0 -18
  179. zizmor-1.6.0/tests/integration/snapshots/integration__snapshot__self_hosted-2.snap +0 -6
  180. zizmor-1.6.0/tests/integration/snapshots/integration__snapshot__self_hosted-7.snap +0 -6
  181. zizmor-1.6.0/tests/integration/snapshots/integration__snapshot__self_hosted-8.snap +0 -6
  182. zizmor-1.6.0/tests/integration/snapshots/integration__snapshot__template_injection.snap +0 -6
  183. zizmor-1.6.0/tests/integration/snapshots/integration__snapshot__unpinned_uses-4.snap +0 -6
  184. {zizmor-1.6.0 → zizmor-1.7.0}/.github/ISSUE_TEMPLATE/bug-report.yml +0 -0
  185. {zizmor-1.6.0 → zizmor-1.7.0}/.github/ISSUE_TEMPLATE/config.yml +0 -0
  186. {zizmor-1.6.0 → zizmor-1.7.0}/.github/ISSUE_TEMPLATE/feature-request.yml +0 -0
  187. {zizmor-1.6.0 → zizmor-1.7.0}/.github/dependabot.yml +0 -0
  188. {zizmor-1.6.0 → zizmor-1.7.0}/.github/workflows/release.yml +0 -0
  189. {zizmor-1.6.0 → zizmor-1.7.0}/.gitignore +0 -0
  190. {zizmor-1.6.0 → zizmor-1.7.0}/CONTRIBUTING.md +0 -0
  191. {zizmor-1.6.0 → zizmor-1.7.0}/Dockerfile +0 -0
  192. {zizmor-1.6.0 → zizmor-1.7.0}/LICENSE +0 -0
  193. {zizmor-1.6.0 → zizmor-1.7.0}/docs/assets/favicon48x48.png +0 -0
  194. {zizmor-1.6.0 → zizmor-1.7.0}/docs/assets/rainbow.svg +0 -0
  195. {zizmor-1.6.0 → zizmor-1.7.0}/docs/assets/zizmor-demo.gif +0 -0
  196. {zizmor-1.6.0 → zizmor-1.7.0}/docs/installation.md +0 -0
  197. {zizmor-1.6.0 → zizmor-1.7.0}/docs/magiclink.css +0 -0
  198. {zizmor-1.6.0 → zizmor-1.7.0}/docs/quickstart.md +0 -0
  199. {zizmor-1.6.0 → zizmor-1.7.0}/docs/snippets/render-sponsors.py +0 -0
  200. {zizmor-1.6.0 → zizmor-1.7.0}/docs/snippets/render-trophies.py +0 -0
  201. {zizmor-1.6.0 → zizmor-1.7.0}/docs/snippets/sponsors.html +0 -0
  202. {zizmor-1.6.0 → zizmor-1.7.0}/docs/snippets/sponsors.json +0 -0
  203. {zizmor-1.6.0 → zizmor-1.7.0}/docs/trophy-case.md +0 -0
  204. {zizmor-1.6.0 → zizmor-1.7.0}/mkdocs.yml +0 -0
  205. {zizmor-1.6.0 → zizmor-1.7.0}/pyproject.toml +0 -0
  206. {zizmor-1.6.0 → zizmor-1.7.0}/src/config.rs +0 -0
  207. {zizmor-1.6.0 → zizmor-1.7.0}/src/expr/expr.pest +0 -0
  208. {zizmor-1.6.0 → zizmor-1.7.0}/src/output/github.rs +0 -0
  209. {zizmor-1.6.0 → zizmor-1.7.0}/src/output/mod.rs +0 -0
  210. {zizmor-1.6.0 → zizmor-1.7.0}/src/state.rs +0 -0
  211. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/main.rs +0 -0
  212. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__e2e__issue_612_repro.snap +0 -0
  213. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-10.snap +0 -0
  214. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-12.snap +0 -0
  215. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-13.snap +0 -0
  216. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-14.snap +0 -0
  217. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-15.snap +0 -0
  218. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-2.snap +0 -0
  219. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-4.snap +0 -0
  220. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-6.snap +0 -0
  221. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-8.snap +0 -0
  222. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__cache_poisoning-9.snap +0 -0
  223. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__github_output.snap +0 -0
  224. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-6.snap +0 -0
  225. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/snapshots/integration__snapshot__template_injection-9.snap +0 -0
  226. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/artipacked/issue-447-repro.yml +0 -0
  227. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/artipacked.yml +0 -0
  228. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/bot-conditions.yml +0 -0
  229. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-disabled-by-default.yml +0 -0
  230. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-enabled-by-default.yml +0 -0
  231. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-not-configurable.yml +0 -0
  232. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-opt-in-boolean-toggle.yml +0 -0
  233. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-opt-in-boolish-toggle.yml +0 -0
  234. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-opt-in-expression.yml +0 -0
  235. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-opt-in-multi-value-toggle.yml +0 -0
  236. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/caching-opt-out.yml +0 -0
  237. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/issue-343-repro.yml +0 -0
  238. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/issue-378-repro.yml +0 -0
  239. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/issue-642-repro.yml +0 -0
  240. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/no-cache-aware-steps.yml +0 -0
  241. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/publisher-step.yml +0 -0
  242. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/workflow-release-branch-trigger.yml +0 -0
  243. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning/workflow-tag-trigger.yml +0 -0
  244. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/cache-poisoning.yml +0 -0
  245. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/.github/dummy-action-2/action.yml +0 -0
  246. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/.github/workflows/another-dummy.yml +0 -0
  247. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/.github/workflows/dummy.yml +0 -0
  248. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/.github/workflows/ignored.yaml +0 -0
  249. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/.gitignore +0 -0
  250. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/README.md +0 -0
  251. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/e2e-menagerie/dummy-action-1/action.yaml +0 -0
  252. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/issue-336-repro.yml +0 -0
  253. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/issue-472-repro.yml +0 -0
  254. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/jobs-broaden-permissions.yml +0 -0
  255. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/reusable-workflow-call.yml +0 -0
  256. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/reusable-workflow-other-triggers.yml +0 -0
  257. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/workflow-default-perms-all-jobs-explicit.yml +0 -0
  258. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/workflow-default-perms.yml +0 -0
  259. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/workflow-empty-perms.yml +0 -0
  260. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/workflow-read-all.yml +0 -0
  261. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/workflow-write-all.yml +0 -0
  262. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions/workflow-write-explicit.yml +0 -0
  263. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/excessive-permissions.yml +0 -0
  264. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/forbidden-uses/configs/allow-all.yml +0 -0
  265. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/forbidden-uses/configs/allow-some.yml +0 -0
  266. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/forbidden-uses/configs/deny-all.yml +0 -0
  267. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/forbidden-uses/configs/deny-some.yml +0 -0
  268. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/forbidden-uses/forbidden-uses-menagerie.yml +0 -0
  269. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/github-env/action.yml +0 -0
  270. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/github-env/github-path.yml +0 -0
  271. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/github-env/issue-397-repro.yml +0 -0
  272. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/github_env.yml +0 -0
  273. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/hardcoded-credentials.yml +0 -0
  274. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/insecure-commands/action.yml +0 -0
  275. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/insecure-commands.yml +0 -0
  276. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/invalid/invalid-workflow.yml +0 -0
  277. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/issue-612-repro/action.yml +0 -0
  278. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/overprovisioned-secrets.yml +0 -0
  279. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/ref-confusion/issue-518-repro.yml +0 -0
  280. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/ref-confusion.yml +0 -0
  281. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/secrets-inherit.yml +0 -0
  282. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/self-hosted/issue-283-repro.yml +0 -0
  283. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/self-hosted/self-hosted-matrix-dimension.yml +0 -0
  284. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/self-hosted/self-hosted-matrix-exclusion.yml +0 -0
  285. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/self-hosted/self-hosted-matrix-inclusion.yml +0 -0
  286. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/self-hosted/self-hosted-runner-group.yml +0 -0
  287. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/self-hosted/self-hosted-runner-label.yml +0 -0
  288. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/self-hosted.yml +0 -0
  289. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/several-vulnerabilities.yml +0 -0
  290. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/template-injection/dataflow.yml +0 -0
  291. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/template-injection/false-positive-menagerie.yml +0 -0
  292. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/template-injection/issue-22-repro.yml +0 -0
  293. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/template-injection/issue-339-repro.yml +0 -0
  294. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/template-injection/issue-418-repro.yml +0 -0
  295. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/template-injection/pr-317-repro.yml +0 -0
  296. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/template-injection/pr-425-backstop/action.yml +0 -0
  297. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/template-injection/static-env.yml +0 -0
  298. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/template-injection/template-injection-dynamic-matrix.yml +0 -0
  299. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/template-injection/template-injection-static-matrix.yml +0 -0
  300. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/template-injection.yml +0 -0
  301. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/action.yml +0 -0
  302. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/configs/composite-2.yml +0 -0
  303. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/configs/composite.yml +0 -0
  304. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/configs/empty.yml +0 -0
  305. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/configs/hash-pin-everything.yml +0 -0
  306. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-1.yml +0 -0
  307. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-2.yml +0 -0
  308. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-3.yml +0 -0
  309. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-4.yml +0 -0
  310. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/configs/invalid-policy-syntax-5.yml +0 -0
  311. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/configs/invalid-wrong-policy-object.yml +0 -0
  312. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/configs/ref-pin-everything.yml +0 -0
  313. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/issue-433-repro.yml +0 -0
  314. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/issue-659-repro.yml +0 -0
  315. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses/menagerie-of-uses.yml +0 -0
  316. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unpinned-uses.yml +0 -0
  317. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/unredacted-secrets.yml +0 -0
  318. {zizmor-1.6.0 → zizmor-1.7.0}/tests/integration/test-data/use-trusted-publishing.yml +0 -0
  319. {zizmor-1.6.0 → zizmor-1.7.0}/uv.lock +0 -0
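--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,7 +33,7 @@ jobs:
 
  - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2
 
- - uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
+ - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
 
  - name: Test dependencies
  run: |
@@ -57,7 +57,7 @@ jobs:
  with:
  persist-credentials: false
 
- - uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
+ - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
 
  - name: Test site
  run: make site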
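--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -68,7 +68,7 @@ jobs:
 
  - name: Build and push by digest
  id: build
- uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6
+ uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
  with:
  platforms: ${{ matrix.image.platform }}
  labels: ${{ steps.docker-metadata.outputs.labels }}
@@ -105,7 +105,7 @@ jobs:
 
  steps:
  - name: Download digests
- uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
  with:
  path: ${{ runner.temp }}/digests
  pattern: digests-*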
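--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -161,9 +161,9 @@ jobs:
  # Used to generate artifact attestation
  attestations: write
  steps:
- - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
  - name: Generate artifact attestation
- uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2
+ uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2
  with:
  subject-path: 'wheels-*/*'
  - name: Publish to PyPI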
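--- /dev/null
+++ b/.github/workflows/refresh-schemas.yml
@@ -0,0 +1,40 @@
+ name: Refresh schemas
+
+ on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 12 * * 1'
+
+ permissions: {}
+
+ jobs:
+ refresh-schemas:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+ pull-requests: write
+
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: try to refresh schemas
+ run: |
+ make refresh-schemas
+
+ - name: create PR
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+ with:
+ commit-message: "[BOT] update JSON schemas from SchemaStore"
+ branch: refresh-schemas
+ branch-suffix: timestamp
+ title: "[BOT] update JSON schemas from SchemaStore"
+ body: |
+ This is an automated pull request, updating `src/data`
+ after a detected change in the JSON schemas from SchemaStore.
+
+ Please review manually before merging.
+ assignees: "woodruffw"
+ reviewers: "woodruffw"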
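Review bot: The `create PR` step passes no `token` input to peter-evans/create-pull-request, so it falls back to the default `GITHUB_TOKEN`, and pull requests opened with that token do not start `pull_request` workflows — the automated schema PR will presumably land without CI results, which is worth stating on the step (`# Opened with GITHUB_TOKEN: CI will not run on this PR automatically; review and re-run by hand`) or fixing by supplying a token that is allowed to trigger workflows, at the cost of a wider credential. The `make refresh-schemas` step (its recipe is in the Makefile, outside this hunk) brings remote SchemaStore content into `src/data` with no integrity check visible here, and the job's `contents: write` / `pull-requests: write` grants are what let that fetched content be pushed as a branch; the "Please review manually before merging" body is the only guard, so a comment above the step such as `# Schemas are fetched from SchemaStore unverified; treat the resulting PR as untrusted input` makes that explicit. The job-scoped grants under an empty top-level `permissions: {}` and `persist-credentials: false` on checkout are the right shape. A short comment on the cron line, `# weekly, Mondays 12:00 UTC`, would also help.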
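--- a/.github/workflows/site.yml
+++ b/.github/workflows/site.yml
@@ -30,7 +30,7 @@ jobs:
  persist-credentials: false
 
  - name: Install the latest version of uv
- uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
+ uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
 
  - name: build site
  run: make site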
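--- a/.github/workflows/test-output.yml
+++ b/.github/workflows/test-output.yml
@@ -29,7 +29,7 @@ jobs:
  cargo run -- --format sarif . > results.sarif
 
  - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+ uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
  with:
  sarif_file: results.sarif
  category: zizmor-test-sarif-presentation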
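--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -21,13 +21,13 @@ jobs:
  with:
  persist-credentials: false
  - name: Install the latest version of uv
- uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
+ uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
  - name: Run zizmor 🌈
- run: uvx zizmor --format sarif . > results.sarif
+ run: uvx zizmor --format sarif .github/workflows > results.sarif
  env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+ uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
  with:
  sarif_file: results.sarif
  category: zizmor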
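Review bot: The scan root on the `Run zizmor` line is narrowed from `.` to `.github/workflows` with no comment saying why; the reason is not visible in this hunk, but presumably the deliberately vulnerable fixture workflows under `tests/integration/test-data` (listed in this diff) were surfacing as findings in the repo's own self-audit. A comment above the line, `# Audit only our own workflows; tests/integration/test-data holds intentionally vulnerable fixtures`, would stop the next maintainer from widening it back, and it should also note that any composite `action.yml` kept outside `.github/workflows` is no longer covered by this job. Separately, `uvx zizmor` resolves to whatever version is newest on PyPI at run time, so two runs of this self-audit may not agree; pinning it (`uvx zizmor==<VERSION>`, a placeholder) would make the SARIF results reproducible if that is wanted over always testing the latest release.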