⬆ Bump zizmor from 1.24.1 to 1.25.1
Type: Pull Request
State: Closed
Association: Unknown
Comments: 2
Labels: dependencies, internal, python:uv
Bumps zizmor from 1.24.1 to 1.25.1.
Release notes
Sourced from zizmor's releases.
v1.25.1
Bug Fixes 🐛
Fixed a bug where the cache-poisoning audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (#2004)
Fixed a typo when suggesting --fix flags for findings (#2010). Many thanks to @0xdeaf for implementing this fix!
Fixed a typo in unpinned-tools annotations (#2008). Many thanks to @martincostello for implementing this fix!
Fixed a bug where the github-app audit would incorrectly flag some safe uses of actions/create-github-app-token as unsafe (#2011)
v1.25.0
New Features 🌈
zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913). Many thanks to @Proximyst for proposing and implementing this improvement!
New audit: github-app detects dangerous usages of GitHub App installation tokens (#1926)
New audit: unpinned-tools detects actions that install tools without pinning to a specific version (#1820)
zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)
zizmor's LSP now honors the --persona flag on the CLI (#1943)
zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)
Enhancements
Recommend gh issue edit --add-label / gh pr edit --add-label as a replacement for actions-ecosystem/action-add-labels in superfluous-actions
Recommend gh issue edit --remove-label / gh pr edit --remove-label as a replacement for actions-ecosystem/action-remove-labels in superfluous-actions
Recommend jq as a replacement for sergeysova/jq-action in superfluous-actions
Recommend git add, git commit, and git push as a replacement for stefanzweifel/git-auto-commit-action in superfluous-actions
Recommend git add, git commit, and git push as a replacement for EndBug/add-and-commit in superfluous-actions
tibdex/github-app-token is now recognized as an archived action by archived-uses (#1910)
The dangerous-triggers audit now explicitly exempts workflows that only invoke actions/labeler (#1956)
The unpinned-images audit now detects unpinned image references in Docker-based action definitions (#1965)
... (truncated)
Changelog
Sourced from zizmor's changelog.
1.25.1
Bug Fixes 🐛
Fixed a bug where the cache-poisoning audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (#2004)
Fixed a typo when suggesting --fix flags for findings (#2010). Many thanks to @0xdeaf for implementing this fix!
Fixed a typo in unpinned-tools annotations (#2008). Many thanks to @martincostello for implementing this fix!
Fixed a bug where the github-app audit would incorrectly flag some safe uses of actions/create-github-app-token as unsafe (#2011)
1.25.0
New Features 🌈
zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913). Many thanks to @Proximyst for proposing and implementing this improvement!
New audit: github-app detects dangerous usages of GitHub App installation tokens (#1926)
New audit: unpinned-tools detects actions that install tools without pinning to a specific version (#1820)
zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)
zizmor's LSP now honors the --persona flag on the CLI (#1943)
zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)
Enhancements
Recommend gh issue edit --add-label / gh pr edit --add-label as a replacement for actions-ecosystem/action-add-labels in superfluous-actions
Recommend gh issue edit --remove-label / gh pr edit --remove-label as a replacement for actions-ecosystem/action-remove-labels in superfluous-actions
... (truncated)
Commits
9300d3b ww/release (#2016)
331917a chore: drop serde_yaml rename (#2015)
506f085 github-app: test repositories, not repository (#2011)
53dea37 unpinned-tools, docs: fix typos (#2008)
8068e11 fix: replace --fix=unsafe with --fix=unsafe-only in suggestion (#2010)
05e3d99 cache-poisoning: relax trigger check in heuristics (#2004)
9440ced Fix link in release-notes (#2002)
ee07597 Prep zizmor 1.25.0 (#2001)
77e92cf Bump trophies (#1999)
bf0362d Add some gatekeeping that instructs agents to refer their operator to the AI ...
Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
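The github-app audit introduced in 1.25.0 and corrected in 1.25.1 (#2011, commit 506f085 "test repositories, not repository") is about least privilege for minted GitHub App installation tokens. The following is an added example, not zizmor's code and not part of this PR: a small checker over a workflow job (Python dicts, as yaml.safe_load would return them) that reports actions/create-github-app-token steps whose token is not scoped. The `repositories` and `permission-*` names are real inputs of that action; the rule itself, the `repos_key` parameter and the sample job are this example's assumptions. Passing `repos_key="repository"` reproduces the kind of false positive the 1.25.1 fix describes, where a scoped step is flagged because the audit tests the wrong key.

```python
"""Least-privilege check for GitHub App token minting steps.

Illustrative checker (not zizmor's implementation). It walks the steps of a
workflow job, given as Python dicts, and reports create-github-app-token
steps whose token is not restricted to specific repositories or to explicit
permissions. The check rule and the sample job are assumptions of this
example; the input names come from the action's documented inputs.
"""
from typing import Any

APP_TOKEN_ACTION = "actions/create-github-app-token"


def is_app_token_step(step: dict[str, Any]) -> bool:
    """True if the step's `uses:` points at create-github-app-token (any ref)."""
    uses = step.get("uses", "")
    return uses.split("@", 1)[0] == APP_TOKEN_ACTION


def audit_app_token_step(step: dict[str, Any], repos_key: str = "repositories") -> list[str]:
    """Return findings for one step (empty list means the step is clean).

    `repos_key` is the input name inspected for repository scoping. The
    correct name is `repositories`; passing the singular `repository`
    (hypothetical wrong key) makes a properly scoped step look unscoped,
    i.e. a false positive of the kind fixed in zizmor 1.25.1 (#2011).
    """
    findings: list[str] = []
    if not is_app_token_step(step):
        return findings
    step_id = step.get("id", "?")
    inputs = step.get("with") or {}

    repos = inputs.get(repos_key)
    if repos is None or not str(repos).strip():
        findings.append(
            f"step {step_id}: token is not scoped to specific repositories "
            f"(missing `{repos_key}`); it is valid for every repository the app is installed on"
        )

    # Without any permission-* input the token carries every permission granted
    # to the installation rather than the minimum the job needs.
    if not any(k.startswith("permission-") for k in inputs):
        findings.append(
            f"step {step_id}: no `permission-*` inputs; the token inherits all "
            "permissions granted to the app installation"
        )
    return findings


def audit_job(job: dict[str, Any], repos_key: str = "repositories") -> list[str]:
    """Audit every step of one job and collect the findings."""
    findings: list[str] = []
    for step in job.get("steps", []):
        findings.extend(audit_app_token_step(step, repos_key))
    return findings


# Constructed sample job for this example; not taken from any real workflow.
SAMPLE_JOB = {
    "runs-on": "ubuntu-latest",
    "steps": [
        {   # unscoped: all installed repositories, all app permissions
            "id": "broad-token",
            "uses": "actions/create-github-app-token@v2",
            "with": {
                "app-id": "${{ vars.APP_ID }}",
                "private-key": "${{ secrets.APP_PRIVATE_KEY }}",
            },
        },
        {   # scoped: one repository, one read-only permission
            "id": "scoped-token",
            "uses": "actions/create-github-app-token@v2",
            "with": {
                "app-id": "${{ vars.APP_ID }}",
                "private-key": "${{ secrets.APP_PRIVATE_KEY }}",
                "repositories": "example-repo",
                "permission-contents": "read",
            },
        },
        {"id": "checkout", "uses": "actions/checkout@v4"},
    ],
}

if __name__ == "__main__":
    for finding in audit_job(SAMPLE_JOB):
        print(finding)
```

Run against the sample job, only the `broad-token` step is reported (two findings); `scoped-token` is clean, and it is reported again only when the checker is told to look at the wrong `repository` key, which is the behaviour a regression test for such an audit should pin down.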
Package Dependencies
Technical Details
| ID: | 15921014 |
| UUID: | 4505849045 |
| Node ID: | PR_kwDOF8_QEs7egeQP |
| Host: | GitHub |
| Repository: | fastapi/sqlmodel |