Overview

File zizmor.changes of Package zizmor

-------------------------------------------------------------------
Sun Mar 23 18:20:03 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.5.2:
  * Bug Fixes
    - Fixed a bug where zizmor would over-eagerly parse invalid and
      commented-out expressions, resulting in spurious warnings
      (#570)
    - Fixed a bug where zizmor would fail to honor # zizmor:
      ignore[rule] comments in unintuitive cases (#612)
    - Fixed a regression in zizmor's SARIF output format that
      caused suboptimal presentation of findings on GitHub (#621)

-------------------------------------------------------------------
Wed Mar 12 15:29:54 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.5.1:
  * chore: prep for v1.5.1 release (#601)
  * bugfix: don't require `.git/` to respect `.gitignore` files
    (#598)
  * docs: fix typo in release notes (#595)

-------------------------------------------------------------------
Tue Mar 11 06:10:49 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.5.0:
  * chore: prep for release v1.5.0 (#594)
  * chore(deps): bump the cargo group with 3 updates (#592)
  * chore(deps): bump the github-actions group with 2 updates
    (#593)
  * docs: fix typo (#591)
  * docs: fixup release notes (#590)
  * feat(cli): fine-grained color control (#586)
  * cli: re-add `--no-progress` flag (#589)
  * chore(deps): bump ring from 0.17.8 to 0.17.13 (#588)
  * docs: bump trophies (#587)
  * cargo: bump edition (#585)
  * docs: bump trophies (#584)
  * ci: pypi: bump maturin-action to v1.47.2 (#583)
  * chore(deps): bump the cargo group with 5 updates (#580)
  * chore(deps): bump the github-actions group with 7 updates
    (#581)
  * feat: respect .gitignore files when collecting inputs (#575)
  * test: refactor integration tests (#576)
  * feat: detect overprovisioned `secrets[...]` (#573)
  * bugfix: don't remove prefixes from local paths (#572)

-------------------------------------------------------------------
Tue Feb 25 18:37:57 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.4.1:
  * Bug Fixes
    - Findings produced by (unredacted-secrets) now use the correct
      ID and link to the correct URL in the audit documentation
      (#566)

-------------------------------------------------------------------
Tue Feb 25 18:24:40 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.4.0:
  * New Features
    - zizmor now has official Docker images! You can find them on
      the GitHub Container Registry under ghcr.io/woodruffw/zizmor
      (#532)
    - New audit: unredacted-secrets detects secret accesses that
      are not redacted in logs (#549)
  * Improvements
    - SARIF outputs are now slightly more aligned with GitHub Code
      Scanning expectations (#528)
    - # zizmor: ignore[rule] comments can now have trailing
      explanations, e.g. # zizmor: ignore[rule] because reasons
      (#531)
    - The bot-conditions audit now detects github.triggering_actor
      as another spoofable actor check (#559)
  * Bug Fixes
    - Fixed a bug where zizmor would fail to parse workflows with
      workflow_dispatch triggers that contained non-string inputs
      (#563)
  * Upcoming Changes
    - The next minor release of zizmor will be built with Rust
      2024. This should have no effect on most users, but may
      require users who build zizmor from source to update their
      Rust toolchain.

-------------------------------------------------------------------
Mon Feb 10 07:39:35 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.3.1:
  * chore: prep for 1.3.1 release (#523)
  * bugfix: bump github-actions-models to 0.25.0 (#522)
  * docs: bump trophies (#521)
  * docs: bump trophies (#520)
  * bugfix: fix has_tag lookup (#519)
  * docs: bump trophies (#515)
  * docs: bump trophies (#512)
  * bugfix: expr: make index rule non-atomic (#511)
  * chore(deps): bump the github-actions group with 2 updates
    (#509)
  * chore(deps): bump the cargo group with 2 updates (#508)
  * docs: bump trophies (#507)
  * docs: update dev-docs (#505)
  * README: more details (#504)
  * docs: bump trophies (#503)
  * bugfix: bump github-actions-models to 0.24.0 (#502)

-------------------------------------------------------------------
Wed Jan 29 06:28:45 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.3.0:
  * chore: prep for 1.3.0 release (#500)
  * docs: bump trophies (#499)
  * deps: bump indicatif from 0.17.9 to 0.17.11 (#498)
  * Downgrade tracing-indicatif (#496)
  * docs: bump trophies (#495)
  * ci: attempt to fix arm build (#494)
  * chore(deps): bump the github-actions group with 3 updates
    (#493)
  * chore(deps): bump the cargo group with 2 updates (#492)
  * refactor: improve context handling (#491)
  * feat(cli): add naches mode (#490)
  * release-notes: record #485 (#489)
  * feat: "raw" audit support + `overprovisioned-secrets` (#485)
  * cli: reduce warning to info when skipping audits (#488)
  * deps: bump github-actions-models (#487)
  * docs: bump trophies (#486)
  * docs: bump trophies (#484)
  * Fix syntax in docs for bot-condition (#483)
  * feat: improve parse error slightly (#482)
  * docs: bump trophies (#481)
  * chore(deps): bump the cargo group with 3 updates (#480)
  * Add slash to avoid redirect (#478)
  * bugfix: collect actions from subdirectories of
    .github/workflows (#477)

-------------------------------------------------------------------
Mon Jan 20 06:16:20 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.2.2:
  * chore: prep for 1.2.2 release (#476)
  * feat: improve error message when repo fetch fails (#475)
  * bugfix: special-case workflow_call in excessive-permissions
    (#473)

-------------------------------------------------------------------
Mon Jan 20 06:05:10 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.2.1:
  * chore: prep 1.2.1 (#470)
  * bugfix: generalize path prefix handling (#469)
  * chore(deps): bump astral-sh/setup-uv from 5.1.0 to 5.2.1 in the
    github-actions group (#467)
  * docs: try to fix the site (#466)
  * chore: remove site-requirements.txt (#465)

-------------------------------------------------------------------
Mon Jan 20 06:00:28 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.2.0:
  * chore: prep 1.2.0 (#464)
  * bugfix: bump github-actions-models (#463)
  * bugfix: parse multi-line expressions correctly (#461)
  * feat: bot-conditions (#460)
  * ci: pypi: try enabling aarch64 on an ARM runner (#457)
  * docs: typo (#456)
  * docs: add sponsors to README and site (#454)
  * bugfix: sarif: use absolute physical locations only (#453)
  * chore(docs): bump trophies (#451)
  * chore(docs): bump trophies (#450)
  * refactor: reduce invalid states in job APIs (#449)
  * fix: artipacked: check for stringy bools (#448)
  * docs: bump trophies (#446)
  * bugfix: mark another context as safe during injections (#445)
  * docs: bump trophies (#444)
  * docs: bump trophies (#443)
  * docs: bump trophies (#442)
  * refactor: make excessive-permissions more correct (#441)
  * docs: bump trophies (#440)
  * fix: don't flag local workflows in unpinned-uses (#439)

-------------------------------------------------------------------
Tue Jan 14 05:42:08 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.1.1:
  * chore: prep 1.1.1 (#438)
  * chore(deps): bump the cargo group with 4 updates (#434)
  * chore(deps): bump the github-actions group with 2 updates
    (#436)
  * fix: bump github-actions-models (#437)
  * docs: bump trophies (#430)

-------------------------------------------------------------------
Mon Jan 13 06:58:02 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.1.0:
  This release comes with one new audit (secrets-inherit), plus a
  slew of bugfixes and internal refactors that unblock future
  improvements!
  * Added
    - New audit: secrets-inherit detects use of secrets: inherit
      with reusable workflow calls (#408)
  * Improved
    - The template-injection audit now detects injections in calls
      to azure/cli and azure/powershell (#421)
  * Fixed
    - The template-injection audit no longer consider
      github.server_url dangerous (#412)
    - The template-injection audit no longer crashes when
      evaluating the static-ness of an environment for a uses: step
      (#420)

-------------------------------------------------------------------
Wed Jan 08 12:10:48 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 1.0.1:
  This is a small quality and bugfix release. Thank you to
  everybody who helped by reporting and shaking out bugs from our
  first stable release!
  * Improved
    - The github-env audit now detects dangerous writes to
      GITHUB_PATH, is more precise, and can produce multiple
      findings per run block (#391)
  * Fixed
    - workflow_call.secrets keys with missing values are now parsed
      correctly (#388)
    - The cache-poisoning audit no longer incorrectly treats
      docker/build-push-action as a publishing workflow is push:
      false is explicitly set (#389)
    - The template-injection audit no longer considers
      github.action_path to be a potentially dangerous expansion
      (#402)
    - The github-env audit no longer skips run: steps with
      non-trivial shell: stanzas (#403)

-------------------------------------------------------------------
Fri Jan  3 15:07:00 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>

- new package zizmore: a static analysis tool for GitHub Actions
openSUSE Build Service is sponsored by
Places