chore(deps): Bump the all-dependencies group with 2 updates

[dependabot]

Bumps the all-dependencies group with 2 updates: yamllint and zizmor.

Updates yamllint from 1.35.1 to 1.37.0

Changelog

Sourced from yamllint's changelog.

1.37.0 (2025-03-23)

• Automatically detect Unicode character encoding of files
• Publish pushes to master branch to TestPyPI

1.36.2 (2025-03-17)

• Build: Restore missing documentation and tests in sdist

1.36.1 (2025-03-15)

• Publish PyPI releases using GitHub Actions workflows

1.36.0 (2025-03-11)

• Add support for Python 3.13, drop support for Python 3.8
• Rule key-ordering: add ignored-keys option
• Rule quoted-strings: fix only-when-needed and escaped special chars
• Fix TTY-related tests on Python 3.14
• Docs: fix import of yamllint.config rather than yamllint

Commits

• be92e15 yamllint version 1.37.0
• 8323394 CI: Fail when open()’s default encoding is used
• 4d7be6d tests: Stop using open()’s default encoding
• fd58e6b decoder: Autodetect encoding for ignore-from-file
• 8e3a3b3 decoder: Autodetect decoding of stdin
• a53fa80 decoder: Autodetect encoding of most YAML files
• 0b3abe5 tests: Move code for deleting env vars to init
• 82a57b7 tests: Restore stdout
• 5f57f9e tests: Use correct encoding for path
• 325fafa CI: Publish each master commit with a unique version on TestPyPI
• Additional commits viewable in compare view

Updates zizmor from 1.3.1 to 1.5.2

Release notes

Sourced from zizmor's releases.

v1.5.2

Bug Fixes 🐛🔗

• Fixed a bug where zizmor would over-eagerly parse invalid and commented-out expressions, resulting in spurious warnings (#570)
• Fixed a bug where zizmor would fail to honor # zizmor: ignore[rule] comments in unintuitive cases (#612)
• Fixed a regression in zizmor's SARIF output format that caused suboptimal presentation of findings on GitHub (#621)

Upcoming Changes 🚧🔗

• The official PyPI builds for zizmor will support fewer architectures in the next release, due to cross-compilation and testing difficulties. This should have no effect on the overwhelming majority of users. See #603 for additional details.

v1.5.1

Bug Fixes 🐛🔗

• Fixed a bug where zizmor would fail to honor .gitignore files when a .git/ directory is not present (#598)

v1.5.0

New Features 🌈🔗

• The overprovisioned-secrets audit now detects indexing operations on the secrets context that result in overprovisioning (#573)
• zizmor now ignores patterns in .gitignore (and related files, like .git/info/exclude) by default when performing input collection. This makes input collection significantly faster for users with local development state and more closely reflects typical user expectations. Users who wish to explicitly collect everything regardless of ignore patterns can continue to use --collect=all (#575)
• zizmor now has a --no-progress flag that disables progress bars, even if the terminal supports them (#589)
• zizmor now has a --color flag that controls when zizmor's output is colorized (beyond basic terminal detection) (#586)

Bug Fixes 🐛🔗

• Fixed zizmor's path presentation behavior to correctly present unambiguous paths in both SARIF and "plain" outputs when multiple input directories are given (#572)

v1.4.1

This is a small corrective release for v1.4.0.

Bug Fixes 🐛🔗

• Findings produced by (unredacted-secrets) now use the correct ID and link to the correct URL in the audit documentation (#566)

v1.4.0

This release comes with one new audit (unredacted-secrets), plus a handful of bugfixes and analysis improvements to existing audits. It also comes with improvements to SARIF presentation, ignore comments, as well as an official Docker image!

New Features 🌈🔗

• zizmor now has official Docker images! You can find them on the GitHub Container Registry under ghcr.io/woodruffw/zizmor (#532)
• New audit: unredacted-secrets detects secret accesses that are not redacted in logs (#549)

Improvements 🌱🔗

• SARIF outputs are now slightly more aligned with GitHub Code Scanning expectations (#528)
• # zizmor: ignore[rule] comments can now have trailing explanations, e.g. # zizmor: ignore[rule] because reasons (#531)
• The bot-conditions audit now detects github.triggering_actor as another spoofable actor check (#559)

Bug Fixes 🐛🔗

• Fixed a bug where zizmor would fail to parse workflows with workflow_dispatch triggers that contained non-string inputs (#563)

Upcoming Changes 🚧🔗

• The next minor release of zizmor will be built with Rust 2024. This should have no effect on most users, but may require users who build zizmor from source to update their Rust toolchain.

Changelog

Sourced from zizmor's changelog.

v1.5.2

Bug Fixes 🐛

• Fixed a bug where zizmor would over-eagerly parse invalid and commented-out expressions, resulting in spurious warnings (#570)
• Fixed a bug where zizmor would fail to honor # zizmor: ignore[rule] comments in unintuitive cases (#612)
• Fixed a regression in zizmor's SARIF output format that caused suboptimal presentation of findings on GitHub (#621)

Upcoming Changes 🚧

• The official PyPI builds for zizmor will support fewer architectures in the next release, due to cross-compilation and testing difficulties. This should have no effect on the overwhelming majority of users. See #603 for additional details.

v1.5.1

Bug Fixes 🐛

• Fixed a bug where zizmor would fail to honor .gitignore files when a .git/ directory is not present (#598)

v1.5.0

New Features 🌈

• The [overprovisioned-secrets] audit now detects indexing operations on the secrets context that result in overprovisioning (#573)
• zizmor now ignores patterns in .gitignore (and related files, like .git/info/exclude) by default when performing input collection. This makes input collection significantly faster for users with local development state and more closely reflects typical user expectations. Users who wish to explicitly collect everything regardless of ignore patterns can continue to use --collect=all (#575)
• zizmor now has a --no-progress flag that disables progress bars, even if the terminal supports them (#589)
• zizmor now has a --color flag that controls when zizmor's output is colorized (beyond basic terminal detection) (#586)

Bug Fixes 🐛

• Fixed zizmor's path presentation behavior to correctly present unambiguous paths in both SARIF and "plain" outputs when multiple input directories are given (#572)

... (truncated)

Commits

• 0c590a6 chore: prep for v1.5.2 release (#623)
• fcedd86 bugfix: sarif: add working directory to invocation (#621)
• f6c0af2 docs: bump trophies (#620)
• 8638762 chore(deps): bump docker/login-action in the github-actions group (#610)
• 91abf6b tests: add repro case for #612 (#616)
• 28b6266 Clearly state that actions: read is only required for private repos (#615)
• 39fb35c docs: usage: clarify ignore comment placement (#614)
• 3af2d80 docs: bump trophies (#613)
• 0b20ed2 chore(deps): bump the cargo group with 4 updates (#609)
• 6175eee chore: drop explicit dependency on streaming-iterator (#605)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.09%. Comparing base (6ad32d1) to head (9f5cfae).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #96   +/-   ##
=======================================
  Coverage   41.09%   41.09%           
=======================================
  Files          20       20           
  Lines        1173     1173           
=======================================
  Hits          482      482           
  Misses        646      646           
  Partials       45       45           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.