Update integration tests and snaps

aldur · aldur · commit 013261777f41 · 2025-04-22T10:09:49.000+02:00
diff --git a/tests/integration/snapshots/integration__snapshot__cache_poisoning-10.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-10.snap
@@ -3,14 +3,14 @@ source: tests/integration/snapshot.rs
 expression: "zizmor().input(input_under_test(\"cache-poisoning/publisher-step.yml\")).run()?"
 ---
 error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
-  --> @@INPUT@@:25:9
+  --> @@INPUT@@:26:9
    |
-18 |         uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
+19 |         uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
-19 |
+20 |
 ...
-24 |       - name: Publish draft release on Github
-25 |         uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974
+25 |       - name: Publish draft release on Github
+26 |         uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ runtime artifacts usually published here
    |
    = note: audit confidence → Low
diff --git a/tests/integration/snapshots/integration__snapshot__cache_poisoning-4.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-4.snap
@@ -9,10 +9,10 @@ error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache pois
    |   ^^^^^^^^^^^ generally used when publishing artifacts generated at runtime
  2 |
 ...
-15 |           uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a
-16 | /         with:
-17 | |           python-version: "3.12"
-18 | |           enable-cache: ${{ github.ref == 'refs/heads/main' }}
+16 |           uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a
+17 | /         with:
+18 | |           python-version: "3.12"
+19 | |           enable-cache: ${{ github.ref == 'refs/heads/main' }}
    | |______________________________________________________________^ opt-in for caching might happen here
    |
    = note: audit confidence → Low
diff --git a/tests/integration/snapshots/integration__snapshot__overprovisioned_secrets.snap b/tests/integration/snapshots/integration__snapshot__overprovisioned_secrets.snap
@@ -1,20 +1,19 @@
 ---
 source: tests/integration/snapshot.rs
-expression: "zizmor().input(workflow_under_test(\"overprovisioned-secrets.yml\")).run()?"
-snapshot_kind: text
+expression: "zizmor().input(input_under_test(\"overprovisioned-secrets.yml\")).run()?"
 ---
 warning[overprovisioned-secrets]: excessively provisioned secrets
-  --> @@INPUT@@:12:18
+  --> @@INPUT@@:13:18
    |
-12 |           stuff: ${{ format('{0}', toJSON(secrets)) }}
+13 |           stuff: ${{ format('{0}', toJSON(secrets)) }}
    |                  ------------------------------------- injects the entire secrets context into the runner
    |
    = note: audit confidence → High
 
 warning[overprovisioned-secrets]: excessively provisioned secrets
-  --> @@INPUT@@:21:25
+  --> @@INPUT@@:22:25
    |
-21 |           secrets_json: ${{ toJSON(secrets) }}
+22 |           secrets_json: ${{ toJSON(secrets) }}
    |                         ---------------------- injects the entire secrets context into the runner
    |
    = note: audit confidence → High
diff --git a/tests/integration/snapshots/integration__snapshot__secrets_outside_environment.snap b/tests/integration/snapshots/integration__snapshot__secrets_outside_environment.snap
@@ -0,0 +1,17 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(input_under_test(\"secrets-outside-environment.yml\")).run()?"
+---
+error[secrets-outside-environment]: secrets used without an environment to gate them
+  --> @@INPUT@@:7:9
+   |
+ 7 |         - uses: actions_repo/actions/docker@13c8cf37e54dd9488afe8c067575444cc58bf155
+   |  _________^
+ 8 | |         with:
+ 9 | |           # NOT OK: Anyone with write access can exfiltrate this secret.
+10 | |           password: ${{ secrets.DOCKERHUB_PASSWORD }}
+   | |______________________________________________________^ this step
+   |
+   = note: audit confidence → High
+
+1 finding: 0 unknown, 0 informational, 0 low, 0 medium, 1 high
diff --git a/tests/integration/snapshots/integration__snapshot__unredacted_secrets.snap b/tests/integration/snapshots/integration__snapshot__unredacted_secrets.snap
@@ -1,20 +1,19 @@
 ---
 source: tests/integration/snapshot.rs
-expression: "zizmor().input(workflow_under_test(\"unredacted-secrets.yml\")).run()?"
-snapshot_kind: text
+expression: "zizmor().input(input_under_test(\"unredacted-secrets.yml\")).run()?"
 ---
 warning[unredacted-secrets]: leaked secret values
-  --> @@INPUT@@:14:18
+  --> @@INPUT@@:15:18
    |
-14 |           stuff: ${{ fromJSON(secrets.password) }}
+15 |           stuff: ${{ fromJSON(secrets.password) }}
    |                  --------------------------------- bypasses secret redaction
    |
    = note: audit confidence → High
 
 warning[unredacted-secrets]: leaked secret values
-  --> @@INPUT@@:17:23
+  --> @@INPUT@@:18:23
    |
-17 |           otherstuff: ${{ fromJson(secrets.otherstuff).field }}
+18 |           otherstuff: ${{ fromJson(secrets.otherstuff).field }}
    |                       ----------------------------------------- bypasses secret redaction
    |
    = note: audit confidence → High
diff --git a/tests/integration/test-data/cache-poisoning.yml b/tests/integration/test-data/cache-poisoning.yml
@@ -5,6 +5,7 @@ permissions: {}
 jobs:
   publish:
     runs-on: ubuntu-latest
+    environment: "Pypi"
     steps:
       - name: Setup uv
         uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a
diff --git a/tests/integration/test-data/cache-poisoning/caching-opt-in-expression.yml b/tests/integration/test-data/cache-poisoning/caching-opt-in-expression.yml
@@ -5,6 +5,7 @@ permissions: {}
 jobs:
   publish:
     runs-on: ubuntu-latest
+    environment: "Pypi"
     steps:
       - name: Project Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
diff --git a/tests/integration/test-data/cache-poisoning/publisher-step.yml b/tests/integration/test-data/cache-poisoning/publisher-step.yml
@@ -8,6 +8,7 @@ permissions: {}
 jobs:
   publish:
     runs-on: macos-latest
+    environment: "GitHub release"
     steps:
       - name: Project Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
diff --git a/tests/integration/test-data/overprovisioned-secrets.yml b/tests/integration/test-data/overprovisioned-secrets.yml
@@ -5,6 +5,7 @@ permissions: {}
 jobs:
   test:
     runs-on: ubuntu-latest
+    environment: "overprovisioned-secrets"
     steps:
       - run: echo "${stuff} ${otherstuff} ${morestuff}"
         env:
diff --git a/tests/integration/test-data/secrets-outside-environment.yml b/tests/integration/test-data/secrets-outside-environment.yml
@@ -4,7 +4,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions_repo/actions/docker@main
+      - uses: actions_repo/actions/docker@13c8cf37e54dd9488afe8c067575444cc58bf155
         with:
           # NOT OK: Anyone with write access can exfiltrate this secret.
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
diff --git a/tests/integration/test-data/unredacted-secrets.yml b/tests/integration/test-data/unredacted-secrets.yml
@@ -7,6 +7,7 @@ permissions: {}
 jobs:
   test:
     runs-on: ubuntu-latest
+    environment: "Unredacted secrets"
     steps:
       - run: echo "${stuff} ${otherstuff}"
         env:
