Add snapshot test

Author: aldur

tests/integration/snapshot.rs

@@ -533,3 +533,14 @@ fn unredacted_secrets() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+fn secrets_outside_environment() -> Result<()> {
+    insta::assert_snapshot!(
+        zizmor()
+            .input(input_under_test("secrets-outside-environment.yml"))
+            .run()?
+    );
+
+    Ok(())
+}

tests/integration/test-data/secrets-outside-environment.yml

@@ -1,12 +1,10 @@
-name: Action
 on: push
+permissions: {}
 jobs:
   build:
-    name: Job
     runs-on: ubuntu-latest
     steps:
-      - name: Docker setup
-        uses: actions_repo/actions/docker@main
+      - uses: actions_repo/actions/docker@main
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          # NOT OK: Anyone with write access can exfiltrate this secret.
           password: ${{ secrets.DOCKERHUB_PASSWORD }}