Releases: zizmorcore/zizmor

v1.23.1

08 Mar 17:05
Immutable release. Only release title and notes can be modified.
0b77258

Bug Fixes 🐛

  • Fixed a bug where zizmor would error if given both a GH_TOKEN and a GITHUB_TOKEN (or ZIZMOR_GITHUB_TOKEN) via the environment (#1724)

v1.23.0

08 Mar 06:23
f5c05f0

New Features 🌈

  • New audit: secrets-outside-env detects usage of the secrets context in jobs that don't have a corresponding environment (#1599)

  • New audit: superfluous-actions detects usage of actions that perform operations already provided by GitHub's own runner images (#1618)
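What the secrets-outside-env audit is looking for, shown as an added example (a Python approximation written for this page, not zizmor's implementation) run over a constructed workflow: a job that reads the secrets context without declaring an environment, next to the hardened job that binds the same kind of secret to one. The security point is that environment-scoped secrets are released only after the environment's protection rules (required reviewers, branch restrictions) pass, whereas a repository secret referenced from a job with no environment is available to that job on whatever ref the workflow happens to run on. Excluding GITHUB_TOKEN (which is provisioned automatically for every job and is never an environment secret) and ignoring toJSON(secrets) are choices made here; zizmor's exact rules may differ.

```python
from __future__ import annotations

import re
from typing import Any, Iterator

# Matches an Actions expression that reads the `secrets` context, e.g.
# "${{ secrets.DEPLOY_KEY }}". `secrets: inherit` on a reusable-workflow call
# is a job key rather than an expression and is deliberately not matched;
# `toJSON(secrets)` is also not handled by this approximation.
SECRETS_EXPR = re.compile(r"\$\{\{[^}]*\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")


def _strings(node: Any) -> Iterator[str]:
    """Yield every scalar string reachable from a parsed YAML node."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(key)
            yield from _strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _strings(item)


def secrets_used(job: dict) -> set[str]:
    """Names of secrets a job reads through the `secrets` context.

    GITHUB_TOKEN is excluded: it is issued automatically to every job and is
    never an environment-scoped secret, so it says nothing about environments.
    """
    names: set[str] = set()
    for text in _strings(job):
        for match in SECRETS_EXPR.finditer(text):
            if match.group(1) != "GITHUB_TOKEN":
                names.add(match.group(1))
    return names


def secrets_outside_env(workflow: dict) -> dict[str, set[str]]:
    """Map job id -> secrets it reads, for jobs that declare no `environment`."""
    findings: dict[str, set[str]] = {}
    for job_id, job in workflow.get("jobs", {}).items():
        if not isinstance(job, dict) or "environment" in job:
            continue
        names = secrets_used(job)
        if names:
            findings[job_id] = names
    return findings


# Constructed sample workflow, in the shape a YAML loader produces (assumption:
# keys as written in the file; PyYAML loads a bare `on:` key as the boolean True).
SAMPLE_WORKFLOW = {
    "name": "release",
    "on": {"push": {"tags": ["v*"]}},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [{"uses": "actions/checkout@v4"}, {"run": "make dist"}],
        },
        # Weak: a deployment secret is read with no environment, so nothing
        # (reviewers, branch rules) stands between a workflow run and the key.
        "deploy": {
            "runs-on": "ubuntu-latest",
            "needs": "build",
            "steps": [
                {
                    "run": "./deploy.sh",
                    "env": {
                        "DEPLOY_KEY": "${{ secrets.DEPLOY_KEY }}",
                        "GH_TOKEN": "${{ secrets.GITHUB_TOKEN }}",
                    },
                }
            ],
        },
        # Hardened: the publishing secret is bound to an environment, so the
        # environment's protection rules gate its release.
        "publish": {
            "runs-on": "ubuntu-latest",
            "needs": "build",
            "environment": "release",
            "steps": [
                {
                    "run": "./publish.sh",
                    "env": {"PUBLISH_TOKEN": "${{ secrets.PUBLISH_TOKEN }}"},
                }
            ],
        },
    },
}


if __name__ == "__main__":
    for job_id, names in secrets_outside_env(SAMPLE_WORKFLOW).items():
        print(f"{job_id}: reads {sorted(names)} without an environment")
```

Only the `deploy` job is reported; `publish` reads a secret too, but under an environment, and `build` reads none. To run this over a real file, load it with `yaml.safe_load` and pass the result in; the walk does not depend on which keys the secret reference sits under (step `env`, `with`, `run`, job-level `env`), which is the point of scanning every string rather than a fixed list of locations.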

Enhancements 🌱

  • zizmor's LSP mode is now configuration-aware, and will load configuration files relative to workspace roots (#1555)

  • zizmor now reads the GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN (#1566)

  • zizmor now supports inputs that contain duplicated anchor names (#1575)

  • zizmor now flags missing cooldowns on opentofu ecosystem definitions in Dependabot (again) (#1586)

  • zizmor now reads the ZIZMOR_GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN and GITHUB_TOKEN (#1641)

  • The SARIF output format now adds zizmor/confidence, zizmor/persona and zizmor/severity to the properties of findings (#1656)

  • Added awalsh128/cache-apt-pkgs-action as a cache-aware action to the cache-poisoning audit (#1708)
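One way to consume the zizmor/severity, zizmor/confidence and zizmor/persona properties now emitted in SARIF, as an added example that is not part of zizmor: a CI gate that decides which results should fail a pipeline from those three properties rather than from the coarse SARIF level. The SARIF document below is constructed for the example, and the spelling of the property values ("High", "regular", and so on) is an assumption, so the comparisons are case-insensitive. Results that carry no zizmor properties (output from another tool, or from an older zizmor) are treated as unknown and never block.

```python
from __future__ import annotations

import json

# Rank orderings for zizmor's severity and confidence scales. The exact
# spellings in the SARIF properties are assumed; lookups lower-case the value.
SEVERITY_RANK = {"unknown": 0, "informational": 1, "low": 2, "medium": 3, "high": 4}
CONFIDENCE_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3}


def _rank(table: dict[str, int], value: object) -> int:
    """Rank of a severity/confidence value; anything unrecognised ranks as unknown."""
    return table.get(str(value).lower(), 0)


def gate_findings(
    sarif: dict,
    *,
    min_severity: str,
    min_confidence: str,
    personas: tuple[str, ...] = ("regular",),
) -> list[dict]:
    """Return the SARIF results that should block a pipeline.

    A result blocks when its zizmor/severity and zizmor/confidence are both at
    or above the thresholds and its zizmor/persona is one the caller opted in
    to. Gating on the "regular" persona only means a run with --persona
    pedantic still surfaces pedantic findings without failing the build on them.
    """
    blocking: list[dict] = []
    wanted = {p.lower() for p in personas}
    sev_floor = _rank(SEVERITY_RANK, min_severity)
    conf_floor = _rank(CONFIDENCE_RANK, min_confidence)
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            props = result.get("properties", {})
            if str(props.get("zizmor/persona", "")).lower() not in wanted:
                continue
            if _rank(SEVERITY_RANK, props.get("zizmor/severity")) < sev_floor:
                continue
            if _rank(CONFIDENCE_RANK, props.get("zizmor/confidence")) < conf_floor:
                continue
            blocking.append(result)
    return blocking


# Constructed SARIF output; the property names are the ones the release notes
# list, the values and rule ids are illustrative.
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "zizmor"}},
    "results": [
      {"ruleId": "template-injection", "level": "error",
       "message": {"text": "code injection via template expansion"},
       "properties": {"zizmor/severity": "High", "zizmor/confidence": "High",
                      "zizmor/persona": "regular"}},
      {"ruleId": "unpinned-uses", "level": "warning",
       "message": {"text": "action is not pinned to a hash"},
       "properties": {"zizmor/severity": "Medium", "zizmor/confidence": "High",
                      "zizmor/persona": "regular"}},
      {"ruleId": "template-injection", "level": "note",
       "message": {"text": "potential injection (pedantic only)"},
       "properties": {"zizmor/severity": "High", "zizmor/confidence": "Low",
                      "zizmor/persona": "pedantic"}},
      {"ruleId": "other-tool-rule", "level": "warning",
       "message": {"text": "result with no zizmor properties"}}
    ]
  }]
}
""")


if __name__ == "__main__":
    for r in gate_findings(SAMPLE_SARIF, min_severity="medium", min_confidence="high"):
        print(r["ruleId"], r["properties"]["zizmor/severity"], r["message"]["text"])
```

With `min_severity="medium"` and `min_confidence="high"` the gate returns the two regular-persona findings and skips the low-confidence pedantic one; tightening to `min_severity="high"` leaves only the template-injection result. Reading the policy from these properties keeps the gate stable when the SARIF level mapping changes between releases.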

Changes ⚠️

  • SARIF categories have been regraded. zizmor's "medium" is changed from SARIF's "warning" to "low" (#1635)

Bug Fixes 🐛

  • Fixed a bug where zizmor would crash on uses: clauses containing non-significant whitespace while performing the unpinned-uses audit (#1544)

  • Fixed a bug in yamlpath where sequences containing anchors were splatted instead of being properly nested (#1557)

    Many thanks to @DarkaMaul for implementing this fix!

  • Fixed a bug in yamlpath where anchor prefixes in sequences and mappings were not stripped during path queries (#1562)

  • Fixed a bug where "merge into" autofixes would produce incorrect patches in the presence of multi-byte Unicode characters (#1581)

    Many thanks to @ManuelLerchnerQC for implementing this fix!

  • Fixed a bug where the template-injection audit would produce duplicated pedantic-only findings (#1589)

  • Fixed a bug where the obfuscation audit would produce incorrect autofixes for a subset of constant-reducible expressions (#1597)

  • Fixed a bug where the obfuscation audit would fail to apply fixes to a subset of inputs with leading whitespace (#1597)

  • Fixed a bug where the concurrency-limits audit would incorrectly flag reusable-only workflows as needing a concurrency: key (#1620)

  • Fixed a bug where the known-vulnerable-actions audit would fail when applying some fixes (#1640)

    Many thanks to @reubenwong97 for implementing this fix!

  • Fixed a bug where the pre-commit ecosystem was not recognized in Dependabot configuration files (#1637)

  • Fixed a bug where the template-injection audit would incorrectly flag github.triggering_actor as an injection risk in the default persona (#1645)

  • Fixed a bug where zizmor's expression parser did not correctly handle number literals in GitHub Actions expressions (#1625)

  • Fixed a bug where the template-injection audit would crash on some forms of multi-line expressions (#1669)

  • Fixed a bug where deserialization of a workflow containing fractional minutes would fail (#1675)

  • Fixed a bug where deserialization of a workflow whose workflow_run trigger has a scalar types value would fail (#1676)

  • Fixed a bug where zizmor would crash on workflows containing bare numeric values in if: conditions (#1683)

  • Fixed a bug where GitHub Actions expression string comparisons were not case-insensitive (#1687)
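The semantics behind the fixes for number literals, bare numeric `if:` values and case-insensitive string comparison, as an added example that is not zizmor's code: a small Python model of how GitHub Actions evaluates `==` and truthiness, following GitHub's documented rules for loose comparison (null becomes 0, booleans become 1 and 0, strings are parsed as JSON numbers or else NaN, two strings compare ignoring case). The practical caveat for anyone writing ref guards is that `github.ref == 'refs/heads/main'` also holds for a branch literally named `MAIN`, because the comparison ignores case while git refs themselves are case-sensitive. Whether leading or trailing whitespace in a string is trimmed before numeric coercion is not modelled here.

```python
from __future__ import annotations

import math
import re
from typing import Any

# Strict JSON number syntax, used for string -> number coercion in comparisons.
JSON_NUMBER = re.compile(r"^-?(0|[1-9]\d*)(\.\d+)?([eE][-+]?\d+)?$")


def to_number(value: Any) -> float:
    """Loose numeric coercion as GitHub Actions applies it in `==`.

    null -> 0, booleans -> 1/0, numbers unchanged, strings parsed as JSON
    numbers (the empty string is 0; anything else unparsable is NaN).
    """
    if value is None:
        return 0.0
    if isinstance(value, bool):          # before int: bool is an int subclass
        return 1.0 if value else 0.0
    if isinstance(value, (int, float)):
        return float(value)
    if isinstance(value, str):
        if value == "":
            return 0.0
        if JSON_NUMBER.match(value):
            return float(value)
        return math.nan
    return math.nan


def gha_equals(left: Any, right: Any) -> bool:
    """`==` as GitHub Actions evaluates it.

    Two strings compare case-insensitively. Any other pairing is a loose
    numeric comparison after coercion, and NaN never equals anything.
    """
    if isinstance(left, str) and isinstance(right, str):
        return left.lower() == right.lower()
    a, b = to_number(left), to_number(right)
    if math.isnan(a) or math.isnan(b):
        return False
    return a == b


def gha_truthy(value: Any) -> bool:
    """Truthiness of a bare `if:` value.

    GitHub's falsy values are false, 0, -0, "" and null; every other value,
    including the string "false", is truthy.
    """
    if value is None:
        return False
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0                # -0.0 == 0, so it is falsy too
    if isinstance(value, str):
        return value != ""
    return True


if __name__ == "__main__":
    # Constructed values as a YAML loader would hand them to an evaluator.
    print(gha_equals("refs/heads/MAIN", "refs/heads/main"))   # case-insensitive
    print(gha_equals(1, "1"), gha_equals(True, 1), gha_equals(None, 0))
    print(gha_truthy(1), gha_truthy(0), gha_truthy("false"), gha_truthy(""))
```

A guard such as `if: github.ref == 'refs/heads/main'` therefore passes for `refs/heads/MAIN`; `if: 1` is simply true, `if: 0` is false, and a quoted `'false'` stays truthy. Linters that evaluate or constant-fold expressions need these exact rules, which is why the fixes above matter for the template-injection and obfuscation audits.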

v1.23.0-rc7

08 Mar 05:59
93858d8

Pre-release
zizmor 1.23.0-rc7 (#1718)

Signed-off-by: William Woodruff <william@yossarian.net>

v1.23.0-rc6

08 Mar 02:18
2255be6

Pre-release
zizmor 1.23.0-rc6 (#1715)

Signed-off-by: William Woodruff <william@yossarian.net>

v1.23.0-rc5

25 Feb 02:37
3a4c34b

Pre-release
zizmor 1.23.0-rc5 (#1663)

Signed-off-by: William Woodruff <william@yossarian.net>

v1.23.0-rc4

25 Feb 02:20
c264f27

Pre-release
zizmor v1.23.0-rc4 (#1662)

Signed-off-by: William Woodruff <william@yossarian.net>

v1.23.0-rc3

25 Feb 02:01
6ef45be

Pre-release
zizmor 1.23.0-rc3 (#1661)

* Fix broken release bits

Signed-off-by: William Woodruff <william@yossarian.net>

* zizmor 1.23.0-rc3

Signed-off-by: William Woodruff <william@yossarian.net>

---------

Signed-off-by: William Woodruff <william@yossarian.net>

v1.23.0-rc2

25 Feb 01:36
04de9db

Pre-release
zizmor 1.23.0-rc2 (#1658)

Signed-off-by: William Woodruff <william@yossarian.net>

v1.23.0-rc1

23 Feb 04:17
9e29281

Pre-release

This is a prerelease, and is not considered stable. It exists only to shake out release process bugs prior to a real release.

v1.22.0

17 Jan 05:11
94308f6

Changes ⚠️

  • The misfeature audit now only shows non-"well known" shell: findings when running with the "auditor" persona (#1532)

Bug Fixes 🐛

  • Fixed a bug where inputs containing CRLF line endings were not patched correctly by the unpinned-uses audit (#1536)