diff --git a/crates/zizmor/src/registry/input.rs b/crates/zizmor/src/registry/input.rs
index 7fe21510..47b49fce 100644
--- a/crates/zizmor/src/registry/input.rs
+++ b/crates/zizmor/src/registry/input.rs
@@ -384,16 +384,29 @@ impl InputGroup {
     ) -> Result {
         let config = Config::discover(options, || Config::discover_local(path)).await?;
 
+        // Workflows can be named anything, including `dependabot.yml`
+        // (overlapping with Dependabot configs) and `action.yml` (overlapping
+        // with action definitions). Consequently, we make a best effort
+        // disambiguate them by looking at their parent path.
+        // See: https://github.com/zizmorcore/zizmor/issues/1341
+        let is_workflow_path = {
+            let resolved = path.canonicalize_utf8()?;
+            resolved.parent().is_some_and(|parent| parent.ends_with(".github/workflows"))
+        };
+
         let mut group = Self::new(config);
 
         // When collecting individual files, we don't know which part
         // of the input path is the prefix.
         let (key, kind) = match (path.file_stem(), path.extension()) {
-            (Some("dependabot"), Some("yml" | "yaml")) => (
+            (Some("dependabot"), Some("yml" | "yaml")) if !is_workflow_path => (
                 InputKey::local(Group(path.as_str().into()), path, None),
                 InputKind::Dependabot,
             ),
-            (Some("action"), Some("yml" | "yaml")) => (
+            (Some("action"), Some("yml" | "yaml")) if !is_workflow_path => (
                 InputKey::local(Group(path.as_str().into()), path, None),
                 InputKind::Action,
             ),
diff --git a/crates/zizmor/tests/integration/e2e.rs b/crates/zizmor/tests/integration/e2e.rs
index bf214846..afc6aeee 100644
--- a/crates/zizmor/tests/integration/e2e.rs
+++ b/crates/zizmor/tests/integration/e2e.rs
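Review bot: `path.canonicalize_utf8()?` in the new `is_workflow_path` block does a filesystem round-trip, and can now fail, for every explicitly passed file, although only the `dependabot` and `action` arms of the match below consult the result; a missing or unreadable path now errors here with a bare I/O error rather than wherever collection reported it before (attaching the path to that error, e.g. with anyhow's `with_context` if that is what `Result` is here, would keep the message actionable). Restricting the check to the two stems, as in the fence below, confines the new failure mode to the names that are actually ambiguous. Canonicalization also resolves symlinks, so a symlinked workflow is classified by where its target lives rather than by the path given on the command line; if that is intended, the comment should say so, and the component-wise `Utf8Path::ends_with` should stay as is (a string suffix test would also accept a directory such as `foo.github/workflows`). The comment line `// with action definitions). Consequently, we make a best effort` reads as "best effort disambiguate"; `best effort to disambiguate` was presumably meant. The enclosing function begins before the hunk and its `match` continues after it.

```rust
        // Only the two stems that can collide with a workflow name need the
        // parent-directory check, so the filesystem round-trip (and its
        // failure mode) is confined to them.
        let is_workflow_path = match path.file_stem() {
            Some("dependabot" | "action") => path
                .canonicalize_utf8()?
                .parent()
                .is_some_and(|parent| parent.ends_with(".github/workflows")),
            _ => false,
        };
        // … unchanged: `group` construction and the `(key, kind)` match …
```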
@@ -430,3 +430,21 @@ fn issue_1300() -> Result<()> {
 
     Ok(())
 }
+
+/// Regression test for #1341.
+///
+/// Ensures that we successfully collect a *workflow* named `dependabot.yml`, rather
+/// than failing to parse it as a Dependabot config.
+#[test]
+fn issue_1341() -> Result<()> {
+    insta::assert_snapshot!(
+        zizmor()
+            .offline(true)
+            .input(input_under_test(
+                "issue-1341-repro/.github/workflows/dependabot.yml"
+            ))
+            .run()?,
+    );
+
+    Ok(())
+}
diff --git a/crates/zizmor/tests/integration/snapshots/integration__e2e__issue_1341.snap b/crates/zizmor/tests/integration/snapshots/integration__e2e__issue_1341.snap
new file mode 100644
index 00000000..fbb9a867
--- /dev/null
+++ b/crates/zizmor/tests/integration/snapshots/integration__e2e__issue_1341.snap
@@ -0,0 +1,5 @@
+---
+source: crates/zizmor/tests/integration/e2e.rs
+expression: "zizmor().offline(true).input(input_under_test(\"issue-1341-repro/.github/workflows/dependabot.yml\")).run()?"
+---
+No findings to report. Good job! (2 suppressed)
diff --git a/crates/zizmor/tests/integration/test-data/issue-1341-repro/.github/workflows/dependabot.yml b/crates/zizmor/tests/integration/test-data/issue-1341-repro/.github/workflows/dependabot.yml
new file mode 100644
index 00000000..003ba8ae
--- /dev/null
+++ b/crates/zizmor/tests/integration/test-data/issue-1341-repro/.github/workflows/dependabot.yml
@@ -0,0 +1,8 @@
+name: a valid workflow
+on: [push]
+permissions: {}
+jobs:
+  something:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ok
diff --git a/docs/release-notes.md b/docs/release-notes.md
index e2a31567..f9332a2b 100644
--- a/docs/release-notes.md
+++ b/docs/release-notes.md
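Review bot: `issue_1341` pins only the `dependabot.yml` case, while the `action.yml` arm in input.rs received the same `if !is_workflow_path` guard and has neither a fixture nor a test, so a regression in that arm would not be caught by this suite. A parallel fixture at `issue-1341-repro/.github/workflows/action.yml` with a second test of the same shape would cover both arms, and the doc comment could then be widened to say that workflows named `dependabot.yml` and `action.yml` are both collected as workflows rather than misclassified. The snapshot's `(2 suppressed)` count is tied to the fixture content, so any change to the fixture needs the snapshot regenerated alongside it.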
@@ -35,6 +35,10 @@ of `zizmor`.
 * The [concurrency-limits] audit now correctly detects job-level `concurrency`
   settings, in addition to workflow-level settings (#1338)
 
+* Fixed a bug where `zizmor` would fail to collect workflows with names that
+  overlapped with other input types (e.g. `action.yml` and `dependabot.yml`)
+  when passed explicitly by path (#1345)
+
 ## 1.16.3
 
 ### Bug Fixes 🐛