fix: disambiguate workflows with misleading names (#1345)

crates/zizmor/src/registry/input.rs

@@ -384,16 +384,29 @@ impl InputGroup {
     ) -> Result<Self, CollectionError> {
         let config = Config::discover(options, || Config::discover_local(path)).await?;
 
+        // Workflows can be named anything, including `dependabot.yml`
+        // (overlapping with Dependabot configs) and `action.yml` (overlapping
+        // with action definitions). Consequently, we make a best effort
+        // disambiguate them by looking at their parent path.
+        // See: https://github.com/zizmorcore/zizmor/issues/1341
+        let is_workflow_path = {
+            let resolved = path.canonicalize_utf8()?;
+
+            resolved
+                .parent()
+                .is_some_and(|parent| parent.ends_with(".github/workflows"))
+        };
+
         let mut group = Self::new(config);
 
         // When collecting individual files, we don't know which part
         // of the input path is the prefix.
         let (key, kind) = match (path.file_stem(), path.extension()) {
-            (Some("dependabot"), Some("yml" | "yaml")) => (
+            (Some("dependabot"), Some("yml" | "yaml")) if !is_workflow_path => (
                 InputKey::local(Group(path.as_str().into()), path, None),
                 InputKind::Dependabot,
             ),
-            (Some("action"), Some("yml" | "yaml")) => (
+            (Some("action"), Some("yml" | "yaml")) if !is_workflow_path => (
                 InputKey::local(Group(path.as_str().into()), path, None),
                 InputKind::Action,
             ),

crates/zizmor/tests/integration/e2e.rs

@@ -430,3 +430,21 @@ fn issue_1300() -> Result<()> {
 
     Ok(())
 }
+
+/// Regression test for #1341.
+///
+/// Ensures that we successfully collect a *workflow* named `dependabot.yml`, rather
+/// than failing to parse it as a Dependabot config.
+#[test]
+fn issue_1341() -> Result<()> {
+    insta::assert_snapshot!(
+        zizmor()
+            .offline(true)
+            .input(input_under_test(
+                "issue-1341-repro/.github/workflows/dependabot.yml"
+            ))
+            .run()?,
+    );
+
+    Ok(())
+}

crates/zizmor/tests/integration/snapshots/integration__e2e__issue_1341.snap

@@ -0,0 +1,5 @@
+---
+source: crates/zizmor/tests/integration/e2e.rs
+expression: "zizmor().offline(true).input(input_under_test(\"issue-1341-repro/.github/workflows/dependabot.yml\")).run()?"
+---
+No findings to report. Good job! (2 suppressed)

crates/zizmor/tests/integration/test-data/issue-1341-repro/.github/workflows/dependabot.yml

@@ -0,0 +1,8 @@
+name: a valid workflow
+on: [push]
+permissions: {}
+jobs:
+  something:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ok

docs/release-notes.md

@@ -35,6 +35,10 @@ of `zizmor`.
 * The [concurrency-limits] audit now correctly detects job-level `concurrency`
   settings, in addition to workflow-level settings (#1338)
 
+* Fixed a bug where `zizmor` would fail to collect workflows with names that
+  overlapped with other input types (e.g. `action.yml` and `dependabot.yml`)
+  when passed explicitly by path (#1345)
+
 ## 1.16.3
 
 ### Bug Fixes 🐛