From b7b1889a03df8cabd39e4f04cd077127eb10a613 Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Thu, 27 Feb 2025 00:14:29 -0500 Subject: [PATCH] test: refactor integration tests (#576) --- docs/development.md | 3 + tests/common.rs | 12 - tests/{ => integration}/acceptance.rs | 4 +- tests/integration/common.rs | 112 +++ tests/integration/e2e.rs | 20 + tests/integration/main.rs | 4 + tests/{ => integration}/snapshot.rs | 225 ++--- .../integration__e2e__gha_hazmat.snap | 870 ++++++++++++++++++ .../integration__snapshot__artipacked-2.snap} | 4 +- .../integration__snapshot__artipacked-3.snap} | 4 +- .../integration__snapshot__artipacked-4.snap} | 5 +- .../integration__snapshot__artipacked.snap} | 4 +- ...ntegration__snapshot__bot_conditions.snap} | 4 +- ...ration__snapshot__cache_poisoning-10.snap} | 4 +- ...ration__snapshot__cache_poisoning-11.snap} | 4 +- ...ration__snapshot__cache_poisoning-12.snap} | 4 +- ...ration__snapshot__cache_poisoning-13.snap} | 4 +- ...gration__snapshot__cache_poisoning-14.snap | 6 + ...gration__snapshot__cache_poisoning-2.snap} | 4 +- ...gration__snapshot__cache_poisoning-3.snap} | 4 +- ...gration__snapshot__cache_poisoning-4.snap} | 4 +- ...gration__snapshot__cache_poisoning-5.snap} | 4 +- ...egration__snapshot__cache_poisoning-6.snap | 6 + ...egration__snapshot__cache_poisoning-7.snap | 6 + ...gration__snapshot__cache_poisoning-8.snap} | 4 +- ...gration__snapshot__cache_poisoning-9.snap} | 4 +- ...ntegration__snapshot__cache_poisoning.snap | 6 + .../integration__snapshot__cant_retrieve.snap | 7 + ...__snapshot__excessive_permissions-10.snap} | 4 +- ...__snapshot__excessive_permissions-11.snap} | 4 +- ...__snapshot__excessive_permissions-12.snap} | 4 +- ...n__snapshot__excessive_permissions-2.snap} | 4 +- ...n__snapshot__excessive_permissions-3.snap} | 4 +- ...n__snapshot__excessive_permissions-4.snap} | 4 +- ...n__snapshot__excessive_permissions-5.snap} | 4 +- ...on__snapshot__excessive_permissions-6.snap | 6 + ...n__snapshot__excessive_permissions-7.snap} | 4 +- 
...n__snapshot__excessive_permissions-8.snap} | 4 +- ...on__snapshot__excessive_permissions-9.snap | 6 + ...tion__snapshot__excessive_permissions.snap | 6 + .../integration__snapshot__github_env-2.snap} | 4 +- .../integration__snapshot__github_env-3.snap} | 4 +- .../integration__snapshot__github_env.snap} | 4 +- ...ation__snapshot__insecure_commands-2.snap} | 4 +- ...ation__snapshot__insecure_commands-3.snap} | 4 +- ...gration__snapshot__insecure_commands.snap} | 4 +- ...ntegration__snapshot__invalid_inputs.snap} | 4 +- ...n__snapshot__overprovisioned_secrets.snap} | 4 +- ...ntegration__snapshot__ref_confusion-2.snap | 6 + ...integration__snapshot__ref_confusion.snap} | 5 +- ...tegration__snapshot__secrets_inherit.snap} | 4 +- .../integration__snapshot__self_hosted-2.snap | 6 + ...integration__snapshot__self_hosted-3.snap} | 4 +- ...integration__snapshot__self_hosted-4.snap} | 4 +- ...integration__snapshot__self_hosted-5.snap} | 4 +- ...integration__snapshot__self_hosted-6.snap} | 4 +- .../integration__snapshot__self_hosted-7.snap | 6 + .../integration__snapshot__self_hosted-8.snap | 6 + .../integration__snapshot__self_hosted.snap} | 4 +- ...tion__snapshot__template_injection-2.snap} | 4 +- ...ation__snapshot__template_injection-3.snap | 6 + ...tion__snapshot__template_injection-4.snap} | 4 +- ...tion__snapshot__template_injection-5.snap} | 4 +- ...tion__snapshot__template_injection-6.snap} | 4 +- ...ation__snapshot__template_injection-7.snap | 6 + ...tion__snapshot__template_injection-8.snap} | 4 +- ...gration__snapshot__template_injection.snap | 6 + ...tegration__snapshot__unpinned_uses-2.snap} | 4 +- ...tegration__snapshot__unpinned_uses-3.snap} | 4 +- ...ntegration__snapshot__unpinned_uses-4.snap | 6 + ...integration__snapshot__unpinned_uses.snap} | 4 +- ...ration__snapshot__unredacted_secrets.snap} | 5 +- .../test-data/artipacked.yml | 0 .../test-data/artipacked/issue-447-repro.yml | 0 .../test-data/bot-conditions.yml | 0 .../test-data/cache-poisoning.yml | 0 
.../caching-disabled-by-default.yml | 0 .../caching-enabled-by-default.yml | 0 .../caching-not-configurable.yml | 0 .../caching-opt-in-boolean-toggle.yml | 0 .../caching-opt-in-boolish-toggle.yml | 0 .../caching-opt-in-expression.yml | 0 .../caching-opt-in-multi-value-toggle.yml | 0 .../cache-poisoning/caching-opt-out.yml | 0 .../cache-poisoning/issue-343-repro.yml | 0 .../cache-poisoning/issue-378-repro.yml | 0 .../cache-poisoning/no-cache-aware-steps.yml | 0 .../cache-poisoning/publisher-step.yml | 0 .../workflow-release-branch-trigger.yml | 0 .../cache-poisoning/workflow-tag-trigger.yml | 0 .../test-data/excessive-permissions.yml | 0 .../excessive-permissions/issue-336-repro.yml | 0 .../excessive-permissions/issue-472-repro.yml | 0 .../jobs-broaden-permissions.yml | 0 .../reusable-workflow-call.yml | 0 .../reusable-workflow-other-triggers.yml | 0 ...rkflow-default-perms-all-jobs-explicit.yml | 0 .../workflow-default-perms.yml | 0 .../workflow-empty-perms.yml | 0 .../workflow-read-all.yml | 0 .../workflow-write-all.yml | 0 .../workflow-write-explicit.yml | 0 .../test-data/github-env/action.yml | 0 .../test-data/github-env/github-path.yml | 0 .../test-data/github-env/issue-397-repro.yml | 0 .../test-data/github_env.yml | 0 .../test-data/hardcoded-credentials.yml | 0 .../test-data/inlined-ignores.yml | 0 .../test-data/insecure-commands.yml | 0 .../test-data/insecure-commands/action.yml | 0 .../test-data/invalid/invalid-workflow.yml | 0 .../test-data/overprovisioned-secrets.yml | 0 .../test-data/ref-confusion.yml | 0 .../ref-confusion/issue-518-repro.yml | 0 .../test-data/secrets-inherit.yml | 0 .../test-data/self-hosted.yml | 0 .../test-data/self-hosted/issue-283-repro.yml | 0 .../self-hosted-matrix-dimension.yml | 0 .../self-hosted-matrix-exclusion.yml | 0 .../self-hosted-matrix-inclusion.yml | 0 .../self-hosted/self-hosted-runner-group.yml | 0 .../self-hosted/self-hosted-runner-label.yml | 0 .../test-data/template-injection.yml | 0 
.../template-injection/issue-22-repro.yml | 0 .../template-injection/issue-339-repro.yml | 0 .../template-injection/issue-418-repro.yml | 0 .../template-injection/pr-317-repro.yml | 0 .../pr-425-backstop/action.yml | 0 .../template-injection/static-env.yml | 0 .../template-injection-dynamic-matrix.yml | 0 .../template-injection-static-matrix.yml | 0 .../test-data/unpinned-uses.yml | 0 .../test-data/unpinned-uses/action.yml | 0 .../unpinned-uses/issue-433-repro.yml | 0 .../test-data/unredacted-secrets.yml | 0 .../test-data/use-trusted-publishing.yml | 0 .../snapshot__cache_poisoning-14.snap | 6 - .../snapshot__cache_poisoning-6.snap | 6 - .../snapshot__cache_poisoning-7.snap | 6 - .../snapshots/snapshot__cache_poisoning.snap | 6 - tests/snapshots/snapshot__cant_retrieve.snap | 7 - .../snapshot__excessive_permissions-6.snap | 6 - .../snapshot__excessive_permissions-9.snap | 6 - .../snapshot__excessive_permissions.snap | 6 - .../snapshots/snapshot__ref_confusion-2.snap | 5 - tests/snapshots/snapshot__self_hosted-2.snap | 6 - tests/snapshots/snapshot__self_hosted-7.snap | 6 - tests/snapshots/snapshot__self_hosted-8.snap | 6 - .../snapshot__template_injection-3.snap | 6 - .../snapshot__template_injection-7.snap | 6 - .../snapshot__template_injection.snap | 6 - .../snapshots/snapshot__unpinned_uses-4.snap | 6 - 152 files changed, 1272 insertions(+), 366 deletions(-) delete mode 100644 tests/common.rs rename tests/{ => integration}/acceptance.rs (99%) create mode 100644 tests/integration/common.rs create mode 100644 tests/integration/e2e.rs create mode 100644 tests/integration/main.rs rename tests/{ => integration}/snapshot.rs (58%) create mode 100644 tests/integration/snapshots/integration__e2e__gha_hazmat.snap rename tests/{snapshots/snapshot__artipacked-2.snap => integration/snapshots/integration__snapshot__artipacked-2.snap} (80%) rename tests/{snapshots/snapshot__artipacked-3.snap => integration/snapshots/integration__snapshot__artipacked-3.snap} (85%) rename 
tests/{snapshots/snapshot__artipacked-4.snap => integration/snapshots/integration__snapshot__artipacked-4.snap} (75%) rename tests/{snapshots/snapshot__artipacked.snap => integration/snapshots/integration__snapshot__artipacked.snap} (76%) rename tests/{snapshots/snapshot__bot_conditions.snap => integration/snapshots/integration__snapshot__bot_conditions.snap} (92%) rename tests/{snapshots/snapshot__cache_poisoning-10.snap => integration/snapshots/integration__snapshot__cache_poisoning-10.snap} (84%) rename tests/{snapshots/snapshot__cache_poisoning-11.snap => integration/snapshots/integration__snapshot__cache_poisoning-11.snap} (92%) rename tests/{snapshots/snapshot__cache_poisoning-12.snap => integration/snapshots/integration__snapshot__cache_poisoning-12.snap} (81%) rename tests/{snapshots/snapshot__cache_poisoning-13.snap => integration/snapshots/integration__snapshot__cache_poisoning-13.snap} (81%) create mode 100644 tests/integration/snapshots/integration__snapshot__cache_poisoning-14.snap rename tests/{snapshots/snapshot__cache_poisoning-2.snap => integration/snapshots/integration__snapshot__cache_poisoning-2.snap} (79%) rename tests/{snapshots/snapshot__cache_poisoning-3.snap => integration/snapshots/integration__snapshot__cache_poisoning-3.snap} (79%) rename tests/{snapshots/snapshot__cache_poisoning-4.snap => integration/snapshots/integration__snapshot__cache_poisoning-4.snap} (82%) rename tests/{snapshots/snapshot__cache_poisoning-5.snap => integration/snapshots/integration__snapshot__cache_poisoning-5.snap} (80%) create mode 100644 tests/integration/snapshots/integration__snapshot__cache_poisoning-6.snap create mode 100644 tests/integration/snapshots/integration__snapshot__cache_poisoning-7.snap rename tests/{snapshots/snapshot__cache_poisoning-8.snap => integration/snapshots/integration__snapshot__cache_poisoning-8.snap} (81%) rename tests/{snapshots/snapshot__cache_poisoning-9.snap => integration/snapshots/integration__snapshot__cache_poisoning-9.snap} 
(81%) create mode 100644 tests/integration/snapshots/integration__snapshot__cache_poisoning.snap create mode 100644 tests/integration/snapshots/integration__snapshot__cant_retrieve.snap rename tests/{snapshots/snapshot__excessive_permissions-10.snap => integration/snapshots/integration__snapshot__excessive_permissions-10.snap} (83%) rename tests/{snapshots/snapshot__excessive_permissions-11.snap => integration/snapshots/integration__snapshot__excessive_permissions-11.snap} (81%) rename tests/{snapshots/snapshot__excessive_permissions-12.snap => integration/snapshots/integration__snapshot__excessive_permissions-12.snap} (90%) rename tests/{snapshots/snapshot__excessive_permissions-2.snap => integration/snapshots/integration__snapshot__excessive_permissions-2.snap} (65%) rename tests/{snapshots/snapshot__excessive_permissions-3.snap => integration/snapshots/integration__snapshot__excessive_permissions-3.snap} (85%) rename tests/{snapshots/snapshot__excessive_permissions-4.snap => integration/snapshots/integration__snapshot__excessive_permissions-4.snap} (66%) rename tests/{snapshots/snapshot__excessive_permissions-5.snap => integration/snapshots/integration__snapshot__excessive_permissions-5.snap} (66%) create mode 100644 tests/integration/snapshots/integration__snapshot__excessive_permissions-6.snap rename tests/{snapshots/snapshot__excessive_permissions-7.snap => integration/snapshots/integration__snapshot__excessive_permissions-7.snap} (87%) rename tests/{snapshots/snapshot__excessive_permissions-8.snap => integration/snapshots/integration__snapshot__excessive_permissions-8.snap} (83%) create mode 100644 tests/integration/snapshots/integration__snapshot__excessive_permissions-9.snap create mode 100644 tests/integration/snapshots/integration__snapshot__excessive_permissions.snap rename tests/{snapshots/snapshot__github_env-2.snap => integration/snapshots/integration__snapshot__github_env-2.snap} (79%) rename tests/{snapshots/snapshot__github_env-3.snap => 
integration/snapshots/integration__snapshot__github_env-3.snap} (78%) rename tests/{snapshots/snapshot__github_env.snap => integration/snapshots/integration__snapshot__github_env.snap} (88%) rename tests/{snapshots/snapshot__insecure_commands-2.snap => integration/snapshots/integration__snapshot__insecure_commands-2.snap} (76%) rename tests/{snapshots/snapshot__insecure_commands-3.snap => integration/snapshots/integration__snapshot__insecure_commands-3.snap} (85%) rename tests/{snapshots/snapshot__insecure_commands.snap => integration/snapshots/integration__snapshot__insecure_commands.snap} (81%) rename tests/{snapshots/snapshot__invalid_inputs.snap => integration/snapshots/integration__snapshot__invalid_inputs.snap} (71%) rename tests/{snapshots/snapshot__overprovisioned_secrets.snap => integration/snapshots/integration__snapshot__overprovisioned_secrets.snap} (84%) create mode 100644 tests/integration/snapshots/integration__snapshot__ref_confusion-2.snap rename tests/{snapshots/snapshot__ref_confusion.snap => integration/snapshots/integration__snapshot__ref_confusion.snap} (73%) rename tests/{snapshots/snapshot__secrets_inherit.snap => integration/snapshots/integration__snapshot__secrets_inherit.snap} (81%) create mode 100644 tests/integration/snapshots/integration__snapshot__self_hosted-2.snap rename tests/{snapshots/snapshot__self_hosted-3.snap => integration/snapshots/integration__snapshot__self_hosted-3.snap} (66%) rename tests/{snapshots/snapshot__self_hosted-4.snap => integration/snapshots/integration__snapshot__self_hosted-4.snap} (66%) rename tests/{snapshots/snapshot__self_hosted-5.snap => integration/snapshots/integration__snapshot__self_hosted-5.snap} (75%) rename tests/{snapshots/snapshot__self_hosted-6.snap => integration/snapshots/integration__snapshot__self_hosted-6.snap} (76%) create mode 100644 tests/integration/snapshots/integration__snapshot__self_hosted-7.snap create mode 100644 
tests/integration/snapshots/integration__snapshot__self_hosted-8.snap rename tests/{snapshots/snapshot__self_hosted.snap => integration/snapshots/integration__snapshot__self_hosted.snap} (70%) rename tests/{snapshots/snapshot__template_injection-2.snap => integration/snapshots/integration__snapshot__template_injection-2.snap} (73%) create mode 100644 tests/integration/snapshots/integration__snapshot__template_injection-3.snap rename tests/{snapshots/snapshot__template_injection-4.snap => integration/snapshots/integration__snapshot__template_injection-4.snap} (79%) rename tests/{snapshots/snapshot__template_injection-5.snap => integration/snapshots/integration__snapshot__template_injection-5.snap} (90%) rename tests/{snapshots/snapshot__template_injection-6.snap => integration/snapshots/integration__snapshot__template_injection-6.snap} (82%) create mode 100644 tests/integration/snapshots/integration__snapshot__template_injection-7.snap rename tests/{snapshots/snapshot__template_injection-8.snap => integration/snapshots/integration__snapshot__template_injection-8.snap} (93%) create mode 100644 tests/integration/snapshots/integration__snapshot__template_injection.snap rename tests/{snapshots/snapshot__unpinned_uses-2.snap => integration/snapshots/integration__snapshot__unpinned_uses-2.snap} (90%) rename tests/{snapshots/snapshot__unpinned_uses-3.snap => integration/snapshots/integration__snapshot__unpinned_uses-3.snap} (79%) create mode 100644 tests/integration/snapshots/integration__snapshot__unpinned_uses-4.snap rename tests/{snapshots/snapshot__unpinned_uses.snap => integration/snapshots/integration__snapshot__unpinned_uses.snap} (90%) rename tests/{snapshots/snapshot__unredacted_secrets.snap => integration/snapshots/integration__snapshot__unredacted_secrets.snap} (81%) rename tests/{ => integration}/test-data/artipacked.yml (100%) rename tests/{ => integration}/test-data/artipacked/issue-447-repro.yml (100%) rename tests/{ => 
integration}/test-data/bot-conditions.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/caching-disabled-by-default.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/caching-enabled-by-default.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/caching-not-configurable.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/caching-opt-in-boolean-toggle.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/caching-opt-in-boolish-toggle.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/caching-opt-in-expression.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/caching-opt-in-multi-value-toggle.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/caching-opt-out.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/issue-343-repro.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/issue-378-repro.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/no-cache-aware-steps.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/publisher-step.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/workflow-release-branch-trigger.yml (100%) rename tests/{ => integration}/test-data/cache-poisoning/workflow-tag-trigger.yml (100%) rename tests/{ => integration}/test-data/excessive-permissions.yml (100%) rename tests/{ => integration}/test-data/excessive-permissions/issue-336-repro.yml (100%) rename tests/{ => integration}/test-data/excessive-permissions/issue-472-repro.yml (100%) rename tests/{ => integration}/test-data/excessive-permissions/jobs-broaden-permissions.yml (100%) rename tests/{ => integration}/test-data/excessive-permissions/reusable-workflow-call.yml (100%) rename tests/{ => integration}/test-data/excessive-permissions/reusable-workflow-other-triggers.yml (100%) rename tests/{ => 
integration}/test-data/excessive-permissions/workflow-default-perms-all-jobs-explicit.yml (100%) rename tests/{ => integration}/test-data/excessive-permissions/workflow-default-perms.yml (100%) rename tests/{ => integration}/test-data/excessive-permissions/workflow-empty-perms.yml (100%) rename tests/{ => integration}/test-data/excessive-permissions/workflow-read-all.yml (100%) rename tests/{ => integration}/test-data/excessive-permissions/workflow-write-all.yml (100%) rename tests/{ => integration}/test-data/excessive-permissions/workflow-write-explicit.yml (100%) rename tests/{ => integration}/test-data/github-env/action.yml (100%) rename tests/{ => integration}/test-data/github-env/github-path.yml (100%) rename tests/{ => integration}/test-data/github-env/issue-397-repro.yml (100%) rename tests/{ => integration}/test-data/github_env.yml (100%) rename tests/{ => integration}/test-data/hardcoded-credentials.yml (100%) rename tests/{ => integration}/test-data/inlined-ignores.yml (100%) rename tests/{ => integration}/test-data/insecure-commands.yml (100%) rename tests/{ => integration}/test-data/insecure-commands/action.yml (100%) rename tests/{ => integration}/test-data/invalid/invalid-workflow.yml (100%) rename tests/{ => integration}/test-data/overprovisioned-secrets.yml (100%) rename tests/{ => integration}/test-data/ref-confusion.yml (100%) rename tests/{ => integration}/test-data/ref-confusion/issue-518-repro.yml (100%) rename tests/{ => integration}/test-data/secrets-inherit.yml (100%) rename tests/{ => integration}/test-data/self-hosted.yml (100%) rename tests/{ => integration}/test-data/self-hosted/issue-283-repro.yml (100%) rename tests/{ => integration}/test-data/self-hosted/self-hosted-matrix-dimension.yml (100%) rename tests/{ => integration}/test-data/self-hosted/self-hosted-matrix-exclusion.yml (100%) rename tests/{ => integration}/test-data/self-hosted/self-hosted-matrix-inclusion.yml (100%) rename tests/{ => 
integration}/test-data/self-hosted/self-hosted-runner-group.yml (100%) rename tests/{ => integration}/test-data/self-hosted/self-hosted-runner-label.yml (100%) rename tests/{ => integration}/test-data/template-injection.yml (100%) rename tests/{ => integration}/test-data/template-injection/issue-22-repro.yml (100%) rename tests/{ => integration}/test-data/template-injection/issue-339-repro.yml (100%) rename tests/{ => integration}/test-data/template-injection/issue-418-repro.yml (100%) rename tests/{ => integration}/test-data/template-injection/pr-317-repro.yml (100%) rename tests/{ => integration}/test-data/template-injection/pr-425-backstop/action.yml (100%) rename tests/{ => integration}/test-data/template-injection/static-env.yml (100%) rename tests/{ => integration}/test-data/template-injection/template-injection-dynamic-matrix.yml (100%) rename tests/{ => integration}/test-data/template-injection/template-injection-static-matrix.yml (100%) rename tests/{ => integration}/test-data/unpinned-uses.yml (100%) rename tests/{ => integration}/test-data/unpinned-uses/action.yml (100%) rename tests/{ => integration}/test-data/unpinned-uses/issue-433-repro.yml (100%) rename tests/{ => integration}/test-data/unredacted-secrets.yml (100%) rename tests/{ => integration}/test-data/use-trusted-publishing.yml (100%) delete mode 100644 tests/snapshots/snapshot__cache_poisoning-14.snap delete mode 100644 tests/snapshots/snapshot__cache_poisoning-6.snap delete mode 100644 tests/snapshots/snapshot__cache_poisoning-7.snap delete mode 100644 tests/snapshots/snapshot__cache_poisoning.snap delete mode 100644 tests/snapshots/snapshot__cant_retrieve.snap delete mode 100644 tests/snapshots/snapshot__excessive_permissions-6.snap delete mode 100644 tests/snapshots/snapshot__excessive_permissions-9.snap delete mode 100644 tests/snapshots/snapshot__excessive_permissions.snap delete mode 100644 tests/snapshots/snapshot__ref_confusion-2.snap delete mode 100644 
tests/snapshots/snapshot__self_hosted-2.snap delete mode 100644 tests/snapshots/snapshot__self_hosted-7.snap delete mode 100644 tests/snapshots/snapshot__self_hosted-8.snap delete mode 100644 tests/snapshots/snapshot__template_injection-3.snap delete mode 100644 tests/snapshots/snapshot__template_injection-7.snap delete mode 100644 tests/snapshots/snapshot__template_injection.snap delete mode 100644 tests/snapshots/snapshot__unpinned_uses-4.snap
diff --git a/docs/development.md b/docs/development.md
index 47b8e105..1e3b3ac8 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -141,6 +141,9 @@ or, as a shortcut:
 ```bash
 cargo insta test --review
+
+# or, with online tests
+GH_TOKEN=$(gh auth token) cargo insta test --review --features online-tests
 ```
 See [insta's documentation] for more details.
diff --git a/tests/common.rs b/tests/common.rs
deleted file mode 100644
index 1fd75201..00000000
--- a/tests/common.rs
+++ /dev/null
@@ -1,12 +0,0 @@
-use std::env::current_dir;
-
-pub fn workflow_under_test(name: &str) -> String {
- let current_dir = current_dir().expect("Cannot figure out current directory");
-
- let file_path = current_dir.join("tests").join("test-data").join(name);
-
- file_path
- .to_str()
- .expect("Cannot create string reference for file path")
- .to_string()
-}
diff --git a/tests/acceptance.rs b/tests/integration/acceptance.rs
similarity index 99%
rename from tests/acceptance.rs
rename to tests/integration/acceptance.rs
index 9bb4ec9f..e6e1c8f8 100644
--- a/tests/acceptance.rs
+++ b/tests/integration/acceptance.rs
@@ -1,10 +1,8 @@
+use crate::common::workflow_under_test;
 use assert_cmd::Command;
-use common::workflow_under_test;
 use serde_json::Value;
 use serde_json_path::JsonPath;
-mod common;
-
 // Acceptance tests for zizmor, on top of Json output
 // For now we don't cover tests that depends on GitHub API under the hood
diff --git a/tests/integration/common.rs b/tests/integration/common.rs
new file mode 100644
index 00000000..30292fd7
--- /dev/null
+++ b/tests/integration/common.rs
@@ -0,0 +1,112 @@
+use anyhow::{Context as _, Result};
+use std::env::current_dir;
+
+use assert_cmd::Command;
+
+pub fn workflow_under_test(name: &str) -> String {
+ let current_dir = current_dir().expect("Cannot figure out current directory");
+
+ let file_path = current_dir
+ .join("tests")
+ .join("integration")
+ .join("test-data")
+ .join(name);
+
+ if !file_path.exists() {
+ panic!("Cannot find workflow under test: {}", file_path.display());
+ }
+
+ file_path
+ .to_str()
+ .expect("Cannot create string reference for file path")
+ .to_string()
+}
+
+pub enum OutputMode {
+ Stdout,
+ Stderr,
+ Both,
+}
+
+pub struct Zizmor {
+ cmd: Command,
+ offline: bool,
+ inputs: Vec,
+ output: OutputMode,
+}
+
+impl Zizmor {
+ /// Create a new zizmor runner.
+ pub fn new() -> Self {
+ let cmd = Command::cargo_bin("zizmor").unwrap();
+
+ Self {
+ cmd,
+ offline: true,
+ inputs: vec![],
+ output: OutputMode::Stdout,
+ }
+ }
+
+ pub fn args<'a>(mut self, args: impl IntoIterator) -> Self {
+ self.cmd.args(args);
+ self
+ }
+
+ // pub fn setenv(mut self, key: &str, value: &str) -> Self {
+ // self.cmd.env(key, value);
+ // self
+ // }
+
+ pub fn unsetenv(mut self, key: &str) -> Self {
+ self.cmd.env_remove(key);
+ self
+ }
+
+ pub fn input(mut self, input: impl Into) -> Self {
+ self.inputs.push(input.into());
+ self
+ }
+
+ pub fn offline(mut self, flag: bool) -> Self {
+ self.offline = flag;
+ self
+ }
+
+ pub fn output(mut self, output: OutputMode) -> Self {
+ self.output = output;
+ self
+ }
+
+ pub fn run(mut self) -> Result {
+ if self.offline {
+ self.cmd.arg("--offline");
+ } else {
+ // If we're running in online mode, we pre-assert the
+ // presence of GH_TOKEN to make configuration failures more obvious.
+ std::env::var("GH_TOKEN").context("online tests require GH_TOKEN to be set")?;
+ }
+
+ for input in &self.inputs {
+ self.cmd.arg(input);
+ }
+
+ let output = self.cmd.output()?;
+
+ let mut raw = String::from_utf8(match self.output {
+ OutputMode::Stdout => output.stdout,
+ OutputMode::Stderr => output.stderr,
+ OutputMode::Both => [output.stderr, output.stdout].concat(),
+ })?;
+
+ for input in &self.inputs {
+ raw = raw.replace(input, "@@INPUT@@");
+ }
+
+ Ok(raw)
+ }
+}
+
+pub fn zizmor() -> Zizmor {
+ Zizmor::new()
+}
diff --git a/tests/integration/e2e.rs b/tests/integration/e2e.rs
new file mode 100644
index 00000000..f80a4f33
--- /dev/null
+++ b/tests/integration/e2e.rs
@@ -0,0 +1,20 @@
+//! End-to-end snapshot integration tests.
+
+use anyhow::Result;
+
+use crate::common::{zizmor, OutputMode};
+
+#[cfg_attr(not(feature = "gh-token-tests"), ignore)]
+#[test]
+fn gha_hazmat() -> Result<()> {
+ // Stability test against with online retrieval but no online audits.
+ // Ensures that we consistently collect the same files in the default
+ // configuration.
+ insta::assert_snapshot!(zizmor()
+ .offline(false)
+ .output(OutputMode::Both)
+ .args(["--no-online-audits"])
+ .input("woodruffw/gha-hazmat@42064a9533f401a493c3599e56f144918f8eacfd")
+ .run()?);
+ Ok(())
+}
diff --git a/tests/integration/main.rs b/tests/integration/main.rs
new file mode 100644
index 00000000..9670bf21
--- /dev/null
+++ b/tests/integration/main.rs
@@ -0,0 +1,4 @@
+mod acceptance;
+mod common;
+mod e2e;
+mod snapshot;
diff --git a/tests/snapshot.rs b/tests/integration/snapshot.rs
similarity index 58%
rename from tests/snapshot.rs
rename to tests/integration/snapshot.rs
index d8f3b617..14b354d6 100644
--- a/tests/snapshot.rs
+++ b/tests/integration/snapshot.rs
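Review bot: `run` never looks at `output.status`, so a snapshot built on this helper passes whenever the selected stream matches, including when zizmor exits non-zero or panics while the expected text still lands on that stream; the `OutputMode::Stderr` and `OutputMode::Both` callers are presumably where this matters most. A doc comment on `run` would keep the contract explicit: `/// Runs zizmor on the configured inputs and returns the selected stream(s) as a String. The exit status is not checked; tests that need a success or failure guarantee must assert it separately.` Relatedly, `OutputMode::Both` now concatenates stderr before stdout, the reverse of the order in the copy this patch deletes from tests/snapshot.rs; because `output.stdout` and `output.stderr` are captured as two separate buffers the result is never a chronological interleaving, which a one-line doc comment on the `Both` variant should state so nobody reads the gha_hazmat snapshot as ordered. The `setenv` helper survives only as commented-out code; keeping it live under `#[allow(dead_code)]`, as the deleted file did, keeps it compiling and trivially reusable.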
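Review bot: The `#[cfg_attr(not(feature = "gh-token-tests"), ignore)]` gate on `gha_hazmat` names a different feature from the one the docs/development.md hunk in this same patch tells developers to pass (`--features online-tests`); Cargo.toml is not part of the patch so I cannot tell which name exists, but unless both are defined the documented command either never un-ignores this test or the attribute refers to an unknown feature. Aligning the two on a single name, and fixing whichever side is wrong, resolves it. The first comment in the body has a stray word; `// Stability test with online retrieval but no online audits.` reads cleanly. Pinning the input to a full commit SHA is the right choice for a snapshot that depends on remote content, and saying so in that comment discourages a later "simplification" to a branch or tag name.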
@@ -1,100 +1,7 @@
-use anyhow::{Context, Result};
-use assert_cmd::Command;
-use common::workflow_under_test;
+//! Snapshot integration tests.
-mod common;
-
-#[allow(dead_code)]
-enum OutputMode {
- Stdout,
- Stderr,
- Both,
-}
-
-struct Zizmor {
- cmd: Command,
- offline: bool,
- workflow: Option,
- output: OutputMode,
-}
-
-impl Zizmor {
- /// Create a new zizmor runner.
- fn new() -> Self {
- let cmd = Command::cargo_bin("zizmor").unwrap();
-
- Self {
- cmd,
- offline: true,
- workflow: None,
- output: OutputMode::Stdout,
- }
- }
-
- fn args<'a>(mut self, args: impl IntoIterator) -> Self {
- self.cmd.args(args);
- self
- }
-
- #[allow(dead_code)]
- fn setenv(mut self, key: &str, value: &str) -> Self {
- self.cmd.env(key, value);
- self
- }
-
- fn unsetenv(mut self, key: &str) -> Self {
- self.cmd.env_remove(key);
- self
- }
-
- fn workflow(mut self, workflow: impl Into) -> Self {
- self.workflow = Some(workflow.into());
- self
- }
-
- fn offline(mut self, flag: bool) -> Self {
- self.offline = flag;
- self
- }
-
- #[allow(dead_code)]
- fn output(mut self, output: OutputMode) -> Self {
- self.output = output;
- self
- }
-
- fn run(mut self) -> Result {
- if self.offline {
- self.cmd.arg("--offline");
- } else {
- // If we're running in online mode, we pre-assert the
- // presence of GH_TOKEN to make configuration failures more obvious.
- std::env::var("GH_TOKEN").context("online tests require GH_TOKEN to be set")?;
- }
-
- if let Some(workflow) = &self.workflow {
- self.cmd.arg(workflow);
- }
-
- let output = self.cmd.output()?;
-
- let mut raw = String::from_utf8(match self.output {
- OutputMode::Stdout => output.stdout,
- OutputMode::Stderr => output.stderr,
- OutputMode::Both => [output.stdout, output.stderr].concat(),
- })?;
-
- if let Some(workflow) = &self.workflow {
- raw = raw.replace(workflow, "@@INPUT@@");
- }
-
- Ok(raw)
- }
-}
-
-fn zizmor() -> Zizmor {
- Zizmor::new()
-}
+use crate::common::{workflow_under_test, zizmor, OutputMode};
+use anyhow::Result;
 #[test]
 fn test_cant_retrieve() -> Result<()> {
@@ -113,7 +20,7 @@ fn test_invalid_inputs() -> Result<()> {
 insta::assert_snapshot!(zizmor()
 .output(OutputMode::Stderr)
 .offline(true)
- .workflow(workflow_under_test("invalid/invalid-workflow.yml"))
+ .input(workflow_under_test("invalid/invalid-workflow.yml"))
 .run()?);
 Ok(())
@@ -122,21 +29,21 @@ fn test_invalid_inputs() -> Result<()> {
 #[test]
 fn artipacked() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("artipacked.yml"))
+ .input(workflow_under_test("artipacked.yml"))
 .args(["--persona=pedantic"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("artipacked.yml"))
+ .input(workflow_under_test("artipacked.yml"))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("artipacked.yml"))
+ .input(workflow_under_test("artipacked.yml"))
 .args(["--persona=auditor"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("artipacked/issue-447-repro.yml"))
+ .input(workflow_under_test("artipacked/issue-447-repro.yml"))
 .args(["--persona=auditor"])
 .run()?);
@@ -146,44 +53,44 @@ fn artipacked() -> Result<()> {
 #[test]
 fn self_hosted() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("self-hosted.yml"))
+ .input(workflow_under_test("self-hosted.yml"))
 .args(["--persona=auditor"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("self-hosted.yml"))
+ .input(workflow_under_test("self-hosted.yml"))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "self-hosted/self-hosted-runner-label.yml"
 ))
 .args(["--persona=auditor"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "self-hosted/self-hosted-runner-group.yml"
 ))
 .args(["--persona=auditor"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "self-hosted/self-hosted-matrix-dimension.yml"
 ))
 .args(["--persona=auditor"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "self-hosted/self-hosted-matrix-inclusion.yml"
 ))
 .args(["--persona=auditor"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "self-hosted/self-hosted-matrix-exclusion.yml"
 ))
 .args(["--persona=auditor"])
@@ -191,7 +98,7 @@ fn self_hosted() -> Result<()> {
 // Fixed regressions
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("self-hosted/issue-283-repro.yml"))
+ .input(workflow_under_test("self-hosted/issue-283-repro.yml"))
 .args(["--persona=auditor"])
 .run()?);
@@ -201,21 +108,21 @@ fn self_hosted() -> Result<()> {
 #[test]
 fn unpinned_uses() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("unpinned-uses.yml"))
+ .input(workflow_under_test("unpinned-uses.yml"))
 .args(["--pedantic"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("unpinned-uses.yml"))
+ .input(workflow_under_test("unpinned-uses.yml"))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("unpinned-uses/action.yml"))
+ .input(workflow_under_test("unpinned-uses/action.yml"))
 .args(["--pedantic"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("unpinned-uses/issue-433-repro.yml"))
+ .input(workflow_under_test("unpinned-uses/issue-433-repro.yml"))
 .args(["--pedantic"])
 .run()?);
@@ -225,16 +132,16 @@ fn unpinned_uses() -> Result<()> {
 #[test]
 fn insecure_commands() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("insecure-commands.yml"))
+ .input(workflow_under_test("insecure-commands.yml"))
 .args(["--persona=auditor"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("insecure-commands.yml"))
+ .input(workflow_under_test("insecure-commands.yml"))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("insecure-commands/action.yml"))
+ .input(workflow_under_test("insecure-commands/action.yml"))
 .args(["--persona=auditor"])
 .run()?);
@@ -244,45 +151,45 @@ fn insecure_commands() -> Result<()> {
 #[test]
 fn template_injection() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "template-injection/template-injection-static-matrix.yml"
 ))
 .args(["--persona=auditor"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "template-injection/template-injection-dynamic-matrix.yml"
 ))
 .args(["--persona=auditor"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("template-injection/issue-22-repro.yml"))
+ .input(workflow_under_test("template-injection/issue-22-repro.yml"))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("template-injection/pr-317-repro.yml"))
+ .input(workflow_under_test("template-injection/pr-317-repro.yml"))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("template-injection/static-env.yml"))
+ .input(workflow_under_test("template-injection/static-env.yml"))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "template-injection/issue-339-repro.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "template-injection/issue-418-repro.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "template-injection/pr-425-backstop/action.yml"
 ))
 .run()?);
@@ -293,79 +200,79 @@ fn template_injection() -> Result<()> {
 #[test]
 fn cache_poisoning() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "cache-poisoning/caching-disabled-by-default.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "cache-poisoning/caching-enabled-by-default.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "cache-poisoning/caching-opt-in-boolean-toggle.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "cache-poisoning/caching-opt-in-expression.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "cache-poisoning/caching-opt-in-multi-value-toggle.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("cache-poisoning/caching-opt-out.yml"))
+ .input(workflow_under_test("cache-poisoning/caching-opt-out.yml"))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "cache-poisoning/no-cache-aware-steps.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "cache-poisoning/workflow-tag-trigger.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "cache-poisoning/caching-opt-in-boolish-toggle.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("cache-poisoning/publisher-step.yml"))
+ .input(workflow_under_test("cache-poisoning/publisher-step.yml"))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("cache-poisoning/issue-343-repro.yml"))
+ .input(workflow_under_test("cache-poisoning/issue-343-repro.yml"))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "cache-poisoning/caching-not-configurable.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "cache-poisoning/workflow-release-branch-trigger.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("cache-poisoning/issue-378-repro.yml"))
+ .input(workflow_under_test("cache-poisoning/issue-378-repro.yml"))
 .run()?);
 Ok(())
@@ -374,75 +281,75 @@ fn cache_poisoning() -> Result<()> {
 #[test]
 fn excessive_permissions() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "excessive-permissions/issue-336-repro.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "excessive-permissions/issue-336-repro.yml"
 ))
 .args(["--pedantic"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "excessive-permissions/workflow-default-perms.yml"
 ))
 .args(["--pedantic"])
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "excessive-permissions/workflow-read-all.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "excessive-permissions/workflow-write-all.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "excessive-permissions/workflow-empty-perms.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "excessive-permissions/jobs-broaden-permissions.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "excessive-permissions/workflow-write-explicit.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "excessive-permissions/workflow-default-perms-all-jobs-explicit.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "excessive-permissions/issue-472-repro.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
 "excessive-permissions/reusable-workflow-call.yml"
 ))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test(
+ .input(workflow_under_test(
"excessive-permissions/reusable-workflow-other-triggers.yml"
 ))
 .run()?);
@@ -453,15 +360,15 @@ fn excessive_permissions() -> Result<()> {
 #[test]
 fn github_env() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("github-env/action.yml"))
+ .input(workflow_under_test("github-env/action.yml"))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("github-env/github-path.yml"))
+ .input(workflow_under_test("github-env/github-path.yml"))
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("github-env/issue-397-repro.yml"))
+ .input(workflow_under_test("github-env/issue-397-repro.yml"))
 .run()?);
 Ok(())
@@ -470,7 +377,7 @@ fn github_env() -> Result<()> {
 #[test]
 fn secrets_inherit() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("secrets-inherit.yml"))
+ .input(workflow_under_test("secrets-inherit.yml"))
 .run()?);
 Ok(())
@@ -479,7 +386,7 @@ fn secrets_inherit() -> Result<()> {
 #[test]
 fn bot_conditions() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("bot-conditions.yml"))
+ .input(workflow_under_test("bot-conditions.yml"))
 .run()?);
 Ok(())
@@ -488,7 +395,7 @@ fn bot_conditions() -> Result<()> {
 #[test]
 fn overprovisioned_secrets() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("overprovisioned-secrets.yml"))
+ .input(workflow_under_test("overprovisioned-secrets.yml"))
 .run()?);
 Ok(())
@@ -498,12 +405,12 @@ fn overprovisioned_secrets() -> Result<()> {
 #[test]
 fn ref_confusion() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("ref-confusion.yml"))
+ .input(workflow_under_test("ref-confusion.yml"))
 .offline(false)
 .run()?);
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("ref-confusion/issue-518-repro.yml"))
+ .input(workflow_under_test("ref-confusion/issue-518-repro.yml"))
 .offline(false)
 .run()?);
@@ -513,7 +420,7 @@ fn ref_confusion() -> Result<()> {
 #[test]
 fn unredacted_secrets() -> Result<()> {
 insta::assert_snapshot!(zizmor()
- .workflow(workflow_under_test("unredacted-secrets.yml"))
+ .input(workflow_under_test("unredacted-secrets.yml"))
 .run()?);
 Ok(())
diff --git a/tests/integration/snapshots/integration__e2e__gha_hazmat.snap b/tests/integration/snapshots/integration__e2e__gha_hazmat.snap
new file mode 100644
index 00000000..709495b9
--- /dev/null
+++ b/tests/integration/snapshots/integration__e2e__gha_hazmat.snap
@@ -0,0 +1,870 @@ +--- +source: tests/integration/e2e.rs +expression: "zizmor().offline(false).output(OutputMode::Both).args([\"--no-online-audits\"]).input(\"woodruffw/gha-hazmat@42064a9533f401a493c3599e56f144918f8eacfd\").run()?" +snapshot_kind: text +--- + INFO collect_inputs: zizmor: collected 20 inputs from woodruffw/gha-hazmat + INFO zizmor: skipping impostor-commit: offline audits only requested + INFO zizmor: skipping ref-confusion: offline audits only requested + INFO zizmor: skipping known-vulnerable-actions: offline audits only requested + INFO audit: zizmor: 🌈 completed .github/workflows/artipacked.yml + INFO audit: zizmor: 🌈 completed .github/workflows/bot-conditions.yml + INFO audit: zizmor: 🌈 completed .github/workflows/cache-poisoning.yml + INFO audit: zizmor: 🌈 completed .github/workflows/excessive-permissions.yml + INFO audit: zizmor: 🌈 completed .github/workflows/github-env.yml + INFO audit: zizmor: 🌈 completed .github/workflows/hardcoded-credentials.yml + INFO audit: zizmor: 🌈 completed .github/workflows/impostor-commit.yml + INFO audit: zizmor: 🌈 completed .github/workflows/insecure-commands.yml + INFO audit: zizmor: 🌈 completed .github/workflows/known-vulnerable-actions.yml + INFO audit: zizmor: 🌈 completed .github/workflows/overprovisioned-secrets.yml + INFO audit: zizmor: 🌈 completed .github/workflows/pull-request-target.yml + INFO audit: zizmor: 🌈 completed .github/workflows/pypi-manual-credential.yml + INFO audit: zizmor: 🌈 completed .github/workflows/ref-confusion.yml + INFO audit: zizmor: 🌈 completed .github/workflows/secrets-inherit.yml + INFO audit: zizmor: 🌈 completed .github/workflows/self-hosted.yml + WARN audit:audit{input=Workflow(https://github.com/woodruffw/gha-hazmat/blob/42064a9533f401a493c3599e56f144918f8eacfd/.github/workflows/template-injection.yml)}: zizmor::audit::overprovisioned_secrets: couldn't parse expression: ... 
+ WARN audit:audit{input=Workflow(https://github.com/woodruffw/gha-hazmat/blob/42064a9533f401a493c3599e56f144918f8eacfd/.github/workflows/template-injection.yml)}: zizmor::audit::unredacted_secrets: couldn't parse expression: ... + INFO audit: zizmor: 🌈 completed .github/workflows/template-injection.yml + INFO audit: zizmor: 🌈 completed .github/workflows/unpinned.yml + INFO audit: zizmor: 🌈 completed .github/workflows/unredacted-secrets.yml + INFO audit: zizmor: 🌈 completed .github/workflows/workflow-run.yml + INFO audit: zizmor: 🌈 completed ref-confusion/action.yml +error[artipacked]: credential persistence through GitHub Actions artifacts + --> .github/workflows/artipacked.yml:34:9 + | +34 | - name: Checkout + | _________^ +35 | | uses: actions/checkout@v4 +36 | | +37 | | # NOT OK: upload-artifact archives entire repo, including persisted creds + | |_______________________________________________________________________________^ does not set persist-credentials: false +38 | - name: Upload artifact + | _________^ +39 | | uses: actions/upload-artifact@v4 +... 
| +46 | | # minimized from firebase-js-sdk: +47 | | # https://github.com/firebase/firebase-js-sdk/blob/4f157b486833/.github/workflows/test-all.yml + | |________________________________________________________________________________________________^ may leak the credentials persisted above + | + = note: audit confidence → High + +warning[artipacked]: credential persistence through GitHub Actions artifacts + --> .github/workflows/artipacked.yml:52:9 + | +52 | - uses: actions/checkout@v3 + | _________- +53 | | +54 | | # NOT OK: archives the entire repo, including persisted creds + | |___________________________________________________________________- does not set persist-credentials: false + | + = note: audit confidence → Low + +error[artipacked]: credential persistence through GitHub Actions artifacts + --> .github/workflows/artipacked.yml:77:9 + | +77 | - name: Checkout + | _________^ +78 | | uses: actions/checkout@v4 +79 | | +80 | | # NOT OK: archives and uploads entire workspace + | |_____________________________________________________^ does not set persist-credentials: false +81 | - uses: actions/upload-artifact@v4 + | _________^ +82 | | if: failure() +83 | | with: +84 | | name: workspace +85 | | path: ${{ github.workspace }} + | |________________________________________^ may leak the credentials persisted above + | + = note: audit confidence → High + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/artipacked.yml:1:1 + | + 1 | / # artipacked.yml + 2 | | # +... | +84 | | name: workspace +85 | | path: ${{ github.workspace }} + | |________________________________________- default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/artipacked.yml:30:3 + | +30 | / vulnerable-1: +31 | | runs-on: ubuntu-latest +... 
| +46 | | # minimized from firebase-js-sdk: +47 | | # https://github.com/firebase/firebase-js-sdk/blob/4f157b486833/.github/workflows/test-all.yml + | | - + | |________________________________________________________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/artipacked.yml:48:3 + | +48 | / vulnerable-2: +49 | | runs-on: ubuntu-latest +... | +71 | | # minimized from quay/clair: +72 | | # https://github.com/quay/clair/blob/1d338051f374/.github/workflows/tests.yml + | | - + | |_______________________________________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/artipacked.yml:73:3 + | +73 | / vulnerable-3: +74 | | runs-on: ubuntu-latest +... 
| +84 | | name: workspace +85 | | path: ${{ github.workspace }} + | | - + | |________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +error[dangerous-triggers]: use of fundamentally insecure workflow trigger + --> .github/workflows/bot-conditions.yml:11:1 + | +11 | on: pull_request_target + | ^^^^^^^^^^^^^^^^^^^^^^^ pull_request_target is almost always used insecurely + | + = note: audit confidence → Medium + +error[bot-conditions]: spoofable bot actor check + --> .github/workflows/bot-conditions.yml:18:5 + | +18 | if: github.actor == 'dependabot[bot]' + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable + | + = note: audit confidence → High + +error[bot-conditions]: spoofable bot actor check + --> .github/workflows/bot-conditions.yml:22:9 + | +22 | if: ${{ github.actor == 'dependabot[bot]' }} + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable + | + = note: audit confidence → High + +error[bot-conditions]: spoofable bot actor check + --> .github/workflows/bot-conditions.yml:26:9 + | +26 | if: ${{ github.actor == 'dependabot[bot]' && github.repository == 'example/example' }} + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable + | + = note: audit confidence → Medium + +error[bot-conditions]: spoofable bot actor check + --> .github/workflows/bot-conditions.yml:30:9 + | +30 | if: github.actor == 'renovate[bot]' + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable + | + = note: audit confidence → High + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/cache-poisoning.yml:1:1 + | + 1 | / # cache-poisoning.yml + 2 | | # +... 
| +57 | | - name: Publish on crates.io +58 | | run: cargo publish --token ${{ secrets.CRATESIO_PUBLISH_TOKEN }} + | |_________________________________________________________________________- default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/cache-poisoning.yml:25:3 + | +25 | / vulnerable-1: +26 | | runs-on: ubuntu-latest +... | +41 | | - name: Publish to Maven Central +42 | | run: ./gradlew publishToMavenCentral --no-configuration-cache + | | - + | |_____________________________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/cache-poisoning.yml:44:3 + | +44 | / vulnerable-2: +45 | | runs-on: ubuntu-latest +... | +57 | | - name: Publish on crates.io +58 | | run: cargo publish --token ${{ secrets.CRATESIO_PUBLISH_TOKEN }} + | | - + | |_________________________________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack + --> .github/workflows/cache-poisoning.yml:22:1 + | +22 | on: release + | ^^^^^^^^^^^ generally used when publishing artifacts generated at runtime +23 | +... 
+35 | uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b +36 | / with: +37 | | distribution: "zulu" +38 | | cache: "gradle" +39 | | java-version: "17" + | |____________________________^ opt-in for caching here + | + = note: audit confidence → Low + +error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack + --> .github/workflows/cache-poisoning.yml:22:1 + | +22 | on: release + | ^^^^^^^^^^^ generally used when publishing artifacts generated at runtime +23 | +... +54 | - name: Setup CI caching +55 | uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab + | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here + | + = note: audit confidence → Low + +error[excessive-permissions]: overly broad permissions + --> .github/workflows/excessive-permissions.yml:19:3 + | +19 | id-token: write + | ^^^^^^^^^^^^^^^ id-token: write is overly broad at the workflow level + | + = note: audit confidence → High + +error[excessive-permissions]: overly broad permissions + --> .github/workflows/excessive-permissions.yml:21:3 + | +21 | contents: write + | ^^^^^^^^^^^^^^^ contents: write is overly broad at the workflow level + | + = note: audit confidence → High + +error[excessive-permissions]: overly broad permissions + --> .github/workflows/excessive-permissions.yml:29:3 + | +29 | / perms-2: +30 | | runs-on: ubuntu-latest +31 | | # NOT OK: extremely broad job-level permissions +32 | | permissions: write-all + | | ^^^^^^^^^^^^^^^^^^^^^^ uses write-all permissions +33 | | steps: +34 | | - run: "echo hello" + | |_________________________^ this job + | + = note: audit confidence → High + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/github-env.yml:24:3 + | +24 | / vulnerable: +25 | | runs-on: ubuntu-latest +... 
| +33 | | env: +34 | | TITLE: ${{ github.event.pull_request.title }} + | | - + | |________________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +error[dangerous-triggers]: use of fundamentally insecure workflow trigger + --> .github/workflows/github-env.yml:19:1 + | +19 | / on: +20 | | # NOT OK: pull_request_target enables this attack +21 | | pull_request_target: + | |______________________^ pull_request_target is almost always used insecurely + | + = note: audit confidence → Medium + +error[github-env]: dangerous use of environment file + --> .github/workflows/github-env.yml:30:9 + | +30 | - run: | + | _________^ +31 | | message=$(echo "$TITLE" | grep -oP '[{\[][^}\]]+[}\]]' | sed 's/{\|}\|\[\|\]//g') +32 | | echo "message=$message" >> $GITHUB_ENV + | |________________________________________________^ write to GITHUB_ENV may allow code execution + | + = note: audit confidence → Low + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/hardcoded-credentials.yml:23:3 + | +23 | / test: +24 | | runs-on: ubuntu-latest +... | +44 | | steps: +45 | | - run: echo 'vulnerable!' 
+ | | - + | |________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +error[hardcoded-container-credentials]: hardcoded credential in GitHub Actions container configurations + --> .github/workflows/hardcoded-credentials.yml:27:7 + | +27 | / credentials: +28 | | username: user +29 | | # NOT OK: hardcoded credential +30 | | password: hackme + | |________________________^ container registry password is hard-coded + | + = note: audit confidence → High + +error[hardcoded-container-credentials]: hardcoded credential in GitHub Actions container configurations + --> .github/workflows/hardcoded-credentials.yml:34:9 + | +34 | / credentials: +35 | | username: user +36 | | # NOT OK: hardcoded credential +37 | | password: hackme + | |__________________________^ service service-1: container registry password is hard-coded + | + = note: audit confidence → High + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/impostor-commit.yml:22:2 + | +22 | / commit: +23 | | runs-on: ubuntu-latest +... | +30 | | run: | +31 | | echo 'hello world!' + | | - + | |_____________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/insecure-commands.yml:10:3 + | +10 | / some-dangerous-job: +11 | | runs-on: ubuntu-latest +... 
| +18 | | # NOT OK +19 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: yes + | | - + | |_______________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +error[insecure-commands]: execution of insecure workflow commands is enabled + --> .github/workflows/insecure-commands.yml:5:1 + | +5 | / env: +6 | | # NOT OK +7 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: yes + | |______________________________________^ insecure commands enabled here + | + = note: audit confidence → High + +error[insecure-commands]: execution of insecure workflow commands is enabled + --> .github/workflows/insecure-commands.yml:12:5 + | +12 | / env: +13 | | # NOT OK +14 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: yes + | |__________________________________________^ insecure commands enabled here + | + = note: audit confidence → High + +error[insecure-commands]: execution of insecure workflow commands is enabled + --> .github/workflows/insecure-commands.yml:17:9 + | +17 | / env: +18 | | # NOT OK +19 | | ACTIONS_ALLOW_UNSECURE_COMMANDS: yes + | |_______________________________________________^ insecure commands enabled here + | + = note: audit confidence → High + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/known-vulnerable-actions.yml:14:3 + | +14 | / vulnerable: +15 | | runs-on: ubuntu-latest +... 
| +27 | | # NOT OK: GHSA-6q4m-7476-932w +28 | | - uses: rlespinasse/github-slug-action@4.0.1 + | | - + | |___________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[overprovisioned-secrets]: excessively provisioned secrets + --> .github/workflows/overprovisioned-secrets.yml:21:18 + | +21 | stuff: ${{ format('{0}', toJSON(secrets)) }} + | ------------------------------------- injects the entire secrets context into the runner + | + = note: audit confidence → High + +warning[overprovisioned-secrets]: excessively provisioned secrets + --> .github/workflows/overprovisioned-secrets.yml:31:25 + | +31 | secrets_json: ${{ toJSON(secrets) }} + | ---------------------- injects the entire secrets context into the runner + | + = note: audit confidence → High + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/pull-request-target.yml:25:3 + | +25 | / vulnerable: +26 | | runs-on: ubuntu-latest +... 
| +39 | | npm install +40 | | npm build + | | - + | |____________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +error[dangerous-triggers]: use of fundamentally insecure workflow trigger + --> .github/workflows/pull-request-target.yml:20:1 + | +20 | / on: +21 | | # NOT OK: pull_request_target should almost never be used +22 | | pull_request_target: + | |______________________^ pull_request_target is almost always used insecurely + | + = note: audit confidence → Medium + +info[use-trusted-publishing]: prefer trusted publishing for authentication + --> .github/workflows/pypi-manual-credential.yml:27:9 + | +27 | uses: pypa/gh-action-pypi-publish@release/v1 + | -------------------------------------------- info: this step +28 | with: +29 | password: ${{ secrets.PYPI_TOKEN }} + | ----------------------------------- info: uses a manually-configured credential instead of Trusted Publishing + | + = note: audit confidence → High + +info[use-trusted-publishing]: prefer trusted publishing for authentication + --> .github/workflows/pypi-manual-credential.yml:58:9 + | +58 | uses: pypa/gh-action-pypi-publish@release/v1 + | -------------------------------------------- info: this step +59 | with: +60 | repository-url: https://upload.pypi.org/legacy/ +61 | password: ${{ secrets.PYPI_TOKEN }} + | ----------------------------------- info: uses a manually-configured credential instead of Trusted Publishing + | + = note: audit confidence → High + +info[use-trusted-publishing]: prefer trusted publishing for authentication + --> .github/workflows/pypi-manual-credential.yml:66:9 + | +66 | uses: pypa/gh-action-pypi-publish@release/v1 + | -------------------------------------------- info: this step +67 | with: +68 | repository-url: https://test.pypi.org/legacy/ +69 | password: ${{ secrets.TEST_PYPI_TOKEN }} + | ---------------------------------------- info: uses a manually-configured credential instead of Trusted 
Publishing + | + = note: audit confidence → High + +info[use-trusted-publishing]: prefer trusted publishing for authentication + --> .github/workflows/pypi-manual-credential.yml:73:9 + | +73 | uses: pypa/gh-action-pypi-publish@release/v1 + | -------------------------------------------- info: this step +74 | with: +75 | repository_url: https://upload.pypi.org/legacy/ +76 | password: ${{ secrets.PYPI_TOKEN }} + | ----------------------------------- info: uses a manually-configured credential instead of Trusted Publishing + | + = note: audit confidence → High + +info[use-trusted-publishing]: prefer trusted publishing for authentication + --> .github/workflows/pypi-manual-credential.yml:81:9 + | +81 | uses: pypa/gh-action-pypi-publish@release/v1 + | -------------------------------------------- info: this step +82 | with: +83 | repository_url: https://test.pypi.org/legacy/ +84 | password: ${{ secrets.TEST_PYPI_TOKEN }} + | ---------------------------------------- info: uses a manually-configured credential instead of Trusted Publishing + | + = note: audit confidence → High + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/ref-confusion.yml:20:3 + | +20 | / commit: +21 | | runs-on: ubuntu-latest +22 | | steps: +23 | | # NOT OK: `confusable` is both a tag and a branch +24 | | - uses: woodruffw/gha-hazmat/ref-confusion@confusable + | | - + | |____________________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/secrets-inherit.yml:1:1 + | + 1 | / # secrets-inherit.yml + 2 | | # +... 
| +32 | | # OK: no secrets forwarded +33 | | secrets: {} + | |________________- default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/secrets-inherit.yml:15:3 + | +15 | / call-workflow-vulnerable-1: +16 | | uses: octo-org/example-repo/.github/workflows/called-workflow.yml@main +17 | | # NOT OK: unconditionally inherits +18 | | secrets: inherit + | | - + | |____________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/secrets-inherit.yml:20:3 + | +20 | / call-workflow-not-vulnerable-2: +21 | | uses: octo-org/example-repo/.github/workflows/called-workflow.yml@main +22 | | # OK: explicitly forwards intended secrets +23 | | secrets: +24 | | special-secret: ${{ secrets.special-secret }} + | | - + | |___________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/secrets-inherit.yml:26:3 + | +26 | / call-workflow-not-vulnerable-3: +27 | | uses: octo-org/example-repo/.github/workflows/called-workflow.yml@main +28 | | # OK: no secrets forwarded + | | - + | |______________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/secrets-inherit.yml:30:3 + | +30 | / call-workflow-not-vulnerable-4: +31 | | uses: octo-org/example-repo/.github/workflows/called-workflow.yml@main +32 | | # OK: no secrets forwarded +33 | | secrets: {} + | | - + | |________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium 
+ +warning[secrets-inherit]: secrets unconditionally inherited by called workflow + --> .github/workflows/secrets-inherit.yml:16:5 + | +16 | uses: octo-org/example-repo/.github/workflows/called-workflow.yml@main + | ---------------------------------------------------------------------- this reusable workflow +17 | # NOT OK: unconditionally inherits +18 | secrets: inherit + | ---------------- inherits all parent secrets + | + = note: audit confidence → High + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/self-hosted.yml:22:3 + | +22 | / vulnerable: +23 | | # NOT OK: self-hosted runners are difficult to secure in public repos +... | +27 | | - run: | +28 | | echo "hello from a self-hosted runner" + | | - + | |_________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/template-injection.yml:1:1 + | + 1 | / # template-injection.yml + 2 | | # +... | +127 | | run: | +128 | | ${{ some.context == 'success' }} + | |___________________________________________- default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/template-injection.yml:36:3 + | +36 | / vulnerable-1: +37 | | runs-on: ubuntu-latest +... | +94 | | run: | +95 | | echo "doing a thing: ${{ github.workspace }}" + | | - + | |_______________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/template-injection.yml:97:3 + | + 97 | / vulnerable-2: + 98 | | runs-on: ubuntu-latest +... 
| +106 | | run: | +107 | | echo "doing a thing: ${{ matrix.unknown-key }}" + | | - + | |_________________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/template-injection.yml:110:3 + | +110 | / vulnerable-3: +111 | | runs-on: ubuntu-latest +... | +118 | | script: | +119 | | return "doing a thing: ${{ github.event.issue.title }}" + | | - + | |___________________________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/template-injection.yml:121:3 + | +121 | / not-vulnerable-4: +122 | | runs-on: ubuntu-latest +... | +127 | | run: | +128 | | ${{ some.context == 'success' }} + | | - + | |___________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +error[template-injection]: code injection via template expansion + --> .github/workflows/template-injection.yml:45:9 + | +45 | - name: vulnerable-1 + | ^^^^^^^^^^^^^^^^^^ this step +46 | # NOT OK: attacker controlled issue title +47 | / run: | +48 | | echo "issue created: ${{ github.event.issue.title }}" + | |_______________________________________________________________^ github.event.issue.title may expand into attacker-controllable code + | + = note: audit confidence → High + +error[template-injection]: code injection via template expansion + --> .github/workflows/template-injection.yml:50:9 + | +50 | - name: vulnerable-2 + | ^^^^^^^^^^^^^^^^^^ this step +51 | # NOT OK: attacker controlled workflow_dispatch input +52 | / run: | +53 | | echo "doing a thing: ${{ inputs.hackme }}" + | |____________________________________________________^ inputs.hackme may 
expand into attacker-controllable code + | + = note: audit confidence → Low + +error[template-injection]: code injection via template expansion + --> .github/workflows/template-injection.yml:60:9 + | +60 | - name: vulnerable-4 + | ^^^^^^^^^^^^^^^^^^ this step +61 | # NOT OK: `workflow_call` inputs may or may not be trusted +62 | / run: | +63 | | echo "doing a thing: ${{ inputs.hackme-call }}" + | |_________________________________________________________^ inputs.hackme-call may expand into attacker-controllable code + | + = note: audit confidence → Low + +warning[template-injection]: code injection via template expansion + --> .github/workflows/template-injection.yml:82:9 + | +82 | - name: vulnerable-8 + | ------------------ this step +83 | # NOT OK: matrix.dynamic is dynamic +84 | / run: | +85 | | echo "doing a thing: ${{ matrix.dynamic }}" + | |_____________________________________________________- matrix.dynamic may expand into attacker-controllable code + | + = note: audit confidence → Medium + +warning[template-injection]: code injection via template expansion + --> .github/workflows/template-injection.yml:104:9 + | +104 | - name: vulnerable-11 + | ------------------- this step +105 | # NOT OK: entire matrix is dynamic +106 | / run: | +107 | | echo "doing a thing: ${{ matrix.unknown-key }}" + | |_________________________________________________________- matrix.unknown-key may expand into attacker-controllable code + | + = note: audit confidence → Medium + +error[template-injection]: code injection via template expansion + --> .github/workflows/template-injection.yml:114:9 + | +114 | - name: vulnerable-12 + | ^^^^^^^^^^^^^^^^^^^ this step +115 | uses: actions/github-script@v7 +116 | with: +117 | # NOT OK: attacker-controlled issue title +118 | / script: | +119 | | return "doing a thing: ${{ github.event.issue.title }}" + | |___________________________________________________________________^ github.event.issue.title may expand into attacker-controllable code + 
| + = note: audit confidence → High + +warning[excessive-permissions]: overly broad permissions + --> .github/workflows/unpinned.yml:16:3 + | +16 | / unpinned-0: +17 | | runs-on: ubuntu-latest +... | +37 | | args: hello! +38 | | + | |_-- this job + | | + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +warning[unpinned-uses]: unpinned action reference + --> .github/workflows/unpinned.yml:20:9 + | +20 | - uses: actions/checkout + | ---------------------- action is not pinned to a tag, branch, or hash ref + | + = note: audit confidence → High + +warning[unpinned-uses]: unpinned action reference + --> .github/workflows/unpinned.yml:25:9 + | +25 | - uses: github/codeql-action/upload-sarif + | --------------------------------------- action is not pinned to a tag, branch, or hash ref + | + = note: audit confidence → High + +warning[unpinned-uses]: unpinned action reference + --> .github/workflows/unpinned.yml:28:9 + | +28 | - uses: docker://ubuntu + | --------------------- action is not pinned to a tag, branch, or hash ref + | + = note: audit confidence → High + +warning[unpinned-uses]: unpinned action reference + --> .github/workflows/unpinned.yml:34:9 + | +34 | - uses: docker://ghcr.io/pypa/gh-action-pypi-publish + | -------------------------------------------------- action is not pinned to a tag, branch, or hash ref + | + = note: audit confidence → High + +warning[unredacted-secrets]: leaked secret values + --> .github/workflows/unredacted-secrets.yml:20:18 + | +20 | stuff: ${{ fromJSON(secrets.password) }} + | --------------------------------- bypasses secret redaction + | + = note: audit confidence → High + +warning[unredacted-secrets]: leaked secret values + --> .github/workflows/unredacted-secrets.yml:23:23 + | +23 | otherstuff: ${{ fromJson(secrets.otherstuff).field }} + | ----------------------------------------- bypasses secret redaction + | + = note: audit confidence → High + +warning[excessive-permissions]: 
overly broad permissions + --> .github/workflows/workflow-run.yml:23:3 + | +23 | / vulnerable: +24 | | runs-on: ubuntu-latest +... | +29 | | env: +30 | | GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + | | - + | |________________________________________________| + | this job + | default permissions used due to no permissions: block + | + = note: audit confidence → Medium + +error[dangerous-triggers]: use of fundamentally insecure workflow trigger + --> .github/workflows/workflow-run.yml:17:1 + | +17 | / on: +18 | | # NOT OK: allows trivial third-party access to the upstream's context +19 | | workflow_run: +20 | | workflows: ["CI"] + | |_____________________^ workflow_run is almost always used insecurely + | + = note: audit confidence → Medium + +105 findings (36 suppressed): 0 unknown, 5 informational, 0 low, 39 medium, 25 high
diff --git a/tests/snapshots/snapshot__artipacked-2.snap b/tests/integration/snapshots/integration__snapshot__artipacked-2.snap
similarity index 80%
rename from tests/snapshots/snapshot__artipacked-2.snap
rename to tests/integration/snapshots/integration__snapshot__artipacked-2.snap
index 81435082..83ef21bf 100644
--- a/tests/snapshots/snapshot__artipacked-2.snap
+++ b/tests/integration/snapshots/integration__snapshot__artipacked-2.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"artipacked.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"artipacked.yml\")).run()?"
 snapshot_kind: text
 ---
 warning[artipacked]: credential persistence through GitHub Actions artifacts
diff --git a/tests/snapshots/snapshot__artipacked-3.snap b/tests/integration/snapshots/integration__snapshot__artipacked-3.snap
similarity index 85%
rename from tests/snapshots/snapshot__artipacked-3.snap
rename to tests/integration/snapshots/integration__snapshot__artipacked-3.snap
index a29439b0..ef56d573 100644
--- a/tests/snapshots/snapshot__artipacked-3.snap
+++ b/tests/integration/snapshots/integration__snapshot__artipacked-3.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"artipacked.yml\")).args([\"--persona=auditor\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"artipacked.yml\")).args([\"--persona=auditor\"]).run()?"
 snapshot_kind: text
 ---
 warning[artipacked]: credential persistence through GitHub Actions artifacts
diff --git a/tests/snapshots/snapshot__artipacked-4.snap b/tests/integration/snapshots/integration__snapshot__artipacked-4.snap
similarity index 75%
rename from tests/snapshots/snapshot__artipacked-4.snap
rename to tests/integration/snapshots/integration__snapshot__artipacked-4.snap
index ce483f0f..58a6d6e8 100644
--- a/tests/snapshots/snapshot__artipacked-4.snap
+++ b/tests/integration/snapshots/integration__snapshot__artipacked-4.snap
@@ -1,6 +1,7 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"artipacked/issue-447-repro.yml\")).args([\"--persona=auditor\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"artipacked/issue-447-repro.yml\")).args([\"--persona=auditor\"]).run()?"
+snapshot_kind: text
 ---
 warning[artipacked]: credential persistence through GitHub Actions artifacts
 --> @@INPUT@@:19:9
diff --git a/tests/snapshots/snapshot__artipacked.snap b/tests/integration/snapshots/integration__snapshot__artipacked.snap
similarity index 76%
rename from tests/snapshots/snapshot__artipacked.snap
rename to tests/integration/snapshots/integration__snapshot__artipacked.snap
index 26cae408..670139f7 100644
--- a/tests/snapshots/snapshot__artipacked.snap
+++ b/tests/integration/snapshots/integration__snapshot__artipacked.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"artipacked.yml\")).args([\"--persona=pedantic\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"artipacked.yml\")).args([\"--persona=pedantic\"]).run()?"
 snapshot_kind: text
 ---
 warning[artipacked]: credential persistence through GitHub Actions artifacts
diff --git a/tests/snapshots/snapshot__bot_conditions.snap b/tests/integration/snapshots/integration__snapshot__bot_conditions.snap
similarity index 92%
rename from tests/snapshots/snapshot__bot_conditions.snap
rename to tests/integration/snapshots/integration__snapshot__bot_conditions.snap
index 8dca4d4d..cce18a6b 100644
--- a/tests/snapshots/snapshot__bot_conditions.snap
+++ b/tests/integration/snapshots/integration__snapshot__bot_conditions.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"bot-conditions.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"bot-conditions.yml\")).run()?"
 snapshot_kind: text
 ---
 error[dangerous-triggers]: use of fundamentally insecure workflow trigger
diff --git a/tests/snapshots/snapshot__cache_poisoning-10.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-10.snap
similarity index 84%
rename from tests/snapshots/snapshot__cache_poisoning-10.snap
rename to tests/integration/snapshots/integration__snapshot__cache_poisoning-10.snap
index 8b8705b1..63ba8c9e 100644
--- a/tests/snapshots/snapshot__cache_poisoning-10.snap
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-10.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/publisher-step.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/publisher-step.yml\")).run()?"
 snapshot_kind: text
 ---
 error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
diff --git a/tests/snapshots/snapshot__cache_poisoning-11.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-11.snap
similarity index 92%
rename from tests/snapshots/snapshot__cache_poisoning-11.snap
rename to tests/integration/snapshots/integration__snapshot__cache_poisoning-11.snap
index 55c441b9..99939ac2 100644
--- a/tests/snapshots/snapshot__cache_poisoning-11.snap
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-11.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/issue-343-repro.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/issue-343-repro.yml\")).run()?"
 snapshot_kind: text
 ---
 error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
diff --git a/tests/snapshots/snapshot__cache_poisoning-12.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-12.snap
similarity index 81%
rename from tests/snapshots/snapshot__cache_poisoning-12.snap
rename to tests/integration/snapshots/integration__snapshot__cache_poisoning-12.snap
index 295c4385..2c7fee64 100644
--- a/tests/snapshots/snapshot__cache_poisoning-12.snap
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-12.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-not-configurable.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-not-configurable.yml\")).run()?"
 snapshot_kind: text
 ---
 error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
diff --git a/tests/snapshots/snapshot__cache_poisoning-13.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-13.snap
similarity index 81%
rename from tests/snapshots/snapshot__cache_poisoning-13.snap
rename to tests/integration/snapshots/integration__snapshot__cache_poisoning-13.snap
index e861ad57..ea206c1f 100644
--- a/tests/snapshots/snapshot__cache_poisoning-13.snap
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-13.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/workflow-release-branch-trigger.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/workflow-release-branch-trigger.yml\")).run()?"
 snapshot_kind: text
 ---
 error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
diff --git a/tests/integration/snapshots/integration__snapshot__cache_poisoning-14.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-14.snap
new file mode 100644
index 00000000..f36249b3
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-14.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/issue-378-repro.yml\")).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__cache_poisoning-2.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-2.snap
similarity index 79%
rename from tests/snapshots/snapshot__cache_poisoning-2.snap
rename to tests/integration/snapshots/integration__snapshot__cache_poisoning-2.snap
index a6851489..c6e4391a 100644
--- a/tests/snapshots/snapshot__cache_poisoning-2.snap
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-2.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-enabled-by-default.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-enabled-by-default.yml\")).run()?"
 snapshot_kind: text
 ---
 error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
diff --git a/tests/snapshots/snapshot__cache_poisoning-3.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-3.snap
similarity index 79%
rename from tests/snapshots/snapshot__cache_poisoning-3.snap
rename to tests/integration/snapshots/integration__snapshot__cache_poisoning-3.snap
index 155cdf1a..913beef4 100644
--- a/tests/snapshots/snapshot__cache_poisoning-3.snap
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-3.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-opt-in-boolean-toggle.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-opt-in-boolean-toggle.yml\")).run()?"
 snapshot_kind: text
 ---
 error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
diff --git a/tests/snapshots/snapshot__cache_poisoning-4.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-4.snap
similarity index 82%
rename from tests/snapshots/snapshot__cache_poisoning-4.snap
rename to tests/integration/snapshots/integration__snapshot__cache_poisoning-4.snap
index 5f147850..8a274ced 100644
--- a/tests/snapshots/snapshot__cache_poisoning-4.snap
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-4.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-opt-in-expression.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-opt-in-expression.yml\")).run()?"
 snapshot_kind: text
 ---
 error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
diff --git a/tests/snapshots/snapshot__cache_poisoning-5.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-5.snap
similarity index 80%
rename from tests/snapshots/snapshot__cache_poisoning-5.snap
rename to tests/integration/snapshots/integration__snapshot__cache_poisoning-5.snap
index ab1d0837..cea5d704 100644
--- a/tests/snapshots/snapshot__cache_poisoning-5.snap
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-5.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-opt-in-multi-value-toggle.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-opt-in-multi-value-toggle.yml\")).run()?"
 snapshot_kind: text
 ---
 error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
diff --git a/tests/integration/snapshots/integration__snapshot__cache_poisoning-6.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-6.snap
new file mode 100644
index 00000000..54783516
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-6.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-opt-out.yml\")).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job!
diff --git a/tests/integration/snapshots/integration__snapshot__cache_poisoning-7.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-7.snap
new file mode 100644
index 00000000..ff7444ec
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-7.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/no-cache-aware-steps.yml\")).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__cache_poisoning-8.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-8.snap
similarity index 81%
rename from tests/snapshots/snapshot__cache_poisoning-8.snap
rename to tests/integration/snapshots/integration__snapshot__cache_poisoning-8.snap
index 55e18f40..93ac8502 100644
--- a/tests/snapshots/snapshot__cache_poisoning-8.snap
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-8.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/workflow-tag-trigger.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/workflow-tag-trigger.yml\")).run()?"
 snapshot_kind: text
 ---
 error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
diff --git a/tests/snapshots/snapshot__cache_poisoning-9.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning-9.snap
similarity index 81%
rename from tests/snapshots/snapshot__cache_poisoning-9.snap
rename to tests/integration/snapshots/integration__snapshot__cache_poisoning-9.snap
index e9c9113a..3e29fd23 100644
--- a/tests/snapshots/snapshot__cache_poisoning-9.snap
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning-9.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-opt-in-boolish-toggle.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-opt-in-boolish-toggle.yml\")).run()?"
 snapshot_kind: text
 ---
 error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
diff --git a/tests/integration/snapshots/integration__snapshot__cache_poisoning.snap b/tests/integration/snapshots/integration__snapshot__cache_poisoning.snap
new file mode 100644
index 00000000..8a29a7f7
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__cache_poisoning.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"cache-poisoning/caching-disabled-by-default.yml\")).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job!
diff --git a/tests/integration/snapshots/integration__snapshot__cant_retrieve.snap b/tests/integration/snapshots/integration__snapshot__cant_retrieve.snap
new file mode 100644
index 00000000..3fc73692
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__cant_retrieve.snap
@@ -0,0 +1,7 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().output(OutputMode::Stderr).offline(true).unsetenv(\"GH_TOKEN\").args([\"pypa/sampleproject\"]).run()?"
+snapshot_kind: text
+---
+error: can't retrieve repository: pypa/sampleproject
+ = note: try removing --offline or passing --gh-token
diff --git a/tests/snapshots/snapshot__excessive_permissions-10.snap b/tests/integration/snapshots/integration__snapshot__excessive_permissions-10.snap
similarity index 83%
rename from tests/snapshots/snapshot__excessive_permissions-10.snap
rename to tests/integration/snapshots/integration__snapshot__excessive_permissions-10.snap
index 8d6183cc..05ebc781 100644
--- a/tests/snapshots/snapshot__excessive_permissions-10.snap
+++ b/tests/integration/snapshots/integration__snapshot__excessive_permissions-10.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/issue-472-repro.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"excessive-permissions/issue-472-repro.yml\")).run()?"
 snapshot_kind: text
 ---
 warning[excessive-permissions]: overly broad permissions
diff --git a/tests/snapshots/snapshot__excessive_permissions-11.snap b/tests/integration/snapshots/integration__snapshot__excessive_permissions-11.snap
similarity index 81%
rename from tests/snapshots/snapshot__excessive_permissions-11.snap
rename to tests/integration/snapshots/integration__snapshot__excessive_permissions-11.snap
index 17b6fbc5..0c7afc66 100644
--- a/tests/snapshots/snapshot__excessive_permissions-11.snap
+++ b/tests/integration/snapshots/integration__snapshot__excessive_permissions-11.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/reusable-workflow-call.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"excessive-permissions/reusable-workflow-call.yml\")).run()?"
 snapshot_kind: text
 ---
 warning[excessive-permissions]: overly broad permissions
diff --git a/tests/snapshots/snapshot__excessive_permissions-12.snap b/tests/integration/snapshots/integration__snapshot__excessive_permissions-12.snap
similarity index 90%
rename from tests/snapshots/snapshot__excessive_permissions-12.snap
rename to tests/integration/snapshots/integration__snapshot__excessive_permissions-12.snap
index 203bf0fd..ec7e9adf 100644
--- a/tests/snapshots/snapshot__excessive_permissions-12.snap
+++ b/tests/integration/snapshots/integration__snapshot__excessive_permissions-12.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/reusable-workflow-other-triggers.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"excessive-permissions/reusable-workflow-other-triggers.yml\")).run()?"
 snapshot_kind: text
 ---
 warning[excessive-permissions]: overly broad permissions
diff --git a/tests/snapshots/snapshot__excessive_permissions-2.snap b/tests/integration/snapshots/integration__snapshot__excessive_permissions-2.snap
similarity index 65%
rename from tests/snapshots/snapshot__excessive_permissions-2.snap
rename to tests/integration/snapshots/integration__snapshot__excessive_permissions-2.snap
index e59db81e..82a97d34 100644
--- a/tests/snapshots/snapshot__excessive_permissions-2.snap
+++ b/tests/integration/snapshots/integration__snapshot__excessive_permissions-2.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/issue-336-repro.yml\")).args([\"--pedantic\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"excessive-permissions/issue-336-repro.yml\")).args([\"--pedantic\"]).run()?"
 snapshot_kind: text
 ---
 error[excessive-permissions]: overly broad permissions
diff --git a/tests/snapshots/snapshot__excessive_permissions-3.snap b/tests/integration/snapshots/integration__snapshot__excessive_permissions-3.snap
similarity index 85%
rename from tests/snapshots/snapshot__excessive_permissions-3.snap
rename to tests/integration/snapshots/integration__snapshot__excessive_permissions-3.snap
index 69879d19..65806f55 100644
--- a/tests/snapshots/snapshot__excessive_permissions-3.snap
+++ b/tests/integration/snapshots/integration__snapshot__excessive_permissions-3.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/workflow-default-perms.yml\")).args([\"--pedantic\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"excessive-permissions/workflow-default-perms.yml\")).args([\"--pedantic\"]).run()?"
 snapshot_kind: text
 ---
 warning[excessive-permissions]: overly broad permissions
diff --git a/tests/snapshots/snapshot__excessive_permissions-4.snap b/tests/integration/snapshots/integration__snapshot__excessive_permissions-4.snap
similarity index 66%
rename from tests/snapshots/snapshot__excessive_permissions-4.snap
rename to tests/integration/snapshots/integration__snapshot__excessive_permissions-4.snap
index 5175b32a..000a9d29 100644
--- a/tests/snapshots/snapshot__excessive_permissions-4.snap
+++ b/tests/integration/snapshots/integration__snapshot__excessive_permissions-4.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/workflow-read-all.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"excessive-permissions/workflow-read-all.yml\")).run()?"
 snapshot_kind: text
 ---
 warning[excessive-permissions]: overly broad permissions
diff --git a/tests/snapshots/snapshot__excessive_permissions-5.snap b/tests/integration/snapshots/integration__snapshot__excessive_permissions-5.snap
similarity index 66%
rename from tests/snapshots/snapshot__excessive_permissions-5.snap
rename to tests/integration/snapshots/integration__snapshot__excessive_permissions-5.snap
index 233acb94..39f2297a 100644
--- a/tests/snapshots/snapshot__excessive_permissions-5.snap
+++ b/tests/integration/snapshots/integration__snapshot__excessive_permissions-5.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/workflow-write-all.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"excessive-permissions/workflow-write-all.yml\")).run()?"
 snapshot_kind: text
 ---
 error[excessive-permissions]: overly broad permissions
diff --git a/tests/integration/snapshots/integration__snapshot__excessive_permissions-6.snap b/tests/integration/snapshots/integration__snapshot__excessive_permissions-6.snap
new file mode 100644
index 00000000..0b831e4a
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__excessive_permissions-6.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"excessive-permissions/workflow-empty-perms.yml\")).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__excessive_permissions-7.snap b/tests/integration/snapshots/integration__snapshot__excessive_permissions-7.snap
similarity index 87%
rename from tests/snapshots/snapshot__excessive_permissions-7.snap
rename to tests/integration/snapshots/integration__snapshot__excessive_permissions-7.snap
index faf42358..2da742ac 100644
--- a/tests/snapshots/snapshot__excessive_permissions-7.snap
+++ b/tests/integration/snapshots/integration__snapshot__excessive_permissions-7.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/jobs-broaden-permissions.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"excessive-permissions/jobs-broaden-permissions.yml\")).run()?"
 snapshot_kind: text
 ---
 warning[excessive-permissions]: overly broad permissions
diff --git a/tests/snapshots/snapshot__excessive_permissions-8.snap b/tests/integration/snapshots/integration__snapshot__excessive_permissions-8.snap
similarity index 83%
rename from tests/snapshots/snapshot__excessive_permissions-8.snap
rename to tests/integration/snapshots/integration__snapshot__excessive_permissions-8.snap
index a7e0317a..df1e2276 100644
--- a/tests/snapshots/snapshot__excessive_permissions-8.snap
+++ b/tests/integration/snapshots/integration__snapshot__excessive_permissions-8.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/workflow-write-explicit.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"excessive-permissions/workflow-write-explicit.yml\")).run()?"
 snapshot_kind: text
 ---
 error[excessive-permissions]: overly broad permissions
diff --git a/tests/integration/snapshots/integration__snapshot__excessive_permissions-9.snap b/tests/integration/snapshots/integration__snapshot__excessive_permissions-9.snap
new file mode 100644
index 00000000..5d59b292
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__excessive_permissions-9.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"excessive-permissions/workflow-default-perms-all-jobs-explicit.yml\")).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job! (1 suppressed)
diff --git a/tests/integration/snapshots/integration__snapshot__excessive_permissions.snap b/tests/integration/snapshots/integration__snapshot__excessive_permissions.snap
new file mode 100644
index 00000000..5bfd101a
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__excessive_permissions.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"excessive-permissions/issue-336-repro.yml\")).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job! (1 suppressed)
diff --git a/tests/snapshots/snapshot__github_env-2.snap b/tests/integration/snapshots/integration__snapshot__github_env-2.snap
similarity index 79%
rename from tests/snapshots/snapshot__github_env-2.snap
rename to tests/integration/snapshots/integration__snapshot__github_env-2.snap
index 4da738a7..ca6e9034 100644
--- a/tests/snapshots/snapshot__github_env-2.snap
+++ b/tests/integration/snapshots/integration__snapshot__github_env-2.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"github-env/github-path.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"github-env/github-path.yml\")).run()?"
 snapshot_kind: text
 ---
 error[github-env]: dangerous use of environment file
diff --git a/tests/snapshots/snapshot__github_env-3.snap b/tests/integration/snapshots/integration__snapshot__github_env-3.snap
similarity index 78%
rename from tests/snapshots/snapshot__github_env-3.snap
rename to tests/integration/snapshots/integration__snapshot__github_env-3.snap
index 1c35d7ca..47475598 100644
--- a/tests/snapshots/snapshot__github_env-3.snap
+++ b/tests/integration/snapshots/integration__snapshot__github_env-3.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"github-env/issue-397-repro.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"github-env/issue-397-repro.yml\")).run()?"
 snapshot_kind: text
 ---
 error[github-env]: dangerous use of environment file
diff --git a/tests/snapshots/snapshot__github_env.snap b/tests/integration/snapshots/integration__snapshot__github_env.snap
similarity index 88%
rename from tests/snapshots/snapshot__github_env.snap
rename to tests/integration/snapshots/integration__snapshot__github_env.snap
index 66559a79..75cb2431 100644
--- a/tests/snapshots/snapshot__github_env.snap
+++ b/tests/integration/snapshots/integration__snapshot__github_env.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"github-env/action.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"github-env/action.yml\")).run()?"
 snapshot_kind: text
 ---
 error[github-env]: dangerous use of environment file
diff --git a/tests/snapshots/snapshot__insecure_commands-2.snap b/tests/integration/snapshots/integration__snapshot__insecure_commands-2.snap
similarity index 76%
rename from tests/snapshots/snapshot__insecure_commands-2.snap
rename to tests/integration/snapshots/integration__snapshot__insecure_commands-2.snap
index bdf8f5a5..9b68189a 100644
--- a/tests/snapshots/snapshot__insecure_commands-2.snap
+++ b/tests/integration/snapshots/integration__snapshot__insecure_commands-2.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"insecure-commands.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"insecure-commands.yml\")).run()?"
 snapshot_kind: text
 ---
 error[insecure-commands]: execution of insecure workflow commands is enabled
diff --git a/tests/snapshots/snapshot__insecure_commands-3.snap b/tests/integration/snapshots/integration__snapshot__insecure_commands-3.snap
similarity index 85%
rename from tests/snapshots/snapshot__insecure_commands-3.snap
rename to tests/integration/snapshots/integration__snapshot__insecure_commands-3.snap
index 480d6062..c8cdbcae 100644
--- a/tests/snapshots/snapshot__insecure_commands-3.snap
+++ b/tests/integration/snapshots/integration__snapshot__insecure_commands-3.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"insecure-commands/action.yml\")).args([\"--persona=auditor\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"insecure-commands/action.yml\")).args([\"--persona=auditor\"]).run()?"
 snapshot_kind: text
 ---
 error[insecure-commands]: execution of insecure workflow commands is enabled
diff --git a/tests/snapshots/snapshot__insecure_commands.snap b/tests/integration/snapshots/integration__snapshot__insecure_commands.snap
similarity index 81%
rename from tests/snapshots/snapshot__insecure_commands.snap
rename to tests/integration/snapshots/integration__snapshot__insecure_commands.snap
index 33d09a12..013a40bb 100644
--- a/tests/snapshots/snapshot__insecure_commands.snap
+++ b/tests/integration/snapshots/integration__snapshot__insecure_commands.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"insecure-commands.yml\")).args([\"--persona=auditor\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"insecure-commands.yml\")).args([\"--persona=auditor\"]).run()?"
 snapshot_kind: text
 ---
 error[insecure-commands]: execution of insecure workflow commands is enabled
diff --git a/tests/snapshots/snapshot__invalid_inputs.snap b/tests/integration/snapshots/integration__snapshot__invalid_inputs.snap
similarity index 71%
rename from tests/snapshots/snapshot__invalid_inputs.snap
rename to tests/integration/snapshots/integration__snapshot__invalid_inputs.snap
index 6d94fe12..413b3be2 100644
--- a/tests/snapshots/snapshot__invalid_inputs.snap
+++ b/tests/integration/snapshots/integration__snapshot__invalid_inputs.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().output(OutputMode::Stderr).offline(true).workflow(workflow_under_test(\"invalid/invalid-workflow.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().output(OutputMode::Stderr).offline(true).input(workflow_under_test(\"invalid/invalid-workflow.yml\")).run()?"
 snapshot_kind: text
 ---
 failed to register input: @@INPUT@@
diff --git a/tests/snapshots/snapshot__overprovisioned_secrets.snap b/tests/integration/snapshots/integration__snapshot__overprovisioned_secrets.snap
similarity index 84%
rename from tests/snapshots/snapshot__overprovisioned_secrets.snap
rename to tests/integration/snapshots/integration__snapshot__overprovisioned_secrets.snap
index b1947703..bf0219c9 100644
--- a/tests/snapshots/snapshot__overprovisioned_secrets.snap
+++ b/tests/integration/snapshots/integration__snapshot__overprovisioned_secrets.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"overprovisioned-secrets.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"overprovisioned-secrets.yml\")).run()?"
 snapshot_kind: text
 ---
 warning[overprovisioned-secrets]: excessively provisioned secrets
diff --git a/tests/integration/snapshots/integration__snapshot__ref_confusion-2.snap b/tests/integration/snapshots/integration__snapshot__ref_confusion-2.snap
new file mode 100644
index 00000000..33df2673
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__ref_confusion-2.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"ref-confusion/issue-518-repro.yml\")).offline(false).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job! (1 suppressed)
diff --git a/tests/snapshots/snapshot__ref_confusion.snap b/tests/integration/snapshots/integration__snapshot__ref_confusion.snap
similarity index 73%
rename from tests/snapshots/snapshot__ref_confusion.snap
rename to tests/integration/snapshots/integration__snapshot__ref_confusion.snap
index d5b98eb4..3802fcf2 100644
--- a/tests/snapshots/snapshot__ref_confusion.snap
+++ b/tests/integration/snapshots/integration__snapshot__ref_confusion.snap
@@ -1,6 +1,7 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"ref-confusion.yml\")).offline(false).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"ref-confusion.yml\")).offline(false).run()?"
+snapshot_kind: text
 ---
 warning[ref-confusion]: git ref for action with ambiguous ref type
 --> @@INPUT@@:11:9
diff --git a/tests/snapshots/snapshot__secrets_inherit.snap b/tests/integration/snapshots/integration__snapshot__secrets_inherit.snap
similarity index 81%
rename from tests/snapshots/snapshot__secrets_inherit.snap
rename to tests/integration/snapshots/integration__snapshot__secrets_inherit.snap
index 255b47c2..22e79bad 100644
--- a/tests/snapshots/snapshot__secrets_inherit.snap
+++ b/tests/integration/snapshots/integration__snapshot__secrets_inherit.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"secrets-inherit.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"secrets-inherit.yml\")).run()?"
 snapshot_kind: text
 ---
 warning[secrets-inherit]: secrets unconditionally inherited by called workflow
diff --git a/tests/integration/snapshots/integration__snapshot__self_hosted-2.snap b/tests/integration/snapshots/integration__snapshot__self_hosted-2.snap
new file mode 100644
index 00000000..9f72276d
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__self_hosted-2.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"self-hosted.yml\")).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job! (1 suppressed)
diff --git a/tests/snapshots/snapshot__self_hosted-3.snap b/tests/integration/snapshots/integration__snapshot__self_hosted-3.snap
similarity index 66%
rename from tests/snapshots/snapshot__self_hosted-3.snap
rename to tests/integration/snapshots/integration__snapshot__self_hosted-3.snap
index 1764f428..ca70f562 100644
--- a/tests/snapshots/snapshot__self_hosted-3.snap
+++ b/tests/integration/snapshots/integration__snapshot__self_hosted-3.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"self-hosted/self-hosted-runner-label.yml\")).args([\"--persona=auditor\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"self-hosted/self-hosted-runner-label.yml\")).args([\"--persona=auditor\"]).run()?"
 snapshot_kind: text
 ---
 note[self-hosted-runner]: runs on a self-hosted runner
diff --git a/tests/snapshots/snapshot__self_hosted-4.snap b/tests/integration/snapshots/integration__snapshot__self_hosted-4.snap
similarity index 66%
rename from tests/snapshots/snapshot__self_hosted-4.snap
rename to tests/integration/snapshots/integration__snapshot__self_hosted-4.snap
index c4a53f5f..7a8d3b40 100644
--- a/tests/snapshots/snapshot__self_hosted-4.snap
+++ b/tests/integration/snapshots/integration__snapshot__self_hosted-4.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"self-hosted/self-hosted-runner-group.yml\")).args([\"--persona=auditor\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"self-hosted/self-hosted-runner-group.yml\")).args([\"--persona=auditor\"]).run()?"
 snapshot_kind: text
 ---
 note[self-hosted-runner]: runs on a self-hosted runner
diff --git a/tests/snapshots/snapshot__self_hosted-5.snap b/tests/integration/snapshots/integration__snapshot__self_hosted-5.snap
similarity index 75%
rename from tests/snapshots/snapshot__self_hosted-5.snap
rename to tests/integration/snapshots/integration__snapshot__self_hosted-5.snap
index 5ffc041e..f80f60f8 100644
--- a/tests/snapshots/snapshot__self_hosted-5.snap
+++ b/tests/integration/snapshots/integration__snapshot__self_hosted-5.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"self-hosted/self-hosted-matrix-dimension.yml\")).args([\"--persona=auditor\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"self-hosted/self-hosted-matrix-dimension.yml\")).args([\"--persona=auditor\"]).run()?"
 snapshot_kind: text
 ---
 note[self-hosted-runner]: runs on a self-hosted runner
diff --git a/tests/snapshots/snapshot__self_hosted-6.snap b/tests/integration/snapshots/integration__snapshot__self_hosted-6.snap
similarity index 76%
rename from tests/snapshots/snapshot__self_hosted-6.snap
rename to tests/integration/snapshots/integration__snapshot__self_hosted-6.snap
index 5af6dcc2..ef538e11 100644
--- a/tests/snapshots/snapshot__self_hosted-6.snap
+++ b/tests/integration/snapshots/integration__snapshot__self_hosted-6.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"self-hosted/self-hosted-matrix-inclusion.yml\")).args([\"--persona=auditor\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"self-hosted/self-hosted-matrix-inclusion.yml\")).args([\"--persona=auditor\"]).run()?"
 snapshot_kind: text
 ---
 note[self-hosted-runner]: runs on a self-hosted runner
diff --git a/tests/integration/snapshots/integration__snapshot__self_hosted-7.snap b/tests/integration/snapshots/integration__snapshot__self_hosted-7.snap
new file mode 100644
index 00000000..8277888e
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__self_hosted-7.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"self-hosted/self-hosted-matrix-exclusion.yml\")).args([\"--persona=auditor\"]).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job!
diff --git a/tests/integration/snapshots/integration__snapshot__self_hosted-8.snap b/tests/integration/snapshots/integration__snapshot__self_hosted-8.snap
new file mode 100644
index 00000000..1e78cb81
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__self_hosted-8.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"self-hosted/issue-283-repro.yml\")).args([\"--persona=auditor\"]).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__self_hosted.snap b/tests/integration/snapshots/integration__snapshot__self_hosted.snap
similarity index 70%
rename from tests/snapshots/snapshot__self_hosted.snap
rename to tests/integration/snapshots/integration__snapshot__self_hosted.snap
index 27cab262..c609ea80 100644
--- a/tests/snapshots/snapshot__self_hosted.snap
+++ b/tests/integration/snapshots/integration__snapshot__self_hosted.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"self-hosted.yml\")).args([\"--persona=auditor\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"self-hosted.yml\")).args([\"--persona=auditor\"]).run()?"
 snapshot_kind: text
 ---
 note[self-hosted-runner]: runs on a self-hosted runner
diff --git a/tests/snapshots/snapshot__template_injection-2.snap b/tests/integration/snapshots/integration__snapshot__template_injection-2.snap
similarity index 73%
rename from tests/snapshots/snapshot__template_injection-2.snap
rename to tests/integration/snapshots/integration__snapshot__template_injection-2.snap
index 4740430e..e6eb5ca4 100644
--- a/tests/snapshots/snapshot__template_injection-2.snap
+++ b/tests/integration/snapshots/integration__snapshot__template_injection-2.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"template-injection/template-injection-dynamic-matrix.yml\")).args([\"--persona=auditor\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"template-injection/template-injection-dynamic-matrix.yml\")).args([\"--persona=auditor\"]).run()?"
 snapshot_kind: text
 ---
 warning[template-injection]: code injection via template expansion
diff --git a/tests/integration/snapshots/integration__snapshot__template_injection-3.snap b/tests/integration/snapshots/integration__snapshot__template_injection-3.snap
new file mode 100644
index 00000000..57bec4a3
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__template_injection-3.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"template-injection/issue-22-repro.yml\")).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job! (4 suppressed)
diff --git a/tests/snapshots/snapshot__template_injection-4.snap b/tests/integration/snapshots/integration__snapshot__template_injection-4.snap
similarity index 79%
rename from tests/snapshots/snapshot__template_injection-4.snap
rename to tests/integration/snapshots/integration__snapshot__template_injection-4.snap
index aec05dc8..fc5c4af7 100644
--- a/tests/snapshots/snapshot__template_injection-4.snap
+++ b/tests/integration/snapshots/integration__snapshot__template_injection-4.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"template-injection/pr-317-repro.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"template-injection/pr-317-repro.yml\")).run()?"
 snapshot_kind: text
 ---
 warning[template-injection]: code injection via template expansion
diff --git a/tests/snapshots/snapshot__template_injection-5.snap b/tests/integration/snapshots/integration__snapshot__template_injection-5.snap
similarity index 90%
rename from tests/snapshots/snapshot__template_injection-5.snap
rename to tests/integration/snapshots/integration__snapshot__template_injection-5.snap
index 23a0e53d..760d472d 100644
--- a/tests/snapshots/snapshot__template_injection-5.snap
+++ b/tests/integration/snapshots/integration__snapshot__template_injection-5.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"template-injection/static-env.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"template-injection/static-env.yml\")).run()?"
 snapshot_kind: text
 ---
 help[template-injection]: code injection via template expansion
diff --git a/tests/snapshots/snapshot__template_injection-6.snap b/tests/integration/snapshots/integration__snapshot__template_injection-6.snap
similarity index 82%
rename from tests/snapshots/snapshot__template_injection-6.snap
rename to tests/integration/snapshots/integration__snapshot__template_injection-6.snap
index 130f8c2c..aae2609e 100644
--- a/tests/snapshots/snapshot__template_injection-6.snap
+++ b/tests/integration/snapshots/integration__snapshot__template_injection-6.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"template-injection/issue-339-repro.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"template-injection/issue-339-repro.yml\")).run()?"
 snapshot_kind: text
 ---
 info[template-injection]: code injection via template expansion
diff --git a/tests/integration/snapshots/integration__snapshot__template_injection-7.snap b/tests/integration/snapshots/integration__snapshot__template_injection-7.snap
new file mode 100644
index 00000000..5da9ce92
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__template_injection-7.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"template-injection/issue-418-repro.yml\")).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job! (1 suppressed)
diff --git a/tests/snapshots/snapshot__template_injection-8.snap b/tests/integration/snapshots/integration__snapshot__template_injection-8.snap
similarity index 93%
rename from tests/snapshots/snapshot__template_injection-8.snap
rename to tests/integration/snapshots/integration__snapshot__template_injection-8.snap
index 17a98cd5..9903b43a 100644
--- a/tests/snapshots/snapshot__template_injection-8.snap
+++ b/tests/integration/snapshots/integration__snapshot__template_injection-8.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"template-injection/pr-425-backstop/action.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"template-injection/pr-425-backstop/action.yml\")).run()?"
 snapshot_kind: text
 ---
 error[template-injection]: code injection via template expansion
diff --git a/tests/integration/snapshots/integration__snapshot__template_injection.snap b/tests/integration/snapshots/integration__snapshot__template_injection.snap
new file mode 100644
index 00000000..7065e997
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__template_injection.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"template-injection/template-injection-static-matrix.yml\")).args([\"--persona=auditor\"]).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__unpinned_uses-2.snap b/tests/integration/snapshots/integration__snapshot__unpinned_uses-2.snap
similarity index 90%
rename from tests/snapshots/snapshot__unpinned_uses-2.snap
rename to tests/integration/snapshots/integration__snapshot__unpinned_uses-2.snap
index 74a7916f..6bd4a1ae 100644
--- a/tests/snapshots/snapshot__unpinned_uses-2.snap
+++ b/tests/integration/snapshots/integration__snapshot__unpinned_uses-2.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"unpinned-uses.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"unpinned-uses.yml\")).run()?"
 snapshot_kind: text
 ---
 warning[unpinned-uses]: unpinned action reference
diff --git a/tests/snapshots/snapshot__unpinned_uses-3.snap b/tests/integration/snapshots/integration__snapshot__unpinned_uses-3.snap
similarity index 79%
rename from tests/snapshots/snapshot__unpinned_uses-3.snap
rename to tests/integration/snapshots/integration__snapshot__unpinned_uses-3.snap
index 372ecb10..a7116c19 100644
--- a/tests/snapshots/snapshot__unpinned_uses-3.snap
+++ b/tests/integration/snapshots/integration__snapshot__unpinned_uses-3.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"unpinned-uses/action.yml\")).args([\"--pedantic\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"unpinned-uses/action.yml\")).args([\"--pedantic\"]).run()?"
 snapshot_kind: text
 ---
 help[unpinned-uses]: unpinned action reference
diff --git a/tests/integration/snapshots/integration__snapshot__unpinned_uses-4.snap b/tests/integration/snapshots/integration__snapshot__unpinned_uses-4.snap
new file mode 100644
index 00000000..df600c64
--- /dev/null
+++ b/tests/integration/snapshots/integration__snapshot__unpinned_uses-4.snap
@@ -0,0 +1,6 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"unpinned-uses/issue-433-repro.yml\")).args([\"--pedantic\"]).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__unpinned_uses.snap b/tests/integration/snapshots/integration__snapshot__unpinned_uses.snap
similarity index 90%
rename from tests/snapshots/snapshot__unpinned_uses.snap
rename to tests/integration/snapshots/integration__snapshot__unpinned_uses.snap
index 1d3a61f2..f4b8414b 100644
--- a/tests/snapshots/snapshot__unpinned_uses.snap
+++ b/tests/integration/snapshots/integration__snapshot__unpinned_uses.snap
@@ -1,6 +1,6 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"unpinned-uses.yml\")).args([\"--pedantic\"]).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"unpinned-uses.yml\")).args([\"--pedantic\"]).run()?"
 snapshot_kind: text
 ---
 warning[unpinned-uses]: unpinned action reference
diff --git a/tests/snapshots/snapshot__unredacted_secrets.snap b/tests/integration/snapshots/integration__snapshot__unredacted_secrets.snap
similarity index 81%
rename from tests/snapshots/snapshot__unredacted_secrets.snap
rename to tests/integration/snapshots/integration__snapshot__unredacted_secrets.snap
index 217544fd..67f38f40 100644
--- a/tests/snapshots/snapshot__unredacted_secrets.snap
+++ b/tests/integration/snapshots/integration__snapshot__unredacted_secrets.snap
@@ -1,6 +1,7 @@
 ---
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"unredacted-secrets.yml\")).run()?"
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(workflow_under_test(\"unredacted-secrets.yml\")).run()?"
+snapshot_kind: text
 ---
 warning[unredacted-secrets]: leaked secret values
 --> @@INPUT@@:14:18
diff --git a/tests/test-data/artipacked.yml b/tests/integration/test-data/artipacked.yml
similarity index 100%
rename from tests/test-data/artipacked.yml
rename to tests/integration/test-data/artipacked.yml
diff --git a/tests/test-data/artipacked/issue-447-repro.yml b/tests/integration/test-data/artipacked/issue-447-repro.yml
similarity index 100%
rename from tests/test-data/artipacked/issue-447-repro.yml
rename to tests/integration/test-data/artipacked/issue-447-repro.yml
diff --git a/tests/test-data/bot-conditions.yml b/tests/integration/test-data/bot-conditions.yml
similarity index 100%
rename from tests/test-data/bot-conditions.yml
rename to tests/integration/test-data/bot-conditions.yml
diff --git a/tests/test-data/cache-poisoning.yml b/tests/integration/test-data/cache-poisoning.yml
similarity index 100%
rename from tests/test-data/cache-poisoning.yml
rename to tests/integration/test-data/cache-poisoning.yml
diff --git a/tests/test-data/cache-poisoning/caching-disabled-by-default.yml b/tests/integration/test-data/cache-poisoning/caching-disabled-by-default.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/caching-disabled-by-default.yml
rename to tests/integration/test-data/cache-poisoning/caching-disabled-by-default.yml
diff --git a/tests/test-data/cache-poisoning/caching-enabled-by-default.yml b/tests/integration/test-data/cache-poisoning/caching-enabled-by-default.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/caching-enabled-by-default.yml
rename to tests/integration/test-data/cache-poisoning/caching-enabled-by-default.yml
diff --git a/tests/test-data/cache-poisoning/caching-not-configurable.yml b/tests/integration/test-data/cache-poisoning/caching-not-configurable.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/caching-not-configurable.yml
rename to tests/integration/test-data/cache-poisoning/caching-not-configurable.yml
diff --git a/tests/test-data/cache-poisoning/caching-opt-in-boolean-toggle.yml b/tests/integration/test-data/cache-poisoning/caching-opt-in-boolean-toggle.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/caching-opt-in-boolean-toggle.yml
rename to tests/integration/test-data/cache-poisoning/caching-opt-in-boolean-toggle.yml
diff --git a/tests/test-data/cache-poisoning/caching-opt-in-boolish-toggle.yml b/tests/integration/test-data/cache-poisoning/caching-opt-in-boolish-toggle.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/caching-opt-in-boolish-toggle.yml
rename to tests/integration/test-data/cache-poisoning/caching-opt-in-boolish-toggle.yml
diff --git a/tests/test-data/cache-poisoning/caching-opt-in-expression.yml b/tests/integration/test-data/cache-poisoning/caching-opt-in-expression.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/caching-opt-in-expression.yml
rename to tests/integration/test-data/cache-poisoning/caching-opt-in-expression.yml
diff --git a/tests/test-data/cache-poisoning/caching-opt-in-multi-value-toggle.yml b/tests/integration/test-data/cache-poisoning/caching-opt-in-multi-value-toggle.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/caching-opt-in-multi-value-toggle.yml
rename to tests/integration/test-data/cache-poisoning/caching-opt-in-multi-value-toggle.yml
diff --git a/tests/test-data/cache-poisoning/caching-opt-out.yml b/tests/integration/test-data/cache-poisoning/caching-opt-out.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/caching-opt-out.yml
rename to tests/integration/test-data/cache-poisoning/caching-opt-out.yml
diff --git a/tests/test-data/cache-poisoning/issue-343-repro.yml b/tests/integration/test-data/cache-poisoning/issue-343-repro.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/issue-343-repro.yml
rename to tests/integration/test-data/cache-poisoning/issue-343-repro.yml
diff --git a/tests/test-data/cache-poisoning/issue-378-repro.yml b/tests/integration/test-data/cache-poisoning/issue-378-repro.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/issue-378-repro.yml
rename to tests/integration/test-data/cache-poisoning/issue-378-repro.yml
diff --git a/tests/test-data/cache-poisoning/no-cache-aware-steps.yml b/tests/integration/test-data/cache-poisoning/no-cache-aware-steps.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/no-cache-aware-steps.yml
rename to tests/integration/test-data/cache-poisoning/no-cache-aware-steps.yml
diff --git a/tests/test-data/cache-poisoning/publisher-step.yml b/tests/integration/test-data/cache-poisoning/publisher-step.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/publisher-step.yml
rename to tests/integration/test-data/cache-poisoning/publisher-step.yml
diff --git a/tests/test-data/cache-poisoning/workflow-release-branch-trigger.yml b/tests/integration/test-data/cache-poisoning/workflow-release-branch-trigger.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/workflow-release-branch-trigger.yml
rename to tests/integration/test-data/cache-poisoning/workflow-release-branch-trigger.yml
diff --git a/tests/test-data/cache-poisoning/workflow-tag-trigger.yml b/tests/integration/test-data/cache-poisoning/workflow-tag-trigger.yml
similarity index 100%
rename from tests/test-data/cache-poisoning/workflow-tag-trigger.yml
rename to tests/integration/test-data/cache-poisoning/workflow-tag-trigger.yml
diff --git a/tests/test-data/excessive-permissions.yml b/tests/integration/test-data/excessive-permissions.yml
similarity index 100%
rename from tests/test-data/excessive-permissions.yml
rename to tests/integration/test-data/excessive-permissions.yml
diff --git a/tests/test-data/excessive-permissions/issue-336-repro.yml b/tests/integration/test-data/excessive-permissions/issue-336-repro.yml
similarity index 100%
rename from tests/test-data/excessive-permissions/issue-336-repro.yml
rename to tests/integration/test-data/excessive-permissions/issue-336-repro.yml
diff --git a/tests/test-data/excessive-permissions/issue-472-repro.yml b/tests/integration/test-data/excessive-permissions/issue-472-repro.yml
similarity index 100%
rename from tests/test-data/excessive-permissions/issue-472-repro.yml
rename to tests/integration/test-data/excessive-permissions/issue-472-repro.yml
diff --git a/tests/test-data/excessive-permissions/jobs-broaden-permissions.yml b/tests/integration/test-data/excessive-permissions/jobs-broaden-permissions.yml
similarity index 100%
rename from tests/test-data/excessive-permissions/jobs-broaden-permissions.yml
rename to tests/integration/test-data/excessive-permissions/jobs-broaden-permissions.yml
diff --git a/tests/test-data/excessive-permissions/reusable-workflow-call.yml b/tests/integration/test-data/excessive-permissions/reusable-workflow-call.yml
similarity index 100%
rename from tests/test-data/excessive-permissions/reusable-workflow-call.yml
rename to tests/integration/test-data/excessive-permissions/reusable-workflow-call.yml
diff --git a/tests/test-data/excessive-permissions/reusable-workflow-other-triggers.yml b/tests/integration/test-data/excessive-permissions/reusable-workflow-other-triggers.yml
similarity index 100%
rename from tests/test-data/excessive-permissions/reusable-workflow-other-triggers.yml
rename to tests/integration/test-data/excessive-permissions/reusable-workflow-other-triggers.yml
diff --git a/tests/test-data/excessive-permissions/workflow-default-perms-all-jobs-explicit.yml b/tests/integration/test-data/excessive-permissions/workflow-default-perms-all-jobs-explicit.yml
similarity index 100%
rename from tests/test-data/excessive-permissions/workflow-default-perms-all-jobs-explicit.yml
rename to tests/integration/test-data/excessive-permissions/workflow-default-perms-all-jobs-explicit.yml
diff --git a/tests/test-data/excessive-permissions/workflow-default-perms.yml b/tests/integration/test-data/excessive-permissions/workflow-default-perms.yml
similarity index 100%
rename from tests/test-data/excessive-permissions/workflow-default-perms.yml
rename to tests/integration/test-data/excessive-permissions/workflow-default-perms.yml
diff --git a/tests/test-data/excessive-permissions/workflow-empty-perms.yml b/tests/integration/test-data/excessive-permissions/workflow-empty-perms.yml
similarity index 100%
rename from tests/test-data/excessive-permissions/workflow-empty-perms.yml
rename to tests/integration/test-data/excessive-permissions/workflow-empty-perms.yml
diff --git a/tests/test-data/excessive-permissions/workflow-read-all.yml b/tests/integration/test-data/excessive-permissions/workflow-read-all.yml
similarity index 100%
rename from tests/test-data/excessive-permissions/workflow-read-all.yml
rename to tests/integration/test-data/excessive-permissions/workflow-read-all.yml
diff --git a/tests/test-data/excessive-permissions/workflow-write-all.yml b/tests/integration/test-data/excessive-permissions/workflow-write-all.yml
similarity index 100%
rename from tests/test-data/excessive-permissions/workflow-write-all.yml
rename to tests/integration/test-data/excessive-permissions/workflow-write-all.yml
diff --git a/tests/test-data/excessive-permissions/workflow-write-explicit.yml b/tests/integration/test-data/excessive-permissions/workflow-write-explicit.yml
similarity index 100%
rename from tests/test-data/excessive-permissions/workflow-write-explicit.yml
rename to tests/integration/test-data/excessive-permissions/workflow-write-explicit.yml
diff --git a/tests/test-data/github-env/action.yml b/tests/integration/test-data/github-env/action.yml
similarity index 100%
rename from tests/test-data/github-env/action.yml
rename to tests/integration/test-data/github-env/action.yml
diff --git a/tests/test-data/github-env/github-path.yml b/tests/integration/test-data/github-env/github-path.yml
similarity index 100%
rename from tests/test-data/github-env/github-path.yml
rename to tests/integration/test-data/github-env/github-path.yml
diff --git a/tests/test-data/github-env/issue-397-repro.yml b/tests/integration/test-data/github-env/issue-397-repro.yml
similarity index 100%
rename from tests/test-data/github-env/issue-397-repro.yml
rename to tests/integration/test-data/github-env/issue-397-repro.yml
diff --git a/tests/test-data/github_env.yml b/tests/integration/test-data/github_env.yml
similarity index 100%
rename from tests/test-data/github_env.yml
rename to tests/integration/test-data/github_env.yml
diff --git a/tests/test-data/hardcoded-credentials.yml b/tests/integration/test-data/hardcoded-credentials.yml
similarity index 100%
rename from tests/test-data/hardcoded-credentials.yml
rename to tests/integration/test-data/hardcoded-credentials.yml
diff --git a/tests/test-data/inlined-ignores.yml b/tests/integration/test-data/inlined-ignores.yml
similarity index 100%
rename from tests/test-data/inlined-ignores.yml
rename to tests/integration/test-data/inlined-ignores.yml
diff --git a/tests/test-data/insecure-commands.yml b/tests/integration/test-data/insecure-commands.yml
similarity index 100%
rename from tests/test-data/insecure-commands.yml
rename to tests/integration/test-data/insecure-commands.yml
diff --git a/tests/test-data/insecure-commands/action.yml b/tests/integration/test-data/insecure-commands/action.yml
similarity index 100%
rename from tests/test-data/insecure-commands/action.yml
rename to tests/integration/test-data/insecure-commands/action.yml
diff --git a/tests/test-data/invalid/invalid-workflow.yml b/tests/integration/test-data/invalid/invalid-workflow.yml
similarity index 100%
rename from tests/test-data/invalid/invalid-workflow.yml
rename to tests/integration/test-data/invalid/invalid-workflow.yml
diff --git a/tests/test-data/overprovisioned-secrets.yml b/tests/integration/test-data/overprovisioned-secrets.yml
similarity index 100%
rename from tests/test-data/overprovisioned-secrets.yml
rename to tests/integration/test-data/overprovisioned-secrets.yml
diff --git a/tests/test-data/ref-confusion.yml b/tests/integration/test-data/ref-confusion.yml
similarity index 100%
rename from tests/test-data/ref-confusion.yml
rename to tests/integration/test-data/ref-confusion.yml
diff --git a/tests/test-data/ref-confusion/issue-518-repro.yml b/tests/integration/test-data/ref-confusion/issue-518-repro.yml
similarity index 100%
rename from tests/test-data/ref-confusion/issue-518-repro.yml
rename to tests/integration/test-data/ref-confusion/issue-518-repro.yml
diff --git a/tests/test-data/secrets-inherit.yml b/tests/integration/test-data/secrets-inherit.yml
similarity index 100%
rename from tests/test-data/secrets-inherit.yml
rename to tests/integration/test-data/secrets-inherit.yml
diff --git a/tests/test-data/self-hosted.yml b/tests/integration/test-data/self-hosted.yml
similarity index 100%
rename from tests/test-data/self-hosted.yml
rename to tests/integration/test-data/self-hosted.yml
diff --git a/tests/test-data/self-hosted/issue-283-repro.yml b/tests/integration/test-data/self-hosted/issue-283-repro.yml
similarity index 100%
rename from tests/test-data/self-hosted/issue-283-repro.yml
rename to tests/integration/test-data/self-hosted/issue-283-repro.yml
diff --git a/tests/test-data/self-hosted/self-hosted-matrix-dimension.yml b/tests/integration/test-data/self-hosted/self-hosted-matrix-dimension.yml
similarity index 100%
rename from tests/test-data/self-hosted/self-hosted-matrix-dimension.yml
rename to tests/integration/test-data/self-hosted/self-hosted-matrix-dimension.yml
diff --git a/tests/test-data/self-hosted/self-hosted-matrix-exclusion.yml b/tests/integration/test-data/self-hosted/self-hosted-matrix-exclusion.yml
similarity index 100%
rename from tests/test-data/self-hosted/self-hosted-matrix-exclusion.yml
rename to tests/integration/test-data/self-hosted/self-hosted-matrix-exclusion.yml
diff --git a/tests/test-data/self-hosted/self-hosted-matrix-inclusion.yml b/tests/integration/test-data/self-hosted/self-hosted-matrix-inclusion.yml
similarity index 100%
rename from tests/test-data/self-hosted/self-hosted-matrix-inclusion.yml
rename to tests/integration/test-data/self-hosted/self-hosted-matrix-inclusion.yml
diff --git a/tests/test-data/self-hosted/self-hosted-runner-group.yml b/tests/integration/test-data/self-hosted/self-hosted-runner-group.yml
similarity index 100%
rename from tests/test-data/self-hosted/self-hosted-runner-group.yml
rename to tests/integration/test-data/self-hosted/self-hosted-runner-group.yml
diff --git a/tests/test-data/self-hosted/self-hosted-runner-label.yml b/tests/integration/test-data/self-hosted/self-hosted-runner-label.yml
similarity index 100%
rename from tests/test-data/self-hosted/self-hosted-runner-label.yml
rename to tests/integration/test-data/self-hosted/self-hosted-runner-label.yml
diff --git a/tests/test-data/template-injection.yml b/tests/integration/test-data/template-injection.yml
similarity index 100%
rename from tests/test-data/template-injection.yml
rename to tests/integration/test-data/template-injection.yml
diff --git a/tests/test-data/template-injection/issue-22-repro.yml b/tests/integration/test-data/template-injection/issue-22-repro.yml
similarity index 100%
rename from tests/test-data/template-injection/issue-22-repro.yml
rename to tests/integration/test-data/template-injection/issue-22-repro.yml
diff --git a/tests/test-data/template-injection/issue-339-repro.yml b/tests/integration/test-data/template-injection/issue-339-repro.yml
similarity index 100%
rename from tests/test-data/template-injection/issue-339-repro.yml
rename to tests/integration/test-data/template-injection/issue-339-repro.yml
diff --git a/tests/test-data/template-injection/issue-418-repro.yml b/tests/integration/test-data/template-injection/issue-418-repro.yml
similarity index 100%
rename from tests/test-data/template-injection/issue-418-repro.yml
rename to tests/integration/test-data/template-injection/issue-418-repro.yml
diff --git a/tests/test-data/template-injection/pr-317-repro.yml b/tests/integration/test-data/template-injection/pr-317-repro.yml
similarity index 100%
rename from tests/test-data/template-injection/pr-317-repro.yml
rename to tests/integration/test-data/template-injection/pr-317-repro.yml
diff --git a/tests/test-data/template-injection/pr-425-backstop/action.yml b/tests/integration/test-data/template-injection/pr-425-backstop/action.yml
similarity index 100%
rename from tests/test-data/template-injection/pr-425-backstop/action.yml
rename to tests/integration/test-data/template-injection/pr-425-backstop/action.yml
diff --git a/tests/test-data/template-injection/static-env.yml b/tests/integration/test-data/template-injection/static-env.yml
similarity index 100%
rename from tests/test-data/template-injection/static-env.yml
rename to tests/integration/test-data/template-injection/static-env.yml
diff --git a/tests/test-data/template-injection/template-injection-dynamic-matrix.yml b/tests/integration/test-data/template-injection/template-injection-dynamic-matrix.yml
similarity index 100%
rename from tests/test-data/template-injection/template-injection-dynamic-matrix.yml
rename to tests/integration/test-data/template-injection/template-injection-dynamic-matrix.yml
diff --git a/tests/test-data/template-injection/template-injection-static-matrix.yml b/tests/integration/test-data/template-injection/template-injection-static-matrix.yml
similarity index 100%
rename from tests/test-data/template-injection/template-injection-static-matrix.yml
rename to tests/integration/test-data/template-injection/template-injection-static-matrix.yml
diff --git a/tests/test-data/unpinned-uses.yml b/tests/integration/test-data/unpinned-uses.yml
similarity index 100%
rename from tests/test-data/unpinned-uses.yml
rename to tests/integration/test-data/unpinned-uses.yml
diff --git a/tests/test-data/unpinned-uses/action.yml b/tests/integration/test-data/unpinned-uses/action.yml
similarity index 100%
rename from tests/test-data/unpinned-uses/action.yml
rename to tests/integration/test-data/unpinned-uses/action.yml
diff --git a/tests/test-data/unpinned-uses/issue-433-repro.yml b/tests/integration/test-data/unpinned-uses/issue-433-repro.yml
similarity index 100%
rename from tests/test-data/unpinned-uses/issue-433-repro.yml
rename to tests/integration/test-data/unpinned-uses/issue-433-repro.yml
diff --git a/tests/test-data/unredacted-secrets.yml b/tests/integration/test-data/unredacted-secrets.yml
similarity index 100%
rename from tests/test-data/unredacted-secrets.yml
rename to tests/integration/test-data/unredacted-secrets.yml
diff --git a/tests/test-data/use-trusted-publishing.yml b/tests/integration/test-data/use-trusted-publishing.yml
similarity index 100%
rename from tests/test-data/use-trusted-publishing.yml
rename to tests/integration/test-data/use-trusted-publishing.yml
diff --git a/tests/snapshots/snapshot__cache_poisoning-14.snap b/tests/snapshots/snapshot__cache_poisoning-14.snap
deleted file mode 100644
index 98097edc..00000000
--- a/tests/snapshots/snapshot__cache_poisoning-14.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/issue-378-repro.yml\")).run()?"
-snapshot_kind: text
----
-No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__cache_poisoning-6.snap b/tests/snapshots/snapshot__cache_poisoning-6.snap
deleted file mode 100644
index 72bbfbbf..00000000
--- a/tests/snapshots/snapshot__cache_poisoning-6.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-opt-out.yml\")).run()?"
-snapshot_kind: text
----
-No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__cache_poisoning-7.snap b/tests/snapshots/snapshot__cache_poisoning-7.snap
deleted file mode 100644
index c659bea6..00000000
--- a/tests/snapshots/snapshot__cache_poisoning-7.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/no-cache-aware-steps.yml\")).run()?"
-snapshot_kind: text
----
-No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__cache_poisoning.snap b/tests/snapshots/snapshot__cache_poisoning.snap
deleted file mode 100644
index 73ba2da5..00000000
--- a/tests/snapshots/snapshot__cache_poisoning.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"cache-poisoning/caching-disabled-by-default.yml\")).run()?"
-snapshot_kind: text
----
-No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__cant_retrieve.snap b/tests/snapshots/snapshot__cant_retrieve.snap
deleted file mode 100644
index 8f777333..00000000
--- a/tests/snapshots/snapshot__cant_retrieve.snap
+++ /dev/null
@@ -1,7 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().output(OutputMode::Stderr).args([\"pypa/sampleproject\"]).run()?"
-snapshot_kind: text
----
-error: can't retrieve repository: pypa/sampleproject
- = note: try removing --offline or passing --gh-token
diff --git a/tests/snapshots/snapshot__excessive_permissions-6.snap b/tests/snapshots/snapshot__excessive_permissions-6.snap
deleted file mode 100644
index 872ac93d..00000000
--- a/tests/snapshots/snapshot__excessive_permissions-6.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/workflow-empty-perms.yml\")).run()?"
-snapshot_kind: text
----
-No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__excessive_permissions-9.snap b/tests/snapshots/snapshot__excessive_permissions-9.snap
deleted file mode 100644
index 6e09ba89..00000000
--- a/tests/snapshots/snapshot__excessive_permissions-9.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/workflow-default-perms-all-jobs-explicit.yml\")).run()?"
-snapshot_kind: text
----
-No findings to report. Good job! (1 suppressed)
diff --git a/tests/snapshots/snapshot__excessive_permissions.snap b/tests/snapshots/snapshot__excessive_permissions.snap
deleted file mode 100644
index 28aea9b9..00000000
--- a/tests/snapshots/snapshot__excessive_permissions.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"excessive-permissions/issue-336-repro.yml\")).run()?"
-snapshot_kind: text
----
-No findings to report. Good job! (1 suppressed)
diff --git a/tests/snapshots/snapshot__ref_confusion-2.snap b/tests/snapshots/snapshot__ref_confusion-2.snap
deleted file mode 100644
index 28715207..00000000
--- a/tests/snapshots/snapshot__ref_confusion-2.snap
+++ /dev/null
@@ -1,5 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"ref-confusion/issue-518-repro.yml\")).offline(false).run()?"
----
-No findings to report. Good job! (1 suppressed)
diff --git a/tests/snapshots/snapshot__self_hosted-2.snap b/tests/snapshots/snapshot__self_hosted-2.snap
deleted file mode 100644
index 500ee044..00000000
--- a/tests/snapshots/snapshot__self_hosted-2.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"self-hosted.yml\")).run()?"
-snapshot_kind: text
----
-No findings to report. Good job! (1 suppressed)
diff --git a/tests/snapshots/snapshot__self_hosted-7.snap b/tests/snapshots/snapshot__self_hosted-7.snap
deleted file mode 100644
index e460dc75..00000000
--- a/tests/snapshots/snapshot__self_hosted-7.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"self-hosted/self-hosted-matrix-exclusion.yml\")).args([\"--persona=auditor\"]).run()?"
-snapshot_kind: text
----
-No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__self_hosted-8.snap b/tests/snapshots/snapshot__self_hosted-8.snap
deleted file mode 100644
index cd4e9050..00000000
--- a/tests/snapshots/snapshot__self_hosted-8.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"self-hosted/issue-283-repro.yml\")).args([\"--persona=auditor\"]).run()?"
-snapshot_kind: text
----
-No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__template_injection-3.snap b/tests/snapshots/snapshot__template_injection-3.snap
deleted file mode 100644
index 2ef3d575..00000000
--- a/tests/snapshots/snapshot__template_injection-3.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"template-injection/issue-22-repro.yml\")).run()?"
-snapshot_kind: text
----
-No findings to report. Good job! (4 suppressed)
diff --git a/tests/snapshots/snapshot__template_injection-7.snap b/tests/snapshots/snapshot__template_injection-7.snap
deleted file mode 100644
index 4c02f07c..00000000
--- a/tests/snapshots/snapshot__template_injection-7.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"template-injection/issue-418-repro.yml\")).run()?"
-snapshot_kind: text
----
-No findings to report. Good job! (1 suppressed)
diff --git a/tests/snapshots/snapshot__template_injection.snap b/tests/snapshots/snapshot__template_injection.snap
deleted file mode 100644
index 6ea4e0cc..00000000
--- a/tests/snapshots/snapshot__template_injection.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"template-injection/template-injection-static-matrix.yml\")).args([\"--persona=auditor\"]).run()?"
-snapshot_kind: text
----
-No findings to report. Good job!
diff --git a/tests/snapshots/snapshot__unpinned_uses-4.snap b/tests/snapshots/snapshot__unpinned_uses-4.snap
deleted file mode 100644
index bc36fba4..00000000
--- a/tests/snapshots/snapshot__unpinned_uses-4.snap
+++ /dev/null
@@ -1,6 +0,0 @@
----
-source: tests/snapshot.rs
-expression: "zizmor().workflow(workflow_under_test(\"unpinned-uses/issue-433-repro.yml\")).args([\"--pedantic\"]).run()?"
-snapshot_kind: text
----
-No findings to report. Good job!