mirror of
https://github.com/zizmorcore/zizmor.git
synced 2025-12-23 08:47:33 +00:00
chore: prep release v1.12.1 (#1083)
parent
311392251d
commit
dbc12d4a21
7 changed files with 58 additions and 56 deletions
2
Cargo.lock
generated
2
Cargo.lock
generated
|
|
@ -3832,7 +3832,7 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "zizmor"
|
||||
version = "1.12.0"
|
||||
version = "1.12.1"
|
||||
dependencies = [
|
||||
"annotate-snippets",
|
||||
"anstream",
|
||||
|
|
|
|||
|
|
@ -63,12 +63,13 @@ impl<'de> Deserialize<'de> for RunsOn {
|
|||
// serde lacks the ability to do inter-field invariants at the derive
|
||||
// layer, so we enforce the invariant that a `RunsOn::Group`
|
||||
// has either a `group` or at least one label here.
|
||||
if let RunsOn::Group { group, labels } = &runs_on {
|
||||
if group.is_none() && labels.is_empty() {
|
||||
return Err(custom_error::<D>(
|
||||
"runs-on must provide either `group` or one or more `labels`",
|
||||
));
|
||||
}
|
||||
if let RunsOn::Group { group, labels } = &runs_on
|
||||
&& group.is_none()
|
||||
&& labels.is_empty()
|
||||
{
|
||||
return Err(custom_error::<D>(
|
||||
"runs-on must provide either `group` or one or more `labels`",
|
||||
));
|
||||
}
|
||||
|
||||
Ok(runs_on)
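Review bot: The rewritten guard `if let RunsOn::Group { group, labels } = &runs_on && group.is_none() && labels.is_empty()` is a let chain, which needs the 2024 edition and Rust 1.88 or newer, yet it ships in a patch release whose title says only release prep. The same construct is introduced in the `apply_value_replacement` and `HardcodedContainerCredentials` sections. The manifest lines visible on this page show neither `edition` nor `rust-version`, so it is worth confirming that the declared minimum toolchain matches and mentioning the requirement in the changelog for packagers who build from source. The `deserialize` body starts outside the hunk.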
|
||||
|
|
|
|||
|
|
@ -874,35 +874,35 @@ fn apply_value_replacement(
|
|||
|
||||
if is_multiline_literal {
|
||||
// Check if this is a multiline string value
|
||||
if let serde_yaml::Value::String(string_content) = value {
|
||||
if string_content.contains('\n') {
|
||||
// For multiline literal blocks, use the raw string content
|
||||
let leading_whitespace = extract_leading_whitespace(doc, feature);
|
||||
let content_indent = format!("{leading_whitespace} "); // Key indent + 2 spaces for content
|
||||
if let serde_yaml::Value::String(string_content) = value
|
||||
&& string_content.contains('\n')
|
||||
{
|
||||
// For multiline literal blocks, use the raw string content
|
||||
let leading_whitespace = extract_leading_whitespace(doc, feature);
|
||||
let content_indent = format!("{leading_whitespace} "); // Key indent + 2 spaces for content
|
||||
|
||||
// Format as: key: |\n content\n more content
|
||||
let indented_content = string_content
|
||||
.lines()
|
||||
.map(|line| {
|
||||
if line.trim().is_empty() {
|
||||
String::new()
|
||||
} else {
|
||||
format!("{}{}", content_indent, line.trim_start())
|
||||
}
|
||||
})
|
||||
.collect::<Vec<_>>()
|
||||
.join("\n");
|
||||
// Format as: key: |\n content\n more content
|
||||
let indented_content = string_content
|
||||
.lines()
|
||||
.map(|line| {
|
||||
if line.trim().is_empty() {
|
||||
String::new()
|
||||
} else {
|
||||
format!("{}{}", content_indent, line.trim_start())
|
||||
}
|
||||
})
|
||||
.collect::<Vec<_>>()
|
||||
.join("\n");
|
||||
|
||||
// Find the position of | in the original content and include it
|
||||
let pipe_pos = value_part.find('|').unwrap();
|
||||
let key_with_pipe = ¤t_content_with_ws
|
||||
[..colon_pos + 1 + value_part[..pipe_pos].len() + 1];
|
||||
return Ok(format!(
|
||||
"{}\n{}",
|
||||
key_with_pipe.trim_end(),
|
||||
indented_content
|
||||
));
|
||||
}
|
||||
// Find the position of | in the original content and include it
|
||||
let pipe_pos = value_part.find('|').unwrap();
|
||||
let key_with_pipe = ¤t_content_with_ws
|
||||
[..colon_pos + 1 + value_part[..pipe_pos].len() + 1];
|
||||
return Ok(format!(
|
||||
"{}\n{}",
|
||||
key_with_pipe.trim_end(),
|
||||
indented_content
|
||||
));
|
||||
}
|
||||
}
|
||||
}
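Review bot: `value_part.find('|').unwrap()` panics when `value_part` contains no `|`, inside a function that already returns `Result` and rewrites workflow YAML the tool does not control. Whether `is_multiline_literal` guarantees the pipe is decided outside the hunk, so either record that invariant with `.expect("multiline literal value contains a pipe")` or turn the miss into an `Err` of the function's existing error type with `let Some(pipe_pos) = value_part.find('|') else { … }`. The slice of `current_content_with_ws` that follows indexes with `colon_pos + 1 + value_part[..pipe_pos].len() + 1`, which is only in range if `value_part` starts right after the colon in that buffer. Using `.get(..end)` would make this checked, and `value_part[..pipe_pos].len()` is simply `pipe_pos`. The function starts and ends outside the hunk.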
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
[package]
|
||||
name = "zizmor"
|
||||
description = "Static analysis for GitHub Actions"
|
||||
version = "1.12.0"
|
||||
version = "1.12.1"
|
||||
repository = "https://github.com/zizmorcore/zizmor"
|
||||
documentation = "https://docs.zizmor.sh"
|
||||
keywords = ["cli", "github-actions", "static-analysis", "security"]
|
||||
|
|
|
|||
|
|
@ -73,28 +73,27 @@ impl Audit for HardcodedContainerCredentials {
|
|||
}),
|
||||
..
|
||||
} = &config
|
||||
&& ExplicitExpr::from_curly(password).is_none()
|
||||
{
|
||||
if ExplicitExpr::from_curly(password).is_none() {
|
||||
findings.push(
|
||||
Self::finding()
|
||||
.severity(Severity::High)
|
||||
.confidence(Confidence::High)
|
||||
.add_location(
|
||||
job.location()
|
||||
.primary()
|
||||
.with_keys([
|
||||
"services".into(),
|
||||
service.as_str().into(),
|
||||
"credentials".into(),
|
||||
])
|
||||
.annotated(format!(
|
||||
"service {service}: container registry password is \
|
||||
findings.push(
|
||||
Self::finding()
|
||||
.severity(Severity::High)
|
||||
.confidence(Confidence::High)
|
||||
.add_location(
|
||||
job.location()
|
||||
.primary()
|
||||
.with_keys([
|
||||
"services".into(),
|
||||
service.as_str().into(),
|
||||
"credentials".into(),
|
||||
])
|
||||
.annotated(format!(
|
||||
"service {service}: container registry password is \
|
||||
hard-coded"
|
||||
)),
|
||||
)
|
||||
.build(workflow)?,
|
||||
)
|
||||
}
|
||||
)),
|
||||
)
|
||||
.build(workflow)?,
|
||||
)
|
||||
}
|
||||
}
|
||||
}
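Review bot: The condition `ExplicitExpr::from_curly(password).is_none()`, now folded into the let chain, treats any password that parses as a `${{ … }}` expression as not hard-coded, which presumably also covers an expression that merely wraps a literal string. If that is intended, a comment above the chain would record the assumption, for example `// Any ${{ ... }} value is assumed to reference a secret or context; literals inside expressions are not inspected.`. Otherwise the audit could look at what the expression refers to before skipping the finding. Only the `services` arm is visible here; the pattern and the enclosing loop begin outside the hunk.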
|
||||
|
|
|
|||
|
|
@ -256,7 +256,7 @@ To do so, add the following to your `.pre-commit-config.yaml` `#!yaml repos:` se
|
|||
|
||||
```yaml
|
||||
- repo: https://github.com/zizmorcore/zizmor-pre-commit
|
||||
rev: v1.12.0 # (1)!
|
||||
rev: v1.12.1 # (1)!
|
||||
hooks:
|
||||
- id: zizmor
|
||||
```
|
||||
|
|
|
|||
|
|
@ -9,6 +9,8 @@ of `zizmor`.
|
|||
|
||||
## Next (UNRELEASED)
|
||||
|
||||
## 1.12.1
|
||||
|
||||
### Bug Fixes 🐛
|
||||
|
||||
* Fixed a bug where the [cache-poisoning] would incorrectly detect the
|
||||
|
|
|
|||