feat: discover zizmor.yaml config files

Signed-off-by: William Woodruff <william@yossarian.net>

crates/zizmor/src/config.rs

@@ -21,7 +21,12 @@ use crate::{
     registry::input::RepoSlug,
 };
 
-const CONFIG_CANDIDATES: &[&str] = &[".github/zizmor.yml", "zizmor.yml"];
+const CONFIG_CANDIDATES: &[&str] = &[
+    ".github/zizmor.yml",
+    ".github/zizmor.yaml",
+    "zizmor.yml",
+    "zizmor.yaml",
+];
 
 #[derive(Error, Debug)]
 #[error("configuration error in {path}")]

crates/zizmor/tests/integration/config.rs

@@ -164,6 +164,31 @@ fn test_discovers_config_in_dotgithub() -> anyhow::Result<()> {
     Ok(())
 }
 
+/// Ensures we correctly discover a `zizmor.yaml` configuration file in a `.github`
+/// subdirectory of a given input directory, i.e.
+/// `config-in-dotgithub/.github/zizmor.yaml` in this case.
+///
+/// This tests that both `.yml` and `.yaml` extensions are supported.
+#[test]
+fn test_discovers_dotyaml_config_in_dotgithub() -> anyhow::Result<()> {
+    insta::assert_snapshot!(
+        zizmor()
+            .input(input_under_test("config-scenarios/dotyaml-config-in-dotgithub"))
+            .setenv("RUST_LOG", "zizmor::config=debug")
+            .output(OutputMode::Both)
+            .run()?,
+        @r"
+    🌈 zizmor v@@VERSION@@
+    DEBUG zizmor::config: discovering config for local input `@@INPUT@@`
+    DEBUG zizmor::config: attempting config discovery in `@@INPUT@@`
+    DEBUG zizmor::config: found config candidate at `@@INPUT@@/.github/zizmor.yaml`
+    No findings to report. Good job! (1 ignored, 2 suppressed)
+    ",
+    );
+
+    Ok(())
+}
+
 /// Ensures we correctly discover a configuration file in a `.github`
 /// subdirectory from an input filename, i.e. going from
 /// `config-in-dotgithub/.github/workflows/hackme.yml`

crates/zizmor/tests/integration/test-data/config-scenarios/dotyaml-config-in-dotgithub/.github/workflows/hackme.yml

@@ -0,0 +1,16 @@
+name: hackme
+on:
+  issues:
+
+permissions: {}
+
+jobs:
+  inject-me:
+    name: inject-me
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # tag=v7.0.1
+        with:
+          script: |
+            return "doing a thing: ${{ github.event.issue.title }}"

crates/zizmor/tests/integration/test-data/config-scenarios/dotyaml-config-in-dotgithub/.github/zizmor.yaml

@@ -0,0 +1,4 @@
+rules:
+  template-injection:
+    ignore:
+      - hackme.yml

docs/configuration.md

@@ -9,7 +9,7 @@ description: zizmor's configuration file and configurable behaviors.
     Configuration support was added in `v0.2.0`.
 
 `zizmor` supports a small amount of configuration via [YAML] config files,
-typically named `zizmor.yml`.
+typically named `zizmor.yml` or `zizmor.yaml`.
 
 [YAML]: https://learnxinyminutes.com/docs/yaml/
 
@@ -41,9 +41,25 @@ typically named `zizmor.yml`.
     * File inputs (e.g. `zizmor path/to/workflow.yml`): `zizmor` performs
       directory discovery starting in the directory containing the given file.
 
-    * Directory inputs (e.g. `zizmor .`): `zizmor` looks for a `zizmor.yml` or
-      `.github/zizmor.yml` in the given directory or any parent, up to the
-      filesystem root or the first `.git` directory.
+    * Directory inputs (e.g. `zizmor .`): `zizmor` looks for a `zizmor.yml`
+      or `zizmor.yaml` file in the given directory, the `.github` child directory,
+      or any parent, up to the filesystem root or the first `.git` directory.
+      
+        !!! example
+        
+            Given an invocation like `zizmor ./repo/`, `zizmor` will attempt
+            to discover configuration files in the following order:
+            
+            1. `./repo/.github/zizmor.yml`
+            2. `./repo/.github/zizmor.yaml`
+            3. `./repo/zizmor.yml`
+            4. `./repo/zizmor.yaml`
+            5. `./repo/../.github/zizmor.yml`
+            6. `./repo/../.github/zizmor.yaml`
+            7. ...and so on, until the filesystem root or a `.git/` directory is found.
+            
+            
+            
 
         !!! note