chore: prep for release 1.6.0 (#681)

Cargo.lock

@@ -3229,7 +3229,7 @@ dependencies = [
 
 [[package]]
 name = "zizmor"
-version = "1.5.2"
+version = "1.6.0"
 dependencies = [
  "annotate-snippets",
  "anstream",

Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "zizmor"
 description = "Static analysis for GitHub Actions"
-version = "1.5.2"
+version = "1.6.0"
 edition = "2024"
 repository = "https://github.com/woodruffw/zizmor"
 homepage = "https://github.com/woodruffw/zizmor"

docs/release-notes.md

@@ -9,8 +9,17 @@ of `zizmor`.
 
 ## Next (UNRELEASED)
 
+## v1.6.0
+
 ### New Features 🌈
 
+* **New audit**: The [forbidden-uses] audit is a configurable audit
+  that allows allow- or denylisting of entire orgs, repos, or specific
+  action patterns. This audit must be configured; by default it has
+  no effect (#664)
+
+    Many thanks to @Holzhaus for proposing and initiating this new audit!
+
 * `zizmor` now supports `--format=github` as an output format.
   This format produces check annotations via GitHub workflow commands,
   e.g. `::warning` and `::error`. See the
@@ -691,3 +700,4 @@ This is one of `zizmor`'s bigger recent releases! Key enhancements include:
 [bot-conditions]: ./audits.md#bot-conditions
 [overprovisioned-secrets]: ./audits.md#overprovisioned-secrets
 [unredacted-secrets]: ./audits.md#unredacted-secrets
+[forbidden-uses]: ./audits.md#forbidden-uses

docs/usage.md

@@ -698,7 +698,7 @@ To do so, add the following to your `.pre-commit-config.yaml` `repos` section:
 
 ```yaml
 - repo: https://github.com/woodruffw/zizmor-pre-commit
-  rev: v1.5.2 # (1)!
+  rev: v1.6.0 # (1)!
   hooks:
   - id: zizmor
 ```