mirrors/zizmor
1
0
Fork 0
mirror of https://github.com/zizmorcore/zizmor.git synced 2025-12-23 08:47:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
745 commits 6 branches 118 tags 18 MiB
Commit graph

113 commits

Author SHA1 Message Date
William Woodruff
e4f41593d4
chore(ci): fix test path, remove an action (#971) 2025-06-24 22:45:38 -06:00
dependabot[bot]
10396ddf03
chore(deps): bump the github-actions group with 3 updates (#964) 
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-06-23 09:58:41 -06:00
William Woodruff
f03869f52b
feat: location subspans/subfeatures (#949) 2025-06-19 16:41:39 -04:00
dependabot[bot]
399b56d79b
chore(deps): bump the github-actions group with 3 updates (#946) 
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-06-16 10:56:50 -04:00
William Woodruff
d9fc0e1a23
chore(ci): address pedantic zizmor findings (#943) 2025-06-13 20:36:09 -04:00
dependabot[bot]
acf8a33588
chore(deps): bump the github-actions group with 2 updates (#925) 
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-06-09 10:22:21 -04:00
William Woodruff
eca3123b23
chore(ci): add missing setup-uv step to codegen workflow (#900) 2025-06-05 21:19:54 +00:00
William Woodruff
a4a657f9be
fix: remove spurious panic in env handling (#887) 2025-06-02 14:34:06 -04:00
dependabot[bot]
4a25b12fdf
chore(deps): bump docker/build-push-action in the github-actions group (#885) 
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-06-02 11:29:07 -04:00
Langston Barrett
502e82ad71
chore(ci): Small improvements around linting (#879) 2025-05-30 22:03:19 +00:00
William Woodruff
27a85f257d
feat(ci): check for Wolfi OS zizmor updates (#874) 2025-05-30 11:36:01 -04:00
dependabot[bot]
6c079da522
chore(deps): bump astral-sh/setup-uv in the github-actions group (#859) 2025-05-26 10:30:58 -04:00
William Woodruff
5d6a31931f
feat: add CodeQL injection sink data (#849) 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2025-05-25 12:14:56 -04:00
William Woodruff
46f61576d3
Extract context patterns from webhook schemata (#745) 2025-05-22 15:31:05 -04:00
William Woodruff
abee95815a
fix(ci): tell gh release upload where to go (#834) 2025-05-20 19:45:20 +00:00
William Woodruff
61c9880555
fix: don't use wildcards for in-workspace deps (#832) 2025-05-20 15:25:26 -04:00
William Woodruff
c1c655b452
refactor: bring in github-actions-models (#830) 2025-05-20 14:51:43 -04:00
William Woodruff
f21ace27fe
ci: experiment with a binary release build (#828) 2025-05-20 14:29:51 -04:00
William Woodruff
fafcebb161
refactor: bring yamlpath into repo (#825) 2025-05-19 16:09:54 -04:00
William Woodruff
19f739496e
chore(ci): unify release workflow names (#824) 2025-05-19 15:48:18 -04:00
dependabot[bot]
e2a8dd508b
chore(deps): bump zizmorcore/zizmor-action in the github-actions group (#822) 
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-05-19 09:56:51 -04:00
William Woodruff
5948f83884
chore: limit pinact to docs, document usage (#818) 2025-05-18 23:33:34 +00:00
William Woodruff
a851cc907c
chore: add pinact, apply pinact (#817) 2025-05-18 19:11:03 -04:00
William Woodruff
d4b065bdde
chore(ci): undo pinact experiment (#815) 2025-05-18 22:55:47 +00:00
William Woodruff
9853a951f4
fix(ci): drop dry-run from pinact.yml (#813) 2025-05-18 22:28:41 +00:00
William Woodruff
81f9ac31fd
chore(ci): experiment with pinact (#811) 2025-05-18 22:13:26 +00:00
William Woodruff
8f8704d6a8
chore(ci): bump actions, use zizmor-action (#809) 2025-05-18 11:05:09 -04:00
William Woodruff
d6f71bebf6
chore(ci): add notice to release-crate.yml (#798) 2025-05-16 02:06:05 +00:00
William Woodruff
29de4ac603
refactor: split expr parser into its own crate (#797) 2025-05-15 22:00:20 -04:00
William Woodruff
ce4ab32b60
chore: clean up issue forms (#796) 2025-05-15 13:05:35 -04:00
William Woodruff
19b6bd6cc1
refactor: switch to workspace layout (#792) 2025-05-13 21:29:19 -04:00
William Woodruff
71017267de
chore(docs): constrain permissions in workflow example (#781) 2025-05-11 02:24:57 -04:00
William Woodruff
b26815e26f
bugfix(ci): fix ZIZMOR_IMAGE for Docker builds (#777) 2025-05-10 00:15:19 +00:00
dependabot[bot]
7714e13917
chore(deps): bump the github-actions group with 3 updates (#747) 
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-05-05 09:52:39 -04:00
William Woodruff
fb8e3f63f3
refactor: begin splitting out syntax/sema error handling (#734) 2025-05-03 04:22:35 +00:00
William Woodruff
403df8a84c
chore(ci): add refresh-schemas workflow (#720) 2025-04-30 04:43:33 +00:00
dependabot[bot]
22fd0c3435
chore(deps): bump the github-actions group with 4 updates (#701) 
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-04-28 11:08:04 -04:00
dependabot[bot]
7e726e1eab
chore(deps): bump astral-sh/setup-uv in the github-actions group (#685) 
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-04-21 13:58:53 +00:00
dependabot[bot]
aeef8f6ebf
chore(deps): bump the github-actions group with 2 updates (#665) 
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-04-14 10:02:10 -04:00
William Woodruff
d2fa211efc
ci: pypi: bump to macos-15 (#618) 
Signed-off-by: William Woodruff <william@yossarian.net>
 2025-04-08 10:54:59 -04:00
William Woodruff
4d5c79a582
cli: add a "GitHub" output format (#634) 
* cli: add a "GitHub" output format

Closes #633.

Signed-off-by: William Woodruff <william@yossarian.net>

* try using SARIF path

Signed-off-by: William Woodruff <william@yossarian.net>

* fix lines

Signed-off-by: William Woodruff <william@yossarian.net>

* fmt

Signed-off-by: William Woodruff <william@yossarian.net>

* add --no-exit-codes

Signed-off-by: William Woodruff <william@yossarian.net>

* bump help snippet

Signed-off-by: William Woodruff <william@yossarian.net>

* bump snippet

Signed-off-by: William Woodruff <william@yossarian.net>

* integration test for github output

Signed-off-by: William Woodruff <william@yossarian.net>

* github: output tweaks

* update snapshot

* test-output: test GitHub output on just one file

* remove columns

* bump snapshot

* try something else

Signed-off-by: William Woodruff <william@yossarian.net>

* fixup snapshot

Signed-off-by: William Woodruff <william@yossarian.net>

* one last hack

Signed-off-by: William Woodruff <william@yossarian.net>

* add primary annotation to message

Signed-off-by: William Woodruff <william@yossarian.net>

* usage: document --format=github, add integration docs

Signed-off-by: William Woodruff <william@yossarian.net>

* docs: update release notes

---------

Signed-off-by: William Woodruff <william@yossarian.net>
 2025-04-07 19:51:19 -04:00
dependabot[bot]
e157aff546
chore(deps): bump the github-actions group with 2 updates (#652) 
Bumps the github-actions group with 2 updates: [PyO3/maturin-action](https://github.com/pyo3/maturin-action) and [github/codeql-action](https://github.com/github/codeql-action).


Updates `PyO3/maturin-action` from 1.47.3 to 1.48.1
- [Release notes](https://github.com/pyo3/maturin-action/releases)
- [Commits](22fe573c6e...44479ae1b6)

Updates `github/codeql-action` from 3.28.13 to 3.28.14
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](1b549b9259...fc7e4a0fa0)

---
updated-dependencies:
- dependency-name: PyO3/maturin-action
  dependency-version: 1.48.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 3.28.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-04-07 10:58:11 -04:00
dependabot[bot]
bd8493caf8
chore(deps): bump astral-sh/setup-uv in the github-actions group (#639) 
Bumps the github-actions group with 1 update: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv).


Updates `astral-sh/setup-uv` from 5.4.0 to 5.4.1
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](22695119d7...0c5e2b8115)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-31 14:27:45 -04:00
dependabot[bot]
9dfeafb3ae
chore(deps): bump the github-actions group with 6 updates (#627) 
Bumps the github-actions group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [Swatinem/rust-cache](https://github.com/swatinem/rust-cache) | `2.7.7` | `2.7.8` |
| [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `5.3.1` | `5.4.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.1` | `4.6.2` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `4.1.9` | `4.2.1` |
| [PyO3/maturin-action](https://github.com/pyo3/maturin-action) | `1.47.2` | `1.47.3` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3.28.11` | `3.28.13` |


Updates `Swatinem/rust-cache` from 2.7.7 to 2.7.8
- [Release notes](https://github.com/swatinem/rust-cache/releases)
- [Changelog](https://github.com/Swatinem/rust-cache/blob/master/CHANGELOG.md)
- [Commits](f0deed1e0e...9d47c6ad4b)

Updates `astral-sh/setup-uv` from 5.3.1 to 5.4.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](f94ec6bedd...22695119d7)

Updates `actions/upload-artifact` from 4.6.1 to 4.6.2
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](4cec3d8aa0...ea165f8d65)

Updates `actions/download-artifact` from 4.1.9 to 4.2.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](cc20338598...95815c38cf)

Updates `PyO3/maturin-action` from 1.47.2 to 1.47.3
- [Release notes](https://github.com/pyo3/maturin-action/releases)
- [Commits](36db84001d...22fe573c6e)

Updates `github/codeql-action` from 3.28.11 to 3.28.13
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](6bb031afdd...1b549b9259)

---
updated-dependencies:
- dependency-name: Swatinem/rust-cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: astral-sh/setup-uv
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: PyO3/maturin-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-26 01:18:38 +02:00
William Woodruff
fcedd86d1a
bugfix: sarif: add working directory to invocation (#621) 
* bugfix: sarif: add working directory to invocation

Signed-off-by: William Woodruff <william@yossarian.net>

* ci: add test-sarif workflow

Signed-off-by: William Woodruff <william@yossarian.net>

* sarif: tweak tool name in debug mode

Signed-off-by: William Woodruff <william@yossarian.net>

* tweak name

Signed-off-by: William Woodruff <william@yossarian.net>

* change category

Signed-off-by: William Woodruff <william@yossarian.net>

* sarif: remove uri_base_id

Signed-off-by: William Woodruff <william@yossarian.net>

* Revert "sarif: remove uri_base_id"

This reverts commit 4d3f29784f.

* remove debug tweak

Signed-off-by: William Woodruff <william@yossarian.net>

* don't bother with file:// prefix

Signed-off-by: William Woodruff <william@yossarian.net>

* fix type

Signed-off-by: William Woodruff <william@yossarian.net>

* hackety hack

Signed-off-by: William Woodruff <william@yossarian.net>

* hackety hack

Signed-off-by: William Woodruff <william@yossarian.net>

* hackety hack

Signed-off-by: William Woodruff <william@yossarian.net>

* Revert "hackety hack"

This reverts commit 40c62246ed.

* re-add file://

Signed-off-by: William Woodruff <william@yossarian.net>

* Reapply "hackety hack"

This reverts commit c5ee0835c1.

* tweak sarif_path

Signed-off-by: William Woodruff <william@yossarian.net>

* remove all CWD handling

Signed-off-by: William Woodruff <william@yossarian.net>

* ci: try leaving a comment

Signed-off-by: William Woodruff <william@yossarian.net>

* fix perm

Signed-off-by: William Woodruff <william@yossarian.net>

* tweaks

Signed-off-by: William Woodruff <william@yossarian.net>

* docs: record changes

Signed-off-by: William Woodruff <william@yossarian.net>

* registry: document InputKey::sarif_path()

Signed-off-by: William Woodruff <william@yossarian.net>

* remove zizmor/ prefix

See #622.

Signed-off-by: William Woodruff <william@yossarian.net>

---------

Signed-off-by: William Woodruff <william@yossarian.net>
 2025-03-23 14:46:42 +00:00
dependabot[bot]
8638762747
chore(deps): bump docker/login-action in the github-actions group (#610) 
Bumps the github-actions group with 1 update: [docker/login-action](https://github.com/docker/login-action).


Updates `docker/login-action` from 3.3.0 to 3.4.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](9780b0c442...74a5d14239)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-19 17:16:40 +00:00
William Woodruff
730324ef64
ci: pypi: use manylinux_2_28 consistently (#603) 
* ci: pypi: use manylinux_2_28 consistently

Using auto causes us to default to exceptionally
old versions of glibc, along with containers that
struggle badly to build things like tree-sitter.

See: https://github.com/tree-sitter/tree-sitter/issues/4186

See: https://github.com/tree-sitter/tree-sitter/issues/4271

Signed-off-by: William Woodruff <william@yossarian.net>

* try ensurepip

Signed-off-by: William Woodruff <william@yossarian.net>

* hackety hack

Signed-off-by: William Woodruff <william@yossarian.net>

* drop back to 2_24 for aarch64 manylinux

Signed-off-by: William Woodruff <william@yossarian.net>

* continue to revert things

Signed-off-by: William Woodruff <william@yossarian.net>

* revert manylinux hell, try fixing build directly

Signed-off-by: William Woodruff <william@yossarian.net>

* try using CFLAGS

`cc` doesn't appear to respect CPPFLAGS.

Signed-off-by: William Woodruff <william@yossarian.net>

* try 2_24

Signed-off-by: William Woodruff <william@yossarian.net>

* pypi: try one last thing

Signed-off-by: William Woodruff <william@yossarian.net>

* use 2_28

Signed-off-by: William Woodruff <william@yossarian.net>

* remove sccache entirely

Signed-off-by: William Woodruff <william@yossarian.net>

* bump the remainder to 2_28

Signed-off-by: William Woodruff <william@yossarian.net>

* be more judicious about supported builds

Signed-off-by: William Woodruff <william@yossarian.net>

* docs: clarify wheel support policy

Signed-off-by: William Woodruff <william@yossarian.net>

* record change

Signed-off-by: William Woodruff <william@yossarian.net>

---------

Signed-off-by: William Woodruff <william@yossarian.net>
 2025-03-14 18:06:49 +00:00
William Woodruff
0822cf2353
ci: pypi: bump to macos-14 (#602) 
Signed-off-by: William Woodruff <william@yossarian.net>
 2025-03-13 15:39:44 +00:00
dependabot[bot]
3b5bcdecd2
chore(deps): bump the github-actions group with 2 updates (#593) 2025-03-10 09:36:40 -04:00
William Woodruff
43a1d5e7cd
feat(cli): fine-grained color control (#586) 
* feat(cli): fine-grained color control

This doesn't quite work yet, since tracing_indicatif
and anstream::AutoStream don't compose cleanly.

* main: hack on color controls more

Signed-off-by: William Woodruff <william@yossarian.net>

* cli: finalize color control

* remove dbg

* make snippets

* record changes

* usage: document --color option

* tests: proper color control and progress bar tests

* ci: enable tty-tests

* docs: document TTY tests

* better unbuffer failure errors

* ci: install expect for tty-tests

* remove unused import

---------

Signed-off-by: William Woodruff <william@yossarian.net>
 2025-03-09 16:16:23 -04:00