.github/workflows/ci.yml

@@ -44,7 +44,7 @@ jobs:
 
       - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
 
-      - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+      - uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
 
       - name: Test dependencies
         run: |
@@ -71,7 +71,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+      - uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
 
       - name: Test site
         run: make site

.github/workflows/codegen.yml

@@ -31,7 +31,7 @@ jobs:
           make refresh-schemas
 
       - name: create PR
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           draft: true
           commit-message: "[BOT] update JSON schemas from SchemaStore"
@@ -63,14 +63,14 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+      - uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
 
       - name: try to refresh context capabilities
         run: |
           make webhooks-to-contexts
 
       - name: create PR
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           draft: true
           commit-message: "[BOT] update context capabilities"
@@ -101,14 +101,14 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+      - uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
 
       - name: try to refresh CodeQL injection sinks
         run: |
           make codeql-injection-sinks
 
       - name: create PR
-        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           draft: true
           commit-message: "[BOT] update CodeQL injection sinks"

.github/workflows/release-binaries.yml

@@ -60,7 +60,7 @@ jobs:
         shell: bash
 
       - name: Upload artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: artifacts-${{ matrix.target }}
           path: ${{ steps.archive-release.outputs.filename }}
@@ -78,7 +78,7 @@ jobs:
 
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           pattern: artifacts-*
           path: distrib/

.github/workflows/release-docker.yml

@@ -86,7 +86,7 @@ jobs:
         shell: bash
 
       - name: Upload digest
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: digests-${{ matrix.image.platform-pair }}
           path: ${{ runner.temp }}/digests/*
@@ -107,7 +107,7 @@ jobs:
 
     steps:
       - name: Download digests
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-*

.github/workflows/release-pypi.yml

@@ -47,7 +47,7 @@ jobs:
           args: --release --out dist --manifest-path crates/zizmor/Cargo.toml
           manylinux: ${{ matrix.platform.manylinux }}
       - name: Upload wheels
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: wheels-linux-${{ matrix.platform.target }}
           path: dist
@@ -77,7 +77,7 @@ jobs:
           args: --release --out dist --manifest-path crates/zizmor/Cargo.toml
           manylinux: musllinux_1_2
       - name: Upload wheels
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: wheels-musllinux-${{ matrix.platform.target }}
           path: dist
@@ -102,7 +102,7 @@ jobs:
           target: ${{ matrix.platform.target }}
           args: --release --out dist --manifest-path crates/zizmor/Cargo.toml
       - name: Upload wheels
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: wheels-windows-${{ matrix.platform.target }}
           path: dist
@@ -127,7 +127,7 @@ jobs:
           target: ${{ matrix.platform.target }}
           args: --release --out dist --manifest-path crates/zizmor/Cargo.toml
       - name: Upload wheels
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: wheels-macos-${{ matrix.platform.target }}
           path: dist
@@ -145,7 +145,7 @@ jobs:
           command: sdist
           args: --out dist --manifest-path crates/zizmor/Cargo.toml
       - name: Upload sdist
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: wheels-sdist
           path: dist
@@ -161,7 +161,7 @@ jobs:
     permissions:
       id-token: write # Trusted Publishing + PEP 740 attestations
     steps:
-      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       - name: Attest
         uses: astral-sh/attest-action@2c727738cea36d6c97dd85eb133ea0e0e8fe754b # v0.0.4
         with:

.github/workflows/site.yml

@@ -31,7 +31,7 @@ jobs:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+        uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
 
       - name: build site
         run: make site

.github/workflows/test-output.yml

@@ -67,27 +67,3 @@ jobs:
             --no-exit-codes \
             --format github \
             crates/zizmor/tests/integration/test-data/several-vulnerabilities.yml
-
-  test-plain-presentation:
-    name: Test plain text presentation
-    runs-on: ubuntu-latest
-    if: contains(github.event.pull_request.labels.*.name, 'test-plain-presentation')
-    permissions: {}
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          persist-credentials: false
-
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
-
-      - name: Run zizmor
-        run: |
-          # Normally we'd want a workflow to fail if the audit fails,
-          # but we're only testing presentation here.
-          cargo run \
-            -- \
-            --no-exit-codes \
-            --format plain \
-            crates/zizmor/tests/integration/test-data/several-vulnerabilities.yml

Cargo.lock

@@ -307,9 +307,9 @@ dependencies = [
 
 [[package]]
 name = "camino"
-version = "1.2.2"
+version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e629a66d692cb9ff1a1c664e41771b3dcaf961985a9774c0eb0bd1b51cf60a48"
+checksum = "276a59bf2b2c967788139340c9f0c5b12d7fd6630315c15c217e559de85d2609"
 dependencies = [
  "serde_core",
 ]
@@ -2129,9 +2129,9 @@ checksum = "7a2d987857b319362043e95f5353c0535c1f58eec5336fdfcf626430af7def58"
 
 [[package]]
 name = "reqwest"
-version = "0.12.26"
+version = "0.12.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3b4c14b2d9afca6a60277086b0cc6a6ae0b568f6f7916c943a8cdc79f8be240f"
+checksum = "9d0946410b9f7b082a427e4ef5c8ff541a88b357bc6c637c40db3a68ac70a36f"
 dependencies = [
  "base64 0.22.1",
  "bytes",
@@ -2993,9 +2993,9 @@ dependencies = [
 
 [[package]]
 name = "tower-http"
-version = "0.6.8"
+version = "0.6.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
+checksum = "adc82fd73de2a9722ac5da747f12383d2bfdb93591ee6c58486e0097890f05f2"
 dependencies = [
  "bitflags",
  "bytes",
@@ -3116,9 +3116,9 @@ dependencies = [
 
 [[package]]
 name = "tree-sitter"
-version = "0.26.3"
+version = "0.26.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "974d205cc395652cfa8b37daa053fe56eebd429acf8dc055503fee648dae981e"
+checksum = "2135256a14d38ef69702cf6afdb6a36805d8914523de06eb4e2756cee08736f2"
 dependencies = [
  "cc",
  "regex",
@@ -3140,7 +3140,7 @@ dependencies = [
 
 [[package]]
 name = "tree-sitter-iter"
-version = "0.0.3"
+version = "0.0.2"
 dependencies = [
  "tree-sitter",
  "tree-sitter-yaml",
@@ -3804,7 +3804,7 @@ checksum = "fdd20c5420375476fbd4394763288da7eb0cc0b8c11deed431a91562af7335d3"
 
 [[package]]
 name = "yamlpatch"
-version = "0.8.0"
+version = "0.7.0"
 dependencies = [
  "indexmap",
  "insta",
@@ -3820,7 +3820,7 @@ dependencies = [
 
 [[package]]
 name = "yamlpath"
-version = "0.31.0"
+version = "0.29.0"
 dependencies = [
  "line-index",
  "self_cell",
@@ -3944,7 +3944,7 @@ dependencies = [
 
 [[package]]
 name = "zizmor"
-version = "1.19.0"
+version = "1.18.0"
 dependencies = [
  "annotate-snippets",
  "anstream",

Cargo.toml

@@ -30,7 +30,7 @@ annotate-snippets = "0.12.10"
 anstream = "0.6.21"
 assert_cmd = "2.1.1"
 async-trait = "0.1.89"
-camino = "1.2.2"
+camino = "1.2.1"
 clap = "4.5.53"
 clap-verbosity-flag = { version = "3.0.4", default-features = false }
 clap_complete = "4.5.61"
@@ -52,7 +52,7 @@ line-index = "0.1.2"
 memchr = "2.7.6"
 owo-colors = "4.2.3"
 regex = "1.12.1"
-reqwest = { version = "0.12.25", default-features = false }
+reqwest = { version = "0.12.23", default-features = false }
 reqwest-middleware = "0.4.2"
 self_cell = "1"
 serde = { version = "1.0.228", features = ["derive"] }
@@ -69,14 +69,14 @@ tower-lsp-server = "0.23"
 tracing = "0.1.43"
 tracing-indicatif = "0.3.14"
 tracing-subscriber = "0.3.20"
-tree-sitter = "0.26.3"
+tree-sitter = "0.26.2"
 tree-sitter-bash = "0.25.1"
-tree-sitter-iter = { path = "crates/tree-sitter-iter", version = "0.0.3" }
+tree-sitter-iter = { path = "crates/tree-sitter-iter", version = "0.0.2" }
 # Exact version since the upstream performed a breaking change outside of semver.
 # See: https://github.com/zizmorcore/zizmor/pull/1427
 tree-sitter-powershell = "=0.25.10"
-yamlpath = { path = "crates/yamlpath", version = "0.31.0" }
-yamlpatch = { path = "crates/yamlpatch", version = "0.8.0" }
+yamlpath = { path = "crates/yamlpath", version = "0.29.0" }
+yamlpatch = { path = "crates/yamlpatch", version = "0.7.0" }
 tree-sitter-yaml = "0.7.2"
 tikv-jemallocator = "0.6"
 

crates/github-actions-models/src/dependabot/v2.rs

@@ -349,8 +349,6 @@ pub enum AllowDeny {
 #[derive(Deserialize, Debug, PartialEq)]
 #[serde(rename_all = "kebab-case")]
 pub enum PackageEcosystem {
-    /// `bazel`
-    Bazel,
     /// `bun`
     Bun,
     /// `bundler`
@@ -371,8 +369,6 @@ pub enum PackageEcosystem {
     DotnetSdk,
     /// `helm`
     Helm,
-    /// `julia`
-    Julia,
     /// `elm`
     Elm,
     /// `gitsubmodule`

crates/tree-sitter-iter/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "tree-sitter-iter"
 description = "A very simple pre-order iterator for tree-sitter CSTs"
-version = "0.0.3"
+version = "0.0.2"
 authors.workspace = true
 homepage.workspace = true
 edition.workspace = true

crates/yamlpatch/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "yamlpatch"
-version = "0.8.0"
+version = "0.7.0"
 description = "Comment and format-preserving YAML patch operations"
 repository = "https://github.com/zizmorcore/zizmor/tree/main/crates/yamlpatch"
 keywords = ["yaml", "patch"]

crates/yamlpath/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "yamlpath"
-version = "0.31.0"
+version = "0.29.0"
 description = "Format-preserving YAML feature extraction"
 repository = "https://github.com/zizmorcore/zizmor/tree/main/crates/yamlpath"
 readme = "README.md"

crates/zizmor/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "zizmor"
 description = "Static analysis for GitHub Actions"
-version = "1.19.0"
+version = "1.18.0"
 repository = "https://github.com/zizmorcore/zizmor"
 documentation = "https://docs.zizmor.sh"
 keywords = ["cli", "github-actions", "static-analysis", "security"]

crates/zizmor/src/audit/excessive_permissions.rs

@@ -14,7 +14,6 @@ use crate::{
 static KNOWN_PERMISSIONS: LazyLock<HashMap<&str, Severity>> = LazyLock::new(|| {
     [
         ("actions", Severity::High),
-        ("artifact-metadata", Severity::Medium),
         ("attestations", Severity::High),
         ("checks", Severity::Medium),
         ("contents", Severity::High),
@@ -22,8 +21,6 @@ static KNOWN_PERMISSIONS: LazyLock<HashMap<&str, Severity>> = LazyLock::new(|| {
         ("discussions", Severity::Medium),
         ("id-token", Severity::High),
         ("issues", Severity::High),
-        // What does the write permission even do here?
-        ("models", Severity::Low),
         ("packages", Severity::High),
         ("pages", Severity::High),
         ("pull-requests", Severity::High),

crates/zizmor/src/data/dependabot-2.0.json

@@ -647,28 +647,24 @@
     },
     "package-ecosystem-values": {
       "enum": [
-        "bazel",
         "bun",
         "bundler",
         "cargo",
         "composer",
-        "conda",
         "devcontainers",
         "docker",
         "docker-compose",
         "dotnet-sdk",
         "elm",
-        "github-actions",
         "gitsubmodule",
+        "github-actions",
         "gomod",
         "gradle",
         "helm",
-        "julia",
         "maven",
         "mix",
         "npm",
         "nuget",
-        "opentofu",
         "pip",
         "pub",
         "rust-toolchain",

crates/zizmor/src/main.rs

@@ -118,15 +118,6 @@ struct App {
     #[arg(long, value_enum, default_value_t)]
     format: OutputFormat,
 
-    /// Whether to render OSC 8 links in the output.
-    ///
-    /// This affects links under audit IDs, as well as any links
-    /// produced by audit rules.
-    ///
-    /// Only affects `--format=plain` (the default).
-    #[arg(long, value_enum, default_value_t, env = "ZIZMOR_RENDER_LINKS")]
-    render_links: CliRenderLinks,
-
     /// Whether to render audit URLs in the output, separately from any URLs
     /// embedded in OSC 8 links.
     ///
@@ -334,44 +325,6 @@ pub(crate) enum OutputFormat {
     Github,
 }
 
-#[derive(Debug, Default, Copy, Clone, ValueEnum)]
-pub(crate) enum CliRenderLinks {
-    /// Render OSC 8 links in output if support is detected.
-    #[default]
-    Auto,
-    /// Always render OSC 8 links in output.
-    Always,
-    /// Never render OSC 8 links in output.
-    Never,
-}
-
-#[derive(Debug, Copy, Clone)]
-pub(crate) enum RenderLinks {
-    Always,
-    Never,
-}
-
-impl From<CliRenderLinks> for RenderLinks {
-    fn from(value: CliRenderLinks) -> Self {
-        match value {
-            CliRenderLinks::Auto => {
-                // We render links if stdout is a terminal. This is assumed
-                // to preclude CI environments and log files.
-                //
-                // TODO: Switch this to the support-hyperlinks crate?
-                // See: https://github.com/zkat/supports-hyperlinks/pull/8
-                if stdout().is_terminal() {
-                    RenderLinks::Always
-                } else {
-                    RenderLinks::Never
-                }
-            }
-            CliRenderLinks::Always => RenderLinks::Always,
-            CliRenderLinks::Never => RenderLinks::Never,
-        }
-    }
-}
-
 #[derive(Debug, Default, Copy, Clone, ValueEnum)]
 pub(crate) enum CliShowAuditUrls {
     /// Render audit URLs in output automatically based on output format and runtime context.
@@ -688,7 +641,6 @@ async fn run(app: &mut App) -> Result<ExitCode, Error> {
                 ColorMode::Never
             } else if std::env::var("FORCE_COLOR").is_ok()
                 || std::env::var("CLICOLOR_FORCE").is_ok()
-                || utils::is_ci()
             {
                 ColorMode::Always
             } else {
@@ -864,7 +816,6 @@ async fn run(app: &mut App) -> Result<ExitCode, Error> {
             &registry,
             &results,
             &app.show_audit_urls.into(),
-            &app.render_links.into(),
             app.naches,
         ),
         OutputFormat::Json | OutputFormat::JsonV1 => {

crates/zizmor/src/output/plain.rs

@@ -7,7 +7,7 @@ use anstream::{eprintln, print, println};
 use owo_colors::OwoColorize;
 
 use crate::{
-    RenderLinks, ShowAuditUrls,
+    ShowAuditUrls,
     finding::{
         Finding, Severity,
         location::{Location, LocationKind},
@@ -44,7 +44,6 @@ impl From<&Severity> for Level<'_> {
 pub(crate) fn finding_snippets<'doc>(
     registry: &'doc InputRegistry,
     finding: &'doc Finding<'doc>,
-    render_links_mode: &RenderLinks,
 ) -> Vec<Snippet<'doc, Annotation<'doc>>> {
     // Our finding might span multiple workflows, so we need to group locations
     // by their enclosing workflow to generate each snippet correctly.
@@ -69,20 +68,15 @@ pub(crate) fn finding_snippets<'doc>(
     for (input_key, locations) in locations_by_workflow {
         let input = registry.get_input(input_key);
 
-        let path = match render_links_mode {
-            RenderLinks::Always => input.link().unwrap_or(input_key.presentation_path()),
-            RenderLinks::Never => input_key.presentation_path(),
-        };
-
         snippets.push(
             Snippet::source(input.as_document().source())
                 .fold(true)
                 .line_start(1)
-                .path(path)
+                .path(input.link().unwrap_or(input_key.presentation_path()))
                 .annotations(locations.iter().map(|loc| {
-                    let annotation = match (loc.symbolic.link.as_deref(), render_links_mode) {
-                        (Some(link), RenderLinks::Always) => link,
-                        _ => &loc.symbolic.annotation,
+                    let annotation = match loc.symbolic.link {
+                        Some(ref link) => link,
+                        None => &loc.symbolic.annotation,
                     };
 
                     AnnotationKind::from(loc.symbolic.kind)
@@ -102,11 +96,10 @@ pub(crate) fn render_findings(
     registry: &InputRegistry,
     findings: &FindingRegistry,
     show_urls_mode: &ShowAuditUrls,
-    render_links_mode: &RenderLinks,
     naches_mode: bool,
 ) {
     for finding in findings.findings() {
-        render_finding(registry, finding, show_urls_mode, render_links_mode);
+        render_finding(registry, finding, show_urls_mode);
         println!();
     }
 
@@ -199,19 +192,11 @@ pub(crate) fn render_findings(
     }
 }
 
-fn render_finding(
-    registry: &InputRegistry,
-    finding: &Finding,
-    show_urls_mode: &ShowAuditUrls,
-    render_links_mode: &RenderLinks,
-) {
-    let mut title = Level::from(&finding.determinations.severity)
+fn render_finding(registry: &InputRegistry, finding: &Finding, show_urls_mode: &ShowAuditUrls) {
+    let title = Level::from(&finding.determinations.severity)
         .primary_title(finding.desc)
-        .id(finding.ident);
-
-    if matches!(render_links_mode, RenderLinks::Always) {
-        title = title.id_url(finding.url);
-    }
+        .id(finding.ident)
+        .id_url(finding.url);
 
     let confidence = format!(
         "audit confidence → {:?}",
@@ -219,7 +204,7 @@ fn render_finding(
     );
 
     let mut group = Group::with_title(title)
-        .elements(finding_snippets(registry, finding, render_links_mode))
+        .elements(finding_snippets(registry, finding))
         .element(Level::NOTE.message(confidence));
 
     if let Some(tip) = &finding.tip {

crates/zizmor/tests/integration/common.rs

@@ -42,7 +42,6 @@ pub struct Zizmor {
     stdin: Option<String>,
     unbuffer: bool,
     offline: bool,
-    gh_token: bool,
     inputs: Vec<String>,
     config: Option<String>,
     no_config: bool,
@@ -54,19 +53,13 @@ pub struct Zizmor {
 impl Zizmor {
     /// Create a new zizmor runner.
     pub fn new() -> Self {
-        let mut cmd = Command::new(cargo::cargo_bin!());
-
-        // Our child `zizmor` process starts with a clean environment, to
-        // ensure we explicitly test interactions with things like `CI`
-        // and `GH_TOKEN`.
-        cmd.env_clear();
+        let cmd = Command::new(cargo::cargo_bin!());
 
         Self {
             cmd,
             stdin: None,
             unbuffer: false,
             offline: true,
-            gh_token: true,
             inputs: vec![],
             config: None,
             no_config: false,
@@ -91,6 +84,11 @@ impl Zizmor {
         self
     }
 
+    pub fn unsetenv(mut self, key: &str) -> Self {
+        self.cmd.env_remove(key);
+        self
+    }
+
     pub fn input(mut self, input: impl Into<String>) -> Self {
         self.inputs.push(input.into());
         self
@@ -116,11 +114,6 @@ impl Zizmor {
         self
     }
 
-    pub fn gh_token(mut self, flag: bool) -> Self {
-        self.gh_token = flag;
-        self
-    }
-
     pub fn output(mut self, output: OutputMode) -> Self {
         self.output = output;
         self
@@ -154,12 +147,7 @@ impl Zizmor {
         } else {
             // If we're running in online mode, we pre-assert the
             // presence of GH_TOKEN to make configuration failures more obvious.
-            let token =
-                std::env::var("GH_TOKEN").context("online tests require GH_TOKEN to be set")?;
-
-            if self.gh_token {
-                self.cmd.env("GH_TOKEN", token);
-            }
+            std::env::var("GH_TOKEN").context("online tests require GH_TOKEN to be set")?;
         }
 
         if self.no_config && self.config.is_some() {

crates/zizmor/tests/integration/e2e.rs

@@ -83,21 +83,13 @@ fn menagerie() -> Result<()> {
 
 #[test]
 fn color_control_basic() -> Result<()> {
-    // No terminal and not CI, so no color by default.
+    // No terminal, so no color by default.
     let no_color_default_output = zizmor()
         .output(OutputMode::Both)
         .input(input_under_test("e2e-menagerie"))
         .run()?;
     assert!(!no_color_default_output.contains("\x1b["));
 
-    // No terminal but CI, so color by default.
-    let color_default_ci_output = zizmor()
-        .setenv("CI", "true")
-        .output(OutputMode::Both)
-        .input(input_under_test("e2e-menagerie"))
-        .run()?;
-    assert!(color_default_ci_output.contains("\x1b["));
-
     // Force color via --color=always.
     let forced_color_via_arg_output = zizmor()
         .output(OutputMode::Both)
@@ -608,6 +600,7 @@ fn test_cant_retrieve_offline() -> Result<()> {
         zizmor()
             .expects_failure(true)
             .offline(true)
+            .unsetenv("GH_TOKEN")
             .args(["pypa/sampleproject"])
             .run()?,
         @r"
@@ -633,7 +626,7 @@ fn test_cant_retrieve_no_gh_token() -> Result<()> {
         zizmor()
             .expects_failure(true)
             .offline(false)
-            .gh_token(false)
+            .unsetenv("GH_TOKEN")
             .args(["pypa/sampleproject"])
             .run()?,
         @r"

docs/integrations.md

@@ -255,7 +255,7 @@ To do so, add the following to your `.pre-commit-config.yaml` `#!yaml repos:` se
 
 ```yaml
 - repo: https://github.com/zizmorcore/zizmor-pre-commit
-  rev: v1.19.0 # (1)!
+  rev: v1.18.0 # (1)!
   hooks:
   - id: zizmor
 ```

docs/release-notes.md

@@ -9,13 +9,6 @@ of `zizmor`.
 
 ## Next (UNRELEASED)
 
-### Enhancements 🌱
-
-* The [excessive-permissions] audit is now aware of the `artifact-metadata`
-  and `models` permissions (#1461)
-
-## 1.19.0
-
 ### New Features 🌈
 
 * **New audit**: [archived-uses] detects usages of archived repositories in
@@ -44,10 +37,6 @@ of `zizmor`.
 * zizmor now produces a more useful error message when input collection
   yields no inputs (#1439)
 
-* The `--render-links` flag now allows users to control `zizmor`'s OSC 8 terminal
-  link rendering behavior. This is particularly useful in environments that
-  advertise themselves as terminals but fail to correctly render or ignore
-  OSC 8 links (#1454)
  
 ### Performance Improvements 🚄
 
@@ -65,10 +54,6 @@ of `zizmor`.
 * Fixed a bug where the `opentofu` ecosystem was not recognized in
   Dependabot configuration files (#1452)
 
-* `--color=always` no longer implies `--render-links=always`, as some
-  environments (like GitHub Actions) support ANSI color codes but fail
-  to handle OSC escapes gracefully (#1454)
-
 ## 1.18.0
 
 ### Enhancements 🌱
@@ -1205,7 +1190,7 @@ This is one of `zizmor`'s bigger recent releases! Key enhancements include:
 
 ### What's Changed
 * fix(cli): remove '0 ignored' from another place by @woodruffw in #157
-* perf: speed up [impostor-commit]'s fast path by @woodruffw in #158
+* perf: speed up impostor-commit's fast path by @woodruffw in #158
 * fix(cli): fixup error printing by @woodruffw in #159
 
 ## v0.3.1
@@ -1358,6 +1343,5 @@ This is one of `zizmor`'s bigger recent releases! Key enhancements include:
 [dependabot-cooldown]: ./audits.md#dependabot-cooldown
 [concurrency-limits]: ./audits.md#concurrency-limits
 [archived-uses]: ./audits.md#archived-uses
-[impostor-commit]: ./audits.md#impostor-commit
 
 [exit code]: ./usage.md#exit-codes

docs/snippets/help.txt

@@ -28,8 +28,6 @@ Options:
           Don't show progress bars, even if the terminal supports them
       --format <FORMAT>
           The output format to emit. By default, cargo-style diagnostics will be emitted [default: plain] [possible values: plain, json, json-v1, sarif, github]
-      --render-links <RENDER_LINKS>
-          Whether to render OSC 8 links in the output [env: ZIZMOR_RENDER_LINKS=] [default: auto] [possible values: auto, always, never]
       --show-audit-urls <SHOW_AUDIT_URLS>
           Whether to render audit URLs in the output, separately from any URLs embedded in OSC 8 links [env: ZIZMOR_SHOW_AUDIT_URLS=] [default: auto] [possible values: auto, always, never]
       --color <MODE>