dependabot[bot] opened a new pull request, #15856:
URL: https://github.com/apache/lucene/pull/15856

   Bumps [zizmor](https://github.com/zizmorcore/zizmor) from 1.22.0 to 1.23.1.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/zizmorcore/zizmor/releases">zizmor's releases</a>.</em></p>
   <blockquote>
   <h2>v1.23.1</h2>
   <h2>Bug Fixes 🐛<a href="https://docs.zizmor.sh/release-notes/#bug-fixes">🔗</a></h2>
   <ul>
   <li>Fixed a bug where zizmor would error if given both a GH_TOKEN and a GITHUB_TOKEN (or ZIZMOR_GITHUB_TOKEN) via the environment (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1724">#1724</a>)</li>
   </ul>
   <h2>v1.23.0</h2>
   <h2>New Features 🌈<a href="https://docs.zizmor.sh/release-notes/#new-features">🔗</a></h2>
   <ul>
   <li>
   <p>New audit: <a href="https://docs.zizmor.sh/audits/#secrets-outside-env">secrets-outside-env</a> detects usage of the secrets context in jobs that don't have a corresponding environment (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1599">#1599</a>)</p>
   </li>
   <li>
   <p>New audit: <a href="https://docs.zizmor.sh/audits/#superfluous-actions">superfluous-actions</a> detects usage of actions that perform operations already provided by GitHub's own runner images (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1618">#1618</a>)</p>
   </li>
   </ul>
   <h2>Enhancements 🌱<a href="https://docs.zizmor.sh/release-notes/#enhancements">🔗</a></h2>
   <ul>
   <li>
   <p>zizmor's LSP mode is now configuration-aware, and will load configuration files relative to workspace roots (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1555">#1555</a>)</p>
   </li>
   <li>
   <p>zizmor now reads the GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1566">#1566</a>)</p>
   </li>
   <li>
   <p>zizmor now supports inputs that contain duplicated anchor names (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1575">#1575</a>)</p>
   </li>
   <li>
   <p>zizmor now flags missing cooldowns on opentofu ecosystem definitions in Dependabot (again) (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1586">#1586</a>)</p>
   </li>
   <li>
   <p>zizmor now reads the ZIZMOR_GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN and GITHUB_TOKEN (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1641">#1641</a>)</p>
   </li>
   <li>
   <p>The SARIF output format now adds zizmor/confidence, zizmor/persona and zizmor/severity to the properties of findings (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1656">#1656</a>)</p>
   </li>
   <li>
   <p>Added <a href="https://github.com/awalsh128/cache-apt-pkgs-action">awalsh128/cache-apt-pkgs-action</a> as a cache-aware action to the cache-poisoning audit (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1708">#1708</a>)</p>
   </li>
   </ul>
   <h2>Changes ⚠️<a href="https://docs.zizmor.sh/release-notes/#changes">🔗</a></h2>
   <ul>
   <li>
   <p>SARIF categories have been regraded. zizmor's &quot;medium&quot; is changed from SARIF's &quot;warning&quot; to &quot;low&quot; (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1635">#1635</a>)</p>
   </li>
   </ul>
   <h2>Bug Fixes 🐛<a href="https://docs.zizmor.sh/release-notes/#bug-fixes">🔗</a></h2>
   <ul>
   <li>
   <p>Fixed a bug where zizmor would crash on uses: clauses containing non-significant whitespace while performing the <a href="https://docs.zizmor.sh/audits/#unpinned-uses">unpinned-uses</a> audit (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1544">#1544</a>)</p>
   </li>
   <li>
   <p>Fixed a bug in yamlpath where sequences containing anchors were splatted instead of being properly nested (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1557">#1557</a>)</p>
   <p>Many thanks to <a href="https://github.com/DarkaMaul"><code>@DarkaMaul</code></a> for implementing this fix!</p>
   </li>
   <li>
   <p>Fixed a bug in yamlpath where anchor prefixes in sequences and mapping were not stripped during path queries (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1562">#1562</a>)</p>
   </li>
   <li>
   <p>Fixed a bug where &quot;merge into&quot; autofixes would produce incorrect patches in the presence of multi-byte Unicode characters (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1581">#1581</a>)</p>
   <p>Many thanks to <a href="https://github.com/ManuelLerchnerQC"><code>@ManuelLerchnerQC</code></a> for implementing this fix!</p>
   </li>
   <li>
   <p>Fixed a bug where the <a href="https://docs.zizmor.sh/audits/#template-injection">template-injection</a> audit would produce duplicated pedantic-only findings (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1589">#1589</a>)</p>
   </li>
   <li>
   <p>Fixed a bug where the <a href="https://docs.zizmor.sh/audits/#obfuscation">obfuscation</a> audit would produce incorrect autofixes for a subset of constant-reducible expressions (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1597">#1597</a>)</p>
   </li>
   <li>
   <p>Fixed a bug where the <a href="https://docs.zizmor.sh/audits/#obfuscation">obfuscation</a> audit would fail to apply fixes to a subset of inputs with leading whitespace (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1597">#1597</a>)</p>
   </li>
   </ul>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a href="https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md">zizmor's changelog</a>.</em></p>
   <blockquote>
   <h2>1.23.1</h2>
   <h3>Bug Fixes 🐛</h3>
   <ul>
   <li>
   <p>Fixed a bug where <code>zizmor</code> would error if given both a <code>GH_TOKEN</code> and a <code>GITHUB_TOKEN</code> (or <code>ZIZMOR_GITHUB_TOKEN</code>) via the environment (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1724">#1724</a>)</p>
   </li>
   <li>
   <p>Fixed a bug in [template-injection] where the <code>context</code> input of <code>docker/build-push-action</code> was incorrectly considered a code injection sink (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1705">#1705</a>)</p>
   </li>
   </ul>
   <h3>Changes ⚠️</h3>
   <ul>
   <li><code>artipacked</code> audit emits a pedantic finding if <code>persist-credentials</code> is an expression (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1735">#1735</a>)</li>
   </ul>
   <h2>1.23.0</h2>
   <h3>New Features 🌈</h3>
   <ul>
   <li>
   <p><strong>New audit</strong>: [secrets-outside-env] detects usage of the <code>secrets</code> context in jobs that don't have a corresponding <code>environment</code> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1599">#1599</a>)</p>
   </li>
   <li>
   <p><strong>New audit</strong>: [superfluous-actions] detects usage of actions that perform operations already provided by GitHub's own runner images (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1618">#1618</a>)</p>
   </li>
   </ul>
   <h3>Enhancements 🌱</h3>
   <ul>
   <li>
   <p><code>zizmor</code>'s LSP mode is now configuration-aware, and will load configuration files relative to workspace roots (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1555">#1555</a>)</p>
   </li>
   <li>
   <p><code>zizmor</code> now reads the <code>GITHUB_TOKEN</code> environment variable as an alias/equivalent for <code>GH_TOKEN</code> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1566">#1566</a>)</p>
   </li>
   <li>
   <p><code>zizmor</code> now supports inputs that contain duplicated anchor names (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1575">#1575</a>)</p>
   </li>
   <li>
   <p><code>zizmor</code> now flags missing cooldowns on <code>opentofu</code> ecosystem definitions in Dependabot (again) (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1586">#1586</a>)</p>
   </li>
   <li>
   <p><code>zizmor</code> now reads the <code>ZIZMOR_GITHUB_TOKEN</code> environment variable as an alias/equivalent for <code>GH_TOKEN</code> and <code>GITHUB_TOKEN</code> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1641">#1641</a>)</p>
   </li>
   <li>
   <p>The SARIF output format now adds <code>zizmor/confidence</code>, <code>zizmor/persona</code> and <code>zizmor/severity</code> to the <code>properties</code> of findings (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1656">#1656</a>)</p>
   </li>
   <li>
   <p>Added <a href="https://github.com/awalsh128/cache-apt-pkgs-action">awalsh128/cache-apt-pkgs-action</a> as a cache-aware action to the cache-poisoning audit (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1708">#1708</a>)</p>
   </li>
   </ul>
   <h3>Changes ⚠️</h3>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/zizmorcore/zizmor/commit/0b77258cf93d4e0ae762c843422c333faf2793f6"><code>0b77258</code></a> zizmor v1.23.1 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1725">#1725</a>)</li>
   <li><a href="https://github.com/zizmorcore/zizmor/commit/d822fa69a847fff1b6d896d75bdf4c0a518f792c"><code>d822fa6</code></a> Remove conflict handling from GH_TOKEN aliases (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1724">#1724</a>)</li>
   <li><a href="https://github.com/zizmorcore/zizmor/commit/773439b9834fe7de258d464614a34f92361d4dc9"><code>773439b</code></a> Bump trophies (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1721">#1721</a>)</li>
   <li><a href="https://github.com/zizmorcore/zizmor/commit/f5c05f064bbd0f6b2c58887152c1039ecb94acbb"><code>f5c05f0</code></a> zizmor 1.23.0 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1719">#1719</a>)</li>
   <li><a href="https://github.com/zizmorcore/zizmor/commit/93858d8e016cc14654676b62dcd83415579d0463"><code>93858d8</code></a> zizmor 1.23.0-rc7 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1718">#1718</a>)</li>
   <li><a href="https://github.com/zizmorcore/zizmor/commit/76d3f1eb2ba6450f9fbbdc14b52bbf298cad09d9"><code>76d3f1e</code></a> yamlpatch 0.13.0 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1717">#1717</a>)</li>
   <li><a href="https://github.com/zizmorcore/zizmor/commit/7a71262abd81adf9a4c7b26ef4782419df100672"><code>7a71262</code></a> github-actions-expressions 0.0.15 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1716">#1716</a>)</li>
   <li><a href="https://github.com/zizmorcore/zizmor/commit/2255be674ac561f0fe79a3cb1c812158eb560832"><code>2255be6</code></a> zizmor 1.23.0-rc6 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1715">#1715</a>)</li>
   <li><a href="https://github.com/zizmorcore/zizmor/commit/a0f9dcbe0736d8af717d94845b548f3d1a759173"><code>a0f9dcb</code></a> Fix http-cache usage (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1689">#1689</a>)</li>
   <li><a href="https://github.com/zizmorcore/zizmor/commit/adabd2dbd9d01b26b14df81e0eb1e1d883ad919e"><code>adabd2d</code></a> Update pedantic persona example (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1714">#1714</a>)</li>
   <li>Additional commits viewable in <a href="https://github.com/zizmorcore/zizmor/compare/v1.22.0...v1.23.1">compare view</a></li>
   </ul>
   </details>

