dependabot[bot] opened a new pull request, #16022: URL: https://github.com/apache/lucene/pull/16022
Bumps [zizmor](https://github.com/zizmorcore/zizmor) from 1.23.1 to 1.24.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/zizmorcore/zizmor/releases">zizmor's releases</a>.</em></p> <blockquote> <h2>v1.24.1</h2> <h2>Bug Fixes 🐛<a href="https://docs.zizmor.sh/release-notes/#bug-fixes">🔗</a></h2> <ul> <li>Fixed a bug where the <a href="https://docs.zizmor.sh/audits/#ref-version-mismatch">ref-version-mismatch</a> audit would incorrectly flag some version comments as not containing an appropriate version (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1900">#1900</a>)</li> </ul> <h2>v1.24.0</h2> <h2>New Features 🌈<a href="https://docs.zizmor.sh/release-notes/#new-features">🔗</a></h2> <ul> <li>zizmor now allows users to audit from stdin, by passing zizmor - (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1611">#1611</a>)</li> </ul> <h2>Enhancements 🌱<a href="https://docs.zizmor.sh/release-notes/#enhancements">🔗</a></h2> <ul> <li> <p>The <a href="https://docs.zizmor.sh/audits/#use-trusted-publishing">use-trusted-publishing</a> audit now detects bun publish and bunx npm publish patterns (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1737">#1737</a>)</p> <p>Many thanks to <a href="https://github.com/shaanmajid"><code>@shaanmajid</code></a> for proposing and implementing this improvement!</p> </li> <li> <p>zizmor's CLI help and usage output now uses a custom color scheme for improved readability (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1747">#1747</a>)</p> </li> <li> <p>The <a href="https://docs.zizmor.sh/audits/#secrets-outside-env">secrets-outside-env</a> audit is now configurable with an allowlist of secret names that should not be flagged, even when referenced outside of an environment (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1759">#1759</a>)</p> <p>Many thanks to <a href="https://github.com/rmuir"><code>@rmuir</code></a> for proposing 
and implementing this improvement!</p> </li> <li> <p>The <a href="https://docs.zizmor.sh/audits/#dependabot-cooldown">dependabot-cooldown</a> audit now emits a pedantic finding whenever it encounters a cooldown used with a multi-ecosystem-group, as the two do not interact well (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1780">#1780</a>)</p> </li> <li> <p>Recommend <code>gh release upload</code> as a replacement for <a href="https://github.com/svenstaro/upload-release-action">svenstaro/upload-release-action</a> in <a href="https://docs.zizmor.sh/audits/#superfluous-actions">superfluous-actions</a> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1801">#1801</a>)</p> </li> <li> <p>Recommend <code>gh issue create</code> as a replacement for <a href="https://github.com/dacbd/create-issue-action">dacbd/create-issue-action</a> in <a href="https://docs.zizmor.sh/audits/#superfluous-actions">superfluous-actions</a> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1873">#1873</a>)</p> </li> <li> <p>The <a href="https://docs.zizmor.sh/audits/#obfuscation">obfuscation</a> audit now emits a finding for <code>with: ${{ expr }}</code> clauses that cannot be analyzed (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1772">#1772</a>)</p> </li> <li> <p><code>zizmor --help</code> is now rendered with option groups for improved readability (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1831">#1831</a>)</p> <p>Many thanks to <a href="https://github.com/deckstose"><code>@deckstose</code></a> for implementing this improvement!</p> </li> <li> <p>zizmor's SARIF output now uses codeflows instead of related locations, improving its rendering behavior on GitHub Advanced Security (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1843">#1843</a>)</p> </li> <li> <p>The <a href="https://docs.zizmor.sh/audits/#ref-version-mismatch">ref-version-mismatch</a> audit now uses a more useful audit description for its findings (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/1843">#1843</a>)</p> </li> <li> <p>The <a href="https://docs.zizmor.sh/audits/#unpinned-images">unpinned-images</a> audit now produces more precise findings for image references that are computed through expressions (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1756">#1756</a>)</p> <p>Many thanks to <a href="https://github.com/miketheman"><code>@miketheman</code></a> for implementing this improvement!</p> </li> <li> <p>The <a href="https://docs.zizmor.sh/audits/#ref-version-mismatch">ref-version-mismatch</a> audit now detects missing version comments as well (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1849">#1849</a>)</p> <p>Many thanks to <a href="https://github.com/shaanmajid"><code>@shaanmajid</code></a> for proposing and implementing this improvement!</p> </li> </ul> <h2>Bug Fixes 🐛<a href="https://docs.zizmor.sh/release-notes/#bug-fixes">🔗</a></h2> <ul> <li>Fixed a bug where the <a href="https://docs.zizmor.sh/audits/#concurrency-limits">concurrency-limits</a> audit reported findings at the job level instead of the workflow level (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1627">#1627</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md">zizmor's changelog</a>.</em></p> <blockquote> <h2>1.24.1</h2> <h3>Bug Fixes 🐛</h3> <ul> <li>Fixed a bug where the [ref-version-mismatch] audit would incorrectly flag some version comments as not containing an appropriate version (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1900">#1900</a>)</li> </ul> <h2>1.24.0</h2> <h3>New Features 🌈</h3> <ul> <li><code>zizmor</code> now allows users to audit from stdin, by passing <code>zizmor -</code> (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1611">#1611</a>)</li> </ul> <h3>Enhancements 🌱</h3> <ul> <li> <p>The [use-trusted-publishing] audit now detects <code>bun publish</code> and <code>bunx npm publish</code> patterns (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1737">#1737</a>)</p> <p>Many thanks to <a href="https://github.com/shaanmajid"><code>@shaanmajid</code></a> for proposing and implementing this improvement!</p> </li> <li> <p><code>zizmor</code>'s CLI help and usage output now uses a custom color scheme for improved readability (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1747">#1747</a>)</p> </li> <li> <p>The [secrets-outside-env] audit is now configurable with an allowlist of secret names that should not be flagged, even when referenced outside of an environment (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1759">#1759</a>)</p> <p>Many thanks to <a href="https://github.com/rmuir"><code>@rmuir</code></a> for proposing and implementing this improvement!</p> </li> <li> <p>The [dependabot-cooldown] audit now emits a pedantic finding whenever it encounters a cooldown used with a multi-ecosystem-group, as the two do not interact well (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1780">#1780</a>)</p> </li> <li> <p>Recommend <code>gh release upload</code> 
as a replacement for <code>@svenstaro/upload-release-action</code> in [superfluous-actions] (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1801">#1801</a>)</p> </li> <li> <p>Recommend <code>gh issue create</code> as a replacement for <code>@dacbd/create-issue-action</code> in [superfluous-actions] (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1873">#1873</a>)</p> </li> <li> <p>The [obfuscation] audit now emits a finding for <code>with: ${{ expr }}</code> clauses that cannot be analyzed (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1772">#1772</a>)</p> </li> <li> <p><code>zizmor --help</code> is now rendered with option groups for improved readability (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1831">#1831</a>)</p> <p>Many thanks to <a href="https://github.com/deckstose"><code>@deckstose</code></a> for implementing this improvement!</p> </li> <li> <p>zizmor's SARIF output now uses codeflows instead of related locations, improving its rendering behavior on GitHub Advanced Security (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1843">#1843</a>)</p> </li> <li> <p>The [ref-version-mismatch] audit now uses a more useful audit description</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/zizmorcore/zizmor/commit/2eaf42bcccfed62978cee0905902acbc294d5123"><code>2eaf42b</code></a> ref-version-mismatch: handle version comments without v prefix (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1900">#1900</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/a3b72b8f26946fd057c016d5ec83b77cc4cfdad2"><code>a3b72b8</code></a> chore(deps): bump the github-actions group with 3 updates (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1897">#1897</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/d5aba605f4267b96e34775de183955ff0a3197ad"><code>d5aba60</code></a> zizmor v1.24.0 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1890">#1890</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/1e762ac3c0354d68ddcac0ccc0af6879e8b38aa6"><code>1e762ac</code></a> zizmor v1.24.0-rc3 (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1889">#1889</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/b79c9dc84c096d6c7becabd9581c61c9347bf4f7"><code>b79c9dc</code></a> Fix release CI (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1888">#1888</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/eb113ad5c5f8c25c79dd0b4705d420096a35ba2d"><code>eb113ad</code></a> Unify crate versions and publishing (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1887">#1887</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/91bcb96244214bea0d62982fba3bc825f9604af9"><code>91bcb96</code></a> Use the GitHub client's host correctly in two more places (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1881">#1881</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/3ed8316a1ce22a3f9c887c1021992ca19d31dce4"><code>3ed8316</code></a> chore: use <code>tracing</code> for printing the welcome message (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/1886">#1886</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/484acedf381a7553f663309b44def3b7953fb4d8"><code>484aced</code></a> feat(ref-version-mismatch): detect missing version comments on SHA-pinned act...</li> <li><a href="https://github.com/zizmorcore/zizmor/commit/7ee374f5db0b69b96ef4f7ba89d0c33c8a93a7ba"><code>7ee374f</code></a> KATs for GitHub Actions expressions (<a href="https://redirect.github.com/zizmorcore/zizmor/issues/1857">#1857</a>)</li> <li>Additional commits viewable in <a href="https://github.com/zizmorcore/zizmor/compare/v1.23.1...v1.24.1">compare view</a></li> </ul> </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>

-- This is 
an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
