Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package zizmor for openSUSE:Factory checked in at 2025-10-29 21:06:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/zizmor (Old) and /work/SRC/openSUSE:Factory/.zizmor.new.1980 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "zizmor" Wed Oct 29 21:06:51 2025 rev:21 rq:1314255 version:1.16.1 Changes: -------- --- /work/SRC/openSUSE:Factory/zizmor/zizmor.changes 2025-10-24 17:25:17.184086254 +0200 +++ /work/SRC/openSUSE:Factory/.zizmor.new.1980/zizmor.changes 2025-10-29 21:08:07.122312734 +0100 @@ -1,0 +2,10 @@ +Wed Oct 29 05:40:13 UTC 2025 - Johannes Kastl <[email protected]> + +- Update to version 1.16.1: + * Enhancements + - zizmor now produces a more useful error message when asked to + indirectly access a nonexistent or private repository via a + uses: clause (without a sufficiently privileged GitHub token) + (#1293) + +------------------------------------------------------------------- Old: ---- zizmor-1.16.0.obscpio New: ---- zizmor-1.16.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ zizmor.spec ++++++ --- /var/tmp/diff_new_pack.DdShZt/_old 2025-10-29 21:08:07.770339969 +0100 +++ /var/tmp/diff_new_pack.DdShZt/_new 2025-10-29 21:08:07.770339969 +0100 @@ -17,7 +17,7 @@ Name: zizmor -Version: 1.16.0 +Version: 1.16.1 Release: 0 Summary: A static analysis tool for GitHub Actions License: MIT ++++++ _service ++++++ --- /var/tmp/diff_new_pack.DdShZt/_old 2025-10-29 21:08:07.822342155 +0100 +++ /var/tmp/diff_new_pack.DdShZt/_new 2025-10-29 21:08:07.830342491 +0100 @@ -4,7 +4,7 @@ <param name="scm">git</param> <param name="exclude">.git</param> <param name="versionformat">@PARENT_TAG@</param> - <param name="revision">v1.16.0</param> + <param name="revision">v1.16.1</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.DdShZt/_old 2025-10-29 21:08:07.850343331 +0100 +++ /var/tmp/diff_new_pack.DdShZt/_new 2025-10-29 21:08:07.854343499 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/woodruffw/zizmor</param> - <param name="changesrevision">b40d0d2b6e111696a566740db7137b3df557d122</param></service></servicedata> + <param name="changesrevision">1a264aa6a1306bb1c9c2b734def360aeb93f97ef</param></service></servicedata> (No newline at EOF) ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/zizmor/vendor.tar.zst /work/SRC/openSUSE:Factory/.zizmor.new.1980/vendor.tar.zst differ: char 7, line 1 ++++++ zizmor-1.16.0.obscpio -> zizmor-1.16.1.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/Cargo.lock new/zizmor-1.16.1/Cargo.lock --- old/zizmor-1.16.0/Cargo.lock 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/Cargo.lock 2025-10-29 02:07:02.000000000 +0100 @@ -3739,7 +3739,7 @@ [[package]] name = "yamlpatch" -version = "0.3.1" +version = "0.4.0" dependencies = [ "indexmap", "insta", @@ -3879,7 +3879,7 @@ [[package]] name = "zizmor" -version = "1.16.0" +version = "1.16.1" dependencies = [ "annotate-snippets", "anstream", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/Cargo.toml new/zizmor-1.16.1/Cargo.toml --- old/zizmor-1.16.0/Cargo.toml 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/Cargo.toml 2025-10-29 02:07:02.000000000 +0100 
@@ -73,7 +73,7 @@ tree-sitter-iter = { path = "crates/tree-sitter-iter", version = "0.0.2" } tree-sitter-powershell = "0.25.9" yamlpath = { path = "crates/yamlpath", version = "0.27.0" } -yamlpatch = { path = "crates/yamlpatch", version = "0.3.1" } +yamlpatch = { path = "crates/yamlpatch", version = "0.4.0" } tree-sitter-yaml = "0.7.2" tikv-jemallocator = "0.6" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/crates/yamlpatch/Cargo.toml new/zizmor-1.16.1/crates/yamlpatch/Cargo.toml --- old/zizmor-1.16.0/crates/yamlpatch/Cargo.toml 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/crates/yamlpatch/Cargo.toml 2025-10-29 02:07:02.000000000 +0100 @@ -1,6 +1,6 @@ [package] name = "yamlpatch" -version = "0.3.1" +version = "0.4.0" description = "Comment and format-preserving YAML patch operations" repository = "https://github.com/zizmorcore/zizmor/tree/main/crates/yamlpatch" keywords = ["yaml", "patch"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/crates/zizmor/Cargo.toml new/zizmor-1.16.1/crates/zizmor/Cargo.toml --- old/zizmor-1.16.0/crates/zizmor/Cargo.toml 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/crates/zizmor/Cargo.toml 2025-10-29 02:07:02.000000000 +0100 @@ -1,7 +1,7 @@ [package] name = "zizmor" description = "Static analysis for GitHub Actions" -version = "1.16.0" +version = "1.16.1" repository = "https://github.com/zizmorcore/zizmor" documentation = "https://docs.zizmor.sh" keywords = ["cli", "github-actions", "static-analysis", "security"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/crates/zizmor/src/github.rs new/zizmor-1.16.1/crates/zizmor/src/github.rs --- old/zizmor-1.16.0/crates/zizmor/src/github.rs 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/crates/zizmor/src/github.rs 2025-10-29 02:07:02.000000000 +0100 
@@ -148,6 +148,9 @@ /// between listing and fetching it. #[error("couldn't fetch file {file} from {slug}: is the branch/tag being modified?")] FileTOCTOU { file: String, slug: String }, + /// An accessed repository is missing or private. + #[error("can't access {owner}/{repo}: missing or you have no access")] + RepoMissingOrPrivate { owner: String, repo: String }, /// Any of the errors above, wrapped from concurrent contexts. #[error(transparent)] Inner(#[from] Arc<ClientError>), @@ -372,8 +375,20 @@ .body(req) .basic_auth("x-access-token", Some(&self.token.0)) .send() - .await? - .error_for_status()?; + .await?; + + let resp = match resp.status() { + StatusCode::OK => Ok(resp), + // NOTE: Versions of zizmor prior to 1.16.0 would silently + // skip private or missing repositories, as branch/tag lookups + // were done as a binary present/absent check. This caused + // false negatives. + StatusCode::NOT_FOUND => Err(ClientError::RepoMissingOrPrivate { + owner: owner.to_string(), + repo: repo.to_string(), + }), + _ => Err(resp.error_for_status().unwrap_err().into()), + }?; let mut remote_refs = vec![]; let content = resp.bytes().await?; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/crates/zizmor/src/main.rs new/zizmor-1.16.1/crates/zizmor/src/main.rs --- old/zizmor-1.16.0/crates/zizmor/src/main.rs 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/crates/zizmor/src/main.rs 2025-10-29 02:07:02.000000000 +0100 
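Review bot: The catch-all arm `_ => Err(resp.error_for_status().unwrap_err().into())` in the second hunk panics for any status that is neither 200 nor 404 but also not an error status, because `error_for_status()` returns `Ok` for 2xx/3xx responses (assuming a reqwest-style client); a 204 or an unfollowed redirect from this endpoint would now abort the process where the previous `.error_for_status()?` simply continued. Write it as `_ => resp.error_for_status().map_err(ClientError::from),` so non-error statuses keep the old behaviour and real HTTP errors still go through the same conversion the `.into()` already relies on. Mapping only `NOT_FOUND` to `RepoMissingOrPrivate` matches GitHub's habit of hiding private repositories behind 404, but access denials that surface as 403 (for example a token whose permissions do not cover the organisation) still produce the generic error, which is worth stating on the new variant, e.g. `/// GitHub reports a private repository without access as 404; 403 responses are not mapped here.`. The enclosing function starts before this hunk.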
@@ -849,55 +849,57 @@ Some(report) } - Error::Collection(err @ CollectionError::InvalidInput(..)) => { - let group = Group::with_title(Level::ERROR.primary_title(err.to_string())) - .element(Level::HELP.message(format!( - "valid inputs are files, directories, or GitHub {slug} slugs", - slug = "user/repo[@ref]".green() - ))) - .element(Level::HELP.message(format!( - "examples: {ex1}, {ex2}, {ex3}, or {ex4}", - ex1 = "path/to/workflow.yml".green(), - ex2 = ".github/".green(), - ex3 = "example/example".green(), - ex4 = "example/[email protected]".green() - ))); + Error::Collection(err) => match err.inner() { + CollectionError::DuplicateInput(..) => { + let group = Group::with_title(Level::ERROR.primary_title(err.to_string())) + .element(Level::HELP.message(format!( + "valid inputs are files, directories, or GitHub {slug} slugs", + slug = "user/repo[@ref]".green() + ))) + .element(Level::HELP.message(format!( + "examples: {ex1}, {ex2}, {ex3}, or {ex4}", + ex1 = "path/to/workflow.yml".green(), + ex2 = ".github/".green(), + ex3 = "example/example".green(), + ex4 = "example/[email protected]".green() + ))); - let renderer = Renderer::styled(); - let report = renderer.render(&[group]); + let renderer = Renderer::styled(); + let report = renderer.render(&[group]); - Some(report) - } - Error::Collection(err @ CollectionError::NoGitHubClient(_)) => { - let mut group = Group::with_title(Level::ERROR.primary_title(err.to_string())); + Some(report) + } + CollectionError::NoGitHubClient(..) 
=> { + let mut group = + Group::with_title(Level::ERROR.primary_title(err.to_string())); - if app.offline { - group = group - .elements([Level::HELP + if app.offline { + group = group.elements([Level::HELP .message("remove --offline to audit remote repositories")]); - } else if app.gh_token.is_none() { - group = group - .elements([Level::HELP + } else if app.gh_token.is_none() { + group = group.elements([Level::HELP .message("set a GitHub token with --gh-token or GH_TOKEN")]); - } + } - let renderer = Renderer::styled(); - let report = renderer.render(&[group]); + let renderer = Renderer::styled(); + let report = renderer.render(&[group]); - Some(report) - } - Error::Collection(err @ CollectionError::Yamlpath(_)) => { - let group = Group::with_title(Level::ERROR.primary_title(err.to_string())).elements([ - Level::HELP.message("this typically indicates a bug in zizmor; please report it"), - Level::HELP.message( - "https://github.com/zizmorcore/zizmor/issues/new?template=bug-report.yml", - ), - ]); - let renderer = Renderer::styled(); - let report = renderer.render(&[group]); + Some(report) + } + CollectionError::Yamlpath(..) => { + let group = Group::with_title(Level::ERROR.primary_title(err.to_string())).elements([ + Level::HELP.message("this typically indicates a bug in zizmor; please report it"), + Level::HELP.message( + "https://github.com/zizmorcore/zizmor/issues/new?template=bug-report.yml", + ), + ]); + let renderer = Renderer::styled(); + let report = renderer.render(&[group]); - Some(report) - } + Some(report) + } + _ => None, + }, _ => None, }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/crates/zizmor/src/registry/input.rs new/zizmor-1.16.1/crates/zizmor/src/registry/input.rs --- old/zizmor-1.16.0/crates/zizmor/src/registry/input.rs 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/crates/zizmor/src/registry/input.rs 2025-10-29 02:07:02.000000000 +0100 
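Review bot: The first arm of the new `match err.inner()` matches `CollectionError::DuplicateInput(..)` while keeping the help text that the removed `InvalidInput(..)` arm rendered (`valid inputs are files, directories, or GitHub user/repo[@ref] slugs` plus the example list); a duplicated input is not an invalid one, so the hint no longer fits, and if `InvalidInput` still exists as a variant it now falls through to the inner `_ => None` and loses its rendered help entirely. Either restore an `InvalidInput(..)` arm carrying this text and give `DuplicateInput(..)` its own hint, something like `Level::HELP.message("the same input was given more than once; remove the duplicate")`, or confirm that the variant was renamed upstream and adjust the wording. Note also that every title still uses `err.to_string()` on the outer error while dispatch happens on `err.inner()`, so a wrapped `Inner` error renders the outer message; if that is intended, a one-line comment such as `// title uses the outer error so the full context chain is shown` would save the next reader the question. The enclosing `match` starts before this hunk.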
@@ -93,6 +93,19 @@ NoInputs, } +impl CollectionError { + /// Returns the "innermost" variant of this [`CollectionError`]. + /// + /// In practice this is always `&self` *unless* this is an + /// `Inner` variant, in which case it recurses into the inner error. + pub(crate) fn inner(&self) -> &Self { + match self { + CollectionError::Inner(inner, _, _) => inner.inner(), + _ => self, + } + } +} + #[derive(Debug, Copy, Clone, Eq, Hash, PartialEq, Serialize, PartialOrd, Ord)] pub(crate) enum InputKind { /// A workflow file. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/crates/zizmor/tests/integration/e2e.rs new/zizmor-1.16.1/crates/zizmor/tests/integration/e2e.rs --- old/zizmor-1.16.0/crates/zizmor/tests/integration/e2e.rs 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/crates/zizmor/tests/integration/e2e.rs 2025-10-29 02:07:02.000000000 +0100 @@ -75,7 +75,7 @@ .output(OutputMode::Both) .args(["--collect=all"]) .input(input_under_test("e2e-menagerie")) - .run()? + .run()?, ); Ok(()) 
@@ -366,4 +366,32 @@ ); Ok(()) +} + +/// Regression test for #1286. +/// +/// Ensures that we produce a useful error when a user's input references +/// a private (or missing) repository. +#[cfg_attr(not(feature = "gh-token-tests"), ignore)] +#[test] +fn issue_1286() -> Result<()> { + insta::assert_snapshot!( + zizmor() + .expects_failure(true) + .output(OutputMode::Both) + .offline(false) + .input(input_under_test("issue-1286.yml")) + .run()?, + @r" + 🌈 zizmor v@@VERSION@@ + fatal: no audit was performed + ref-confusion failed on file://@@INPUT@@ + + Caused by: + 0: couldn't list branches for woodruffw-experiments/this-does-not-exist + 1: can't access woodruffw-experiments/this-does-not-exist: missing or you have no access + ", + ); + + Ok(()) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/crates/zizmor/tests/integration/test-data/issue-1286.yml new/zizmor-1.16.1/crates/zizmor/tests/integration/test-data/issue-1286.yml --- old/zizmor-1.16.0/crates/zizmor/tests/integration/test-data/issue-1286.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/zizmor-1.16.1/crates/zizmor/tests/integration/test-data/issue-1286.yml 2025-10-29 02:07:02.000000000 +0100 @@ -0,0 +1,19 @@ +# repro for #1286 + +name: issue-1286-repro + +on: [push, pull_request] + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: {} + +jobs: + issue-1286-repro: + name: issue-1286-repro + runs-on: ubuntu-latest + steps: + - name: private + uses: woodruffw-experiments/[email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/docs/index.md new/zizmor-1.16.1/docs/index.md --- old/zizmor-1.16.0/docs/index.md 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/docs/index.md 2025-10-29 02:07:02.000000000 +0100 
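Review bot: The snapshot in `issue_1286` pins the exact two-line `Caused by:` chain produced by a live request for `woodruffw-experiments/this-does-not-exist`, so the test depends on GitHub continuing to answer 404 for that name with the token used in CI; if a repository of that name is ever created, or the API answers 403 for a differently scoped token, the assertion fails for reasons unrelated to zizmor. Consider stating that dependency in the doc comment, e.g. `/// Needs network access and a token that cannot see the referenced repository (gated by the gh-token-tests feature).`, and asserting only on the final `can't access ...` line so that a later change to the outer `couldn't list branches` wrapping does not break this regression check. The `#[cfg_attr(not(feature = "gh-token-tests"), ignore)]` gate is appropriate, since the test cannot be meaningful offline.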
@@ -36,7 +36,7 @@ [:octicons-arrow-right-24: Usage recipes](./usage.md) -- :material-robot-love:{.lg .middle} Integration +- :material-robot-love:{.lg .middle} Integrations --- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/docs/installation.md new/zizmor-1.16.1/docs/installation.md --- old/zizmor-1.16.0/docs/installation.md 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/docs/installation.md 2025-10-29 02:07:02.000000000 +0100 @@ -8,7 +8,7 @@ `zizmor` is available within several packaging ecosystems. -=== ":simple-homebrew: Homebrew" +=== ":simple-homebrew: Homebrew" { #homebrew }  @@ -18,7 +18,7 @@ brew install zizmor ``` -=== ":simple-pypi: PyPI" +=== ":simple-pypi: PyPI" { #pypi }  @@ -45,7 +45,7 @@ uvx zizmor --help ``` -=== ":simple-rust: crates.io" +=== ":simple-rust: crates.io" { #cratesio }  @@ -61,7 +61,7 @@ cargo install --locked zizmor ``` -=== ":simple-docker: Docker" +=== ":simple-docker: Docker" { #docker } An official `zizmor` image is available from the [GitHub Container Registry](https://ghcr.io/zizmorcore/zizmor): @@ -69,7 +69,7 @@ docker pull ghcr.io/zizmorcore/zizmor:latest ``` -=== ":simple-anaconda: Conda" +=== ":simple-anaconda: Conda" { #conda } [](https://anaconda.org/conda-forge/zizmor) [](https://anaconda.org/conda-forge/zizmor) @@ -89,7 +89,7 @@ for additional information. -=== ":material-nix: Nix" +=== ":material-nix: Nix" { #nix } [](https://repology.org/project/zizmor/versions) @@ -105,7 +105,7 @@ nix profile install nixpkgs#zizmor ``` -=== ":simple-archlinux: Arch Linux" +=== ":simple-archlinux: Arch Linux" { #archlinux } [](https://repology.org/project/zizmor/versions) @@ -118,7 +118,7 @@ pacman -S zizmor ``` -=== "Chimera Linux" +=== "Chimera Linux" { #chimeralinux } [](https://repology.org/project/zizmor/versions) 
@@ -135,7 +135,7 @@ apk add zizmor ``` -=== ":simple-alpinelinux: Alpine Linux" +=== ":simple-alpinelinux: Alpine Linux" { #alpinelinux } [](https://repology.org/project/zizmor/versions) @@ -147,7 +147,7 @@ apk add zizmor ``` -=== "Other ecosystems" +=== "Other ecosystems" { #other-ecosystems } !!! info diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/docs/integrations.md new/zizmor-1.16.1/docs/integrations.md --- old/zizmor-1.16.0/docs/integrations.md 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/docs/integrations.md 2025-10-29 02:07:02.000000000 +0100 @@ -99,7 +99,7 @@ persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 # v6.7.0 + uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2 - name: Run zizmor 🌈 run: uvx zizmor --format=sarif . > results.sarif # (2)! @@ -107,7 +107,7 @@ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # (1)! - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 + uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0 with: sarif_file: results.sarif category: zizmor @@ -168,7 +168,7 @@ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install the latest version of uv - uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 # v6.7.0 + uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2 - name: Run zizmor 🌈 run: uvx zizmor --format=github . # (2)! 
@@ -256,7 +256,7 @@ ```yaml - repo: https://github.com/zizmorcore/zizmor-pre-commit - rev: v1.16.0 # (1)! + rev: v1.16.1 # (1)! hooks: - id: zizmor ``` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/docs/release-notes.md new/zizmor-1.16.1/docs/release-notes.md --- old/zizmor-1.16.0/docs/release-notes.md 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/docs/release-notes.md 2025-10-29 02:07:02.000000000 +0100 @@ -9,6 +9,14 @@ ## Next (UNRELEASED) +## 1.16.1 + +### Enhancements 🌱 + +* `zizmor` now produces a more useful error message when asked to indirectly + access a nonexistent or private repository via a `uses:` clause (without + a sufficiently privileged GitHub token) (#1293) + ## 1.16.0 ### New Features 🌈 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/docs/snippets/trophies.md new/zizmor-1.16.1/docs/snippets/trophies.md --- old/zizmor-1.16.0/docs/snippets/trophies.md 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/docs/snippets/trophies.md 2025-10-29 02:07:02.000000000 +0100 @@ -615,6 +615,14 @@ - Instagram/LibCST#1262 +- { width="40" loading=lazy align=left } intel + + --- + + ??? example "Examples" + - intel/llvm#20437 + + - { width="40" loading=lazy align=left } ispc --- @@ -850,6 +858,7 @@ ??? example "Examples" - NixOS/infra#613 + - NixOS/nixpkgs#396451 - { width="40" loading=lazy align=left } NLnetLabs 
@@ -1228,6 +1237,15 @@ - rustls/webpki#299 +- { width="40" loading=lazy align=left } rustsec + + --- + + ??? example "Examples" + - rustsec/advisory-db#2444 + - rustsec/rustsec#1449 + + - { width="40" loading=lazy align=left } Saghen --- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/docs/snippets/trophies.txt new/zizmor-1.16.1/docs/snippets/trophies.txt --- old/zizmor-1.16.0/docs/snippets/trophies.txt 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/docs/snippets/trophies.txt 2025-10-29 02:07:02.000000000 +0100 @@ -136,6 +136,7 @@ indygreg/apple-platform-rs@5bded60cbfc2b81e1bedd745ab41417e5c3a76ea indygreg/cryptography-rs@d0ae52a8040c7be8fd2024a5e2dc1cc1705c3469 indygreg/python-zstandard@d0bf56011d85faf1c76da38f63d174b275c2cdeb +intel/llvm#20437 Instagram/LibCST#1262 ispc/ispc#3589 jj-vcs/jj#5076 @@ -185,6 +186,7 @@ nextcloud/user_saml#947 nextcloud/.github#477 NixOS/infra#613 +NixOS/nixpkgs#396451 NLnetLabs/nsd#413 NLnetLabs/unbound#1204 numpy/numpy#27931 @@ -253,6 +255,8 @@ rolldown/rolldown#3861 rubygems/rubygems.org#5350 rubygems/rubygems#8702 +rustsec/advisory-db#2444 +rustsec/rustsec#1449 rust-lang/crates.io#10176 rust-lang/crates.io#11203 rust-lang/rust-clippy#13933 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/docs/troubleshooting.md new/zizmor-1.16.1/docs/troubleshooting.md --- old/zizmor-1.16.0/docs/troubleshooting.md 1970-01-01 01:00:00.000000000 +0100 +++ new/zizmor-1.16.1/docs/troubleshooting.md 2025-10-29 02:07:02.000000000 +0100 
@@ -0,0 +1,115 @@ +This page documents some of the common issues that people run into when +installing or using `zizmor`. + +!!! tip + + Don't see your issue here? Let us know by opening an issue, + and consider contributing it! + +## Installation issues + +### `cargo install zizmor` fails + +If you install `zizmor` from crates.io using `cargo install zizmor`, you +may occasionally run into build errors that look like this: + +``` +error: failed to compile `zizmor vA.B.C`, intermediate artifacts can be found at `/SOME/TEMP/DIR`. +To reuse those artifacts with a future compilation, set the environment variable `CARGO_TARGET_DIR` to that path. + +Caused by: + failed to select a version for the requirement `SOMEDEP = "^X.Y.Z"` + version X.Y.Z is yanked + location searched: crates.io index + required by package `zizmor vA.B.C` +``` + +This happens when one or more of `zizmor`'s dependencies has a yanked version +that the requested version of `zizmor` depends on. + +If you run into this issue, you have two options: + +1. Install `zizmor` from one of the binary distributions sources + recommended in the [installation docs](./installation.md). + **This is the recommended option.** +2. Use the `--locked` flag with `cargo install`: + + ```bash + cargo install --locked zizmor + ``` + + This will force `cargo` to use the exact dependencies specified in + `zizmor`'s `Cargo.lock` file, overriding any yanked versions. 
+ +## Runtime errors + +### "can't access ORG/REPO: missing or you have no access" + +When running `zizmor` in an online mode, you might see an error like this: + +``` +fatal: no audit was performed +ref-confusion failed on https://github.com/example/repoA/.github/workflows/ci.yml + +Caused by: + 0: couldn't list branches for example/repoB + 1: can't access example/repoB: missing or you have no access +``` + +This error means that `zizmor` was able to retrieve your inputs, +but that those inputs include a _reference_ (such as a `#!yaml uses:` clause) +that `zizmor` cannot access. + +A common scenario that causes this is as follows: + +1. You enable `zizmor` in GitHub Actions on `example/repoA` (public _or_ + private), via @zizmorcore/zizmor-action. This action uses the default + `secrets.GITHUB_TOKEN` to perform online audits. +2. `example/repoA` has a workflow that uses an action or reusable workflow +from a different private repository, e.g. `example/repoB`. + + For example: + + ```yaml title="example/repoA/.github/workflows/ci.yml" + - uses: example/repoB/[email protected] + ``` + +3. `zizmor` tries to access `example/repoB` to analyze the referenced + action, but the `GITHUB_TOKEN` provided to the action only has access + to `example/repoA`, not `example/repoB`. + +This happens because the default `GITHUB_TOKEN` provided to GitHub Actions +does not have private repository access across different repositories, +by design. See orgs/community?46566 for additional information on this +behavior. + +If you run into this issue, you have two options: + +1. You can run `zizmor` in offline mode, e.g. with `--offline` or + `#!yaml online-audits: false` in the action's settings. This will prevent + all online accesses that could fail across repository boundaries, + at the cost of disabling online audits. + +2. You can provide a custom PAT to `zizmor` that provides read access to the + necessary repositories. 
You can do this by creating a new fine-grained PAT + with only the "Contents: read-only" permission for the relevant repositories. + + This PAT can then be provided to `zizmor` via `--gh-token` or `GITHUB_TOKEN` + on the command line, or via the `token` input to the GitHub Action + (once you've added your PAT to your repository secrets). + + For example, if you've configured the PAT as `ZIZMOR_GH_TOKEN` + in your repository secrets, you could do: + + ```yaml title="example/repoA/.github/workflows/ci.yml" hl_lines="3" + - uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0 + with: + token: ${{ secrets.ZIZMOR_GH_TOKEN }} + ``` + + !!! important + + The **only** permission that `zizmor` itself needs is "Contents: read-only". + + You should always reduce the risk of token leakage by granting + **only the minimum** necessary permissions. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/mkdocs.yml new/zizmor-1.16.1/mkdocs.yml --- old/zizmor-1.16.0/mkdocs.yml 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/mkdocs.yml 2025-10-29 02:07:02.000000000 +0100 @@ -14,6 +14,7 @@ - "quickstart.md" - "usage.md" - "integrations.md" + - "troubleshooting.md" - "release-notes.md" - "configuration.md" - "audits.md" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zizmor-1.16.0/pyproject.toml new/zizmor-1.16.1/pyproject.toml --- old/zizmor-1.16.0/pyproject.toml 2025-10-24 03:13:57.000000000 +0200 +++ new/zizmor-1.16.1/pyproject.toml 2025-10-29 02:07:02.000000000 +0100 
@@ -6,7 +6,7 @@ # `uv run --only-group docs` from failing. [project] name = "zizmor" -dynamic = ["version", "readme"] +dynamic = ["version", "description", "readme", "urls", "authors", "license"] # Arbitrarily set to the oldest non-EOL Python. requires-python = ">=3.9" ++++++ zizmor.obsinfo ++++++ --- /var/tmp/diff_new_pack.DdShZt/_old 2025-10-29 21:08:08.418367204 +0100 +++ /var/tmp/diff_new_pack.DdShZt/_new 2025-10-29 21:08:08.426367540 +0100 @@ -1,5 +1,5 @@ name: zizmor -version: 1.16.0 -mtime: 1761268437 -commit: b40d0d2b6e111696a566740db7137b3df557d122 +version: 1.16.1 +mtime: 1761700022 +commit: 1a264aa6a1306bb1c9c2b734def360aeb93f97ef
