Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package zizmor for openSUSE:Factory checked in at 2026-04-13 23:19:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/zizmor (Old)
 and      /work/SRC/openSUSE:Factory/.zizmor.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "zizmor" Mon Apr 13 23:19:10 2026 rev:31 rq:1346343 version:1.24.0 Changes: -------- --- /work/SRC/openSUSE:Factory/zizmor/zizmor.changes 2026-03-09 16:24:40.513961612 +0100 +++ /work/SRC/openSUSE:Factory/.zizmor.new.21863/zizmor.changes 2026-04-13 23:20:05.715116755 +0200 
@@ -1,0 +2,103 @@ +Mon Apr 13 05:08:03 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 1.24.0: + * New Features + - zizmor now allows users to audit from stdin, by passing + zizmor - (#1611) + * Enhancements + - The use-trusted-publishing audit now detects bun publish and + bunx npm publish patterns (#1737) + - zizmor's CLI help and usage output now uses a custom color + scheme for improved readability (#1747) + - The secrets-outside-env audit is now configurable with an + allowlist of secret names that should not be flagged, even + when referenced outside of an environment (#1759) + - The dependabot-cooldown audit now emits a pedantic finding + whenever it encounters a cooldown used with a + multi-ecosystem-group, as the two do not interact well + (#1780) + - Recommend gh release upload as a replacement for + svenstaro/upload-release-action in superfluous-actions + (#1801) + - Recommend gh issue create as a replacement for + dacbd/create-issue-action in superfluous-actions (#1873) + - The obfuscation audit now emits a finding for with: ${{ expr + }} clauses cannot be analyzed (#1772) + - zizmor --help is now rendered with option groups for improved + readability (#1831) + - zizmor's SARIF output now uses codeflows instead of related + locations, improving its rendering behavior on GitHub + Advanced Security (#1843) + - The ref-version-mismatch audit now uses a more useful audit + description for its findings (#1843) + - The unpinned-images audit now produces more precise findings + for image references that are computed through expressions + (#1756) + - The ref-version-mismatch audit now detects missing version + comments as well (#1849) + * Bug Fixes + - Fixed a bug where the concurrency-limits audit reported + findings at the job level instead of the workflow level + (#1627) + - Fixed a bug where with: ${{ expr }} clauses would cause a + crash. artipacked audit emits a pedantic finding on such + clauses. 
(#1772) + - Fixed a bug where auto-fixes for the template-injection audit + would fail to preserve an environment variable's casing + (#1766) + - Fixed a bug where the secrets-outside-env audit would + incorrectly flag reusable workflows (#1777) + - Fixed a bug where expressions containing Infinity or NaN + would fail to parse (#1778) + - Fixed several bugs where some parenthetical forms in + expressions would fail to parse (#1779, #1856) + - Fixed a bug where expressions with invalid identifiers (such + as -Inf) would be incorrectly accepted (#1794) + - Fixed a bug where the known-vulnerable-actions audit would + fail to handle multiple discrete packages in a single + advisory (#1810) + - Fixed a bug where the template-injection audit would + incorrectly flag needs.*.result as an injection risk in the + default persona (#1814) + - Fixed a bug where the unpinned-uses audit would product + incorrect auto-fixes for actions with subpaths (#1841) + - Fixed a bug where the ref-version-mismatch audit would fail + to produce findings for comments containing nonexistent refs + (#1853) + - Fixed a bug where expressions containing NaN would be + constant-evaluated incorrectly (#1858) + - Fixed a bug where nix would not be recognized as a + package-ecosystem in dependabot.yml (#1867) + - Fixed a bug where the ref-version-mismatch audit would + incorrectly parse prerelease version comments (such as # + v6-beta), causing some findings to appear unresolvable + (#1870) + - Fixed a bug where various string comparisons in expressions + did not perfectly match GitHub's own special uppercasing + semantics (#1879) + - Fixed a bug where zizmor would incorrectly contact github.com + instead of the user's requested --gh-hostname for some online + requests (#1874) + - Fixed a bug where the artipacked audit would fail to honor + the --no-online-audits flag (#1874) + * Changes + - The secrets-outside-env audit now only flags findings with + the 'auditor' persona, due to numerous false 
positives and + negatives caused by GitHub's platform limitations (primarily + around interactions between environment secrets and reusable + workflows) (#1777) + - zizmor's handling of GitHub Actions expressions has been made + stricter, and now rejects unknown functions and function + calls with incorrect arities (#1823, #1826) + - The superfluous-actions audit now uses the "pedantic" persona + for some findings along with a medium or low confidence + marker to signal when a action may not be easily replaced + with built-in functionality (#1822, #1859) + - The unpinned-uses audit no longer suggests auto-fixes for Git + references that don't look like version tags, such as main + (#1860) + - The template-injection audit now considers more "URL-shaped" + contexts to be fully attacker-controllable, rather than + partially controllable (#1868) + +------------------------------------------------------------------- Old: ---- zizmor-1.23.1.obscpio New: ---- zizmor-1.24.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ zizmor.spec ++++++ --- /var/tmp/diff_new_pack.bPDpUl/_old 2026-04-13 23:20:06.675156382 +0200 +++ /var/tmp/diff_new_pack.bPDpUl/_new 2026-04-13 23:20:06.679156547 +0200 @@ -17,7 +17,7 @@ Name: zizmor -Version: 1.23.1 +Version: 1.24.0 Release: 0 Summary: A static analysis tool for GitHub Actions License: MIT ++++++ _service ++++++ --- /var/tmp/diff_new_pack.bPDpUl/_old 2026-04-13 23:20:06.743159189 +0200 +++ /var/tmp/diff_new_pack.bPDpUl/_new 2026-04-13 23:20:06.747159354 +0200 
@@ -4,7 +4,7 @@ <param name="scm">git</param> <param name="exclude">.git</param> <param name="versionformat">@PARENT_TAG@</param> - <param name="revision">v1.23.1</param> + <param name="revision">v1.24.0</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.bPDpUl/_old 2026-04-13 23:20:06.799161500 +0200 +++ /var/tmp/diff_new_pack.bPDpUl/_new 2026-04-13 23:20:06.803161666 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/woodruffw/zizmor</param> - <param name="changesrevision">0b77258cf93d4e0ae762c843422c333faf2793f6</param></service></servicedata> + <param name="changesrevision">d5aba605f4267b96e34775de183955ff0a3197ad</param></service></servicedata> (No newline at EOF) ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/zizmor/vendor.tar.zst /work/SRC/openSUSE:Factory/.zizmor.new.21863/vendor.tar.zst differ: char 7, line 1 ++++++ zizmor-1.23.1.obscpio -> zizmor-1.24.0.obscpio ++++++ ++++ 25457 lines of diff (skipped) ++++++ zizmor.obsinfo ++++++ --- /var/tmp/diff_new_pack.bPDpUl/_old 2026-04-13 23:20:07.623195514 +0200 +++ /var/tmp/diff_new_pack.bPDpUl/_new 2026-04-13 23:20:07.631195844 +0200 @@ -1,5 +1,5 @@ name: zizmor -version: 1.23.1 -mtime: 1772988185 -commit: 0b77258cf93d4e0ae762c843422c333faf2793f6 +version: 1.24.0 +mtime: 1776045964 +commit: d5aba605f4267b96e34775de183955ff0a3197ad
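Review bot: in the zizmor.changes hunk, three bullets carry typos worth fixing before they land in the package changelog: "the unpinned-uses audit would product incorrect auto-fixes" should read "produce", "when a action may not be easily replaced" should read "an action", and "emits a finding for with: ${{ expr }} clauses cannot be analyzed" is missing "that" before "cannot". The "Changes" entries also change what a default run reports and are worth calling out to users: secrets-outside-env findings are now emitted only under the 'auditor' persona (#1777), so a default zizmor run after this update will be silent on them; the stricter expression handling (#1823, #1826), the pedantic superfluous-actions findings (#1822, #1859) and the broader attacker-controllable treatment of URL-shaped contexts in template-injection (#1868) can all change results on workflows that previously passed or failed.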
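Review bot: in the _servicedata hunk the changesrevision moves to d5aba605f4267b96e34775de183955ff0a3197ad, which matches the commit: line in the zizmor.obsinfo hunk and the v1.24.0 revision in the _service hunk, so the three sources of truth for what was fetched agree with the Version bump in zizmor.spec. The one nit is the "(No newline at EOF)" on _servicedata: until a trailing newline is added it will keep showing up as noise in every future diff of this file.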
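Review bot: the vendor.tar.zst entry only reports "differ: char 7, line 1" and the source comparison is skipped ("25457 lines of diff (skipped)"), so nothing in this mail shows which vendored dependencies changed between 1.23.1 and 1.24.0. Since the vendor archive is what is actually compiled into the package, the dependency manifests of the old and new archives should be diffed out of band before this request is accepted, rather than relying on the consistent version and commit bumps alone.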
