Bump zizmor from 1.19.0 to 1.22.0 in /.github/workflows

[dependabot]

Bumps zizmor from 1.19.0 to 1.22.0.

Release notes

Sourced from zizmor's releases.

v1.22.0

Changes ⚠️🔗

• The misfeature audit now only shows non-"well known" shell: findings when running with the "auditor" persona (#1532)

Bug Fixes 🐛🔗

• Fixed a bug where inputs containing CRLF line endings were not patched correctly by the unpinned-uses audit (#1536)

v1.21.0

New Features 🌈🔗

• New audit: misfeature detects usage of GitHub Actions features that are considered "misfeatures." (#1517)

Enhancements 🌱🔗

• zizmor now uses exit code 3 to signal an audit that has failed because no input files were collected. See the exit code documentation for details (#1515)

• The unpinned-uses audit now supports auto-fixes for many findings (#1525)

Changes ⚠️🔗

• The obfuscation audit no longer flags shell: cmd. That check has been moved to the new misfeature audit. Users may need to update their ignore comments and/or configuration (#1517)

Bug Fixes 🐛🔗

• The unpinned-uses audit now flags reusable workflows that are unpinned, in addition to actions (#1509)

  Many thanks to @​johnbillion for implementing this fix!

v1.20.0

Enhancements 🌱🔗

• The excessive-permissions audit is now aware of the artifact-metadata and models permissions (#1461)

• The cache-poisoning audit is now aware of the ramsey/composer-install action (#1489)

• The unpinned-images audit is now significantly more precise in the presence of matrix references, e.g. image: ${{ matrix.image }} (#1482)

Changes ⚠️🔗

• The default policy for the unpinned-uses audit has changed from allowing ref-pinning for first-party actions (those under actions/* and similar) to requiring hash-pinning. This makes the default policy more strict, as well as more consistent across the actions ecosystem.

  Users who with to retain the old (permissive policy) for first-party actions may configure it explicitly in their zizmor.yml:

zizmor.yml
rules:
unpinned-uses:
</tr></table>

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.22.0

Changes ⚠️

• The [misfeature] audit now only shows non-"well known" #!yaml shell: findings when running with the "auditor" persona (#1532)

Bug Fixes 🐛

• Fixed a bug where inputs containing CRLF line endings were not patched correctly by the [unpinned-uses] audit (#1536)

1.21.0

New Features 🌈

• New audit: [misfeature] detects usage of GitHub Actions features that are considered "misfeatures." (#1517)

Enhancements 🌱

• zizmor now uses exit code 3 to signal an audit that has failed because no input files were collected. See the [exit code] documentation for details (#1515)

• The [unpinned-uses] audit now supports auto-fixes for many findings (#1525)

Changes ⚠️

• The [obfuscation] audit no longer flags #!yaml shell: cmd. That check has been moved to the new [misfeature] audit. Users may need to update their ignore comments and/or configuration (#1517)

Bug Fixes 🐛

• The [unpinned-uses] audit now flags reusable workflows that are unpinned, in addition to actions (#1509)

  Many thanks to @​johnbillion for implementing this fix!

1.20.0

Enhancements 🌱

• The [excessive-permissions] audit is now aware of the artifact-metadata and models permissions (#1461)

• The [cache-poisoning] audit is now aware of the @​ramsey/composer-install action (#1489)

... (truncated)

Commits

• 94308f6 zizmor 1.22.0 (#1539)
• 951d2c8 Add 'crater' tests (#1538)
• 13c1b65 Handle CRLF in EmplaceComment (#1536)
• 601bbba Bump trophies (#1535)
• de617a2 Drop 'custom shell' finding to auditor persona (#1532)
• 5175a6c zizmor 1.21.0 (#1529)
• b3f84f4 yamlpatch 0.10.0 (#1528)
• 20b24ff yamlpath 0.33.0 (#1527)
• 4815c16 Support auto-fixes for unpinned-uses (#1525)
• e611eae Document hk integration (#1522)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)