
v0.2.1


github-actions released this 23 May 13:03 · 218 commits to main since this release · 3c7da1c

Patch Changes

  • #14 0b4fa3a Thanks @toiroakr! - Promote every Planned zizmor rule in the catalogue to Implemented and drive
    per-rule upstream parity against zizmor --pedantic --no-online-audits to
    missing=0 / extra=0 on the vendored fixtures (engine-wide divergences are
    recorded in the parity allowlist instead of being silently absorbed).

    Promoted (zizmor): anonymous-definition, undocumented-permissions,
    forbidden-uses, github-app, dependabot-execution, archived-uses,
    impostor-commit, ref-version-mismatch, overprovisioned-secrets,
    insecure-commands, unsound-condition, unredacted-secrets, misfeature,
    unpinned-tools, unpinned-images, self-hosted-runner,
    superfluous-actions, github-env, obfuscation, use-trusted-publishing,
    dependabot-cooldown, artipacked, cache-poisoning, excessive-permissions,
    template-injection.

    Promoted (actionlint): yaml-anchor-issues ships a full implementation
    (re-scans the raw source for &name / *name tokens since the YAML parser
    resolves them away).

    Preview implementations were added for the actionlint-side matrix-values
    and deprecated-action-inputs rules (still Planned in the catalogue
    pending broader coverage work).

    Known engine-wide divergences absorbed via the parity allowlist:

    • # zizmor: ignore[…] is parsed file-wide instead of per-node, so
      fixtures that mute a single step also drop neighbouring findings.
    • Local zizmor.yml config discovery is not implemented, so
      config-scenarios/*/hackme.yml reports the unconfigured baseline.
    • self-hosted-runner is gated to --persona=auditor upstream but fires
      unconditionally in karinto.
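The yaml-anchor-issues approach described above, re-scanning the raw source because the YAML parser has already resolved anchors and aliases away, as an added TypeScript illustration that is not karinto's own code. The two conditions it reports (an alias with no anchor, an anchor that is never referenced) and its handling of quoted scalars, comments and block-scalar bodies are assumptions for this example, not the rule's documented behaviour.

```typescript
// Added illustration (not karinto's code): re-scan raw YAML for &name / *name tokens, since a
// parser resolves anchors and aliases away; the issue conditions reported here are assumptions.
type AnchorToken = { kind: "anchor" | "alias"; name: string; line: number };
const TOKEN_RE = /(?:^|[\s\[{,])([&*])([^\s\[\]{},]+)/g; // names exclude whitespace and flow indicators
const BLOCK_SCALAR_RE = /[:\-]\s*(?:&\S+\s+)?[|>][-+0-9]*\s*$/; // `run: |`, `- >-`, `run: &x |`
// Blank out quoted scalars and cut trailing comments so `&` / `*` inside them are not tokens.
function stripNonCode(line: string): string {
  let out = "", quote: string | null = null, prev = " ";
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (quote) { if (ch === quote) quote = null; out += " "; }
    else if (ch === '"' || ch === "'") { quote = ch; out += " "; }
    else if (ch === "#" && /\s/.test(prev)) break; // a YAML comment needs leading whitespace
    else out += ch;
    prev = ch;
  }
  return out;
}

function scanAnchors(source: string): AnchorToken[] {
  const tokens: AnchorToken[] = [];
  let blockIndent = -1; // indent of the line that opened a block scalar, -1 when outside one
  source.split(/\r?\n/).forEach((raw, i) => {
    const indent = raw.search(/\S|$/);
    if (blockIndent >= 0 && (raw.trim() === "" || indent > blockIndent)) return; // skip `run: |` body
    blockIndent = -1;
    const line = stripNonCode(raw);
    TOKEN_RE.lastIndex = 0;
    for (let m = TOKEN_RE.exec(line); m !== null; m = TOKEN_RE.exec(line)) {
      tokens.push({ kind: m[1] === "&" ? "anchor" : "alias", name: m[2], line: i + 1 });
    }
    if (BLOCK_SCALAR_RE.test(line)) blockIndent = indent;
  });
  return tokens;
}
// Cross-check the token stream: every alias needs an anchor, and every anchor should be used.
function findAnchorIssues(source: string): { line: number; message: string }[] {
  const tokens = scanAnchors(source);
  const defined = new Set(tokens.filter(t => t.kind === "anchor").map(t => t.name));
  const used = new Set(tokens.filter(t => t.kind === "alias").map(t => t.name));
  return tokens
    .filter(t => (t.kind === "alias" ? !defined.has(t.name) : !used.has(t.name)))
    .map(t => ({ line: t.line, message: t.kind === "alias" ? `alias *${t.name} has no matching anchor` : `anchor &${t.name} is never referenced` }));
}
const SAMPLE_WORKFLOW = [ // constructed sample: valid alias, misspelled alias, quoted glob, unused anchor
  "x-steps: &shared", "  - uses: actions/checkout@v4", "jobs:", "  build:", "    steps: *shared",
  "  test:", "    steps: *shaerd   # typo: no such anchor", "    env:", "      GLOB: \"*.log\"",
  "  lint:", "    steps:", "      - &unused run: |", "          ls *.txt && echo '&not an anchor'",
].join("\n");
console.log(findAnchorIssues(SAMPLE_WORKFLOW)); // reports lines 7 (*shaerd) and 12 (&unused)
```

The `*.txt` and `'&not an anchor'` inside the `run: |` body are deliberately left unreported, which is the kind of false positive a naive raw-text scan produces if block scalars and quotes are not tracked.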