Zizmor

Latest version: v1.5.2

1.3.0

This release comes with one new audit ([overprovisioned-secrets](https://woodruffw.github.io/zizmor/audits/#overprovisioned-secrets)), plus a handful of bugfixes and analysis improvements to existing audits. It also comes with a special easter egg for those who wish to kvell about their audit results.

New Features 🌈

- New audit: [overprovisioned-secrets](https://woodruffw.github.io/zizmor/audits/#overprovisioned-secrets) detects uses of the `secrets` context that result in excessive secret provisioning ([485](https://github.com/woodruffw/zizmor/issues/485))
- Added a special naches mode for when you're feeling particularly proud of your audit results ([490](https://github.com/woodruffw/zizmor/issues/490))

Improvements 🌱

- zizmor produces slightly more informative error messages when given an invalid input file ([482](https://github.com/woodruffw/zizmor/issues/482))
- Case insensitivity in contexts is now handled more consistently and pervasively ([491](https://github.com/woodruffw/zizmor/issues/491))

Bug Fixes 🐛

- Fixed a bug where zizmor would fail to discover actions within subdirectories of `.github/workflows` ([477](https://github.com/woodruffw/zizmor/issues/477))
- Fixed a bug where zizmor would fail to parse composite action definitions with no `name` field ([487](https://github.com/woodruffw/zizmor/issues/487))

1.2.2

Bug Fixes 🐛

- The [excessive-permissions](https://woodruffw.github.io/zizmor/audits/#excessive-permissions) audit is now more precise about both reusable workflows and reusable workflow calls ([473](https://github.com/woodruffw/zizmor/issues/473))

Improvements 🌱

- Fetch failures when running `zizmor org/repo` are now more informative ([475](https://github.com/woodruffw/zizmor/issues/475))

1.2.1

This is a small corrective release for some SARIF behavior that changed with v1.2.0.

Bug Fixes 🐛

- SARIF outputs now use relative paths again, but more correctly than before [v1.2.0](https://woodruffw.github.io/zizmor/release-notes/#v120) ([469](https://github.com/woodruffw/zizmor/issues/469))

1.2.0

This release comes with one new audit ([bot-conditions](https://woodruffw.github.io/zizmor/audits/#bot-conditions)), plus a handful of bugfixes and analysis improvements to existing audits.

One bugfix in this release is also a slight behavior change: zizmor now emits SARIF outputs with absolute paths. This should not affect most users, but may make it slightly harder to share SARIF outputs between machines without fully reproducing exact file paths. If this affects you, [please let us know](https://github.com/woodruffw/zizmor/issues/new?template=bug-report.yml)!

New Features 🌈

- New audit: [bot-conditions](https://woodruffw.github.io/zizmor/audits/#bot-conditions) detects spoofable uses of `github.actor` within dangerous triggers ([460](https://github.com/woodruffw/zizmor/issues/460))

Improvements 🌱

- The [unpinned-uses](https://woodruffw.github.io/zizmor/audits/#unpinned-uses) audit no longer flags local reusable workflows or actions as unpinned/unhashed ([439](https://github.com/woodruffw/zizmor/issues/439))
- The [excessive-permissions](https://woodruffw.github.io/zizmor/audits/#excessive-permissions) audit has been refactored, and better captures both true positive and true negative cases ([441](https://github.com/woodruffw/zizmor/issues/441))
- The SARIF output mode (`--format=sarif`) now always returns absolute paths in its location information, rather than attempting to infer a (sometimes incorrect) repository-relative path ([453](https://github.com/woodruffw/zizmor/issues/453))
- zizmor now provides manylinux wheel builds for `aarch64` ([457](https://github.com/woodruffw/zizmor/issues/457))

Bug Fixes 🐛

- The [template-injection](https://woodruffw.github.io/zizmor/audits/#template-injection) audit no longer considers `github.event.pull_request.base.sha` dangerous ([445](https://github.com/woodruffw/zizmor/issues/445))
- The [artipacked](https://woodruffw.github.io/zizmor/audits/#artipacked) audit now correctly handles the strings `'true'` and `'false'` as their boolean counterparts ([448](https://github.com/woodruffw/zizmor/issues/448))
- Expressions that span multiple source lines are now parsed correctly ([461](https://github.com/woodruffw/zizmor/issues/461))
- Workflows that contain `timeout-minutes: ${{ expr }}` are now parsed correctly ([462](https://github.com/woodruffw/zizmor/issues/462))

1.1.1

Fixed

- Fixed a regression where workflows with calls to unpinned reusable workflows would fail to parse ([437](https://github.com/woodruffw/zizmor/issues/437))

1.1.0

This release comes with one new audit ([secrets-inherit](https://woodruffw.github.io/zizmor/audits/#secrets-inherit)), plus a slew of bugfixes and internal refactors that unblock future improvements!

Added

- New audit: [secrets-inherit](https://woodruffw.github.io/zizmor/audits/#secrets-inherit) detects use of `secrets: inherit` with reusable workflow calls ([408](https://github.com/woodruffw/zizmor/issues/408))

Improved

- The [template-injection](https://woodruffw.github.io/zizmor/audits/#template-injection) audit now detects injections in calls to [azure/cli](https://github.com/azure/cli) and [azure/powershell](https://github.com/azure/powershell) ([#421](https://github.com/woodruffw/zizmor/issues/421))

Fixed

- The [template-injection](https://woodruffw.github.io/zizmor/audits/#template-injection) audit no longer considers `github.server_url` dangerous ([412](https://github.com/woodruffw/zizmor/issues/412))
- The [template-injection](https://woodruffw.github.io/zizmor/audits/#template-injection) audit no longer crashes when evaluating the static-ness of an environment for a `uses:` step ([420](https://github.com/woodruffw/zizmor/issues/420))
