Zizmor

Latest version: v1.5.2


1.0.1

This is a small quality and bugfix release. Thank you to everybody
who helped by reporting and shaking out bugs from our first stable release!

Improved

* The [github-env] audit now detects dangerous writes to `GITHUB_PATH`,
is more precise, and can produce multiple findings per run block (391)

Fixed

* `workflow_call.secrets` keys with missing values are now parsed correctly (388)
* The [cache-poisoning] audit no longer incorrectly treats `docker/build-push-action` as
a publishing workflow when `push: false` is explicitly set (389)
* The [template-injection] audit no longer considers `github.action_path`
to be a potentially dangerous expansion (402)
* The [github-env] audit no longer skips `run:` steps with non-trivial
`shell:` stanzas (403)
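As an added, illustrative example (not zizmor's own code, which is written in Rust, and not a reproduction of its rules), here is a small Python checker in the spirit of the github-env audit described in the two entries above: it walks `run:` steps, picks the sink pattern by shell family so that steps with a non-trivial `shell:` stanza such as `bash -e {0}` are not skipped, and emits one finding per offending line, so a single run block can yield several findings. The sample step list, the untrusted-versus-safe context split, and the sink regexes are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Expression contexts treated as attacker-influenced for this example (assumption;
# zizmor's own context classification is richer). `runner.temp`, `runner.tool_cache`
# and `github.action_path` are deliberately not listed, matching the contexts the
# release notes call safe.
UNTRUSTED_EXPR_RE = re.compile(
    r"\$\{\{\s*(?:github\.event\.[\w.]+|github\.head_ref|env\.\w+)\s*\}\}"
)

# Sinks: redirections into the per-job files that the runner re-reads between steps.
BASH_SINK_RE = re.compile(r">>?\s*\"?\$\{?GITHUB_(?P<target>ENV|PATH)\}?\"?")
PWSH_SINK_RE = re.compile(
    r"(?:>>?\s*|Out-File\b[^\n]*?)\$env:GITHUB_(?P<target>ENV|PATH)", re.IGNORECASE
)


@dataclass
class Finding:
    step_name: str
    line_no: int      # 1-based line within the `run:` block
    target: str       # "GITHUB_ENV" or "GITHUB_PATH"
    expression: str   # the untrusted expansion that flows into the write


def shell_family(shell):
    """Reduce a `shell:` stanza (possibly a custom command line such as
    `bash -e {0}`) to the interpreter family that decides the sink syntax.
    Simplification: a missing stanza is treated as bash (on Windows runners
    the real default is pwsh)."""
    if shell is None:
        return "bash"
    first = shell.strip().split()[0].lower()
    if first in ("pwsh", "powershell"):
        return "pwsh"
    if first in ("bash", "sh"):
        return "bash"
    return "other"


def audit_steps(steps):
    """Return one Finding per line that both writes to GITHUB_ENV/GITHUB_PATH
    and expands an untrusted expression on that same line."""
    findings = []
    for step in steps:
        run = step.get("run")
        if run is None:
            continue  # `uses:` steps have no inline script to inspect
        sink_re = {"bash": BASH_SINK_RE, "pwsh": PWSH_SINK_RE}.get(
            shell_family(step.get("shell"))
        )
        if sink_re is None:
            continue  # python/other shells: sink syntax not modelled here
        for line_no, line in enumerate(run.splitlines(), start=1):
            sink = sink_re.search(line)
            expr = UNTRUSTED_EXPR_RE.search(line)
            if sink and expr:
                findings.append(
                    Finding(step.get("name", "<unnamed>"), line_no,
                            "GITHUB_" + sink.group("target"), expr.group(0))
                )
    return findings


# Constructed sample steps (not taken from any real workflow).
SAMPLE_STEPS = [
    {
        "name": "Export PR metadata (bash, default shell)",
        "run": (
            'echo "PR_TITLE=${{ github.event.pull_request.title }}" >> "$GITHUB_ENV"\n'
            'echo "${{ github.event.pull_request.head.ref }}" >> "$GITHUB_PATH"\n'
        ),
    },
    {
        "name": "Add tool dir (pwsh)",
        "shell": "pwsh",
        "run": 'echo "${{ github.head_ref }}" >> $env:GITHUB_PATH\n',
    },
    {
        "name": "Safe temp path (custom bash stanza)",
        "shell": "bash -e {0}",
        "run": 'echo "${{ runner.temp }}/bin" >> "$GITHUB_PATH"\n',
    },
    {"name": "Checkout", "uses": "actions/checkout@v4"},
]

if __name__ == "__main__":
    for f in audit_steps(SAMPLE_STEPS):
        print(f"{f.step_name}: line {f.line_no} writes {f.expression} into {f.target}")
```

Running the block reports three findings: two from the first step (one per line, one into `GITHUB_ENV` and one into `GITHUB_PATH`), and one from the pwsh step. The third step writes to `GITHUB_PATH` but only expands `runner.temp`, so it is not reported, and the custom `bash -e {0}` stanza is still recognised as bash rather than skipped.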


[excessive-permissions]: ./audits.md#excessive-permissions
[cache-poisoning]: ./audits.md#cache-poisoning
[github-env]: ./audits.md#github-env
[template-injection]: ./audits.md#template-injection

1.0.0

This is the first stable release of `zizmor`!

Starting with this release, `zizmor` will use [Semantic Versioning] for
its versioning scheme. In short, this means that breaking changes will only
happen with a new major version.

[Semantic Versioning]: https://semver.org/

This stable release comes with a large number of new features as well
as stability commitments for existing features; read more below!

Added

* Composite actions (i.e. `action.yml` where the action is *not* a Docker
or JavaScript action) are now supported, and are audited by default
when running `zizmor` on a directory or remote repository (331)

  !!! tip

      Composite action discovery and auditing can be disabled by passing
      `--collect=workflows-only`. Conversely, workflow discovery and auditing
      can be disabled by passing `--collect=actions-only`.

  See 350 for the status of each audit's support for analyzing
  composite actions.

* The GitHub host to connect to can now be configured with `--gh-hostname`
or `GH_HOST` in the environment (371)

  This can be used to connect to a GitHub Enterprise (GHE) instance
  instead of the default `github.com` instance.

Improved

* The [cache-poisoning] audit is now aware of common publishing actions
and uses them to determine whether to produce a finding (338, 341)
* The [cache-poisoning] audit is now aware of configuration-free caching
actions, such as Mozilla-Actions/sccache-action (345)
* The [cache-poisoning] audit is now aware of even more caching actions
(346)
* The [cache-poisoning] audit is now aware of common publishing triggers
(such as pushing to a release branch) and uses them to determine whether
to produce a finding (352)
* The [github-env] audit is now significantly more precise on `bash` and `pwsh`
inputs (354)

Fixed

* The [excessive-permissions] audit is now less noisy on single-job workflows (337)
* Expressions like `function().foo.bar` are now parsed correctly (340)
* The [cache-poisoning] defaults for `setup-go` were fixed (343)
* `uses:` matching is now case-insensitive where appropriate (353)
* Quoted YAML keys (like `'on': foo`) are now parsed correctly (368)

[excessive-permissions]: ./audits.md#excessive-permissions
[cache-poisoning]: ./audits.md#cache-poisoning
[github-env]: ./audits.md#github-env

0.10.0


What's Changed
New Features 🌈
* feat: handle powershell in github-env audit by woodruffw in https://github.com/woodruffw/zizmor/pull/227
* feat: template-injection: filter static envs by woodruffw in https://github.com/woodruffw/zizmor/pull/318
* feat: add 'primary' locations by woodruffw in https://github.com/woodruffw/zizmor/pull/328
* feat: initial cache-poisoning audit by ubiratansoares in https://github.com/woodruffw/zizmor/pull/294
* feat: Fix Sarif schema and add rules to Sarif files by fcasal in https://github.com/woodruffw/zizmor/pull/330
Bug Fixes 🐛
* fix: template-injection: more safe contexts by woodruffw in https://github.com/woodruffw/zizmor/pull/309
* fix: expands_to_static_values considers expressions inside strings by woodruffw in https://github.com/woodruffw/zizmor/pull/317
* fix: sarif: add result and kind by woodruffw in https://github.com/woodruffw/zizmor/pull/68
* fix: sarif: use ResultKind for kind by woodruffw in https://github.com/woodruffw/zizmor/pull/326
Performance Improvements 🚄
* refactor: use http-cache for caching, optimize network calls by woodruffw in https://github.com/woodruffw/zizmor/pull/304
Documentation Improvements 📖
* docs: support commits in trophy case by woodruffw in https://github.com/woodruffw/zizmor/pull/303
* docs: Fix typo in development.md by JustusFluegel in https://github.com/woodruffw/zizmor/pull/305

New Contributors
* jsoref made their first contribution in https://github.com/woodruffw/zizmor/pull/299
* JustusFluegel made their first contribution in https://github.com/woodruffw/zizmor/pull/305
* fcasal made their first contribution in https://github.com/woodruffw/zizmor/pull/330

**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.9.2...v0.10.0

0.9.2


What's Changed
Bug Fixes 🐛
* fix: template-injection: consider runner.tool_cache safe by woodruffw in https://github.com/woodruffw/zizmor/pull/297
Documentation Improvements 📖
* docs: more trophies by woodruffw in https://github.com/woodruffw/zizmor/pull/296


**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.9.1...v0.9.2

0.9.1


What's Changed
Bug Fixes 🐛
* fix: dont crash when an expression does not expand a matrix by ubiratansoares in https://github.com/woodruffw/zizmor/pull/284


**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.9.0...v0.9.1

0.9.0


What's Changed
New Features 🌈
* refactor: experiment with tracing by woodruffw in https://github.com/woodruffw/zizmor/pull/232
* feat: remove --no-progress by woodruffw in https://github.com/woodruffw/zizmor/pull/248
Bug Fixes 🐛
* fix: handle non-static env: in job steps by woodruffw in https://github.com/woodruffw/zizmor/pull/246
* fix: template-injection: ignore another safe context by woodruffw in https://github.com/woodruffw/zizmor/pull/254
* fix: download both .yml and .yaml from repos by woodruffw in https://github.com/woodruffw/zizmor/pull/265
* fix: bump annotate-snippets to fix crash by woodruffw in https://github.com/woodruffw/zizmor/pull/264
* fix: move artipacked pendantic finding to auditor by woodruffw in https://github.com/woodruffw/zizmor/pull/272
* fix: template-injection: ignore runner.temp by woodruffw in https://github.com/woodruffw/zizmor/pull/277
Performance Improvements 🚄
* feat: evaluates a matrix expansion only once by ubiratansoares in https://github.com/woodruffw/zizmor/pull/274
Documentation Improvements 📖
* docs: document installing with PyPI by woodruffw in https://github.com/woodruffw/zizmor/pull/242
* docs: add a trophy case by woodruffw in https://github.com/woodruffw/zizmor/pull/243
* docs: update pre-commit docs to point to new repo by woodruffw in https://github.com/woodruffw/zizmor/pull/247
* docs: switch GHA example to uvx by woodruffw in https://github.com/woodruffw/zizmor/pull/255
* docs: add template-injection tips by woodruffw in https://github.com/woodruffw/zizmor/pull/259
* docs: audits: add another env hacking reference by woodruffw in https://github.com/woodruffw/zizmor/pull/266
* docs: Rename "unsecure" to insecure by szepeviktor in https://github.com/woodruffw/zizmor/pull/270
* docs: more trophies by woodruffw in https://github.com/woodruffw/zizmor/pull/276
* docs: make the trophy case prettier by woodruffw in https://github.com/woodruffw/zizmor/pull/279

New Contributors
* szepeviktor made their first contribution in https://github.com/woodruffw/zizmor/pull/270

**Full Changelog**: https://github.com/woodruffw/zizmor/compare/v0.8.0...v0.9.0
