Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package zizmor for openSUSE:Factory checked in at 2025-05-09 18:51:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/zizmor (Old)
 and      /work/SRC/openSUSE:Factory/.zizmor.new.30101 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "zizmor"

Fri May 9 18:51:15 2025 rev:9 rq:1276064 version:1.7.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/zizmor/zizmor.changes	2025-03-25 22:17:47.307979451 +0100
+++ /work/SRC/openSUSE:Factory/.zizmor.new.30101/zizmor.changes	2025-05-09 18:53:23.478153189 +0200
@@ -1,0 +2,126 @@ +Fri May 09 05:25:08 UTC 2025 - Johannes Kastl <[email protected]> + +- add shell completion subpackages +- Update to version 1.7.0: + This release comes with four new audits: obfuscation, + stale-action-refs, unsound-contains, and unpinned-images. It also + includes several improvements to existing audits and zizmor's + output formats and error reporting behavior. + Additionally, this release comes with bugfixes for the SARIF + output format as well as input collection in some edge cases when + collecting from remote repositories. + * New Features + - New audit: The obfuscation audit detects obfuscatory patterns + in GitHub Actions usages. These patterns are not themselves + dangerous, but may indicate an attempt to obscure malicious + behavior (#683) + - New audit: The stale-action-refs pedantic audit detects + pinned action references which don't point to a Git tag + (#713) + - New audit: The unsound-contains audit detects uses of the + contains() function that can be bypassed (#577) + - New audit: The unpinned-images audit detects uses of Docker + images that are unpinned or pinned to :latest (#733) + - zizmor now reports much clearer error messages when auditing + fails due to an invalid workflow or action definition (#719) + - zizmor now has a --strict-collection flag that turns skipped + workflow or action definition warnings into errors. Passing + this flag changes zizmor's behavior back to the default in + v1.6.0 and earlier, which was to terminate the audit if any + collected input could not be parsed (#734) + - The forbidden-uses audit can now be configured with patterns + that match exact uses: clauses, including refs. 
For example, + exactly actions/checkout@v4 can now be explicitly allowed or + forbidden, rather than every ref that matches + actions/checkout (#750) + - zizmor now has a --completions=<shell> flag that generates + shell completion scripts (#765) + * Bug Fixes + - The SARIF output format now uses zizmor/{id} for rule IDs + instead of bare IDs, reducing the chance of conflict or + confusion with other tools (#710) + - The SARIF output format now includes a rule name for each + rule descriptor, which should improve rendering behavior in + SARIF viewers like the VS Code SARIF Viewer extension (#710) + - Fixed a bug where zizmor would fail to collection actions + defined within subdirectories of .github/workflows when + collecting from a remote source (#731) + * Upcoming Changes + Starting with v1.8.0, zizmor will migrate from @woodruffw on + GitHub to @zizmorcore. This should not cause any breakage as + GitHub will handle redirects, but users who explicitly + reference @woodruffw/zizmor should consider updating their + references to @zizmorcore/zizmor once the migration occurs. + See #758 for details. + * Dependencies + - chore(deps): bump the github-actions group with 3 updates + (#747) + - chore(deps): cargo update (#722) + - chore(deps): bump insta from 1.42.2 to 1.43.0 in the cargo + group (#702) + - chore(deps): bump the cargo group with 2 updates (#686) + - chore(deps): bump astral-sh/setup-uv in the github-actions + group (#685) + +------------------------------------------------------------------- +Sun Apr 20 06:34:57 UTC 2025 - Johannes Kastl <[email protected]> + +- Update to version 1.6.0: + * New Features + - New audit: The forbidden-uses audit is a configurable audit + that allows allow- or denylisting of entire orgs, repos, or + specific action patterns. This audit must be configured; by + default it has no effect (#664) + - zizmor now supports --format=github as an output format. 
This + format produces check annotations via GitHub workflow + commands, e.g. ::warning and ::error. See the Output formats + documentation for more information on annotations, including + key limitations (#634) + - The unpinned-uses audit has been completely rewritten, with + two key changes: + - The audit now has configurable policies that give users + more control over the audit's behavior. In particular, + users can now define policies that mirror their actual + threat model, such as trusting their own GitHub + organizations while leaving others untrusted. + - The audit's default policy is more precise and + conservative: official GitHub actions (e.g. those under + actions/* and similar) are allowed to be pinned by branch + or tag, but all other actions are required to be pinned by + SHA. This is a change from the previous policy, which was + to only flag completely unpinned actions by default. + * Improvements + - The SARIF output format now marks each rule as a "security" + rule, which helps GitHub's presentation of the results (#631) + - The template-injection audit is now performs dataflow + analysis to determine whether contexts actually expand in an + unsafe manner, making it significantly more accurate (#640) + - The cache-poisoning audit is now aware of jdx/mise-action + (#645) + - The cache-poisoning audit is now significantly more accurate + when analyzing workflows that use docker/setup-buildx-action + (#644) + - --format=json is now an alias for --format=json-v1, enabling + future JSON formats. 
The policy for the --format=json alias + is documented under Output formats - JSON (#657) + - Configuration file loading is now stricter, and produces a + more useful error message when the configuration file is + invalid (#663) + * Bug Fixes + - The template-injection audit no longer considers + github.event.pull_request.head.sha dangerous (#636) + - Fixed a bug where zizmor would fail to parse workflows with + workflow_call triggers that specified inputs without the + required field being present (#646) + - Fixed a bug where zizmor would fail to parse workflows with + pull_request or pull_request_target triggers that specified + types as a scalar value (#653) + - Fixed a crash where zizmor would fail to generate correct + concrete location spans for YAML inputs with comments inside + block sequences (#660) + - The template-injection audit no longer considers github.job + dangerous (#661) + - The template-injection audit no longer considers + github.event.pull_request.head.repo.fork dangerous (#675) + +------------------------------------------------------------------- Old: ---- zizmor-1.5.2.obscpio New: ---- zizmor-1.7.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ zizmor.spec ++++++ --- /var/tmp/diff_new_pack.hs5joV/_old 2025-05-09 18:53:24.158181477 +0200 +++ /var/tmp/diff_new_pack.hs5joV/_new 2025-05-09 18:53:24.162181643 +0200 
@@ -17,21 +17,57 @@ Name: zizmor -Version: 1.5.2 +Version: 1.7.0 Release: 0 Summary: A static analysis tool for GitHub Actions License: MIT URL: https://github.com/woodruffw/zizmor Source0: %{name}-%{version}.tar.gz Source1: vendor.tar.zst +BuildRequires: bash-completion BuildRequires: cargo >= 1.80 BuildRequires: cargo-packaging +BuildRequires: fish +BuildRequires: zsh ExcludeArch: %{ix86} armv7hl %description zizmor is a static analysis tool for GitHub Actions. It can find many common security issues in typical GitHub Actions CI/CD setups. +%package -n %{name}-bash-completion +Summary: Bash Completion for %{name} +Group: System/Shells +Requires: %{name} = %{version} +Requires: bash-completion +Supplements: (%{name} and bash-completion) +BuildArch: noarch + +%description -n %{name}-bash-completion +Bash command line completion support for %{name}. + +%package -n %{name}-fish-completion +Summary: Fish Completion for %{name} +Group: System/Shells +Requires: %{name} = %{version} +Requires: fish +Supplements: (%{name} and fish) +BuildArch: noarch + +%description -n %{name}-fish-completion +Fish command line completion support for %{name}. + +%package -n %{name}-zsh-completion +Summary: Zsh Completion for %{name} +Group: System/Shells +Requires: %{name} = %{version} +Requires: zsh +Supplements: (%{name} and zsh) +BuildArch: noarch + +%description -n %{name}-zsh-completion +zsh command line completion support for %{name}. + %prep %autosetup -p 1 -a 1 
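Review bot: the new BuildRequires: fish and BuildRequires: zsh in the header hunk pull two shells into the build environment although nothing in the spec invokes them; the completion scripts are produced by the zizmor binary itself via --completions=<shell>. If they are only there so that the fish vendor_completions.d and zsh site-functions directories are owned in the build root for rpmlint, a one-line comment next to the BuildRequires saying so would stop the next maintainer from dropping them. Two smaller points in the same hunk: the zsh subpackage description reads "zsh command line completion support" while the bash and fish ones capitalize the shell name, and the unchanged "URL: https://github.com/woodruffw/zizmor" is still correct for 1.7.0 but, per the changelog's note that upstream moves to @zizmorcore from v1.8.0, will need updating together with the url in _servicedata on the next version bump.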
@@ -42,6 +78,18 @@ install -D -d -m 0755 %{buildroot}%{_bindir} install -m 0755 %{_builddir}/%{name}-%{version}/target/release/%{name} %{buildroot}%{_bindir}/%{name} +# create the bash completion file +mkdir -p %{buildroot}%{_datarootdir}/bash-completion/completions/ +%{buildroot}/%{_bindir}/%{name} --completions=bash > %{buildroot}%{_datarootdir}/bash-completion/completions/%{name} + +# create the fish completion file +mkdir -p %{buildroot}%{_datarootdir}/fish/vendor_completions.d/ +%{buildroot}/%{_bindir}/%{name} --completions=fish > %{buildroot}%{_datarootdir}/fish/vendor_completions.d/%{name}.fish + +# create the zsh completion file +mkdir -p %{buildroot}%{_datarootdir}/zsh/site-functions/ +%{buildroot}/%{_bindir}/%{name} --completions=zsh > %{buildroot}%{_datarootdir}/zsh/site-functions/_%{name} + %check %{cargo_test} @@ -50,3 +98,12 @@ %license LICENSE %{_bindir}/zizmor +%files -n %{name}-bash-completion +%{_datarootdir}/bash-completion/completions/%{name} + +%files -n %{name}-fish-completion +%{_datarootdir}/fish/vendor_completions.d/%{name}.fish + +%files -n %{name}-zsh-completion +%{_datarootdir}/zsh/site-functions/_%{name} + ++++++ _service ++++++ --- /var/tmp/diff_new_pack.hs5joV/_old 2025-05-09 18:53:24.210183639 +0200 +++ /var/tmp/diff_new_pack.hs5joV/_new 2025-05-09 18:53:24.214183806 +0200 @@ -4,7 +4,7 @@ <param name="scm">git</param> <param name="exclude">.git</param> <param name="versionformat">@PARENT_TAG@</param> - <param name="revision">v1.5.2</param> + <param name="revision">v1.7.0</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.hs5joV/_old 2025-05-09 18:53:24.234184638 +0200 +++ /var/tmp/diff_new_pack.hs5joV/_new 2025-05-09 18:53:24.238184804 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/woodruffw/zizmor</param> - <param name="changesrevision">0c590a6e147e743fac5f6e66a87c07a2ae113476</param></service></servicedata> + <param name="changesrevision">beba48976c4911c25c0f23e27426fbb8f2bd950f</param></service></servicedata> (No newline at EOF) ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/zizmor/vendor.tar.zst /work/SRC/openSUSE:Factory/.zizmor.new.30101/vendor.tar.zst differ: char 7, line 1 ++++++ zizmor-1.5.2.obscpio -> zizmor-1.7.0.obscpio ++++++ ++++ 18998 lines of diff (skipped) ++++++ zizmor.obsinfo ++++++ --- /var/tmp/diff_new_pack.hs5joV/_old 2025-05-09 18:53:24.518196452 +0200 +++ /var/tmp/diff_new_pack.hs5joV/_new 2025-05-09 18:53:24.526196785 +0200 @@ -1,5 +1,5 @@ name: zizmor -version: 1.5.2 -mtime: 1742741579 -commit: 0c590a6e147e743fac5f6e66a87c07a2ae113476 +version: 1.7.0 +mtime: 1746759051 +commit: beba48976c4911c25c0f23e27426fbb8f2bd950f
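Review bot: in the %install hunk (@@ -42,6 +78,18 @@) the three completion commands run the just-installed binary as %{buildroot}/%{_bindir}/%{name}, which expands to a doubled slash and differs from the %{buildroot}%{_bindir}/%{name} spelling on the install line two lines above; use the same form, or call %{_builddir}/%{name}-%{version}/target/release/%{name} --completions=bash directly so generation does not depend on the buildroot layout. Since rpm aborts the scriptlet on a non-zero exit but not on empty output, a "test -s" on each generated file after the redirect would catch a silently empty completion script before it lands in the subpackage. A short comment that the completions are generated at build time rather than shipped upstream would also explain why the built binary is executed outside %check.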
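Review bot: the zizmor.changes hunk (@@ -1,0 +2,126 @@) copies two upstream typos that end up in rpm -q --changelog output: "Fixed a bug where zizmor would fail to collection actions defined within subdirectories" (collect) and "The template-injection audit is now performs dataflow analysis" (now performs). More importantly for users going from 1.5.2 straight to 1.7.0, the two entries describe behavior changes that can turn a previously green zizmor run red or silently change what is checked: the unpinned-uses default policy now requires SHA pinning for everything outside actions/* and similar, and unparsable workflow or action definitions are now skipped with a warning unless --strict-collection restores the v1.6.0-and-earlier terminate-on-error behavior. Calling those two out at the top of the 1.7.0 entry, next to "add shell completion subpackages", would make the upgrade impact visible without reading all 126 lines.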
