Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package zizmor for openSUSE:Factory checked in at 2026-03-09 16:20:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/zizmor (Old)
 and      /work/SRC/openSUSE:Factory/.zizmor.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "zizmor" Mon Mar 9 16:20:14 2026 rev:30 rq:1337616 version:1.23.1 Changes: -------- --- /work/SRC/openSUSE:Factory/zizmor/zizmor.changes 2026-01-19 18:41:54.155486048 +0100 +++ /work/SRC/openSUSE:Factory/.zizmor.new.8177/zizmor.changes 2026-03-09 16:24:40.513961612 +0100 
@@ -1,0 +2,77 @@ +Mon Mar 09 06:53:13 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 1.23.1: + * Bug Fixes + - Fixed a bug where zizmor would error if given both a GH_TOKEN + and a GITHUB_TOKEN (or ZIZMOR_GITHUB_TOKEN) via the + environment (#1724) +- Update to version 1.23.0: + * New Features + - New audit: secrets-outside-env detects usage of the secrets + context in jobs that don't have a corresponding environment + (#1599) + - New audit: superfluous-actions detects usage of actions that + perform operations already provided by GitHub's own runner + images (#1618) + * Enhancements + - zizmor's LSP mode is now configuration-aware, and will load + configuration files relative to workspace roots (#1555) + - zizmor now reads the GITHUB_TOKEN environment variable as an + alias/equivalent for GH_TOKEN (#1566) + - zizmor now supports inputs that contain duplicated anchor + names (#1575) + - zizmor now flags missing cooldowns on opentofu ecosystem + definitions in Dependabot (again) (#1586) + - zizmor now reads the ZIZMOR_GITHUB_TOKEN environment variable + as an alias/equivalent for GH_TOKEN and GITHUB_TOKEN (#1641) + - The SARIF output format now adds zizmor/confidence, + zizmor/persona and zizmor/severity to the properties of + findings (#1656) + - Added awalsh128/cache-apt-pkgs-action as a cache-aware action + to the cache-poisoning audit (#1708) + * Changes + - SARIF categories have been regraded. 
zizmor's "medium" is + changed from SARIF's "warning" to "low" (#1635) + * Bug Fixes + - Fixed a bug where zizmor would crash on uses: clauses + containing non-significant whitespace while performing the + unpinned-uses audit (#1544) + - Fixed a bug in yamlpath where sequences containing anchors + were splatted instead of being properly nested (#1557) + - Fixed a bug in yamlpath where anchor prefixes in sequences + and mapping were not stripped during path queries (#1562) + - Fixed a bug where "merge into" autofixes would produce + incorrect patches in the presence of multi-byte Unicode + characters (#1581) + - Fixed a bug where the template-injection audit would produce + duplicated pedantic-only findings (#1589) + - Fixed a bug where the obfuscation audit would produce + incorrect autofixes for a subset of constant-reducible + expressions (#1597) + - Fixed a bug where the obfuscation audit would fail to apply + fixes to a subset of inputs with leading whitespace (#1597) + - Fixed a bug where the concurrency-limits audit would + incorrectly flag reusable-only workflows as needing a + concurrency: key (#1620) + - Fixed a bug where the known-vulnerable-actions audit would + fail when applying some fixes (#1640) + - Fixed a bug where the pre-commit ecosystem was not recognized + in Dependabot configuration files (#1637) + - Fixed a bug where the template-injection audit would + incorrectly flag github.triggering_actor as an injection risk + in the default persona (#1645) + - Fixed a bug where zizmor's expression parser did not + correctly handle number literals in GitHub Actions + expressions (#1625) + - Fixed a bug where the template-injection audit would crash on + some forms of multi-line expressions (#1669) + - Fixed a bug where deserialization of a workflow containing + fractional minutes would fail (#1675) + - Fixed a bug where deserialization of a workflow where a + workflow_run with a scalar types would fail (#1676) + - Fixed a bug where zizmor would crash on 
workflows containing + bare numeric values in if: conditions (#1683) + - Fixed a bug where GitHub Actions expression string + comparisons were not case-insensitive (#1687) + +------------------------------------------------------------------- Old: ---- zizmor-1.22.0.obscpio New: ---- zizmor-1.23.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ zizmor.spec ++++++ --- /var/tmp/diff_new_pack.fQrWvQ/_old 2026-03-09 16:24:41.662008729 +0100 +++ /var/tmp/diff_new_pack.fQrWvQ/_new 2026-03-09 16:24:41.666008893 +0100 @@ -17,7 +17,7 @@ Name: zizmor -Version: 1.22.0 +Version: 1.23.1 Release: 0 Summary: A static analysis tool for GitHub Actions License: MIT @@ -25,6 +25,7 @@ Source0: %{name}-%{version}.tar.gz Source1: vendor.tar.zst BuildRequires: bash-completion +BuildRequires: ca-certificates-mozilla BuildRequires: cargo >= 1.80 BuildRequires: cargo-packaging BuildRequires: fish ++++++ _service ++++++ --- /var/tmp/diff_new_pack.fQrWvQ/_old 2026-03-09 16:24:41.726011356 +0100 +++ /var/tmp/diff_new_pack.fQrWvQ/_new 2026-03-09 16:24:41.730011520 +0100 @@ -4,7 +4,7 @@ <param name="scm">git</param> <param name="exclude">.git</param> <param name="versionformat">@PARENT_TAG@</param> - <param name="revision">v1.22.0</param> + <param name="revision">v1.23.1</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.fQrWvQ/_old 2026-03-09 16:24:41.774013325 +0100 +++ /var/tmp/diff_new_pack.fQrWvQ/_new 2026-03-09 16:24:41.778013490 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/woodruffw/zizmor</param> - <param name="changesrevision">94308f638c114a3f42c4c842abee9cf46f166890</param></service></servicedata> + <param name="changesrevision">0b77258cf93d4e0ae762c843422c333faf2793f6</param></service></servicedata> (No newline at EOF) ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/zizmor/vendor.tar.zst /work/SRC/openSUSE:Factory/.zizmor.new.8177/vendor.tar.zst differ: char 7, line 1 ++++++ zizmor-1.22.0.obscpio -> zizmor-1.23.1.obscpio ++++++ ++++ 11602 lines of diff (skipped) ++++++ zizmor.obsinfo ++++++ --- /var/tmp/diff_new_pack.fQrWvQ/_old 2026-03-09 16:24:42.478042220 +0100 +++ /var/tmp/diff_new_pack.fQrWvQ/_new 2026-03-09 16:24:42.490042713 +0100 @@ -1,5 +1,5 @@ name: zizmor -version: 1.22.0 -mtime: 1768626608 -commit: 94308f638c114a3f42c4c842abee9cf46f166890 +version: 1.23.1 +mtime: 1772988185 +commit: 0b77258cf93d4e0ae762c843422c333faf2793f6
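Review bot: The new `BuildRequires: ca-certificates-mozilla` in the zizmor.spec hunk (inserted after `BuildRequires: bash-completion`) has no stated reason. The zizmor.changes entry lists only upstream release notes, and the visible spec lines carry no comment. Please add a changelog line for this packaging change and a short spec comment naming the build or test step that needs the CA bundle, so a later maintainer can tell whether the dependency is still required.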
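Review bot: In the _service hunk, `<param name="revision">v1.23.1</param>` selects the source by tag name, and a tag can be re-pointed upstream after this review. The resolved commit 0b77258cf93d4e0ae762c843422c333faf2793f6 is recorded consistently in _servicedata (`changesrevision`) and zizmor.obsinfo (`commit`), so the two records agree with each other. Before accepting, confirm that this hash is what the upstream v1.23.1 tag points to, and treat any later service run that changes the hash without a version bump as a finding.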
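Review bot: vendor.tar.zst is reported only as "differ: char 7, line 1" and the obscpio diff is skipped (11602 lines), so neither the vendored crates nor the source changes can be reviewed from this mail. Since the vendor tarball is the bulk of the code that ends up in the binary, the request should state how it was regenerated (for example, from the lockfile shipped in the tagged source) so a reviewer can reproduce it and compare.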
