dependabot[bot] opened a new pull request, #16329:
URL: https://github.com/apache/lucene/pull/16329

   Bumps [zizmor](https://github.com/zizmorcore/zizmor) from 1.25.2 to 1.26.1.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a 
href="https://github.com/zizmorcore/zizmor/releases";>zizmor's 
releases</a>.</em></p>
   <blockquote>
   <h2>v1.26.1</h2>
   <p>This is a small corrective release for <a 
href="https://docs.zizmor.sh/release-notes/%5B#1260%5D(https://redirect.github.com/zizmorcore/zizmor/issues/1260)">1.26.0</a>.</p>
   <h2>v1.26.0</h2>
   <h2>New Features 🌈<a 
href="https://docs.zizmor.sh/release-notes/#new-features";>🔗</a></h2>
   <ul>
   <li>
   <p>New audit: <a 
href="https://docs.zizmor.sh/audits/#typosquat-uses";>typosquat-uses</a> detects 
uses: clauses that reference likely typoed actions (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/1985";>#1985</a>)</p>
   <p>Many thanks to <a 
href="https://github.com/andrew";><code>@​andrew</code></a> for proposing and 
implementing this improvement!</p>
   </li>
   <li>
   <p>New audit: <a 
href="https://docs.zizmor.sh/audits/#unsound-ternary";>unsound-ternary</a> 
detects pseudo-ternary expressions that don't evaluate as expected (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2085";>#2085</a>)</p>
   <p>Many thanks to <a 
href="https://github.com/terror";><code>@​terror</code></a> for proposing and 
implementing this improvement!</p>
   </li>
   <li>
   <p>New audit: <a 
href="https://docs.zizmor.sh/audits/#adhoc-packages";>adhoc-packages</a> detects 
run: steps that install packages in an ad-hoc manner (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2061";>#2061</a>)</p>
   <p>Many thanks to <a 
href="https://github.com/connorshea";><code>@​connorshea</code></a> for 
proposing and implementing this improvement!</p>
   </li>
   </ul>
   <h2>Enhancements 🌱<a 
href="https://docs.zizmor.sh/release-notes/#enhancements";>🔗</a></h2>
   <ul>
   <li>
   <p>The <a 
href="https://docs.zizmor.sh/audits/#cache-poisoning";>cache-poisoning</a> audit 
now detects additional cache disablement heuristics (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2053";>#2053</a>)</p>
   </li>
   <li>
   <p>The <a 
href="https://docs.zizmor.sh/audits/#known-vulnerable-actions";>known-vulnerable-actions</a>
 audit is now configurable. See <a 
href="https://docs.zizmor.sh/audits/#known-vulnerable-actions-configuration";>the
 configuration documentation</a> for details (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2084";>#2084</a>)</p>
   </li>
   <li>
   <p>The <a 
href="https://docs.zizmor.sh/audits/#excessive-permissions";>excessive-permissions</a>
 audit is now aware of the code-quality permission (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2088";>#2088</a>)</p>
   </li>
   <li>
   <p>The <a 
href="https://docs.zizmor.sh/audits/#unpinned-uses";>unpinned-uses</a> audit's 
auto-fix now uses the fully qualified version tag (e.g. # v6.0.2) when fixing a 
major-version ref (e.g. <a href="https://github.com/v6";><code>@​v6</code></a>) 
(<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2127";>#2127</a>)</p>
   </li>
   </ul>
   <h2>Performance Improvements 🚄<a 
href="https://docs.zizmor.sh/release-notes/#performance-improvements";>🔗</a></h2>
   <ul>
   <li>
   <p>Most online audits are significantly faster, thanks to more precise retry 
handling (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2036";>#2036</a>)
   Bug Fixes 🐛<a 
href="https://docs.zizmor.sh/release-notes/#bug-fixes";>🔗</a></p>
   </li>
   <li>
   <p>Fixed a bug where zizmor's LSP would not recognize dependabot.yaml files 
in its default configuration (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2026";>#2026</a>)</p>
   <p>Many thanks to <a 
href="https://github.com/fionn";><code>@​fionn</code></a> for implementing this 
fix!</p>
   </li>
   <li>
   <p>Fixed a bug where <a 
href="https://docs.zizmor.sh/audits/#ref-version-mismatch";>ref-version-mismatch</a>
 would fail to fully match some version comments (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2040";>#2040</a>)</p>
   </li>
   <li>
   <p>Fixed a bug where <a 
href="https://docs.zizmor.sh/audits/#dependabot-cooldown";>dependabot-cooldown</a>
 would fail to honor the user's configured days when performing autofixes (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2055";>#2055</a>)</p>
   </li>
   <li>
   <p>Steps and jobs gated by statically-false if: conditions (e.g. if: false, 
if: ${{ false }}) are now skipped during auditing, since they cannot execute 
(<a href="https://redirect.github.com/zizmorcore/zizmor/issues/2059";>#2059</a>, 
<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2069";>#2069</a>)</p>
   </li>
   <li>
   <p>Fixed a bug where <a 
href="https://docs.zizmor.sh/audits/#ref-version-mismatch";>ref-version-mismatch</a>
 would fail to identify some valid version comments (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2073";>#2073</a>)</p>
   </li>
   <li>
   <p>Fixed a bug where <a 
href="https://docs.zizmor.sh/audits/#unpinned-images";>unpinned-images</a> would 
incorrectly flag empty matrix expansions as unpinned container image references 
(<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2102";>#2102</a>)</p>
   </li>
   <li>
   <p>Fixed a bug where <a 
href="https://docs.zizmor.sh/audits/#unpinned-images";>unpinned-images</a> would 
incorrectly flag some matrix expansions as unpinned (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2098";>#2098</a>)</p>
   </li>
   <li>
   <p>The SARIF (--format=sarif) and GitHub Annotations (--format=github) 
output formats now provide more correct/useful paths, particularly when the 
user provides a relative path as input to zizmor rather than zizmor . (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/1748";>#1748</a>, <a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2095";>#2095</a>)</p>
   </li>
   </ul>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a 
href="https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md";>zizmor's
 changelog</a>.</em></p>
   <blockquote>
   <h2>1.26.1</h2>
   <p>This is a small corrective release for <a 
href="%5B#1260%5D(https://redirect.github.com/zizmorcore/zizmor/issues/1260)">1.26.0</a>.</p>
   <h2>1.26.0</h2>
   <h3>New Features 🌈</h3>
   <ul>
   <li>
   <p><strong>New audit</strong>: [typosquat-uses] detects <code>#!yaml 
uses:</code> clauses that reference likely
   typoed actions (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/1985";>#1985</a>)</p>
   <p>Many thanks to <a 
href="https://github.com/andrew";><code>@​andrew</code></a> for proposing and 
implementing this improvement!</p>
   </li>
   <li>
   <p><strong>New audit</strong>: [unsound-ternary] detects pseudo-ternary 
expressions that
   don't evaluate as expected (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2085";>#2085</a>)</p>
   <p>Many thanks to <a 
href="https://github.com/terror";><code>@​terror</code></a> for proposing and 
implementing this improvement!</p>
   </li>
   <li>
   <p><strong>New audit</strong>: [adhoc-packages] detects <code>#!yaml 
run:</code> steps that install packages
   in an ad-hoc manner (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2061";>#2061</a>)</p>
   <p>Many thanks to <a 
href="https://github.com/connorshea";><code>@​connorshea</code></a> for 
proposing and implementing this improvement!</p>
   </li>
   </ul>
   <h3>Enhancements 🌱</h3>
   <ul>
   <li>
   <p>The [cache-poisoning] audit now detects additional cache disablement
   heuristics (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2053";>#2053</a>)</p>
   </li>
   <li>
   <p>The [known-vulnerable-actions] audit is now configurable.
   See <a 
href="https://github.com/zizmorcore/zizmor/blob/main/docs/audits.md#known-vulnerable-actions-configuration";>the
 configuration documentation</a>
   for details (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2084";>#2084</a>)</p>
   </li>
   <li>
   <p>The [excessive-permissions] audit is now aware of the 
<code>code-quality</code> permission (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2088";>#2088</a>)</p>
   </li>
   <li>
   <p>The [unpinned-uses] audit's auto-fix now uses the fully qualified version 
tag
   (e.g. <code># v6.0.2</code>) when fixing a major-version ref (e.g. 
<code>@v6</code>) (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2127";>#2127</a>)</p>
   </li>
   </ul>
   <h3>Performance Improvements 🚄</h3>
   <ul>
   <li>Most online audits are significantly faster, thanks to more precise 
retry handling (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2036";>#2036</a>)</li>
   </ul>
   <h3>Bug Fixes 🐛</h3>
   <ul>
   <li>
   <p>Fixed a bug where zizmor's LSP would not recognize 
<code>dependabot.yaml</code>
   files in its default configuration (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2026";>#2026</a>)</p>
   <p>Many thanks to <a 
href="https://github.com/fionn";><code>@​fionn</code></a> for implementing this 
fix!</p>
   </li>
   <li>
   <p>Fixed a bug where [ref-version-mismatch] would fail to fully match some
   version comments (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2040";>#2040</a>)</p>
   </li>
   </ul>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a 
href="https://github.com/zizmorcore/zizmor/commit/597db4d7dc5730bdc1370197bf5678a5ca028abb";><code>597db4d</code></a>
 zizmor 1.26.1 (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2137";>#2137</a>)</li>
   <li><a 
href="https://github.com/zizmorcore/zizmor/commit/97037cdcb9a53859f18ff2050bd7b2cb2ab0ebd0";><code>97037cd</code></a>
 zizmor 1.26.0 (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2136";>#2136</a>)</li>
   <li><a 
href="https://github.com/zizmorcore/zizmor/commit/3fecda6f410be0467a54e56e188fac7c6318bbe2";><code>3fecda6</code></a>
 Bump trophies (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2135";>#2135</a>)</li>
   <li><a 
href="https://github.com/zizmorcore/zizmor/commit/cdaf53634db6c62526aefe31d926db42136b3844";><code>cdaf536</code></a>
 Add InputGroup::root (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2095";>#2095</a>)</li>
   <li><a 
href="https://github.com/zizmorcore/zizmor/commit/d7672f9f14691bbea6a20df2765a333540149211";><code>d7672f9</code></a>
 docs: fix release note references (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2132";>#2132</a>)</li>
   <li><a 
href="https://github.com/zizmorcore/zizmor/commit/5420162f2a2691c5a43d609db84ce5d1a3f41c57";><code>5420162</code></a>
 docs: pin manual uvx zizmor examples (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2131";>#2131</a>)</li>
   <li><a 
href="https://github.com/zizmorcore/zizmor/commit/e9d4a44282e852d2f3845ed3584d2818d5759d7d";><code>e9d4a44</code></a>
 feat(unpinned-uses): pin to full version when fixing a major ref (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2127";>#2127</a>)</li>
   <li><a 
href="https://github.com/zizmorcore/zizmor/commit/e638658d5fa4040cf835da0e196e721bb6f4ef25";><code>e638658</code></a>
 [BOT] update JSON schemas from SchemaStore (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2126";>#2126</a>)</li>
   <li><a 
href="https://github.com/zizmorcore/zizmor/commit/2c47399698078ae969b5191c37b4a7b7748afce9";><code>2c47399</code></a>
 chore(deps): bump http from 1.4.1 to 1.4.2 in the cargo group (<a 
href="https://redirect.github.com/zizmorcore/zizmor/issues/2125";>#2125</a>)</li>
   <li><a 
href="https://github.com/zizmorcore/zizmor/commit/cd68f658438bd699ee730b202471996e06204177";><code>cd68f65</code></a>
 chore(deps): bump the github-actions group across 1 directory with 3 updates 
...</li>
   <li>Additional commits viewable in <a 
href="https://github.com/zizmorcore/zizmor/compare/v1.25.2...v1.26.1";>compare 
view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=zizmor&package-manager=uv&previous-version=1.25.2&new-version=1.26.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to