zizmor 1.25.0 #282882

Merged: BrewTestBot merged 2 commits into main from bump-zizmor-1.25.0 on May 14, 2026
@BrewTestBot

Contributor

Created by brew bump


Created with brew bump-formula-pr.

release notes
## New Features 🌈
  • zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913)

    Many thanks to @Proximyst for proposing and implementing this improvement!

  • New audit: github-app detects dangerous usages of GitHub App installation tokens (#1926)

  • New audit: unpinned-tools detects actions that install tools without pinning to a specific version (#1820)

  • zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)

  • zizmor's LSP now honors the --persona flag on the CLI (#1943)

  • zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)

## Enhancements

## Performance Improvements 🚄

  • The impostor-commit audit is now significantly faster (in addition to being more correct) when the user has pinned their action to a tag SHA instead of a commit SHA (#1998)

## Bug Fixes 🐛

  • Fixed a crash in the template-injection audit when a workflow uses a parenthesized compound expression in context position (#1904)

  • Fixed a bug where local directory input collection could miss workflows for relative-path invocations from within .github subdirectories (#1909)

  • Fixed a bug where the unpinned-images audit would miss images defined in container: clauses (#1944)

  • Fixed a bug where inline ignore comments could not be easily applied to superfluous-actions findings (#1945)

  • Fixed a bug where the cache-poisoning audit would fail to detect some release trigger patterns (#1946)

  • Fixed a bug where inline ignore comments could not be easily applied to cache-poisoning findings (#1962)

  • Fixed a class of imprecisions where the cache-poisoning audit would incorrectly flag cache usage that doesn't actually occur on release events (#1940)

    Many thanks to @reubenwong97 for implementing this fix!

  • Fixed a bug where dependabot.yml files containing a private cargo repository couldn't be parsed (#1976)

  • Fixed a bug where zizmor's input validation warnings lacked a mention of which files failed to validate (#1980)

  • Fixed a bug where the impostor-commit audit would falsely indicate impostor commits if an action was pinned to a tag SHA instead of a commit SHA (#1998)

View the full release notes at https://github.com/zizmorcore/zizmor/releases/tag/v1.25.0.


@github-actions (bot) added the labels rust (Rust use is a significant feature of the PR or issue) and bump-formula-pr (PR was created using `brew bump-formula-pr`) on May 14, 2026
@github-actions

Contributor

🤖 An automated task has requested bottles to be published to this PR.

Caution

Please do not push to this PR branch before the bottle commits have been pushed, as this results in a state that is difficult to recover from. If you need to resolve a merge conflict, please use a merge commit. Do not force-push to this PR branch.

@github-actions (bot) added the CI-published-bottle-commits label (The commits for the built bottles have been pushed to the PR branch.) on May 14, 2026
@BrewTestBot enabled auto-merge on May 14, 2026 21:52
@BrewTestBot added this pull request to the merge queue on May 14, 2026
Merged via the queue into main with commit ce9c064 on May 14, 2026
22 checks passed
@BrewTestBot deleted the bump-zizmor-1.25.0 branch on May 14, 2026 22:01