Enhancements 🌱🔗
-
zizmor now produces a more useful error message when asked to collect only workflows from a remote input that contains no workflows (#1324)
-
zizmor now produces more precise severities on actions/checkout versions that have more misuse-resistant credentials persistence behavior (#1353)
Many thanks to @ManuelLerchnerQC for proposing and implementing this improvement!
-
The use-trusted-publishing audit now correctly detecting more "dry-run" patterns, making it significantly more accurate (#1357)
-
The obfuscation audit now detects usages of shell: cmd and similar, as the Windows CMD shell lacks a formal grammar and limits analysis of run: blocks in other audits (#1361)
Performance Improvements 🚄🔗
- zizmor's core has been refactored to be asynchronous, making online and I/O-heavy audits significantly faster. Typical user workloads should see speedups of 40% to 70% (#1314)
Bug Fixes 🐛🔗
-
Fixed a bug where auto-fixes would fail to preserve a document's final newline (#1323)
-
zizmor now uses the native (OS) TLS roots when performing HTTPS requests, improving compatibility with user environments that perform TLS interception (#1328)
-
The github-env audit now falls back to assuming bash-like shell syntax in run: blocks if it can't infer the shell being used (#1336)
-
The concurrency-limits audit now correctly detects job-level concurrency settings, in addition to workflow-level settings (#1338)
-
Fixed a bug where zizmor would fail to collect workflows with names that overlapped with other input types (e.g. action.yml and dependabot.yml) when passed explicitly by path (#1345)