
Bump zizmorcore/zizmor from 1.18.0 to 1.23.1#24694

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/docker_compose/zizmorcore/zizmor-1.23.1

Conversation


@dependabot dependabot bot commented on behalf of github Apr 1, 2026

Bumps zizmorcore/zizmor from 1.18.0 to 1.23.1.

Release notes

Sourced from zizmorcore/zizmor's releases.

v1.23.1

Bug Fixes 🐛

  • Fixed a bug where zizmor would error if given both a GH_TOKEN and a GITHUB_TOKEN (or ZIZMOR_GITHUB_TOKEN) via the environment (#1724)

v1.23.0-rc1

This is a prerelease, and is not considered stable. It exists only to shake out release process bugs prior to a real release.

v1.23.0-rc2

No release notes provided.

v1.23.0-rc3

No release notes provided.

v1.23.0-rc4

No release notes provided.

v1.23.0-rc5

No release notes provided.

v1.23.0-rc6

No release notes provided.

v1.23.0-rc7

No release notes provided.

v1.23.0

New Features 🌈

  • New audit: secrets-outside-env detects usage of the secrets context in jobs that don't have a corresponding environment (#1599)

  • New audit: superfluous-actions detects usage of actions that perform operations already provided by GitHub's own runner images (#1618)

Enhancements 🌱

  • zizmor's LSP mode is now configuration-aware, and will load configuration files relative to workspace roots (#1555)

  • zizmor now reads the GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN (#1566)

  • zizmor now supports inputs that contain duplicated anchor names (#1575)

  • zizmor now flags missing cooldowns on opentofu ecosystem definitions in Dependabot (again) (#1586)

  • zizmor now reads the ZIZMOR_GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN and GITHUB_TOKEN (#1641)

  • The SARIF output format now adds zizmor/confidence, zizmor/persona and zizmor/severity to the properties of findings (#1656)

  • Added awalsh128/cache-apt-pkgs-action as a cache-aware action to the cache-poisoning audit (#1708)

Changes ⚠️

... (truncated)

Changelog

Sourced from zizmorcore/zizmor's changelog.

1.23.1

Bug Fixes 🐛

  • Fixed a bug where zizmor would error if given both a GH_TOKEN and a GITHUB_TOKEN (or ZIZMOR_GITHUB_TOKEN) via the environment (#1724)

  • Fixed a bug in [template-injection] where the context input of docker/build-push-action was incorrectly considered a code injection sink (#1705)

Changes ⚠️

  • artipacked audit emits a pedantic finding if persist-credentials is an expression (#1735)

1.23.0

New Features 🌈

  • New audit: [secrets-outside-env] detects usage of the secrets context in jobs that don't have a corresponding environment (#1599)

  • New audit: [superfluous-actions] detects usage of actions that perform operations already provided by GitHub's own runner images (#1618)

Enhancements 🌱

  • zizmor's LSP mode is now configuration-aware, and will load configuration files relative to workspace roots (#1555)

  • zizmor now reads the GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN (#1566)

  • zizmor now supports inputs that contain duplicated anchor names (#1575)

  • zizmor now flags missing cooldowns on opentofu ecosystem definitions in Dependabot (again) (#1586)

  • zizmor now reads the ZIZMOR_GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN and GITHUB_TOKEN (#1641)

  • The SARIF output format now adds zizmor/confidence, zizmor/persona and zizmor/severity to the properties of findings (#1656)

  • Added awalsh128/cache-apt-pkgs-action as a cache-aware action to the cache-poisoning audit (#1708)

Changes ⚠️

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [zizmorcore/zizmor](https://github.com/zizmorcore/zizmor) from 1.18.0 to 1.23.1.
- [Release notes](https://github.com/zizmorcore/zizmor/releases)
- [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md)
- [Commits](zizmorcore/zizmor@v1.18.0...v1.23.1)

---
updated-dependencies:
- dependency-name: zizmorcore/zizmor
  dependency-version: 1.23.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file docker_compose Pull requests that update docker_compose code labels Apr 1, 2026

eviljeff commented Apr 2, 2026

There seem to have been a number of changes between 1.18 and 1.23 - there are some new rules in particular we are now hitting:

The former is probably useful, and can be easily applied (at a cost of more dependabot PRs, this time for action updates); the latter depends on us setting up environments for addons-server, which we either don't have at org level, or I don't currently have access to. It would also mean redefining all our secrets in an environment, and I suspect we don't have copies of all (any?) of them.


diox commented Apr 2, 2026

Starting with zizmor v1.20.0, the default policy for unpinned-uses is to require hash-pinning on all actions, not just third-party ones. The previous behavior (of allowing actions/* and similar to be ref-pinned) is no longer the default but can be re-enabled via configuration; see the configuration section below for details.

This is the main difference with before when it comes to pinning `uses:`. We do pin `uses:` already, but with the following strategy:

  • Our own internal actions inside the same repos are not pinned
  • "Built-in" actions/* are pinned using tags, which are technically not guaranteed to be immutable but more convenient to use
  • Third-party actions are pinned using hashes

We could consider pinning the built-in ones using hashes too... I suspect they are fairly low traffic anyway... In this repo that'd mean:

  • actions/checkout@v6
  • actions/configure-pages@v5
  • actions/deploy-pages@v4
  • actions/upload-pages-artifact@v4
  • actions/setup-node@v6 (for the make tests)
  • actions/setup-python@v6 (for the health check)
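As an added illustration (not zizmor's own code and not part of this thread), the following script checks `uses:` references against the three-tier strategy described above and against the stricter hash-pin-everything default that zizmor applies from v1.20. The policy tables, the glob pattern syntax and the sample workflow fragment are constructed for this example; the SHA in it is a placeholder, not a real commit.

```python
import re
from fnmatch import fnmatch

# Added illustration, not zizmor's code. Two constructed policy tables in the
# spirit of zizmor's unpinned-uses policies: first matching pattern wins.
REPO_POLICY = {               # the strategy described in the thread
    "./*": "any",             # local actions in this repo: no pin required
    "actions/*": "ref-pin",   # GitHub-owned actions: a tag is enough
    "*": "hash-pin",          # third-party: 40-hex commit SHA required
}
STRICT_POLICY = {"./*": "any", "*": "hash-pin"}   # zizmor >= 1.20 default

SHA_RE = re.compile(r"[0-9a-f]{40}")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.M)

def classify(uses):
    """How a `uses:` reference is pinned: local, unpinned, ref-pin or hash-pin."""
    if uses.startswith("./"):
        return "local"
    if "@" not in uses:
        return "unpinned"
    return "hash-pin" if SHA_RE.fullmatch(uses.rsplit("@", 1)[1]) else "ref-pin"

def required_policy(uses, policies):
    """Policy for the action name (part before '@'); first matching glob wins."""
    name = uses.split("@", 1)[0]
    return next((p for pat, p in policies.items() if fnmatch(name, pat)), "hash-pin")

def satisfies(actual, policy):
    if policy == "any" or actual == "local":
        return True
    if policy == "ref-pin":
        return actual in ("ref-pin", "hash-pin")   # a SHA also counts as a ref
    return actual == "hash-pin"                    # policy == "hash-pin"

def violations(workflow_text, policies):
    """(uses, actual, required) for every reference that fails its policy."""
    return [(u, classify(u), required_policy(u, policies))
            for u in USES_RE.findall(workflow_text)
            if not satisfies(classify(u), required_policy(u, policies))]

# Constructed sample workflow fragment; the SHA is a placeholder, not a real commit.
SAMPLE = """jobs:
  build:
    steps:
      - uses: ./.github/actions/setup
      - uses: actions/checkout@v6
      - uses: docker/build-push-action@v6
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567
"""
```

Running `violations(SAMPLE, REPO_POLICY)` flags only the third-party tag pin, while `violations(SAMPLE, STRICT_POLICY)` also flags `actions/checkout@v6`, which is exactly the delta the new default introduces.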


diox commented Apr 7, 2026

Regarding https://docs.zizmor.sh/audits/#secrets-outside-env I think we should start by allowing the current secrets we're using through secrets-outside-env.config.allow for now, and then try to migrate them one by one later.
