
Update dependency zizmor to v1.10.0 #11443


Merged
merged 1 commit into from
Jun 26, 2025

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jun 26, 2025

This PR contains the following updates:

Package: zizmor (source)
Change: 1.9.0 -> 1.10.0

Release Notes

zizmorcore/zizmor (zizmor)

v1.10.0


This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈

  • New audit: anonymous-definition detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

    Many thanks to @andrewpollack for implementing this audit!

  • Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

    • artipacked: zizmor will attempt to add persist-credentials: false to actions/checkout steps that do not already have it.

    • template-injection: zizmor will attempt to rewrite run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate env: block to set FOO_BAR to the expression's evaluation.

    Read more about the new auto-fix mode in the documentation.

    Many thanks to @mostafa for implementing this feature!

Enhancements 🌱

  • The artipacked audit now produces findings on composite action definitions, rather than just workflow definitions (#896)
  • The use-trusted-publishing audit now produces findings on composite action definitions, rather than just workflow definitions (#899)
  • The bot-conditions audit now detects more spoofable actor checks, including checks against well-known user IDs for bot accounts (#905)
  • The template-injection and other audits now produce more precise findings when analyzing env context accesses for static-ness (#911)
  • The template-injection audit now produces more precise findings when analyzing inputs context accesses (#919)
  • zizmor now produces more descriptive error messages when it fails to parse a workflow or action definition (#956)
  • The bot-conditions audit now returns precise spans for flagged actor checks, instead of flagging the entire if: value (#949)
  • The template-injection audit now returns precise spans for flagged contexts and expressions, instead of flagging the entire script block (#958)
  • The obfuscation audit now returns precise spans for flagged expressions (#969)
  • The obfuscation audit now detects computed indices (e.g. inputs.foo[inputs.bar]) as a potentially obfuscatory pattern (#969)

Bug Fixes 🐛

  • The template-injection audit no longer crashes when attempting to evaluate the static-ness of an environment context within a composite action uses: step (#887)
  • The bot-conditions audit now correctly analyzes index-style contexts, e.g. github['actor'] (#905)
  • Fixed a bug where zizmor would fail to parse expressions that contained >= or <= (#916)
  • Fixed a bug where zizmor would fail to parse expressions containing contexts with interstitial whitespace (#958)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
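The two auto-fixes described in the release notes above (hoisting ${{ ... }} expressions out of run: into env:, and adding persist-credentials: false to actions/checkout steps), re-implemented as a simplified added example in Python. This is not zizmor's own code: zizmor rewrites only the expressions its static-ness analysis flags, whereas the hypothetical helpers here (fix_template_injection, fix_artipacked, env_name_for) rewrite every expression they find, and the sample steps are constructed.

```python
import re
from typing import Any, Dict

# Matches a GitHub Actions expression such as ${{ github.event.issue.title }}.
# Simplification: zizmor rewrites only expressions it judges non-static; this
# hypothetical helper rewrites every expression it finds in a run: block.
EXPR_RE = re.compile(r"\$\{\{\s*([A-Za-z_][\w.\-]*)\s*\}\}")

def env_name_for(context_path: str) -> str:
    """github.event.issue.title -> GITHUB_EVENT_ISSUE_TITLE"""
    return re.sub(r"[^A-Za-z0-9]", "_", context_path).upper()

def fix_template_injection(step: Dict[str, Any]) -> Dict[str, Any]:
    """Hoist ${{ ... }} out of run: into env:, so the shell receives the value
    as a variable instead of having it spliced into the script text."""
    run = step.get("run")
    if not isinstance(run, str):
        return dict(step)
    env: Dict[str, str] = dict(step.get("env", {}))

    def hoist(match: "re.Match[str]") -> str:
        expr = "${{ " + match.group(1) + " }}"
        name = env_name_for(match.group(1))
        if env.get(name, expr) != expr:  # don't clobber an unrelated env var
            name = f"{name}_{len(env)}"
        env[name] = expr
        return "${" + name + "}"

    fixed = dict(step)
    fixed["run"] = EXPR_RE.sub(hoist, run)
    if env:
        fixed["env"] = env
    return fixed

def fix_artipacked(step: Dict[str, Any]) -> Dict[str, Any]:
    """Add persist-credentials: false to actions/checkout steps lacking it, so
    the job token is not left in .git/config for later steps or artifacts."""
    uses = step.get("uses", "")
    if not isinstance(uses, str) or not uses.startswith("actions/checkout@"):
        return dict(step)
    fixed = dict(step)
    fixed["with"] = {**step.get("with", {})}
    fixed["with"].setdefault("persist-credentials", False)
    return fixed

# Constructed sample steps, not taken from any real workflow.
INJECTABLE_STEP = {"run": 'echo "Title: ${{ github.event.issue.title }}"\necho ${{ github.actor }}'}
CHECKOUT_STEP = {"uses": "actions/checkout@v4", "with": {"fetch-depth": 0}}
```

The rewritten run: block still needs the variable quoted ("${GITHUB_EVENT_ISSUE_TITLE}") to be safe against word splitting; the hoist only removes the expression from the script text.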

@Turbo87 Turbo87 merged commit 03150ce into main Jun 26, 2025
12 checks passed
@Turbo87 Turbo87 deleted the renovate/zizmor-1.x branch June 26, 2025 21:25