Skip to content

Bump zizmor from 1.19.0 to 1.22.0 in /.github/workflows#164

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/dot-github/workflows/zizmor-1.22.0
Open

Bump zizmor from 1.19.0 to 1.22.0 in /.github/workflows#164
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/dot-github/workflows/zizmor-1.22.0

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Feb 1, 2026

Bumps zizmor from 1.19.0 to 1.22.0.

Release notes

Sourced from zizmor's releases.

v1.22.0

Changes ⚠️🔗

  • The misfeature audit now only shows non-"well known" shell: findings when running with the "auditor" persona (#1532)

Bug Fixes 🐛🔗

  • Fixed a bug where inputs containing CRLF line endings were not patched correctly by the unpinned-uses audit (#1536)

v1.21.0

New Features 🌈🔗

  • New audit: misfeature detects usage of GitHub Actions features that are considered "misfeatures." (#1517)

Enhancements 🌱🔗

  • zizmor now uses exit code 3 to signal an audit that has failed because no input files were collected. See the exit code documentation for details (#1515)

  • The unpinned-uses audit now supports auto-fixes for many findings (#1525)

Changes ⚠️🔗

  • The obfuscation audit no longer flags shell: cmd. That check has been moved to the new misfeature audit. Users may need to update their ignore comments and/or configuration (#1517)

Bug Fixes 🐛🔗

v1.20.0

Enhancements 🌱🔗

Changes ⚠️🔗

  • The default policy for the unpinned-uses audit has changed from allowing ref-pinning for first-party actions (those under actions/* and similar) to requiring hash-pinning. This makes the default policy more strict, as well as more consistent across the actions ecosystem.

    Users who with to retain the old (permissive policy) for first-party actions may configure it explicitly in their zizmor.yml:

zizmor.yml

rules:
unpinned-uses:
</tr></table>

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.22.0

Changes ⚠️

  • The [misfeature] audit now only shows non-"well known" #!yaml shell: findings when running with the "auditor" persona (#1532)

Bug Fixes 🐛

  • Fixed a bug where inputs containing CRLF line endings were not patched correctly by the [unpinned-uses] audit (#1536)

1.21.0

New Features 🌈

  • New audit: [misfeature] detects usage of GitHub Actions features that are considered "misfeatures." (#1517)

Enhancements 🌱

  • zizmor now uses exit code 3 to signal an audit that has failed because no input files were collected. See the [exit code] documentation for details (#1515)

  • The [unpinned-uses] audit now supports auto-fixes for many findings (#1525)

Changes ⚠️

  • The [obfuscation] audit no longer flags #!yaml shell: cmd. That check has been moved to the new [misfeature] audit. Users may need to update their ignore comments and/or configuration (#1517)

Bug Fixes 🐛

  • The [unpinned-uses] audit now flags reusable workflows that are unpinned, in addition to actions (#1509)

    Many thanks to @​johnbillion for implementing this fix!

1.20.0

Enhancements 🌱

  • The [excessive-permissions] audit is now aware of the artifact-metadata and models permissions (#1461)

  • The [cache-poisoning] audit is now aware of the @​ramsey/composer-install action (#1489)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump zizmor from 1.19.0 to 1.22.0 in /.github/workflows
b62249d 
Bumps [zizmor](https://github.com/zizmorcore/zizmor) from 1.19.0 to 1.22.0.
- [Release notes](https://github.com/zizmorcore/zizmor/releases)
- [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md)
- [Commits](zizmorcore/zizmor@v1.19.0...v1.22.0)

---
updated-dependencies:
- dependency-name: zizmor
  dependency-version: 1.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Feb 1, 2026
@dependabot dependabot Bot mentioned this pull request Feb 1, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants