Bump zizmorcore/zizmor from 1.25.2 to 1.26.1

[dependabot]

Bumps zizmorcore/zizmor from 1.25.2 to 1.26.1.

Release notes

Sourced from zizmorcore/zizmor's releases.

v1.26.1

This is a small corrective release for 1.26.0.

v1.26.0

New Features 🌈🔗

• New audit: typosquat-uses detects uses: clauses that reference likely typoed actions (#1985)

  Many thanks to @​andrew for proposing and implementing this improvement!

• New audit: unsound-ternary detects pseudo-ternary expressions that don't evaluate as expected (#2085)

  Many thanks to @​terror for proposing and implementing this improvement!

• New audit: adhoc-packages detects run: steps that install packages in an ad-hoc manner (#2061)

  Many thanks to @​connorshea for proposing and implementing this improvement!

Enhancements 🌱🔗

• The cache-poisoning audit now detects additional cache disablement heuristics (#2053)

• The known-vulnerable-actions audit is now configurable. See the configuration documentation for details (#2084)

• The excessive-permissions audit is now aware of the code-quality permission (#2088)

• The unpinned-uses audit's auto-fix now uses the fully qualified version tag (e.g. # v6.0.2) when fixing a major-version ref (e.g. @​v6) (#2127)

Performance Improvements 🚄🔗

• Most online audits are significantly faster, thanks to more precise retry handling (#2036) Bug Fixes 🐛🔗

• Fixed a bug where zizmor's LSP would not recognize dependabot.yaml files in its default configuration (#2026)

  Many thanks to @​fionn for implementing this fix!

• Fixed a bug where ref-version-mismatch would fail to fully match some version comments (#2040)

• Fixed a bug where dependabot-cooldown would fail to honor the user's configured days when performing autofixes (#2055)

• Steps and jobs gated by statically-false if: conditions (e.g. if: false, if: ${{ false }}) are now skipped during auditing, since they cannot execute (#2059, #2069)

• Fixed a bug where ref-version-mismatch would fail to identify some valid version comments (#2073)

• Fixed a bug where unpinned-images would incorrectly flag empty matrix expansions as unpinned container image references (#2102)

• Fixed a bug where unpinned-images would incorrectly flag some matrix expansions as unpinned (#2098)

• The SARIF (--format=sarif) and GitHub Annotations (--format=github) output formats now provide more correct/useful paths, particularly when the user provides a relative path as input to zizmor rather than zizmor . (#1748, #2095)

... (truncated)

Changelog

Sourced from zizmorcore/zizmor's changelog.

1.26.1

This is a small corrective release for 1.26.0.

1.26.0

New Features 🌈

• New audit: [typosquat-uses] detects #!yaml uses: clauses that reference likely typoed actions (#1985)

  Many thanks to @​andrew for proposing and implementing this improvement!

• New audit: [unsound-ternary] detects pseudo-ternary expressions that don't evaluate as expected (#2085)

  Many thanks to @​terror for proposing and implementing this improvement!

• New audit: [adhoc-packages] detects #!yaml run: steps that install packages in an ad-hoc manner (#2061)

  Many thanks to @​connorshea for proposing and implementing this improvement!

Enhancements 🌱

• The [cache-poisoning] audit now detects additional cache disablement heuristics (#2053)

• The [known-vulnerable-actions] audit is now configurable. See the configuration documentation for details (#2084)

• The [excessive-permissions] audit is now aware of the code-quality permission (#2088)

• The [unpinned-uses] audit's auto-fix now uses the fully qualified version tag (e.g. # v6.0.2) when fixing a major-version ref (e.g. @v6) (#2127)

Performance Improvements 🚄

• Most online audits are significantly faster, thanks to more precise retry handling (#2036)

Bug Fixes 🐛

• Fixed a bug where zizmor's LSP would not recognize dependabot.yaml files in its default configuration (#2026)

  Many thanks to @​fionn for implementing this fix!

• Fixed a bug where [ref-version-mismatch] would fail to fully match some version comments (#2040)

... (truncated)

Commits

• 597db4d zizmor 1.26.1 (#2137)
• 97037cd zizmor 1.26.0 (#2136)
• 3fecda6 Bump trophies (#2135)
• cdaf536 Add InputGroup::root (#2095)
• d7672f9 docs: fix release note references (#2132)
• 5420162 docs: pin manual uvx zizmor examples (#2131)
• e9d4a44 feat(unpinned-uses): pin to full version when fixing a major ref (#2127)
• e638658 [BOT] update JSON schemas from SchemaStore (#2126)
• 2c47399 chore(deps): bump http from 1.4.1 to 1.4.2 in the cargo group (#2125)
• cd68f65 chore(deps): bump the github-actions group across 1 directory with 3 updates ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)