Bump zizmor from 1.22.0 to 1.23.1

[dependabot]

Bumps zizmor from 1.22.0 to 1.23.1.

Release notes

Sourced from zizmor's releases.

v1.23.1

Bug Fixes 🐛🔗

• Fixed a bug where zizmor would error if given both a GH_TOKEN and a GITHUB_TOKEN (or ZIZMOR_GITHUB_TOKEN) via the environment (#1724)

v1.23.0

New Features 🌈🔗

• New audit: secrets-outside-env detects usage of the secrets context in jobs that don't have a corresponding environment (#1599)

• New audit: superfluous-actions detects usage of actions that perform operations already provided by GitHub's own runner images (#1618)

Enhancements 🌱🔗

• zizmor's LSP mode is now configuration-aware, and will load configuration files relative to workspace roots (#1555)

• zizmor now reads the GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN (#1566)

• zizmor now supports inputs that contain duplicated anchor names (#1575)

• zizmor now flags missing cooldowns on opentofu ecosystem definitions in Dependabot (again) (#1586)

• zizmor now reads the ZIZMOR_GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN and GITHUB_TOKEN (#1641)

• The SARIF output format now adds zizmor/confidence, zizmor/persona and zizmor/severity to the properties of findings (#1656)

• Added awalsh128/cache-apt-pkgs-action as a cache-aware action to the cache-poisoning audit (#1708)

Changes ⚠️🔗

• SARIF categories have been regraded. zizmor's "medium" is changed from SARIF's "warning" to "low" (#1635) Bug Fixes 🐛🔗

• Fixed a bug where zizmor would crash on uses: clauses containing non-significant whitespace while performing the unpinned-uses audit (#1544)

• Fixed a bug in yamlpath where sequences containing anchors were splatted instead of being properly nested (#1557)

  Many thanks to @​DarkaMaul for implementing this fix!

• Fixed a bug in yamlpath where anchor prefixes in sequences and mapping were not stripped during path queries (#1562)

• Fixed a bug where "merge into" autofixes would produce incorrect patches in the presence of multi-byte Unicode characters (#1581)

  Many thanks to @​ManuelLerchnerQC for implementing this fix!

• Fixed a bug where the template-injection audit would produce duplicated pedantic-only findings (#1589)

• Fixed a bug where the obfuscation audit would produce incorrect autofixes for a subset of constant-reducible expressions (#1597)

• Fixed a bug where the obfuscation audit would fail to apply fixes to a subset of inputs with leading whitespace (#1597)

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.23.1

Bug Fixes 🐛

• Fixed a bug where zizmor would error if given both a GH_TOKEN and a GITHUB_TOKEN (or ZIZMOR_GITHUB_TOKEN) via the environment (#1724)

1.23.0

New Features 🌈

• New audit: [secrets-outside-env] detects usage of the secrets context in jobs that don't have a corresponding environment (#1599)

• New audit: [superfluous-actions] detects usage of actions that perform operations already provided by GitHub's own runner images (#1618)

Enhancements 🌱

• zizmor's LSP mode is now configuration-aware, and will load configuration files relative to workspace roots (#1555)

• zizmor now reads the GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN (#1566)

• zizmor now supports inputs that contain duplicated anchor names (#1575)

• zizmor now flags missing cooldowns on opentofu ecosystem definitions in Dependabot (again) (#1586)

• zizmor now reads the ZIZMOR_GITHUB_TOKEN environment variable as an alias/equivalent for GH_TOKEN and GITHUB_TOKEN (#1641)

• The SARIF output format now adds zizmor/confidence, zizmor/persona and zizmor/severity to the properties of findings (#1656)

• Added awalsh128/cache-apt-pkgs-action as a cache-aware action to the cache-poisoning audit (#1708)

Changes ⚠️

• SARIF categories have been regraded. zizmor's "medium" is changed from SARIF's "warning" to "low" (#1635)

Bug Fixes 🐛

• Fixed a bug where zizmor would crash on uses: clauses containing non-significant whitespace while performing the [unpinned-uses] audit (#1544)

• Fixed a bug in yamlpath where sequences containing anchors were splatted

... (truncated)

Commits

• 0b77258 zizmor v1.23.1 (#1725)
• d822fa6 Remove conflict handling from GH_TOKEN aliases (#1724)
• 773439b Bump trophies (#1721)
• f5c05f0 zizmor 1.23.0 (#1719)
• 93858d8 zizmor 1.23.0-rc7 (#1718)
• 76d3f1e yamlpatch 0.13.0 (#1717)
• 7a71262 github-actions-expressions 0.0.15 (#1716)
• 2255be6 zizmor 1.23.0-rc6 (#1715)
• a0f9dcb Fix http-cache usage (#1689)
• adabd2d Update pedantic persona example (#1714)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)