cargo: bump edition (#585)

* cargo: bump edition Signed-off-by: William Woodruff <[email protected]> * cargo fmt Signed-off-by: William Woodruff <[email protected]> * cargo clippy --fix Signed-off-by: William Woodruff <[email protected]> * cargo fmt Signed-off-by: William Woodruff <[email protected]> * ci: pypi: don't do release on workflow_dispatch Signed-off-by: William Woodruff <[email protected]> * try macos-13 Signed-off-by: William Woodruff <[email protected]> * ci: pypi: add TODO Signed-off-by: William Woodruff <[email protected]> --------- Signed-off-by: William Woodruff <[email protected]>
woodruffw · Mar 5, 2025 · fcc08c9 · fcc08c9
1 parent 19222e6
commit fcc08c9
Show file tree

Hide file tree

Showing 34 changed files with 615 additions and 463 deletions.
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
@@ -112,9 +112,11 @@ jobs:
     strategy:
       matrix:
         platform:
+          # TODO: Bump to macos-15 once Rust 1.85+ is available.
+          # See: https://github.com/actions/runner-images/issues/11637
           - runner: macos-13
             target: x86_64
-          - runner: macos-14
+          - runner: macos-13
             target: aarch64
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
@@ -155,7 +157,7 @@ jobs:
     environment:
       name: pypi
       url: https://pypi.org/p/zizmor
-    if: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' }}
+    if: ${{ startsWith(github.ref, 'refs/tags/') }}
     needs: [linux, musllinux, windows, macos, sdist]
     permissions:
       # Use to sign the release artifacts

diff --git a/Cargo.toml b/Cargo.toml
@@ -2,15 +2,15 @@
 name = "zizmor"
 description = "Static analysis for GitHub Actions"
 version = "1.4.1"
-edition = "2021"
+edition = "2024"
 repository = "https://github.com/woodruffw/zizmor"
 homepage = "https://github.com/woodruffw/zizmor"
 documentation = "https://woodruffw.github.io/zizmor/"
 authors = ["William Woodruff <[email protected]>"]
 license = "MIT"
 keywords = ["cli", "github-actions", "static-analysis", "security"]
 categories = ["command-line-utilities"]
-rust-version = "1.80.1"
+rust-version = "1.85.0"
 
 [features]
 # Test-only: enable online audits that make use of a GitHub token via GH_TOKEN.

diff --git a/src/audit/artipacked.rs b/src/audit/artipacked.rs
@@ -2,16 +2,16 @@ use std::ops::Deref as _;
 
 use anyhow::Result;
 use github_actions_models::{
-    common::{expr::ExplicitExpr, EnvValue, Uses},
+    common::{EnvValue, Uses, expr::ExplicitExpr},
     workflow::job::StepBody,
 };
 use itertools::Itertools as _;
 
-use super::{audit_meta, Audit};
+use super::{Audit, audit_meta};
 use crate::utils::split_patterns;
 use crate::{
     finding::{Confidence, Finding, Persona, Severity},
-    models::{uses::RepositoryUsesExt as _, JobExt},
+    models::{JobExt, uses::RepositoryUsesExt as _},
     state::AuditState,
 };
 

diff --git a/src/audit/bot_conditions.rs b/src/audit/bot_conditions.rs
@@ -1,6 +1,6 @@
-use github_actions_models::common::{expr::ExplicitExpr, If};
+use github_actions_models::common::{If, expr::ExplicitExpr};
 
-use super::{audit_meta, Audit};
+use super::{Audit, audit_meta};
 use crate::{
     expr::{self, Context, Expr},
     finding::{Confidence, Severity},

diff --git a/src/audit/cache_poisoning.rs b/src/audit/cache_poisoning.rs
@@ -2,10 +2,10 @@ use std::str::FromStr;
 use std::sync::LazyLock;
 
 use github_actions_models::common::Uses;
-use github_actions_models::workflow::event::{BareEvent, BranchFilters, OptionalBody};
 use github_actions_models::workflow::Trigger;
+use github_actions_models::workflow::event::{BareEvent, BranchFilters, OptionalBody};
 
-use crate::audit::{audit_meta, Audit};
+use crate::audit::{Audit, audit_meta};
 use crate::finding::{Confidence, Finding, Severity};
 use crate::models::coordinate::{ActionCoordinate, Control, ControlFieldType, Toggle, Usage};
 use crate::models::{JobExt as _, NormalJob, Step, StepCommon, Steps};

diff --git a/src/audit/dangerous_triggers.rs b/src/audit/dangerous_triggers.rs
@@ -1,6 +1,6 @@
 use anyhow::Result;
 
-use super::{audit_meta, Audit};
+use super::{Audit, audit_meta};
 use crate::finding::{Confidence, Finding, Severity};
 use crate::models::Workflow;
 use crate::state::AuditState;

diff --git a/src/audit/excessive_permissions.rs b/src/audit/excessive_permissions.rs
@@ -2,11 +2,11 @@ use std::{collections::HashMap, sync::LazyLock};
 
 use github_actions_models::common::{BasePermission, Permission, Permissions};
 
-use super::{audit_meta, Audit, Job};
+use super::{Audit, Job, audit_meta};
 use crate::models::JobExt as _;
 use crate::{
-    finding::{Confidence, Persona, Severity, SymbolicLocation},
     AuditState,
+    finding::{Confidence, Persona, Severity, SymbolicLocation},
 };
 
 // Subjective mapping of permissions to severities, when given `write` access.

diff --git a/src/audit/github_env.rs b/src/audit/github_env.rs
@@ -9,7 +9,7 @@ use regex::Regex;
 use streaming_iterator::StreamingIterator;
 use tree_sitter::{Language, Parser, Query, QueryCapture, QueryCursor, QueryMatches, Tree};
 
-use super::{audit_meta, Audit};
+use super::{Audit, audit_meta};
 use crate::finding::{Confidence, Finding, Severity};
 use crate::models::{JobExt as _, Step};
 use crate::state::AuditState;
@@ -445,8 +445,8 @@ impl Audit for GitHubEnv {
 
 #[cfg(test)]
 mod tests {
-    use crate::audit::github_env::{GitHubEnv, GITHUB_ENV_WRITE_CMD};
     use crate::audit::Audit;
+    use crate::audit::github_env::{GITHUB_ENV_WRITE_CMD, GitHubEnv};
     use crate::github_api::GitHubHost;
     use crate::state::AuditState;
 
@@ -563,18 +563,45 @@ mod tests {
             ("foo >> $ENV:GITHUB_ENV", true),
             ("foo >> $ENV:GitHub_Env", true),
             // Out-File cases
-            ("echo \"CUDA_PATH=$env:CUDA_PATH\" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append", true),
-            ("\"PYTHON_BIN=$PYTHON_BIN\" | Out-File -FilePath $env:GITHUB_ENV -Append", true),
-            ("echo \"SOLUTION_PATH=${slnPath}\" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append", true),
+            (
+                "echo \"CUDA_PATH=$env:CUDA_PATH\" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append",
+                true,
+            ),
+            (
+                "\"PYTHON_BIN=$PYTHON_BIN\" | Out-File -FilePath $env:GITHUB_ENV -Append",
+                true,
+            ),
+            (
+                "echo \"SOLUTION_PATH=${slnPath}\" | Out-File $env:GITHUB_ENV -Encoding utf8 -Append",
+                true,
+            ),
             // // Add-Content cases
-            ("Add-Content -Path $env:GITHUB_ENV -Value \"RELEASE_VERSION=$releaseVersion\"", true),
-            ("Add-Content $env:GITHUB_ENV \"DOTNET_ROOT=$Env:USERPROFILE\\.dotnet\"", true),
+            (
+                "Add-Content -Path $env:GITHUB_ENV -Value \"RELEASE_VERSION=$releaseVersion\"",
+                true,
+            ),
+            (
+                "Add-Content $env:GITHUB_ENV \"DOTNET_ROOT=$Env:USERPROFILE\\.dotnet\"",
+                true,
+            ),
             // Set-Content cases
-            ("Set-Content -Path $env:GITHUB_ENV -Value \"tag=$tag\"", true),
-            ("[System.Text.Encoding]::UTF8.GetBytes(\"RELEASE_NOTES<<EOF`n$releaseNotes`nEOF\") |\nSet-Content -Path $Env:GITHUB_ENV -NoNewline -Encoding Byte", true),
+            (
+                "Set-Content -Path $env:GITHUB_ENV -Value \"tag=$tag\"",
+                true,
+            ),
+            (
+                "[System.Text.Encoding]::UTF8.GetBytes(\"RELEASE_NOTES<<EOF`n$releaseNotes`nEOF\") |\nSet-Content -Path $Env:GITHUB_ENV -NoNewline -Encoding Byte",
+                true,
+            ),
             // Tee-Object cases
-            ("echo \"BRANCH=${{ env.BRANCH_NAME }}\" | Tee-Object -Append -FilePath \"${env:GITHUB_ENV}\"", true),
-            ("echo \"JAVA_HOME=${Env:JAVA_HOME_11_X64}\" | Tee-Object -FilePath $env:GITHUB_ENV -Append", true),
+            (
+                "echo \"BRANCH=${{ env.BRANCH_NAME }}\" | Tee-Object -Append -FilePath \"${env:GITHUB_ENV}\"",
+                true,
+            ),
+            (
+                "echo \"JAVA_HOME=${Env:JAVA_HOME_11_X64}\" | Tee-Object -FilePath $env:GITHUB_ENV -Append",
+                true,
+            ),
             // Case insensitivity
             ("echo \"foo\" | out-file $Env:GitHub_Env -Append", true),
             ("echo \"foo\" | out-File $Env:GitHub_Env -Append", true),
@@ -588,7 +615,10 @@ mod tests {
             ),
             ("foo >> GITHUB_ENV", false), // GITHUB_ENV is not a variable
             ("foo >> $GITHUB_ENV", false), // variable but not an envvar
-            ("\"PYTHON_BIN=$PYTHON_BIN\" | Out-File -FilePath GITHUB_ENV -Append", false), // GITHUB_ENV is not a variable
+            (
+                "\"PYTHON_BIN=$PYTHON_BIN\" | Out-File -FilePath GITHUB_ENV -Append",
+                false,
+            ), // GITHUB_ENV is not a variable
         ] {
             let audit_state = AuditState {
                 no_online_audits: false,

diff --git a/src/audit/hardcoded_container_credentials.rs b/src/audit/hardcoded_container_credentials.rs
@@ -3,7 +3,7 @@ use github_actions_models::{
     workflow::job::{Container, DockerCredentials},
 };
 
-use super::{audit_meta, Audit, Job};
+use super::{Audit, Job, audit_meta};
 use crate::{
     finding::{Confidence, Severity},
     models::JobExt as _,

diff --git a/src/audit/impostor_commit.rs b/src/audit/impostor_commit.rs
@@ -5,14 +5,14 @@
 //!
 //! [`clank`]: https://github.com/chainguard-dev/clank
 
-use anyhow::{anyhow, Result};
+use anyhow::{Result, anyhow};
 use github_actions_models::common::{RepositoryUses, Uses};
 
-use super::{audit_meta, Audit, Job};
+use super::{Audit, Job, audit_meta};
 use crate::{
     finding::{Confidence, Finding, Severity},
     github_api::{self, ComparisonStatus},
-    models::{uses::RepositoryUsesExt as _, JobExt as _, Workflow},
+    models::{JobExt as _, Workflow, uses::RepositoryUsesExt as _},
     state::AuditState,
 };
 

diff --git a/src/audit/insecure_commands.rs b/src/audit/insecure_commands.rs
@@ -6,7 +6,7 @@ use github_actions_models::common::expr::LoE;
 use github_actions_models::common::{Env, EnvValue};
 use github_actions_models::workflow::job::StepBody;
 
-use super::{audit_meta, Job};
+use super::{Job, audit_meta};
 use crate::audit::Audit;
 use crate::finding::{Confidence, Finding, Persona, Severity, SymbolicLocation};
 use crate::models::{JobExt as _, Steps, Workflow};

diff --git a/src/audit/known_vulnerable_actions.rs b/src/audit/known_vulnerable_actions.rs
@@ -5,10 +5,10 @@
 //!
 //! See: <https://docs.github.com/en/rest/security-advisories/global-advisories?apiVersion=2022-11-28>
 
-use anyhow::{anyhow, Context, Result};
+use anyhow::{Context, Result, anyhow};
 use github_actions_models::common::{RepositoryUses, Uses};
 
-use super::{audit_meta, Audit};
+use super::{Audit, audit_meta};
 use crate::finding::Finding;
 use crate::models::CompositeStep;
 use crate::{

diff --git a/src/audit/overprovisioned_secrets.rs b/src/audit/overprovisioned_secrets.rs
@@ -4,7 +4,7 @@ use crate::{
     utils::extract_expressions,
 };
 
-use super::{audit_meta, Audit, AuditInput};
+use super::{Audit, AuditInput, audit_meta};
 
 pub(crate) struct OverprovisionedSecrets;
 

diff --git a/src/audit/ref_confusion.rs b/src/audit/ref_confusion.rs
@@ -6,10 +6,10 @@
 //! but the upstream repository may host *both* a branch and a tag named
 //! `foo`, making it unclear to the end user which is selected.
 
-use anyhow::{anyhow, Result};
+use anyhow::{Result, anyhow};
 use github_actions_models::common::{RepositoryUses, Uses};
 
-use super::{audit_meta, Audit, Job};
+use super::{Audit, Job, audit_meta};
 use crate::finding::Finding;
 use crate::models::{CompositeStep, JobExt as _};
 use crate::{

diff --git a/src/audit/secrets_inherit.rs b/src/audit/secrets_inherit.rs
@@ -1,6 +1,6 @@
 use github_actions_models::workflow::job::Secrets;
 
-use super::{audit_meta, Audit};
+use super::{Audit, audit_meta};
 use crate::{finding::Confidence, models::JobExt as _};
 
 pub(crate) struct SecretsInherit;

diff --git a/src/audit/self_hosted_runner.rs b/src/audit/self_hosted_runner.rs
@@ -11,12 +11,12 @@ use github_actions_models::{
     workflow::job::RunsOn,
 };
 
-use super::{audit_meta, Audit, Job};
+use super::{Audit, Job, audit_meta};
 use crate::models::Matrix;
 use crate::{
+    AuditState,
     finding::{Confidence, Persona, Severity},
     models::JobExt as _,
-    AuditState,
 };
 
 pub(crate) struct SelfHostedRunner;

diff --git a/src/audit/template_injection.rs b/src/audit/template_injection.rs
@@ -11,15 +11,15 @@
 //! expressions that an attacker can't control.
 
 use github_actions_models::{
-    common::{expr::LoE, Uses},
+    common::{Uses, expr::LoE},
     workflow::job::Strategy,
 };
 
-use super::{audit_meta, Audit};
+use super::{Audit, audit_meta};
 use crate::{
     expr::{BinOp, Expr, UnOp},
     finding::{Confidence, Persona, Severity, SymbolicLocation},
-    models::{self, uses::RepositoryUsesExt as _, StepCommon},
+    models::{self, StepCommon, uses::RepositoryUsesExt as _},
     state::AuditState,
     utils::extract_expressions,
 };

diff --git a/src/audit/unpinned_uses.rs b/src/audit/unpinned_uses.rs
@@ -1,8 +1,8 @@
 use github_actions_models::common::Uses;
 
-use super::{audit_meta, Audit, AuditState, Finding, Step};
+use super::{Audit, AuditState, Finding, Step, audit_meta};
 use crate::finding::{Confidence, Persona, Severity};
-use crate::models::{uses::UsesExt as _, CompositeStep};
+use crate::models::{CompositeStep, uses::UsesExt as _};
 
 pub(crate) struct UnpinnedUses;
 

diff --git a/src/audit/unredacted_secrets.rs b/src/audit/unredacted_secrets.rs
@@ -1,11 +1,11 @@
 use crate::{
+    Confidence, Severity,
     expr::{Context, Expr},
     finding::{Feature, Location},
     utils::extract_expressions,
-    Confidence, Severity,
 };
 
-use super::{audit_meta, Audit};
+use super::{Audit, audit_meta};
 
 pub(crate) struct UnredactedSecrets;
 

diff --git a/src/audit/use_trusted_publishing.rs b/src/audit/use_trusted_publishing.rs
@@ -7,7 +7,7 @@ use github_actions_models::{
 };
 use indexmap::IndexMap;
 
-use super::{audit_meta, Audit};
+use super::{Audit, audit_meta};
 use crate::{
     finding::{Confidence, Severity},
     models::uses::RepositoryUsesExt as _,

diff --git a/src/config.rs b/src/config.rs
@@ -1,9 +1,9 @@
 use std::{collections::HashMap, fs, num::NonZeroUsize, str::FromStr};
 
-use anyhow::{anyhow, Context as _, Result};
-use serde::{de, Deserialize};
+use anyhow::{Context as _, Result, anyhow};
+use serde::{Deserialize, de};
 
-use crate::{finding::Finding, App};
+use crate::{App, finding::Finding};
 
 #[derive(Clone, Debug, PartialEq)]
 pub(crate) struct WorkflowRule {