Bump zizmor from 1.19.0 to 1.20.0

[dependabot]

Bumps zizmor from 1.19.0 to 1.20.0.

Release notes

Sourced from zizmor's releases.

v1.20.0

Enhancements 🌱🔗

• The excessive-permissions audit is now aware of the artifact-metadata and models permissions (#1461)

• The cache-poisoning audit is now aware of the ramsey/composer-install action (#1489)

• The unpinned-images audit is now significantly more precise in the presence of matrix references, e.g. image: ${{ matrix.image }} (#1482)

Changes ⚠️🔗

• The default policy for the unpinned-uses audit has changed from allowing ref-pinning for first-party actions (those under actions/* and similar) to requiring hash-pinning. This makes the default policy more strict, as well as more consistent across the actions ecosystem.

  Users who with to retain the old (permissive policy) for first-party actions may configure it explicitly in their zizmor.yml:

zizmor.yml
rules:
unpinned-uses:
config:
policies:
actions/: ref-pin
github/: ref-pin
dependabot/*: ref-pin

Bug Fixes 🐛🔗

• The dependabot-cooldown audit no longer flags missing cooldowns on ecosystems that don't (yet) support cooldowns, such as opentofu (#1480)

• Fixed a false positive in the cache-poisoning audit where zizmor would treat empty strings (e.g. cache: '') as enabling rather than disabling caching (#1482)

• Fixed two gaps in the use-trusted-publishing audit's detection of common yarn publishing commands (#1495)

Miscellaneous 🛠🔗

• zizmor's configuration now has an official JSON schema that will be available via SchemaStore soon!

  Many thanks to @​kiwamizamurai for implementing this improvement!

Changelog

Sourced from zizmor's changelog.

1.20.0

Enhancements 🌱

• The [excessive-permissions] audit is now aware of the artifact-metadata and models permissions (#1461)

• The [cache-poisoning] audit is now aware of the @​ramsey/composer-install action (#1489)

• The [unpinned-images] audit is now significantly more precise in the presence of matrix references, e.g. image: ${{ matrix.image }} (#1482)

Changes ⚠️

• The default policy for the [unpinned-uses] audit has changed from allowing ref-pinning for first-party actions (those under actions/* and similar) to requiring hash-pinning. This makes the default policy more strict, as well as more consistent across the actions ecosystem.

  Users who with to retain the old (permissive policy) for first-party actions may configure it explicitly in their zizmor.yml:

  rules:
    unpinned-uses:
      config:
        policies:
          actions/*: ref-pin
          github/*: ref-pin
          dependabot/*: ref-pin

Bug Fixes 🐛

• The [dependabot-cooldown] audit no longer flags missing cooldowns on ecosystems that don't (yet) support cooldowns, such as opentofu (#1480)

• Fixed a false positive in the [cache-poisoning] audit where zizmor would treat empty strings (e.g. cache: '') as enabling rather than disabling caching (#1482)

• Fixed two gaps in the [use-trusted-publishing] audit's detection of common yarn publishing commands (#1495)

Miscellaneous 🛠

• zizmor's configuration now has an official JSON schema that is available via SchemaStore!

... (truncated)

Commits

• 2780ee5 zizmor 1.20.0 (#1506)
• d508548 github-actions-models 0.43.0 (#1505)
• 6e766ea github-actions-expressions 0.0.12 (#1504)
• 43b1c3a yamlpatch 0.9.0 (#1503)
• 9a27026 yamlpath 0.32.0 (#1502)
• 2828132 [BOT] update JSON schemas from SchemaStore (#1499)
• 204783b chore(deps): bump the cargo group with 3 updates (#1500)
• bead484 docs: bump trophies (#1497)
• 7f0ad71 feat: handle matrix expressions in container image clauses (#1482)
• 2d3fa2f docs: bump trophies (#1496)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)