Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(deps): bump the dependencies group with 2 updates #2805

Merged
merged 1 commit into from
Mar 4, 2025
Merged

build(deps): bump the dependencies group with 2 updates #2805

merged 1 commit into from
Mar 4, 2025
+2 −2

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 3, 2025
edited
Loading

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

Bumps the dependencies group with 2 updates: cryptography and zizmor.

Updates cryptography from 44.0.1 to 44.0.2

Changelog

Sourced from cryptography's changelog.

44.0.2 - 2025-03-01


* We now build wheels for PyPy 3.11.

.. _v44-0-1:

Commits

Updates zizmor from 1.3.1 to 1.4.1

Release notes

Sourced from zizmor's releases.

v1.4.1

This is a small corrective release for v1.4.0.

Bug Fixes 🐛🔗

  • Findings produced by (unredacted-secrets) now use the correct ID and link to the correct URL in the audit documentation (#566)

v1.4.0

This release comes with one new audit (unredacted-secrets), plus a handful of bugfixes and analysis improvements to existing audits. It also comes with improvements to SARIF presentation, ignore comments, as well as an official Docker image!

New Features 🌈🔗

Improvements 🌱🔗

  • SARIF outputs are now slightly more aligned with GitHub Code Scanning expectations (#528)
  • # zizmor: ignore[rule] comments can now have trailing explanations, e.g. # zizmor: ignore[rule] because reasons (#531)
  • The bot-conditions audit now detects github.triggering_actor as another spoofable actor check (#559)

Bug Fixes 🐛🔗

  • Fixed a bug where zizmor would fail to parse workflows with workflow_dispatch triggers that contained non-string inputs (#563)

Upcoming Changes 🚧🔗

  • The next minor release of zizmor will be built with Rust 2024. This should have no effect on most users, but may require users who build zizmor from source to update their Rust toolchain.
Changelog

Sourced from zizmor's changelog.

v1.4.1

This is a small corrective release for v1.4.0.

Bug Fixes 🐛

  • Findings produced by ([unredacted-secrets]) now use the correct ID and link to the correct URL in the audit documentation (#566)

v1.4.0

This release comes with one new audit ([unredacted-secrets]), plus a handful of bugfixes and analysis improvements to existing audits. It also comes with improvements to SARIF presentation, ignore comments, as well as an official Docker image!

New Features 🌈

  • zizmor now has official Docker images! You can find them on the GitHub Container Registry under ghcr.io/woodruffw/zizmor (#532)
  • New audit: [unredacted-secrets] detects secret accesses that are not redacted in logs (#549)

Improvements 🌱

  • SARIF outputs are now slightly more aligned with GitHub Code Scanning expectations (#528)
  • # zizmor: ignore[rule] comments can now have trailing explanations, e.g. # zizmor: ignore[rule] because reasons (#531)
  • The [bot-conditions] audit now detects github.triggering_actor as another spoofable actor check (#559)

Bug Fixes 🐛

  • Fixed a bug where zizmor would fail to parse workflows with workflow_dispatch triggers that contained non-string inputs (#563)

Upcoming Changes 🚧

  • The next minor release of zizmor will be built with Rust 2024. This should have no effect on most users, but may require users who build zizmor from source to update their Rust toolchain.
Commits
  • 7c7e415 chore: prep 1.4.1 release (#568)
  • be5d9e8 docker: use ZIZMOR_VERSION correctly (#567)
  • 75035f7 bugfix: fix audit id for unredacted secrets audit (#566)
  • ff55188 chore: prep for 1.4.0 release (#565)
  • 6363412 bugfix: bump github-actions-models to 0.26.0 (#563)
  • 6928433 chore(deps): bump the github-actions group with 5 updates (#561)
  • 8543192 chore(deps): bump the cargo group with 8 updates (#560)
  • 02d4bac feat: bot-conditions: check github.triggering_actor (#559)
  • 976879f docs: fix release notes for Rust 2024 (#557)
  • 92f27a8 Revert "chore: cargo: actually bump the edition (#553)" (#554)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps): bump the dependencies group with 2 updates

Verified

This commit was signed with the committer’s verified signature.
primeos Michael Weiss
GPG key ID: 5BE487C4D4771D83
Verified
Learn about vigilant mode
Loading
Loading status checks…
699c3ee 
Bumps the dependencies group with 2 updates: [cryptography](https://github.com/pyca/cryptography) and [zizmor](https://github.com/woodruffw/zizmor).


Updates `cryptography` from 44.0.1 to 44.0.2
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@44.0.1...44.0.2)

Updates `zizmor` from 1.3.1 to 1.4.1
- [Release notes](https://github.com/woodruffw/zizmor/releases)
- [Changelog](https://github.com/woodruffw/zizmor/blob/main/docs/release-notes.md)
- [Commits](woodruffw/zizmor@v1.3.1...v1.4.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: zizmor
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from a team as a code owner March 3, 2025 21:48
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Mar 3, 2025
@jku jku merged commit 8df9f0f into develop Mar 4, 2025
17 checks passed
@dependabot dependabot bot deleted the dependabot/pip/dependencies-14d9fac859 branch March 4, 2025 07:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jku jku

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file python Pull requests that update Python code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@jku