chore(deps-dev): Bump zizmor from 1.24.1 to 1.25.0

[dependabot]

Bumps zizmor from 1.24.1 to 1.25.0.

Release notes

Sourced from zizmor's releases.

v1.25.0

New Features 🌈🔗

• zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913)

  Many thanks to @​Proximyst for proposing and implementing this improvement!

• New audit: github-app detects dangerous usages of GitHub App installation tokens (#1926)

• New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (#1820)

• zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)

• zizmor's LSP now honors the --persona flag on the CLI (#1943)

• zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)

Enhancements🔗

• Recommend gh issue edit --add-label / gh pr edit --add-label as a replacement for actions-ecosystem/action-add-labels in superfluous-actions

• Recommend gh issue edit --remove-label / gh pr edit --remove-label as a replacement for actions-ecosystem/action-remove-labels in superfluous-actions

• Recommend jq as a replacement for sergeysova/jq-action in superfluous-actions

• Recommend git add, git commit, and git push as a replacement for stefanzweifel/git-auto-commit-action in superfluous-actions

• Recommend git add, git commit, and git push as a replacement for EndBug/add-and-commit in superfluous-actions

• tibdex/github-app-token is now recognized as an archived action by archived-uses (#1910)

• The [dangerous-triggers] audit now explicitly exempts workflows that only invoke actions/labeler (#1956)

• The unpinned-images audit now detects unpinned image references in Docker-based action definitions (#1965)

• zizmor's SARIF output now provides slightly more detailed finding messages (#1972)

• The archived-uses audit now detects more archived actions (#1978)

• deno is now recognized as a package-ecosystem in dependabot.yml (#1991)

Performance Improvements 🚄🔗

• The impostor-commit audit is now significantly faster (in addition to being more correct) when the user has pinned their action to a tag SHA instead of a commit SHA (#1998) Bug Fixes 🐛🔗

• Fixed a crash in the template-injection audit when a workflow uses a parenthesized compound expression in context position (#1904)

• Fixed a bug where local directory input collection could miss workflows for relative-path invocations from within .github subdirectories (#1909)

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.25.0

New Features 🌈

• zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#1913)

  Many thanks to @​Proximyst for proposing and implementing this improvement!

• New audit: [github-app] detects dangerous usages of GitHub App installation tokens (#1926)

• New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (#1820)

• zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#1935)

• zizmor's LSP now honors the --persona flag on the CLI (#1943)

• zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#1965)

Enhancements

• Recommend gh issue edit --add-label / gh pr edit --add-label as a replacement for @​actions-ecosystem/action-add-labels in [superfluous-actions]

• Recommend gh issue edit --remove-label / gh pr edit --remove-label as a replacement for @​actions-ecosystem/action-remove-labels in [superfluous-actions]

• Recommend jq as a replacement for @​sergeysova/jq-action in [superfluous-actions]

• Recommend git add, git commit, and git push as a replacement for @​stefanzweifel/git-auto-commit-action in [superfluous-actions]

• Recommend git add, git commit, and git push as a replacement for @​EndBug/add-and-commit in [superfluous-actions]

• @​tibdex/github-app-token is now recognized as an archived action by [archived-uses] (#1910)

• The [dangerous-triggers] audit now explicitly exempts workflows that only invoke @​actions/labeler (#1956)

• The [unpinned-images] audit now detects unpinned image references in Docker-based action definitions (#1965)

• zizmor's SARIF output now provides slightly more detailed finding messages (#1972)

... (truncated)

Commits

• ee07597 Prep zizmor 1.25.0 (#2001)
• 77e92cf Bump trophies (#1999)
• bf0362d Add some gatekeeping that instructs agents to refer their operator to the AI ...
• 5594c39 impostor-commit: handle tag SHAs properly (#1998)
• 205979a chore(deps): bump the cargo group with 3 updates (#1987)
• bcafe88 chore(deps): bump the github-actions group with 2 updates (#1988)
• 6690c00 [BOT] update JSON schemas from SchemaStore (#1986)
• 3b3b29a Add deno as a known Dependabot ecosystem (#1991)
• ef54d44 Bump sponsors (#1990)
• fd14ab6 Make trophy handling less cumbersome (#1982)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)