Bump zizmor from 1.16.1 to 1.18.0 in /.github/workflows

[dependabot]

Bumps zizmor from 1.16.1 to 1.18.0.

Release notes

Sourced from zizmor's releases.

v1.18.0

Enhancements 🌱🔗

• The use-trusted-publishing audit now detects NuGet publishing commands (#1369)

• The dependabot-cooldown audit now flags cooldown periods of less than 7 days by default (#1375)

• The dependabot-cooldown audit can now be configured with a custom minimum cooldown period via rules.dependabot-cooldown.config.days (#1377)

• zizmor now produces slightly more useful error messages when the user supplies an invalid configuration for the forbidden-uses audit (#1381)

Bug Fixes 🐛🔗

• Fixed additional edge cases where auto-fixed would fail to preserve a document's final newline (#1372)

v1.18.0-rc3

No release notes provided.

v1.18.0-rc2

No release notes provided.

v1.18.0-rc1

No release notes provided.

v1.17.0

Enhancements 🌱🔗

• zizmor now produces a more useful error message when asked to collect only workflows from a remote input that contains no workflows (#1324)

• zizmor now produces more precise severities on actions/checkout versions that have more misuse-resistant credentials persistence behavior (#1353)

  Many thanks to @​ManuelLerchnerQC for proposing and implementing this improvement!

• The use-trusted-publishing audit now correctly detecting more "dry-run" patterns, making it significantly more accurate (#1357)

• The obfuscation audit now detects usages of shell: cmd and similar, as the Windows CMD shell lacks a formal grammar and limits analysis of run: blocks in other audits (#1361)

Performance Improvements 🚄🔗

• zizmor's core has been refactored to be asynchronous, making online and I/O-heavy audits significantly faster. Typical user workloads should see speedups of 40% to 70% (#1314)

Bug Fixes 🐛🔗

• Fixed a bug where auto-fixes would fail to preserve a document's final newline (#1323)

• zizmor now uses the native (OS) TLS roots when performing HTTPS requests, improving compatibility with user environments that perform TLS interception (#1328)

• The github-env audit now falls back to assuming bash-like shell syntax in run: blocks if it can't infer the shell being used (#1336)

• The concurrency-limits audit now correctly detects job-level concurrency settings, in addition to workflow-level settings (#1338)

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.18.0

Enhancements 🌱

• The [use-trusted-publishing] audit now detects NuGet publishing commands (#1369)

• The [dependabot-cooldown] audit now flags cooldown periods of less than 7 days by default (#1375)

• The [dependabot-cooldown] audit can now be configured with a custom minimum cooldown period via rules.dependabot-cooldown.config.days (#1377)

• zizmor now produces slightly more useful error messages when the user supplies an invalid configuration for the [forbidden-uses] audit (#1381)

Bug Fixes 🐛

• Fixed additional edge cases where auto-fixed would fail to preserve a document's final newline (#1372)

1.17.0

Enhancements 🌱

• zizmor now produces a more useful error message when asked to collect only workflows from a remote input that contains no workflows (#1324)

• zizmor now produces more precise severities on @​actions/checkout versions that have more misuse-resistant credentials persistence behavior (#1353)

  Many thanks to @​ManuelLerchnerQC for proposing and implementing this improvement!

• The [use-trusted-publishing] audit now correctly detecting more "dry-run" patterns, making it significantly more accurate (#1357)

• The [obfuscation] audit now detects usages of #!yaml shell: cmd and similar, as the Windows CMD shell lacks a formal grammar and limits analysis of #!yaml run: blocks in other audits (#1361)

Performance Improvements 🚄

• zizmor's core has been refactored to be asynchronous, making online and I/O-heavy audits significantly faster. Typical user workloads should see speedups of 40% to 70% (#1314)

Bug Fixes 🐛

• Fixed a bug where auto-fixes would fail to preserve a document's final

... (truncated)

Commits

• f203b45 chore: prep for 1.18.0 (#1390)
• aed6f8c Update README (#1389)
• 6323373 chore: attempt to fix sdist metadata, prep another RC (#1388)
• 5f5f1fa chore: prep 1.18.0-rc2 release (#1387)
• ea64e40 chore: prep 1.18.0-rc1 release (#1386)
• 545d63a chore: bump yamlpatch to 0.7.0 (#1385)
• c393ca8 chore: bump yamlpath to 0.29.0 (#1384)
• e52043c ci: add PEP 740 attestations to PyPI release workflow (#1383)
• 097dd5d tests: remove a duped config test (#1382)
• d182743 feat: improve forbidden-uses error message on invalid config (#1381)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #162.