
chore(deps): update python #1824

Open
renovate[bot] wants to merge 1 commit into main from renovate/python

Conversation

@renovate renovate bot commented Dec 1, 2025

This PR contains the following updates:

Package | Change
yamllint | ==1.37.1 → ==1.38.0
zizmor (source) | ==1.18.0 → ==1.22.0

Release Notes

adrienverge/yamllint (yamllint)

v1.38.0

  • Add support for Python 3.14, drop support for Python 3.9
  • Require pathspec ≥ 1.0.0
  • Config: Follow gitignore implementation in yaml-files and ignore
  • Config: Use "mapping" instead of "dict" for user-facing errors
  • Rule indentation: Fix error message for check-multi-line-strings
  • Rule quoted-strings: Add quote-type: consistent
  • Docs: Update the name of BSD ports
  • Docs: Enhance wording of recursive directory lint in README
  • Docs: Add Alpine Linux installation instructions in README
zizmorcore/zizmor (zizmor)

v1.22.0

Changes ⚠️

  • The misfeature audit now only shows non-"well known" shell: findings when running with the "auditor" persona (#1532)

Bug Fixes 🐛

  • Fixed a bug where inputs containing CRLF line endings were not patched correctly by the unpinned-uses audit (#1536)

v1.21.0

New Features 🌈

  • New audit: misfeature detects usage of GitHub Actions features that are considered "misfeatures." (#1517)

Enhancements 🌱

  • zizmor now uses exit code 3 to signal an audit that has failed because no input files were collected. See the exit code documentation for details (#1515)

  • The unpinned-uses audit now supports auto-fixes for many findings (#1525)

Changes ⚠️

  • The obfuscation audit no longer flags shell: cmd. That check has been moved to the new misfeature audit. Users may need to update their ignore comments and/or configuration (#1517)

Bug Fixes 🐛

v1.20.0

Enhancements 🌱

Changes ⚠️

  • The default policy for the unpinned-uses audit has changed from allowing ref-pinning for first-party actions (those under actions/* and similar) to requiring hash-pinning. This makes the default policy more strict, as well as more consistent across the actions ecosystem.

    Users who wish to retain the old (permissive) policy for first-party actions may configure it explicitly in their zizmor.yml:

zizmor.yml

rules:
  unpinned-uses:
    config:
      policies:
        actions/*: ref-pin
        github/*: ref-pin
        dependabot/*: ref-pin

Bug Fixes 🐛

  • The dependabot-cooldown audit no longer flags missing cooldowns on ecosystems that don't (yet) support cooldowns, such as opentofu (#1480)

  • Fixed a false positive in the cache-poisoning audit where zizmor would treat empty strings (e.g. cache: '') as enabling rather than disabling caching (#1482)

  • Fixed two gaps in the use-trusted-publishing audit's detection of common yarn publishing commands (#1495)

Miscellaneous 🛠

  • zizmor's configuration now has an official JSON schema that will be available via SchemaStore soon!

    Many thanks to @kiwamizamurai for implementing this improvement!

v1.19.0

New Features 🌈

Enhancements 🌱

  • The use-trusted-publishing audit now detects additional publishing command patterns, including common "wrapped" patterns like bundle exec gem publish (#1394)

  • zizmor now produces better error messages on a handful of error cases involving invalid input files. Specifically, a subset of syntax and schema errors now produce more detailed and actionable error messages (#1396)

  • The use-trusted-publishing audit now detects additional publishing command patterns, including uv run ..., uvx ..., and poetry publish (#1402)

  • zizmor now produces more useful and less ambiguous spans for many findings, particularly those from the anonymous-definition audit (#1416)

  • zizmor now discovers configuration files named zizmor.yaml, in addition to zizmor.yml (#1431)

  • zizmor now produces a more useful error message when input collection yields no inputs (#1439)

  • The --render-links flag now allows users to control zizmor's OSC 8 terminal link rendering behavior. This is particularly useful in environments that advertise themselves as terminals but fail to correctly render or ignore OSC 8 links (#1454)

Performance Improvements 🚄

  • The impostor-commit audit is now significantly faster on true positives, making true positive detection virtually as fast as true negative detection. In practice, true positive runs are over 100 times faster than before (#1429)

Bug Fixes 🐛

  • Fixed a bug where the obfuscation audit would crash if it encountered a CMD shell that was defined outside of the current step block (i.e. as a job or workflow default) (#1418)

  • Fixed a bug where the opentofu ecosystem was not recognized in Dependabot configuration files (#1452)

  • --color=always no longer implies --render-links=always, as some environments (like GitHub Actions) support ANSI color codes but fail to handle OSC escapes gracefully (#1454)


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.
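The zizmor v1.20.0 note above describes the policy model behind the unpinned-uses audit: a default that requires hash-pinning for every action, with per-pattern overrides such as actions/*: ref-pin in zizmor.yml. The following is an added illustration of that model written for this page; it is not zizmor's code and does not reproduce zizmor's parser or output. It applies the same classification to a constructed workflow. The workflow text, the function names classify, required_policy and audit, and the "longest matching pattern wins" tie-break are assumptions of this example; the two policy names hash-pin and ref-pin are the ones that appear in the zizmor.yml shown above.

```python
from __future__ import annotations

import re
from fnmatch import fnmatch

# Constructed sample workflow for this example (not taken from the PR or from zizmor).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v5.0.0
      - uses: octo-org/some-action@main
      - uses: octo-org/other-action
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
      - run: echo hello
"""

# The permissive first-party policy from the release note, as a Python dict.
PERMISSIVE_POLICIES = {
    "actions/*": "ref-pin",
    "github/*": "ref-pin",
    "dependabot/*": "ref-pin",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<uses>\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full git commit SHA


def classify(uses: str) -> str:
    """Classify a `uses:` value as hash-pin, ref-pin, unpinned, or skip.

    Local actions (./...) and docker:// images are outside this example's scope.
    """
    if uses.startswith("./") or uses.startswith("docker://"):
        return "skip"
    if "@" not in uses:
        return "unpinned"
    _, ref = uses.rsplit("@", 1)
    return "hash-pin" if SHA_RE.match(ref) else "ref-pin"


def required_policy(uses: str, policies: dict[str, str]) -> str:
    """Pick the policy for an action: longest matching glob wins (an assumption
    of this example); with no match, the default is hash-pin, as in v1.20.0."""
    name = uses.split("@", 1)[0]
    best: tuple[str, str] | None = None
    for pattern, policy in policies.items():
        if fnmatch(name, pattern) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, policy)
    return best[1] if best else "hash-pin"


def audit(workflow: str, policies: dict[str, str] | None = None) -> list[tuple[int, str, str]]:
    """Return (line number, uses value, reason) for every step that violates policy."""
    policies = policies or {}
    findings: list[tuple[int, str, str]] = []
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group("uses")
        kind = classify(uses)
        if kind == "skip":
            continue
        want = required_policy(uses, policies)
        if kind == "unpinned":
            findings.append((lineno, uses, "no ref at all"))
        elif want == "hash-pin" and kind != "hash-pin":
            findings.append((lineno, uses, "ref-pinned but policy requires hash-pin"))
        # want == "ref-pin" accepts both a ref and a hash; nothing to report.
    return findings


if __name__ == "__main__":
    print("default (hash-pin everywhere):")
    for lineno, uses, reason in audit(SAMPLE_WORKFLOW):
        print(f"  line {lineno}: {uses}: {reason}")
    print("permissive first-party policy:")
    for lineno, uses, reason in audit(SAMPLE_WORKFLOW, PERMISSIVE_POLICIES):
        print(f"  line {lineno}: {uses}: {reason}")
```

Under the default policy the ref-pinned actions/checkout@v4 step is reported; under the permissive policy it is accepted while the third-party @main ref and the step with no ref at all are still reported, which is exactly the difference the release note asks users to opt into explicitly.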

@renovate renovate bot requested a review from ianlewis as a code owner December 1, 2025 01:13
codecov bot commented Dec 1, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.50%. Comparing base (0e03a9c) to head (3457491).

@@           Coverage Diff           @@
##             main    #1824   +/-   ##
=======================================
  Coverage   77.50%   77.50%           
=======================================
  Files          19       19           
  Lines        1209     1209           
=======================================
  Hits          937      937           
  Misses        176      176           
  Partials       96       96           

@renovate renovate bot force-pushed the renovate/python branch from f07098a to 054519a Compare December 19, 2025 00:31
@renovate renovate bot changed the title chore(deps): update dependency zizmor to v1.18.0 chore(deps): update dependency zizmor to v1.19.0 Dec 19, 2025
@renovate renovate bot force-pushed the renovate/python branch from 054519a to 5e6f3c1 Compare January 2, 2026 02:11
@renovate renovate bot force-pushed the renovate/python branch from 5e6f3c1 to 5f5f8b9 Compare January 20, 2026 05:37
@renovate renovate bot changed the title chore(deps): update dependency zizmor to v1.19.0 chore(deps): update dependency zizmor to v1.20.0 Jan 20, 2026
@renovate renovate bot force-pushed the renovate/python branch from 5f5f8b9 to 8201a6a Compare January 27, 2026 09:41
@renovate renovate bot changed the title chore(deps): update dependency zizmor to v1.20.0 chore(deps): update python Jan 27, 2026
@renovate renovate bot force-pushed the renovate/python branch 2 times, most recently from a73b85b to 75e8491 Compare January 31, 2026 09:52
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/python branch from 75e8491 to 3457491 Compare February 12, 2026 18:06