Bump zizmor from 1.23.1 to 1.24.1 in /.github/workflows

[dependabot]

Bumps zizmor from 1.23.1 to 1.24.1.

Release notes

Sourced from zizmor's releases.

v1.24.1

Bug Fixes 🐛🔗

• Fixed a bug where the ref-version-mismatch audit would incorrectly flag some version comments as not containing an appropriate version (#1900)

v1.24.0

New Features 🌈🔗

• zizmor now allows users to audit from stdin, by passing zizmor - (#1611)

Enhancements 🌱🔗

• The use-trusted-publishing audit now detects bun publish and bunx npm publish patterns (#1737)

  Many thanks to @​shaanmajid for proposing and implementing this improvement!

• zizmor's CLI help and usage output now uses a custom color scheme for improved readability (#1747)

• The secrets-outside-env audit is now configurable with an allowlist of secret names that should not be flagged, even when referenced outside of an environment (#1759)

  Many thanks to @​rmuir for proposing and implementing this improvement!

• The dependabot-cooldown audit now emits a pedantic finding whenever it encounters a cooldown used with a multi-ecosystem-group, as the two do not interact well (#1780)

• Recommend gh release upload as a replacement for svenstaro/upload-release-action in superfluous-actions (#1801)

• Recommend gh issue create as a replacement for dacbd/create-issue-action in superfluous-actions (#1873)

• The obfuscation audit now emits a finding for with: ${{ expr }} clauses cannot be analyzed (#1772)

• zizmor --help is now rendered with option groups for improved readability (#1831)

  Many thanks to @​deckstose for implementing this improvement!

• zizmor's SARIF output now uses codeflows instead of related locations, improving its rendering behavior on GitHub Advanced Security (#1843)

• The ref-version-mismatch audit now uses a more useful audit description for its findings (#1843)

• The unpinned-images audit now produces more precise findings for image references that are computed through expressions (#1756)

  Many thanks to @​miketheman for implementing this improvement!

• The ref-version-mismatch audit now detects missing version comments as well (#1849)

  Many thanks to @​shaanmajid for proposing and implementing this improvement!

Bug Fixes 🐛🔗

• Fixed a bug where the concurrency-limits audit reported findings at the job level instead of the workflow level (#1627)

... (truncated)

Changelog

Sourced from zizmor's changelog.

1.24.1

Bug Fixes 🐛

• Fixed a bug where the [ref-version-mismatch] audit would incorrectly flag some version comments as not containing an appropriate version (#1900)

1.24.0

New Features 🌈

• zizmor now allows users to audit from stdin, by passing zizmor - (#1611)

Enhancements 🌱

• The [use-trusted-publishing] audit now detects bun publish and bunx npm publish patterns (#1737)

  Many thanks to @​shaanmajid for proposing and implementing this improvement!

• zizmor's CLI help and usage output now uses a custom color scheme for improved readability (#1747)

• The [secrets-outside-env] audit is now configurable with an allowlist of secret names that should not be flagged, even when referenced outside of an environment (#1759)

  Many thanks to @​rmuir for proposing and implementing this improvement!

• The [dependabot-cooldown] audit now emits a pedantic finding whenever it encounters a cooldown used with a multi-ecosystem-group, as the two do not interact well (#1780)

• Recommend gh release upload as a replacement for @​svenstaro/upload-release-action in [superfluous-actions] (#1801)

• Recommend gh issue create as a replacement for @​dacbd/create-issue-action in [superfluous-actions] (#1873)

• The [obfuscation] audit now emits a finding for with: ${{ expr }} clauses cannot be analyzed (#1772)

• zizmor --help is now rendered with option groups for improved readability (#1831)

  Many thanks to @​deckstose for implementing this improvement!

• zizmor's SARIF output now uses codeflows instead of related locations, improving its rendering behavior on GitHub Advanced Security (#1843)

• The [ref-version-mismatch] audit now uses a more useful audit description

... (truncated)

Commits

• 2eaf42b ref-version-mismatch: handle version comments without v prefix (#1900)
• a3b72b8 chore(deps): bump the github-actions group with 3 updates (#1897)
• d5aba60 zizmor v1.24.0 (#1890)
• 1e762ac zizmor v1.24.0-rc3 (#1889)
• b79c9dc Fix release CI (#1888)
• eb113ad Unify crate versions and publishing (#1887)
• 91bcb96 Use the GitHub client's host correctly in two more places (#1881)
• 3ed8316 chore: use tracing for printing the welcome message (#1886)
• 484aced feat(ref-version-mismatch): detect missing version comments on SHA-pinned act...
• 7ee374f KATs for GitHub Actions expressions (#1857)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)