
build(deps): bump the test-and-lint-dependencies group with 2 updates #991


Merged
merged 1 commit into from
Apr 22, 2025

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Apr 21, 2025

Bumps the test-and-lint-dependencies group with 2 updates: ruff and zizmor.

Updates ruff from 0.11.5 to 0.11.6

Release notes

Sourced from ruff's releases.

0.11.6

Release Notes

Preview features

  • Avoid adding whitespace to the end of a docstring after an escaped quote (#17216)
  • [airflow] Extract AIR311 from AIR301 rules (AIR301, AIR311) (#17310, #17422)

Bug fixes

  • Raise syntax error when \ is at end of file (#17409)

Contributors

Install ruff 0.11.6

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/astral-sh/ruff/releases/download/0.11.6/ruff-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/astral-sh/ruff/releases/download/0.11.6/ruff-installer.ps1 | iex"

Download ruff 0.11.6

File Platform Checksum

... (truncated)

Changelog

Sourced from ruff's changelog.

0.11.6

Preview features

  • Avoid adding whitespace to the end of a docstring after an escaped quote (#17216)
  • [airflow] Extract AIR311 from AIR301 rules (AIR301, AIR311) (#17310, #17422)

Bug fixes

  • Raise syntax error when \ is at end of file (#17409)

Commits

Updates zizmor from 1.5.2 to 1.6.0

Release notes

Sourced from zizmor's releases.

v1.6.0

See https://woodruffw.github.io/zizmor/release-notes/#v160 for full release notes.

Changelog

Sourced from zizmor's changelog.

v1.6.0

New Features 🌈

  • New audit: The [forbidden-uses] audit is a configurable audit that allows allow- or denylisting of entire orgs, repos, or specific action patterns. This audit must be configured; by default it has no effect (#664)

    Many thanks to @Holzhaus for proposing and initiating this new audit!

  • zizmor now supports --format=github as an output format. This format produces check annotations via GitHub workflow commands, e.g. ::warning and ::error. See the Output formats documentation for more information on annotations, including key limitations (#634)

  • The [unpinned-uses] audit has been completely rewritten, with two key changes:

    • The audit now has configurable policies that give users more control over the audit's behavior. In particular, users can now define policies that mirror their actual threat model, such as trusting their own GitHub organizations while leaving others untrusted.
    • The audit's default policy is more precise and conservative: official GitHub actions (e.g. those under actions/* and similar) are allowed to be pinned by branch or tag, but all other actions are required to be pinned by SHA. This is a change from the previous policy, which was to only flag completely unpinned actions by default.

    Many thanks to @Holzhaus for motivating this change! (#663, #574)

Improvements 🌱

  • The SARIF output format now marks each rule as a "security" rule, which helps GitHub's presentation of the results (#631)
  • The [template-injection] audit now performs dataflow analysis to determine whether contexts actually expand in an unsafe manner, making it significantly more accurate (#640)
  • The [cache-poisoning] audit is now aware of @jdx/mise-action (#645)
  • The [cache-poisoning] audit is now significantly more accurate when analyzing workflows that use @docker/setup-buildx-action (#644)
  • --format=json is now an alias for --format=json-v1, enabling future JSON formats. The policy for the --format=json alias is documented under Output formats - JSON (#657)
  • Configuration file loading is now stricter, and produces a more useful error message when the configuration file is invalid (#663)

Bug Fixes 🐛

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
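The zizmor 1.6.0 notes above describe the new default `unpinned-uses` policy: official `actions/*` actions may be pinned by tag or branch, every other action must be pinned by full commit SHA, and users can extend the trusted set with their own organizations. The following is an added illustration of that policy as a small checker over `uses:` lines; it is not zizmor's own code, and the sample workflow, the placeholder SHA and the `DEFAULT_TRUSTED_OWNERS` name are constructed for the example.

```python
import re

# Constructed sample workflow, not from any real repository. The 40-hex SHA is a
# placeholder value, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@main
      - uses: jdx/mise-action@v2
      - uses: docker/setup-buildx-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-helper
      - uses: someorg/some-action
"""

SHA_RE = re.compile(r"[0-9a-f]{40}")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")

# Owners allowed to pin by tag or branch. "actions" mirrors the default policy in
# the changelog; a user would add their own organizations here (assumed shape).
DEFAULT_TRUSTED_OWNERS = frozenset({"actions"})

def check_uses(ref, trusted_owners=DEFAULT_TRUSTED_OWNERS):
    """Return a finding string for one `uses:` value, or None if it passes."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None  # local and docker:// references are out of scope here
    if "@" not in ref:
        return f"{ref}: completely unpinned"
    target, _, version = ref.rpartition("@")
    if SHA_RE.fullmatch(version):
        return None  # a full commit SHA is always acceptable
    owner = target.split("/", 1)[0]
    if owner in trusted_owners:
        return None  # a trusted owner may pin by tag or branch
    return f"{ref}: owner {owner!r} is untrusted, so it must be pinned by SHA"

def audit_workflow(text, trusted_owners=DEFAULT_TRUSTED_OWNERS):
    """Collect findings for every `uses:` line in a workflow file's text."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            finding = check_uses(m.group(1), trusted_owners)
            if finding:
                findings.append(finding)
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags the tag-pinned `jdx/mise-action` and the unpinned `someorg/some-action`; adding `"jdx"` to the trusted set clears the first, which is the "trust your own organizations" behaviour the notes describe.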

Bumps the test-and-lint-dependencies group with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [zizmor](https://github.com/woodruffw/zizmor).


Updates `ruff` from 0.11.5 to 0.11.6
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.11.5...0.11.6)

Updates `zizmor` from 1.5.2 to 1.6.0
- [Release notes](https://github.com/woodruffw/zizmor/releases)
- [Changelog](https://github.com/woodruffw/zizmor/blob/main/docs/release-notes.md)
- [Commits](woodruffw/zizmor@v1.5.2...v1.6.0)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.11.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
- dependency-name: zizmor
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 21, 2025
@jku jku merged commit 9cc1108 into main Apr 22, 2025
20 checks passed
@dependabot dependabot bot deleted the dependabot/pip/test-and-lint-dependencies-b11e8444e9 branch April 22, 2025 08:01