build(deps): bump the test-and-lint-dependencies group with 2 updates

[dependabot]

Bumps the test-and-lint-dependencies group with 2 updates: ruff and zizmor.

Updates ruff from 0.11.8 to 0.11.9

Release notes

Sourced from ruff's releases.

0.11.9

Release Notes

Preview features

• Default to latest supported Python version for version-related syntax errors (#17529)
• Implement deferred annotations for Python 3.14 (#17658)
• [airflow] Fix SQLTableCheckOperator typo (AIR302) (#17946)
• [airflow] Remove airflow.utils.dag_parsing_context.get_parsing_context (AIR301) (#17852)
• [airflow] Skip attribute check in try catch block (AIR301) (#17790)
• [flake8-bandit] Mark tuples of string literals as trusted input in S603 (#17801)
• [isort] Check full module path against project root(s) when categorizing first-party imports (#16565)
• [ruff] Add new rule in-empty-collection (RUF060) (#16480)

Bug fixes

• Fix missing combine call for lint.typing-extensions setting (#17823)
• [flake8-async] Fix module name in ASYNC110, ASYNC115, and ASYNC116 fixes (#17774)
• [pyupgrade] Add spaces between tokens as necessary to avoid syntax errors in UP018 autofix (#17648)
• [refurb] Fix false positive for float and complex numbers in FURB116 (#17661)
• [parser] Flag single unparenthesized generator expr with trailing comma in arguments. (#17893)

Documentation

• Add instructions on how to upgrade to a newer Rust version (#17928)
• Update code of conduct email address (#17875)
• Add fix safety sections to PLC2801, PLR1722, and RUF013 (#17825, #17826, #17759)
• Add link to check-typed-exception from S110 and S112 (#17786)

Other changes

• Allow passing a virtual environment to ruff analyze graph (#17743)

Contributors

• @​AlexWaygood
• @​BurntSushi
• @​Gankra
• @​Glyphack
• @​InSyncWithFoo
• @​LaBatata101
• @​Lee-W
• @​MichaReiser
• @​VascoSch92
• @​abhijeetbodas2001
• @​carljm
• @​charliermarsh
• @​dcreager
• @​dhruvmanila
• @​dylwil3
• @​ercbot

... (truncated)

Changelog

Sourced from ruff's changelog.

0.11.9

Preview features

• Default to latest supported Python version for version-related syntax errors (#17529)
• Implement deferred annotations for Python 3.14 (#17658)
• [airflow] Fix SQLTableCheckOperator typo (AIR302) (#17946)
• [airflow] Remove airflow.utils.dag_parsing_context.get_parsing_context (AIR301) (#17852)
• [airflow] Skip attribute check in try catch block (AIR301) (#17790)
• [flake8-bandit] Mark tuples of string literals as trusted input in S603 (#17801)
• [isort] Check full module path against project root(s) when categorizing first-party imports (#16565)
• [ruff] Add new rule in-empty-collection (RUF060) (#16480)

Bug fixes

• Fix missing combine call for lint.typing-extensions setting (#17823)
• [flake8-async] Fix module name in ASYNC110, ASYNC115, and ASYNC116 fixes (#17774)
• [pyupgrade] Add spaces between tokens as necessary to avoid syntax errors in UP018 autofix (#17648)
• [refurb] Fix false positive for float and complex numbers in FURB116 (#17661)
• [parser] Flag single unparenthesized generator expr with trailing comma in arguments. (#17893)

Documentation

• Add instructions on how to upgrade to a newer Rust version (#17928)
• Update code of conduct email address (#17875)
• Add fix safety sections to PLC2801, PLR1722, and RUF013 (#17825, #17826, #17759)
• Add link to check-typed-exception from S110 and S112 (#17786)

Other changes

• Allow passing a virtual environment to ruff analyze graph (#17743)

Commits

• 2370297 Bump 0.11.9 (#17986)
• a137cb1 [ty] Display "All checks passed!" message in green (#17982)
• 03a4d56 [ty] Change range of revealed-type diagnostic to be the range of the argume...
• 642eac4 [ty] Recursive protocols (#17929)
• c1b8757 [ty] CLI reference (#17978)
• 6cd8a49 [ty] Update salsa (#17964)
• 12ce445 [ty] Document configuration schema (#17950)
• f46ed8d [ty] Add --config CLI arg (#17697)
• 6c177e2 [ty] primer updates (#17903)
• 3d2485e [ty] fix more ecosystem/fuzzer panics with fixpoint (#17758)
• Additional commits viewable in compare view

Updates zizmor from 1.6.0 to 1.7.0

Release notes

Sourced from zizmor's releases.

v1.7.0

See https://docs.zizmor.sh/release-notes/#v170 for full release notes.

Changelog

Sourced from zizmor's changelog.

v1.7.0

This release comes with four new audits: [obfuscation], [stale-action-refs], [unsound-contains], and [unpinned-images]. It also includes several improvements to existing audits and zizmor's output formats and error reporting behavior.

Additionally, this release comes with bugfixes for the SARIF output format as well as input collection in some edge cases when collecting from remote repositories.

New Features 🌈

• New audit: The [obfuscation] audit detects obfuscatory patterns in GitHub Actions usages. These patterns are not themselves dangerous, but may indicate an attempt to obscure malicious behavior (#683)

• New audit: The [stale-action-refs] pedantic audit detects pinned action references which don't point to a Git tag (#713)

  Many thanks to @​Marcono1234 for proposing and implementing this audit!

• New audit: The [unsound-contains] audit detects uses of the contains() function that can be bypassed (#577)

  Many thanks to @​Holzhaus for proposing and implementing this audit!

• New audit: The [unpinned-images] audit detects uses of Docker images that are unpinned or pinned to :latest (#733)

  Many thanks to @​trumant for proposing and implementing this audit!

• zizmor now reports much clearer error messages when auditing fails due to an invalid workflow or action definition (#719)

  Many thanks to @​reandreev for implementing these improvements!

• zizmor now has a --strict-collection flag that turns skipped workflow or action definition warnings into errors. Passing this flag changes zizmor's behavior back to the default in v1.6.0 and earlier, which was to terminate the audit if any collected input could not be parsed (#734)

• The [forbidden-uses] audit can now be configured with patterns that match exact uses: clauses, including refs. For example, exactly actions/checkout@v4 can now be explicitly allowed or forbidden, rather than every ref that matches actions/checkout (#750)

• zizmor now has a --completions=<shell> flag that generates shell completion scripts (#765)

... (truncated)

Commits

• beba489 chore: prep for v1.7.0 release (#768)
• a542e7d chore(docs): update release notes (#767)
• a284f58 feat: tab completion (#765)
• d957f6e chore(docs): bump trophies (#763)
• 5a02ad2 chore(docs): bump trophies (#761)
• 50c3d5a chore(docs): bump trophies (#760)
• d151afc chore(docs): mention @​zizmorecore plans (#759)
• ebd5391 chore(docs): add Discord badge to README and docs (#757)
• e63b729 chore: cleanup (#753)
• f420fa1 refactor: remove old repo matching APIs (#752)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[coveralls]

coverage: 97.064%. remained the same
when pulling f5b2acf on dependabot/pip/test-and-lint-dependencies-7682f5adcf
into b0aa482 on develop.