### Pre-submission checks

- I am not filing a feature request. These should be filed via the feature request form instead.
- I have checked the Troubleshooting Guide for my problem.
- I have looked through both the open and closed issues for a duplicate report.
### zizmor version

1.16.1

### Expected behavior

No error reported.

### Actual behavior
Zizmor errors out with the following message:

```
fatal: no audit was performed
ref-version-mismatch failed on file://test.yml

Caused by:
    mapping has no key `uses`
```
### Reproduction steps

Run zizmor on this workflow file:

```yaml
name: Test
on:
  push:
    branches:
      - main
jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - &checkout
        name: Checkout repository
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
  test2:
    name: Test2
    runs-on: ubuntu-latest
    steps:
      - *checkout
      - name: Test
        run: echo "Test"
```
### Logs

```
🌈 zizmor v1.16.1
DEBUG collect_inputs: zizmor::config: discovering config for local input `test.yml`
DEBUG collect_inputs: zizmor::config: attempting config discovery in `.`
DEBUG collect_inputs: zizmor::config: found `/home/daniel/git/test/.git`, stopping search
DEBUG collect_inputs: zizmor::registry::input: registering workflow input as with key file://test.yml
WARN audit: zizmor: one or more inputs contains YAML anchors; you may encounter crashes or unpredictable behavior
WARN audit: zizmor: for more information, see: https://docs.zizmor.sh/usage/#yaml-anchors
DEBUG audit: zizmor: running artipacked on file://test.yml
DEBUG audit: zizmor: running unsound-contains on file://test.yml
DEBUG audit: zizmor: running excessive-permissions on file://test.yml
DEBUG audit: zizmor: running dangerous-triggers on file://test.yml
DEBUG audit: zizmor: running impostor-commit on file://test.yml
DEBUG audit:audit{input=Workflow(file://test.yml)}:list_tags{owner="actions" repo="checkout"}: reqwest::connect: starting new connection: https://github.com/
DEBUG audit:audit{input=Workflow(file://test.yml)}:list_tags{owner="actions" repo="checkout"}: hyper_util::client::legacy::connect::http: connecting to 140.82.121.3:443
DEBUG audit:audit{input=Workflow(file://test.yml)}:list_tags{owner="actions" repo="checkout"}: hyper_util::client::legacy::connect::http: connected to 140.82.121.3:443
DEBUG hyper_util::client::legacy::pool: pooling idle connection for ("https", github.com)
DEBUG audit: zizmor: running ref-confusion on file://test.yml
DEBUG audit: zizmor: running use-trusted-publishing on file://test.yml
DEBUG audit: zizmor: running template-injection on file://test.yml
DEBUG audit: zizmor: running hardcoded-container-credentials on file://test.yml
DEBUG audit: zizmor: running self-hosted-runner on file://test.yml
DEBUG audit: zizmor: running known-vulnerable-actions on file://test.yml
DEBUG audit:audit{input=Workflow(file://test.yml)}:gha_advisories{owner="actions" repo="checkout" version="v5.0.0"}: zizmor::github: Request URL: https://api.github.com/advisories?ecosystem=actions&affects=actions%2Fcheckout%40v5.0.0
DEBUG audit:audit{input=Workflow(file://test.yml)}:gha_advisories{owner="actions" repo="checkout" version="v5.0.0"}: reqwest::connect: starting new connection: https://api.github.com/
DEBUG audit:audit{input=Workflow(file://test.yml)}:gha_advisories{owner="actions" repo="checkout" version="v5.0.0"}: hyper_util::client::legacy::connect::http: connecting to 140.82.121.5:443
DEBUG audit:audit{input=Workflow(file://test.yml)}:gha_advisories{owner="actions" repo="checkout" version="v5.0.0"}: hyper_util::client::legacy::connect::http: connected to 140.82.121.5:443
DEBUG audit:audit{input=Workflow(file://test.yml)}:gha_advisories{owner="actions" repo="checkout" version="v5.0.0"}: hyper_util::client::legacy::pool: pooling idle connection for ("https", api.github.com)
DEBUG audit:audit{input=Workflow(file://test.yml)}:gha_advisories{owner="actions" repo="checkout" version="v5.0.0"}: zizmor::github: Memory cache was Miss
DEBUG audit:audit{input=Workflow(file://test.yml)}:gha_advisories{owner="actions" repo="checkout" version="v5.0.0"}: zizmor::github: Request URL: https://api.github.com/advisories?ecosystem=actions&affects=actions%2Fcheckout%40v5.0.0
DEBUG audit:audit{input=Workflow(file://test.yml)}:gha_advisories{owner="actions" repo="checkout" version="v5.0.0"}: zizmor::github: File cache was Hit
DEBUG audit: zizmor: running unpinned-uses on file://test.yml
DEBUG audit: zizmor: running undocumented-permissions on file://test.yml
DEBUG audit: zizmor: running insecure-commands on file://test.yml
DEBUG audit: zizmor: running github-env on file://test.yml
DEBUG audit: zizmor: running cache-poisoning on file://test.yml
DEBUG audit: zizmor: running secrets-inherit on file://test.yml
DEBUG audit: zizmor: running bot-conditions on file://test.yml
DEBUG audit: zizmor: running overprovisioned-secrets on file://test.yml
DEBUG audit: zizmor: running unredacted-secrets on file://test.yml
DEBUG audit: zizmor: running forbidden-uses on file://test.yml
DEBUG audit: zizmor: running obfuscation on file://test.yml
DEBUG audit: zizmor: running stale-action-refs on file://test.yml
DEBUG audit: zizmor: running unpinned-images on file://test.yml
DEBUG audit: zizmor: running anonymous-definition on file://test.yml
DEBUG audit: zizmor: running unsound-condition on file://test.yml
DEBUG audit: zizmor: running ref-version-mismatch on file://test.yml
DEBUG audit:audit{input=Workflow(file://test.yml)}:commit_for_ref{owner="actions" repo="checkout" git_ref="v5.0.0"}: zizmor::github: Finding commit for reference v5.0.0
fatal: no audit was performed
ref-version-mismatch failed on file://test.yml

Caused by:
    mapping has no key `uses`
```
### Additional context
This is just a minimal reproduction test case that I devised while encountering this issue on one of my workflow files that had a fair bit of duplicated steps between jobs.
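The anchor/alias mechanics behind this report, as an added example that is not part of the issue or of zizmor's code: loading the reproduction workflow with Ruby's standard-library YAML parser (Psych) shows that the `*checkout` alias expands to the very same step mapping as the `&checkout` anchor, so the `uses:` key is present once aliases are resolved, and that `run:`-only steps have to be skipped rather than treated as an error. The `load_workflow` and `action_refs` helper names are mine; the workflow text is a constructed copy of the one above.

```ruby
require 'yaml'

# Constructed copy of the reporter's workflow: the step is anchored (&checkout)
# in job `test` and reused via alias (*checkout) in job `test2`.
WORKFLOW = <<~YAML
  name: Test
  on:
    push:
      branches:
        - main
  jobs:
    test:
      name: Test
      runs-on: ubuntu-latest
      steps:
        - &checkout
          name: Checkout repository
          uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
          with:
            persist-credentials: false
    test2:
      name: Test2
      runs-on: ubuntu-latest
      steps:
        - *checkout
        - name: Test
          run: echo "Test"
YAML

# Psych's safe loader rejects aliases unless told to expand them (a defence
# against alias-expansion bombs), so a linter that accepts anchored workflows
# has to opt in explicitly. Note: Psych follows YAML 1.1 and reads the bare
# `on` key as boolean true; only `jobs` is read here, so that does not matter.
def load_workflow(src, aliases:)
  YAML.safe_load(src, aliases: aliases)
end

# Walk every job and step and return each `uses:` target split into
# owner/repo slug and ref. After alias expansion the aliased step is an
# ordinary mapping with `uses`; steps without `uses` (e.g. `run:` steps)
# are skipped instead of raising, which is the audit behaviour one expects.
def action_refs(doc)
  doc.fetch('jobs').flat_map do |job_id, job|
    Array(job['steps']).filter_map do |step|
      next unless step.is_a?(Hash) && step.key?('uses')
      slug, ref = step['uses'].split('@', 2)
      { job: job_id, slug: slug, ref: ref }
    end
  end
end
```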