build(deps): bump zizmor from 1.19.0 to 1.20.0 in the test-and-lint-dependencies group

[dependabot]

Bumps the test-and-lint-dependencies group with 1 update: zizmor.

Updates zizmor from 1.19.0 to 1.20.0

Release notes

Sourced from zizmor's releases.

v1.20.0

Enhancements 🌱🔗

• The excessive-permissions audit is now aware of the artifact-metadata and models permissions (#1461)

• The cache-poisoning audit is now aware of the ramsey/composer-install action (#1489)

• The unpinned-images audit is now significantly more precise in the presence of matrix references, e.g. image: ${{ matrix.image }} (#1482)

Changes ⚠️🔗

• The default policy for the unpinned-uses audit has changed from allowing ref-pinning for first-party actions (those under actions/* and similar) to requiring hash-pinning. This makes the default policy more strict, as well as more consistent across the actions ecosystem.

  Users who with to retain the old (permissive policy) for first-party actions may configure it explicitly in their zizmor.yml:

zizmor.yml
rules:
unpinned-uses:
config:
policies:
actions/: ref-pin
github/: ref-pin
dependabot/*: ref-pin

Bug Fixes 🐛🔗

• The dependabot-cooldown audit no longer flags missing cooldowns on ecosystems that don't (yet) support cooldowns, such as opentofu (#1480)

• Fixed a false positive in the cache-poisoning audit where zizmor would treat empty strings (e.g. cache: '') as enabling rather than disabling caching (#1482)

• Fixed two gaps in the use-trusted-publishing audit's detection of common yarn publishing commands (#1495)

Miscellaneous 🛠🔗

• zizmor's configuration now has an official JSON schema that will be available via SchemaStore soon!

  Many thanks to @​kiwamizamurai for implementing this improvement!

Changelog

Sourced from zizmor's changelog.

1.20.0

Enhancements 🌱

• The [excessive-permissions] audit is now aware of the artifact-metadata and models permissions (#1461)

• The [cache-poisoning] audit is now aware of the @​ramsey/composer-install action (#1489)

• The [unpinned-images] audit is now significantly more precise in the presence of matrix references, e.g. image: ${{ matrix.image }} (#1482)

Changes ⚠️

• The default policy for the [unpinned-uses] audit has changed from allowing ref-pinning for first-party actions (those under actions/* and similar) to requiring hash-pinning. This makes the default policy more strict, as well as more consistent across the actions ecosystem.

  Users who with to retain the old (permissive policy) for first-party actions may configure it explicitly in their zizmor.yml:

  rules:
    unpinned-uses:
      config:
        policies:
          actions/*: ref-pin
          github/*: ref-pin
          dependabot/*: ref-pin

Bug Fixes 🐛

• The [dependabot-cooldown] audit no longer flags missing cooldowns on ecosystems that don't (yet) support cooldowns, such as opentofu (#1480)

• Fixed a false positive in the [cache-poisoning] audit where zizmor would treat empty strings (e.g. cache: '') as enabling rather than disabling caching (#1482)

• Fixed two gaps in the [use-trusted-publishing] audit's detection of common yarn publishing commands (#1495)

Miscellaneous 🛠

• zizmor's configuration now has an official JSON schema that is available via SchemaStore!

... (truncated)

Commits

• 2780ee5 zizmor 1.20.0 (#1506)
• d508548 github-actions-models 0.43.0 (#1505)
• 6e766ea github-actions-expressions 0.0.12 (#1504)
• 43b1c3a yamlpatch 0.9.0 (#1503)
• 9a27026 yamlpath 0.32.0 (#1502)
• 2828132 [BOT] update JSON schemas from SchemaStore (#1499)
• 204783b chore(deps): bump the cargo group with 3 updates (#1500)
• bead484 docs: bump trophies (#1497)
• 7f0ad71 feat: handle matrix expressions in container image clauses (#1482)
• 2d3fa2f docs: bump trophies (#1496)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions