Release 2.68.24

.github/workflows/ci.yml

@@ -134,7 +134,7 @@ jobs:
         if: startsWith(matrix.os, 'windows')
       - name: Test cmd
         run: just --version & shfmt --version & protoc --version
-        shell: cmd
+        shell: cmd # zizmor: ignore[misfeature] used for compatibility testing
         if: startsWith(matrix.os, 'windows')
       # We use the version output to check the version of cargo-binstall, but they
       # several times change the version output format in the past so we need to

.github/zizmor.yml

@@ -10,7 +10,3 @@ rules:
       policies:
         taiki-e/*: any
         '*': ref-pin
-  misfeature:
-    ignore:
-      # We use `shell: cmd` to test compatibility.
-      - ci.yml

.gitignore

@@ -1,5 +1,6 @@
 target
 Cargo.lock
+mutants.out*
 tmp
 
 # For platform and editor specific settings, it is recommended to add to

CHANGELOG.md

@@ -10,6 +10,18 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com
 
 ## [Unreleased]
 
+## [2.68.24] - 2026-03-08
+
+- Avoid triggering [zizmor ref-confusion](https://docs.zizmor.sh/audits/#ref-confusion) when using this action in form of `uses: taiki-e/install-action@v2` or `uses: taiki-e/install-action@<tool_name>`.
+
+## [2.68.23] - 2026-03-08
+
+- Update `zizmor@latest` to 1.23.0.
+
+- Update `tombi@latest` to 0.9.3.
+
+- Update `mise@latest` to 2026.3.5.
+
 ## [2.68.22] - 2026-03-07
 
 - Update `release-plz@latest` to 0.3.157.
@@ -5827,7 +5839,9 @@ Note: This release is considered a breaking change because installing on version
 
 Initial release
 
-[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.68.22...HEAD
+[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.68.24...HEAD
+[2.68.24]: https://github.com/taiki-e/install-action/compare/v2.68.23...v2.68.24
+[2.68.23]: https://github.com/taiki-e/install-action/compare/v2.68.22...v2.68.23
 [2.68.22]: https://github.com/taiki-e/install-action/compare/v2.68.21...v2.68.22
 [2.68.21]: https://github.com/taiki-e/install-action/compare/v2.68.20...v2.68.21
 [2.68.20]: https://github.com/taiki-e/install-action/compare/v2.68.19...v2.68.20

manifests/mise.json

@@ -28,13 +28,39 @@
   },
   "license_markdown": "[MIT](https://github.com/jdx/mise/blob/main/LICENSE)",
   "latest": {
-    "version": "2026.3.4"
+    "version": "2026.3.5"
   },
   "2026": {
-    "version": "2026.3.4"
+    "version": "2026.3.5"
   },
   "2026.3": {
-    "version": "2026.3.4"
+    "version": "2026.3.5"
+  },
+  "2026.3.5": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE7CA8EF4B602D",
+      "checksum": "eae3d01230d11cf73a6cfae3433514b5a80e117a73f9e385a467ac8d7430629e"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE7CA8F1A3768C",
+      "checksum": "7897a373cded573fc8ed68d35b2d18db31b76d567e1361e44aac93175a240a6e"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE7CA8F26FA50B",
+      "checksum": "deb8a94e079d4b8de0d6fd747e685ca8f68d3f06f20dc6686772134e0ab456bd"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE7CA8EB5AECC7",
+      "checksum": "fd18ceb54f19cacaa5615fd70f959c3569fe7446e398faced6bbca3b9c13d2de"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE7CA8F0C250FF",
+      "checksum": "f6f009e9f547abe4ee949fbf362944228fd64c0849c76bc9139a4b805b157776"
+    },
+    "aarch64_windows": {
+      "etag": "0x8DE7CA8F21FE2E7",
+      "checksum": "1fffc0d662f52e3c1473f95cb6a47cd0bc2c6447634f8079254fe68d083700d7"
+    }
   },
   "2026.3.4": {
     "x86_64_linux_musl": {

manifests/tombi.json

@@ -22,10 +22,36 @@
   },
   "license_markdown": "[MIT](https://github.com/tombi-toml/tombi/blob/main/LICENSE)",
   "latest": {
-    "version": "0.9.2"
+    "version": "0.9.3"
   },
   "0.9": {
-    "version": "0.9.2"
+    "version": "0.9.3"
+  },
+  "0.9.3": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE7CD825537A64",
+      "checksum": "9f17f6766f908d27294f22a928a498f49fb3957c206bfd7b73975de11761d096"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE7CD8255B39DE",
+      "checksum": "93610b36efe99f09ab3a109dad47327b569bdd2aedfd5ddba37d08ecb0d70489"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE7CD8255D5A57",
+      "checksum": "1d052e8e814252bfb85d0cddc9d6c39bfe5c8d8dce3c962e7ec575e355ddc6fb"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE7CD82547C7B2",
+      "checksum": "38b9352a7e06e1bf10f6de3b3247b35ef9e109134567677da30a44375bed7d5d"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE7CD825C01A0D",
+      "checksum": "385f61c90ef854f0b96fa525f2eedcfae705befaa74d2b99ae5c95013f0db4e5"
+    },
+    "aarch64_windows": {
+      "etag": "0x8DE7CD825ED1201",
+      "checksum": "76c80b423a2ded65a28810533f18ee60a924a1bb79a7426f1c12e3a08d83746e"
+    }
   },
   "0.9.2": {
     "x86_64_linux_musl": {

manifests/zizmor.json

@@ -19,10 +19,35 @@
   },
   "license_markdown": "[MIT](https://github.com/zizmorcore/zizmor/blob/main/LICENSE)",
   "latest": {
-    "version": "1.22.0"
+    "version": "1.23.0"
   },
   "1": {
-    "version": "1.22.0"
+    "version": "1.23.0"
+  },
+  "1.23": {
+    "version": "1.23.0"
+  },
+  "1.23.0": {
+    "x86_64_linux_gnu": {
+      "etag": "0x8DE7CDA7B7E46D6",
+      "checksum": "5c86c299a6f59e7b91e43fa6b3826add93edf3b1468d24775992604a5e41797b"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE7CDA7B7D369A",
+      "checksum": "791750aaa9948dfd75c8aa92d58577e20c91e434562347328c84572f8f94048b"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE7CDA7B7DAB4B",
+      "checksum": "7707de90a63a516b653a632d7348b1e089bf7f2c5daf90cc45cbc4661eb324a0"
+    },
+    "aarch64_linux_gnu": {
+      "etag": "0x8DE7CDA7B8BF314",
+      "checksum": "e140f07a78e7c05ffc86273c4a4935cbe76bba24a322e0e6ee237a9c4662c65d"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE7CDA7B82D5A8",
+      "checksum": "2263ca6af1248539bfb2962a1966183709139e2e87bdf4023a913b06ebbde6c4"
+    }
   },
   "1.22": {
     "version": "1.22.0"

tools/codegen/src/lib.rs

@@ -2,14 +2,11 @@
 
 #![allow(clippy::missing_panics_doc, clippy::too_long_first_doc_paragraph)]
 
-use std::{env, path::PathBuf};
+use std::{env, path::Path};
 
 pub use install_action_manifest_schema::*;
 
 #[must_use]
-pub fn workspace_root() -> PathBuf {
-    let mut dir = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
-    dir.pop(); // codegen
-    dir.pop(); // tools
-    dir
+pub fn workspace_root() -> &'static Path {
+    Path::new(env!("CARGO_MANIFEST_DIR").strip_suffix("tools/codegen").unwrap())
 }

tools/codegen/src/main.rs

@@ -32,7 +32,7 @@ fn main() -> Result<()> {
     let version_req_given = version_req.is_some();
     let skip_existing_manifest_versions = std::env::var("SKIP_EXISTING_MANIFEST_VERSIONS").is_ok();
 
-    let workspace_root = &workspace_root();
+    let workspace_root = workspace_root();
     let manifest_path = &workspace_root.join("manifests").join(format!("{package}.json"));
     let download_cache_dir = &workspace_root.join("tools/codegen/tmp/cache").join(package);
     fs::create_dir_all(manifest_path.parent().unwrap())?;

tools/codegen/src/tools-markdown.rs

@@ -40,9 +40,9 @@ fn main() -> Result<()> {
 
     let workspace_root = workspace_root();
 
-    let mut manifest_dir = workspace_root.clone();
+    let mut manifest_dir = workspace_root.to_owned();
     manifest_dir.push("manifests");
-    let mut base_info_dir = workspace_root.clone();
+    let mut base_info_dir = workspace_root.to_owned();
     base_info_dir.push("tools");
     base_info_dir.push("codegen");
     base_info_dir.push("base");
@@ -112,7 +112,7 @@ fn main() -> Result<()> {
 
     tools.sort_by(|x, y| x.name.cmp(&y.name));
 
-    let mut markdown_file = workspace_root.clone();
+    let mut markdown_file = workspace_root.to_owned();
     markdown_file.push("TOOLS.md");
 
     let mut file = BufWriter::new(fs::File::create(markdown_file).unwrap()); // Buffered because it is written many times.

tools/publish.sh

@@ -121,9 +121,9 @@ retry git push origin refs/heads/main
 retry git push origin refs/tags/"${tag}"
 
 major_version_tag="v${version%%.*}"
-git branch "${major_version_tag}"
+git branch "releases/${major_version_tag}"
 git tag -f "${major_version_tag}"
-refs=("refs/heads/${major_version_tag}" "+refs/tags/${major_version_tag}")
+refs=("refs/heads/releases/${major_version_tag}" "+refs/tags/${major_version_tag}")
 
 tools=()
 for tool in tools/codegen/base/*.json; do
@@ -142,8 +142,9 @@ tools+=(
 # Non-manifest-based tools.
 tools+=(valgrind)
 
+branches=()
 for tool in "${tools[@]}"; do
-  git checkout -b "${tool}"
+  git checkout -b "releases/${tool}"
   sed -E "${in_place[@]}" action.yml \
     -e "s/required: true/required: false/g" \
     -e "s/# default: #publish:tool/default: ${tool}/g"
@@ -151,11 +152,12 @@ for tool in "${tools[@]}"; do
   git commit -m "${tool}"
   git tag -f "${tool}"
   git checkout main
-  refs+=("+refs/heads/${tool}" "+refs/tags/${tool}")
+  refs+=("+refs/heads/releases/${tool}" "+refs/tags/${tool}")
+  branches+=("releases/${tool}")
 done
 retry git push origin --atomic "${refs[@]}"
-git branch -d "${major_version_tag}"
-git branch -D "${tools[@]}"
+git branch -d "releases/${major_version_tag}"
+git branch -D "${branches[@]}"
 
 schema_workspace=/tmp/workspace
 rm -rf -- "${schema_workspace}"

tools/tidy.sh

@@ -909,8 +909,21 @@ EOF
             JOB_DEFAULT_SHELL="${default_shell}"
           fi
           for step in $(jq -c '.steps[]' <<<"${job}"); do
+            uses=''
+            # https://github.com/vmactions: prepare, run
+            # https://github.com/cross-platform-actions/action: run, shell
+            # https://github.com/uraimo/run-on-arch-action: setup, install, run, shell
             prepare=''
-            eval "$(jq -r 'if .run then @sh "RUN=\(.run) shell=\(.shell)" else @sh "RUN=\(.with.run) prepare=\(.with.prepare) shell=\(.with.shell)" end' <<<"${step}")"
+            setup=''
+            install=''
+            eval "$(jq -r 'if .run then @sh "RUN=\(.run) shell=\(.shell)" else @sh "uses=\(.uses) FALLBACK=\(.with.fallback) RUN=\(.with.run) prepare=\(.with.prepare) setup=\(.with.setup) install=\(.with.install) shell=\(.with.shell)" end' <<<"${step}")"
+            if [[ "${uses}" == */install-action@* ]]; then
+              if [[ "${FALLBACK}" != 'none' ]]; then
+                error "'fallback: none' must be set for install-action (${name}.steps[${n}])"
+              fi
+              _=$((n++))
+              continue
+            fi
             if [[ "${RUN}" == 'null' ]]; then
               _=$((n++))
               continue
@@ -924,8 +937,14 @@ EOF
                 shell='sh'
               fi
             fi
-            shellcheck_for_gha "${RUN}" "${shell}" "${workflow_path} ${name}.steps[${n}].run"
-            shellcheck_for_gha "${prepare:-null}" 'sh' "${workflow_path} ${name}.steps[${n}].run"
+            if [[ -z "${uses}" ]]; then
+              shellcheck_for_gha "${RUN}" "${shell}" "${workflow_path} ${name}.steps[${n}].run"
+            else
+              shellcheck_for_gha "${RUN}" "${shell}" "${workflow_path} ${name}.steps[${n}].with.run"
+            fi
+            shellcheck_for_gha "${prepare:-null}" 'sh' "${workflow_path} ${name}.steps[${n}].with.prepare"
+            shellcheck_for_gha "${setup:-null}" "${shell}" "${workflow_path} ${name}.steps[${n}].with.setup"
+            shellcheck_for_gha "${install:-null}" "${shell}" "${workflow_path} ${name}.steps[${n}].with.install"
             _=$((n++))
           done
         done