Release 2.68.24

.github/workflows/ci.yml

@@ -134,7 +134,7 @@ jobs:
         if: startsWith(matrix.os, 'windows')
       - name: Test cmd
         run: just --version & shfmt --version & protoc --version
-        shell: cmd
+        shell: cmd # zizmor: ignore[misfeature] used for compatibility testing
         if: startsWith(matrix.os, 'windows')
       # We use the version output to check the version of cargo-binstall, but they
       # several times change the version output format in the past so we need to

.github/zizmor.yml

@@ -10,7 +10,3 @@ rules:
       policies:
         taiki-e/*: any
         '*': ref-pin
-  misfeature:
-    ignore:
-      # We use `shell: cmd` to test compatibility.
-      - ci.yml

.gitignore

@@ -1,5 +1,6 @@
 target
 Cargo.lock
+mutants.out*
 tmp
 
 # For platform and editor specific settings, it is recommended to add to

CHANGELOG.md

@@ -10,6 +10,10 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com
 
 ## [Unreleased]
 
+## [2.68.24] - 2026-03-08
+
+- Avoid triggering [zizmor ref-confusion](https://docs.zizmor.sh/audits/#ref-confusion) when using this action in form of `uses: taiki-e/install-action@v2` or `uses: taiki-e/install-action@<tool_name>`.
+
 ## [2.68.23] - 2026-03-08
 
 - Update `zizmor@latest` to 1.23.0.
@@ -5835,7 +5839,8 @@ Note: This release is considered a breaking change because installing on version
 
 Initial release
 
-[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.68.23...HEAD
+[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.68.24...HEAD
+[2.68.24]: https://github.com/taiki-e/install-action/compare/v2.68.23...v2.68.24
 [2.68.23]: https://github.com/taiki-e/install-action/compare/v2.68.22...v2.68.23
 [2.68.22]: https://github.com/taiki-e/install-action/compare/v2.68.21...v2.68.22
 [2.68.21]: https://github.com/taiki-e/install-action/compare/v2.68.20...v2.68.21

tools/codegen/src/lib.rs

@@ -2,14 +2,11 @@
 
 #![allow(clippy::missing_panics_doc, clippy::too_long_first_doc_paragraph)]
 
-use std::{env, path::PathBuf};
+use std::{env, path::Path};
 
 pub use install_action_manifest_schema::*;
 
 #[must_use]
-pub fn workspace_root() -> PathBuf {
-    let mut dir = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
-    dir.pop(); // codegen
-    dir.pop(); // tools
-    dir
+pub fn workspace_root() -> &'static Path {
+    Path::new(env!("CARGO_MANIFEST_DIR").strip_suffix("tools/codegen").unwrap())
 }

tools/codegen/src/main.rs

@@ -32,7 +32,7 @@ fn main() -> Result<()> {
     let version_req_given = version_req.is_some();
     let skip_existing_manifest_versions = std::env::var("SKIP_EXISTING_MANIFEST_VERSIONS").is_ok();
 
-    let workspace_root = &workspace_root();
+    let workspace_root = workspace_root();
     let manifest_path = &workspace_root.join("manifests").join(format!("{package}.json"));
     let download_cache_dir = &workspace_root.join("tools/codegen/tmp/cache").join(package);
     fs::create_dir_all(manifest_path.parent().unwrap())?;

tools/codegen/src/tools-markdown.rs

@@ -40,9 +40,9 @@ fn main() -> Result<()> {
 
     let workspace_root = workspace_root();
 
-    let mut manifest_dir = workspace_root.clone();
+    let mut manifest_dir = workspace_root.to_owned();
     manifest_dir.push("manifests");
-    let mut base_info_dir = workspace_root.clone();
+    let mut base_info_dir = workspace_root.to_owned();
     base_info_dir.push("tools");
     base_info_dir.push("codegen");
     base_info_dir.push("base");
@@ -112,7 +112,7 @@ fn main() -> Result<()> {
 
     tools.sort_by(|x, y| x.name.cmp(&y.name));
 
-    let mut markdown_file = workspace_root.clone();
+    let mut markdown_file = workspace_root.to_owned();
     markdown_file.push("TOOLS.md");
 
     let mut file = BufWriter::new(fs::File::create(markdown_file).unwrap()); // Buffered because it is written many times.

tools/publish.sh

@@ -121,9 +121,9 @@ retry git push origin refs/heads/main
 retry git push origin refs/tags/"${tag}"
 
 major_version_tag="v${version%%.*}"
-git branch "${major_version_tag}"
+git branch "releases/${major_version_tag}"
 git tag -f "${major_version_tag}"
-refs=("refs/heads/${major_version_tag}" "+refs/tags/${major_version_tag}")
+refs=("refs/heads/releases/${major_version_tag}" "+refs/tags/${major_version_tag}")
 
 tools=()
 for tool in tools/codegen/base/*.json; do
@@ -142,8 +142,9 @@ tools+=(
 # Non-manifest-based tools.
 tools+=(valgrind)
 
+branches=()
 for tool in "${tools[@]}"; do
-  git checkout -b "${tool}"
+  git checkout -b "releases/${tool}"
   sed -E "${in_place[@]}" action.yml \
     -e "s/required: true/required: false/g" \
     -e "s/# default: #publish:tool/default: ${tool}/g"
@@ -151,11 +152,12 @@ for tool in "${tools[@]}"; do
   git commit -m "${tool}"
   git tag -f "${tool}"
   git checkout main
-  refs+=("+refs/heads/${tool}" "+refs/tags/${tool}")
+  refs+=("+refs/heads/releases/${tool}" "+refs/tags/${tool}")
+  branches+=("releases/${tool}")
 done
 retry git push origin --atomic "${refs[@]}"
-git branch -d "${major_version_tag}"
-git branch -D "${tools[@]}"
+git branch -d "releases/${major_version_tag}"
+git branch -D "${branches[@]}"
 
 schema_workspace=/tmp/workspace
 rm -rf -- "${schema_workspace}"

tools/tidy.sh

@@ -909,8 +909,21 @@ EOF
             JOB_DEFAULT_SHELL="${default_shell}"
           fi
           for step in $(jq -c '.steps[]' <<<"${job}"); do
+            uses=''
+            # https://github.com/vmactions: prepare, run
+            # https://github.com/cross-platform-actions/action: run, shell
+            # https://github.com/uraimo/run-on-arch-action: setup, install, run, shell
             prepare=''
-            eval "$(jq -r 'if .run then @sh "RUN=\(.run) shell=\(.shell)" else @sh "RUN=\(.with.run) prepare=\(.with.prepare) shell=\(.with.shell)" end' <<<"${step}")"
+            setup=''
+            install=''
+            eval "$(jq -r 'if .run then @sh "RUN=\(.run) shell=\(.shell)" else @sh "uses=\(.uses) FALLBACK=\(.with.fallback) RUN=\(.with.run) prepare=\(.with.prepare) setup=\(.with.setup) install=\(.with.install) shell=\(.with.shell)" end' <<<"${step}")"
+            if [[ "${uses}" == */install-action@* ]]; then
+              if [[ "${FALLBACK}" != 'none' ]]; then
+                error "'fallback: none' must be set for install-action (${name}.steps[${n}])"
+              fi
+              _=$((n++))
+              continue
+            fi
             if [[ "${RUN}" == 'null' ]]; then
               _=$((n++))
               continue
@@ -924,8 +937,14 @@ EOF
                 shell='sh'
               fi
             fi
-            shellcheck_for_gha "${RUN}" "${shell}" "${workflow_path} ${name}.steps[${n}].run"
-            shellcheck_for_gha "${prepare:-null}" 'sh' "${workflow_path} ${name}.steps[${n}].run"
+            if [[ -z "${uses}" ]]; then
+              shellcheck_for_gha "${RUN}" "${shell}" "${workflow_path} ${name}.steps[${n}].run"
+            else
+              shellcheck_for_gha "${RUN}" "${shell}" "${workflow_path} ${name}.steps[${n}].with.run"
+            fi
+            shellcheck_for_gha "${prepare:-null}" 'sh' "${workflow_path} ${name}.steps[${n}].with.prepare"
+            shellcheck_for_gha "${setup:-null}" "${shell}" "${workflow_path} ${name}.steps[${n}].with.setup"
+            shellcheck_for_gha "${install:-null}" "${shell}" "${workflow_path} ${name}.steps[${n}].with.install"
             _=$((n++))
           done
         done