feat: bot-conditions: check github.triggering_actor (#559)

docs/release-notes.md

@@ -23,6 +23,8 @@ of `zizmor`.
   expectations (#528)
 * `# zizmor: ignore[rule]` comments can now have trailing explanations,
   e.g. `# zizmor: ignore[rule] because reasons` (#531)
+* The [bot-conditions] audit now detects `github.triggering_actor`
+  as another spoofable actor check (#559)
 
 ### Upcoming Changes 🚧
 

src/audit/bot_conditions.rs

@@ -11,6 +11,8 @@ pub(crate) struct BotConditions;
 
 audit_meta!(BotConditions, "bot-conditions", "spoofable bot actor check");
 
+const SPOOFABLE_ACTOR_CONTEXTS: &[&str] = &["github.actor", "github.triggering_actor"];
+
 impl Audit for BotConditions {
     fn new(_state: super::AuditState) -> anyhow::Result<Self>
     where
@@ -52,7 +54,7 @@ impl Audit for BotConditions {
                         .add_location(
                             loc.with_keys(&["if".into()])
                                 .primary()
-                                .annotated("github.actor may be spoofable"),
+                                .annotated("actor context may be spoofable"),
                         )
                         .build(job.parent())?,
                 );
@@ -94,7 +96,11 @@ impl BotConditions {
                 expr::BinOp::Eq => match (lhs.as_ref(), rhs.as_ref()) {
                     (Expr::Context(ctx), Expr::String(s))
                     | (Expr::String(s), Expr::Context(ctx)) => {
-                        if ctx == "github.actor" && s.ends_with("[bot]") {
+                        // NOTE: Can't use `contains` here because we need
+                        // Context's `PartialEq` for case insensitive matching.
+                        if SPOOFABLE_ACTOR_CONTEXTS.iter().any(|x| ctx == *x)
+                            && s.ends_with("[bot]")
+                        {
                             (true, true)
                         } else {
                             (false, true)
@@ -171,6 +177,10 @@ mod tests {
             ("'dependabot[bot]' == github.actor", Confidence::High),
             ("'dependabot[bot]' == GitHub.actor", Confidence::High),
             ("'dependabot[bot]' == GitHub.ACTOR", Confidence::High),
+            (
+                "'dependabot[bot]' == GitHub.triggering_actor",
+                Confidence::High,
+            ),
             // Dominating cases with OR.
             (
                 "'dependabot[bot]' == github.actor || true",

tests/snapshots/snapshot__bot_conditions.snap

@@ -15,31 +15,31 @@ error[bot-conditions]: spoofable bot actor check
  --> @@INPUT@@:8:5
   |
 8 |     if: github.actor == 'dependabot[bot]'
-  |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ github.actor may be spoofable
+  |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
   |
   = note: audit confidence → High
 
 error[bot-conditions]: spoofable bot actor check
   --> @@INPUT@@:12:9
    |
 12 |         if: ${{ github.actor == 'dependabot[bot]' }}
-   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ github.actor may be spoofable
+   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
    |
    = note: audit confidence → High
 
 error[bot-conditions]: spoofable bot actor check
   --> @@INPUT@@:16:9
    |
 16 |         if: ${{ github.actor == 'dependabot[bot]' && github.repository == 'example/example' }}
-   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ github.actor may be spoofable
+   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
    |
    = note: audit confidence → Medium
 
 error[bot-conditions]: spoofable bot actor check
   --> @@INPUT@@:20:9
    |
 20 |         if: github.actor == 'renovate[bot]'
-   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ github.actor may be spoofable
+   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
    |
    = note: audit confidence → High