feat: remote auditing

[woodruffw]

WIP.

Once finished, this will enable zizmor foo/bar, where foo/bar is a GitHub repo that zizmor will extract workflows to audit from.

(The @-prefix is not a firm design choice -- I might remove that.)

Closes #50

Closes #177

CC @miketheman as an interested party 🙂

[miketheman]

Woohoo, thanks for taking this on!

(The @-prefix is not a firm design choice -- I might remove that.)

I agree - especially considering that we cannot predict the future of Naming Things.

In my head, it's absolutely fine and fair to use the entire repo URL as the input - and this don't have to "teach" a new thing.

[miketheman]

For completeness, an example:

zizmor https://github.com/foo/bar

[woodruffw]

In my head, it's absolutely fine and fair to use the entire repo URL as the input - and this don't have to "teach" a new thing.

True -- the only reason why I'm shying away from this is because I don't want to have to teach zizmor how to validate URLs, versus being given a slug that it can make correct-by-construction into a GitHub URL.

For example, I don't want to get bug reports for ssh:// URLs, or GHE deployments, or for http://random-filehost.example.com/why-is-there-a-workflow-here.yml 🙂

As a middle ground, I think I'll drop the @ prefix but go with a convention that's already universal on GitHub, namely org/repo(@ref)?. That can be disambiguated easily from a local file by testing for presence, and leaves open changing to a full URL input in the future if/when that becomes pressing. That way no new syntax is invented here, at least.