From 0f495b85ef2b06777bc91367008b54f73bbffa55 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 26 Jan 2026 23:01:33 +0000
Subject: [PATCH 1/2] build(deps): bump the test-and-lint-dependencies group with 2 updates

Bumps the test-and-lint-dependencies group with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [zizmor](https://github.com/zizmorcore/zizmor).
Updates `ruff` from 0.14.11 to 0.14.13
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.14.11...0.14.13)
Updates `zizmor` from 1.20.0 to 1.22.0
- [Release notes](https://github.com/zizmorcore/zizmor/releases)
- [Changelog](https://github.com/zizmorcore/zizmor/blob/main/docs/release-notes.md)
- [Commits](https://github.com/zizmorcore/zizmor/compare/v1.20.0...v1.22.0)
---
updated-dependencies:
- dependency-name: ruff dependency-version: 0.14.13 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: test-and-lint-dependencies
- dependency-name: zizmor dependency-version: 1.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: test-and-lint-dependencies
...
Signed-off-by: dependabot[bot]
---
 requirements/lint.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements/lint.txt b/requirements/lint.txt
index dcbc97b83a..2119b97831 100644
--- a/requirements/lint.txt
+++ b/requirements/lint.txt
@@ -6,9 +6,9 @@
 # Lint tools
 # (We are not so interested in the specific versions of the tools: the versions
 # are pinned to prevent unexpected linting failures when tools update)
-ruff==0.14.11
+ruff==0.14.13
 mypy==1.19.1
-zizmor==1.20.0
+zizmor==1.22.0
 
 # Required for type stubs
 freezegun==1.5.5
From bf5ddf8a00ad57045fcfae11e3c5e89ccb9cfae8 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Fri, 30 Jan 2026 16:12:21 +0200
Subject: [PATCH 2/2] workflows: Add zizmor ignore comment

Should be fine to use check-latest-spec-version from master.
Signed-off-by: Jussi Kukkonen
---
 .github/workflows/specification-version-check.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/specification-version-check.yml b/.github/workflows/specification-version-check.yml
index aa8c1e685d..8a372cbe13 100644
--- a/.github/workflows/specification-version-check.yml
+++ b/.github/workflows/specification-version-check.yml
@@ -33,6 +33,6 @@ jobs:
 contents: read
 issues: write
 needs: get-supported-tuf-version
- uses: theupdateframework/specification/.github/workflows/check-latest-spec-version.yml@master
+ uses: theupdateframework/specification/.github/workflows/check-latest-spec-version.yml@master # zizmor: ignore[unpinned-uses]
 with:
 tuf-version: ${{needs.get-supported-tuf-version.outputs.version}}
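Review bot: The `# zizmor: ignore[unpinned-uses]` comment added on the `uses:` line suppresses the finding while the reusable workflow still resolves to the mutable `master` ref, and the calling job grants it `issues: write`. Any change that lands on that branch in the specification repository runs with this job's token on the next trigger, and the reason this is acceptable is recorded only in the commit message, not in the file. If tracking the branch is intended, a preceding comment such as `# Reusable workflow maintained by the same project; intentionally tracks master, token limited to contents: read and issues: write` would keep the suppression auditable; otherwise pin the reference as `...check-latest-spec-version.yml@<full-commit-sha> # master` and drop the ignore. The job definition starts above the hunk, so its name and trigger are not visible here.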