Open
Description
Pre-submission checks
- I am not filing a feature request. These should be filed via the feature request form instead.
- I have looked through the open issues for a duplicate report.
zizmor version
1.11.0
Expected behavior
I tried out the new VSCode extension with the latest zizmor version. Thanks a lot for that, very helpful!
I have a `zizmor.yml` where `unpinned-uses` is configured for certain actions to be `allow ref-pin`. I have a file in the repo `.github/actions/some-action/action.yaml` that uses one of those actions, but the zizmor vscode extension still reports a violation for each action use with a ref-pin. `zizmor` itself does not:
```console
$ zizmor .github/actions/docker-build/action.yaml
INFO zizmor::registry: skipping impostor-commit: can't run without a GitHub API token
INFO zizmor::registry: skipping ref-confusion: can't run without a GitHub API token
INFO zizmor::registry: skipping known-vulnerable-actions: can't run without a GitHub API token
INFO zizmor::registry: skipping forbidden-uses: audit not configured
INFO zizmor::registry: skipping stale-action-refs: can't run without a GitHub API token
INFO audit: zizmor: 🌈 completed .github/actions/docker-build/action.yaml
No findings to report. Good job! (2 ignored, 2 suppressed)
```
The relevant file is here: https://github.com/opalmedapps/.github/blob/main/.github/actions/docker-build/action.yaml
Actual behavior
Match the report of `zizmor`, i.e., no violation in this particular use case.
Reproduction steps
- Clone repo: https://github.com/opalmedapps/.github
- Open in vscode with the zizmor extension installed and enabled
- Open `.github/actions/docker-build/action.yaml`
Logs
Additional context
No response