Feature: Detect missing version comments on SHA-pinned actions #1836

@shaanmajid

Description

Pre-submission checks

  • I am not reporting a bug (crash, false positive/negative, etc). These must be filed via the bug report template.
  • I have looked through both the open and closed issues for a duplicate request.

What's the problem this feature will solve?

When an action is pinned to a commit SHA without a version comment, it hurts readability and may play poorly with tooling (e.g., dependency update tools).

# What version is this? No way to tell without looking up the SHA and wasting 30s of my life :p
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

# Clear and tool-friendly :D
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Zizmor today already has some handling for version comments, e.g., validating the accuracy of existing comments with ref-version-mismatch, or generating them for unpinned-uses auto-fixes. It seems sensible to add functionality to mandate that a version comment exists at all.

Describe the solution you'd like

Detect SHA-pinned uses: that lack a version comment. Similar to other documentation audits such as undocumented-permissions, this should likely be pedantic only, since it alone does not constitute a security vulnerability.

The auto-fix would use longest_tag_for_commit to resolve the SHA to a tag and add the comment via EmplaceComment. If no tag exists for the commit, zizmor should skip the finding (as we can't add a comment for something with no tag).

This could be added as a new pedantic finding extending the existing ref-version-mismatch, or as a new, standalone audit (e.g., missing-version-comment).

Additional context

Happy to create a PR if there's support :)
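The detection and auto-fix described in the request, as an added, stand-alone example (Python, not zizmor's own Rust code). It scans `uses:` lines for a full 40-hex commit pin with no trailing tag-like comment, resolves the SHA to its most specific tag through a constructed lookup table standing in for `longest_tag_for_commit`, appends the comment, and leaves lines whose SHA has no known tag unfixed. The line-based matching, the "tag-like comment" regex and the sample workflow and tag map are all assumptions made for this example.

```python
"""Flag SHA-pinned `uses:` steps that lack a version comment, and auto-fix them.

Added example, not zizmor's code. Line-based on purpose: `uses:` values are
scalars, so a full YAML parser is not needed to demonstrate the check.
"""
from __future__ import annotations

import re

# A `uses:` line: optional list dash, the key, the value, then the remainder
# (either nothing or a trailing comment).
USES_RE = re.compile(r"^(?P<prefix>\s*(?:-\s+)?uses:\s*)(?P<value>[^\s#]+)(?P<rest>.*)$")
# owner/repo[/path]@<40 hex chars>; applied to the value with quotes stripped.
SHA_PIN_RE = re.compile(r"^[^/@\s]+/[^/@\s]+(?:/[^@\s]*)?@(?P<sha>[0-9a-f]{40})$", re.IGNORECASE)
# Assumed shape of a "version comment": v6, v6.0.2, 1.2.3-rc1, etc.
VERSION_COMMENT_RE = re.compile(r"#\s*v?\d+(?:\.\d+)*\S*\s*$")


def find_missing_version_comments(workflow_text: str) -> list[dict]:
    """One finding per `uses:` pinned to a full commit SHA with no version comment."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue
        value = m.group("value").strip("\"'")
        pin = SHA_PIN_RE.match(value)
        if pin is None:
            continue  # tag/branch refs, local paths, docker:// etc. are out of scope here
        if VERSION_COMMENT_RE.search(m.group("rest")):
            continue  # already documented; ref-version-mismatch would check its accuracy
        findings.append({"line": lineno, "uses": value, "sha": pin.group("sha").lower()})
    return findings


def longest_tag_for_commit(sha: str, tags_by_commit: dict[str, list[str]]) -> str | None:
    """Most specific tag for a commit (longest name, so v6.0.2 beats v6).

    Stand-in for a lookup against the remote; the caller supplies the map.
    """
    tags = tags_by_commit.get(sha.lower(), [])
    return max(tags, key=lambda t: (len(t), t)) if tags else None


def add_version_comments(workflow_text: str, tags_by_commit: dict[str, list[str]]) -> tuple[str, list[dict]]:
    """Append ` # <tag>` to each flagged line whose SHA resolves; return skipped findings."""
    lines = workflow_text.splitlines()
    skipped = []
    for finding in find_missing_version_comments(workflow_text):
        tag = longest_tag_for_commit(finding["sha"], tags_by_commit)
        if tag is None:
            skipped.append(finding)  # no tag to write, so no fix is possible
            continue
        idx = finding["line"] - 1
        lines[idx] = lines[idx].rstrip() + f" # {tag}"
    return "\n".join(lines) + "\n", skipped


# Constructed sample workflow: line 7 and line 10 should be flagged, the rest not.
SAMPLE_WORKFLOW = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-python@v5
      - uses: "github/codeql-action/init@0123456789abcdef0123456789abcdef01234567"
      - uses: ./.github/actions/local
"""

# Constructed tag map; the second SHA above is deliberately absent to exercise the skip path.
SAMPLE_TAGS = {
    "de0fac2e4500dabe0009e67214ff5f5447ce83dd": ["v6", "v6.0", "v6.0.2"],
}

if __name__ == "__main__":
    for f in find_missing_version_comments(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['uses']} has no version comment")
    fixed, skipped = add_version_comments(SAMPLE_WORKFLOW, SAMPLE_TAGS)
    print(fixed)
    for f in skipped:
        print(f"skipped line {f['line']}: no tag known for {f['sha']}")
```

Running it flags lines 7 and 10, rewrites line 7 with `# v6.0.2`, and reports line 10 as skipped because its SHA resolves to no tag, which is the behaviour the request asks for.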

Metadata

Labels

enhancement (New feature or request)
