fix(zsh-navigation-tools): quote some potential space-filled strings (#13567)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.2 to 4.32.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](45cbd0c69e...9e907b5e64)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -7,6 +7,7 @@
 - [ ] I have read the contribution guide and followed all the instructions.
 - [ ] The code follows the code style guide detailed in the wiki.
 - [ ] The code is mine or it's from somewhere with an MIT-compatible license.
+- [ ] If I used AI tools (ChatGPT, Claude, Gemini, etc.) to assist with this contribution, I've disclosed it below.
 - [ ] The code is efficient, to the best of my ability, and does not waste computer resources.
 - [ ] The code is stable and I have tested it myself, to the best of my abilities.
 - [ ] If the code introduces new aliases, I provide a valid use case for all plugin users down below.

.github/workflows/dependencies.yml

@@ -13,12 +13,12 @@ jobs:
       contents: write # this is needed to push commits and branches
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
         with:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
       - name: Authenticate as @ohmyzsh
@@ -28,7 +28,7 @@ jobs:
           app-id: ${{ secrets.OHMYZSH_APP_ID }}
           private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }}
       - name: Setup Python
-        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.12"
           cache: "pip"

.github/workflows/installer.yml

@@ -26,12 +26,12 @@ jobs:
           - macos-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
         with:
           egress-policy: audit
 
       - name: Set up git repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install zsh
         if: runner.os == 'Linux'
         run: sudo apt-get update; sudo apt-get install zsh
@@ -47,12 +47,12 @@ jobs:
       - test
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
         with:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install Vercel CLI
         run: npm install -g vercel
       - name: Setup project and deploy

.github/workflows/main.yml

@@ -24,12 +24,12 @@ jobs:
     if: github.repository == 'ohmyzsh/ohmyzsh'
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
         with:
           egress-policy: audit
 
       - name: Set up git repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install zsh
         run: sudo apt-get update; sudo apt-get install zsh
       - name: Check syntax

.github/workflows/project.yml

@@ -17,7 +17,7 @@ jobs:
     if: github.repository == 'ohmyzsh/ohmyzsh'
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
         with:
           egress-policy: audit
       - name: Authenticate as @ohmyzsh

.github/workflows/scorecard.yml

@@ -36,12 +36,12 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
         with:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -60,6 +60,6 @@ jobs:
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
         with:
           sarif_file: results.sarif

CONTRIBUTING.md

@@ -20,6 +20,7 @@ you would make is not already covered.
   - [Getting started](#getting-started)
   - [You have a solution](#you-have-a-solution)
   - [You have an addition](#you-have-an-addition)
+- [A note on AI-assisted contributions](#a-note-on-ai-assisted-contributions)
 - [Use the Search, Luke](#use-the-search-luke)
 - [Commit Guidelines](#commit-guidelines)
   - [Format](#format)
@@ -125,6 +126,30 @@ Because of this, from now on, we require that new aliases follow these condition
 This list is not exhaustive! Please remember that your alias will be in the machines of many people,
 so it should be justified why they should have it.
 
+## A note on AI-assisted contributions
+
+We'll admit it: AI tools can be pretty helpful for coding tasks, and we're not here to gatekeep how you get your work done. We use these tools ourselves! 🤖
+
+But here's the thing—Oh My Zsh is maintained by a small team of volunteers who do this in their spare time. We already have hundreds of pending PRs, and we want to make sure we're spending our limited time effectively.
+
+If you used AI tools meaningfully in your contribution (code generation, agentic coding assistants, etc.), please mention it in your PR description. Basic autocomplete doesn't count, but if an AI wrote substantial parts of your code, just let us know.
+
+**Examples of good disclosure:**
+- "Used ChatGPT to help generate the initial regex pattern for parsing git status output"
+- "Claude assisted with writing the unit tests for this feature"  
+- "Generated with Gemini and then reviewed/tested manually"
+- Or simply: "AI-assisted" in your PR description
+
+Here's what we're looking for:
+
+- **You understand your code**: You should be able to explain what your contribution does and how it works. We want to collaborate with humans who are invested in the project.
+- **Context matters**: Tell us what problem you're solving, how you tested it, and link to relevant docs. Small, incremental changes work better than massive generated overhauls.
+- **Quality over quantity**: We'd rather have one thoughtful, well-tested contribution than ten AI-generated PRs that need extensive review.
+
+The disclosure helps us know how much guidance to offer. If we're just reviewing AI output that you can't explain or improve, that changes the dynamic—and frankly, it's not a great use of anyone's time.
+
+As always, we reserve the right to decline any contribution. PRs that appear to be unreviewed AI output, or code the contributor can't explain, may be closed without extensive feedback.
+
 ----
 
 ## Use the Search, Luke

lib/theme-and-appearance.zsh

@@ -40,9 +40,9 @@ if [[ -z "$LS_COLORS" ]]; then
 fi
 
 function test-ls-args {
-  local cmd="$1"          # ls, gls, colorls, ...
+  # Usage: test-ls-args cmd args...
-  local args="${@[2,-1]}" # arguments except the first one
+  # e.g. test-ls-args gls --color
-  command "$cmd" "$args" /dev/null &>/dev/null
+  command "$@" /dev/null &>/dev/null
 }
 
 # Find the option for using colors in ls, depending on the version

plugins/command-not-found/README.md

@@ -22,14 +22,15 @@ Try: sudo apt install <selected package>
 
 It works out of the box with the command-not-found packages for:
 
-- [Ubuntu](https://www.porcheron.info/command-not-found-for-zsh/)
+- [Ubuntu](https://launchpad.net/ubuntu/+source/command-not-found)
 - [Debian](https://packages.debian.org/search?keywords=command-not-found)
-- [Arch Linux](https://wiki.archlinux.org/index.php/Pkgfile#Command_not_found)
+- [Arch Linux](https://wiki.archlinux.org/title/Zsh#pkgfile_"command_not_found"_handler)
-- [macOS (Homebrew)](https://github.com/Homebrew/homebrew-command-not-found)
+- [macOS (Homebrew)](https://github.com/Homebrew/brew/blob/main/docs/Command-Not-Found.md)
 - [Fedora](https://fedoraproject.org/wiki/Features/PackageKitCommandNotFound)
 - [NixOS](https://github.com/NixOS/nixpkgs/tree/master/nixos/modules/programs/command-not-found)
 - [Termux](https://github.com/termux/command-not-found)
 - [SUSE](https://www.unix.com/man-page/suse/1/command-not-found/)
 - [Gentoo](https://github.com/AndrewAmmerlaan/command-not-found-gentoo/tree/main)
+- [Void Linux](https://codeberg.org/classabbyamp/xbps-command-not-found)
 
 You can add support for other platforms by submitting a Pull Request.

plugins/command-not-found/command-not-found.plugin.zsh

@@ -1,13 +1,15 @@
 ## Platforms with a built-in command-not-found handler init file
 
 for file (
-  # Arch Linux. Must have pkgfile installed: https://wiki.archlinux.org/index.php/Pkgfile#Command_not_found
+  # Arch Linux. Must have pkgfile installed: https://wiki.archlinux.org/title/Zsh#pkgfile_"command_not_found"_handler
   /usr/share/doc/pkgfile/command-not-found.zsh
-  # Homebrew: https://github.com/Homebrew/homebrew-command-not-found
+  # Void Linux: https://codeberg.org/classabbyamp/xbps-command-not-found
+  /usr/share/zsh/plugins/xbps-command-not-found/xbps-command-not-found.zsh
+  # Homebrew: https://github.com/Homebrew/brew/blob/main/docs/Command-Not-Found.md
   /opt/homebrew/Library/Homebrew/command-not-found/handler.sh
   /usr/local/Homebrew/Library/Homebrew/command-not-found/handler.sh
   /home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/command-not-found/handler.sh
-	# Old homebrew implementation
+  # Old homebrew implementation
   /opt/homebrew/Library/Taps/homebrew/homebrew-command-not-found/handler.sh
   /usr/local/Homebrew/Library/Taps/homebrew/homebrew-command-not-found/handler.sh
   /home/linuxbrew/.linuxbrew/Homebrew/Library/Taps/homebrew/homebrew-command-not-found/handler.sh

plugins/dnf/dnf.plugin.zsh

@@ -6,14 +6,22 @@ command -v dnf5 > /dev/null && dnfprog=dnf5
 
 alias dnfl="${dnfprog} list"                       # List packages
 alias dnfli="${dnfprog} list installed"            # List installed packages
-alias dnfgl="${dnfprog} grouplist"                 # List package groups
 alias dnfmc="${dnfprog} makecache"                 # Generate metadata cache
 alias dnfp="${dnfprog} info"                       # Show package information
 alias dnfs="${dnfprog} search"                     # Search package
 
 alias dnfu="sudo ${dnfprog} upgrade"               # Upgrade package
 alias dnfi="sudo ${dnfprog} install"               # Install package
-alias dnfgi="sudo ${dnfprog} groupinstall"         # Install package group
 alias dnfr="sudo ${dnfprog} remove"                # Remove package
-alias dnfgr="sudo ${dnfprog} groupremove"          # Remove package group
 alias dnfc="sudo ${dnfprog} clean all"             # Clean cache
+
+# Conditional aliases based on dnfprog value
+if [[ "${dnfprog}" == "dnf5" ]]; then
+    alias dnfgl="${dnfprog} group list"            # List package groups (dnf5)
+    alias dnfgi="sudo ${dnfprog} group install"    # Install package group (dnf5)
+    alias dnfgr="sudo ${dnfprog} group remove"     # Remove package group (dnf5)
+else
+    alias dnfgl="${dnfprog} grouplist"             # List package groups (dnf)
+    alias dnfgi="sudo ${dnfprog} groupinstall"     # Install package group (dnf)
+    alias dnfgr="sudo ${dnfprog} groupremove"      # Remove package group (dnf)
+fi

plugins/dotenv/README.md

@@ -78,6 +78,14 @@ change.
 NOTE: if a directory is found in both the allowed and disallowed lists, the disallowed list
 takes preference, _i.e._ the .env file will never be sourced.
 
+## Named Pipe (FIFO) Support
+
+The plugin supports `.env` files provided as UNIX named pipes (FIFOs) in addition to regular files.
+This is useful when secrets managers like [1Password Environments](https://developer.1password.com/docs/environment/)
+mount `.env` files as named pipes to inject secrets on-the-fly without writing them to disk.
+
+No additional configuration is required — the plugin automatically detects and sources named pipes.
+
 ## Version Control
 
 **It's strongly recommended to add `.env` file to `.gitignore`**, because usually it contains sensitive information such as your credentials, secret keys, passwords etc. You don't want to commit this file, it's supposed to be local only.

plugins/dotenv/dotenv.plugin.zsh

@@ -11,7 +11,7 @@
 ## Functions
 
 source_env() {
-  if [[ ! -f "$ZSH_DOTENV_FILE" ]]; then
+  if [[ ! -f "$ZSH_DOTENV_FILE" ]] && [[ ! -p "$ZSH_DOTENV_FILE" ]]; then
     return
   fi
 

plugins/gitignore/README.md

@@ -1,6 +1,6 @@
 # gitignore
 
-This plugin enables you the use of [gitignore.io](https://www.toptal.com/developers/gitignore) from the command line. You need an active internet connection.
+This plugin enables you to use [gitignore.io](https://www.gitignore.io) from the command line. You need an active internet connection to fetch templates. The plugin uses the gitignore.io CDN endpoint to simplify access and improve reliability.
 
 To use it, add `gitignore` to the plugins array in your zshrc file:
 
@@ -14,4 +14,4 @@ plugins=(... gitignore)
 
 * `gi [TEMPLATENAME]`: Show git-ignore output on the command line, e.g. `gi java` to exclude class and package files.
 
-* `gi [TEMPLATENAME] >> .gitignore`: Appending programming language settings to your projects .gitignore.
+* `gi [TEMPLATENAME] >> .gitignore`: Append the template rules to your project's `.gitignore` file.

plugins/gitignore/gitignore.plugin.zsh

@@ -1,12 +1,21 @@
-function gi() { curl -fLw '\n' https://www.toptal.com/developers/gitignore/api/"${(j:,:)@}" }
+# gitignore plugin for oh-my-zsh
+# Uses gitignore.io CDN endpoint
+function _gi_curl() {
+  curl -sfL "https://www.gitignore.io/api/$1"
+}
+
+function gi() {
+  local query="${(j:,:)@}"
+  _gi_curl "$query" || return 1
+}
 
 _gitignoreio_get_command_list() {
-  curl -sfL https://www.toptal.com/developers/gitignore/api/list | tr "," "\n"
+  _gi_curl "list" | tr "," "\n"
 }
 
 _gitignoreio () {
   compset -P '*,'
-  compadd -S '' `_gitignoreio_get_command_list`
+  compadd -S '' $(_gitignoreio_get_command_list)
 }
 
 compdef _gitignoreio gi

plugins/zsh-navigation-tools/n-list

@@ -55,9 +55,9 @@ _nlist_cursor_visibility() {
         [ "$1" = "1" ] && { tput cvvis; tput cnorm }
         [ "$1" = "0" ] && tput civis
     elif [ "$_nlist_has_terminfo" = "1" ]; then
-        [ "$1" = "1" ] && { [ -n $terminfo[cvvis] ] && echo -n $terminfo[cvvis];
+        [ "$1" = "1" ] && { [ -n "$terminfo[cvvis]" ] && echo -n "$terminfo[cvvis]";
-                           [ -n $terminfo[cnorm] ] && echo -n $terminfo[cnorm] }
+                           [ -n "$terminfo[cnorm]" ] && echo -n "$terminfo[cnorm]" }
-        [ "$1" = "0" ] && [ -n $terminfo[civis] ] && echo -n $terminfo[civis]
+        [ "$1" = "0" ] && [ -n "$terminfo[civis]" ] && echo -n "$terminfo[civis]"
     fi 
 }