diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index 735e9f0af..35e3a6acb 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -8,6 +8,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_nims: name: Check NIMS @@ -18,9 +20,14 @@ jobs: check_nimg: name: Check NIMG uses: ./.github/workflows/check_nimg.yml + check_workflows: + name: Check workflows + uses: ./.github/workflows/check_workflows.yml + permissions: + security-events: write checks_succeeded: name: Checks succeeded - needs: [check_nims, check_nims_docs, check_nimg] + needs: [check_nims, check_nims_docs, check_nimg, check_workflows] runs-on: ubuntu-latest steps: - run: exit 0 diff --git a/.github/workflows/PR.yml b/.github/workflows/PR.yml index 0f56f9ce4..d0bce575d 100644 --- a/.github/workflows/PR.yml +++ b/.github/workflows/PR.yml @@ -12,10 +12,13 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: {} + jobs: run_ci: name: Run CI uses: ./.github/workflows/CI.yml permissions: checks: write - pull-requests: write \ No newline at end of file + pull-requests: write + security-events: write \ No newline at end of file diff --git a/.github/workflows/check_examples.yml b/.github/workflows/check_examples.yml index 07d90bab6..525544b0f 100644 --- a/.github/workflows/check_examples.yml +++ b/.github/workflows/check_examples.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_examples: name: Check examples @@ -11,6 +13,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python diff --git a/.github/workflows/check_nimg.yml b/.github/workflows/check_nimg.yml index 06e87f206..d693a37ab 100644 --- a/.github/workflows/check_nimg.yml +++ b/.github/workflows/check_nimg.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_nimg: name: Check NIMG @@ -21,6 +23,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python diff --git a/.github/workflows/check_nims.yml b/.github/workflows/check_nims.yml index 2f6e5eb43..b578cba13 100644 --- a/.github/workflows/check_nims.yml +++ b/.github/workflows/check_nims.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_nims: name: Check NIMS @@ -23,6 +25,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: true + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python diff --git a/.github/workflows/check_nims_docs.yml b/.github/workflows/check_nims_docs.yml index 3dbc3f115..8b05fef72 100644 --- a/.github/workflows/check_nims_docs.yml +++ b/.github/workflows/check_nims_docs.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_nims: name: Check NIMS Docs @@ -17,6 +19,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: true + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python @@ -30,4 +33,4 @@ jobs: mkdir -p docs poetry run sphinx-build _docs_source docs -b html -W - name: Revert docs - run: rm -rf docs \ No newline at end of file + run: rm -rf docs diff --git a/.github/workflows/check_workflows.yml b/.github/workflows/check_workflows.yml new file mode 100644 index 000000000..bbf458d5d --- /dev/null +++ b/.github/workflows/check_workflows.yml @@ -0,0 +1,21 @@ +name: Check workflows + +on: + workflow_call: + workflow_dispatch: + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Check out repo + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 \ No newline at end of file diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index ee06ccdd7..c5b9beb6d 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -35,6 +35,8 @@ env: "service": "ni_measurement_plugin_sdk_service" } +permissions: {} + jobs: # Do not call check_examples.yml because the examples may depend on the version we are releasing. check_nimg: @@ -56,10 +58,14 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 + with: + use-cache: false - name: Check project version if: github.event_name == 'release' uses: ni/python-actions/check-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 @@ -105,10 +111,14 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 + with: + use-cache: false - name: Get version id: get-version run: echo "version=$(poetry version --short)" >> "$GITHUB_OUTPUT" @@ -122,7 +132,7 @@ jobs: mkdir -p dist git archive -o dist/${EXAMPLE_ARCHIVE}.zip ${GITHUB_REF}:examples/ git archive -o dist/${EXAMPLE_ARCHIVE}.tar.gz --prefix ${EXAMPLE_ARCHIVE}/ ${GITHUB_REF}:examples/ - - name: Upload release assets + - name: Upload release assets # zizmor: ignore[superfluous-actions] if: ${{ startsWith(github.event.release.target_commitish, 'main') || startsWith(github.event.release.target_commitish, 'releases/') }} uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0 with: @@ -143,10 +153,14 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 + with: + use-cache: false # Create one pull request that updates all three packages. - name: Update generator project version uses: ni/python-actions/update-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 diff --git a/.github/workflows/report_test_results.yml b/.github/workflows/report_test_results.yml index 59b075d92..046121d7e 100644 --- a/.github/workflows/report_test_results.yml +++ b/.github/workflows/report_test_results.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: report_test_results: name: Report test results @@ -14,6 +16,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Download test results uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: @@ -26,4 +30,4 @@ jobs: uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2.23.0 with: files: "test_results/**/*.xml" - if: always() \ No newline at end of file + if: always() diff --git a/.github/workflows/run_system_tests.yml b/.github/workflows/run_system_tests.yml index 6dd74c9ae..6d8d3566e 100644 --- a/.github/workflows/run_system_tests.yml +++ b/.github/workflows/run_system_tests.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: run_system_tests: name: Run system tests @@ -22,6 +24,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Copy and rename .env.simulation to .env run: cp examples/.env.simulation .env diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml index bbf3eaf45..ef8cbf80f 100644 --- a/.github/workflows/run_unit_tests.yml +++ b/.github/workflows/run_unit_tests.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: run_unit_tests: name: Run unit tests @@ -19,6 +21,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python diff --git a/.github/workflows/sync_github_issues_to_azdo.yml b/.github/workflows/sync_github_issues_to_azdo.yml index cd32c3502..a1a09bdd2 100644 --- a/.github/workflows/sync_github_issues_to_azdo.yml +++ b/.github/workflows/sync_github_issues_to_azdo.yml @@ -8,21 +8,13 @@ on: issue_comment: types: [created, edited, deleted] +permissions: {} + jobs: alert: if: ${{ !github.event.issue.pull_request && github.event.issue.title != 'Dependency Dashboard' }} runs-on: ubuntu-latest steps: - - name: Choose work item type - id: choose_work_item_type - run: | - if [ "${{ contains(github.event.issue.labels.*.name, 'enhancement') || contains(github.event.issue.labels.*.name, 'user story') }}" == "true" ]; then - echo "work_item_type=User Story" >> $GITHUB_OUTPUT - elif [ "${{ contains(github.event.issue.labels.*.name, 'tech debt') }}" == "true" ]; then - echo "work_item_type=Technical Debt" >> $GITHUB_OUTPUT - else - echo "work_item_type=Bug" >> $GITHUB_OUTPUT - fi - uses: danhellem/github-actions-issue-to-work-item@45eb3b46e684f2acd2954f02ef70350c835ee4bb # v2.4 env: ado_token: "${{ secrets.AZDO_WORK_ITEM_TOKEN }}" @@ -30,7 +22,10 @@ jobs: ado_organization: "ni" ado_project: "DevCentral" ado_area_path: "DevCentral\\Product RnD\\Platform HW and SW\\SW New Invest and Tech\\ETW\\InstrumentStudio\\Core\\Platform" - ado_wit: "${{ steps.choose_work_item_type.outputs.work_item_type }}" + ado_wit: "${{ case( + contains(github.event.issue.labels.*.name, 'enhancement') || contains(github.event.issue.labels.*.name, 'user story'), 'User Story', + contains(github.event.issue.labels.*.name, 'tech debt'), 'Technical Debt', + 'Bug') }}" ado_new_state: "New" ado_active_state: "Active" ado_close_state: "Closed"