From eb065578ed31a5f8f5eb282a124c78e89d003a18 Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Fri, 5 Jun 2026 17:53:57 -0500 Subject: [PATCH 1/6] github: Set persist-credentials: false --- .github/workflows/check_examples.yml | 2 ++ .github/workflows/check_nimg.yml | 2 ++ .github/workflows/check_nims.yml | 1 + .github/workflows/check_nims_docs.yml | 3 ++- .github/workflows/publish.yml | 6 ++++++ .github/workflows/report_test_results.yml | 4 +++- .github/workflows/run_system_tests.yml | 2 ++ .github/workflows/run_unit_tests.yml | 2 ++ 8 files changed, 20 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check_examples.yml b/.github/workflows/check_examples.yml index 07d90bab6..4f6786d72 100644 --- a/.github/workflows/check_examples.yml +++ b/.github/workflows/check_examples.yml @@ -11,6 +11,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python diff --git a/.github/workflows/check_nimg.yml b/.github/workflows/check_nimg.yml index 06e87f206..1017ecdf8 100644 --- a/.github/workflows/check_nimg.yml +++ b/.github/workflows/check_nimg.yml @@ -21,6 +21,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python diff --git a/.github/workflows/check_nims.yml b/.github/workflows/check_nims.yml index 2f6e5eb43..37783fb04 100644 --- a/.github/workflows/check_nims.yml +++ b/.github/workflows/check_nims.yml 
@@ -23,6 +23,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: true + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python diff --git a/.github/workflows/check_nims_docs.yml b/.github/workflows/check_nims_docs.yml index 3dbc3f115..983cd4c9b 100644 --- a/.github/workflows/check_nims_docs.yml +++ b/.github/workflows/check_nims_docs.yml @@ -17,6 +17,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: true + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python @@ -30,4 +31,4 @@ jobs: mkdir -p docs poetry run sphinx-build _docs_source docs -b html -W - name: Revert docs - run: rm -rf docs \ No newline at end of file + run: rm -rf docs diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index ee06ccdd7..b81e9664b 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -56,6 +56,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry @@ -105,6 +107,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry 
@@ -143,6 +147,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry diff --git a/.github/workflows/report_test_results.yml b/.github/workflows/report_test_results.yml index 59b075d92..2f6f486a8 100644 --- a/.github/workflows/report_test_results.yml +++ b/.github/workflows/report_test_results.yml @@ -14,6 +14,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Download test results uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: @@ -26,4 +28,4 @@ jobs: uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2.23.0 with: files: "test_results/**/*.xml" - if: always() \ No newline at end of file + if: always() diff --git a/.github/workflows/run_system_tests.yml b/.github/workflows/run_system_tests.yml index 6dd74c9ae..1f1301f71 100644 --- a/.github/workflows/run_system_tests.yml +++ b/.github/workflows/run_system_tests.yml @@ -22,6 +22,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Copy and rename .env.simulation to .env run: cp examples/.env.simulation .env diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml index bbf3eaf45..a770916b5 100644 --- a/.github/workflows/run_unit_tests.yml +++ b/.github/workflows/run_unit_tests.yml @@ -19,6 +19,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python 
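Review bot: The checkout in this publish job now drops the persisted token, yet patch 4's hunk in the same job (`@@ -155`) shows it continues on to "Update generator project version" and "Create one pull request", which will need to push a branch. If that push goes through plain `git push` rather than a token passed explicitly via `with:`/`env:` to the PR-creating step, it will start failing with an authentication error once `persist-credentials: false` lands. Confirm the token path of that later step before merging; the job body runs well past this hunk and is not visible here.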
From add2837700a2d99bcf1687767c46f1caf69b9af9 Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Fri, 5 Jun 2026 17:55:47 -0500 Subject: [PATCH 2/6] github: Set empty permissions by default --- .github/workflows/CI.yml | 2 ++ .github/workflows/PR.yml | 2 ++ .github/workflows/check_examples.yml | 2 ++ .github/workflows/check_nimg.yml | 2 ++ .github/workflows/check_nims.yml | 2 ++ .github/workflows/check_nims_docs.yml | 2 ++ .github/workflows/publish.yml | 2 ++ .github/workflows/report_test_results.yml | 2 ++ .github/workflows/run_system_tests.yml | 2 ++ .github/workflows/run_unit_tests.yml | 2 ++ .github/workflows/sync_github_issues_to_azdo.yml | 2 ++ 11 files changed, 22 insertions(+) diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index 735e9f0af..a98e04204 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -8,6 +8,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_nims: name: Check NIMS diff --git a/.github/workflows/PR.yml b/.github/workflows/PR.yml index 0f56f9ce4..f9d54547c 100644 --- a/.github/workflows/PR.yml +++ b/.github/workflows/PR.yml @@ -12,6 +12,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: {} + jobs: run_ci: name: Run CI diff --git a/.github/workflows/check_examples.yml b/.github/workflows/check_examples.yml index 4f6786d72..525544b0f 100644 --- a/.github/workflows/check_examples.yml +++ b/.github/workflows/check_examples.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_examples: name: Check examples diff --git a/.github/workflows/check_nimg.yml b/.github/workflows/check_nimg.yml index 1017ecdf8..d693a37ab 100644 --- a/.github/workflows/check_nimg.yml +++ b/.github/workflows/check_nimg.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_nimg: name: Check NIMG 
diff --git a/.github/workflows/check_nims.yml b/.github/workflows/check_nims.yml index 37783fb04..b578cba13 100644 --- a/.github/workflows/check_nims.yml +++ b/.github/workflows/check_nims.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_nims: name: Check NIMS diff --git a/.github/workflows/check_nims_docs.yml b/.github/workflows/check_nims_docs.yml index 983cd4c9b..8b05fef72 100644 --- a/.github/workflows/check_nims_docs.yml +++ b/.github/workflows/check_nims_docs.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_nims: name: Check NIMS Docs diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index b81e9664b..6e1b0ac4e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -35,6 +35,8 @@ env: "service": "ni_measurement_plugin_sdk_service" } +permissions: {} + jobs: # Do not call check_examples.yml because the examples may depend on the version we are releasing. check_nimg: diff --git a/.github/workflows/report_test_results.yml b/.github/workflows/report_test_results.yml index 2f6f486a8..046121d7e 100644 --- a/.github/workflows/report_test_results.yml +++ b/.github/workflows/report_test_results.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: report_test_results: name: Report test results diff --git a/.github/workflows/run_system_tests.yml b/.github/workflows/run_system_tests.yml index 1f1301f71..6d8d3566e 100644 --- a/.github/workflows/run_system_tests.yml +++ b/.github/workflows/run_system_tests.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: run_system_tests: name: Run system tests diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml index a770916b5..ef8cbf80f 100644 --- a/.github/workflows/run_unit_tests.yml +++ b/.github/workflows/run_unit_tests.yml 
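Review bot: With `permissions: {}` at the top of report_test_results.yml, the `report_test_results` job has no token scopes unless it declares its own, and the publish-unit-test-result-action it runs (seen in patch 1's hunk of this file) needs to create check runs and PR comments. The `checks: write`/`pull-requests: write` that PR.yml grants to its `run_ci` job only caps what a reusable workflow may use; it does not flow down past this top-level downgrade. If the job has no `permissions:` block of its own — none is visible in this hunk — add `permissions:` with `checks: write` and `pull-requests: write` under the job.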
@@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: run_unit_tests: name: Run unit tests diff --git a/.github/workflows/sync_github_issues_to_azdo.yml b/.github/workflows/sync_github_issues_to_azdo.yml index cd32c3502..62b1c9c9e 100644 --- a/.github/workflows/sync_github_issues_to_azdo.yml +++ b/.github/workflows/sync_github_issues_to_azdo.yml @@ -8,6 +8,8 @@ on: issue_comment: types: [created, edited, deleted] +permissions: {} + jobs: alert: if: ${{ !github.event.issue.pull_request && github.event.issue.title != 'Dependency Dashboard' }} From 53b17c94a47d12e25bf125524eb701676a53a865 Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Fri, 5 Jun 2026 19:09:26 -0500 Subject: [PATCH 3/6] github: Use case function for sync_github_issues_to_azdo.yml --- .github/workflows/sync_github_issues_to_azdo.yml | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/.github/workflows/sync_github_issues_to_azdo.yml b/.github/workflows/sync_github_issues_to_azdo.yml index 62b1c9c9e..a1a09bdd2 100644 --- a/.github/workflows/sync_github_issues_to_azdo.yml +++ b/.github/workflows/sync_github_issues_to_azdo.yml @@ -15,16 +15,6 @@ jobs: if: ${{ !github.event.issue.pull_request && github.event.issue.title != 'Dependency Dashboard' }} runs-on: ubuntu-latest steps: - - name: Choose work item type - id: choose_work_item_type - run: | - if [ "${{ contains(github.event.issue.labels.*.name, 'enhancement') || contains(github.event.issue.labels.*.name, 'user story') }}" == "true" ]; then - echo "work_item_type=User Story" >> $GITHUB_OUTPUT - elif [ "${{ contains(github.event.issue.labels.*.name, 'tech debt') }}" == "true" ]; then - echo "work_item_type=Technical Debt" >> $GITHUB_OUTPUT - else - echo "work_item_type=Bug" >> $GITHUB_OUTPUT - fi - uses: danhellem/github-actions-issue-to-work-item@45eb3b46e684f2acd2954f02ef70350c835ee4bb # v2.4 env: ado_token: "${{ secrets.AZDO_WORK_ITEM_TOKEN }}" 
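Review bot: `permissions: {}` here zeroes the token for the `alert` job, whose danhellem/github-actions-issue-to-work-item step (patch 3's hunk of this file) is normally handed a GitHub token to write the work-item link back onto the issue. If the job has no `permissions:` block of its own — none is visible in this hunk — that write-back will begin failing with 403 and the sync will degrade silently, since the job itself may still exit 0. Grant the minimum at the job level, e.g. `permissions:` / `issues: write`, and verify against the action's README which scopes it actually uses.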
@@ -32,7 +22,10 @@ jobs: ado_organization: "ni" ado_project: "DevCentral" ado_area_path: "DevCentral\\Product RnD\\Platform HW and SW\\SW New Invest and Tech\\ETW\\InstrumentStudio\\Core\\Platform" - ado_wit: "${{ steps.choose_work_item_type.outputs.work_item_type }}" + ado_wit: "${{ case( + contains(github.event.issue.labels.*.name, 'enhancement') || contains(github.event.issue.labels.*.name, 'user story'), 'User Story', + contains(github.event.issue.labels.*.name, 'tech debt'), 'Technical Debt', + 'Bug') }}" ado_new_state: "New" ado_active_state: "Active" ado_close_state: "Closed" From df33eca15baa9c7032f14d286fb447e87471a2ad Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Fri, 5 Jun 2026 19:11:40 -0500 Subject: [PATCH 4/6] github: Disable setup-poetry caching for publish.yml --- .github/workflows/publish.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 6e1b0ac4e..c5bbda90f 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -64,6 +64,8 @@ jobs: uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 + with: + use-cache: false - name: Check project version if: github.event_name == 'release' uses: ni/python-actions/check-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 @@ -115,6 +117,8 @@ jobs: uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 + with: + use-cache: false - name: Get version id: get-version run: echo "version=$(poetry version --short)" >> "$GITHUB_OUTPUT" 
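Review bot: The new `ado_wit` value is a double-quoted scalar folded across four lines; YAML joins the breaks into single spaces, which the expression parser tolerates, but double-quote escape rules and folding are easy to misread right below the `\\` escapes in `ado_area_path`. A block scalar makes the intent explicit and avoids quoting entirely: `ado_wit: >-` followed by the `${{ case(` … `) }}` lines indented beneath it, one clause per line. Moving the label logic out of the deleted `run:` step is the right direction, since `${{ }}` values are no longer expanded into shell text.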
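Review bot: `use-cache: false` is handed to a composite action pinned at v0.7.2; if that revision does not declare a `use-cache` input, the runner only emits an "Unexpected input(s)" warning and caching stays on, so the release jobs would keep restoring a cache that any branch's workflow could have populated. Verify the input name against the pinned action's action.yml rather than trusting the warning-free run. Also record the intent inline so it is not reverted as a speed-up later, e.g. `# release builds must not restore caches writable from other branches` above the `with:`.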
@@ -155,6 +159,8 @@ jobs: uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 + with: + use-cache: false # Create one pull request that updates all three packages. - name: Update generator project version uses: ni/python-actions/update-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 From 1f51c54c4648c62caba600082b16bceba986c36d Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Fri, 5 Jun 2026 19:15:32 -0500 Subject: [PATCH 5/6] github: Ignore superfluous-actions warning in publish.yml --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index c5bbda90f..c5b9beb6d 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -132,7 +132,7 @@ jobs: mkdir -p dist git archive -o dist/${EXAMPLE_ARCHIVE}.zip ${GITHUB_REF}:examples/ git archive -o dist/${EXAMPLE_ARCHIVE}.tar.gz --prefix ${EXAMPLE_ARCHIVE}/ ${GITHUB_REF}:examples/ - - name: Upload release assets + - name: Upload release assets # zizmor: ignore[superfluous-actions] if: ${{ startsWith(github.event.release.target_commitish, 'main') || startsWith(github.event.release.target_commitish, 'releases/') }} uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0 with: From 2d50e54f4ab687a667b3740d3055796496c5a915 Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Fri, 5 Jun 2026 19:17:47 -0500 Subject: [PATCH 6/6] github: Add check_workflows.yml --- .github/workflows/CI.yml | 7 ++++++- .github/workflows/PR.yml | 3 ++- .github/workflows/check_workflows.yml | 21 +++++++++++++++++++++ 3 files changed, 29 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/check_workflows.yml diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index a98e04204..35e3a6acb 100644 
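Review bot: The `# zizmor: ignore[superfluous-actions]` on the `Upload release assets` step suppresses a security-linter finding without stating why the third-party release action is kept instead of `gh release upload`; suppressions should carry their rationale so the next reviewer can re-evaluate them. Add a short reason on the line above the step, e.g. `# kept over 'gh release upload' because <reason>`, filled in with the actual constraint. Without it, the ignore reads as a blanket exemption that will be copied to other steps.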
--- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -20,9 +20,14 @@ jobs: check_nimg: name: Check NIMG uses: ./.github/workflows/check_nimg.yml + check_workflows: + name: Check workflows + uses: ./.github/workflows/check_workflows.yml + permissions: + security-events: write checks_succeeded: name: Checks succeeded - needs: [check_nims, check_nims_docs, check_nimg] + needs: [check_nims, check_nims_docs, check_nimg, check_workflows] runs-on: ubuntu-latest steps: - run: exit 0 diff --git a/.github/workflows/PR.yml b/.github/workflows/PR.yml index f9d54547c..d0bce575d 100644 --- a/.github/workflows/PR.yml +++ b/.github/workflows/PR.yml @@ -20,4 +20,5 @@ jobs: uses: ./.github/workflows/CI.yml permissions: checks: write - pull-requests: write \ No newline at end of file + pull-requests: write + security-events: write \ No newline at end of file diff --git a/.github/workflows/check_workflows.yml b/.github/workflows/check_workflows.yml new file mode 100644 index 000000000..bbf458d5d --- /dev/null +++ b/.github/workflows/check_workflows.yml @@ -0,0 +1,21 @@ +name: Check workflows + +on: + workflow_call: + workflow_dispatch: + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Check out repo + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 \ No newline at end of file
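Review bot: The new side of PR.yml still ends without a trailing newline (`+ security-events: write` followed by `\ No newline at end of file`), even though patch 1 fixed the same issue in check_nims_docs.yml and report_test_results.yml; add the final newline so the next change to this line does not produce a spurious diff. The newly added check_workflows.yml ends without one as well and should get the same treatment.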
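Review bot: The `zizmor` job requests `security-events: write` for the SARIF upload, but on `pull_request` runs from forks the GITHUB_TOKEN is read-only regardless of what the workflow asks for, so the upload will fail there unless the action degrades gracefully. Check whether zizmorcore/zizmor-action exposes a switch for the code-scanning upload and, if so, gate it on `${{ github.event.pull_request.head.repo.fork == false }}` so fork PRs still get the audit result as a plain job failure. Because CI.yml is also reachable via `workflow_call`, any caller other than PR.yml must now grant `security-events: write` too or the run fails with the nested-job permission error; confirm there are no other callers.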