From 2e8a1fbb39b62a9ba75767da779e381b9ef788c2 Mon Sep 17 00:00:00 2001
From: Brad Keryan
Date: Fri, 5 Jun 2026 18:42:32 -0500
Subject: [PATCH 01/11] github: Use case function
---
 .github/workflows/sync_github_issues_to_azdo.yml | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/sync_github_issues_to_azdo.yml b/.github/workflows/sync_github_issues_to_azdo.yml
index a6421549a..e763b1e03 100644
--- a/.github/workflows/sync_github_issues_to_azdo.yml
+++ b/.github/workflows/sync_github_issues_to_azdo.yml
@@ -13,16 +13,6 @@ jobs:
 if: ${{ !github.event.issue.pull_request && github.event.issue.title != 'Dependency Dashboard' }}
 runs-on: ubuntu-latest
 steps:
- - name: Choose work item type
- id: choose_work_item_type
- run: |
- if [ "${{ contains(github.event.issue.labels.*.name, 'enhancement') || contains(github.event.issue.labels.*.name, 'user story') }}" == "true" ]; then
- echo "work_item_type=User Story" >> $GITHUB_OUTPUT
- elif [ "${{ contains(github.event.issue.labels.*.name, 'tech debt') }}" == "true" ]; then
- echo "work_item_type=Technical Debt" >> $GITHUB_OUTPUT
- else
- echo "work_item_type=Bug" >> $GITHUB_OUTPUT
- fi
 - uses: danhellem/github-actions-issue-to-work-item@45eb3b46e684f2acd2954f02ef70350c835ee4bb # v2.4
 env:
 ado_token: "${{ secrets.AZDO_WORK_ITEM_TOKEN }}"
@@ -30,7 +20,10 @@ jobs:
 ado_organization: "ni"
 ado_project: "DevCentral"
 ado_area_path: "DevCentral\\Product RnD\\Platform HW and SW\\Core SW and Drivers\\Platform HW and Drivers\\Drivers\\Venus"
- ado_wit: "${{ steps.choose_work_item_type.outputs.work_item_type }}"
+ ado_wit: "${{ case(
+ contains(github.event.issue.labels.*.name, 'enhancement') || contains(github.event.issue.labels.*.name, 'user story'), 'User Story',
+ contains(github.event.issue.labels.*.name, 'tech debt'), 'Technical Debt',
+ 'Bug') }}"
 ado_new_state: "New"
 ado_active_state: "Active"
 ado_close_state: "Closed"
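Review bot: The new `ado_wit` value depends on `case()` being part of the GitHub Actions expression language on every instance this workflow runs on; nothing in the hunk establishes that, and an unrecognized function typically makes the whole workflow file be rejected at load time rather than failing one step, so confirm support (in particular on any GHES deployment) before relying on it. As a point of style, the four-line double-quoted scalar only parses because YAML folds the line breaks into single spaces; a folded block scalar states that intent directly, `ado_wit: >-` with the same `${{ case( ... ) }}` lines indented beneath it, and avoids double-quote escaping rules inside the expression. The three outcomes are fixed literals selected by label, so an issue label can only choose between those strings and cannot inject anything else into the action's input.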
From c35ac39c9ff96c36706a7f7dfc5ed207d0ac422b Mon Sep 17 00:00:00 2001
From: Brad Keryan
Date: Fri, 5 Jun 2026 18:43:54 -0500
Subject: [PATCH 02/11] github: Set persist-credentials: false
---
 .github/workflows/build.yml | 1 +
 .github/workflows/generate_docs.yml | 4 +++-
 .github/workflows/publish.yml | 4 ++++
 .github/workflows/report_test_results.yml | 2 ++
 .github/workflows/run_system_tests.yml | 2 ++
 .github/workflows/run_unit_tests.yml | 6 +++++-
 6 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index db72e8a6e..d57bb2fda 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,6 +19,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: true
+ persist-credentials: false
 - name: Set up Python
 uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
 id: setup-python
diff --git a/.github/workflows/generate_docs.yml b/.github/workflows/generate_docs.yml
index 7e22b9ce7..0dc275f0d 100644
--- a/.github/workflows/generate_docs.yml
+++ b/.github/workflows/generate_docs.yml
@@ -11,6 +11,8 @@ jobs:
 steps:
 - name: Check out repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
 id: setup-python
@@ -28,4 +30,4 @@ jobs:
 python -m pip install --upgrade pip
 poetry install
 - name: Generate docs
- run: poetry run tox -e docs
\ No newline at end of file
+ run: poetry run tox -e docs
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 8626ed658..f2af35050 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -44,6 +44,8 @@ jobs:
 steps:
 - name: Check out repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
 - name: Set up Poetry
@@ -90,6 +92,8 @@ jobs:
 steps:
 - name: Check out repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
 - name: Set up Poetry
diff --git a/.github/workflows/report_test_results.yml b/.github/workflows/report_test_results.yml
index 4b8e3d894..8cd66cabb 100644
--- a/.github/workflows/report_test_results.yml
+++ b/.github/workflows/report_test_results.yml
@@ -15,6 +15,8 @@ jobs:
 steps:
 - name: Check out repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Download test results
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
diff --git a/.github/workflows/run_system_tests.yml b/.github/workflows/run_system_tests.yml
index 465515b9e..007898fc3 100644
--- a/.github/workflows/run_system_tests.yml
+++ b/.github/workflows/run_system_tests.yml
@@ -21,6 +21,8 @@ jobs:
 steps:
 - name: Check out repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Import DAQmx config
 run: C:\nidaqmxconfig\targets\win64U\x64\msvc-14.0\release\nidaqmxconfig.exe --eraseconfig --import tests\max_config\nidaqmxMaxConfig.ini
 - name: Set up Python
diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml
index 54bf4af73..94551a167 100644
--- a/.github/workflows/run_unit_tests.yml
+++ b/.github/workflows/run_unit_tests.yml
@@ -22,6 +22,8 @@ jobs:
 steps:
 - name: Check out repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
 id: setup-python
@@ -55,6 +57,8 @@ jobs:
 steps:
 - name: Check out repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
 id: setup-python
@@ -73,4 +77,4 @@ jobs:
 python -m pip install --upgrade pip
 poetry install --only main
 - name: check installdriver subcommand can be invoked
- run: poetry run nidaqmx installdriver --help
\ No newline at end of file
+ run: poetry run nidaqmx installdriver --help
From 088722c9baac6c2d365bbdaefd043761560282f2 Mon Sep 17 00:00:00 2001
From: Brad Keryan
Date: Fri, 5 Jun 2026 18:45:20 -0500
Subject: [PATCH 03/11] github: Set empty permissions by default
---
 .github/workflows/CI.yml | 3 +++
 .github/workflows/PR.yml | 2 ++
 .github/workflows/build.yml | 3 +++
 .github/workflows/generate_docs.yml | 3 +++
 .github/workflows/publish.yml | 2 ++
 .github/workflows/report_test_results.yml | 2 ++
 .github/workflows/run_system_tests.yml | 3 +++
 .github/workflows/run_unit_tests.yml | 3 +++
 .github/workflows/sync_github_issues_to_azdo.yml | 2 ++
 9 files changed, 23 insertions(+)
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 3426a0fe7..317d76aac 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -7,6 +7,9 @@ on:
 - 'releases/**'
 workflow_call:
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 build:
 name: Build
diff --git a/.github/workflows/PR.yml b/.github/workflows/PR.yml
index ce1ed546e..e6ab53d02 100644
--- a/.github/workflows/PR.yml
+++ b/.github/workflows/PR.yml
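Review bot: With `permissions: {}` at the top of CI.yml, the `build` job in this hunk (and every sibling `uses:` job below it) hands a zero-scope `GITHUB_TOKEN` to the reusable workflow it calls, and a called workflow can only narrow what the caller job grants, never widen it. That is fine for checking out a public repository, but any downstream job that writes — check runs for test reports, a release, a code-scanning upload — now needs an explicit job-level `permissions:` on the calling job in CI.yml; patch 05 of this series adds exactly that for `check_workflows`, and I cannot see from here whether the other jobs need the same. If the repository or the submodules fetched by build.yml are private, `contents: read` is also required for the checkout itself. A one-line comment above the new key would make the contract explicit: `# Reusable workflows inherit only the calling job's grants; each job must request what it needs.`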
@@ -12,6 +12,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 run_ci:
 name: Run CI
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d57bb2fda..5f69c98a2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,6 +3,9 @@ name: Build
 on:
 workflow_call:
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 build:
 name: Build
diff --git a/.github/workflows/generate_docs.yml b/.github/workflows/generate_docs.yml
index 0dc275f0d..202dbd732 100644
--- a/.github/workflows/generate_docs.yml
+++ b/.github/workflows/generate_docs.yml
@@ -3,6 +3,9 @@ name: Generate docs
 on:
 workflow_call:
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 generate_docs:
 name: Generate docs
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f2af35050..5a2f7b3fe 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -30,6 +30,8 @@ env:
 }
 }
+permissions: {}
+
 jobs:
 check_nidaqmx:
 name: Check nidaqmx
diff --git a/.github/workflows/report_test_results.yml b/.github/workflows/report_test_results.yml
index 8cd66cabb..da7e9e985 100644
--- a/.github/workflows/report_test_results.yml
+++ b/.github/workflows/report_test_results.yml
@@ -4,6 +4,8 @@ on:
 workflow_call:
 workflow_dispatch:
+permissions: {}
+
 jobs:
 report_test_results:
 name: Report test results
diff --git a/.github/workflows/run_system_tests.yml b/.github/workflows/run_system_tests.yml
index 007898fc3..80771b749 100644
--- a/.github/workflows/run_system_tests.yml
+++ b/.github/workflows/run_system_tests.yml
@@ -3,6 +3,9 @@ name: Run system tests
 on:
 workflow_call:
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 run_system_tests:
 name: Run system tests
diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml
index 94551a167..2d2d5b5e1 100644
--- a/.github/workflows/run_unit_tests.yml
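Review bot: In the report_test_results.yml and publish.yml hunks the new top-level `permissions: {}` strips the token for every job in those files unless the job declares its own scopes, and neither hunk shows a job-level grant. PR.yml in this same series forwards `checks: write` and `pull-requests: write` to `run_ci`, which suggests the test-results job publishes check runs or PR comments and will need those scopes declared on its job (or on the calling job in CI.yml) to keep working; likewise a release job in publish.yml that uses PyPI trusted publishing needs `id-token: write`, and one that pushes a version-bump commit needs `contents: write`. I cannot see those jobs' steps from here, so confirm with one run of each workflow rather than treating this as a known break; the CI.yml job entries are the natural place to add `permissions:` blocks since the caller is what bounds the reusable workflow.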
+++ b/.github/workflows/run_unit_tests.yml
@@ -3,6 +3,9 @@ name: Run unit tests
 on:
 workflow_call:
 workflow_dispatch:
+
+permissions: {}
+
 jobs:
 run_unit_tests:
 name: Run unit tests
diff --git a/.github/workflows/sync_github_issues_to_azdo.yml b/.github/workflows/sync_github_issues_to_azdo.yml
index e763b1e03..a919049c4 100644
--- a/.github/workflows/sync_github_issues_to_azdo.yml
+++ b/.github/workflows/sync_github_issues_to_azdo.yml
@@ -8,6 +8,8 @@ on:
 issue_comment:
 types: [created, edited, deleted]
+permissions: {}
+
 jobs:
 alert:
 if: ${{ !github.event.issue.pull_request && github.event.issue.title != 'Dependency Dashboard' }}
From f9d03bbd9244f3c45b02c43462af31cf835bbecc Mon Sep 17 00:00:00 2001
From: Brad Keryan
Date: Fri, 5 Jun 2026 18:54:23 -0500
Subject: [PATCH 04/11] github: Use shell to expand env vars
---
 .github/workflows/run_unit_tests.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml
index 2d2d5b5e1..73fbb5315 100644
--- a/.github/workflows/run_unit_tests.yml
+++ b/.github/workflows/run_unit_tests.yml
@@ -40,9 +40,9 @@ jobs:
 path: .venv
 key: nidaqmx-with-test-${{ runner.os }}-py${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('poetry.lock') }}
 - name: Install test dependencies
- run: poetry install --only main,test ${{ env.install-opts }}
+ run: poetry install --only main,test ${install-opts}
 - name: Run unit tests
- run: poetry run pytest -v --cov=generated/nidaqmx --junitxml=test_results/unit-${{ matrix.os }}-py${{ matrix.python-version }}.xml tests/unit ${{ env.pytest-opts }}
+ run: poetry run pytest -v --cov=generated/nidaqmx --junitxml=test_results/unit-${{ matrix.os }}-py${{ matrix.python-version }}.xml tests/unit ${pytest-opts}
 - name: Upload test results
 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
From 9c0d97edb04b2250b15f9ee42b5766c4e2ba3117 Mon Sep 17 00:00:00 2001
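Review bot: `permissions: {}` in sync_github_issues_to_azdo.yml leaves the `alert` job with a scopeless `GITHUB_TOKEN`; the Azure DevOps side is authenticated by `secrets.AZDO_WORK_ITEM_TOKEN`, so the sync itself is unaffected, but if the danhellem action also writes back to the GitHub issue (a comment or label linking the work item is the usual pattern) it now needs `issues: write` on the job, e.g. `permissions:` / `  issues: write` under `alert:`. The trigger list includes `issue_comment` events, so any comment mirroring the action does would need the same scope. The action's `github_token` input is outside this hunk, so check which inputs the pinned version reads before adding the grant.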
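Review bot: `${install-opts}` does not read the `install-opts` environment variable in bash: a hyphen ends the parameter name, so this is the `${parameter-word}` default-value form and expands to the literal `opts` whenever `$install` is unset, turning the step into `poetry install --only main,test opts`; `${pytest-opts}` becomes `opts` the same way, and a name containing a hyphen cannot be exported as a shell variable in the first place. On a Windows runner, where the default shell is PowerShell, `${install-opts}` names a never-assigned PowerShell variable rather than `$env:install-opts`, so the expansion is empty there. Patches 10 and 11 of this series rewrite both lines, so this commit should be squashed into them rather than landed on its own; a shell-expanded form needs an underscore-only name plus `$INSTALL_OPTS` under `shell: bash` or `$env:INSTALL_OPTS` under pwsh.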
From: Brad Keryan
Date: Fri, 5 Jun 2026 18:56:16 -0500
Subject: [PATCH 05/11] github: Add check_workflows.yml
---
 .github/workflows/CI.yml | 5 +++++
 .github/workflows/check_workflows.yml | 21 +++++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 .github/workflows/check_workflows.yml
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 317d76aac..e8a001939 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -22,6 +22,11 @@ jobs:
 name: Generate docs
 uses: ./.github/workflows/generate_docs.yml
 needs: [build]
+ check_workflows:
+ name: Check workflows
+ uses: ./.github/workflows/check_workflows.yml
+ permissions:
+ security-events: write
 run_system_tests:
 name: Run system tests
 uses: ./.github/workflows/run_system_tests.yml
diff --git a/.github/workflows/check_workflows.yml b/.github/workflows/check_workflows.yml
new file mode 100644
index 000000000..bbf458d5d
--- /dev/null
+++ b/.github/workflows/check_workflows.yml
@@ -0,0 +1,21 @@
+name: Check workflows
+
+on:
+ workflow_call:
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Check out repo
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
\ No newline at end of file
From 286bdb18b852f0bc753a1cfe2fd804e3f9a9a2fc Mon Sep 17 00:00:00 2001
From: Brad Keryan
Date: Fri, 5 Jun 2026 18:58:37 -0500
Subject: [PATCH 06/11] github: Disable setup-poetry caching for publish.yml
---
 .github/workflows/publish.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5a2f7b3fe..2c1c6a31c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
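Review bot: The `zizmor` job grants `security-events: write` for the SARIF upload, but on `pull_request` runs from forks the `GITHUB_TOKEN` is read-only regardless of what the workflow requests, so the upload inside `zizmorcore/zizmor-action` will fail for external contributors unless the action is configured to fall back to a non-uploading mode (check its inputs for the pinned version); per the code-scanning upload documentation, private repositories additionally need `contents: read` and `actions: read`. The new file also ends without a trailing newline (`\ No newline at end of file`) while the other workflows in this series were just fixed to have one. A short comment above the job's `permissions:` would spare the next reader the question of why a linter needs a write scope: `# security-events: write is needed only to upload zizmor's SARIF report to code scanning.`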
@@ -52,6 +52,8 @@ jobs:
 uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
 - name: Set up Poetry
 uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
+ with:
+ use-cache: false
 - name: Check project version
 if: github.event_name == 'release'
 uses: ni/python-actions/check-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
@@ -100,5 +102,7 @@ jobs:
 uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
 - name: Set up Poetry
 uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
+ with:
+ use-cache: false
 - name: Update project version
 uses: ni/python-actions/update-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
From 1e4da3d933fca7ff42d3a1b8abd393a63a45e737 Mon Sep 17 00:00:00 2001
From: Brad Keryan
Date: Fri, 5 Jun 2026 19:00:19 -0500
Subject: [PATCH 07/11] docs: Update changelog
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71e06c3ba..14e212436 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,7 +36,7 @@ All notable changes to this project will be documented in this file.
 * ...
 * ### Major Changes
- * ...
+ * [zizmor](https://zizmor.sh/) is now used for GitHub Actions static analysis.
 * ### Known Issues
 * ...
From b2875c68f92e723f4ecb346cb2dfb9c98e20e699 Mon Sep 17 00:00:00 2001
From: Brad Keryan
Date: Fri, 5 Jun 2026 19:03:58 -0500
Subject: [PATCH 08/11] github: Fix PR->CI permissions passing
---
 .github/workflows/PR.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/PR.yml b/.github/workflows/PR.yml
index e6ab53d02..ff793aa73 100644
--- a/.github/workflows/PR.yml
+++ b/.github/workflows/PR.yml
@@ -22,3 +22,4 @@ jobs:
 contents: read
 checks: write
 pull-requests: write
+ security-events: write
\ No newline at end of file
From 4040a238b0f4ae2237e801603e9447ee87cfa957 Mon Sep 17 00:00:00 2001
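Review bot: Disabling the Poetry cache in both publish jobs is the right call for a release path (a poisoned cache entry restored into a publishing job is a supply-chain hole), but the second hunk sits directly above `Update project version`, and that step is where the earlier patches in this series may bite: with `persist-credentials: false` on the checkout and a top-level `permissions: {}`, a step that commits and pushes the bumped version has neither stored git credentials nor a `contents: write` token. If `update-project-version` pushes, pass it an explicit token and grant `contents: write` on that job; if it only edits `pyproject.toml` for a later step, a comment saying so, `# edits pyproject.toml only; the commit/push happens in a later step`, would save the next reader the same question. The action's inputs and the steps after it are outside this hunk, so I cannot tell which case applies.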
From: Brad Keryan
Date: Fri, 5 Jun 2026 19:07:02 -0500
Subject: [PATCH 09/11] cspell: Add zizmor to project-software-terms.txt
---
 .config/cspell/project-software-terms.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.config/cspell/project-software-terms.txt b/.config/cspell/project-software-terms.txt
index 489872e3a..0613a25ef 100644
--- a/.config/cspell/project-software-terms.txt
+++ b/.config/cspell/project-software-terms.txt
@@ -61,3 +61,4 @@ varargs # Standard library: ctypes
 venv # Python tooling (directory/artifact names, not real words)
 xlabel # Dependency: matplotlib
 ylabel # Dependency: matplotlib
+zizmor # Dependency: zizmor
\ No newline at end of file
From 2380c1816846a1f728ffe8a98057e49160b2b477 Mon Sep 17 00:00:00 2001
From: Brad Keryan
Date: Fri, 5 Jun 2026 19:23:17 -0500
Subject: [PATCH 10/11] github: Rename run_unit_tests.yml env vars to remove dash
---
 .github/workflows/run_unit_tests.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml
index 73fbb5315..d80207b9c 100644
--- a/.github/workflows/run_unit_tests.yml
+++ b/.github/workflows/run_unit_tests.yml
@@ -20,8 +20,8 @@ jobs:
 fail-fast: false
 env:
 # grpcio does not have binary wheels for pypy or free-threading, as of version 1.75.1.
- install-opts: ${{ !(startsWith(matrix.python-version, 'pypy') || matrix.python-version == '3.14t') && '--extras grpc' || '' }}
- pytest-opts: ${{ (startsWith(matrix.python-version, 'pypy') || matrix.python-version == '3.14t') && '-k "not grpc"' || '' }}
+ INSTALL_OPTS: ${{ !(startsWith(matrix.python-version, 'pypy') || matrix.python-version == '3.14t') && '--extras grpc' || '' }}
+ PYTEST_OPTS: ${{ (startsWith(matrix.python-version, 'pypy') || matrix.python-version == '3.14t') && '-k "not grpc"' || '' }}
 steps:
 - name: Check out repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -40,9 +40,9 @@ jobs:
 path: .venv
 key: nidaqmx-with-test-${{ runner.os }}-py${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('poetry.lock') }}
 - name: Install test dependencies
- run: poetry install --only main,test ${install-opts}
+ run: poetry install --only main,test ${INSTALL_OPTS}
 - name: Run unit tests
- run: poetry run pytest -v --cov=generated/nidaqmx --junitxml=test_results/unit-${{ matrix.os }}-py${{ matrix.python-version }}.xml tests/unit ${pytest-opts}
+ run: poetry run pytest -v --cov=generated/nidaqmx --junitxml=test_results/unit-${{ matrix.os }}-py${{ matrix.python-version }}.xml tests/unit ${PYTEST_OPTS}
 - name: Upload test results
 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
From 8b9a4a48454a2104ea434004e7cfff18787a9f17 Mon Sep 17 00:00:00 2001
From: Brad Keryan
Date: Fri, 5 Jun 2026 19:40:11 -0500
Subject: [PATCH 11/11] github: Rework run_unit_tests.yml logic
---
 .github/workflows/run_unit_tests.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml
index d80207b9c..067538fbc 100644
--- a/.github/workflows/run_unit_tests.yml
+++ b/.github/workflows/run_unit_tests.yml
@@ -20,8 +20,11 @@ jobs:
 fail-fast: false
 env:
 # grpcio does not have binary wheels for pypy or free-threading, as of version 1.75.1.
- INSTALL_OPTS: ${{ !(startsWith(matrix.python-version, 'pypy') || matrix.python-version == '3.14t') && '--extras grpc' || '' }}
- PYTEST_OPTS: ${{ (startsWith(matrix.python-version, 'pypy') || matrix.python-version == '3.14t') && '-k "not grpc"' || '' }}
+ GRPC_SUPPORTED: ${{ case(
+ startsWith(matrix.python-version, 'pypy'), 'false',
+ endsWith(matrix.python-version, 't'), 'false',
+ 'true'
+ ) }}
 steps:
 - name: Check out repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
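Review bot: `${INSTALL_OPTS}` and `${PYTEST_OPTS}` are valid bash references now that the names contain no hyphen, but neither `run:` step sets `shell:`, and the artifact name `unit-${{ matrix.os }}-...` implies more than one OS in the matrix; on a Windows runner the default shell is PowerShell, where `${INSTALL_OPTS}` is a never-assigned PowerShell variable and environment variables are reached as `$env:INSTALL_OPTS`, so the gRPC extras and the `-k "not grpc"` filter would be silently dropped there. Either add `shell: bash` to both steps or go back to `${{ env.INSTALL_OPTS }}`. Patch 11 of this series replaces both lines with `${{ }}` expressions anyway, so this commit is best squashed into it.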
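Review bot: `GRPC_SUPPORTED` is an unquoted plain scalar spread over five lines; YAML folds the breaks into spaces so it parses, but multi-line plain scalars are fragile (a `: ` or ` #` on a continuation line silently changes the value or ends it), and this one is the sole input to two `run:` expressions in the next hunk. Prefer a folded block scalar, `GRPC_SUPPORTED: >-` with the `${{ case(...) }}` lines indented beneath it, or keep the expression on one line. The switch from `== '3.14t'` to `endsWith(matrix.python-version, 't')` widens the exclusion to every trailing-`t` matrix entry, which reads as intentional for free-threaded builds; extending the comment above to `# ... (any version ending in 't' is treated as free-threaded)` would record that.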
@@ -40,9 +43,9 @@ jobs:
 path: .venv
 key: nidaqmx-with-test-${{ runner.os }}-py${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('poetry.lock') }}
 - name: Install test dependencies
- run: poetry install --only main,test ${INSTALL_OPTS}
+ run: poetry install --only main,test ${{ case(env.GRPC_SUPPORTED == 'true', '--extras grpc', '') }}
 - name: Run unit tests
- run: poetry run pytest -v --cov=generated/nidaqmx --junitxml=test_results/unit-${{ matrix.os }}-py${{ matrix.python-version }}.xml tests/unit ${PYTEST_OPTS}
+ run: poetry run pytest -v --cov=generated/nidaqmx --junitxml=test_results/unit-${{ matrix.os }}-py${{ matrix.python-version }}.xml tests/unit ${{ case(env.GRPC_SUPPORTED == 'true', '', '-k "not grpc"') }}
 - name: Upload test results
 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
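Review bot: Both `run:` lines now splice a `${{ case(...) }}` result into the shell text; that is safe here only because every branch is a string literal and `env.GRPC_SUPPORTED` is itself derived from the static matrix, but a later edit that routes event data through the same `env` key would turn this into command injection on every matrix leg, and nothing in the file says so. Record the invariant above the first step: `# ${{ }} below is expanded before the shell runs; keep the case() branches literal and never feed event context into GRPC_SUPPORTED.` If the expression-in-`run:` shape is unwanted, compute the two option strings directly in `env:` with the same `case()` and read them as `$INSTALL_OPTS` / `$PYTEST_OPTS` under `shell: bash`, so the `run:` text carries no expression at all.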