diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index 95069a0b..d9fb490f 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -8,6 +8,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_nitypes: name: Check nitypes @@ -15,9 +17,14 @@ jobs: check_docs: name: Check docs uses: ./.github/workflows/check_docs.yml + check_workflows: + name: Check workflows + uses: ./.github/workflows/check_workflows.yml + permissions: + security-events: write checks_succeeded: name: Checks succeeded - needs: [check_nitypes, check_docs] + needs: [check_nitypes, check_docs, check_workflows] runs-on: ubuntu-latest steps: - run: exit 0 diff --git a/.github/workflows/PR.yml b/.github/workflows/PR.yml index 2886cc3b..ee4485ef 100644 --- a/.github/workflows/PR.yml +++ b/.github/workflows/PR.yml @@ -12,6 +12,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: {} + jobs: run_ci: name: Run CI @@ -19,4 +21,5 @@ jobs: permissions: contents: read checks: write - pull-requests: write \ No newline at end of file + pull-requests: write + security-events: write \ No newline at end of file diff --git a/.github/workflows/check_docs.yml b/.github/workflows/check_docs.yml index 732bddf2..f4ff8983 100644 --- a/.github/workflows/check_docs.yml +++ b/.github/workflows/check_docs.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_docs: name: Check docs @@ -11,6 +13,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python @@ -31,4 +35,4 @@ jobs: uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: nitypes-docs - path: docs/_build/ \ No newline at end of file + path: docs/_build/ diff --git a/.github/workflows/check_nitypes.yml b/.github/workflows/check_nitypes.yml index e46b1620..9258d66c 100644 --- a/.github/workflows/check_nitypes.yml +++ b/.github/workflows/check_nitypes.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_nitypes: name: Check nitypes @@ -17,6 +19,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 with: @@ -26,4 +30,4 @@ jobs: - name: Analyze Python project uses: ni/python-actions/analyze-project@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Bandit security checks - run: poetry run bandit -c pyproject.toml -r src/nitypes \ No newline at end of file + run: poetry run bandit -c pyproject.toml -r src/nitypes diff --git a/.github/workflows/check_workflows.yml b/.github/workflows/check_workflows.yml new file mode 100644 index 00000000..bbf458d5 --- /dev/null +++ b/.github/workflows/check_workflows.yml @@ -0,0 +1,21 @@ +name: Check workflows + +on: + workflow_call: + workflow_dispatch: + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Check out repo + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 \ No newline at end of file diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 95ce9a79..0fbfddfa 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -30,6 +30,8 @@ env: } } +permissions: {} + jobs: check_nitypes: name: Check nitypes @@ -44,10 +46,14 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 + with: + use-cache: false - name: Check project version if: github.event_name == 'release' uses: ni/python-actions/check-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 @@ -90,9 +96,13 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 + with: + use-cache: false - name: Update project version uses: ni/python-actions/update-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 diff --git a/.github/workflows/report_test_results.yml b/.github/workflows/report_test_results.yml index 31a20924..57678ee9 100644 --- a/.github/workflows/report_test_results.yml +++ b/.github/workflows/report_test_results.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: report_test_results: name: Report test results @@ -15,6 +17,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Download test results uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml index 36a8d82a..83a25167 100644 --- a/.github/workflows/run_unit_tests.yml +++ b/.github/workflows/run_unit_tests.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: run_unit_tests: name: Run unit tests @@ -18,6 +20,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python diff --git a/.github/workflows/run_unit_tests_oldest_deps.yml b/.github/workflows/run_unit_tests_oldest_deps.yml index d0f0ed39..778594c0 100644 --- a/.github/workflows/run_unit_tests_oldest_deps.yml +++ b/.github/workflows/run_unit_tests_oldest_deps.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: run_unit_tests_oldest_deps: name: Run unit tests (oldest deps) @@ -18,6 +20,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python diff --git a/.github/workflows/sync_github_issues_to_azdo.yml b/.github/workflows/sync_github_issues_to_azdo.yml index e531a0b4..850e8bef 100644 --- a/.github/workflows/sync_github_issues_to_azdo.yml +++ b/.github/workflows/sync_github_issues_to_azdo.yml @@ -8,6 +8,8 @@ on: issue_comment: types: [created, edited, deleted] +permissions: {} + jobs: alert: if: ${{ !github.event.issue.pull_request && github.event.issue.title != 'Dependency Dashboard' }}