From e9afa2fc861c18d0b208470de5695984c7d86dd4 Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Fri, 5 Jun 2026 17:21:28 -0500 Subject: [PATCH 1/5] github: Use persist-credentials: false --- .github/workflows/check_docs.yml | 4 +++- .github/workflows/check_nitypes.yml | 4 +++- .github/workflows/publish.yml | 4 ++++ .github/workflows/report_test_results.yml | 2 ++ .github/workflows/run_unit_tests.yml | 2 ++ .github/workflows/run_unit_tests_oldest_deps.yml | 2 ++ 6 files changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check_docs.yml b/.github/workflows/check_docs.yml index 732bddf2..43b73168 100644 --- a/.github/workflows/check_docs.yml +++ b/.github/workflows/check_docs.yml @@ -11,6 +11,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python @@ -31,4 +33,4 @@ jobs: uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: nitypes-docs - path: docs/_build/ \ No newline at end of file + path: docs/_build/ diff --git a/.github/workflows/check_nitypes.yml b/.github/workflows/check_nitypes.yml index e46b1620..3b8501cd 100644 --- a/.github/workflows/check_nitypes.yml +++ b/.github/workflows/check_nitypes.yml @@ -17,6 +17,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 with: @@ -26,4 +28,4 @@ jobs: - name: Analyze Python project uses: ni/python-actions/analyze-project@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Bandit security checks - run: poetry run bandit -c pyproject.toml -r src/nitypes \ No newline at end of file + run: poetry run bandit -c pyproject.toml -r src/nitypes 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 95ce9a79..6583d63e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -44,6 +44,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry @@ -90,6 +92,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry diff --git a/.github/workflows/report_test_results.yml b/.github/workflows/report_test_results.yml index 31a20924..735cc826 100644 --- a/.github/workflows/report_test_results.yml +++ b/.github/workflows/report_test_results.yml @@ -15,6 +15,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Download test results uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml index 36a8d82a..18321685 100644 --- a/.github/workflows/run_unit_tests.yml +++ b/.github/workflows/run_unit_tests.yml @@ -18,6 +18,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python diff --git a/.github/workflows/run_unit_tests_oldest_deps.yml b/.github/workflows/run_unit_tests_oldest_deps.yml index d0f0ed39..12fb940e 100644 --- a/.github/workflows/run_unit_tests_oldest_deps.yml 
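Review bot: In the second publish.yml hunk (job at `@@ -90`), `persist-credentials: false` removes the checkout-persisted token, and patch 4's hunk of the same job shows a later `Update project version` step; if that step, or anything after it outside the hunk, commits and pushes with the persisted credentials, it will now fail to authenticate. Verify that the push path passes its own token explicitly rather than relying on the checkout configuration. A short comment next to the setting, `# Later steps that push must supply their own token`, would document the expectation. The job's step list continues past the hunk, so I cannot confirm what the remaining steps do.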
+++ b/.github/workflows/run_unit_tests_oldest_deps.yml @@ -18,6 +18,8 @@ jobs: steps: - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 id: setup-python From 47550723cd991dfe46b0fff71a268bd4fc26f773 Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Fri, 5 Jun 2026 17:24:29 -0500 Subject: [PATCH 2/5] github: Set empty permissions by default --- .github/workflows/CI.yml | 2 ++ .github/workflows/PR.yml | 2 ++ .github/workflows/check_docs.yml | 2 ++ .github/workflows/check_nitypes.yml | 2 ++ .github/workflows/publish.yml | 2 ++ .github/workflows/report_test_results.yml | 2 ++ .github/workflows/run_unit_tests.yml | 2 ++ .github/workflows/run_unit_tests_oldest_deps.yml | 2 ++ .github/workflows/sync_github_issues_to_azdo.yml | 2 ++ 9 files changed, 18 insertions(+) diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index 95069a0b..f34aab9a 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -8,6 +8,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_nitypes: name: Check nitypes diff --git a/.github/workflows/PR.yml b/.github/workflows/PR.yml index 2886cc3b..e52b1f97 100644 --- a/.github/workflows/PR.yml +++ b/.github/workflows/PR.yml @@ -12,6 +12,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: {} + jobs: run_ci: name: Run CI diff --git a/.github/workflows/check_docs.yml b/.github/workflows/check_docs.yml index 43b73168..f4ff8983 100644 --- a/.github/workflows/check_docs.yml +++ b/.github/workflows/check_docs.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_docs: name: Check docs diff --git a/.github/workflows/check_nitypes.yml b/.github/workflows/check_nitypes.yml index 3b8501cd..9258d66c 100644 
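Review bot: `permissions: {}` at the workflow level makes the empty set the default for every job in CI.yml, and the same applies to the other hunks of this patch (PR.yml, check_docs.yml, check_nitypes.yml, publish.yml, report_test_results.yml, run_unit_tests.yml, run_unit_tests_oldest_deps.yml, sync_github_issues_to_azdo.yml); apart from PR.yml's run_ci, none of the hunks adds a job-level grant, so every job that needs a scope must now declare it itself. In particular report_test_results presumably needs the `checks: write` / `pull-requests: write` that PR.yml grants the caller, the publish jobs need whatever scope they publish with (and `contents: write` if they push), and checkout needs `contents: read` if the repository is private — the job bodies lie outside these hunks, so I cannot confirm any of them declare it. A one-line comment above each block, `# No token permissions by default; each job declares the scopes it needs.`, would make the contract explicit.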
--- a/.github/workflows/check_nitypes.yml +++ b/.github/workflows/check_nitypes.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: check_nitypes: name: Check nitypes diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 6583d63e..b61cff9c 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -30,6 +30,8 @@ env: } } +permissions: {} + jobs: check_nitypes: name: Check nitypes diff --git a/.github/workflows/report_test_results.yml b/.github/workflows/report_test_results.yml index 735cc826..57678ee9 100644 --- a/.github/workflows/report_test_results.yml +++ b/.github/workflows/report_test_results.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: report_test_results: name: Report test results diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml index 18321685..83a25167 100644 --- a/.github/workflows/run_unit_tests.yml +++ b/.github/workflows/run_unit_tests.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: run_unit_tests: name: Run unit tests diff --git a/.github/workflows/run_unit_tests_oldest_deps.yml b/.github/workflows/run_unit_tests_oldest_deps.yml index 12fb940e..778594c0 100644 --- a/.github/workflows/run_unit_tests_oldest_deps.yml +++ b/.github/workflows/run_unit_tests_oldest_deps.yml @@ -4,6 +4,8 @@ on: workflow_call: workflow_dispatch: +permissions: {} + jobs: run_unit_tests_oldest_deps: name: Run unit tests (oldest deps) diff --git a/.github/workflows/sync_github_issues_to_azdo.yml b/.github/workflows/sync_github_issues_to_azdo.yml index e531a0b4..850e8bef 100644 --- a/.github/workflows/sync_github_issues_to_azdo.yml +++ b/.github/workflows/sync_github_issues_to_azdo.yml @@ -8,6 +8,8 @@ on: issue_comment: types: [created, edited, deleted] +permissions: {} + jobs: alert: if: ${{ !github.event.issue.pull_request && github.event.issue.title != 'Dependency Dashboard' }} 
From 5f14cb74a492aad240553460433be42812d40a34 Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Fri, 5 Jun 2026 17:27:44 -0500 Subject: [PATCH 3/5] github: Add check_workflows.yml --- .github/workflows/CI.yml | 7 ++++++- .github/workflows/check_workflows.yml | 21 +++++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/check_workflows.yml diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index f34aab9a..d9fb490f 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml @@ -17,9 +17,14 @@ jobs: check_docs: name: Check docs uses: ./.github/workflows/check_docs.yml + check_workflows: + name: Check workflows + uses: ./.github/workflows/check_workflows.yml + permissions: + security-events: write checks_succeeded: name: Checks succeeded - needs: [check_nitypes, check_docs] + needs: [check_nitypes, check_docs, check_workflows] runs-on: ubuntu-latest steps: - run: exit 0 diff --git a/.github/workflows/check_workflows.yml b/.github/workflows/check_workflows.yml new file mode 100644 index 00000000..bbf458d5 --- /dev/null +++ b/.github/workflows/check_workflows.yml @@ -0,0 +1,21 @@ +name: Check workflows + +on: + workflow_call: + workflow_dispatch: + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Check out repo + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 \ No newline at end of file From 49952a88ac450e66e7648db632be28c167a48c3c Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Fri, 5 Jun 2026 17:29:35 -0500 Subject: [PATCH 4/5] github: Disable setup-poetry caching in publish.yml --- .github/workflows/publish.yml | 4 ++++ 1 file changed, 4 insertions(+) 
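Review bot: The zizmor job in the new check_workflows.yml (and its caller in the CI.yml hunk) is granted only `security-events: write`; as far as I recall, zizmor-action's documentation also lists `contents: read` and, for private repositories, `actions: read` for the SARIF upload — verify against the action's README before relying on the job. Since PR.yml is triggered on `pull_request`, fork-originated runs get a read-only GITHUB_TOKEN and the code-scanning upload step may fail on those runs; either accept that or configure the action to skip the upload when the scope is absent. The new file also ends without a trailing newline (`\ No newline at end of file`), which patch 1 just corrected for the other workflows.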
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index b61cff9c..0fbfddfa 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -52,6 +52,8 @@ jobs: uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 + with: + use-cache: false - name: Check project version if: github.event_name == 'release' uses: ni/python-actions/check-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 @@ -100,5 +102,7 @@ jobs: uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 - name: Set up Poetry uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 + with: + use-cache: false - name: Update project version uses: ni/python-actions/update-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2 From 8f9f3581b17b7851ead71214ca2b089457892271 Mon Sep 17 00:00:00 2001 From: Brad Keryan Date: Fri, 5 Jun 2026 17:31:04 -0500 Subject: [PATCH 5/5] github: Fix PR->CI permissions passing --- .github/workflows/PR.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/PR.yml b/.github/workflows/PR.yml index e52b1f97..ee4485ef 100644 --- a/.github/workflows/PR.yml +++ b/.github/workflows/PR.yml @@ -21,4 +21,5 @@ jobs: permissions: contents: read checks: write - pull-requests: write \ No newline at end of file + pull-requests: write + security-events: write \ No newline at end of file
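Review bot: The two `use-cache: false` additions carry no rationale, so a later reader of publish.yml cannot tell that caching is deliberately off for release jobs rather than an oversight. A comment above each `with:`, `# Release jobs must not restore caches that PR/branch jobs can write to.`, would preserve the intent; both jobs' step lists continue outside the hunks. If ni/python-actions/setup-python also restores a cache in these jobs, the same reasoning applies to it, which I cannot tell from the hunk.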
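Review bot: PR.yml still ends without a trailing newline (`\ No newline at end of file` on the new side) even though patch 1 fixed the same thing in the other workflows; worth adding for consistency. The four scopes on run_ci are the ceiling for every job reached through CI.yml, so this is the right place to grant them, but write scopes are only effective for same-repository pull requests — any job that depends on them for fork PRs will need a different mechanism. The run_ci job definition begins above the hunk.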