github: Enable GitHub Actions static analysis with zizmor

.config/cspell/project-software-terms.txt

@@ -61,3 +61,4 @@ varargs           # Standard library: ctypes
 venv              # Python tooling (directory/artifact names, not real words)
 xlabel            # Dependency: matplotlib
 ylabel            # Dependency: matplotlib
+zizmor            # Dependency: zizmor

.github/workflows/CI.yml

@@ -7,6 +7,9 @@ on:
       - 'releases/**'
   workflow_call:
   workflow_dispatch:
+
+permissions: {}
+
 jobs:
   build:
     name: Build
@@ -19,6 +22,11 @@ jobs:
     name: Generate docs
     uses: ./.github/workflows/generate_docs.yml
     needs: [build]
+  check_workflows:
+    name: Check workflows
+    uses: ./.github/workflows/check_workflows.yml
+    permissions:
+      security-events: write
   run_system_tests:
     name: Run system tests
     uses: ./.github/workflows/run_system_tests.yml

.github/workflows/PR.yml

@@ -12,6 +12,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   run_ci:
     name: Run CI
@@ -20,3 +22,4 @@ jobs:
       contents: read
       checks: write
       pull-requests: write
+      security-events: write

.github/workflows/build.yml

@@ -3,6 +3,9 @@ name: Build
 on:
   workflow_call:
   workflow_dispatch:
+
+permissions: {}
+
 jobs:
   build:
     name: Build
@@ -19,6 +22,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: true
+          persist-credentials: false
       - name: Set up Python
         uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
         id: setup-python

.github/workflows/check_workflows.yml

@@ -0,0 +1,21 @@
+name: Check workflows
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6

.github/workflows/generate_docs.yml

@@ -3,6 +3,9 @@ name: Generate docs
 on:
   workflow_call:
   workflow_dispatch:
+
+permissions: {}
+
 jobs:
   generate_docs:
     name: Generate docs
@@ -11,6 +14,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
         id: setup-python
@@ -28,4 +33,4 @@ jobs:
           python -m pip install --upgrade pip
           poetry install
       - name: Generate docs
-        run: poetry run tox -e docs
+        run: poetry run tox -e docs

.github/workflows/publish.yml

@@ -30,6 +30,8 @@ env:
       }
     }
 
+permissions: {}
+
 jobs:
   check_nidaqmx:
     name: Check nidaqmx
@@ -44,10 +46,14 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
       - name: Set up Poetry
         uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
+        with:
+          use-cache: false
       - name: Check project version
         if: github.event_name == 'release'
         uses: ni/python-actions/check-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
@@ -90,9 +96,13 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
       - name: Set up Poetry
         uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
+        with:
+          use-cache: false
       - name: Update project version
         uses: ni/python-actions/update-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2

.github/workflows/report_test_results.yml

@@ -4,6 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   report_test_results:
     name: Report test results
@@ -15,6 +17,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Download test results
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:

.github/workflows/run_system_tests.yml

@@ -3,6 +3,9 @@ name: Run system tests
 on:
   workflow_call:
   workflow_dispatch:
+
+permissions: {}
+
 jobs:
   run_system_tests:
     name: Run system tests
@@ -21,6 +24,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Import DAQmx config
         run: C:\nidaqmxconfig\targets\win64U\x64\msvc-14.0\release\nidaqmxconfig.exe --eraseconfig --import tests\max_config\nidaqmxMaxConfig.ini
       - name: Set up Python

.github/workflows/run_unit_tests.yml

@@ -3,6 +3,9 @@ name: Run unit tests
 on:
   workflow_call:
   workflow_dispatch:
+
+permissions: {}
+
 jobs:
   run_unit_tests:
     name: Run unit tests
@@ -17,11 +20,16 @@ jobs:
       fail-fast: false
     env:
       # grpcio does not have binary wheels for pypy or free-threading, as of version 1.75.1.
-      install-opts: ${{ !(startsWith(matrix.python-version, 'pypy') || matrix.python-version == '3.14t') && '--extras grpc' || '' }}
-      pytest-opts: ${{ (startsWith(matrix.python-version, 'pypy') || matrix.python-version == '3.14t') && '-k "not grpc"' || '' }}
+      GRPC_SUPPORTED: ${{ case(
+                            startsWith(matrix.python-version, 'pypy'), 'false',
+                            endsWith(matrix.python-version, 't'), 'false',
+                            'true'
+                          ) }}
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
         id: setup-python
@@ -35,9 +43,9 @@ jobs:
           path: .venv
           key: nidaqmx-with-test-${{ runner.os }}-py${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('poetry.lock') }}
       - name: Install test dependencies
-        run: poetry install --only main,test ${{ env.install-opts }}
+        run: poetry install --only main,test ${{ case(env.GRPC_SUPPORTED == 'true', '--extras grpc', '') }}
       - name: Run unit tests
-        run: poetry run pytest -v --cov=generated/nidaqmx --junitxml=test_results/unit-${{ matrix.os }}-py${{ matrix.python-version }}.xml tests/unit ${{ env.pytest-opts }}
+        run: poetry run pytest -v --cov=generated/nidaqmx --junitxml=test_results/unit-${{ matrix.os }}-py${{ matrix.python-version }}.xml tests/unit ${{ case(env.GRPC_SUPPORTED == 'true', '', '-k "not grpc"') }}
       - name: Upload test results
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
@@ -55,6 +63,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
         id: setup-python
@@ -73,4 +83,4 @@ jobs:
           python -m pip install --upgrade pip
           poetry install --only main
       - name: check installdriver subcommand can be invoked
-        run: poetry run nidaqmx installdriver --help
+        run: poetry run nidaqmx installdriver --help

.github/workflows/sync_github_issues_to_azdo.yml

@@ -8,29 +8,24 @@ on:
   issue_comment:
     types: [created, edited, deleted]
 
+permissions: {}
+
 jobs:
   alert:
     if: ${{ !github.event.issue.pull_request && github.event.issue.title != 'Dependency Dashboard' }}
     runs-on: ubuntu-latest
     steps:
-      - name: Choose work item type
-        id: choose_work_item_type
-        run: |
-          if [ "${{ contains(github.event.issue.labels.*.name, 'enhancement') || contains(github.event.issue.labels.*.name, 'user story') }}" == "true" ]; then
-            echo "work_item_type=User Story" >> $GITHUB_OUTPUT
-          elif [ "${{ contains(github.event.issue.labels.*.name, 'tech debt') }}" == "true" ]; then
-            echo "work_item_type=Technical Debt" >> $GITHUB_OUTPUT
-          else
-            echo "work_item_type=Bug" >> $GITHUB_OUTPUT
-          fi
       - uses: danhellem/github-actions-issue-to-work-item@45eb3b46e684f2acd2954f02ef70350c835ee4bb # v2.4
         env:
           ado_token: "${{ secrets.AZDO_WORK_ITEM_TOKEN }}"
           github_token: "${{ secrets.GH_REPO_TOKEN }}"
           ado_organization: "ni"
           ado_project: "DevCentral"
           ado_area_path: "DevCentral\\Product RnD\\Platform HW and SW\\Core SW and Drivers\\Platform HW and Drivers\\Drivers\\Venus"
-          ado_wit: "${{ steps.choose_work_item_type.outputs.work_item_type }}"
+          ado_wit: "${{ case(
+            contains(github.event.issue.labels.*.name, 'enhancement') || contains(github.event.issue.labels.*.name, 'user story'), 'User Story',
+            contains(github.event.issue.labels.*.name, 'tech debt'), 'Technical Debt',
+            'Bug') }}"
           ado_new_state: "New"
           ado_active_state: "Active"
           ado_close_state: "Closed"

CHANGELOG.md

@@ -36,7 +36,7 @@ All notable changes to this project will be documented in this file.
     * ...
 
 * ### Major Changes
-    * ...
+    * [zizmor](https://zizmor.sh/) is now used for GitHub Actions static analysis.
 
 * ### Known Issues
     * ...