github: Enable GitHub Actions static analysis with zizmor

.github/workflows/CI.yml

@@ -8,16 +8,23 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   check_nitypes:
     name: Check nitypes
     uses: ./.github/workflows/check_nitypes.yml
   check_docs:
     name: Check docs
     uses: ./.github/workflows/check_docs.yml
+  check_workflows:
+    name: Check workflows
+    uses: ./.github/workflows/check_workflows.yml
+    permissions:
+      security-events: write
   checks_succeeded:
     name: Checks succeeded
-    needs: [check_nitypes, check_docs]
+    needs: [check_nitypes, check_docs, check_workflows]
     runs-on: ubuntu-latest
     steps:
       - run: exit 0

.github/workflows/PR.yml

@@ -12,11 +12,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   run_ci:
     name: Run CI
     uses: ./.github/workflows/CI.yml
     permissions:
       contents: read
       checks: write
-      pull-requests: write
+      pull-requests: write
+      security-events: write

.github/workflows/check_docs.yml

@@ -4,13 +4,17 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   check_docs:
     name: Check docs
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
         id: setup-python
@@ -31,4 +35,4 @@ jobs:
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: nitypes-docs
-          path: docs/_build/
+          path: docs/_build/

.github/workflows/check_nitypes.yml

@@ -4,6 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   check_nitypes:
     name: Check nitypes
@@ -17,6 +19,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
         with:
@@ -26,4 +30,4 @@ jobs:
       - name: Analyze Python project
         uses: ni/python-actions/analyze-project@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
       - name: Bandit security checks
-        run:  poetry run bandit -c pyproject.toml -r src/nitypes
+        run:  poetry run bandit -c pyproject.toml -r src/nitypes

.github/workflows/check_workflows.yml

@@ -0,0 +1,21 @@
+name: Check workflows
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6

.github/workflows/publish.yml

@@ -30,6 +30,8 @@ env:
       }
     }
 
+permissions: {}
+
 jobs:
   check_nitypes:
     name: Check nitypes
@@ -44,10 +46,14 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
       - name: Set up Poetry
         uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
+        with:
+          use-cache: false
       - name: Check project version
         if: github.event_name == 'release'
         uses: ni/python-actions/check-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
@@ -90,9 +96,13 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
       - name: Set up Poetry
         uses: ni/python-actions/setup-poetry@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
+        with:
+          use-cache: false
       - name: Update project version
         uses: ni/python-actions/update-project-version@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2

.github/workflows/report_test_results.yml

@@ -4,6 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   report_test_results:
     name: Report test results
@@ -15,6 +17,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Download test results
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:

.github/workflows/run_unit_tests.yml

@@ -4,6 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   run_unit_tests:
     name: Run unit tests
@@ -18,6 +20,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
         id: setup-python

.github/workflows/run_unit_tests_oldest_deps.yml

@@ -4,6 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   run_unit_tests_oldest_deps:
     name: Run unit tests (oldest deps)
@@ -18,6 +20,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ni/python-actions/setup-python@a2894c635a2cba635a1086c1f89796fec2c52f74 # v0.7.2
         id: setup-python

.github/workflows/sync_github_issues_to_azdo.yml

@@ -8,6 +8,8 @@ on:
   issue_comment:
     types: [created, edited, deleted]
 
+permissions: {}
+
 jobs:
   alert:
     if: ${{ !github.event.issue.pull_request && github.event.issue.title != 'Dependency Dashboard' }}