ni · bkeryan · May 18, 2026
@@ -8,7 +8,14 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
+  check_actions:
+    name: Check actions
+    uses: ./.github/workflows/check_actions.yml
+    permissions:
+      security-events: write
   test_actions:
     name: Test actions
     uses: ./.github/workflows/test_actions.yml
@@ -8,11 +8,15 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 jobs:
   run_ci:
     name: Run CI
-    uses: ./.github/workflows/CI.yml
+    uses: ./.github/workflows/CI.yml
+    permissions:
+      security-events: write
@@ -0,0 +1,21 @@
+name: Check actions
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
@@ -8,6 +8,8 @@ on:
   issue_comment:
     types: [created, edited, deleted]
 
+permissions: {}
+
 jobs:
   alert:
     if: ${{ !github.event.issue.pull_request && github.event.issue.title != 'Dependency Dashboard' }}

@@ -4,6 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   test_setup_python:
     name: Test setup-python
@@ -16,6 +18,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ./setup-python
         with:
@@ -51,6 +55,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ./setup-python
         with:
@@ -78,6 +84,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ./setup-python
         with:
@@ -110,6 +118,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ./setup-python
         with:
@@ -139,6 +149,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ./setup-python
       - name: Set up Poetry
@@ -173,6 +185,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ./setup-python
       - name: Set up Poetry
@@ -225,6 +239,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ./setup-python
         with:
@@ -324,6 +340,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ./setup-python
         with:
@@ -382,6 +400,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ./setup-python
         with:

@@ -42,7 +42,9 @@ If there are extra command-line arguments you need to install from your
 pyproject.toml, specify them with this input. You can specify any arguments that
 work with `poetry install` including `--extras` and `--with`. These
 `install-args` will be appended to the basic command line which is `poetry
-install -v`. For example,
+install -v`. Do not pass untrusted user input.
+
+For example,
 
 ```yaml
 - uses: ni/python-actions/analyze-project@v0

@@ -1,6 +1,6 @@
 name: Analyze project
 description: >
-  This workflow analyzes the code quality of a Python project using various
+  This action analyzes the code quality of a Python project using various
   linters and type checkers including ni-python-styleguide,
   mypy (if the 'mypy' package is installed), and pyright (if the 'pyright'
   package is installed).
@@ -11,14 +11,22 @@ inputs:
     default: ${{ github.workspace }}
   install-args:
     # E.g. "--extras 'drivers addons' --with examples,docs"
-    description: 'Extra arguments. Install command will be "poetry install <install-args>".'
+    description: >
+      Extra arguments. Install command will be "poetry install -v <install-args>".
+      Do not pass untrusted user input.
     default: ''
     required: false
     type: string
 
 runs:
   using: composite
   steps:
+    - name: Validate event type
+      if: ${{ github.event_name == 'pull_request_target' || github.event_name == 'workflow_run' }}
+      run: |
+        echo "::error title=Analyze Project Error::Unsupported event '$GITHUB_EVENT_NAME'"
+        exit 1
+      shell: bash
     - name: Get project info
       id: get_project_info
       run: |
@@ -36,25 +44,30 @@ runs:
       shell: bash
       working-directory: ${{ inputs.project-directory }}
     - name: Check for lock changes
-      run: poetry check --lock -C "${{ inputs.project-directory }}"
+      run: poetry check --lock
       shell: bash
+      working-directory: ${{ inputs.project-directory }}
     - name: Generate install args hash
       id: install_args_hash
       run: |
-        install_args_hash=$(echo "${{ inputs.install-args }}" | sha256sum | cut -d ' ' -f1)
+        install_args_hash=$(echo "$INSTALL_ARGS" | sha256sum | cut -d ' ' -f1)
         echo "hash=$install_args_hash" >> "$GITHUB_OUTPUT"
       shell: bash
+      env:
+        INSTALL_ARGS: ${{ inputs.install-args }}
     - name: Cache virtualenv
       uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: ${{ steps.get_project_info.outputs.venv-path }}
         key: ${{ steps.get_project_info.outputs.name }}-${{ runner.os }}-py${{ env.pythonVersion }}-${{ hashFiles(format('{0}/poetry.lock', inputs.project-directory)) }}-${{ steps.install_args_hash.outputs.hash }}
     - name: Install ${{ steps.get_project_info.outputs.name }}
       run: |
-        install_cmd="poetry install -v ${{ inputs.install-args }}"
+        install_cmd="poetry install -v $INSTALL_ARGS"
         eval $install_cmd
       working-directory: ${{ inputs.project-directory }}
       shell: bash
+      env:
+        INSTALL_ARGS: ${{ inputs.install-args }}
     - name: Lint
       run: poetry run ni-python-styleguide lint
       working-directory: ${{ inputs.project-directory }}
@@ -79,9 +92,12 @@ runs:
       shell: poetry run python {0}
     - name: Echo check_tools outputs
       run: |
-        echo "mypy installed: ${{ steps.check_tools.outputs.mypy }}"
-        echo "pyright installed: ${{ steps.check_tools.outputs.pyright }}"
+        echo "mypy installed: $MYPY_INSTALLED"
+        echo "pyright installed: $PYRIGHT_INSTALLED"
       shell: bash
+      env:
+        MYPY_INSTALLED: ${{ steps.check_tools.outputs.mypy }}
+        PYRIGHT_INSTALLED: ${{ steps.check_tools.outputs.pyright }}
     - name: Mypy static analysis
       if: steps.check_tools.outputs.mypy == 'true'
       run: poetry run mypy
@@ -90,7 +106,7 @@ runs:
     - name: Add virtualenv to the path for pyright-action
       if: steps.check_tools.outputs.pyright == 'true'
       shell: bash
-      run: |
+      run: | # zizmor: ignore[github-env] # intentionally add project venv to the path
         echo "$(dirname $(poetry env info --executable))" >> $GITHUB_PATH
       working-directory: ${{ inputs.project-directory }}
     - name: Pyright static analysis

@@ -13,33 +13,35 @@ inputs:
 runs:
   using: composite
   steps:
-  - name: Check project version
-    run: |
-      project_version="$(poetry version --short)"
-      expected_version="${{ inputs.expected-version }}"
-      # Strip the leading 'v', in case this is a GitHub release tag.
-      expected_version="${expected_version#v}"
+    - name: Check project version
+      run: |
+        project_version="$(poetry version --short)"
+        expected_version="$EXPECTED_VERSION"
+        # Strip the leading 'v', in case this is a GitHub release tag.
+        expected_version="${expected_version#v}"
 
-      error_message="$(cat <<EOF
-      The project version in pyproject.toml does not match the expected version.
-
-      If this workflow was triggered by a GitHub release, verify that the
-      release was tagged with the correct version. If they don't match, you
-      should either update pyproject.toml or delete and re-create the release
-      with the correct tag.
+        error_message="$(cat <<EOF
+        The project version in pyproject.toml does not match the expected version.
+        
+        If this workflow was triggered by a GitHub release, verify that the
+        release was tagged with the correct version. If they don't match, you
+        should either update pyproject.toml or delete and re-create the release
+        with the correct tag.
 
-      Project version: $project_version
-      Expected version: $expected_version
-      EOF
-      )"
+        Project version: $project_version
+        Expected version: $expected_version
+        EOF
+        )"
 
-      # Convert newline to %0A so that GitHub includes the entire error message
-      # in the annotation.
-      error_message="$(echo "$error_message" | sed -z 's/\n/%0A/g;s/%0A$/\n/')"
+        # Convert newline to %0A so that GitHub includes the entire error message
+        # in the annotation.
+        error_message="$(echo "$error_message" | sed -z 's/\n/%0A/g;s/%0A$/\n/')"
 
-      if [ x"$project_version" != x"$expected_version" ]; then
-        echo "::error title=Project Version Error::$error_message"
-        exit 1
-      fi
-    shell: bash
-    working-directory: ${{ inputs.project-directory }}
+        if [ x"$project_version" != x"$expected_version" ]; then
+          echo "::error title=Project Version Error::$error_message"
+          exit 1
+        fi
+      shell: bash
+      working-directory: ${{ inputs.project-directory }}
+      env:
+        EXPECTED_VERSION: ${{ inputs.expected-version }}
@@ -25,7 +25,7 @@ runs:
         fi 
       shell: bash
     - name: Set paths
-      run: |
+      run: | # zizmor: ignore[github-env] # paths are based on RUNNER_TEMP, not user input
         poetry_root="$RUNNER_TEMP/poetry"
         poetry_home="$poetry_root/home"
         poetry_bin="$poetry_root/bin"
@@ -62,11 +62,17 @@ runs:
     - name: Install Poetry
       if: steps.cache-poetry.outputs.cache-hit != 'true'
       run: |
+        if [[ ! "$POETRY_VERSION" =~ ^([0-9]+)\.([0-9]+)(\.([0-9]+))?((a|b|rc)[0-9]+)?(\.post[0-9]+)?$ ]]; then
+          echo "::error title=Setup Poetry Error::Invalid version number: '$POETRY_VERSION'"
+          exit 1
+        fi
         python -m venv "$POETRY_HOME"
-        "$POETRY_HOME_BIN/python" -m pip install poetry==${{ inputs.poetry-version }}
+        "$POETRY_HOME_BIN/python" -m pip install "poetry==$POETRY_VERSION"
         mkdir -p "$POETRY_BIN_DIR"
         ln -s "$POETRY_HOME_BIN/poetry"* "$POETRY_BIN_DIR/"
       shell: bash
+      env:
+        POETRY_VERSION: ${{ inputs.poetry-version }}
     - name: Print Poetry version
       run: poetry --version
       shell: bash

@@ -33,5 +33,8 @@ runs:
             print(f"python-version={version}", file=output)
       shell: python
     - name: Add pythonVersion environment variable
-      run: echo "pythonVersion=${{ steps.get-python-version.outputs.python-version }}" >> "$GITHUB_ENV"
-      shell: bash
+      run: | # zizmor: ignore[github-env] # value is queried from the installed Python interpreter, not user input
+        echo "pythonVersion=$PYTHON_VERSION" >> "$GITHUB_ENV"
+      shell: bash
+      env:
+        PYTHON_VERSION: ${{ steps.get-python-version.outputs.python-version }}