diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index eca413c4..b212f05f 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -14,6 +14,9 @@ env:
   MAIN_PYTHON_VERSION: 3.13
   DOCUMENTATION_CNAME: tools.docs.pyansys.com
 
+permissions:
+  contents: read
+
 jobs:
   update-changelog:
@@ -24,7 +27,7 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-      - uses: ansys/actions/doc-deploy-changelog@v10
+      - uses: ansys/actions/doc-deploy-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
           bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
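Review bot: The `update-changelog` job keeps `contents: write` and `pull-requests: write` on GITHUB_TOKEN while its doc-deploy-changelog step authenticates with `secrets.PYANSYS_CI_BOT_TOKEN`; if the action only uses its `token` input, those job-level grants are unused and could be dropped to match the `contents: read` baseline this commit introduces at the top of the file. The same question applies to the `permissions: contents: write` added to the documentation deploy job in the `@@ -176` hunk, whose step also passes `PYANSYS_CI_BOT_TOKEN`. Worth checking the action's inputs before tightening; the job header is outside this hunk.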
@@ -35,32 +38,43 @@ jobs:
   #   name: "Check library vulnerabilities"
   #   runs-on: ubuntu-latest
   #   steps:
-  #     - uses: ansys/actions/check-vulnerabilities@v10.0
+  #     - uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
   #       with:
   #         python-version: ${{ env.MAIN_PYTHON_VERSION }}
   #         token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
   #         python-package-name: ${{ env.PACKAGE_NAME }}
   #         dev-mode: ${{ github.ref != 'refs/heads/main' }}
 
+  actions-security:
+    name: Check actions security
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
+        with:
+          generate-summary: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+          auditing-level: 'high'
+
   style:
-    name: Code style
-    runs-on: ubuntu-latest
-    steps:
-      - name: PyAnsys code style checks
-        uses: ansys/actions/code-style@v10
-        with:
-          python-version: ${{ env.MAIN_PYTHON_VERSION }}
+    name: Code style
+    runs-on: ubuntu-latest
+    steps:
+      - name: PyAnsys code style checks
+        uses: ansys/actions/code-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
+        with:
+          python-version: ${{ env.MAIN_PYTHON_VERSION }}
+
   smoke-tests:
-    name: Build and Smoke tests
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest]
-        python-version: ['3.10', '3.11', '3.12']
-    steps:
+    name: Build and Smoke tests
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+        python-version: ['3.10', '3.11', '3.12']
+    steps:
       - name: Build wheelhouse and perform smoke test
-        uses: ansys/actions/build-wheelhouse@v10
+        uses: ansys/actions/build-wheelhouse@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           library-name: ${{ env.PACKAGE_NAME }}
           operating-system: ${{ matrix.os }}
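Review bot: The new `actions-security` job is not referenced by any `needs:` — `package` depends on `[tests, doc-build]` only (see the `@@ -117` hunk) — so a high-severity finding from check-actions-security fails this job but does not block packaging or release unless branch protection lists the check as required. Either add it to the gate, e.g. `needs: [tests, doc-build, actions-security]` on `package`, or confirm the required-check configuration covers it. The `style` and `smoke-tests` blocks are removed and re-added with identical text, which looks like an indentation-only change; a whitespace-ignoring diff would make the real edits in this hunk easier to review.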
@@ -77,12 +91,13 @@ jobs:
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
         with:
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
-          cache: 'pip'
       - name: Install uv and create venv
         run: |
@@ -97,7 +112,7 @@ jobs:
           uv pip install tests/launcher/pkg_with_entrypoint
           uv run pytest
 
-      # - uses: codecov/codecov-action@v5
+      # - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
       #   name: 'Upload coverage to CodeCov'
       #   with:
       #     token: ${{ secrets.CODECOV_TOKEN }}
@@ -107,7 +122,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: PyAnsys documentation style checks
-        uses: ansys/actions/doc-style@v10
+        uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -117,21 +132,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Build documentation
-        uses: ansys/actions/doc-build@v10
+        uses: ansys/actions/doc-build@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
           check-links: false # Delete after first release
 
   package:
-    name: Package library
-    runs-on: ubuntu-latest
-    needs: [tests, doc-build]
-    steps:
-      - name: Build library source and wheel artifacts
-        uses: ansys/actions/build-library@v10
-        with:
-          library-name: ${{ env.PACKAGE_NAME }}
-          python-version: ${{ env.MAIN_PYTHON_VERSION }}
+    name: Package library
+    runs-on: ubuntu-latest
+    needs: [tests, doc-build]
+    steps:
+      - name: Build library source and wheel artifacts
+        uses: ansys/actions/build-library@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
+        with:
+          library-name: ${{ env.PACKAGE_NAME }}
+          python-version: ${{ env.MAIN_PYTHON_VERSION }}
 
   release:
     name: Release project
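Review bot: The `tests` job pins `actions/checkout` at v3.6.0 and `actions/setup-python` at v4.9.1, while `run_mapdl_tests.yml` in the same commit pins v4.3.0 and v5.6.0; as far as I know the older majors still declare the Node 16 runtime GitHub has deprecated, so pinning them freezes a version that already warns. Using the same refs as run_mapdl_tests.yml here, `uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0` and `uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0`, keeps one pinned version per action across the repository's workflows. The hunk also drops `cache: 'pip'` from setup-python without a note; since the job installs with uv this is probably dead configuration, but a line in the commit message or changelog would record why it went.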
@@ -159,14 +174,14 @@ jobs:
       #     skip-existing: false
 
       - name: "Release to the private PyPI repository"
-        uses: ansys/actions/release-pypi-private@v9
+        uses: ansys/actions/release-pypi-private@495ca3d79c1627f5b96c469cfbe799718e9dc35f # v9.0.13
         with:
           library-name: "ansys-tools-common"
           twine-username: "__token__"
           twine-token: ${{ secrets.PYANSYS_PYPI_PRIVATE_PAT }}
 
       - name: Release to GitHub
-        uses: ansys/actions/release-github@v10
+        uses: ansys/actions/release-github@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           library-name: ${{ env.PACKAGE_NAME }}
@@ -176,11 +191,13 @@ jobs:
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
     needs: [release]
+    permissions:
+      contents: write
     steps:
       - name: Deploy the stable documentation
-        uses: ansys/actions/doc-deploy-stable@v10
+        uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           cname: ${{ env.DOCUMENTATION_CNAME }}
           token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
           bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
-          bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}
\ No newline at end of file
+          bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index 65bf3a36..3d5bd78f 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {} # Disable default permissions
+
 jobs:
   label-syncer:
@@ -24,6 +26,8 @@ jobs:
       pull-requests: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -78,6 +82,7 @@ jobs:
           labels: bug
 
   commenter:
+    name: Suggest labels if none assigned
     runs-on: ubuntu-latest
     permissions:
       contents: read
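Review bot: The `Release to GitHub` step authenticates with `secrets.GITHUB_TOKEN`, and with the top-level `permissions: contents: read` this commit adds in the first hunk of cicd.yml that token can no longer create a release unless the `release` job declares `permissions: contents: write` itself; the job header is outside this hunk, so please confirm it does (the documentation deploy job in the `@@ -176` hunk received exactly that addition). Separately, `release-pypi-private` stays on the v9 line (v9.0.13) while every other ansys/actions reference is pinned to v10.1.4; if that is deliberate, a trailing comment such as `# intentionally on v9: <reason>` would stop the next dependency bump from "fixing" it.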
@@ -106,10 +111,10 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: ansys/actions/doc-changelog@v10
+      - uses: ansys/actions/doc-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
           use-conventional-commits: true
           use-default-towncrier-config: true
           bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
-          bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}
\ No newline at end of file
+          bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}
diff --git a/.github/workflows/run_mapdl_tests.yml b/.github/workflows/run_mapdl_tests.yml
index 6bcd891e..6736237e 100644
--- a/.github/workflows/run_mapdl_tests.yml
+++ b/.github/workflows/run_mapdl_tests.yml
@@ -13,11 +13,16 @@ env:
   PACKAGE_NAME: ansys-tools-common
   MAIN_PYTHON_VERSION: 3.13
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   build-tests:
+    name: Build tests
     runs-on: ubuntu-22.04
     container:
-      image: ghcr.io/ansys/mapdl:v22.2-ubuntu
+      image: ghcr.io/ansys/mapdl:v22.2-ubuntu@sha256:024c587f4a8190e99cc3f08a2dc231583032e784a8ef7d7659f8dd9748116697
       options: "-u=0:0 --entrypoint /bin/bash"
       credentials:
         username: ${{ secrets.GH_USERNAME }}
@@ -27,9 +32,11 @@ jobs:
       ON_UBUNTU: true
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        with:
+          persist-credentials: false
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
       - name: Install uv and create venv
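Review bot: The new top-level `packages: read` grant in run_mapdl_tests.yml only matters if the container image is pulled with `GITHUB_TOKEN`, but `credentials.username` is `secrets.GH_USERNAME`, which suggests a separate personal access token does the pull (the password line sits just below the hunk). If that is the case, `packages: read` can be dropped so the workflow baseline stays at `contents: read`; if the intent is to move the pull to `GITHUB_TOKEN`, the credentials block should change in the same commit so the two stay in step. Pinning the image by digest is the right call; note that when both a tag and a digest are given the digest is what is resolved, so `v22.2-ubuntu` is now documentation only and should be kept in sync with the digest on future bumps.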
@@ -40,12 +47,14 @@ jobs:
         run: |
           uv sync --extra tests
       - name: Run tests
+        env:
+          PACKAGE_NAMESPACE: ${{ env.PACKAGE_NAMESPACE }}
         run: |
           uv sync --extra tests --no-dev
           uv pip install tests/launcher/pkg_with_entrypoint
-          uv run pytest -vx --cov=${{ env.PACKAGE_NAMESPACE }} --cov-report=term --cov-report=xml:.cov/coverage.xml --cov-report=html:.cov/html
+          uv run pytest -vx --cov=${PACKAGE_NAMESPACE} --cov-report=term --cov-report=xml:.cov/coverage.xml --cov-report=html:.cov/html
 
-      # - uses: codecov/codecov-action@v5
+      # - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
       #   name: 'Upload coverage to CodeCov'
       #   with:
-      #     token: ${{ secrets.CODECOV_TOKEN }}
\ No newline at end of file
+      #     token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/doc/changelog.d/41.maintenance.md b/doc/changelog.d/41.maintenance.md
new file mode 100644
index 00000000..e925973f
--- /dev/null
+++ b/doc/changelog.d/41.maintenance.md
@@ -0,0 +1 @@
+Add \`\`ansys/actions/check-actions-security\`\` action and related fixes
diff --git a/pyproject.toml b/pyproject.toml
index 5e6d76eb..a53c0a7b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -55,15 +55,12 @@ tests = [
 ]
 doc = [
-    "ansys-sphinx-theme==1.5.2",
+    "ansys-sphinx-theme[autoapi]==1.6.3",
     "grpcio==1.71.2",
     "grpcio-health-checking==1.71.2",
-    "sphinx-autoapi==3.6.0",
     "sphinx-click==4.4.0",
     "sphinx-copybutton==0.5.2",
-    "sphinx_design==0.6.1",
     "sphinx-gallery==0.19.0",
-    "sphinx-jinja==2.0.2",
 ]
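Review bot: Replacing the inline `${{ env.PACKAGE_NAMESPACE }}` in the `run:` script with `${PACKAGE_NAMESPACE}` is the right fix for expression injection, but the new step-level `env:` mapping on the `Run tests` step is redundant: a variable defined in a workflow- or job-level `env:` block is already exported to every step's shell, and the only value it reads back is that same `env.PACKAGE_NAMESPACE`. Unless PACKAGE_NAMESPACE is defined somewhere other than an `env:` block (its definition is above the visible hunks), the two added `env:` lines can be dropped and the rewritten `pytest` line kept as is. If it is kept for clarity, a one-line comment such as `# re-exported so the shell reads it as $PACKAGE_NAMESPACE, not via an expression` would explain the apparent duplication.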