From 9b27587a20181d20280d9fe33ecae6a7f73478b1 Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Thu, 9 Oct 2025 14:45:20 +0200 Subject: [PATCH 01/16] ci: Pin actions used in workflow files with SHA --- .github/workflows/cicd.yml | 24 ++++++++++++------------ .github/workflows/label.yml | 4 ++-- .github/workflows/run_mapdl_tests.yml | 6 +++--- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index eca413c4..f17b25c8 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -24,7 +24,7 @@ jobs: contents: write pull-requests: write steps: - - uses: ansys/actions/doc-deploy-changelog@v10 + - uses: ansys/actions/doc-deploy-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} @@ -47,7 +47,7 @@ jobs: runs-on: ubuntu-latest steps: - name: PyAnsys code style checks - uses: ansys/actions/code-style@v10 + uses: ansys/actions/code-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} smoke-tests: @@ -60,7 +60,7 @@ jobs: python-version: ['3.10', '3.11', '3.12'] steps: - name: Build wheelhouse and perform smoke test - uses: ansys/actions/build-wheelhouse@v10 + uses: ansys/actions/build-wheelhouse@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: library-name: ${{ env.PACKAGE_NAME }} operating-system: ${{ matrix.os }} @@ -77,9 +77,9 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} cache: 'pip' 
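Review bot: The tests job pins `actions/checkout` at v3.6.0 and `actions/setup-python` at v4.9.1 (hunk -77,9), while run_mapdl_tests.yml in this same patch pins v4.3.0 and v5.6.0. `release-pypi-private` likewise stays on v9.0.13 next to its v10.1.4 siblings in the -159,14 hunk. Pinning freezes these older release lines, so it is worth moving them to the same major as the other workflows when choosing the SHA. The trailing `# vX.Y.Z` comment is not checked by the runner, so each SHA should be confirmed against the upstream tag before merge. The job bodies start and end outside the hunks.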
@@ -107,7 +107,7 @@ jobs: runs-on: ubuntu-latest steps: - name: PyAnsys documentation style checks - uses: ansys/actions/doc-style@v10 + uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: token: ${{ secrets.GITHUB_TOKEN }} @@ -117,7 +117,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Build documentation - uses: ansys/actions/doc-build@v10 + uses: ansys/actions/doc-build@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} check-links: false # Delete after first release @@ -128,7 +128,7 @@ jobs: needs: [tests, doc-build] steps: - name: Build library source and wheel artifacts - uses: ansys/actions/build-library@v10 + uses: ansys/actions/build-library@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: library-name: ${{ env.PACKAGE_NAME }} python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -159,14 +159,14 @@ jobs: # skip-existing: false - name: "Release to the private PyPI repository" - uses: ansys/actions/release-pypi-private@v9 + uses: ansys/actions/release-pypi-private@495ca3d79c1627f5b96c469cfbe799718e9dc35f # v9.0.13 with: library-name: "ansys-tools-common" twine-username: "__token__" twine-token: ${{ secrets.PYANSYS_PYPI_PRIVATE_PAT }} - name: Release to GitHub - uses: ansys/actions/release-github@v10 + uses: ansys/actions/release-github@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: token: ${{ secrets.GITHUB_TOKEN }} library-name: ${{ env.PACKAGE_NAME }} @@ -178,9 +178,9 @@ jobs: needs: [release] steps: - name: Deploy the stable documentation - uses: ansys/actions/doc-deploy-stable@v10 + uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: cname: ${{ env.DOCUMENTATION_CNAME }} token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} - bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }} \ No newline at end of file + bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }} 
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 65bf3a36..c247c58c 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -106,10 +106,10 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: ansys/actions/doc-changelog@v10 + - uses: ansys/actions/doc-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} use-conventional-commits: true use-default-towncrier-config: true bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} - bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }} \ No newline at end of file + bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }} diff --git a/.github/workflows/run_mapdl_tests.yml b/.github/workflows/run_mapdl_tests.yml index 6bcd891e..2b7fa084 100644 --- a/.github/workflows/run_mapdl_tests.yml +++ b/.github/workflows/run_mapdl_tests.yml @@ -27,9 +27,9 @@ jobs: ON_UBUNTU: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: Install uv and create venv @@ -48,4 +48,4 @@ jobs: # - uses: codecov/codecov-action@v5 # name: 'Upload coverage to CodeCov' # with: - # token: ${{ secrets.CODECOV_TOKEN }} \ No newline at end of file + # token: ${{ secrets.CODECOV_TOKEN }} From 304c6e8692f7afdec1e2f8ab488e050dfc1f10e3 Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Thu, 9 Oct 2025 14:52:38 +0200 Subject: [PATCH 02/16] ci: Use argument persist-credentials: false with actions/checkout --- .github/workflows/cicd.yml | 2 ++ .github/workflows/label.yml | 2 ++ .github/workflows/run_mapdl_tests.yml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index f17b25c8..70218802 100644 --- a/.github/workflows/cicd.yml 
+++ b/.github/workflows/cicd.yml @@ -78,6 +78,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index c247c58c..f09997d1 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -24,6 +24,8 @@ jobs: pull-requests: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/run_mapdl_tests.yml b/.github/workflows/run_mapdl_tests.yml index 2b7fa084..9d3c320f 100644 --- a/.github/workflows/run_mapdl_tests.yml +++ b/.github/workflows/run_mapdl_tests.yml @@ -28,6 +28,8 @@ jobs: steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: From 0ce61df14f889b2904e550e8f091c0fc8fd90b72 Mon Sep 17 00:00:00 2001 From: pyansys-ci-bot <92810346+pyansys-ci-bot@users.noreply.github.com> Date: Thu, 9 Oct 2025 12:59:55 +0000 Subject: [PATCH 03/16] chore: adding changelog file 41.maintenance.md [dependabot-skip] --- doc/changelog.d/41.maintenance.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 doc/changelog.d/41.maintenance.md diff --git a/doc/changelog.d/41.maintenance.md b/doc/changelog.d/41.maintenance.md new file mode 100644 index 00000000..e925973f --- /dev/null +++ b/doc/changelog.d/41.maintenance.md @@ -0,0 +1 @@ +Add \`\`ansys/actions/check-actions-security\`\` action and related fixes From 911f1cade15feed5eabf806aa7287e690db9c8f2 Mon Sep 17 00:00:00 2001 
From: Edouard Coussoux Date: Thu, 9 Oct 2025 15:49:56 +0200 Subject: [PATCH 04/16] ci: Provide names to anonymous jobs --- .github/workflows/label.yml | 1 + .github/workflows/run_mapdl_tests.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index f09997d1..04774b8f 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -80,6 +80,7 @@ jobs: labels: bug commenter: + name: Suggest labels if none assigned runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/run_mapdl_tests.yml b/.github/workflows/run_mapdl_tests.yml index 9d3c320f..efe0e8cf 100644 --- a/.github/workflows/run_mapdl_tests.yml +++ b/.github/workflows/run_mapdl_tests.yml @@ -15,6 +15,7 @@ env: jobs: build-tests: + name: Build tests runs-on: ubuntu-22.04 container: image: ghcr.io/ansys/mapdl:v22.2-ubuntu From b4e471d4a42d924f8ef43b0db40d1a4f235b1879 Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Thu, 9 Oct 2025 15:56:32 +0200 Subject: [PATCH 05/16] ci: Remove template expansion from inside job run command --- .github/workflows/run_mapdl_tests.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/run_mapdl_tests.yml b/.github/workflows/run_mapdl_tests.yml index efe0e8cf..0f846b89 100644 --- a/.github/workflows/run_mapdl_tests.yml +++ b/.github/workflows/run_mapdl_tests.yml @@ -43,10 +43,12 @@ jobs: run: | uv sync --extra tests - name: Run tests + env: + PACKAGE_NAMESPACE: ${{ env.PACKAGE_NAMESPACE }} run: | uv sync --extra tests --no-dev uv pip install tests/launcher/pkg_with_entrypoint - uv run pytest -vx --cov=${{ env.PACKAGE_NAMESPACE }} --cov-report=term --cov-report=xml:.cov/coverage.xml --cov-report=html:.cov/html + uv run pytest -vx --cov=${PACKAGE_NAMESPACE} --cov-report=term --cov-report=xml:.cov/coverage.xml --cov-report=html:.cov/html # - uses: codecov/codecov-action@v5 # name: 'Upload coverage to CodeCov' 
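Review bot: `--cov=${PACKAGE_NAMESPACE}` in the Run tests step expands unquoted, so the shell still word-splits and globs the value. Moving the value into an environment variable removes the template injection, but the expansion should also be quoted: `uv run pytest -vx --cov="${PACKAGE_NAMESPACE}" --cov-report=term ...`. If `PACKAGE_NAMESPACE` is already defined in the workflow-level `env:` block (not visible in this hunk), the runner exports it to the step anyway and the added step-level `env:` mapping is redundant. The step list continues outside the hunk.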
From 7fa63b2311aeabeca309983c6be203aad18e7d14 Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Thu, 9 Oct 2025 16:56:38 +0200 Subject: [PATCH 06/16] ci: Avoid overly broad permissions for workflow jobs - Add specific ones for those using secrets --- .github/workflows/cicd.yml | 45 +++++++++++++++++---------- .github/workflows/label.yml | 2 ++ .github/workflows/run_mapdl_tests.yml | 6 +++- 3 files changed, 35 insertions(+), 18 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 70218802..d47738bf 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -14,6 +14,8 @@ env: MAIN_PYTHON_VERSION: 3.13 DOCUMENTATION_CNAME: tools.docs.pyansys.com +permissions: {} # Disable default permissions + jobs: update-changelog: @@ -34,8 +36,10 @@ jobs: # check-vulnerabilities: # name: "Check library vulnerabilities" # runs-on: ubuntu-latest + # permissions: + # contents: read # steps: - # - uses: ansys/actions/check-vulnerabilities@v10.0 + # - uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 # with: # python-version: ${{ env.MAIN_PYTHON_VERSION }} # token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} 
@@ -43,22 +47,23 @@ jobs: # dev-mode: ${{ github.ref != 'refs/heads/main' }} style: - name: Code style - runs-on: ubuntu-latest - steps: - - name: PyAnsys code style checks - uses: ansys/actions/code-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 - with: - python-version: ${{ env.MAIN_PYTHON_VERSION }} + name: Code style + runs-on: ubuntu-latest + steps: + - name: PyAnsys code style checks + uses: ansys/actions/code-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 + with: + python-version: ${{ env.MAIN_PYTHON_VERSION }} + smoke-tests: - name: Build and Smoke tests - runs-on: ${{ matrix.os }} - strategy: - fail-fast: false - matrix: - os: [ubuntu-latest, windows-latest, macos-latest] - python-version: ['3.10', '3.11', '3.12'] - steps: + name: Build and Smoke tests + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest, windows-latest, macos-latest] + python-version: ['3.10', '3.11', '3.12'] + steps: - name: Build wheelhouse and perform smoke test uses: ansys/actions/build-wheelhouse@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: @@ -71,6 +76,8 @@ jobs: name: Testing runs-on: ubuntu-latest needs: [smoke-tests] + permissions: + contents: read env: ANSYS_LOCAL: false ON_UBUNTU: true @@ -99,7 +106,7 @@ jobs: uv pip install tests/launcher/pkg_with_entrypoint uv run pytest - # - uses: codecov/codecov-action@v5 + # - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 # name: 'Upload coverage to CodeCov' # with: # token: ${{ secrets.CODECOV_TOKEN }} @@ -107,6 +114,8 @@ jobs: docs-style: name: Documentation Style Check runs-on: ubuntu-latest + permissions: + contents: read steps: - name: PyAnsys documentation style checks uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 
@@ -178,6 +187,8 @@ jobs: if: github.event_name == 'push' && contains(github.ref, 'refs/tags') runs-on: ubuntu-latest needs: [release] + permissions: + contents: write steps: - name: Deploy the stable documentation uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 04774b8f..3d5bd78f 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -14,6 +14,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} # Disable default permissions + jobs: label-syncer: diff --git a/.github/workflows/run_mapdl_tests.yml b/.github/workflows/run_mapdl_tests.yml index 0f846b89..3c522b66 100644 --- a/.github/workflows/run_mapdl_tests.yml +++ b/.github/workflows/run_mapdl_tests.yml @@ -13,6 +13,10 @@ env: PACKAGE_NAME: ansys-tools-common MAIN_PYTHON_VERSION: 3.13 +permissions: + contents: read + packages: read + jobs: build-tests: name: Build tests @@ -50,7 +54,7 @@ jobs: uv pip install tests/launcher/pkg_with_entrypoint uv run pytest -vx --cov=${PACKAGE_NAMESPACE} --cov-report=term --cov-report=xml:.cov/coverage.xml --cov-report=html:.cov/html - # - uses: codecov/codecov-action@v5 + # - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 # name: 'Upload coverage to CodeCov' # with: # token: ${{ secrets.CODECOV_TOKEN }} From 040f8d7345d1aa7460e30ff555db4549562a426b Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Thu, 9 Oct 2025 19:22:42 +0200 Subject: [PATCH 07/16] ci: Pinning container image to its SHA256 hash --- .github/workflows/run_mapdl_tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run_mapdl_tests.yml b/.github/workflows/run_mapdl_tests.yml index 3c522b66..6736237e 100644 --- a/.github/workflows/run_mapdl_tests.yml +++ b/.github/workflows/run_mapdl_tests.yml 
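Review bot: `contents: write` is granted to the doc-deploy-stable job's GITHUB_TOKEN, but the step passes `token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}`. If the action pushes with the bot token, the job token could stay at `contents: read`. The same question applies to `packages: read` in run_mapdl_tests.yml (hunk -13,6): the container block there supplies its own `credentials:` (username from `secrets.GH_USERNAME`; the password line is outside the visible hunks), so the grant may be unused. Where a grant is needed, a short comment on that line naming the step that requires it would keep it from being widened or copied later.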
@@ -22,7 +22,7 @@ jobs: name: Build tests runs-on: ubuntu-22.04 container: - image: ghcr.io/ansys/mapdl:v22.2-ubuntu + image: ghcr.io/ansys/mapdl:v22.2-ubuntu@sha256:024c587f4a8190e99cc3f08a2dc231583032e784a8ef7d7659f8dd9748116697 options: "-u=0:0 --entrypoint /bin/bash" credentials: username: ${{ secrets.GH_USERNAME }} From d8d9416904cd64fb6c742d6d6ad7c4663ac51675 Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Thu, 9 Oct 2025 19:38:23 +0200 Subject: [PATCH 08/16] ci: Remove cache: 'pip' with actions/setup-python to prevent cache-poisoning vulnerability --- .github/workflows/cicd.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index d47738bf..8450ad8f 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -91,7 +91,6 @@ jobs: uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - cache: 'pip' - name: Install uv and create venv run: | From 51764b9d5805b0fbd3b2689c03282f3c010dee6b Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Thu, 9 Oct 2025 19:56:56 +0200 Subject: [PATCH 09/16] ci: Add actions security check to workflow --- .github/workflows/cicd.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 8450ad8f..8f23bb61 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -46,6 +46,18 @@ jobs: # python-package-name: ${{ env.PACKAGE_NAME }} # dev-mode: ${{ github.ref != 'refs/heads/main' }} + actions-security: + name: Check actions security + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 + with: + generate-summary: true + token: ${{ secrets.GITHUB_TOKEN }} + auditing-level: 'high' + style: name: Code style runs-on: ubuntu-latest 
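Review bot: With `v22.2-ubuntu@sha256:…` the digest decides what is pulled and the tag is not checked against it. The tag is therefore documentation only, and the job keeps using this exact image even after the tag is republished with fixes. A comment such as `# digest of v22.2-ubuntu as of <date>; refresh when the tag is republished` above `image:` would make that explicit, and it is worth confirming that something updates the digest. The container block continues outside the hunk.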
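Review bot: `auditing-level: 'high'` in the new actions-security job presumably limits failures to high-severity findings, which would let lower-severity workflow issues pass without notice. The input's exact meaning is not visible here, so please confirm. If the level is deliberate, a comment such as `# only high-severity findings fail the build; lower levels tracked in <issue>` would record the decision.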
From dfda2dbb2741beeb4c9dbf8392f270b715acdedb Mon Sep 17 00:00:00 2001 From: Roberto Pastor Muela <37798125+RobPasMue@users.noreply.github.com> Date: Fri, 10 Oct 2025 09:06:28 +0200 Subject: [PATCH 10/16] Update .github/workflows/cicd.yml --- .github/workflows/cicd.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 8f23bb61..f7cbb42d 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -70,6 +70,8 @@ jobs: smoke-tests: name: Build and Smoke tests runs-on: ${{ matrix.os }} + permissions: + contents: read strategy: fail-fast: false matrix: From a8b616e6b1c894de905e49548e59157a65a6b7f9 Mon Sep 17 00:00:00 2001 From: Roberto Pastor Muela <37798125+RobPasMue@users.noreply.github.com> Date: Fri, 10 Oct 2025 09:07:09 +0200 Subject: [PATCH 11/16] Update .github/workflows/cicd.yml --- .github/workflows/cicd.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index f7cbb42d..d393ee88 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -138,6 +138,8 @@ jobs: doc-build: name: Build documentation needs: [docs-style] + permissions: + contents: read runs-on: ubuntu-latest steps: - name: Build documentation From 3475a80cbef746641b04936be7a4d937fb6a623b Mon Sep 17 00:00:00 2001 From: Roberto Pastor Muela <37798125+RobPasMue@users.noreply.github.com> Date: Fri, 10 Oct 2025 09:10:51 +0200 Subject: [PATCH 12/16] Update .github/workflows/cicd.yml --- .github/workflows/cicd.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index d393ee88..c8c95ebf 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -60,6 +60,8 @@ jobs: style: name: Code style + permissions: + contents: read runs-on: ubuntu-latest steps: - name: PyAnsys code style checks From fa50de7f858bc467be7f35599b1d9a80c2205167 Mon Sep 17 00:00:00 2001 
From: Roberto Pastor Muela <37798125+RobPasMue@users.noreply.github.com> Date: Fri, 10 Oct 2025 09:12:39 +0200 Subject: [PATCH 13/16] Update cicd.yml --- .github/workflows/cicd.yml | 35 +++++++++++------------------------ 1 file changed, 11 insertions(+), 24 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index c8c95ebf..c4acc5ba 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -14,7 +14,8 @@ env: MAIN_PYTHON_VERSION: 3.13 DOCUMENTATION_CNAME: tools.docs.pyansys.com -permissions: {} # Disable default permissions +permissions: + contents: read jobs: @@ -36,8 +37,6 @@ jobs: # check-vulnerabilities: # name: "Check library vulnerabilities" # runs-on: ubuntu-latest - # permissions: - # contents: read # steps: # - uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 # with: @@ -49,8 +48,6 @@ jobs: actions-security: name: Check actions security runs-on: ubuntu-latest - permissions: - contents: read steps: - uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: @@ -60,8 +57,6 @@ jobs: style: name: Code style - permissions: - contents: read runs-on: ubuntu-latest steps: - name: PyAnsys code style checks @@ -72,8 +67,6 @@ jobs: smoke-tests: name: Build and Smoke tests runs-on: ${{ matrix.os }} - permissions: - contents: read strategy: fail-fast: false matrix: @@ -92,8 +85,6 @@ jobs: name: Testing runs-on: ubuntu-latest needs: [smoke-tests] - permissions: - contents: read env: ANSYS_LOCAL: false ON_UBUNTU: true @@ -129,8 +120,6 @@ jobs: docs-style: name: Documentation Style Check runs-on: ubuntu-latest - permissions: - contents: read steps: - name: PyAnsys documentation style checks uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 @@ -140,8 +129,6 @@ jobs: doc-build: name: Build documentation needs: [docs-style] - permissions: - contents: read runs-on: ubuntu-latest steps: - name: Build documentation 
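Review bot: Replacing `permissions: {}` with a workflow-level `contents: read` (hunk -14,7) and deleting the job-level blocks makes every job without its own block inherit read-only contents, including any job that writes. The release job calls `release-github` with `secrets.GITHUB_TOKEN` (visible in patch 01), which presumably needs `contents: write`. Its header is outside every hunk in this series, so confirm it declares `permissions: contents: write`. The removed `# Disable default permissions` comment could be replaced with `# Default for all jobs; jobs that write declare their own permissions block`.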
@@ -151,15 +138,15 @@ jobs: check-links: false # Delete after first release package: - name: Package library - runs-on: ubuntu-latest - needs: [tests, doc-build] - steps: - - name: Build library source and wheel artifacts - uses: ansys/actions/build-library@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 - with: - library-name: ${{ env.PACKAGE_NAME }} - python-version: ${{ env.MAIN_PYTHON_VERSION }} + name: Package library + runs-on: ubuntu-latest + needs: [tests, doc-build] + steps: + - name: Build library source and wheel artifacts + uses: ansys/actions/build-library@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 + with: + library-name: ${{ env.PACKAGE_NAME }} + python-version: ${{ env.MAIN_PYTHON_VERSION }} release: name: Release project From ccea075be3c521bc518d1ebd5a33631eae9f0b70 Mon Sep 17 00:00:00 2001 From: Roberto Pastor Muela <37798125+RobPasMue@users.noreply.github.com> Date: Fri, 10 Oct 2025 09:16:47 +0200 Subject: [PATCH 14/16] Apply suggestions from code review --- .github/workflows/cicd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index c4acc5ba..b212f05f 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -54,7 +54,7 @@ jobs: generate-summary: true token: ${{ secrets.GITHUB_TOKEN }} auditing-level: 'high' - + style: name: Code style runs-on: ubuntu-latest @@ -63,7 +63,7 @@ jobs: uses: ansys/actions/code-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - + smoke-tests: name: Build and Smoke tests runs-on: ${{ matrix.os }} From 1189712bbaf990d90d2fefc00fadedbaf3f75d26 Mon Sep 17 00:00:00 2001 From: Roberto Pastor Muela <37798125+RobPasMue@users.noreply.github.com> Date: Fri, 10 Oct 2025 09:17:24 +0200 Subject: [PATCH 15/16] Update pyproject.toml --- pyproject.toml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/pyproject.toml b/pyproject.toml index 5e6d76eb..daa4652b 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -55,15 +55,13 @@ tests = [ ] doc = [ - "ansys-sphinx-theme==1.5.2", + "ansys-sphinx-theme[autoapi]==1.6.3", "grpcio==1.71.2", "grpcio-health-checking==1.71.2", "sphinx-autoapi==3.6.0", "sphinx-click==4.4.0", "sphinx-copybutton==0.5.2", - "sphinx_design==0.6.1", "sphinx-gallery==0.19.0", - "sphinx-jinja==2.0.2", ] From 4f5484b5278c0e6b19e0ffda3ab39d6a70dd9eec Mon Sep 17 00:00:00 2001 From: Roberto Pastor Muela <37798125+RobPasMue@users.noreply.github.com> Date: Fri, 10 Oct 2025 09:19:39 +0200 Subject: [PATCH 16/16] Update pyproject.toml --- pyproject.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index daa4652b..a53c0a7b 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -58,7 +58,6 @@ doc = [ "ansys-sphinx-theme[autoapi]==1.6.3", "grpcio==1.71.2", "grpcio-health-checking==1.71.2", - "sphinx-autoapi==3.6.0", "sphinx-click==4.4.0", "sphinx-copybutton==0.5.2", "sphinx-gallery==0.19.0",
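Review bot: Dropping the exact pins for `sphinx_design` and `sphinx-jinja` (and `sphinx-autoapi` in patch 16) leaves their versions to whatever `ansys-sphinx-theme[autoapi]==1.6.3` allows, assuming the theme is what now pulls them in. Every entry in the `doc` extra was pinned exactly before, so the docs build is no longer reproducible from this list alone unless a lock or constraints file fixes the transitive versions; that is worth confirming. A comment such as `# sphinx-autoapi, sphinx_design and sphinx-jinja come in via ansys-sphinx-theme[autoapi]` above the theme line would explain the removals.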