Skip to content

ci: Add ansys/actions/check-actions-security action and related fixes #41

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 17 commits into from
Oct 10, 2025
Merged

ci: Add ansys/actions/check-actions-security action and related fixes #41

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
9b27587
ci: Pin actions used in workflow files with SHA
ecoussoux-ansys Oct 9, 2025
304c6e8
ci: Use argument persist-credentials: false with actions/checkout
ecoussoux-ansys Oct 9, 2025
0ce61df
chore: adding changelog file 41.maintenance.md [dependabot-skip]
pyansys-ci-bot Oct 9, 2025
911f1ca
ci: Provide names to anonymous jobs
ecoussoux-ansys Oct 9, 2025
b4e471d
ci: Remove template expansion from inside job run command
ecoussoux-ansys Oct 9, 2025
7fa63b2
ci: Avoid overly broad permissions for workflow jobs - Add specific o…
ecoussoux-ansys Oct 9, 2025
754e454
Merge branch 'main' into ci/add-actions-security-check
ecoussoux-ansys Oct 9, 2025
040f8d7
ci: Pinning container image to its SHA256 hash
ecoussoux-ansys Oct 9, 2025
d8d9416
ci: Remove cache: 'pip' with actions/setup-python to prevent cache-po…
ecoussoux-ansys Oct 9, 2025
51764b9
ci: Add actions security check to workflow
ecoussoux-ansys Oct 9, 2025
dfda2db
Update .github/workflows/cicd.yml
RobPasMue Oct 10, 2025
a8b616e
Update .github/workflows/cicd.yml
RobPasMue Oct 10, 2025
3475a80
Update .github/workflows/cicd.yml
RobPasMue Oct 10, 2025
fa50de7
Update cicd.yml
RobPasMue Oct 10, 2025
ccea075
Apply suggestions from code review
RobPasMue Oct 10, 2025
1189712
Update pyproject.toml
RobPasMue Oct 10, 2025
4f5484b
Update pyproject.toml
RobPasMue Oct 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
91 changes: 54 additions & 37 deletions .github/workflows/cicd.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@ env:
MAIN_PYTHON_VERSION: 3.13
DOCUMENTATION_CNAME: tools.docs.pyansys.com

permissions:
contents: read

jobs:

update-changelog:
Expand All @@ -24,7 +27,7 @@ jobs:
contents: write
pull-requests: write
steps:
- uses: ansys/actions/doc-deploy-changelog@v10
- uses: ansys/actions/doc-deploy-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
Expand All @@ -35,32 +38,43 @@ jobs:
# name: "Check library vulnerabilities"
# runs-on: ubuntu-latest
# steps:
# - uses: ansys/actions/check-vulnerabilities@v10.0
# - uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
# with:
# python-version: ${{ env.MAIN_PYTHON_VERSION }}
# token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
# python-package-name: ${{ env.PACKAGE_NAME }}
# dev-mode: ${{ github.ref != 'refs/heads/main' }}

actions-security:
name: Check actions security
runs-on: ubuntu-latest
steps:
- uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
generate-summary: true
token: ${{ secrets.GITHUB_TOKEN }}
auditing-level: 'high'

style:
name: Code style
runs-on: ubuntu-latest
steps:
- name: PyAnsys code style checks
uses: ansys/actions/code-style@v10
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}
name: Code style
runs-on: ubuntu-latest
steps:
- name: PyAnsys code style checks
uses: ansys/actions/code-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

smoke-tests:
name: Build and Smoke tests
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
python-version: ['3.10', '3.11', '3.12']
steps:
name: Build and Smoke tests
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
python-version: ['3.10', '3.11', '3.12']
steps:
- name: Build wheelhouse and perform smoke test
uses: ansys/actions/build-wheelhouse@v10
uses: ansys/actions/build-wheelhouse@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
library-name: ${{ env.PACKAGE_NAME }}
operating-system: ${{ matrix.os }}
Expand All @@ -77,12 +91,13 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@v4
uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}
cache: 'pip'

- name: Install uv and create venv
run: |
Expand All @@ -97,7 +112,7 @@ jobs:
uv pip install tests/launcher/pkg_with_entrypoint
uv run pytest

# - uses: codecov/codecov-action@v5
# - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
# name: 'Upload coverage to CodeCov'
# with:
# token: ${{ secrets.CODECOV_TOKEN }}
Expand All @@ -107,7 +122,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: PyAnsys documentation style checks
uses: ansys/actions/doc-style@v10
uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
token: ${{ secrets.GITHUB_TOKEN }}

Expand All @@ -117,21 +132,21 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Build documentation
uses: ansys/actions/doc-build@v10
uses: ansys/actions/doc-build@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}
check-links: false # Delete after first release

package:
name: Package library
runs-on: ubuntu-latest
needs: [tests, doc-build]
steps:
- name: Build library source and wheel artifacts
uses: ansys/actions/build-library@v10
with:
library-name: ${{ env.PACKAGE_NAME }}
python-version: ${{ env.MAIN_PYTHON_VERSION }}
name: Package library
runs-on: ubuntu-latest
needs: [tests, doc-build]
steps:
- name: Build library source and wheel artifacts
uses: ansys/actions/build-library@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
library-name: ${{ env.PACKAGE_NAME }}
python-version: ${{ env.MAIN_PYTHON_VERSION }}

release:
name: Release project
Expand Down Expand Up @@ -159,14 +174,14 @@ jobs:
# skip-existing: false

- name: "Release to the private PyPI repository"
uses: ansys/actions/release-pypi-private@v9
uses: ansys/actions/release-pypi-private@495ca3d79c1627f5b96c469cfbe799718e9dc35f # v9.0.13
with:
library-name: "ansys-tools-common"
twine-username: "__token__"
twine-token: ${{ secrets.PYANSYS_PYPI_PRIVATE_PAT }}

- name: Release to GitHub
uses: ansys/actions/release-github@v10
uses: ansys/actions/release-github@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
token: ${{ secrets.GITHUB_TOKEN }}
library-name: ${{ env.PACKAGE_NAME }}
Expand All @@ -176,11 +191,13 @@ jobs:
if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
runs-on: ubuntu-latest
needs: [release]
permissions:
contents: write
steps:
- name: Deploy the stable documentation
uses: ansys/actions/doc-deploy-stable@v10
uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
cname: ${{ env.DOCUMENTATION_CNAME }}
token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}
bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}
9 changes: 7 additions & 2 deletions .github/workflows/label.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {} # Disable default permissions

jobs:

label-syncer:
Expand All @@ -24,6 +26,8 @@ jobs:
pull-requests: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand Down Expand Up @@ -78,6 +82,7 @@ jobs:
labels: bug

commenter:
name: Suggest labels if none assigned
runs-on: ubuntu-latest
permissions:
contents: read
Expand Down Expand Up @@ -106,10 +111,10 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: ansys/actions/doc-changelog@v10
- uses: ansys/actions/doc-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
use-conventional-commits: true
use-default-towncrier-config: true
bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}
bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}
21 changes: 15 additions & 6 deletions .github/workflows/run_mapdl_tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,16 @@ env:
PACKAGE_NAME: ansys-tools-common
MAIN_PYTHON_VERSION: 3.13

permissions:
contents: read
packages: read

jobs:
build-tests:
name: Build tests
runs-on: ubuntu-22.04
container:
image: ghcr.io/ansys/mapdl:v22.2-ubuntu
image: ghcr.io/ansys/mapdl:v22.2-ubuntu@sha256:024c587f4a8190e99cc3f08a2dc231583032e784a8ef7d7659f8dd9748116697
options: "-u=0:0 --entrypoint /bin/bash"
credentials:
username: ${{ secrets.GH_USERNAME }}
Expand All @@ -27,9 +32,11 @@ jobs:
ON_UBUNTU: true

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
persist-credentials: false
- name: Setup Python
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}
- name: Install uv and create venv
Expand All @@ -40,12 +47,14 @@ jobs:
run: |
uv sync --extra tests
- name: Run tests
env:
PACKAGE_NAMESPACE: ${{ env.PACKAGE_NAMESPACE }}
run: |
uv sync --extra tests --no-dev
uv pip install tests/launcher/pkg_with_entrypoint
uv run pytest -vx --cov=${{ env.PACKAGE_NAMESPACE }} --cov-report=term --cov-report=xml:.cov/coverage.xml --cov-report=html:.cov/html
uv run pytest -vx --cov=${PACKAGE_NAMESPACE} --cov-report=term --cov-report=xml:.cov/coverage.xml --cov-report=html:.cov/html

# - uses: codecov/codecov-action@v5
# - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
# name: 'Upload coverage to CodeCov'
# with:
# token: ${{ secrets.CODECOV_TOKEN }}
# token: ${{ secrets.CODECOV_TOKEN }}
1 change: 1 addition & 0 deletions doc/changelog.d/41.maintenance.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add \`\`ansys/actions/check-actions-security\`\` action and related fixes
5 changes: 1 addition & 4 deletions pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,15 +55,12 @@ tests = [
]

doc = [
"ansys-sphinx-theme==1.5.2",
"ansys-sphinx-theme[autoapi]==1.6.3",
"grpcio==1.71.2",
"grpcio-health-checking==1.71.2",
"sphinx-autoapi==3.6.0",
"sphinx-click==4.4.0",
"sphinx-copybutton==0.5.2",
"sphinx_design==0.6.1",
"sphinx-gallery==0.19.0",
"sphinx-jinja==2.0.2",
]


Expand Down