From da53e2f2b4a0894d11ea3d6531abb4c624c2e0c9 Mon Sep 17 00:00:00 2001 From: Alex Fernandez Luces Date: Thu, 2 Oct 2025 13:21:54 +0200 Subject: [PATCH 1/3] fix: Zizmor fixes --- .github/workflows/ci_cd.yml | 33 ++++++++++++++++++--------------- .github/workflows/label.yml | 23 ++++++++++++++--------- 2 files changed, 32 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 499115b3..d5f8088b 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -20,6 +20,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: update-changelog: @@ -30,7 +32,7 @@ jobs: contents: write pull-requests: write steps: - - uses: ansys/actions/doc-deploy-changelog@v10 + - uses: ansys/actions/doc-deploy-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} @@ -42,7 +44,7 @@ jobs: steps: - name: PyAnsys Vulnerability check (on main) if: github.ref == 'refs/heads/main' - uses: ansys/actions/check-vulnerabilities@v10 + uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} python-package-name: ${{ env.PACKAGE_NAME }} @@ -50,7 +52,7 @@ jobs: - name: PyAnsys Vulnerability check (on dev mode) if: github.ref != 'refs/heads/main' - uses: ansys/actions/check-vulnerabilities@v10 + uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} python-package-name: ${{ env.PACKAGE_NAME }} @@ -62,7 +64,7 @@ jobs: runs-on: ubuntu-latest steps: - name: PyAnsys documentation style checks - uses: ansys/actions/doc-style@v10 + uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: token: ${{ secrets.GITHUB_TOKEN }} 
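Review bot: With `permissions: {}` added at workflow level in ci_cd.yml (and again in label.yml), every job without its own `permissions:` block now gets a GITHUB_TOKEN with no scopes, yet several jobs in this series still pass that token to actions. In ci_cd.yml the `docs-style` and `release` hunks show `token: ${{ secrets.GITHUB_TOKEN }}`, but their job headers are partly outside the hunks, so a job-level grant cannot be confirmed from here. In label.yml the visible `label-syncer` and `commenter` headers declare none, and neither does the `actions-security` job added in PATCH 2/3. Each should declare the minimum it needs, for example `issues: write` on `label-syncer`, `pull-requests: write` on `commenter` and `contents: write` on `release`; check the exact scopes against what each action calls. Without them these jobs will most likely fail on permission errors rather than run over-privileged, so the lockdown is sound but looks incomplete.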
@@ -72,10 +74,10 @@ jobs: needs: [docs-style] steps: - name: Setup headless display - uses: pyvista/setup-headless-display-action@v4 + uses: pyvista/setup-headless-display-action@7d84ae825e6d9297a8e99bdbbae20d1b919a0b19 # v4.2 - name: "Run Ansys documentation building action" - uses: ansys/actions/doc-build@v10 + uses: ansys/actions/doc-build@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} add-pdf-html-docs-as-assets: true @@ -95,7 +97,7 @@ jobs: os: macos-latest steps: - name: Build wheelhouse and perform smoke test - uses: ansys/actions/build-wheelhouse@v10 + uses: ansys/actions/build-wheelhouse@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: library-name: ${{ env.PACKAGE_NAME }} operating-system: ${{ matrix.os }} @@ -108,27 +110,28 @@ jobs: runs-on: ubuntu-latest steps: - name: Restore images cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: tests/graphics/image_cache key: pyvista-image-cache-${{ runner.os }}-v-${{ env.RESET_IMAGE_CACHE }}-${{ hashFiles('pyproject.toml') }} restore-keys: pyvista-image-cache-${{ runner.os }}-v-${{ env.RESET_IMAGE_CACHE }} + lookup-only: true - name: "Run pytest" - uses: ansys/actions/tests-pytest@v10 + uses: ansys/actions/tests-pytest@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} requires-xvfb: true - name: Upload PyVista generated images (cache and results) if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: pytest-pyvista-images-${{ runner.os }} path: tests/_image_cache retention-days: 7 - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 name: 'Upload coverage to CodeCov' with: token: ${{ secrets.CODECOV_TOKEN }} 
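Review bot: `lookup-only: true` on the `Restore images cache` step makes `actions/cache` only check whether an entry exists and skip the download, so `tests/graphics/image_cache` is no longer populated before `Run pytest`. If the image-comparison tests rely on that restored baseline, they now run without it, and the step name still says it restores. This was presumably added to satisfy a cache-poisoning finding. If the concern is only release runs, and assuming releases are cut from tags, an expression keeps the cache for ordinary CI: `lookup-only: ${{ github.ref_type == 'tag' }}`. Otherwise rename the step and add a comment such as `# lookup-only: cache is intentionally not restored (cache-poisoning hardening)`. The `tests` job header is outside the hunk.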
@@ -139,7 +142,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Build library source and wheel artifacts - uses: ansys/actions/build-library@v10 + uses: ansys/actions/build-library@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: library-name: ${{ env.PACKAGE_NAME }} python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -151,7 +154,7 @@ jobs: needs: [package] steps: - name: Deploy the latest documentation - uses: ansys/actions/doc-deploy-dev@v10 + uses: ansys/actions/doc-deploy-dev@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: cname: ${{ env.DOCUMENTATION_CNAME }} token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} @@ -183,7 +186,7 @@ jobs: skip-existing: false - name: Release to GitHub - uses: ansys/actions/release-github@v10 + uses: ansys/actions/release-github@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: token: ${{ secrets.GITHUB_TOKEN }} library-name: ${{ env.PACKAGE_NAME }} @@ -195,7 +198,7 @@ jobs: needs: [release] steps: - name: Deploy the stable documentation - uses: ansys/actions/doc-deploy-stable@v10 + uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: cname: ${{ env.DOCUMENTATION_CNAME }} token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 4286cde2..53d79a5c 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -15,13 +15,17 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: label-syncer: name: Syncer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: micnncim/action-label-syncer@v1 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -35,18 +39,18 @@ jobs: steps: # Label based on modified files - name: Label based on changed files - uses: actions/labeler@v6 + uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} sync-labels: true - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 if: | startsWith(github.event.pull_request.head.ref, 'doc') || startsWith(github.event.pull_request.head.ref, 'docs') with: labels: documentation - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 if: | startsWith(github.event.pull_request.head.ref, 'maint') || startsWith(github.event.pull_request.head.ref, 'no-ci') || @@ -54,12 +58,12 @@ jobs: with: labels: maintenance - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 if: startsWith(github.event.pull_request.head.ref, 'feat') with: labels: enhancement - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 if: | startsWith(github.event.pull_request.head.ref, 'fix') || startsWith(github.event.pull_request.head.ref, 'patch') @@ -67,10 +71,11 @@ jobs: labels: bug commenter: + name: "Commenter to suggest adding labels" runs-on: ubuntu-latest steps: - name: Suggest to add labels - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 # Execute only when no labels have been applied to the pull request if: toJSON(github.event.pull_request.labels.*.name) == '{}' with: 
@@ -92,7 +97,7 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: ansys/actions/doc-changelog@v10 + - uses: ansys/actions/doc-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} From 300f23bce2831f35bcc9cdc2e216611a77aa4b55 Mon Sep 17 00:00:00 2001 From: Alex Fernandez Luces Date: Thu, 2 Oct 2025 13:38:17 +0200 Subject: [PATCH 2/3] fix: Add zizmor action --- .github/workflows/ci_cd.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index d5f8088b..b2ec7edf 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -59,6 +59,16 @@ jobs: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} dev-mode: true + actions-security: + name: Actions Security + runs-on: ubuntu-latest + steps: + - uses: ansys/actions/check-actions-security@123a1f17d71f117e0ba29c53d6a0f602e0d8d902 # v10.1.3 + with: + generate-summary: true + token: ${{ secrets.GITHUB_TOKEN }} + auditing-level: 'high' + docs-style: name: Documentation Style Check runs-on: ubuntu-latest From b9c2f6bcfbadc47f22bf85f1da36be4af4a30ebe Mon Sep 17 00:00:00 2001 From: pyansys-ci-bot <92810346+pyansys-ci-bot@users.noreply.github.com> Date: Thu, 2 Oct 2025 11:39:52 +0000 Subject: [PATCH 3/3] chore: adding changelog file 366.miscellaneous.md [dependabot-skip] --- doc/changelog.d/366.miscellaneous.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 doc/changelog.d/366.miscellaneous.md diff --git a/doc/changelog.d/366.miscellaneous.md b/doc/changelog.d/366.miscellaneous.md new file mode 100644 index 00000000..898808e7 --- /dev/null +++ b/doc/changelog.d/366.miscellaneous.md @@ -0,0 +1 @@ +Fix: Zizmor fixes
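Review bot: The new `actions-security` step pins `ansys/actions/check-actions-security` to `123a1f17d71f117e0ba29c53d6a0f602e0d8d902` (`# v10.1.3`), while every other `ansys/actions/*` reference pinned in PATCH 1/3 uses `c2fa7c93f6883114e0e643599431b33d29f0b13f` (`# v10.1.4`). Two different commits of the same action repository in one workflow are harder to audit and to bump together, and the version comment is the only thing tying each hash to a release. Unless v10.1.3 is required here, and assuming the action exists at the newer commit, align it: `uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4`.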