diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 436908264..ddaaaec95 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -42,6 +42,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: update-changelog: name: "Update CHANGELOG for new tag" @@ -51,7 +53,7 @@ jobs: contents: write pull-requests: write steps: - - uses: ansys/actions/doc-deploy-changelog@33399106dc8b62d83c8aad1fb2c333c8055df180 # v10.0.20 + - uses: ansys/actions/doc-deploy-changelog@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} @@ -60,28 +62,34 @@ jobs: style: name: Code style runs-on: ubuntu-latest + permissions: + contents: read steps: - name: PyAnsys code style checks - uses: ansys/actions/code-style@33399106dc8b62d83c8aad1fb2c333c8055df180 # v10.0.20 + uses: ansys/actions/code-style@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} doc-style: name: Documentation Style Check runs-on: ubuntu-latest + permissions: + contents: read steps: - name: PyAnsys documentation style checks - uses: ansys/actions/doc-style@33399106dc8b62d83c8aad1fb2c333c8055df180 # v10.0.20 + uses: ansys/actions/doc-style@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: token: ${{ secrets.GITHUB_TOKEN }} - vulnerabilities: - name: Vulnerabilities + check-vulnerabilities: + name: Check Vulnerabilities runs-on: ubuntu-latest + permissions: + contents: read steps: - name: PyAnsys Vulnerability check (on main) if: github.ref == 'refs/heads/main' - uses: ansys/actions/check-vulnerabilities@33399106dc8b62d83c8aad1fb2c333c8055df180 # v10.0.20 + uses: ansys/actions/check-vulnerabilities@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} python-package-name: ${{ env.PACKAGE_NAME }} 
@@ -89,13 +97,26 @@ jobs: - name: PyAnsys Vulnerability check (on dev mode) if: github.ref != 'refs/heads/main' - uses: ansys/actions/check-vulnerabilities@33399106dc8b62d83c8aad1fb2c333c8055df180 # v10.0.20 + uses: ansys/actions/check-vulnerabilities@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} python-package-name: ${{ env.PACKAGE_NAME }} token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} dev-mode: true + check-actions-security: + name: "Check Actions Security" + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: ansys/actions/check-actions-security@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 + with: + generate-summary: true + token: ${{ secrets.GITHUB_TOKEN }} + auditing-level: 'high' + trust-ansys-actions: true + smoke-tests: name: Build and Smoke tests runs-on: ${{ matrix.os }} @@ -110,9 +131,11 @@ jobs: exclude: - should-release: false os: macos-latest + permissions: + contents: read steps: - name: Build wheelhouse and perform smoke test - uses: ansys/actions/build-wheelhouse@33399106dc8b62d83c8aad1fb2c333c8055df180 # v10.0.20 + uses: ansys/actions/build-wheelhouse@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: library-name: ${{ env.PACKAGE_NAME }} operating-system: ${{ matrix.os }} 
@@ -126,37 +149,43 @@ jobs: test_revn: '${{ steps.save-versions.outputs.test_revn }}' test_container: ${{ steps.save-versions.outputs.test_container }} test_docker_image_version: '${{ steps.save-versions.outputs.test_docker_image_version }}' + permissions: + contents: read steps: - id: save-versions + env: + GH_EVENT_NAME: ${{ github.event_name }} + REVN_INPUT: ${{ github.event.inputs.revn }} + DEV_REVN: ${{ env.DEV_REVN }} + DOCKER_PACKAGE: ${{ env.DOCKER_PACKAGE }} + STABLE_REVN: ${{ env.STABLE_REVN }} run: | - if ${{ github.event_name == 'schedule' }} || [[ "${{ inputs.revn }}" == "candidate" ]]; then - echo "test_revn=${{ env.DEV_REVN}}" >> $GITHUB_OUTPUT - test_mech_revn=${{ env.DEV_REVN}} + # --- Help ---- + # schedule nightly uses DEV_REVN candidate + # PRs and merges use STABLE_REVN + # Workflow dispatch can use any revision number + + if [[ "${GH_EVENT_NAME}" == "schedule" ]] || [[ "${REVN_INPUT}" == "candidate" ]]; then + echo "test_revn=${DEV_REVN}" >> $GITHUB_OUTPUT + test_mech_revn=${DEV_REVN} test_mech_image_version=${test_mech_revn:0:2}.${test_mech_revn:2}_candidate - echo "test_container=${{ env.DOCKER_PACKAGE }}:$test_mech_image_version" >> $GITHUB_OUTPUT + echo "test_container=${DOCKER_PACKAGE}:$test_mech_image_version" >> $GITHUB_OUTPUT echo "test_docker_image_version=$test_mech_image_version" >> $GITHUB_OUTPUT else - if [[ -z "${{inputs.revn}}" ]]; then - mech_revn=${{ env.STABLE_REVN }} + if [[ -z "${REVN_INPUT}" ]]; then + mech_revn=${STABLE_REVN} else - mech_revn=${{inputs.revn}} + mech_revn=${REVN_INPUT} fi export mech_image_version=${mech_revn:0:2}.${mech_revn:2}.0 echo "test_revn=$mech_revn" >> $GITHUB_OUTPUT - echo "test_container=${{ env.DOCKER_PACKAGE }}:$mech_image_version" >> $GITHUB_OUTPUT + echo "test_container=${DOCKER_PACKAGE}:$mech_image_version" >> $GITHUB_OUTPUT echo "test_docker_image_version=$mech_image_version" >> $GITHUB_OUTPUT fi - stable_mech_revn=${{ env.STABLE_REVN }} + stable_mech_revn=${STABLE_REVN} 
stable_mech_image_version=${mech_revn:0:2}.${mech_revn:2}.0 - echo "stable_container=${{ env.DOCKER_PACKAGE }}:$stable_mech_image_version" >> $GITHUB_OUTPUT - - echo $GITHUB_OUTPUT - - # --- Help ---- - # schedule nightly uses DEV_REVN candidate - # PRs and merges use STABLE_REVN - # Workflow dispatch can use any revision number + echo "stable_container=${DOCKER_PACKAGE}:$stable_mech_image_version" >> $GITHUB_OUTPUT test-container-info: name: Get SHA of test container @@ -167,6 +196,8 @@ jobs: strategy: matrix: test_container: ['${{ needs.revn-variations.outputs.test_container }}'] + permissions: + packages: read steps: - name: Login in Github Container registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 
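Review bot: `stable_mech_image_version=${mech_revn:0:2}.${mech_revn:2}.0`, the line following the rewritten `stable_mech_revn=${STABLE_REVN}`, still derives the stable tag from `mech_revn`, which is only assigned in the else branch, so on the schedule/candidate path `stable_container` is built from an empty value and on a dispatch with an explicit revision it follows that input rather than `STABLE_REVN`; it appears to be an unchanged line that the commit leaves as-is. Change it to `stable_mech_image_version=${stable_mech_revn:0:2}.${stable_mech_revn:2}.0`. Routing `github.event.inputs.revn` through the `REVN_INPUT` env entry is the right way to keep the dispatch input out of the script text; the `DEV_REVN`, `DOCKER_PACKAGE` and `STABLE_REVN` entries look like re-exports of workflow-level env the shell already receives, harmless but removable. The `revn-variations` job header lies before this hunk.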
@@ -184,42 +215,54 @@ jobs: pip install jq # Get docker info - image_info=$(docker manifest inspect -v ${{ env.MECHANICAL_IMAGE }}) # --format ".Descriptor.digest" + image_info=$(docker manifest inspect -v ${MECHANICAL_IMAGE}) # --format ".Descriptor.digest" # Get digest SHA digest=$(echo "$image_info" | jq -r '.Descriptor.digest') # Remove the "sha256:" prefix to get only the SHA sha="${digest#*:}" - echo "SHA of image ${{ env.MECHANICAL_IMAGE }} is $sha" + echo "SHA of image ${MECHANICAL_IMAGE} is $sha" echo "sha=$sha" >> $GITHUB_OUTPUT config-matrix: + name: Configure matrix runs-on: ubuntu-latest needs: [revn-variations] outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} + permissions: + contents: read steps: - id: set-matrix + env: + GH_EVENT_NAME: ${{ github.event_name }} + TEST_DOCKER_IMAGE_VERSION: ${{ needs.revn-variations.outputs.test_docker_image_version }} + GH_REF: ${{ github.ref }} run: | # if a tag(release) is pushed, test all versions - if ${{ github.event_name == 'push' }} && ${{ contains(github.ref, 'refs/tags') }}; then + if [[ "${GH_EVENT_NAME}" == "push" ]] && [[ "$GH_REF" =~ "refs/tags" ]]; then echo "matrix={\"mechanical-version\":['24.1.0', '24.2.0', '25.1.0', '25.2.0'],\"experimental\":[false]}" >> $GITHUB_OUTPUT else - echo "matrix={\"mechanical-version\":['${{ needs.revn-variations.outputs.test_docker_image_version }}'],\"experimental\":[false]}" >> $GITHUB_OUTPUT + echo "matrix={\"mechanical-version\":["${TEST_DOCKER_IMAGE_VERSION}"],\"experimental\":[false]}" >> $GITHUB_OUTPUT fi container-stability-check: + name: Container stability check runs-on: ubuntu-latest needs: [revn-variations] outputs: container_stable_exit: ${{ steps.check_stability.outputs.container_stable_exit }} + permissions: + contents: read steps: - id: check_stability + env: + TEST_DOCKER_IMAGE_VERSION: ${{ needs.revn-variations.outputs.test_docker_image_version }} run: | sudo apt update sudo apt install bc -y - container_version=$(echo "${{ 
needs.revn-variations.outputs.test_docker_image_version }}" | grep -o -E '[0-9]+(\.[0-9]+)?' | head -n 1) + container_version=$(echo "${TEST_DOCKER_IMAGE_VERSION}" | grep -o -E '[0-9]+(\.[0-9]+)?' | head -n 1) if (( $(echo "$container_version > 24.2" | bc -l) )); then echo "container_stable_exit=true" >> $GITHUB_OUTPUT else @@ -234,6 +277,9 @@ jobs: strategy: fail-fast: false matrix: ${{ fromJSON(needs.config-matrix.outputs.matrix) }} + permissions: + contents: read + packages: read steps: - name: Login in Github Container registry uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 @@ -248,11 +294,14 @@ jobs: # ANSYS_WORKBENCH_LOGGING_CONSOLE: 0 # ANSYS_WORKBENCH_LOGGING_DIRECTORY: /log_file # workbench.log file ANSYS_WORKBENCH_LOGGING_AUTO_FLUSH: 0 # turn off autoflush for faster performance + DOCKER_MECH_CONTAINER_NAME: ${{ env.DOCKER_MECH_CONTAINER_NAME }} + LICENSE_SERVER: ${{ env.LICENSE_SERVER }} + PYMECHANICAL_PORT: ${{ env.PYMECHANICAL_PORT }} run: | - docker pull ${{ env.MECHANICAL_IMAGE }} + docker pull ${MECHANICAL_IMAGE} echo "Run docker in detached mode" - docker run -d --name ${{ env.DOCKER_MECH_CONTAINER_NAME }} -e ANSYSLMD_LICENSE_FILE=1055@${{ env.LICENSE_SERVER }} -p ${{ env.PYMECHANICAL_PORT }}:10000 ${{ env.MECHANICAL_IMAGE }} + docker run -d --name ${DOCKER_MECH_CONTAINER_NAME} -e ANSYSLMD_LICENSE_FILE=1055@${LICENSE_SERVER} -p ${PYMECHANICAL_PORT}:10000 ${MECHANICAL_IMAGE} # Wait for Mechanical to initialize with intelligent polling max_wait=300 # Maximum wait time in seconds @@ -261,7 +310,7 @@ jobs: echo "Waiting for Mechanical to initialize..." while [ $elapsed -lt $max_wait ]; do - docker logs ${{ env.DOCKER_MECH_CONTAINER_NAME }} > log.txt + docker logs ${DOCKER_MECH_CONTAINER_NAME} > log.txt if grep -q 'WB Initialize Done' log.txt 2>/dev/null; then echo "Mechanical initialized successfully after ${elapsed} seconds" break 
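Review bot: In `config-matrix`'s else branch the rewritten echo drops the quotes around the version: inside the double-quoted string, `["${TEST_DOCKER_IMAGE_VERSION}"]` closes and reopens the shell string, so the line emits `"mechanical-version":[25.2.0]` (constructed example) with a bare element, whereas the original emitted a quoted one; the consumer `matrix: ${{ fromJSON(needs.config-matrix.outputs.matrix) }}` in the next hunk will reject that. Keep the element quoted as the release branch on the previous line does, e.g. `['${TEST_DOCKER_IMAGE_VERSION}']`, or escape it as `[\"${TEST_DOCKER_IMAGE_VERSION}\"]`. Moving the job output into the `TEST_DOCKER_IMAGE_VERSION` env entry is otherwise the right direction, as is the equivalent change in `container-stability-check` further down the hunk.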
@@ -272,7 +321,7 @@ jobs: done # Final check - docker logs ${{ env.DOCKER_MECH_CONTAINER_NAME }} > log.txt + docker logs ${DOCKER_MECH_CONTAINER_NAME} > log.txt if ! grep -q 'WB Initialize Done' log.txt 2>/dev/null; then echo "ERROR: Mechanical failed to initialize within ${max_wait} seconds" echo "=== Last 50 lines of log.txt ===" @@ -283,9 +332,13 @@ jobs: - name: Display info if: github.event_name == 'schedule' id: capture_info + env: + DOCKER_PACKAGE: ${{ env.DOCKER_PACKAGE }} + MECH_VERSION: ${{ matrix.mechanical-version }} + TEST_REVN: ${{ needs.revn-variations.outputs.test_revn }} run: | - IMAGE_NAME=${{ env.DOCKER_PACKAGE }}:${{ matrix.mechanical-version }} - BUILD_DATE=$(docker run --rm --entrypoint head $IMAGE_NAME -n 1 /install/ansys_inc/v${{ needs.revn-variations.outputs.test_revn }}/aisol/CommonFiles/builddate.txt) + IMAGE_NAME=${DOCKER_PACKAGE}:${MECH_VERSION} + BUILD_DATE=$(docker run --rm --entrypoint head $IMAGE_NAME -n 1 /install/ansys_inc/v${TEST_REVN}/aisol/CommonFiles/builddate.txt) PUSHED_AT=$(docker inspect --format='{{.Created}}' $IMAGE_NAME) echo "docker_info=$IMAGE_NAME was pushed at: $PUSHED_AT" >> $GITHUB_OUTPUT echo "::group::Docker Info" 
@@ -296,18 +349,22 @@ jobs: echo "::endgroup::" - name: Testing - uses: ansys/actions/tests-pytest@33399106dc8b62d83c8aad1fb2c333c8055df180 # v10.0.20 + uses: ansys/actions/tests-pytest@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 + env: + MAIN_PYTHON_VERSION: ${{ env.MAIN_PYTHON_VERSION }} with: - python-version: ${{ env.MAIN_PYTHON_VERSION }} + python-version: ${MAIN_PYTHON_VERSION} pytest-markers: '-m remote_session_connect' - pytest-extra-args: '-s --junitxml remote_results${{ env.MAIN_PYTHON_VERSION}}.xml' + pytest-extra-args: '-s --junitxml remote_results${MAIN_PYTHON_VERSION}.xml' - name: Publish Test Report uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6 # v6.0.1 if: always() + env: + MAIN_PYTHON_VERSION: ${{ env.MAIN_PYTHON_VERSION }} with: report_paths: '**/remote_results*.xml' - check_name: Remote Connect Test Report ${{ env.MAIN_PYTHON_VERSION}} + check_name: Remote Connect Test Report ${MAIN_PYTHON_VERSION} detailed_summary: true include_passed: true fail_on_failure: true 
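Review bot: `with:` inputs are not evaluated by a shell, so `python-version: ${MAIN_PYTHON_VERSION}`, `pytest-extra-args: '-s --junitxml remote_results${MAIN_PYTHON_VERSION}.xml'` and `check_name: Remote Connect Test Report ${MAIN_PYTHON_VERSION}` reach the actions as those literal strings; the `env:` added on the `uses:` steps only populates the action's process environment, and a JavaScript action such as `mikepenz/action-junit-report` will not expand them (a composite action such as `tests-pytest` would only if it forwards the input unquoted into one of its own `run:` steps, which is worth verifying rather than relying on). These values come from `env.MAIN_PYTHON_VERSION` and `matrix.*`, not from event-controlled data, so the expression form is appropriate here; restore e.g. `python-version: ${{ env.MAIN_PYTHON_VERSION }}` and `check_name: Remote Connect Test Report ${{ env.MAIN_PYTHON_VERSION }}`. The same pattern appears in the `upload-artifact` `name:`/`path:` at `@@ -332,18 +389,23` (where the path will no longer match the file the previous step wrote) and in `check_name:` at `@@ -413,9 +483,11` and `@@ -523,27 +608,33`.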
@@ -332,18 +389,23 @@ jobs: - name: Get Mechanical container logs if: always() + env: + DOCKER_MECH_CONTAINER_NAME: ${{ env.DOCKER_MECH_CONTAINER_NAME }} + MATRIX_MECH_VERSION: ${{ matrix.mechanical-version }} run: | - docker logs ${{ env.DOCKER_MECH_CONTAINER_NAME }} > mechanical_tests_log-${{ matrix.mechanical-version }}.txt 2>&1 + docker logs ${DOCKER_MECH_CONTAINER_NAME} > mechanical_tests_log-${MATRIX_MECH_VERSION}.txt 2>&1 echo CONTAINER LOGS OUTPUT - cat mechanical_tests_log-${{ matrix.mechanical-version }}.txt + cat mechanical_tests_log-${MATRIX_MECH_VERSION}.txt echo CPU info lscpu - name: Upload container logs uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + env: + MATRIX_MECH_VERSION: ${{ matrix.mechanical-version }} with: - name: mechanical_tests_log-${{ matrix.mechanical-version }} - path: mechanical_tests_log-${{ matrix.mechanical-version }}.txt + name: mechanical_tests_log-${MATRIX_MECH_VERSION} + path: mechanical_tests_log-${MATRIX_MECH_VERSION}.txt retention-days: 7 embedding-tests: 
@@ -352,24 +414,30 @@ jobs: timeout-minutes: 30 needs: [revn-variations, test-container-info, container-stability-check, smoke-tests] container: - image: ${{ needs.revn-variations.outputs.test_container }} + image: ${{ needs.revn-variations.outputs.test_container }} # zizmor: ignore[unpinned-images] options: --entrypoint /bin/bash strategy: fail-fast: false matrix: python-version: ['3.10', '3.11', '3.12', '3.13'] - + permissions: + contents: read + packages: read steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Set up Python shell: bash + env: + MAIN_PYTHON_VERSION: ${{ env.MAIN_PYTHON_VERSION }} run: | apt update apt install lsb-release xvfb git curl make -y curl -LsSf https://astral.sh/uv/install.sh | sh export PATH="$HOME/.local/bin:$PATH" - uv python install python${{ env.MAIN_PYTHON_VERSION }} + uv python install python${MAIN_PYTHON_VERSION} uv venv /env - name: "Install packages for testing" run: | @@ -382,14 +450,16 @@ jobs: ANSYS_WORKBENCH_LOGGING_CONSOLE: 0 ANSYS_WORKBENCH_LOGGING: 0 ANSYS_WORKBENCH_LOGGING_FILTER_LEVEL: 2 + CONTAINER_STABLE_EXIT: ${{ needs.container-stability-check.outputs.container_stable_exit }} + MATRIX_PYTHON_VERSION: ${{ matrix.python-version }} NUM_CORES: 1 PYTHONUNBUFFERED: 1 run: | . /env/bin/activate - if [ "${{ needs.container-stability-check.outputs.container_stable_exit }}" = "true" ]; then - xvfb-run mechanical-env pytest -m embedding -s --junitxml test_results${{ matrix.python-version }}.xml + if [ "${CONTAINER_STABLE_EXIT}" = "true" ]; then + xvfb-run mechanical-env pytest -m embedding -s --junitxml test_results${MATRIX_PYTHON_VERSION}.xml else - xvfb-run mechanical-env pytest -m embedding -s --junitxml test_results${{ matrix.python-version }}.xml || true + xvfb-run mechanical-env pytest -m embedding -s --junitxml test_results${MATRIX_PYTHON_VERSION}.xml || true fi - name: Upload coverage results 
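Review bot: The `zizmor: ignore[unpinned-images]` comment on `container.image` silences the finding rather than addressing it: the tag comes from the `revn-variations` output, and a tag can be re-pushed between the moment `test-container-info` resolves its manifest digest (`echo "sha=$sha" >> $GITHUB_OUTPUT` in an earlier hunk) and the moment this job pulls it. If that job exposes the digest as a job output — its `outputs:` block is not in this diff — the image could be pinned as `image: <DOCKER_PACKAGE>@sha256:<digest from test-container-info>` (placeholders), which would also remove the need for the suppression. The same suppression is added on the three later container jobs at `@@ -426`, `@@ -496` and `@@ -571`. `persist-credentials: false` on the checkout is a good addition.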
@@ -413,9 +483,11 @@ jobs: - name: Publish Test Report uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6 # v6.0.1 if: always() + env: + MATRIX_PYTHON_VERSION: ${{ matrix.python-version }} with: report_paths: '**/test_results*.xml' - check_name: Test Report ${{ matrix.python-version }} + check_name: Test Report ${MATRIX_PYTHON_VERSION} detailed_summary: true include_passed: true fail_on_failure: true @@ -426,24 +498,30 @@ jobs: timeout-minutes: 30 needs: [smoke-tests, revn-variations, test-container-info] container: - image: ${{ needs.revn-variations.outputs.test_container }} + image: ${{ needs.revn-variations.outputs.test_container }} # zizmor: ignore[unpinned-images] options: --entrypoint /bin/bash strategy: fail-fast: false matrix: python-version: ['3.10', '3.11', '3.12', '3.13'] - + permissions: + contents: read + packages: read steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Set up Python shell: bash + env: + MAIN_PYTHON_VERSION: ${{ env.MAIN_PYTHON_VERSION }} run: | apt update apt install lsb-release xvfb git curl make -y curl -LsSf https://astral.sh/uv/install.sh | sh export PATH="$HOME/.local/bin:$PATH" - uv python install python${{ env.MAIN_PYTHON_VERSION }} + uv python install python${MAIN_PYTHON_VERSION} uv venv /env - name: "Install packages for testing" run: | 
@@ -456,12 +534,13 @@ jobs: ANSYS_WORKBENCH_LOGGING_CONSOLE: 0 ANSYS_WORKBENCH_LOGGING: 0 ANSYS_WORKBENCH_LOGGING_FILTER_LEVEL: 2 + MATRIX_PYTHON_VERSION: ${{ matrix.python-version }} NUM_CORES: 1 PYTHONUNBUFFERED: 1 run: | . /env/bin/activate - mechanical-env pytest -m embedding_scripts -s --junitxml test_results_embedding_scripts${{ matrix.python-version }}.xml - pytest -m cli -s --junitxml test_results_cli_scripts${{ matrix.python-version }}.xml + mechanical-env pytest -m embedding_scripts -s --junitxml test_results_embedding_scripts${MAIN_PYTHON_VERSION}.xml + pytest -m cli -s --junitxml test_results_cli_scripts${MAIN_PYTHON_VERSION}.xml - name: Upload coverage results uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 @@ -496,25 +575,31 @@ jobs: runs-on: public-ubuntu-latest-16-cores timeout-minutes: 30 container: - image: ${{ needs.revn-variations.outputs.test_container }} + image: ${{ needs.revn-variations.outputs.test_container }} # zizmor: ignore[unpinned-images] options: --entrypoint /bin/bash needs: [ style, revn-variations, container-stability-check, test-container-info] strategy: fail-fast: false matrix: python-version: ['3.10', '3.11', '3.12', '3.13'] - + permissions: + contents: read + packages: read steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Set up Python shell: bash + env: + MAIN_PYTHON_VERSION: ${{ env.MAIN_PYTHON_VERSION }} run: | apt update apt install lsb-release xvfb git curl make -y curl -LsSf https://astral.sh/uv/install.sh | sh export PATH="$HOME/.local/bin:$PATH" - uv python install python${{ env.MAIN_PYTHON_VERSION }} + uv python install python${MAIN_PYTHON_VERSION} uv venv /env - name: "Install packages for testing" run: | 
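Review bot: The `embedding-scripts-tests` step adds `MATRIX_PYTHON_VERSION: ${{ matrix.python-version }}` to its env, but the two rewritten pytest lines interpolate `${MAIN_PYTHON_VERSION}` in place of the original `${{ matrix.python-version }}`, so every matrix entry writes `test_results_embedding_scripts<main version>.xml` and `test_results_cli_scripts<main version>.xml`, the per-version distinction in the report names is lost, and the new env entry is unused. Change both lines to end in `${MATRIX_PYTHON_VERSION}.xml`, as the `embedding-tests` job does in the previous hunk. The job definition begins before this hunk.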
@@ -523,27 +608,33 @@ jobs: uv pip install -e .[tests] - name: Set environment variable - run: echo "ANSYSCL${{ needs.revn-variations.outputs.test_revn }}_DIR=/install/ansys_inc/v${{ needs.revn-variations.outputs.test_revn }}/licensingclient" >> $GITHUB_ENV + env: + TEST_REVN: ${{ needs.revn-variations.outputs.test_revn }} + run: echo "ANSYSCL${TEST_REVN}_DIR=/install/ansys_inc/v${TEST_REVN}/licensingclient" >> $GITHUB_ENV - name: Unit Testing and coverage env: ANSYS_WORKBENCH_LOGGING_CONSOLE: 0 + CONTAINER_STABLE_EXIT: ${{ needs.container-stability-check.outputs.container_stable_exit }} + MATRIX_PYTHON_VERSION: ${{ matrix.python-version }} run: | unset PYMECHANICAL_PORT unset PYMECHANICAL_START_INSTANCE . /env/bin/activate - if [ "${{ needs.container-stability-check.outputs.container_stable_exit }}" = "true" ]; then - pytest -m remote_session_launch -s --junitxml launch_test_results${{ matrix.python-version }}.xml + if [ "${CONTAINER_STABLE_EXIT}" = "true" ]; then + pytest -m remote_session_launch -s --junitxml launch_test_results${MATRIX_PYTHON_VERSION}.xml else - pytest -m remote_session_launch -s --junitxml launch_test_results${{ matrix.python-version }}.xml || true + pytest -m remote_session_launch -s --junitxml launch_test_results${MATRIX_PYTHON_VERSION}.xml || true fi - name: Publish Launch Test Report uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6 # v6.0.1 if: always() + env: + MATRIX_PYTHON_VERSION: ${{ matrix.python-version }} with: report_paths: '**/launch_test_results*.xml' - check_name: Launch Test Report ${{ matrix.python-version }} + check_name: Launch Test Report ${MATRIX_PYTHON_VERSION} detailed_summary: true include_passed: true fail_on_failure: true 
@@ -571,23 +662,29 @@ jobs: runs-on: public-ubuntu-latest-16-cores timeout-minutes: 30 container: - image: ${{ needs.revn-variations.outputs.test_container }} + image: ${{ needs.revn-variations.outputs.test_container }} # zizmor: ignore[unpinned-images] options: --entrypoint /bin/bash needs: [style, doc-style, revn-variations, container-stability-check, test-container-info] - + permissions: + contents: read + packages: read steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Set up Python shell: bash + env: + MAIN_PYTHON_VERSION: ${{ env.MAIN_PYTHON_VERSION }} run: | apt update apt install lsb-release xvfb git curl make -y curl -LsSf https://astral.sh/uv/install.sh | sh export PATH="$HOME/.local/bin:$PATH" - uv python install python${{ env.MAIN_PYTHON_VERSION }} + uv python install python${MAIN_PYTHON_VERSION} uv venv /env - name: Install system dependencies @@ -610,8 +707,8 @@ jobs: && apt install gh -y - name: Install quarto to build cheatsheet - run: | - echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token + run: | # zizmor: ignore[template-injection] + echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token gh release download v1.6.43 --repo github.com/quarto-dev/quarto-cli --pattern *linux-amd64.deb apt install ./quarto*linux-amd64.deb -y quarto install tool tinytex --log-level warning @@ -630,6 +727,7 @@ jobs: NUM_CORES: 1 ANSYS_WORKBENCH_LOGGING_FILTER_LEVEL: 0 BUILD_CHEATSHEET: true + CONTAINER_STABLE_EXIT: ${{ needs.container-stability-check.outputs.container_stable_exit }} run: | . /env/bin/activate 
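Review bot: The `zizmor: ignore[template-injection]` on the quarto step suppresses a finding that is simple to remove: `gh` reads its token from the `GH_TOKEN` environment variable, so the `echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token` line can be dropped in favour of `env:` with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the step, which keeps the secret out of the generated script text altogether (the added quotes only guard against word splitting). `gh release download` then authenticates unchanged and the suppression comment can go. The step belongs to `doc-build`, whose definition starts before this hunk.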
@@ -638,7 +736,7 @@ jobs: # Add the /usr/lib/x86_64-linux-gnu/ path to the LD_LIBRARY_PATH (where libjbig-dev .so files are) export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/x86_64-linux-gnu/ - if [ "${{ needs.container-stability-check.outputs.container_stable_exit }}" = "true" ]; then + if [ "${CONTAINER_STABLE_EXIT}" = "true" ]; then xvfb-run mechanical-env make -C doc html else xvfb-run mechanical-env make -C doc html > output.txt 2>&1 || true @@ -667,8 +765,11 @@ jobs: runs-on: ubuntu-latest needs: [doc-build] if: always() && (needs.doc-build.result == 'success' || needs.doc-build.result == 'skipped') + permissions: + contents: write + pull-requests: write steps: - - uses: ansys/actions/doc-deploy-pr@33399106dc8b62d83c8aad1fb2c333c8055df180 # v10.0.20 + - uses: ansys/actions/doc-deploy-pr@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: cname: ${{ env.DOCUMENTATION_CNAME }} token: ${{ secrets.GITHUB_TOKEN }} @@ -679,11 +780,12 @@ jobs: coverage: name: Merging coverage needs: [remote-connect, embedding-tests, embedding-scripts-tests, launch-tests] - # needs: [remote-connect, embedding-tests, embedding-scripts-tests, embedding-rpc-tests, launch-tests] runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 @@ -705,11 +807,6 @@ jobs: name: coverage-file-tests-embedding path: cov-dir/embedding - # - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 - # with: - # name: coverage-file-tests-embedding-rpc - # path: cov-dir/embedding-rpc - - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: coverage-file-tests-embedding-scripts 
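Review bot: With `permissions: {}` now set at workflow level in the first hunk of this file, the `coverage` job is the one job touched by this diff that receives no `permissions:` block of its own, so its `GITHUB_TOKEN` carries no scopes; its checkout and artifact steps may still work for a public repository and same-run artifacts, but that should be confirmed rather than assumed, and every other job in the file now declares at least `contents: read`. Add `permissions:` with `contents: read` between `runs-on: ubuntu-latest` and `steps:` for consistency. The job's remaining steps continue into the following hunks.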
@@ -731,7 +828,6 @@ jobs: - name: Move files to common location run: | mv cov-dir/embedding/.coverage .coverage.Embedding - # mv cov-dir/embedding-rpc/.coverage .coverage.EmbeddingRPC mv cov-dir/embedding-scripts/.coverage .coverage.EmbeddingScripts mv cov-dir/launch/.coverage .coverage.Launch mv cov-dir/normal/.coverage .coverage.Normal @@ -792,7 +888,7 @@ jobs: id-token: write steps: - name: Build library source and wheel artifacts - uses: ansys/actions/build-library@33399106dc8b62d83c8aad1fb2c333c8055df180 # v10.0.20 + uses: ansys/actions/build-library@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: library-name: ${{ env.PACKAGE_NAME }} python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -808,7 +904,7 @@ jobs: contents: write steps: - name: Release to GitHub - uses: ansys/actions/release-github@33399106dc8b62d83c8aad1fb2c333c8055df180 # v10.0.20 + uses: ansys/actions/release-github@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: token: ${{ secrets.GITHUB_TOKEN }} library-name: ${{ env.PACKAGE_NAME }} @@ -842,9 +938,11 @@ jobs: if: github.ref == 'refs/heads/main' runs-on: ubuntu-latest needs: [package] + permissions: + contents: write steps: - name: Deploy the latest documentation - uses: ansys/actions/doc-deploy-dev@33399106dc8b62d83c8aad1fb2c333c8055df180 # v10.0.20 + uses: ansys/actions/doc-deploy-dev@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: cname: ${{ env.DOCUMENTATION_CNAME }} token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} @@ -856,9 +954,11 @@ jobs: if: github.event_name == 'push' && contains(github.ref, 'refs/tags') runs-on: ubuntu-latest needs: [release] + permissions: + contents: write steps: - name: Deploy the stable documentation - uses: ansys/actions/doc-deploy-stable@33399106dc8b62d83c8aad1fb2c333c8055df180 # v10.0.20 + uses: ansys/actions/doc-deploy-stable@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: cname: ${{ env.DOCUMENTATION_CNAME }} token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} 
@@ -870,6 +970,8 @@ jobs: runs-on: ubuntu-latest outputs: date: ${{ steps.date.outputs.date }} + permissions: + contents: read steps: - name: Get current date id: date @@ -881,6 +983,9 @@ jobs: needs: [get-date, embedding-tests, embedding-scripts-tests, launch-tests, remote-connect, doc-build] if: github.event_name == 'schedule' && (failure() || cancelled()) runs-on: ubuntu-latest + permissions: + id-token: write + contents: read steps: - name: Microsoft Teams Notification uses: skitionek/notify-microsoft-teams@11e40c38c3a629ae65a985b582eca4897b01e79e # v1.0.9 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f59cff4b8..743e8679a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -20,6 +20,8 @@ on: schedule: - cron: '38 17 * * 2' +permissions: {} + jobs: analyze: name: Analyze @@ -46,11 +48,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -64,7 +68,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun 
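Review bot: The `notify` job at `@@ -881,6 +983,9` is granted `id-token: write` alongside `contents: read`; unless `skitionek/notify-microsoft-teams` requests an OIDC token, which its inputs in this hunk give no sign of, that scope is broader than the step needs and `contents: read` alone would be the least-privilege choice. If the scope is there for a reason, a short comment such as `# id-token needed for <reason>` next to it would keep the next reviewer from removing it.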
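Review bot: `permissions: {}` at workflow level in `codeql.yml` is only safe if the `analyze` job declares its own block — the job header sits between this hunk and the next, outside the diff — because `codeql-action/analyze` needs `security-events: write` (and the template's usual `contents: read`, `actions: read`, `packages: read`) to upload results; worth confirming that block exists before merging. Pinning the CodeQL and checkout actions to commit SHAs with a version comment, and `persist-credentials: false` on the checkout, are good changes.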
@@ -77,6 +81,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependabot_automerge.yml b/.github/workflows/dependabot_automerge.yml index fac9c196e..693eafc2a 100644 --- a/.github/workflows/dependabot_automerge.yml +++ b/.github/workflows/dependabot_automerge.yml @@ -1,19 +1,21 @@ name: Dependabot auto-merge on: pull_request -permissions: - pull-requests: write - contents: write +permissions: {} jobs: dependabot-automerge: + name: "Auto-merge Dependabot PRs" runs-on: ubuntu-latest if: startsWith(github.head_ref, 'dependabot/') + permissions: + pull-requests: write + contents: write steps: - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index c5716395b..5a97a099f 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -14,14 +14,22 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: label-syncer: name: Syncer runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - - uses: actions/checkout@v5 - - uses: micnncim/action-label-syncer@v1 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
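Review bot: `label-syncer` is granted `contents: read` and `pull-requests: write`, but `micnncim/action-label-syncer` creates, updates and deletes repository labels, and the labels API falls under the `issues` permission of `GITHUB_TOKEN` rather than `pull-requests`; combined with the new workflow-level `permissions: {}`, the job is likely to fail on its first label write. Change the job block to `issues: write` (keeping `contents: read` for the checkout) and confirm with a run before merging. The checkout now sets `persist-credentials: false`, which is the right default here.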
@@ -36,45 +44,51 @@ jobs: # Label based on modified files - name: Label based on changed files - uses: actions/labeler@v6 + uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} sync-labels: false # Label based on branch name - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0 if: | startsWith(github.event.pull_request.head.ref, 'doc') || startsWith(github.event.pull_request.head.ref, 'docs') with: labels: documentation + github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0 if: | startsWith(github.event.pull_request.head.ref, 'maint') || startsWith(github.event.pull_request.head.ref, 'no-ci') || startsWith(github.event.pull_request.head.ref, 'ci') with: labels: maintenance + github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0 if: startsWith(github.event.pull_request.head.ref, 'feat') with: - labels: | - enhancement + labels: enhancement + github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0 if: | startsWith(github.event.pull_request.head.ref, 'fix') || startsWith(github.event.pull_request.head.ref, 'patch') with: labels: bug + github_token: ${{ secrets.GITHUB_TOKEN }} commenter: + name: "Suggest labels if none applied" runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - name: Suggest to add labels - uses: peter-evans/create-or-update-comment@v5 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 # Execute only when no labels have been applied to the pull 
request if: toJSON(github.event.pull_request.labels.*.name) == '{}' with: @@ -96,7 +110,7 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: ansys/actions/doc-changelog@v10 + - uses: ansys/actions/doc-changelog@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} use-conventional-commits: true diff --git a/.github/workflows/package_cleanup.yml b/.github/workflows/package_cleanup.yml index 877e26281..d4768e281 100644 --- a/.github/workflows/package_cleanup.yml +++ b/.github/workflows/package_cleanup.yml @@ -4,17 +4,18 @@ on: schedule: - cron: '00 22 * * *' -permissions: - contents: write - packages: write +permissions: {} jobs: cleanup: name: "Delete untagged package versions" runs-on: ubuntu-latest + permissions: + contents: write + packages: write steps: - name: "Delete untagged package versions" - uses: ansys/actions/hk-package-clean-untagged@v10 + uses: ansys/actions/hk-package-clean-untagged@21c9de9bee9692173780696d4a39964f20b9cfa3 # v10.1.5 with: package-org: 'ansys' package-name: 'mechanical' diff --git a/doc/changelog.d/1387.maintenance.md b/doc/changelog.d/1387.maintenance.md new file mode 100644 index 000000000..22d8f69ea --- /dev/null +++ b/doc/changelog.d/1387.maintenance.md @@ -0,0 +1 @@ +Add \`check-actions-security\` action