From 5bfc1ad77ee71982756d7b144d78dd1c7c6a0ec1 Mon Sep 17 00:00:00 2001 From: kmcadams Date: Wed, 1 Oct 2025 11:21:51 -0400 Subject: [PATCH 1/5] add check-actions-security --- .github/workflows/ci_cd.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 6796c3a0..7d7c4999 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -43,6 +43,17 @@ jobs: python-package-name: ${{ env.LIBRARY_NAME }} dev-mode: ${{ github.ref != 'refs/heads/main' }} + actions-security: + name: "Check actions security" + runs-on: ubuntu-latest + steps: + - uses: ansys/actions/check-actions-security@v10.1 + with: + generate-summary: true + token: ${{ secrets.GITHUB_TOKEN }} + auditing-level: 'high' + trust-ansys-actions: true + style: name: Code style runs-on: ubuntu-latest From 12f568332d592b236e85399c9a28eb56e83ec125 Mon Sep 17 00:00:00 2001 From: kmcadams Date: Wed, 1 Oct 2025 11:22:49 -0400 Subject: [PATCH 2/5] add workflow dispatch --- .github/workflows/ci_cd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 7d7c4999..04a6c9e4 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -1,5 +1,6 @@ name: CI on: + workflow_dispatch: pull_request: push: tags: From f0bde13a4ff70127458b0dbdaf7a21d4cab5cc3c Mon Sep 17 00:00:00 2001 From: pyansys-ci-bot <92810346+pyansys-ci-bot@users.noreply.github.com> Date: Wed, 1 Oct 2025 15:24:24 +0000 Subject: [PATCH 3/5] chore: adding changelog file 352.added.md [dependabot-skip] --- doc/changelog.d/352.added.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 doc/changelog.d/352.added.md diff --git a/doc/changelog.d/352.added.md b/doc/changelog.d/352.added.md new file mode 100644 index 00000000..83e72192 --- /dev/null +++ b/doc/changelog.d/352.added.md @@ -0,0 +1 @@ +Add check-actions-security action 
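Review bot: `trust-ansys-actions: true` on the new check-actions-security step presumably exempts every `ansys/actions/*` reference from the audit, so a floating tag such as the `@v10.1` this very step uses would not be reported by the check the job adds; that exemption deserves an inline comment so the next reader knows pinning of ansys/actions stays a manual responsibility, e.g. `# ansys/actions are excluded from the audit (trust-ansys-actions); keep them SHA-pinned by hand`. The job also declares no job-level `permissions`, so it inherits whatever the workflow default is at this point in the series. Later patches in this series pin the reference and add the permissions block, so only the comment is still missing.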
From 8bd8af7d17b75837edbd88fccc023919bb90b363 Mon Sep 17 00:00:00 2001 From: kmcadams Date: Wed, 1 Oct 2025 11:58:37 -0400 Subject: [PATCH 4/5] add hashes and permissions --- .github/workflows/ci_cd.yml | 46 +++++++++++++++++++++++++++---------- .github/workflows/label.yml | 31 +++++++++++++++++-------- 2 files changed, 56 insertions(+), 21 deletions(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 04a6c9e4..cc74998c 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -17,6 +17,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: update-changelog: name: "Update CHANGELOG for new tag" @@ -26,7 +28,7 @@ jobs: contents: write pull-requests: write steps: - - uses: ansys/actions/doc-deploy-changelog@main + - uses: ansys/actions/doc-deploy-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} release-from-main: true @@ -36,8 +38,10 @@ jobs: check-vulnerabilities: name: "Check library vulnerabilities" runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: ansys/actions/check-vulnerabilities@v10.0 + - uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} @@ -47,8 +51,10 @@ jobs: actions-security: name: "Check actions security" runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: ansys/actions/check-actions-security@v10.1 + - uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: generate-summary: true token: ${{ secrets.GITHUB_TOKEN }} 
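Review bot: The new job-level `permissions: contents: read` on check-vulnerabilities only narrows the automatic `GITHUB_TOKEN`, while the step still receives `secrets.PYANSYS_CI_BOT_TOKEN`, a PAT whose scopes are defined outside this file, so the job's effective privilege is whatever that PAT carries. A one-line comment next to the input would make that visible, e.g. `# PYANSYS_CI_BOT_TOKEN is a PAT; the job permissions above do not constrain it`. The same applies to the update-changelog job in the first hunk of this patch, which keeps `contents: write`/`pull-requests: write` and also passes the PAT. With `permissions: {}` now set at workflow level, any job in this file without its own block receives a token with no scopes, which is worth re-checking for the jobs this patch does not touch.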
@@ -58,30 +64,36 @@ jobs: style: name: Code style runs-on: ubuntu-latest + permissions: + contents: read steps: - name: PyAnsys code style checks - uses: ansys/actions/code-style@v10 + uses: ansys/actions/code-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} doc-style: name: "Documentation style" runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: ansys/actions/doc-style@v10 + - uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: token: ${{ secrets.GITHUB_TOKEN }} smoke-tests: name: "Build and Smoke tests" runs-on: ${{ matrix.os }} + permissions: + contents: read strategy: fail-fast: false matrix: os: [ubuntu-latest, windows-latest] python-version: ['3.10', '3.11', '3.12', '3.13'] steps: - - uses: ansys/actions/build-wheelhouse@v10 + - uses: ansys/actions/build-wheelhouse@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: library-name: ${{ env.LIBRARY_NAME }} operating-system: ${{ matrix.os }} @@ -91,13 +103,15 @@ jobs: name: "Tests" runs-on: ${{ matrix.os }} needs: [smoke-tests] + permissions: + contents: read strategy: matrix: os: [ubuntu-latest, windows-latest] python-version: ['3.10', '3.11', '3.12', '3.13'] fail-fast: false steps: - - uses: ansys/actions/tests-pytest@v10 + - uses: ansys/actions/tests-pytest@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: pytest-extra-args: "--cov=ansys.pre_commit_hooks --cov-report=term --cov-report=html:.cov/html" python-version: ${{ matrix.python-version }} @@ -106,8 +120,10 @@ jobs: name: "Build documentation" runs-on: ubuntu-latest needs: [doc-style] + permissions: + contents: read steps: - - uses: ansys/actions/doc-build@v10 + - uses: ansys/actions/doc-build@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} 
@@ -115,8 +131,10 @@ jobs: name: "Build library basic example" runs-on: ubuntu-latest needs: [doc-build, tests] + permissions: + contents: read steps: - - uses: ansys/actions/build-library@v10 + - uses: ansys/actions/build-library@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: library-name: ${{ env.LIBRARY_NAME }} python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -126,8 +144,10 @@ jobs: runs-on: ubuntu-latest needs: [build-library] if: github.event_name == 'push' && !contains(github.ref, 'refs/tags') + permissions: + contents: write steps: - - uses: ansys/actions/doc-deploy-dev@v10 + - uses: ansys/actions/doc-deploy-dev@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: cname: ${{ env.DOCUMENTATION_CNAME }} token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} @@ -159,7 +179,7 @@ jobs: skip-existing: false - name: "Release to GitHub" - uses: ansys/actions/release-github@v10 + uses: ansys/actions/release-github@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: library-name: ${{ env.LIBRARY_NAME }} token: ${{ secrets.GITHUB_TOKEN }} @@ -168,9 +188,11 @@ jobs: name: "Deploy stable documentation" runs-on: ubuntu-latest needs: [release] + permissions: + contents: write if: github.event_name == 'push' && contains(github.ref, 'refs/tags') steps: - - uses: ansys/actions/doc-deploy-stable@v10 + - uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: cname: ${{ env.DOCUMENTATION_CNAME }} token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 2b1443db..a692e955 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml 
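Review bot: The `@@ -159,7 +179,7 @@` hunk only re-pins `release-github`, but the `release` job header is outside the hunk and no `permissions` block is added for it in this patch, which at the same time introduces `permissions: {}` at workflow level; if the job does not already declare its own permissions, its `GITHUB_TOKEN` will now carry no scopes and creating the GitHub release would fail with a 403. Propose confirming the job header and, if absent, adding `permissions:` with `contents: write` for the release step, plus `id-token: write` only if the publishing step above `skip-existing: false` relies on OIDC trusted publishing. The doc-deploy-dev and doc-deploy-stable hunks on this line show the per-job pattern that would apply.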
@@ -14,14 +14,21 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: label-syncer: name: Syncer runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - - uses: actions/checkout@v5 - - uses: micnncim/action-label-syncer@v1 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
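Review bot: The `label-syncer` job is granted `contents: read` and `pull-requests: write`, but `micnncim/action-label-syncer` creates, updates and deletes repository labels through the labels endpoints of the Issues API, which I believe require `issues: write` on `GITHUB_TOKEN` rather than `pull-requests: write`; with the workflow-level `permissions: {}` now fail-closed, the sync step would presumably be rejected. Suggested block: `permissions:` / `contents: read` / `issues: write`, verified by running the workflow once on a branch before merging. `persist-credentials: false` on the checkout step is the right call here, since the syncer reads the label definition from the checkout and authenticates with the env token rather than the git credential.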
@@ -36,44 +43,50 @@ jobs: # Label based on modified files - name: Label based on changed files - uses: actions/labeler@v6 + uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Label based on branch name - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0 if: | startsWith(github.event.pull_request.head.ref, 'doc') || startsWith(github.event.pull_request.head.ref, 'docs') with: labels: documentation + github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0 if: | startsWith(github.event.pull_request.head.ref, 'maint') || startsWith(github.event.pull_request.head.ref, 'no-ci') || startsWith(github.event.pull_request.head.ref, 'ci') with: labels: maintenance + github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0 if: startsWith(github.event.pull_request.head.ref, 'feat') with: labels: | enhancement + github_token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0 if: | startsWith(github.event.pull_request.head.ref, 'fix') || startsWith(github.event.pull_request.head.ref, 'patch') with: labels: bug + github_token: ${{ secrets.GITHUB_TOKEN }} commenter: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - name: Suggest to add labels - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 # Execute only when no labels have been applied to the pull request if: toJSON(github.event.pull_request.labels.*.name) == '{}' with: 
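Review bot: The `labeler` job's header and any `permissions` block of its own sit above this hunk, so it is not visible here whether `actions/labeler` and the four `action-add-labels` steps still hold `pull-requests: write` (and `contents: read` for the labeler config) once the workflow-level `permissions: {}` from the first hunk of this file applies; if the job has no block, these steps will start failing after this patch. `actions-ecosystem/action-add-labels` also appears to be unmaintained upstream; the SHA pin protects against tag movement but not against the absence of future fixes, and a comment such as `# actions-ecosystem appears unmaintained; candidate for replacement by actions/labeler` would record that for the next maintainer. The `commenter` job's `pull-requests: write` matches what `create-or-update-comment` needs for pull-request comments.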
@@ -95,7 +108,7 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: ansys/actions/doc-changelog@main + - uses: ansys/actions/doc-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} use-conventional-commits: true From 179d8016174aedee3502e3d7689a782317821181 Mon Sep 17 00:00:00 2001 From: kmcadams Date: Wed, 1 Oct 2025 12:06:53 -0400 Subject: [PATCH 5/5] add name to commenter job --- .github/workflows/label.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index a692e955..90c172e6 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -81,6 +81,7 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} commenter: + name: "Suggest labels if none applied" runs-on: ubuntu-latest permissions: pull-requests: write