Skip to content

feat: Add check-actions-security action #352

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
klmcadams merged 6 commits into from
Oct 1, 2025
Merged

feat: Add check-actions-security action #352

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
5bfc1ad
add check-actions-security
klmcadams Oct 1, 2025
12f5683
add workflow dispatch
klmcadams Oct 1, 2025
f0bde13
chore: adding changelog file 352.added.md [dependabot-skip]
pyansys-ci-bot Oct 1, 2025
8bd8af7
add hashes and permissions
klmcadams Oct 1, 2025
8044b7e
Merge branch 'feat/check-security-action' of https://github.com/ansys…
klmcadams Oct 1, 2025
179d801
add name to commenter job
klmcadams Oct 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 45 additions & 11 deletions .github/workflows/ci_cd.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
name: CI
on:
workflow_dispatch:
pull_request:
push:
tags:
Expand All @@ -16,6 +17,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {}

jobs:
update-changelog:
name: "Update CHANGELOG for new tag"
Expand All @@ -25,7 +28,7 @@ jobs:
contents: write
pull-requests: write
steps:
- uses: ansys/actions/doc-deploy-changelog@main
- uses: ansys/actions/doc-deploy-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
release-from-main: true
Expand All @@ -35,41 +38,62 @@ jobs:
check-vulnerabilities:
name: "Check library vulnerabilities"
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: ansys/actions/check-vulnerabilities@v10.0
- uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}
token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
python-package-name: ${{ env.LIBRARY_NAME }}
dev-mode: ${{ github.ref != 'refs/heads/main' }}

actions-security:
name: "Check actions security"
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
generate-summary: true
token: ${{ secrets.GITHUB_TOKEN }}
auditing-level: 'high'
trust-ansys-actions: true

style:
name: Code style
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: PyAnsys code style checks
uses: ansys/actions/code-style@v10
uses: ansys/actions/code-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

doc-style:
name: "Documentation style"
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: ansys/actions/doc-style@v10
- uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
token: ${{ secrets.GITHUB_TOKEN }}

smoke-tests:
name: "Build and Smoke tests"
runs-on: ${{ matrix.os }}
permissions:
contents: read
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest]
python-version: ['3.10', '3.11', '3.12', '3.13']
steps:
- uses: ansys/actions/build-wheelhouse@v10
- uses: ansys/actions/build-wheelhouse@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
library-name: ${{ env.LIBRARY_NAME }}
operating-system: ${{ matrix.os }}
Expand All @@ -79,13 +103,15 @@ jobs:
name: "Tests"
runs-on: ${{ matrix.os }}
needs: [smoke-tests]
permissions:
contents: read
strategy:
matrix:
os: [ubuntu-latest, windows-latest]
python-version: ['3.10', '3.11', '3.12', '3.13']
fail-fast: false
steps:
- uses: ansys/actions/tests-pytest@v10
- uses: ansys/actions/tests-pytest@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
pytest-extra-args: "--cov=ansys.pre_commit_hooks --cov-report=term --cov-report=html:.cov/html"
python-version: ${{ matrix.python-version }}
Expand All @@ -94,17 +120,21 @@ jobs:
name: "Build documentation"
runs-on: ubuntu-latest
needs: [doc-style]
permissions:
contents: read
steps:
- uses: ansys/actions/doc-build@v10
- uses: ansys/actions/doc-build@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

build-library:
name: "Build library basic example"
runs-on: ubuntu-latest
needs: [doc-build, tests]
permissions:
contents: read
steps:
- uses: ansys/actions/build-library@v10
- uses: ansys/actions/build-library@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
library-name: ${{ env.LIBRARY_NAME }}
python-version: ${{ env.MAIN_PYTHON_VERSION }}
Expand All @@ -114,8 +144,10 @@ jobs:
runs-on: ubuntu-latest
needs: [build-library]
if: github.event_name == 'push' && !contains(github.ref, 'refs/tags')
permissions:
contents: write
steps:
- uses: ansys/actions/doc-deploy-dev@v10
- uses: ansys/actions/doc-deploy-dev@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
cname: ${{ env.DOCUMENTATION_CNAME }}
token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
Expand Down Expand Up @@ -147,7 +179,7 @@ jobs:
skip-existing: false

- name: "Release to GitHub"
uses: ansys/actions/release-github@v10
uses: ansys/actions/release-github@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
library-name: ${{ env.LIBRARY_NAME }}
token: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -156,9 +188,11 @@ jobs:
name: "Deploy stable documentation"
runs-on: ubuntu-latest
needs: [release]
permissions:
contents: write
if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
steps:
- uses: ansys/actions/doc-deploy-stable@v10
- uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
cname: ${{ env.DOCUMENTATION_CNAME }}
token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
Expand Down
32 changes: 23 additions & 9 deletions .github/workflows/label.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,14 +14,21 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {}

jobs:

label-syncer:
name: Syncer
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v5
- uses: micnncim/action-label-syncer@v1
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Expand All @@ -36,44 +43,51 @@ jobs:

# Label based on modified files
- name: Label based on changed files
uses: actions/labeler@v6
uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}

# Label based on branch name
- uses: actions-ecosystem/action-add-labels@v1
- uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0
if: |
startsWith(github.event.pull_request.head.ref, 'doc') ||
startsWith(github.event.pull_request.head.ref, 'docs')
with:
labels: documentation
github_token: ${{ secrets.GITHUB_TOKEN }}

- uses: actions-ecosystem/action-add-labels@v1
- uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0
if: |
startsWith(github.event.pull_request.head.ref, 'maint') ||
startsWith(github.event.pull_request.head.ref, 'no-ci') ||
startsWith(github.event.pull_request.head.ref, 'ci')
with:
labels: maintenance
github_token: ${{ secrets.GITHUB_TOKEN }}

- uses: actions-ecosystem/action-add-labels@v1
- uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0
if: startsWith(github.event.pull_request.head.ref, 'feat')
with:
labels: |
enhancement
github_token: ${{ secrets.GITHUB_TOKEN }}

- uses: actions-ecosystem/action-add-labels@v1
- uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.0
if: |
startsWith(github.event.pull_request.head.ref, 'fix') ||
startsWith(github.event.pull_request.head.ref, 'patch')
with:
labels: bug
github_token: ${{ secrets.GITHUB_TOKEN }}

commenter:
name: "Suggest labels if none applied"
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Suggest to add labels
uses: peter-evans/create-or-update-comment@v4
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
# Execute only when no labels have been applied to the pull request
if: toJSON(github.event.pull_request.labels.*.name) == '{}'
with:
Expand All @@ -95,7 +109,7 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: ansys/actions/doc-changelog@main
- uses: ansys/actions/doc-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
use-conventional-commits: true
Expand Down
1 change: 1 addition & 0 deletions doc/changelog.d/352.added.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add check-actions-security action
Loading