diff --git a/.github/actions/hps_services/action.yml b/.github/actions/hps_services/action.yml index a6ea820ec..c58f63cce 100644 --- a/.github/actions/hps_services/action.yml +++ b/.github/actions/hps_services/action.yml @@ -42,7 +42,7 @@ runs: steps: - if: ${{ inputs.version != 'latest-dev' }} - uses: dsaltares/fetch-gh-release-asset@master + uses: dsaltares/fetch-gh-release-asset@aa2ab1243d6e0d5b405b973c89fa4d06a2d0fff7 # master name: Download Customer Services Artifact with: file: 'docker-compose-customer.tar.gz' @@ -52,7 +52,7 @@ runs: token: ${{ inputs.token }} - if: ${{ inputs.version == 'latest-dev' }} - uses: dawidd6/action-download-artifact@v3 + uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 name: Download Internal Services Artifact with: workflow: main.yaml @@ -64,12 +64,12 @@ runs: path: ./docker-compose-artifact github_token: ${{ inputs.token }} - - uses: KengoTODA/actions-setup-docker-compose@main + - uses: KengoTODA/actions-setup-docker-compose@477353946803dd64eaa44008b865b6bfc88cab4e # v1.2.4 env: GITHUB_TOKEN: ${{ inputs.token }} - name: Login in Github Container registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ inputs.ghcr-username }} @@ -113,7 +113,7 @@ runs: tar -xvzf docker-compose-internal.tar.gz cd docker-compose docker-compose pull - if [ -z "$PROFILE"]; then + if [ -z "$PROFILE" ]; then docker-compose up -d else docker-compose --profile $PROFILE up -d diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 7b1bc1c69..918bd1d74 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml 
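Review bot: The `uses: dsaltares/fetch-gh-release-asset@aa2ab1243d6e0d5b405b973c89fa4d06a2d0fff7 # master` pin in the first hunk is labelled with a branch name, so the SHA is an arbitrary commit of a moving branch rather than a released version, and automated pin updaters will keep following the branch head. If the action has a tagged release, reference it in the trailing comment (e.g. `# vX.Y.Z`, placeholder) so the pin can be audited against a changelog; if it does not, a short comment explaining why a branch commit is used would help the next reviewer.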
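Review bot: The `dawidd6/action-download-artifact` pin in the second hunk also jumps from `v3` to `v6`, three major versions, alongside the pin-only changes. Major releases can rename inputs or change defaults, so the `workflow`, `path` and `github_token` inputs that remain as context in this hunk should be checked against the v6 documentation, and the upgrade is worth calling out separately so it is not mistaken for a no-op pin.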
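Review bot: The fix at `if [ -z "$PROFILE" ]; then` corrects the missing space, but the branch just below still expands the variable unquoted in `docker-compose --profile $PROFILE up -d`, so a profile value containing whitespace would be split into several arguments. Change it to `docker-compose --profile "$PROFILE" up -d` for the same quoting discipline. The `run` block this script belongs to starts above the hunk, so whether `set -e` or similar is in effect cannot be seen here.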
@@ -35,14 +35,22 @@ concurrency: cancel-in-progress: true permissions: - contents: write - checks: write + contents: read jobs: style: uses: ./.github/workflows/style.yml - secrets: inherit + + check-actions-security: + name: Check actions security + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: ansys/actions/check-actions-security@v10.3.2 + with: + token: ${{ secrets.GITHUB_TOKEN }} tests: strategy: @@ -53,7 +61,11 @@ jobs: ] fail-fast: false uses: ./.github/workflows/tests.yml - secrets: inherit + secrets: + PYANSYS_CI_BOT_PACKAGE_TOKEN: ${{ secrets.PYANSYS_CI_BOT_PACKAGE_TOKEN }} + PYANSYS_CI_BOT_TOKEN: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} + PYANSYS_CI_BOT_USERNAME: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: python-version: ${{ matrix.cfg.python-version }} toxenv: ${{ matrix.cfg.toxenv }} @@ -67,7 +79,11 @@ jobs: hps-version: ['v1.2.0', 'v1.3.45', 'v1.4.10'] fail-fast: false uses: ./.github/workflows/tests.yml - secrets: inherit + secrets: + PYANSYS_CI_BOT_PACKAGE_TOKEN: ${{ secrets.PYANSYS_CI_BOT_PACKAGE_TOKEN }} + PYANSYS_CI_BOT_TOKEN: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} + PYANSYS_CI_BOT_USERNAME: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: python-version: '3.10' toxenv: 'py310' @@ -81,14 +97,16 @@ jobs: runs-on: ubuntu-latest needs: [style] steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - - uses: extractions/netrc@v3 + - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: machine: github.com username: pyansys-ci-bot 
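Review bot: Replacing the top-level `contents: write` / `checks: write` with `contents: read` leaves no job on this page granting `checks: write`, yet the reusable tests.yml (hunk `@@ -89,7 +105,7 @@` below) still runs `mikepenz/action-junit-report`, which publishes results as a check run and needs that permission unless its annotate-only mode is used. A called workflow cannot hold more permissions than its caller, so the `tests` jobs here would need a job-level `permissions:` block with `contents: read` and `checks: write` (or the report step should be switched to annotations only). Separately, `ansys/actions/check-actions-security@v10.3.2` — like the other `ansys/actions/*@v10.3.2` references in this commit — stays tag-pinned while every third-party action is SHA-pinned; if org-owned actions are deliberately exempt, a comment such as `# org-owned action, tag pin accepted` next to this first one would record that decision.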
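Review bot: The new `persist-credentials: false` on the `actions/checkout` step in the docs hunk (`@@ -81,14 +97,16 @@`) is immediately followed by `extractions/netrc`, which writes a `github.com` login for `pyansys-ci-bot` into the runner's `~/.netrc` (the password line is cut off below this hunk), so a bot credential remains available to every later step of the job. That undercuts the point of not persisting the checkout token; if the netrc entry is only needed while private dependencies are installed, consider a final cleanup step such as `- if: always()` with `run: rm -f ~/.netrc`. The same pattern appears in the other `extractions/netrc` hunks of this commit (`@@ -146,7`, `@@ -188,16`, nightly.yml `@@ -66,7` and `@@ -83,15`, tests.yml `@@ -30,20`).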
@@ -105,17 +123,19 @@ jobs: sudo apt install latexmk texlive-latex-extra - name: Generate the documentation with tox - run: tox -e doc-html-${{ runner.os == 'Linux' && 'linux' || 'windows' }},doc-pdf-${{ runner.os == 'Linux' && 'linux' || 'windows' }} + env: + DOC_PLATFORM: ${{ runner.os == 'Linux' && 'linux' || 'windows' }} + run: tox -e "doc-html-${DOC_PLATFORM},doc-pdf-${DOC_PLATFORM}" - name: Upload HTML Documentation - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: documentation-html path: doc/_build/html retention-days: 7 - name: Upload PDF Documentation - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: documentation-pdf path: doc/_build/latex/*.pdf @@ -146,7 +166,7 @@ jobs: python-version: '3.14' steps: - - uses: extractions/netrc@v3 + - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: machine: github.com username: pyansys-ci-bot @@ -188,16 +208,18 @@ jobs: library_version: ${{ steps.version.outputs.library_version }} steps: - name: "Install Git and clone project" - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - - uses: extractions/netrc@v3 + - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: machine: github.com username: pyansys-ci-bot password: ${{ secrets.PYANSYS_CI_BOT_PACKAGE_TOKEN }} - name: "Set up Python ${{ env.MAIN_PYTHON_VERSION }}" - uses: ansys/actions/_setup-python@main + uses: ansys/actions/_setup-python@v10.3.2 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} use-cache: true 
@@ -211,7 +233,7 @@ jobs: id: version shell: bash run: | - library_name=${{ env.PACKAGE_NAME }} + library_name="$PACKAGE_NAME" library_version=$(python -c "import importlib.metadata as importlib_metadata; print(importlib_metadata.version('$library_name'))") if [ -z "$library_version" ]; then @@ -227,8 +249,10 @@ jobs: if: startsWith(github.ref, 'refs/heads/main') needs: [package, library-version] runs-on: ubuntu-latest + permissions: + contents: write # Required to publish a GitHub release for the latest-dev pre-release steps: - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ansys-hps-client-artifacts path: /tmp/artifacts @@ -237,7 +261,7 @@ jobs: run: ls -ltR /tmp/artifacts - name: Release to latest-dev - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 if: startsWith(github.ref, 'refs/heads/main') with: tag_name: "v${{ needs.library-version.outputs.library_version }}" @@ -251,6 +275,8 @@ jobs: if: github.ref == 'refs/heads/main' runs-on: ubuntu-latest needs: [package] + permissions: + contents: write # Required to push generated docs to the gh-pages branch steps: - name: Deploy the latest documentation uses: ansys/actions/doc-deploy-dev@v10.3.2 
@@ -267,17 +293,17 @@ jobs: needs: [package] runs-on: ubuntu-latest permissions: - id-token: write - contents: write + id-token: write # Required for PyPI trusted publishing (OIDC) + contents: write # Required to publish the GitHub release for the tagged version steps: - name: "Download the library artifacts from package step" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ${{ env.PACKAGE_NAME }}-artifacts path: ${{ env.PACKAGE_NAME }}-artifacts - name: "Upload artifacts to PyPI using trusted publisher" - uses: pypa/gh-action-pypi-publish@v1.14.0 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: repository-url: "https://upload.pypi.org/legacy/" print-hash: true @@ -296,6 +322,8 @@ jobs: if: github.event_name == 'push' && contains(github.ref, 'refs/tags') runs-on: ubuntu-latest needs: [release] + permissions: + contents: write # Required to push the stable docs to the gh-pages branch steps: - uses: ansys/actions/doc-deploy-stable@v10.3.2 with: diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index fc1e57d8e..0ab93a76f 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -10,14 +10,21 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: label-syncer: name: Syncer runs-on: ubuntu-latest + permissions: + contents: read + issues: write # Required to create/update repo labels steps: - - uses: actions/checkout@v6.0.2 - - uses: micnncim/action-label-syncer@v1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
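Review bot: The new comments on `id-token: write` and `contents: write` in the release job are accurate, but both grants apply to every step of the job, so the `pypa/gh-action-pypi-publish` step also holds write access to the repository and the GitHub-release step (below this hunk) can also mint an OIDC token. If the job is ever restructured, publishing to PyPI in its own job with only `id-token: write` and creating the GitHub release in a second job with only `contents: write` would keep each credential scoped to the step that needs it. The job's `if:` and trigger conditions sit above the hunk and cannot be reviewed here.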
@@ -26,25 +33,25 @@ jobs: needs: [label-syncer] permissions: contents: read - pull-requests: write + pull-requests: write # Required to add labels to pull requests runs-on: ubuntu-latest steps: # Label based on modified files - name: Label based on changed files - uses: actions/labeler@v6.1.0 + uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Label based on branch name - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1 if: | startsWith(github.event.pull_request.head.ref, 'doc') || startsWith(github.event.pull_request.head.ref, 'docs') with: labels: documentation - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1 if: | startsWith(github.event.pull_request.head.ref, 'maint') || startsWith(github.event.pull_request.head.ref, 'no-ci') || @@ -52,13 +59,13 @@ jobs: with: labels: maintenance - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1 if: startsWith(github.event.pull_request.head.ref, 'feat') with: labels: | enhancement - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1 if: | startsWith(github.event.pull_request.head.ref, 'fix') || startsWith(github.event.pull_request.head.ref, 'patch') 
@@ -66,10 +73,13 @@ jobs: labels: bug commenter: + name: Suggest labels runs-on: ubuntu-latest + permissions: + pull-requests: write # Required to comment on pull requests steps: - name: Suggest to add labels - uses: peter-evans/create-or-update-comment@v5 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5 # Execute only when no labels have been applied to the pull request if: toJSON(github.event.pull_request.labels.*.name) == '{}' with: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index e59801416..5c1afec56 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -25,11 +25,12 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: style: uses: ./.github/workflows/style.yml - secrets: inherit tests: strategy: @@ -44,7 +45,11 @@ jobs: ] fail-fast: false uses: ./.github/workflows/tests.yml - secrets: inherit + secrets: + PYANSYS_CI_BOT_PACKAGE_TOKEN: ${{ secrets.PYANSYS_CI_BOT_PACKAGE_TOKEN }} + PYANSYS_CI_BOT_TOKEN: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} + PYANSYS_CI_BOT_USERNAME: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: python-version: ${{ matrix.cfg.python-version }} toxenv: ${{ matrix.cfg.toxenv }} @@ -55,6 +60,8 @@ jobs: name: Build and Smoke tests runs-on: ${{ matrix.os }} needs: [style] + permissions: + contents: read strategy: fail-fast: false matrix: @@ -66,7 +73,7 @@ jobs: - should-release: false os: macos-latest steps: - - uses: extractions/netrc@v3 + - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: machine: github.com username: pyansys-ci-bot 
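Review bot: The `if: toJSON(github.event.pull_request.labels.*.name) == '{}'` guard on the `Suggest to add labels` step compares against `{}`, but `labels.*.name` is an array, whose JSON form when empty is `[]`, so the condition appears never to be true and the comment step would not run. Confirm on a label-less pull request; if that is the observed behaviour, `if: toJSON(github.event.pull_request.labels.*.name) == '[]'` (or `if: github.event.pull_request.labels[0] == null`) expresses the intent. Since this commit adds `name: Suggest labels` and a `pull-requests: write` grant to the job, it is a good moment to make the step reachable.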
@@ -83,15 +90,19 @@ jobs: name: Documentation runs-on: ubuntu-latest needs: [style] + permissions: + contents: read steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - - uses: extractions/netrc@v3 + - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: machine: github.com username: pyansys-ci-bot @@ -107,17 +118,19 @@ jobs: sudo apt install texlive-latex-extra - name: Generate the documentation with tox - run: tox -e doc-html-${{ runner.os == 'Linux' && 'linux' || 'windows' }},doc-pdf-${{ runner.os == 'Linux' && 'linux' || 'windows' }} + env: + DOC_PLATFORM: ${{ runner.os == 'Linux' && 'linux' || 'windows' }} + run: tox -e "doc-html-${DOC_PLATFORM},doc-pdf-${DOC_PLATFORM}" - name: Upload HTML Documentation - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: documentation-html path: doc/_build/html retention-days: 7 - name: Upload PDF Documentation - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: documentation-pdf path: doc/_build/latex/*.pdf diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml index b375d888d..206b21a07 100644 --- a/.github/workflows/style.yml +++ b/.github/workflows/style.yml 
@@ -5,15 +5,21 @@ on: env: MAIN_PYTHON_VERSION: '3.12' +permissions: {} + jobs: style: name: Code style runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: Install dependencies @@ -25,6 +31,8 @@ jobs: doc-style: name: Documentation Style Check runs-on: ubuntu-latest + permissions: + contents: read steps: - name: PyAnsys documentation style checks uses: ansys/actions/doc-style@v10.3.2 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 531a04f62..01b9dd2b2 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -30,20 +30,35 @@ on: description: Whether to upload coverage results type: boolean default: true + secrets: + PYANSYS_CI_BOT_PACKAGE_TOKEN: + required: true + PYANSYS_CI_BOT_TOKEN: + required: true + PYANSYS_CI_BOT_USERNAME: + required: true + CODECOV_TOKEN: + required: true + +permissions: {} jobs: tests: name: Tests and coverage runs-on: ${{ inputs.runner }} + permissions: + contents: read steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python ${{ inputs.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ inputs.python-version }} - - uses: extractions/netrc@v3 + - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: machine: github.com username: pyansys-ci-bot 
@@ -66,14 +81,15 @@ jobs: profile: ${{ inputs.docker-compose-profiles }} - name: Test with tox - run: tox -e ${{ inputs.toxenv }}-coverage + run: tox -e "${TOXENV_NAME}-coverage" env: + TOXENV_NAME: ${{ inputs.toxenv }} HPS_TEST_URL: ${{ steps.hps-services.outputs.url }} HPS_TEST_USERNAME: repadmin HPS_TEST_PASSWORD: repadmin - name: Upload coverage results - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: ${{ inputs.python-version == '3.10' && inputs.upload-coverage }} with: name: coverage-html @@ -81,7 +97,7 @@ jobs: retention-days: 7 - name: Upload coverage to Codecov - uses: codecov/codecov-action@v6.0.1 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 if: ${{ inputs.python-version == '3.10' && inputs.upload-coverage }} env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} @@ -89,7 +105,7 @@ jobs: files: '**/test*.xml' - name: Publish Test Report - uses: mikepenz/action-junit-report@v6 + uses: mikepenz/action-junit-report@3a81627bfac62268172037048872e8ebd4207e6d # v6 if: always() with: report_paths: '**/test*.xml' diff --git a/.github/workflows/update_rms_models.yml b/.github/workflows/update_rms_models.yml index b4a353581..83b615f6d 100644 --- a/.github/workflows/update_rms_models.yml +++ b/.github/workflows/update_rms_models.yml 
@@ -7,22 +7,33 @@ on: env: MAIN_PYTHON_VERSION: '3.12' +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: {} + jobs: update-models: name: Update models runs-on: ubuntu-latest + permissions: + contents: write # Required to push the auto-update branch + pull-requests: write # Required to open the auto-update pull request steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: Start HPS services id: hps-services - uses: ansys/pyhps/.github/actions/hps_services@main + uses: ./.github/actions/hps_services with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} ghcr-username: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} @@ -41,7 +52,7 @@ jobs: - name: "Create PR if changes detected" if: startsWith(github.ref, 'refs/heads/main') - uses: peter-evans/create-pull-request@v8 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8 with: title: "[Auto] Update RMS models" body: An update of auto-generated RMS models has been triggered either manually or by a scheduled workflow.
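Review bot: The job now checks out with `persist-credentials: false` but later depends on `peter-evans/create-pull-request` (second hunk) to push the auto-update branch, which must then authenticate through that action's own `token` input rather than the checkout credentials; the input is not visible in the hunk, so confirm it is set, and that it is a bot token rather than `GITHUB_TOKEN` if the resulting pull request is expected to trigger CI, since pull requests opened with `GITHUB_TOKEN` do not start workflows. The switch from `ansys/pyhps/.github/actions/hps_services@main` to the local `./.github/actions/hps_services` removes a mutable remote reference and is a clear improvement.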