From 8f75be85fa04c0b16042b15b484c3e0c383ff0b5 Mon Sep 17 00:00:00 2001 From: Manikanth Guntupally Venkata Date: Thu, 4 Jun 2026 12:09:17 +0100 Subject: [PATCH 1/6] [MAINTENANCE] Add ansys/actions/check-actions-security action --- .github/workflows/ci_cd.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 849babfd9..4fd6a1982 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -44,6 +44,16 @@ jobs: uses: ./.github/workflows/style.yml secrets: inherit + check-actions-security: + name: Check actions security + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: ansys/actions/check-actions-security@v10.3.2 + with: + token: ${{ secrets.GITHUB_TOKEN }} + tests: strategy: matrix: From 07e270886c4faabdaa77dc297dd501f73e434d30 Mon Sep 17 00:00:00 2001 From: Manikanth Guntupally Venkata Date: Fri, 5 Jun 2026 11:28:17 +0100 Subject: [PATCH 2/6] fix security check failures --- .github/actions/hps_services/action.yml | 10 ++++---- .github/workflows/ci_cd.yml | 31 ++++++++++++++----------- .github/workflows/label.yml | 16 ++++++------- .github/workflows/nightly.yml | 12 +++++----- .github/workflows/style.yml | 4 ++-- .github/workflows/tests.yml | 17 +++++++------- .github/workflows/update_rms_models.yml | 8 +++---- 7 files changed, 52 insertions(+), 46 deletions(-) diff --git a/.github/actions/hps_services/action.yml b/.github/actions/hps_services/action.yml index a6ea820ec..2c94c0c18 100644 --- a/.github/actions/hps_services/action.yml +++ b/.github/actions/hps_services/action.yml @@ -42,7 +42,7 @@ runs: steps: - if: ${{ inputs.version != 'latest-dev' }} - uses: dsaltares/fetch-gh-release-asset@master + uses: dsaltares/fetch-gh-release-asset@aa2ab1243d6e0d5b405b973c89fa4d06a2d0fff7 # master name: Download Customer Services Artifact with: file: 'docker-compose-customer.tar.gz' 
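Review bot: The new job pins `ansys/actions/check-actions-security@v10.3.2` by mutable tag, and the rest of the series leaves every other `ansys/actions/*` reference on a tag as well (`doc-deploy-dev@v10.3.1`, `doc-deploy-stable@v10.3.1`, `release-pypi-public@v10.3.1`, `_setup-python@v10.3.2` in the later hunks), so this workflow ends up consuming one action suite at two versions while third-party actions are moved to commit SHAs. If tag pinning for first-party actions is the intended exemption from the check this job introduces, record it once where a reader will look for it, e.g. `# first-party ansys/actions are pinned by release tag; third-party actions by commit SHA`, and align the suite on a single version. The job has no `needs` and nothing depends on it, which is fine for a gate but means it only blocks merges if it is also listed as a required status check.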
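Review bot: `dsaltares/fetch-gh-release-asset@aa2ab1243d6e0d5b405b973c89fa4d06a2d0fff7 # master` freezes an arbitrary commit of a moving branch rather than a release, so the trailing comment does not tell a reviewer which version was audited and gives Dependabot/Renovate no tag to compare against when proposing updates. The `KengoTODA/actions-setup-docker-compose@… # main` pin in the -64 hunk of this file has the same shape, and the fourth commit replaces it with a `# v1.2.4` pin, but this one stays on `# master`. Resolve the SHA to its nearest release and name it in the comment (`# vX.Y.Z`, placeholder) or, better, pin the tagged release commit itself.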
@@ -52,7 +52,7 @@ runs: token: ${{ inputs.token }} - if: ${{ inputs.version == 'latest-dev' }} - uses: dawidd6/action-download-artifact@v3 + uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3 name: Download Internal Services Artifact with: workflow: main.yaml @@ -64,12 +64,12 @@ runs: path: ./docker-compose-artifact github_token: ${{ inputs.token }} - - uses: KengoTODA/actions-setup-docker-compose@main + - uses: KengoTODA/actions-setup-docker-compose@17da3fa4493b7303eff3e8f4f84a07ed6ed2e7a7 # main env: GITHUB_TOKEN: ${{ inputs.token }} - name: Login in Github Container registry - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ inputs.ghcr-username }} @@ -113,7 +113,7 @@ runs: tar -xvzf docker-compose-internal.tar.gz cd docker-compose docker-compose pull - if [ -z "$PROFILE"]; then + if [ -z "$PROFILE" ]; then docker-compose up -d else docker-compose --profile $PROFILE up -d diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 4fd6a1982..e97f1d658 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -35,8 +35,7 @@ concurrency: cancel-in-progress: true permissions: - contents: write - checks: write + contents: read jobs: @@ -91,14 +90,14 @@ jobs: runs-on: ubuntu-latest needs: [style] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - - uses: extractions/netrc@v3 + - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: machine: github.com username: pyansys-ci-bot 
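Review bot: The quoting fix on the `-z` test leaves `docker-compose --profile $PROFILE up -d` two lines below with an unquoted expansion; for consistency, and to avoid word splitting if the profile value ever contains whitespace, write it as `docker-compose --profile "$PROFILE" up -d`. The run block that sets `PROFILE` starts outside the hunk: if it is populated through `env:` from `inputs.profile` this is only a style point, but if the value is interpolated into the script with `${{ }}` it is the same template-injection pattern this commit fixes for `TOXENV_NAME` in tests.yml and should go through `env:` as well.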
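Review bot: Dropping `checks: write` at workflow level also removes it from the token handed to the reusable tests.yml, and nothing in the series re-grants it at job level — the fourth commit's tests.yml hunk at -30 sets `permissions: {}` plus `contents: read` only. The "Publish Test Report" step (`mikepenz/action-junit-report`, pinned in the -89 hunk of tests.yml in this commit) creates a check run and needs `checks: write` for that, so unless `if: always()` hides it, expect a 403 there on the first run after this lands. If the check-run output is wanted, add `checks: write` next to `contents: read` in the `tests` job of tests.yml and grant the same on the caller jobs, since a called workflow cannot exceed what the caller passes; otherwise switch the step to its `annotate_only` mode or drop it.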
@@ -118,14 +117,14 @@ jobs: run: tox -e doc-html-${{ runner.os == 'Linux' && 'linux' || 'windows' }},doc-pdf-${{ runner.os == 'Linux' && 'linux' || 'windows' }} - name: Upload HTML Documentation - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: documentation-html path: doc/_build/html retention-days: 7 - name: Upload PDF Documentation - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: documentation-pdf path: doc/_build/latex/*.pdf @@ -154,7 +153,7 @@ jobs: python-version: '3.13' steps: - - uses: extractions/netrc@v3 + - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: machine: github.com username: pyansys-ci-bot @@ -196,16 +195,16 @@ jobs: library_version: ${{ steps.version.outputs.library_version }} steps: - name: "Install Git and clone project" - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - - uses: extractions/netrc@v3 + - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: machine: github.com username: pyansys-ci-bot password: ${{ secrets.PYANSYS_CI_BOT_PACKAGE_TOKEN }} - name: "Set up Python ${{ env.MAIN_PYTHON_VERSION }}" - uses: ansys/actions/_setup-python@main + uses: ansys/actions/_setup-python@v10.3.2 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} use-cache: true @@ -235,8 +234,10 @@ jobs: if: startsWith(github.ref, 'refs/heads/main') needs: [package, library-version] runs-on: ubuntu-latest + permissions: + contents: write steps: - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ansys-hps-client-artifacts path: /tmp/artifacts 
@@ -245,7 +246,7 @@ jobs: run: ls -ltR /tmp/artifacts - name: Release to latest-dev - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 if: startsWith(github.ref, 'refs/heads/main') with: tag_name: "v${{ needs.library-version.outputs.library_version }}" @@ -259,6 +260,8 @@ jobs: if: github.ref == 'refs/heads/main' runs-on: ubuntu-latest needs: [package] + permissions: + contents: write steps: - name: Deploy the latest documentation uses: ansys/actions/doc-deploy-dev@v10.3.1 @@ -296,6 +299,8 @@ jobs: if: github.event_name == 'push' && contains(github.ref, 'refs/tags') runs-on: ubuntu-latest needs: [release] + permissions: + contents: write steps: - uses: ansys/actions/doc-deploy-stable@v10.3.1 with: diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index bea5a4350..190125352 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -16,8 +16,8 @@ jobs: name: Syncer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: micnncim/action-label-syncer@v1 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -32,19 +32,19 @@ jobs: # Label based on modified files - name: Label based on changed files - uses: actions/labeler@v6.1.0 + uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Label based on branch name - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1 if: | startsWith(github.event.pull_request.head.ref, 'doc') || startsWith(github.event.pull_request.head.ref, 'docs') with: labels: documentation - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1 if: | startsWith(github.event.pull_request.head.ref, 'maint') || startsWith(github.event.pull_request.head.ref, 'no-ci') || @@ -52,13 +52,13 @@ jobs: with: labels: maintenance - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1 if: startsWith(github.event.pull_request.head.ref, 'feat') with: labels: | enhancement - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1 if: | startsWith(github.event.pull_request.head.ref, 'fix') || startsWith(github.event.pull_request.head.ref, 'patch') @@ -69,7 +69,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Suggest to add labels - uses: peter-evans/create-or-update-comment@v5 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5 # Execute only when no labels have been applied to the pull request if: toJSON(github.event.pull_request.labels.*.name) == '{}' with: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 7454a0f0c..de0f1a154 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml 
@@ -65,7 +65,7 @@ jobs: - should-release: false os: macos-latest steps: - - uses: extractions/netrc@v3 + - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: machine: github.com username: pyansys-ci-bot @@ -83,14 +83,14 @@ jobs: runs-on: ubuntu-latest needs: [style] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - - uses: extractions/netrc@v3 + - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: machine: github.com username: pyansys-ci-bot @@ -109,14 +109,14 @@ jobs: run: tox -e doc-html-${{ runner.os == 'Linux' && 'linux' || 'windows' }},doc-pdf-${{ runner.os == 'Linux' && 'linux' || 'windows' }} - name: Upload HTML Documentation - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: documentation-html path: doc/_build/html retention-days: 7 - name: Upload PDF Documentation - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: documentation-pdf path: doc/_build/latex/*.pdf diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml index 16a2511f0..ede565c3b 100644 --- a/.github/workflows/style.yml +++ b/.github/workflows/style.yml @@ -11,9 +11,9 @@ jobs: name: Code style runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: Install dependencies diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 848bcd126..23ee648a0 100644 
--- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -37,13 +37,13 @@ jobs: name: Tests and coverage runs-on: ${{ inputs.runner }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Set up Python ${{ inputs.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ inputs.python-version }} - - uses: extractions/netrc@v3 + - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: machine: github.com username: pyansys-ci-bot @@ -56,7 +56,7 @@ jobs: - name: Start HPS services id: hps-services - uses: ansys/pyhps/.github/actions/hps_services@main + uses: ./.github/actions/hps_services with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} ghcr-username: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} @@ -66,14 +66,15 @@ jobs: profile: ${{ inputs.docker-compose-profiles }} - name: Test with tox - run: tox -e ${{ inputs.toxenv }}-coverage + run: tox -e "${TOXENV_NAME}-coverage" env: + TOXENV_NAME: ${{ inputs.toxenv }} HPS_TEST_URL: ${{ steps.hps-services.outputs.url }} HPS_TEST_USERNAME: repadmin HPS_TEST_PASSWORD: repadmin - name: Upload coverage results - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: ${{ inputs.python-version == '3.10' && inputs.upload-coverage }} with: name: coverage-html @@ -81,7 +82,7 @@ jobs: retention-days: 7 - name: Upload coverage to Codecov - uses: codecov/codecov-action@v6.0.1 + uses: codecov/codecov-action@cddd853df119a48c5be31a973f8cd97e12e35e16 # v6.0.1 if: ${{ inputs.python-version == '3.10' && inputs.upload-coverage }} env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} 
@@ -89,7 +90,7 @@ jobs: files: '**/test*.xml' - name: Publish Test Report - uses: mikepenz/action-junit-report@v6 + uses: mikepenz/action-junit-report@3a81627bfac62268172037048872e8ebd4207e6d # v6 if: always() with: report_paths: '**/test*.xml' diff --git a/.github/workflows/update_rms_models.yml b/.github/workflows/update_rms_models.yml index ef6e1ba26..15d54eb33 100644 --- a/.github/workflows/update_rms_models.yml +++ b/.github/workflows/update_rms_models.yml @@ -13,16 +13,16 @@ jobs: name: Update models runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: Start HPS services id: hps-services - uses: ansys/pyhps/.github/actions/hps_services@main + uses: ./.github/actions/hps_services with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} ghcr-username: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} @@ -41,7 +41,7 @@ jobs: - name: "Create PR if changes detected" if: startsWith(github.ref, 'refs/heads/main') - uses: peter-evans/create-pull-request@v8 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8 with: title: "[Auto] Update RMS models" body: An update of auto-generated RMS models has been triggered either manually or by a scheduled workflow. From a3d1992f58335cde645db677caefcc39a7a0e088 Mon Sep 17 00:00:00 2001 From: Manikanth Guntupally Venkata Date: Fri, 5 Jun 2026 11:55:28 +0100 Subject: [PATCH 3/6] fix security check failures --- .github/actions/hps_services/action.yml | 2 +- .github/workflows/tests.yml | 2 +- .github/workflows/update_rms_models.yml | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/actions/hps_services/action.yml b/.github/actions/hps_services/action.yml index 2c94c0c18..9131ead42 100644 
--- a/.github/actions/hps_services/action.yml +++ b/.github/actions/hps_services/action.yml @@ -52,7 +52,7 @@ runs: token: ${{ inputs.token }} - if: ${{ inputs.version == 'latest-dev' }} - uses: dawidd6/action-download-artifact@09f2f74827fd3a8607589e5ad7f9398816f540fe # v3 + uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 name: Download Internal Services Artifact with: workflow: main.yaml diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 23ee648a0..f7e99892a 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -82,7 +82,7 @@ jobs: retention-days: 7 - name: Upload coverage to Codecov - uses: codecov/codecov-action@cddd853df119a48c5be31a973f8cd97e12e35e16 # v6.0.1 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 if: ${{ inputs.python-version == '3.10' && inputs.upload-coverage }} env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/update_rms_models.yml b/.github/workflows/update_rms_models.yml index 15d54eb33..d67d917d7 100644 --- a/.github/workflows/update_rms_models.yml +++ b/.github/workflows/update_rms_models.yml @@ -7,6 +7,10 @@ on: env: MAIN_PYTHON_VERSION: '3.12' +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: update-models: From 89d26092daa9708ae25ab6f1a8e5ecc0bf781664 Mon Sep 17 00:00:00 2001 From: Manikanth Guntupally Venkata Date: Fri, 5 Jun 2026 12:16:38 +0100 Subject: [PATCH 4/6] fix security check failures --- .github/actions/hps_services/action.yml | 2 +- .github/workflows/ci_cd.yml | 31 ++++++++++++++++++------- .github/workflows/label.yml | 12 +++++++++- .github/workflows/nightly.yml | 19 ++++++++++++--- .github/workflows/style.yml | 8 +++++++ .github/workflows/tests.yml | 15 ++++++++++++ .github/workflows/update_rms_models.yml | 7 ++++++ 7 files changed, 80 insertions(+), 14 deletions(-) 
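Review bot: The `codecov/codecov-action` pin changes from `cddd853df119a48c5be31a973f8cd97e12e35e16` to `e79a6962e0d4c0c17b229090214935d2e33f8354` while the comment stays `# v6.0.1`, so at most one of the two SHAs is the commit the v6.0.1 tag points at and one of the two commits carried a misleading annotation. Verify the new SHA against the tag (for example `git ls-remote --tags https://github.com/codecov/codecov-action v6.0.1`) and correct the comment if the pinned commit is a different release; an annotation that does not match its tag defeats the purpose of the comment, because reviewers and update tooling rely on it to know what was audited. If the tag itself was moved upstream, that deserves a line in the commit message rather than a silent re-pin.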
diff --git a/.github/actions/hps_services/action.yml b/.github/actions/hps_services/action.yml index 9131ead42..c58f63cce 100644 --- a/.github/actions/hps_services/action.yml +++ b/.github/actions/hps_services/action.yml @@ -64,7 +64,7 @@ runs: path: ./docker-compose-artifact github_token: ${{ inputs.token }} - - uses: KengoTODA/actions-setup-docker-compose@17da3fa4493b7303eff3e8f4f84a07ed6ed2e7a7 # main + - uses: KengoTODA/actions-setup-docker-compose@477353946803dd64eaa44008b865b6bfc88cab4e # v1.2.4 env: GITHUB_TOKEN: ${{ inputs.token }} diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index e97f1d658..0ac5378de 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -41,7 +41,6 @@ jobs: style: uses: ./.github/workflows/style.yml - secrets: inherit check-actions-security: name: Check actions security @@ -62,7 +61,11 @@ jobs: ] fail-fast: false uses: ./.github/workflows/tests.yml - secrets: inherit + secrets: + PYANSYS_CI_BOT_PACKAGE_TOKEN: ${{ secrets.PYANSYS_CI_BOT_PACKAGE_TOKEN }} + PYANSYS_CI_BOT_TOKEN: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} + PYANSYS_CI_BOT_USERNAME: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: python-version: ${{ matrix.cfg.python-version }} toxenv: ${{ matrix.cfg.toxenv }} @@ -76,7 +79,11 @@ jobs: hps-version: ['v1.2.0', 'v1.3.45', 'v1.4.10'] fail-fast: false uses: ./.github/workflows/tests.yml - secrets: inherit + secrets: + PYANSYS_CI_BOT_PACKAGE_TOKEN: ${{ secrets.PYANSYS_CI_BOT_PACKAGE_TOKEN }} + PYANSYS_CI_BOT_TOKEN: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} + PYANSYS_CI_BOT_USERNAME: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: python-version: '3.10' toxenv: 'py310' @@ -91,6 +98,8 @@ jobs: needs: [style] steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 
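Review bot: `persist-credentials: false` stops `actions/checkout` from leaving `GITHUB_TOKEN` in `.git/config`, but the step that follows in this job (`extractions/netrc`, visible as context in the second commit's version of this region) writes `PYANSYS_CI_BOT_PACKAGE_TOKEN` for `github.com` into `~/.netrc`, where every later step, including third-party actions, can read it for the rest of the job; the same sequence follows the checkouts hardened in the -196 hunk here, in nightly.yml -82 and in tests.yml -30. Persisting a bot token more broadly than the git credential that was just removed narrows the benefit of this change. If the token is only needed to install private packages, remove the file once that install has run, e.g. a trailing step `run: rm -f ~/.netrc` with `if: always()`, or pass the credential to the one step that needs it through `env:`.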
@@ -114,7 +123,9 @@ jobs: sudo apt install latexmk texlive-latex-extra - name: Generate the documentation with tox - run: tox -e doc-html-${{ runner.os == 'Linux' && 'linux' || 'windows' }},doc-pdf-${{ runner.os == 'Linux' && 'linux' || 'windows' }} + env: + DOC_PLATFORM: ${{ runner.os == 'Linux' && 'linux' || 'windows' }} + run: tox -e "doc-html-${DOC_PLATFORM},doc-pdf-${DOC_PLATFORM}" - name: Upload HTML Documentation uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 @@ -196,6 +207,8 @@ jobs: steps: - name: "Install Git and clone project" uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3 with: @@ -218,7 +231,7 @@ jobs: id: version shell: bash run: | - library_name=${{ env.PACKAGE_NAME }} + library_name="$PACKAGE_NAME" library_version=$(python -c "import importlib.metadata as importlib_metadata; print(importlib_metadata.version('$library_name'))") if [ -z "$library_version" ]; then @@ -235,7 +248,7 @@ jobs: needs: [package, library-version] runs-on: ubuntu-latest permissions: - contents: write + contents: write # Required to publish a GitHub release for the latest-dev pre-release steps: - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: @@ -261,7 +274,7 @@ jobs: runs-on: ubuntu-latest needs: [package] permissions: - contents: write + contents: write # Required to push generated docs to the gh-pages branch steps: - name: Deploy the latest documentation uses: ansys/actions/doc-deploy-dev@v10.3.1 @@ -278,7 +291,7 @@ jobs: needs: [package] runs-on: ubuntu-latest permissions: - contents: write + contents: write # Required to publish the GitHub release for the tagged version steps: - name: Release to the public PyPI repository uses: ansys/actions/release-pypi-public@v10.3.1 
@@ -300,7 +313,7 @@ jobs: runs-on: ubuntu-latest needs: [release] permissions: - contents: write + contents: write # Required to push the stable docs to the gh-pages branch steps: - uses: ansys/actions/doc-deploy-stable@v10.3.1 with: diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 190125352..d1652cb01 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -10,13 +10,20 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: label-syncer: name: Syncer runs-on: ubuntu-latest + permissions: + contents: read + issues: write # Required to create/update repo labels steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -26,7 +33,7 @@ jobs: needs: [label-syncer] permissions: contents: read - pull-requests: write + pull-requests: write # Required to add labels to pull requests runs-on: ubuntu-latest steps: @@ -66,7 +73,10 @@ jobs: labels: bug commenter: + name: Suggest labels runs-on: ubuntu-latest + permissions: + pull-requests: write # Required to comment on pull requests steps: - name: Suggest to add labels uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5 diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index de0f1a154..f4f0b346c 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -25,11 +25,12 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: style: uses: ./.github/workflows/style.yml - secrets: inherit tests: strategy: 
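Review bot: Granting the commenter job `pull-requests: write` is the right minimum for `peter-evans/create-or-update-comment` on a pull request, but the step's guard (context line) is `if: toJSON(github.event.pull_request.labels.*.name) == '{}'`, and `toJSON` of an empty array renders as `[]`, not `{}`, so the condition looks as if it can never be true and the step never fires regardless of the permission. Worth confirming on an unlabeled PR; if it indeed never fires, `if: toJSON(github.event.pull_request.labels.*.name) == '[]'` is the check the comment above it describes. The job body continues past the hunk.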
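Review bot: With `permissions: {}` now at the top of nightly.yml, the `style` job in this hunk and the `tests` job in the -43 hunk call reusable workflows without a job-level `permissions` block, so the token they pass to style.yml and tests.yml carries no scopes at all; a called workflow can only downgrade what its caller grants, so the `contents: read` those workflows declare for themselves cannot restore it, and any step there that relies on `GITHUB_TOKEN` will fail with 403 from the nightly run while the same calls keep working from ci_cd.yml, which retains `contents: read` at workflow level. Add `permissions:` / `contents: read` to both caller jobs, mirroring what this commit does for `build` and `docs` in the -54 and -82 hunks. Whether the checkout itself survives an empty token depends on repository visibility, so treat the exact failure point as something to confirm on the first nightly run.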
@@ -43,7 +44,11 @@ jobs: ] fail-fast: false uses: ./.github/workflows/tests.yml - secrets: inherit + secrets: + PYANSYS_CI_BOT_PACKAGE_TOKEN: ${{ secrets.PYANSYS_CI_BOT_PACKAGE_TOKEN }} + PYANSYS_CI_BOT_TOKEN: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} + PYANSYS_CI_BOT_USERNAME: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: python-version: ${{ matrix.cfg.python-version }} toxenv: ${{ matrix.cfg.toxenv }} @@ -54,6 +59,8 @@ jobs: name: Build and Smoke tests runs-on: ${{ matrix.os }} needs: [style] + permissions: + contents: read strategy: fail-fast: false matrix: @@ -82,8 +89,12 @@ jobs: name: Documentation runs-on: ubuntu-latest needs: [style] + permissions: + contents: read steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -106,7 +117,9 @@ jobs: sudo apt install texlive-latex-extra - name: Generate the documentation with tox - run: tox -e doc-html-${{ runner.os == 'Linux' && 'linux' || 'windows' }},doc-pdf-${{ runner.os == 'Linux' && 'linux' || 'windows' }} + env: + DOC_PLATFORM: ${{ runner.os == 'Linux' && 'linux' || 'windows' }} + run: tox -e "doc-html-${DOC_PLATFORM},doc-pdf-${DOC_PLATFORM}" - name: Upload HTML Documentation uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml index ede565c3b..fbc10f997 100644 --- a/.github/workflows/style.yml +++ b/.github/workflows/style.yml @@ -5,13 +5,19 @@ on: env: MAIN_PYTHON_VERSION: '3.12' +permissions: {} + jobs: style: name: Code style runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: 
@@ -25,6 +31,8 @@ jobs: doc-style: name: Documentation Style Check runs-on: ubuntu-latest + permissions: + contents: read steps: - name: PyAnsys documentation style checks uses: ansys/actions/doc-style@v10.3.1 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index f7e99892a..8b91351b9 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -30,14 +30,29 @@ on: description: Whether to upload coverage results type: boolean default: true + secrets: + PYANSYS_CI_BOT_PACKAGE_TOKEN: + required: true + PYANSYS_CI_BOT_TOKEN: + required: true + PYANSYS_CI_BOT_USERNAME: + required: true + CODECOV_TOKEN: + required: true + +permissions: {} jobs: tests: name: Tests and coverage runs-on: ${{ inputs.runner }} + permissions: + contents: read steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python ${{ inputs.python-version }} uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: diff --git a/.github/workflows/update_rms_models.yml b/.github/workflows/update_rms_models.yml index d67d917d7..b46cf8136 100644 --- a/.github/workflows/update_rms_models.yml +++ b/.github/workflows/update_rms_models.yml @@ -11,13 +11,20 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: update-models: name: Update models runs-on: ubuntu-latest + permissions: + contents: write # Required to push the auto-update branch + pull-requests: write # Required to open the auto-update pull request steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 From 01daae3b161d5d155e10248ed11e2d8c39cd1be3 Mon Sep 17 00:00:00 2001 
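Review bot: All four secrets are declared `required: true`, but `CODECOV_TOKEN` is only read by the Codecov upload step, which is gated on `inputs.upload-coverage` (context in the -81 hunk of the second commit), so a caller that disables coverage upload is still forced to forward a token into a job that never uses it. `CODECOV_TOKEN:` with `required: false` keeps the interface explicit while letting the gate mean what it says; the other three are consumed unconditionally and are correctly mandatory. The `permissions: {}` default and the job-level `contents: read` are the right floor for this reusable workflow.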
From: Manikanth Guntupally Venkata Date: Fri, 5 Jun 2026 15:13:11 +0100 Subject: [PATCH 5/6] use absolute path --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 8b91351b9..8e6bca46c 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -71,7 +71,7 @@ jobs: - name: Start HPS services id: hps-services - uses: ./.github/actions/hps_services + uses: ansys/pyhps/.github/actions/hps_services@main with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} ghcr-username: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} From a3e6b509bf596680c06d4263adb6faabf18b7ea2 Mon Sep 17 00:00:00 2001 From: Manikanth Guntupally Venkata Date: Fri, 5 Jun 2026 15:27:34 +0100 Subject: [PATCH 6/6] fix failures --- .github/workflows/ci_cd.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index f9553801f..c2fbbaa5c 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -293,17 +293,17 @@ jobs: needs: [package] runs-on: ubuntu-latest permissions: - id-token: write - contents: write # # Required to publish the GitHub release for the tagged version + id-token: write # Required for PyPI trusted publishing (OIDC) + contents: write # Required to publish the GitHub release for the tagged version steps: - name: "Download the library artifacts from package step" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ${{ env.PACKAGE_NAME }}-artifacts path: ${{ env.PACKAGE_NAME }}-artifacts - name: "Upload artifacts to PyPI using trusted publisher" - uses: pypa/gh-action-pypi-publish@v1.14.0 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: repository-url: "https://upload.pypi.org/legacy/" print-hash: true
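Review bot: Switching the HPS services step back to `ansys/pyhps/.github/actions/hps_services@main` reintroduces a mutable branch reference, which is exactly what the new `check-actions-security` job and the earlier commits of this series remove, and it also means the tests always run the action from `main` rather than from the commit under test, so a pull request that edits `.github/actions/hps_services/action.yml` is never exercised by its own CI. update_rms_models.yml keeps the `./.github/actions/hps_services` form from the second commit, so the two callers now diverge. If the relative path failed because tests.yml runs as a reusable workflow, note that a `./` action resolves against the runner workspace that the `actions/checkout` step earlier in this job populates for same-repository callers, so the actual failure is worth recording in the commit message; if a remote reference really is required, pin it to a commit SHA rather than `@main`.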
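Review bot: The release job now holds `id-token: write` and `contents: write` together, so the PyPI trusted-publishing credential and write access to the repository are both available to every step of the job, including `actions/download-artifact` and whichever GitHub-release step follows the hunk. PyPI's guidance for trusted publishing is a dedicated job that only downloads the artifact and runs `pypa/gh-action-pypi-publish`, with `id-token: write` as its sole permission; moving the step that needs `contents: write` into a separate job with `needs: [release]` keeps each token scoped to the one action that uses it. The SHA pins and the corrected comments in this hunk are otherwise fine; the rest of the job continues outside the hunk.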