[MAINTENANCE] Add ansys/actions/check-actions-security action

.github/actions/hps_services/action.yml

@@ -42,7 +42,7 @@ runs:
 
   steps:
     - if: ${{ inputs.version != 'latest-dev' }}
-      uses: dsaltares/fetch-gh-release-asset@master
+      uses: dsaltares/fetch-gh-release-asset@aa2ab1243d6e0d5b405b973c89fa4d06a2d0fff7 # master
       name: Download Customer Services Artifact
       with:
         file: 'docker-compose-customer.tar.gz'
@@ -52,7 +52,7 @@ runs:
         token: ${{ inputs.token }}
 
     - if: ${{ inputs.version == 'latest-dev' }}
-      uses: dawidd6/action-download-artifact@v3
+      uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
       name: Download Internal Services Artifact
       with:
         workflow: main.yaml
@@ -64,12 +64,12 @@ runs:
         path: ./docker-compose-artifact
         github_token: ${{ inputs.token }}
 
-    - uses: KengoTODA/actions-setup-docker-compose@main
+    - uses: KengoTODA/actions-setup-docker-compose@477353946803dd64eaa44008b865b6bfc88cab4e # v1.2.4
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
 
     - name: Login in Github Container registry
-      uses: docker/login-action@v3
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
       with:
         registry: ghcr.io
         username: ${{ inputs.ghcr-username }}
@@ -113,7 +113,7 @@ runs:
         tar -xvzf docker-compose-internal.tar.gz
         cd docker-compose
         docker-compose pull
-        if [ -z "$PROFILE"]; then
+        if [ -z "$PROFILE" ]; then
           docker-compose up -d
         else
           docker-compose --profile $PROFILE up -d

.github/workflows/ci_cd.yml

@@ -35,14 +35,22 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  contents: write
-  checks: write
+  contents: read
 
 jobs:
 
   style:
     uses: ./.github/workflows/style.yml
-    secrets: inherit
+
+  check-actions-security:
+    name: Check actions security
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: ansys/actions/check-actions-security@v10.3.2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
 
   tests:
     strategy:
@@ -53,7 +61,11 @@ jobs:
             ]
       fail-fast: false
     uses: ./.github/workflows/tests.yml
-    secrets: inherit
+    secrets:
+      PYANSYS_CI_BOT_PACKAGE_TOKEN: ${{ secrets.PYANSYS_CI_BOT_PACKAGE_TOKEN }}
+      PYANSYS_CI_BOT_TOKEN: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
+      PYANSYS_CI_BOT_USERNAME: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     with:
       python-version: ${{ matrix.cfg.python-version }}   
       toxenv: ${{ matrix.cfg.toxenv }}
@@ -67,7 +79,11 @@ jobs:
           hps-version: ['v1.2.0', 'v1.3.45', 'v1.4.10']
       fail-fast: false
     uses: ./.github/workflows/tests.yml
-    secrets: inherit
+    secrets:
+      PYANSYS_CI_BOT_PACKAGE_TOKEN: ${{ secrets.PYANSYS_CI_BOT_PACKAGE_TOKEN }}
+      PYANSYS_CI_BOT_TOKEN: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
+      PYANSYS_CI_BOT_USERNAME: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     with:
       python-version: '3.10'
       toxenv: 'py310'
@@ -81,14 +97,16 @@ jobs:
     runs-on: ubuntu-latest
     needs: [style]
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
 
-      - uses: extractions/netrc@v3
+      - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3
         with:
           machine: github.com
           username: pyansys-ci-bot
@@ -105,17 +123,19 @@ jobs:
           sudo apt install latexmk texlive-latex-extra
 
       - name: Generate the documentation with tox
-        run: tox -e doc-html-${{ runner.os == 'Linux' && 'linux' || 'windows' }},doc-pdf-${{ runner.os == 'Linux' && 'linux' || 'windows' }}
+        env:
+          DOC_PLATFORM: ${{ runner.os == 'Linux' && 'linux' || 'windows' }}
+        run: tox -e "doc-html-${DOC_PLATFORM},doc-pdf-${DOC_PLATFORM}"
 
       - name: Upload HTML Documentation
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: documentation-html
           path: doc/_build/html
           retention-days: 7
 
       - name: Upload PDF Documentation
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: documentation-pdf
           path: doc/_build/latex/*.pdf
@@ -146,7 +166,7 @@ jobs:
             python-version: '3.14'
 
     steps:
-      - uses: extractions/netrc@v3
+      - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3
         with:
           machine: github.com
           username: pyansys-ci-bot
@@ -188,16 +208,18 @@ jobs:
       library_version: ${{ steps.version.outputs.library_version }}
     steps:
       - name: "Install Git and clone project"
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
-      - uses: extractions/netrc@v3
+      - uses: extractions/netrc@c3879108aae6b4ed5c4eb60854ae04f06d2f2f68 # v3
         with:
           machine: github.com
           username: pyansys-ci-bot
           password: ${{ secrets.PYANSYS_CI_BOT_PACKAGE_TOKEN }}
 
       - name: "Set up Python ${{ env.MAIN_PYTHON_VERSION }}"
-        uses: ansys/actions/_setup-python@main
+        uses: ansys/actions/_setup-python@v10.3.2
         with:
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
           use-cache: true
@@ -211,7 +233,7 @@ jobs:
         id: version
         shell: bash
         run: |
-          library_name=${{ env.PACKAGE_NAME }}
+          library_name="$PACKAGE_NAME"
           library_version=$(python -c "import importlib.metadata as importlib_metadata; print(importlib_metadata.version('$library_name'))")
 
           if [ -z "$library_version" ]; then
@@ -227,8 +249,10 @@ jobs:
     if: startsWith(github.ref, 'refs/heads/main')
     needs: [package, library-version]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write  # Required to publish a GitHub release for the latest-dev pre-release
     steps:
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: ansys-hps-client-artifacts
           path: /tmp/artifacts
@@ -237,7 +261,7 @@ jobs:
         run: ls -ltR /tmp/artifacts
 
       - name: Release to latest-dev
-        uses: softprops/action-gh-release@v3
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
         if: startsWith(github.ref, 'refs/heads/main')
         with:
           tag_name: "v${{ needs.library-version.outputs.library_version }}"
@@ -251,6 +275,8 @@ jobs:
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     needs: [package]
+    permissions:
+      contents: write  # Required to push generated docs to the gh-pages branch
     steps:
       - name: Deploy the latest documentation
         uses: ansys/actions/doc-deploy-dev@v10.3.2
@@ -267,17 +293,17 @@ jobs:
     needs: [package]
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
-      contents: write
+      id-token: write  # Required for PyPI trusted publishing (OIDC)
+      contents: write  # Required to publish the GitHub release for the tagged version
     steps:
       - name: "Download the library artifacts from package step"
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: ${{ env.PACKAGE_NAME }}-artifacts
           path: ${{ env.PACKAGE_NAME }}-artifacts
 
       - name: "Upload artifacts to PyPI using trusted publisher"
-        uses: pypa/gh-action-pypi-publish@v1.14.0
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         with:
           repository-url: "https://upload.pypi.org/legacy/"
           print-hash: true
@@ -296,6 +322,8 @@ jobs:
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
     needs: [release]
+    permissions:
+      contents: write  # Required to push the stable docs to the gh-pages branch
     steps:
       - uses: ansys/actions/doc-deploy-stable@v10.3.2
         with:

.github/workflows/label.yml

@@ -10,14 +10,21 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
 
   label-syncer:
     name: Syncer
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write  # Required to create/update repo labels
     steps:
-      - uses: actions/checkout@v6.0.2
-      - uses: micnncim/action-label-syncer@v1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -26,50 +33,53 @@ jobs:
     needs: [label-syncer]
     permissions:
       contents: read
-      pull-requests: write
+      pull-requests: write  # Required to add labels to pull requests
     runs-on: ubuntu-latest
     steps:
 
     # Label based on modified files
     - name: Label based on changed files
-      uses: actions/labeler@v6.1.0
+      uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
 
     # Label based on branch name
-    - uses: actions-ecosystem/action-add-labels@v1
+    - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1
       if: |
         startsWith(github.event.pull_request.head.ref, 'doc') || 
         startsWith(github.event.pull_request.head.ref, 'docs')
       with:
         labels: documentation
 
-    - uses: actions-ecosystem/action-add-labels@v1
+    - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1
       if: |
         startsWith(github.event.pull_request.head.ref, 'maint') ||
         startsWith(github.event.pull_request.head.ref, 'no-ci') ||
         startsWith(github.event.pull_request.head.ref, 'ci')
       with:
         labels: maintenance
 
-    - uses: actions-ecosystem/action-add-labels@v1
+    - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1
       if: startsWith(github.event.pull_request.head.ref, 'feat')
       with:
         labels: |
           enhancement
 
-    - uses: actions-ecosystem/action-add-labels@v1
+    - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1
       if: |
         startsWith(github.event.pull_request.head.ref, 'fix') ||
         startsWith(github.event.pull_request.head.ref, 'patch')
       with:
         labels: bug
 
   commenter:
+    name: Suggest labels
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write  # Required to comment on pull requests
     steps:
     - name: Suggest to add labels
-      uses: peter-evans/create-or-update-comment@v5
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
       # Execute only when no labels have been applied to the pull request
       if: toJSON(github.event.pull_request.labels.*.name) == '{}'
       with: