Merge branch 'main' into docs/overall_review

Author: RobPasMue

.github/workflows/cicd.yml

@@ -14,6 +14,9 @@ env:
     MAIN_PYTHON_VERSION: 3.13
     DOCUMENTATION_CNAME: tools.docs.pyansys.com
 
+permissions:
+  contents: read
+
 jobs:
 
     update-changelog:
@@ -24,7 +27,7 @@ jobs:
         contents: write
         pull-requests: write
       steps:
-        - uses: ansys/actions/doc-deploy-changelog@v10
+        - uses: ansys/actions/doc-deploy-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
           with:
             token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
             bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
@@ -35,32 +38,43 @@ jobs:
     #   name: "Check library vulnerabilities"
     #   runs-on: ubuntu-latest
     #   steps:
-    #     - uses: ansys/actions/check-vulnerabilities@v10.0
+    #     - uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
     #       with:
     #         python-version: ${{ env.MAIN_PYTHON_VERSION }}
     #         token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
     #         python-package-name: ${{ env.PACKAGE_NAME }}
     #         dev-mode: ${{ github.ref != 'refs/heads/main' }}
 
+    actions-security:
+      name: Check actions security
+      runs-on: ubuntu-latest
+      steps:
+        - uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
+          with:
+            generate-summary: true
+            token: ${{ secrets.GITHUB_TOKEN }}
+            auditing-level: 'high'
+
     style:
-        name: Code style
-        runs-on: ubuntu-latest
-        steps:
-          - name: PyAnsys code style checks
-            uses: ansys/actions/code-style@v10
-            with:
-              python-version: ${{ env.MAIN_PYTHON_VERSION }}
+      name: Code style
+      runs-on: ubuntu-latest
+      steps:
+        - name: PyAnsys code style checks
+          uses: ansys/actions/code-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
+          with:
+            python-version: ${{ env.MAIN_PYTHON_VERSION }}
+
     smoke-tests:
-        name: Build and Smoke tests
-        runs-on: ${{ matrix.os }}
-        strategy:
-            fail-fast: false
-            matrix:
-                os: [ubuntu-latest, windows-latest, macos-latest]
-                python-version: ['3.10', '3.11', '3.12']
-        steps:
+      name: Build and Smoke tests
+      runs-on: ${{ matrix.os }}
+      strategy:
+        fail-fast: false
+        matrix:
+          os: [ubuntu-latest, windows-latest, macos-latest]
+          python-version: ['3.10', '3.11', '3.12']
+      steps:
         - name: Build wheelhouse and perform smoke test
-          uses: ansys/actions/build-wheelhouse@v10
+          uses: ansys/actions/build-wheelhouse@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
           with:
             library-name: ${{ env.PACKAGE_NAME }}
             operating-system: ${{ matrix.os }}
@@ -77,12 +91,13 @@ jobs:
 
       steps:
         - name: Checkout repository
-          uses: actions/checkout@v3
+          uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+          with:
+            persist-credentials: false
         - name: Set up Python
-          uses: actions/setup-python@v4
+          uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
           with:
             python-version: ${{ env.MAIN_PYTHON_VERSION }}
-            cache: 'pip'
 
         - name: Install uv and create venv
           run: |
@@ -97,7 +112,7 @@ jobs:
             uv pip install tests/launcher/pkg_with_entrypoint
             uv run pytest
 
-        # - uses: codecov/codecov-action@v5
+        # - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
         #   name: 'Upload coverage to CodeCov'
         #   with:
         #     token: ${{ secrets.CODECOV_TOKEN }}
@@ -107,7 +122,7 @@ jobs:
       runs-on: ubuntu-latest
       steps:
         - name: PyAnsys documentation style checks
-          uses: ansys/actions/doc-style@v10
+          uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
           with:
             token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -117,21 +132,21 @@ jobs:
       runs-on: ubuntu-latest
       steps:
         - name: Build documentation
-          uses: ansys/actions/doc-build@v10
+          uses: ansys/actions/doc-build@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
           with:
             python-version: ${{ env.MAIN_PYTHON_VERSION }}
             check-links: false # Delete after first release
 
     package:
-        name: Package library
-        runs-on: ubuntu-latest
-        needs: [tests, doc-build]
-        steps:
-            - name: Build library source and wheel artifacts
-              uses: ansys/actions/build-library@v10
-              with:
-                library-name: ${{ env.PACKAGE_NAME }}
-                python-version: ${{ env.MAIN_PYTHON_VERSION }}
+      name: Package library
+      runs-on: ubuntu-latest
+      needs: [tests, doc-build]
+      steps:
+        - name: Build library source and wheel artifacts
+          uses: ansys/actions/build-library@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
+          with:
+            library-name: ${{ env.PACKAGE_NAME }}
+            python-version: ${{ env.MAIN_PYTHON_VERSION }}
 
     release:
       name: Release project
@@ -159,14 +174,14 @@ jobs:
         #     skip-existing: false
 
         - name: "Release to the private PyPI repository"
-          uses: ansys/actions/release-pypi-private@v9
+          uses: ansys/actions/release-pypi-private@495ca3d79c1627f5b96c469cfbe799718e9dc35f # v9.0.13
           with:
             library-name: "ansys-tools-common"
             twine-username: "__token__"
             twine-token: ${{ secrets.PYANSYS_PYPI_PRIVATE_PAT }}
 
         - name: Release to GitHub
-          uses: ansys/actions/release-github@v10
+          uses: ansys/actions/release-github@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
           with:
             token: ${{ secrets.GITHUB_TOKEN }}
             library-name: ${{ env.PACKAGE_NAME }}
@@ -176,11 +191,13 @@ jobs:
       if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
       runs-on: ubuntu-latest
       needs: [release]
+      permissions:
+        contents: write
       steps:
         - name: Deploy the stable documentation
-          uses: ansys/actions/doc-deploy-stable@v10
+          uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
           with:
             cname: ${{ env.DOCUMENTATION_CNAME }}
             token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
             bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
-            bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}
+            bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}

.github/workflows/label.yml

@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {} # Disable default permissions
+
 jobs:
 
   label-syncer:
@@ -24,6 +26,8 @@ jobs:
       pull-requests: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -78,6 +82,7 @@ jobs:
         labels: bug
 
   commenter:
+    name: Suggest labels if none assigned
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -106,10 +111,10 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-    - uses: ansys/actions/doc-changelog@v10
+    - uses: ansys/actions/doc-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
       with:
         token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
         use-conventional-commits: true
         use-default-towncrier-config: true
         bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
-        bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}
+        bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }}

.github/workflows/run_mapdl_tests.yml

@@ -13,11 +13,16 @@ env:
     PACKAGE_NAME: ansys-tools-common
     MAIN_PYTHON_VERSION: 3.13
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   build-tests:
+    name: Build tests
     runs-on: ubuntu-22.04
     container:
-      image: ghcr.io/ansys/mapdl:v22.2-ubuntu
+      image: ghcr.io/ansys/mapdl:v22.2-ubuntu@sha256:024c587f4a8190e99cc3f08a2dc231583032e784a8ef7d7659f8dd9748116697
       options: "-u=0:0 --entrypoint /bin/bash"
       credentials:
         username: ${{ secrets.GH_USERNAME }}
@@ -27,9 +32,11 @@ jobs:
       ON_UBUNTU: true
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      with:
+        persist-credentials: false
     - name: Setup Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         python-version: ${{ env.MAIN_PYTHON_VERSION }}
     - name: Install uv and create venv
@@ -40,12 +47,14 @@ jobs:
       run: |
         uv sync --extra tests
     - name: Run tests
+      env:
+        PACKAGE_NAMESPACE: ${{ env.PACKAGE_NAMESPACE }}
       run: |
         uv sync --extra tests --no-dev
         uv pip install tests/launcher/pkg_with_entrypoint
-        uv run pytest -vx --cov=${{ env.PACKAGE_NAMESPACE }} --cov-report=term --cov-report=xml:.cov/coverage.xml --cov-report=html:.cov/html
+        uv run pytest -vx --cov=${PACKAGE_NAMESPACE} --cov-report=term --cov-report=xml:.cov/coverage.xml --cov-report=html:.cov/html
 
-      # - uses: codecov/codecov-action@v5
+      # - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
       #   name: 'Upload coverage to CodeCov'
       #   with:
-      #     token: ${{ secrets.CODECOV_TOKEN }}
+      #     token: ${{ secrets.CODECOV_TOKEN }}

doc/changelog.d/41.maintenance.md

@@ -0,0 +1 @@
+Add \`\`ansys/actions/check-actions-security\`\` action and related fixes