fix: Zizmor fixes (#366)

AlejandroFernandezLuces · pyansys-ci-bot · web-flow · commit 6997605962f5 · 2025-10-03T07:50:37.000+02:00
Co-authored-by: pyansys-ci-bot &lt;92810346+pyansys-ci-bot@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml
@@ -20,6 +20,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
 
   update-changelog:
@@ -30,7 +32,7 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-      - uses: ansys/actions/doc-deploy-changelog@v10
+      - uses: ansys/actions/doc-deploy-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
           bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
@@ -42,27 +44,37 @@ jobs:
     steps:
       - name: PyAnsys Vulnerability check (on main)
         if: github.ref == 'refs/heads/main'
-        uses: ansys/actions/check-vulnerabilities@v10
+        uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
           python-package-name: ${{ env.PACKAGE_NAME }}
           token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
 
       - name: PyAnsys Vulnerability check (on dev mode)
         if: github.ref != 'refs/heads/main'
-        uses: ansys/actions/check-vulnerabilities@v10
+        uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
           python-package-name: ${{ env.PACKAGE_NAME }}
           token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
           dev-mode: true
 
+  actions-security:
+    name: Actions Security
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ansys/actions/check-actions-security@123a1f17d71f117e0ba29c53d6a0f602e0d8d902 # v10.1.3
+        with:
+          generate-summary: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+          auditing-level: 'high'
+
   docs-style:
     name: Documentation Style Check
     runs-on: ubuntu-latest
     steps:
       - name: PyAnsys documentation style checks
-        uses: ansys/actions/doc-style@v10
+        uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -72,10 +84,10 @@ jobs:
     needs: [docs-style]
     steps:
     - name: Setup headless display
-      uses: pyvista/setup-headless-display-action@v4
+      uses: pyvista/setup-headless-display-action@7d84ae825e6d9297a8e99bdbbae20d1b919a0b19 # v4.2
 
     - name: "Run Ansys documentation building action"
-      uses: ansys/actions/doc-build@v10
+      uses: ansys/actions/doc-build@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
       with:
         python-version: ${{ env.MAIN_PYTHON_VERSION }}
         add-pdf-html-docs-as-assets: true
@@ -95,7 +107,7 @@ jobs:
             os: macos-latest
     steps:
       - name: Build wheelhouse and perform smoke test
-        uses: ansys/actions/build-wheelhouse@v10
+        uses: ansys/actions/build-wheelhouse@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           library-name: ${{ env.PACKAGE_NAME }}
           operating-system: ${{ matrix.os }}
@@ -108,27 +120,28 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Restore images cache
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: tests/graphics/image_cache
           key: pyvista-image-cache-${{ runner.os }}-v-${{ env.RESET_IMAGE_CACHE }}-${{ hashFiles('pyproject.toml') }}
           restore-keys: pyvista-image-cache-${{ runner.os }}-v-${{ env.RESET_IMAGE_CACHE }}
+          lookup-only: true
 
       - name: "Run pytest"
-        uses: ansys/actions/tests-pytest@v10
+        uses: ansys/actions/tests-pytest@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
           requires-xvfb: true
 
       - name: Upload PyVista generated images (cache and results)
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: pytest-pyvista-images-${{ runner.os }}
           path: tests/_image_cache
           retention-days: 7
 
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
         name: 'Upload coverage to CodeCov'
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -139,7 +152,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Build library source and wheel artifacts
-        uses: ansys/actions/build-library@v10
+        uses: ansys/actions/build-library@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           library-name: ${{ env.PACKAGE_NAME }}
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
@@ -151,7 +164,7 @@ jobs:
     needs: [package]
     steps:
       - name: Deploy the latest documentation
-        uses: ansys/actions/doc-deploy-dev@v10
+        uses: ansys/actions/doc-deploy-dev@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           cname: ${{ env.DOCUMENTATION_CNAME }}
           token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
@@ -183,7 +196,7 @@ jobs:
           skip-existing: false
 
       - name: Release to GitHub
-        uses: ansys/actions/release-github@v10
+        uses: ansys/actions/release-github@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           library-name: ${{ env.PACKAGE_NAME }}
@@ -195,7 +208,7 @@ jobs:
     needs: [release]
     steps:
       - name: Deploy the stable documentation
-        uses: ansys/actions/doc-deploy-stable@v10
+        uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
         with:
           cname: ${{ env.DOCUMENTATION_CNAME }}
           token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
@@ -15,13 +15,17 @@ concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: true
 
+permissions: {}
+
 jobs:
     label-syncer:
         name: Syncer
         runs-on: ubuntu-latest
         steps:
-        - uses: actions/checkout@v5
-        - uses: micnncim/action-label-syncer@v1
+        - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+          with:
+            persist-credentials: false
+        - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
         env:
             GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -35,42 +39,43 @@ jobs:
         steps:
         # Label based on modified files
         - name: Label based on changed files
-          uses: actions/labeler@v6
+          uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
           with:
             repo-token: ${{ secrets.GITHUB_TOKEN }}
             sync-labels: true
 
-        - uses: actions-ecosystem/action-add-labels@v1
+        - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
           if: |
             startsWith(github.event.pull_request.head.ref, 'doc') ||
             startsWith(github.event.pull_request.head.ref, 'docs')
           with:
             labels: documentation
-        - uses: actions-ecosystem/action-add-labels@v1
+        - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
           if: |
             startsWith(github.event.pull_request.head.ref, 'maint') ||
             startsWith(github.event.pull_request.head.ref, 'no-ci') ||
             startsWith(github.event.pull_request.head.ref, 'ci')
           with:
             labels: maintenance
 
-        - uses: actions-ecosystem/action-add-labels@v1
+        - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
           if: startsWith(github.event.pull_request.head.ref, 'feat')
           with:
               labels: enhancement
 
-        - uses: actions-ecosystem/action-add-labels@v1
+        - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
           if: |
             startsWith(github.event.pull_request.head.ref, 'fix') ||
             startsWith(github.event.pull_request.head.ref, 'patch')
           with:
             labels: bug
 
     commenter:
+        name: "Commenter to suggest adding labels"
         runs-on: ubuntu-latest
         steps:
         - name: Suggest to add labels
-          uses: peter-evans/create-or-update-comment@v4
+          uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
           # Execute only when no labels have been applied to the pull request
           if: toJSON(github.event.pull_request.labels.*.name) == '{}'
           with:
@@ -92,7 +97,7 @@ jobs:
           pull-requests: write
         runs-on: ubuntu-latest
         steps:
-        - uses: ansys/actions/doc-changelog@v10
+        - uses: ansys/actions/doc-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
           with:
             token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
             bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
diff --git a/doc/changelog.d/366.miscellaneous.md b/doc/changelog.d/366.miscellaneous.md
@@ -0,0 +1 @@
+Fix: Zizmor fixes
