@@ -23,6 +23,8 @@ concurrency:
2323 group : ${{ github.workflow }}-${{ github.ref }}
2424 cancel-in-progress : true
2525
26+ permissions : {} # Disable default permissions
27+
2628jobs :
2729
2830 update-changelog :
4345 vulnerabilities :
4446 name : " Vulnerabilities"
4547 runs-on : ubuntu-latest
48+ permissions :
49+ contents : read
4650 steps :
4751 - uses : ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
4852 with :
5256 dev-mode : ${{ github.ref != 'refs/heads/main' }}
5357 extra-targets : ' all'
5458
59+ actions-security :
60+ name : " Check actions security"
61+ runs-on : ubuntu-latest
62+ permissions :
63+ contents : read
64+ steps :
65+ - uses : ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
66+ with :
67+ generate-summary : true
68+ token : ${{ secrets.GITHUB_TOKEN }}
69+ auditing-level : ' high'
70+
5571 # NOTE: We do not allow dependabot to trigger the CI/CD pipeline automatically.
5672 # This is to mitigate supply chain attacks, where a malicious dependency update
5773 # could execute arbitrary code in our build environment.
6278 runs-on : ubuntu-latest
6379 steps :
6480 - name : Exit if dependabot triggered the workflow
65- if : github.triggering_actor == 'dependabot[bot]'
81+ if : github.event.pull_request.user.login == 'dependabot[bot]'
6682 run : |
6783 echo "::warning::Dependabot is not allowed to trigger this workflow. Please review carefully the changes before running the workflow manually."
6884 exit 1
87103 name : Check the title of the PR (if needed)
88104 runs-on : ubuntu-latest
89105 needs : [block-pyansys-ci-bot]
106+ permissions :
107+ pull-requests : read
90108 steps :
91109 - name : Check the title of the pull request
92110 if : github.event_name == 'pull_request'
@@ -103,6 +121,8 @@ jobs:
103121 name : Documentation style check
104122 runs-on : ubuntu-latest
105123 needs : [pr-title]
124+ permissions :
125+ contents : read
106126 steps :
107127 - name : Check documentation style
108128 uses : ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
@@ -157,8 +177,10 @@ jobs:
157177 use-python-cache : false
158178 - name : Import python package
159179 shell : bash
180+ env :
181+ ACTIVATE_VENV : ${{ steps.build-wheelhouse.outputs.activate-venv }}
160182 run : |
161- ${{ steps.build-wheelhouse.outputs.activate-venv } }
183+ ${ACTIVATE_VENV }
162184 python -c "import ansys.aedt.core; from ansys.aedt.core import __version__"
163185
164186 unit-tests :
@@ -228,6 +250,8 @@ jobs:
228250 steps :
229251 - name : Install Git and checkout project
230252 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
253+ with :
254+ persist-credentials : false
231255
232256 - name : Setup Python
233257 uses : actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -267,9 +291,10 @@ jobs:
267291 - name : Run tests marked with 'solvers'
268292 env :
269293 PYTHONMALLOC : malloc
294+ PYTEST_ARGUMENTS : ${{ env.PYTEST_ARGUMENTS }}
270295 run : |
271296 .venv\Scripts\Activate.ps1
272- pytest ${{ env. PYTEST_ARGUMENTS } } --timeout=600 -m solvers
297+ pytest ${PYTEST_ARGUMENTS} --timeout=600 -m solvers
273298
274299 - uses : codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
275300 with :
@@ -299,24 +324,30 @@ jobs:
299324 steps :
300325 - name : Install Git and checkout project
301326 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
327+ with :
328+ persist-credentials : false
302329
303330 - name : Setup Python
304331 uses : actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
305332 with :
306333 python-version : ${{ env.MAIN_PYTHON_VERSION }}
307334
308335 - name : Create virtual environment
336+ env :
337+ ANSYSEM : ${{ env.ANSYSEM_ROOT252 }}
309338 run : |
310- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 } }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
339+ export LD_LIBRARY_PATH=${ANSYSEM }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
311340 python -m venv .venv
312341 source .venv/bin/activate
313342 python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
314343 python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org wheel setuptools -U
315344 python -c "import sys; print(sys.executable)"
316345
317346 - name : Install pyaedt and tests dependencies
347+ env :
348+ ANSYSEM : ${{ env.ANSYSEM_ROOT252 }}
318349 run : |
319- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 } }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
350+ export LD_LIBRARY_PATH=${ANSYSEM }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
320351 source .venv/bin/activate
321352 pip install .[tests]
322353
@@ -329,10 +360,13 @@ jobs:
329360 done
330361
331362 - name : Run tests marked with 'solvers'
363+ env :
364+ ANSYSEM : ${{ env.ANSYSEM_ROOT252 }}
365+ PYTEST_ARGUMENTS : ${{ env.PYTEST_ARGUMENTS }}
332366 run : |
333- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 } }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
367+ export LD_LIBRARY_PATH=${ANSYSEM }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
334368 source .venv/bin/activate
335- pytest ${{ env. PYTEST_ARGUMENTS } } --timeout=600 -m solvers
369+ pytest ${PYTEST_ARGUMENTS} --timeout=600 -m solvers
336370
337371 - uses : codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
338372 with :
@@ -359,6 +393,8 @@ jobs:
359393 steps :
360394 - name : Install Git and checkout project
361395 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
396+ with :
397+ persist-credentials : false
362398
363399 - name : Setup Python
364400 uses : actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -435,24 +471,30 @@ jobs:
435471 steps :
436472 - name : Install Git and checkout project
437473 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
474+ with :
475+ persist-credentials : false
438476
439477 - name : Setup Python
440478 uses : actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
441479 with :
442480 python-version : ${{ env.MAIN_PYTHON_VERSION }}
443481
444482 - name : Create virtual environment
483+ env :
484+ ANSYSEM : ${{ env.ANSYSEM_ROOT252 }}
445485 run : |
446- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 } }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
486+ export LD_LIBRARY_PATH=${ANSYSEM }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
447487 python -m venv .venv
448488 source .venv/bin/activate
449489 python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
450490 python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org wheel setuptools -U
451491 python -c "import sys; print(sys.executable)"
452492
453493 - name : Install pyaedt and tests dependencies
494+ env :
495+ ANSYSEM : ${{ env.ANSYSEM_ROOT252 }}
454496 run : |
455- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 } }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
497+ export LD_LIBRARY_PATH=${ANSYSEM }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
456498 source .venv/bin/activate
457499 pip install .[tests]
458500
@@ -510,6 +552,8 @@ jobs:
510552 steps :
511553 - name : Install Git and checkout project
512554 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
555+ with :
556+ persist-credentials : false
513557
514558 - name : Setup Python
515559 uses : actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -587,24 +631,30 @@ jobs:
587631 steps :
588632 - name : Install Git and checkout project
589633 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
634+ with :
635+ persist-credentials : false
590636
591637 - name : Setup Python
592638 uses : actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
593639 with :
594640 python-version : ${{ env.MAIN_PYTHON_VERSION }}
595641
596642 - name : Create virtual environment
643+ env :
644+ ANSYSEM : ${{ env.ANSYSEM_ROOT252 }}
597645 run : |
598- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 } }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
646+ export LD_LIBRARY_PATH=${ANSYSEM }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
599647 python -m venv .venv
600648 source .venv/bin/activate
601649 python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
602650 python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org wheel setuptools -U
603651 python -c "import sys; print(sys.executable)"
604652
605653 - name : Install pyaedt and tests dependencies
654+ env :
655+ ANSYSEM : ${{ env.ANSYSEM_ROOT252 }}
606656 run : |
607- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 } }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
657+ export LD_LIBRARY_PATH=${ANSYSEM }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
608658 source .venv/bin/activate
609659 pip install .[tests]
610660
@@ -659,6 +709,8 @@ jobs:
659709 steps :
660710 - name : Install Git and checkout project
661711 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
712+ with :
713+ persist-credentials : false
662714
663715 - name : Setup Python
664716 uses : actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -735,24 +787,30 @@ jobs:
735787 steps :
736788 - name : Install Git and checkout project
737789 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
790+ with :
791+ persist-credentials : false
738792
739793 - name : Setup Python
740794 uses : actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
741795 with :
742796 python-version : ${{ env.MAIN_PYTHON_VERSION }}
743797
744798 - name : Create virtual environment
799+ env :
800+ ANSYSEM : ${{ env.ANSYSEM_ROOT252 }}
745801 run : |
746- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 } }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
802+ export LD_LIBRARY_PATH=${ANSYSEM }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
747803 python -m venv .venv
748804 source .venv/bin/activate
749805 python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
750806 python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org wheel setuptools -U
751807 python -c "import sys; print(sys.executable)"
752808
753809 - name : Install pyaedt and tests dependencies
810+ env :
811+ ANSYSEM : ${{ env.ANSYSEM_ROOT252 }}
754812 run : |
755- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 } }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
813+ export LD_LIBRARY_PATH=${ANSYSEM }/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
756814 source .venv/bin/activate
757815 pip install .[tests]
758816
@@ -812,6 +870,8 @@ jobs:
812870 steps :
813871 - name : Install Git and checkout project
814872 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
873+ with :
874+ persist-credentials : false
815875
816876 - name : Setup Python
817877 uses : actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -885,6 +945,8 @@ jobs:
885945 steps :
886946 - name : Install Git and checkout project
887947 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
948+ with :
949+ persist-credentials : false
888950
889951 - name : Setup Python
890952 uses : actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -1011,6 +1073,8 @@ jobs:
10111073 if : github.event_name == 'push' && contains(github.ref, 'refs/tags')
10121074 runs-on : ubuntu-latest
10131075 needs : [release]
1076+ permissions :
1077+ contents : write
10141078 steps :
10151079 - name : Deploy the stable documentation
10161080 uses : ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
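Review bot: In the Windows step "Run tests marked with 'solvers'" (hunk `@@ -267,9 +291,10 @@`), the new `pytest ${PYTEST_ARGUMENTS} --timeout=600 -m solvers` appears to run under PowerShell, since the line before it calls `.venv\Scripts\Activate.ps1` and no `shell:` key is visible in the hunk. In PowerShell `${PYTEST_ARGUMENTS}` names a shell variable, not the environment variable set under `env:`, so it would expand to nothing and the tests would silently run without their configured arguments. The template-injection hardening is kept by reading the environment instead: `pytest ($env:PYTEST_ARGUMENTS -split ' ') --timeout=600 -m solvers`, where the split is needed because PowerShell hands an unsplit variable to a native command as a single argument. The Linux steps that use the same `${PYTEST_ARGUMENTS}` form source `.venv/bin/activate` and so look like bash, where the expansion works as intended. The job header and any `defaults.run.shell` setting are outside the hunk, so the shell should be confirmed there.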