ci: cleanup nightly docker test workflow

RobPasMue · RobPasMue · commit 9cabf882a139 · 2025-10-01T11:56:29.000+02:00
diff --git a/.github/workflows/nightly_docker_test.yml b/.github/workflows/nightly_docker_test.yml
@@ -32,9 +32,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: write
-  packages: write
+permissions: {} # Disable default permissions
 
 jobs:
 
@@ -44,6 +42,9 @@ jobs:
     outputs:
       skip_core_windows: ${{ steps.services.outputs.skip_core_windows }}
       skip_core_linux: ${{ steps.services.outputs.skip_core_linux }}
+    permissions:
+      contents: read
+      packages: read
     strategy:
       matrix:
         include:
@@ -65,23 +66,28 @@ jobs:
 
       - name: Check ${{ matrix.service-name }} manifest
         id: services
+        env:
+          CONTAINER_STABLE: ${{ matrix.container-stable }}
+          CONTAINER_UNSTABLE: ${{ matrix.container-unstable }}
+          SERVICE: ${{ matrix.service }}
+          SERVICE_NAME: ${{ matrix.service-name }}
         run: |
-          docker manifest inspect ghcr.io/ansys/geometry:${{ matrix.container-stable }} > ${{ matrix.container-stable }}.json
-          docker manifest inspect ghcr.io/ansys/geometry:${{ matrix.container-unstable }} > ${{ matrix.container-unstable }}.json || true
+          docker manifest inspect ghcr.io/ansys/geometry:${CONTAINER_STABLE} > ${CONTAINER_STABLE}.json
+          docker manifest inspect ghcr.io/ansys/geometry:${CONTAINER_UNSTABLE} > ${CONTAINER_UNSTABLE}.json || true
 
           # Verify that the unstable manifest exists - otherwise create an empty file
-          if [ ! -f ${{ matrix.container-unstable }}.json ]; then
-            touch ${{ matrix.container-unstable }}.json
+          if [ ! -f ${CONTAINER_UNSTABLE}.json ]; then
+            touch ${CONTAINER_UNSTABLE}.json
           fi
 
 
           # Check if the manifests are the same (and if so, create an output that will skip the next job)
-          if diff ${{ matrix.container-stable }}.json ${{ matrix.container-unstable }}.json; then
-            echo "${{ matrix.service-name }} container manifests are the same... skipping"
-            echo "skip_${{ matrix.service }}=1" >> "$GITHUB_OUTPUT"
+          if diff ${CONTAINER_STABLE}.json ${CONTAINER_UNSTABLE}.json; then
+            echo "${SERVICE_NAME} container manifests are the same... skipping"
+            echo "skip_${SERVICE}=1" >> "$GITHUB_OUTPUT"
           else
-            echo "${{ matrix.service-name }} container manifests are different"
-            echo "skip_${{ matrix.service }}=0" >> "$GITHUB_OUTPUT"
+            echo "${SERVICE_NAME} container manifests are different"
+            echo "skip_${SERVICE}=0" >> "$GITHUB_OUTPUT"
           fi
 
 # =================================================================================================
@@ -95,6 +101,9 @@ jobs:
     runs-on: [self-hosted, Windows, pygeometry]
     env:
       PYVISTA_OFF_SCREEN: true
+    permissions:
+      contents: read
+      packages: read
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
@@ -128,18 +137,23 @@ jobs:
 
       - name: Download Geometry service container (always latest version)
         run: |
-          docker image rm ${{ env.ANSRV_GEO_IMAGE_WINDOWS_CORE_TAG }}
-          docker pull ${{ env.ANSRV_GEO_IMAGE_WINDOWS_CORE_TAG }}
+          docker image rm $env:ANSRV_GEO_IMAGE_WINDOWS_CORE_TAG
+          docker pull $env:ANSRV_GEO_IMAGE_WINDOWS_CORE_TAG
 
       - name: Check location of self-hosted runner and define license server accordingly
         if: runner.name == 'pygeometry-ci-2'
+        env:
+          LICENSE_SERVER_INTERNAL: ${{ secrets.LICENSE_SERVER_INTERNAL }}
         run:
-          echo "ANSRV_GEO_LICENSE_SERVER=${{ secrets.LICENSE_SERVER_INTERNAL }}" | Out-File -FilePath $env:GITHUB_ENV -Append
+          echo "ANSRV_GEO_LICENSE_SERVER=$env:LICENSE_SERVER_INTERNAL" | Out-File -FilePath $env:GITHUB_ENV -Append
 
       - name: Start Geometry service and verify start
+        env:
+          TRANSPORT_MODE_SELECTION: ${{ secrets.TRANSPORT_MODE_SELECTION }}
+          PORT_MAPPING: "${{ env.ANSRV_GEO_PORT }}:50051"
         run: |
           .\.venv\Scripts\Activate.ps1
-          docker run --detach --name ${{ env.GEO_CONT_NAME }} -e LICENSE_SERVER=${{ env.ANSRV_GEO_LICENSE_SERVER }} -p ${{ env.ANSRV_GEO_PORT }}:50051 ${{ env.ANSRV_GEO_IMAGE_WINDOWS_CORE_TAG }} ${{ secrets.TRANSPORT_MODE_SELECTION }}
+          docker run --detach --name $env:GEO_CONT_NAME -e LICENSE_SERVER=$env:ANSRV_GEO_LICENSE_SERVER -p $env:PORT_MAPPING $env:ANSRV_GEO_IMAGE_WINDOWS_CORE_TAG $env:TRANSPORT_MODE_SELECTION
           python -c "from ansys.geometry.core.connection.validate import validate; validate()"
 
       - name: Run PyAnsys Geometry tests
@@ -151,9 +165,9 @@ jobs:
       - name: Stop the Geometry service
         if: always()
         run: |
-          docker stop ${{ env.GEO_CONT_NAME }}
-          docker logs ${{ env.GEO_CONT_NAME }}
-          docker rm ${{ env.GEO_CONT_NAME }}
+          docker stop $env:GEO_CONT_NAME
+          docker logs $env:GEO_CONT_NAME
+          docker rm $env:GEO_CONT_NAME
 
       - name: Stop any remaining containers
         if: always()
@@ -206,7 +220,9 @@ jobs:
     needs: manifests
     if: needs.manifests.outputs.skip_core_linux == 0
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
+      packages: read
     steps:
       - name: Login in Github Container registry
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -216,9 +232,11 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Pull and launch geometry service
+        env:
+          TRANSPORT_MODE_SELECTION: ${{ secrets.TRANSPORT_MODE_SELECTION }}
         run: |
           docker pull ${ANSRV_GEO_IMAGE_LINUX_CORE_TAG}
-          docker run --detach --name ${GEO_CONT_NAME} -e LICENSE_SERVER=${ANSRV_GEO_LICENSE_SERVER} -p ${ANSRV_GEO_PORT}:50051 ${ANSRV_GEO_IMAGE_LINUX_CORE_TAG} ${{ secrets.TRANSPORT_MODE_SELECTION }}
+          docker run --detach --name ${GEO_CONT_NAME} -e LICENSE_SERVER=${ANSRV_GEO_LICENSE_SERVER} -p ${ANSRV_GEO_PORT}:50051 ${ANSRV_GEO_IMAGE_LINUX_CORE_TAG} ${TRANSPORT_MODE_SELECTION}
 
       - name: Set up headless display
         uses: pyvista/setup-headless-display-action@7d84ae825e6d9297a8e99bdbbae20d1b919a0b19 # v4.2
@@ -273,6 +291,8 @@ jobs:
     env:
       WINDOWS_UNSTABLE: ghcr.io/ansys/geometry:core-windows-latest-unstable
       WINDOWS_STABLE_GHCR: ghcr.io/ansys/geometry:core-windows-latest
+    permissions:
+      packages: write
     steps:
       - name: Login in Github Container registry
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -298,6 +318,8 @@ jobs:
     env:
       LINUX_UNSTABLE: ghcr.io/ansys/geometry:core-linux-latest-unstable
       LINUX_STABLE_GHCR: ghcr.io/ansys/geometry:core-linux-latest
+    permissions:
+      packages: write
     steps:
       - name: Login in Github Container registry
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
