CI: Add ansys/actions/check-actions-security action and related fixes
#1575
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ecoussoux-ansys
changed the title
ansys/actions/check-actions-security action and related fixes
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1575 +/- ##
=======================================
Coverage 72.29% 72.29%
=======================================
Files 260 260
Lines 39345 39345
=======================================
Hits 28443 28443
Misses 10902 10902 🚀 New features to boost your workflow:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces the
ansys/actions/check-actions-securityaction in the workflow file.github/workflows/ci_cd.ymland consequently in the CI ofpyedbas requested in #1567.This action is using
zizmorto perform an audit of the workflows defined in.github/workflows/ci_cd.ymland.github/workflows/label.yml.The PR addresses the findings surfaced by the
zizmoraudit on the workflow files (performed locally), resulting in the following changes:ansys/actionsas well as external ones) used in workflow files are now pinned with a commit SHA,persist-credentials: falseis now systematically used with the actionactions/checkout,permissionsare now defined on a job by job basis and none are granted at the workflow level. Jobs that do not use secrets are not granted any specificpermissions,${{ ... }}) are removed from plainrunsteps inside jobs. Inputs and relevant context variables are expanded in theenvblock instead.The approach for introducing the
ansys/actions/check-actions-securityaction is explained in details here and instructions for fixing common workflow vulnerabilities are provided here.For further reference, such changes have been conducted in a few other pyansys projects already: ansys/pre-commit-hooks#352, ansys/ansys-tools-visualization-interface#366, ansys/pyansys-geometry#2277. The parameters used for the action and its position within the workflow have been defined based on these implementations.
The latest release v10.1.4 of
ansys/actionsis used.Close #1567.