diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index c2b2c0ced8..2fee1e6002 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -19,17 +19,20 @@ env: MEILISEARCH_PUBLIC_API_KEY: ${{ secrets.MEILISEARCH_PUBLIC_API_KEY }} ON_CI: True - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: pr-title: if: github.event_name == 'pull_request' name: Check the title of the pull request runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Check the title of the pull request uses: ansys/actions/check-pr-title@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 @@ -40,6 +43,8 @@ jobs: vulnerabilities: name: Vulnerabilities runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: @@ -48,9 +53,23 @@ jobs: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} dev-mode: ${{ github.ref != 'refs/heads/main' }} + actions-security: + name: Check actions security + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 + with: + generate-summary: true + token: ${{ secrets.GITHUB_TOKEN }} + auditing-level: 'high' + doc-style: name: Documentation style check runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Check documentation style uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 @@ -76,8 +95,10 @@ jobs: - name: Import python package shell: bash + env: + ACTIVATE_VENV: ${{ steps.build-wheelhouse.outputs.activate-venv }} run: | - ${{ steps.build-wheelhouse.outputs.activate-venv }} + ${ACTIVATE_VENV} python -c "import pyedb; from pyedb import __version__" # ================================================================================================= 
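Review bot: The new top-level `permissions: {}` in the -19 hunk lands without the explanatory comment that the same line carries in label.yml, so a reader of this file alone cannot tell it is deliberate rather than a placeholder. Matching the sibling file with `permissions: {} # Disable default permissions; each job grants what it needs` keeps both workflows consistent. It is also worth saying in that comment that any job without its own `permissions:` block (the pyaedt jobs further down) now runs with a token that has no scopes.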
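Review bot: In the -76 hunk, moving the `activate-venv` output into `ACTIVATE_VENV` removes template expansion from the script, but the `${ACTIVATE_VENV}` line still executes that output as a shell command, so the step is only as trustworthy as the action that produced the output. That is acceptable because `build-wheelhouse` is pinned by SHA (the `steps.build-wheelhouse` step itself sits outside this hunk), and the intent deserves a comment: `# ACTIVATE_VENV is a command string emitted by the SHA-pinned build-wheelhouse step; it is executed, not echoed`. The expansion must stay unquoted so the command word-splits, so it should not be "fixed" by quoting later.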
@@ -87,15 +108,19 @@ jobs: system-tests-windows-dotnet: name: Test dotnet (windows) runs-on: [ Windows, self-hosted, pyedb ] + permissions: + contents: read env: USE_GRPC: '0' steps: - name: "Install Git and clone project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false # Revert to previous verison due too setup-python#819 - name: "Set up Python" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -115,7 +140,7 @@ jobs: python -m pip install .[tests] - name: "Executing system tests" - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 with: max_attempts: 3 retry_on: error @@ -132,14 +157,14 @@ jobs: - name: Upload Coverage Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: path: .cov\system-html name: html-system-coverage-${{ github.job }}-${{ github.run_attempt }} retention-days: 7 - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -152,15 +177,19 @@ jobs: system-tests-windows-grpc: name: Test grpc (windows) runs-on: [ Windows, self-hosted, pyedb ] + permissions: + contents: read env: USE_GRPC: '1' steps: - name: "Install Git and clone project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false # Revert to previous verison due too setup-python#819 - name: "Set up Python" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} 
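Review bot: The comment `# Revert to previous verison due too setup-python#819` now sits directly above a step pinned to `setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0`, so it no longer explains what the pin does and reads as stale (it also carries two typos). Either drop it or rewrite it to say what is intentionally avoided, e.g. `# Pinned to v6.0.0 on purpose; see setup-python#819 before bumping`. The same comment/pin pair recurs in the -152, -217 and -282 hunks.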
@@ -180,7 +209,7 @@ jobs: python -m pip install .[tests] - name: "Executing system tests" - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 with: max_attempts: 3 retry_on: error @@ -197,14 +226,14 @@ jobs: - name: Upload Coverage Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: path: .cov\system-html name: html-system-coverage-${{ github.job }}-${{ github.run_attempt }} retention-days: 7 - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -217,15 +246,19 @@ jobs: unit-tests-windows-dotnet: name: Unit test dotnet (windows) runs-on: [ Windows, self-hosted, pyedb ] + permissions: + contents: read env: USE_GRPC: '0' steps: - name: "Install Git and clone project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false # Revert to previous verison due too setup-python#819 - name: "Set up Python" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -245,7 +278,7 @@ jobs: python -m pip install .[tests] - name: "Executing system tests" - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 with: max_attempts: 3 retry_on: error 
@@ -262,14 +295,14 @@ jobs: - name: Upload Coverage Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: path: .cov\unit-html name: html-unit-coverage-${{ github.job }}-${{ github.run_attempt }} retention-days: 7 - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -282,15 +315,19 @@ jobs: unit-tests-windows-grpc: name: Unit test grpc (windows) runs-on: [ Windows, self-hosted, pyedb ] + permissions: + contents: read env: USE_GRPC: '1' steps: - name: "Install Git and clone project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false # Revert to previous verison due too setup-python#819 - name: "Set up Python" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -310,7 +347,7 @@ jobs: python -m pip install .[tests] - name: "Executing system tests" - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 with: max_attempts: 3 retry_on: error @@ -327,14 +364,14 @@ jobs: - name: Upload Coverage Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: path: .cov\unit-html name: html-unit-coverage-${{ github.job }}-${{ github.run_attempt }} retention-days: 7 - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: 
@@ -347,16 +384,20 @@ jobs: system-tests-linux-dotnet: name: Test dotnet (linux) runs-on: [ Linux, self-hosted, pyedb ] + permissions: + contents: read env: ANSYSEM_ROOT252: '/usr/ansys_inc/v252/AnsysEM' ANS_NODEPCHECK: '1' USE_GRPC: '0' steps: - name: "Install Git and clone project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: "Set up Python" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -380,7 +421,7 @@ jobs: python -m pip install .[tests] - name: "Executing system tests" - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 with: max_attempts: 3 retry_on: error @@ -398,14 +439,14 @@ jobs: - name: Upload Coverage Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: path: .cov\system-html name: html-system-linux-coverage-${{ github.job }}-${{ github.run_attempt }} retention-days: 7 - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -418,16 +459,20 @@ jobs: system-tests-linux-grpc: name: Test grpc (linux) runs-on: [ Linux, self-hosted, pyedb ] + permissions: + contents: read env: ANSYSEM_ROOT252: '/usr/ansys_inc/v252/AnsysEM' ANS_NODEPCHECK: '1' USE_GRPC: '1' steps: - name: "Install Git and clone project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: "Set up Python" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} 
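Review bot: In the -398 hunk the Linux job uploads `path: .cov\system-html`, the same backslash form the Windows jobs use; on a Linux runner `\` is not a path separator, so this pattern may not match the `.cov/system-html` directory the tests write and the artifact could be empty. Pinning `upload-artifact` is the right change here, but the Linux jobs should use `path: .cov/system-html` (the -469, -540 and -611 hunks have the same form with `unit-html`). Whether the current form silently uploads nothing depends on how the action's glob treats the backslash, so confirm against a recent run's artifact contents.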
@@ -451,7 +496,7 @@ jobs: python -m pip install .[tests] - name: "Executing system tests" - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 with: max_attempts: 3 retry_on: error @@ -469,14 +514,14 @@ jobs: - name: Upload Coverage Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: path: .cov\system-html name: html-system-linux-coverage-${{ github.job }}-${{ github.run_attempt }} retention-days: 7 - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -489,16 +534,20 @@ jobs: unit-tests-linux-dotnet: name: Unit test dotnet (linux) runs-on: [ Linux, self-hosted, pyedb ] + permissions: + contents: read env: ANSYSEM_ROOT252: '/usr/ansys_inc/v252/AnsysEM' ANS_NODEPCHECK: '1' USE_GRPC: '0' steps: - name: "Install Git and clone project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: "Set up Python" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -522,7 +571,7 @@ jobs: python -m pip install .[tests] - name: "Executing unit tests" - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 with: max_attempts: 3 retry_on: error 
@@ -540,14 +589,14 @@ jobs: - name: Upload Coverage Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: path: .cov\unit-html name: html-unit-linux-coverage-${{ github.job }}-${{ github.run_attempt }} retention-days: 7 - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: @@ -560,16 +609,20 @@ jobs: unit-tests-linux-grpc: name: Unit test grpc (linux) runs-on: [ Linux, self-hosted, pyedb ] + permissions: + contents: read env: ANSYSEM_ROOT252: '/usr/ansys_inc/v252/AnsysEM' ANS_NODEPCHECK: '1' USE_GRPC: '1' steps: - name: "Install Git and clone project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: "Set up Python" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -593,7 +646,7 @@ jobs: python -m pip install .[tests] - name: "Executing unit tests" - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 with: max_attempts: 3 retry_on: error @@ -611,14 +664,14 @@ jobs: - name: Upload Coverage Results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: path: .cov\unit-html name: html-unit-linux-coverage-${{ github.job }}-${{ github.run_attempt }} retention-days: 7 - name: Upload coverage to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: 
@@ -633,13 +686,15 @@ jobs: name: Testing PyAEDT main branch (Windows) if: github.event_name == 'push' && contains(github.ref, 'refs/tags') needs: [smoke-tests] - runs-on: [ self-hosted, Windows, pyedb ] + runs-on: [ Windows, self-hosted, pyedb ] steps: - name: Install Git and checkout project - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -654,11 +709,12 @@ jobs: python -m pip install -U pip - name: Clone PyAEDT on main branch - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: repository: ansys/pyaedt path: "external/pyaedt" ref: "main" + persist-credentials: false - name: Install PyAEDT main branch version with its test dependencies run: | @@ -678,7 +734,7 @@ jobs: pip install --index-url https://wheels.vtk.org vtk-osmesa==9.3.1 - name: Run PyAEDT tests - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: PYTHONMALLOC: malloc with: @@ -692,7 +748,7 @@ jobs: pytest -v external/pyaedt/tests/system/general/test_21_Circuit.py - name: Run PyAEDT solvers tests - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: PYTHONMALLOC: malloc with: @@ -705,7 +761,7 @@ jobs: pytest -v external/pyaedt/tests/system/solvers/test_00_analyze.py - name: Run PyAEDT extensions tests - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: PYTHONMALLOC: malloc with: 
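Review bot: The pyaedt-windows job (header at -633) gets checkout pins and `persist-credentials: false` but, unlike every other job touched in this commit, no job-level `permissions:` block, so under the new workflow-level `permissions: {}` its `GITHUB_TOKEN` carries no scopes at all. Both `actions/checkout` steps in this job (the second clones `ansys/pyaedt` at -654) use that token; for public repositories the clone may still succeed, but the job should declare its needs explicitly with `permissions:` / `contents: read` like its siblings. The pyaedt-linux job at -726 has the same gap.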
@@ -726,13 +782,15 @@ jobs: name: Testing PyAEDT main branch (Linux) if: github.event_name == 'push' && contains(github.ref, 'refs/tags') needs: [smoke-tests] - runs-on: [ self-hosted, Linux, pyedb ] + runs-on: [ Linux, self-hosted, pyedb ] env: ANSYSEM_ROOT252: '/usr/ansys_inc/v252/AnsysEM' ANS_NODEPCHECK: '1' steps: - name: Install Git and checkout project - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Install OS packages run: | @@ -740,7 +798,7 @@ jobs: sudo apt-get install tk -y - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} 
@@ -754,34 +812,41 @@ jobs: python -m pip install -U pip - name: Clone PyAEDT on main branch - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: repository: ansys/pyaedt path: "external/pyaedt" ref: "main" + persist-credentials: false - name: Install PyAEDT main branch version with its test dependencies + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH . .venv/bin/activate pip install --no-cache-dir external/pyaedt[tests] - name: Install PyEDB + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH . .venv/bin/activate python -m pip install . - name: Install CI dependencies (e.g. vtk-osmesa) + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH . .venv/bin/activate # Uninstall conflicting dependencies pip uninstall --yes vtk pip install --index-url https://wheels.vtk.org vtk-osmesa==9.3.1 - name: Run PyAEDT tests - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: PYTHONMALLOC: malloc with: @@ -796,7 +861,7 @@ jobs: pytest -v external/pyaedt/tests/system/general/test_21_Circuit.py - name: Run PyAEDT solvers tests - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: PYTHONMALLOC: malloc with: 
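Review bot: The three new `env: ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}` blocks are redundant: `ANSYSEM_ROOT252` is already a job-level `env` entry of this job (set in the -726 hunk), and job-level env is exported into every step's shell, so the scripts can read it directly. Replacing each export with `export LD_LIBRARY_PATH=${ANSYSEM_ROOT252}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH` and dropping the per-step `env:` blocks keeps the injection-safe shell-variable form with less duplication. The value is a fixed literal path, so there is no expression to isolate in the first place.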
@@ -810,7 +875,7 @@ jobs: pytest -v external/pyaedt/tests/system/solvers/test_00_analyze.py - name: Run PyAEDT extensions tests - uses: nick-fields/retry@v3 + uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 env: PYTHONMALLOC: malloc with: @@ -893,6 +958,8 @@ jobs: if: github.ref == 'refs/heads/main' runs-on: ubuntu-latest needs: [package] + permissions: + contents: write steps: - name: Deploy the latest documentation uses: ansys/actions/doc-deploy-dev@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 @@ -907,6 +974,8 @@ jobs: if: github.event_name == 'push' && contains(github.ref, 'refs/tags') runs-on: ubuntu-latest needs: [release] + permissions: + contents: write steps: - name: Deploy the stable documentation uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 43974d4f46..15afcbc16a 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -10,14 +10,18 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} # Disable default permissions + jobs: label-syncer: name: Syncer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: micnncim/action-label-syncer@v1 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -32,6 +36,6 @@ jobs: # Label based on modified files - name: Label based on changed files - uses: actions/labeler@v5 + uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}"
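Review bot: With `permissions: {} # Disable default permissions` added at the workflow level of label.yml, the `label-syncer` job in the -10 hunk keeps no `permissions:` block of its own, so the `GITHUB_TOKEN` it passes to `micnncim/action-label-syncer` has no scopes and creating or deleting labels (an issues-API write) will be rejected. Add `permissions:` / `issues: write` to that job. The `actions/labeler` step in the -32 hunk needs `contents: read` and `pull-requests: write` on its job; that job's header is outside the hunk, so confirm it was granted there.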