diff --git a/.ci/waiting_services.sh b/.ci/waiting_services.sh
index d10318685..ac9786c51 100755
--- a/.ci/waiting_services.sh
+++ b/.ci/waiting_services.sh
@@ -3,7 +3,7 @@
 echo "Waiting for the MAPDL service to be up..."
 nc -v -z localhost "$PYMAPDL_PORT"
 echo "::group:: ps aux Output" && ps aux && echo "::endgroup::"
-echo "Waiting for MAPDL port is open..."
+echo "Waiting for MAPDL port to be open..."
 echo "::group:: Waiting for the MAPDL port to be open..."
 while ! nc -z localhost "$PYMAPDL_PORT"; do
 sleep 0.1
diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml
index 8ab807bbb..276b1e5f3 100644
--- a/.github/workflows/ci_cd.yml
+++ b/.github/workflows/ci_cd.yml
@@ -10,6 +10,8 @@ on:
 branches:
 - main
+permissions: {}
 env:
 MAIN_PYTHON_VERSION: '3.10'
 PACKAGE_NAME: 'ansys-math-core'
@@ -21,11 +23,6 @@ env:
 PYANSYS_OFF_SCREEN: True
 PYMAPDL_PORT: 21000 # default won't work on GitHub runners
 PYMAPDL_DB_PORT: 21001 # default won't work on GitHub runners
- USE_CACHE: true
- RESET_PIP_CACHE: 0
- RESET_AUTOSUMMARY_CACHE: 0
- RESET_EXAMPLES_CACHE: 0
- RESET_DOC_BUILD_CACHE: 0
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -42,7 +39,7 @@ jobs:
 contents: write
 pull-requests: write
 steps:
- - uses: ansys/actions/doc-deploy-changelog@v10
+ - uses: ansys/actions/doc-deploy-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
 with:
 token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
 bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
@@ -53,7 +50,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: PyAnsys code style checks
- uses: ansys/actions/code-style@v10
+ uses: ansys/actions/code-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
 with:
 python-version: ${{ env.MAIN_PYTHON_VERSION }}
@@ -63,7 +60,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: "PyAnsys documentation style checks"
- uses: ansys/actions/doc-style@v10
+ uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
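Review bot: The new top-level `permissions: {}` in `@@ -10,6 +10,8 @@` strips every scope from `GITHUB_TOKEN` in any job that does not declare its own `permissions`, yet several jobs in this file hand `secrets.GITHUB_TOKEN` to a step with no job-level grant visible: doc-style in `@@ -63,7 +60,7 @@`, the new `actions-security` job in `@@ -87,38 +84,37 @@` (its whole definition is in the hunk and has none), and release-github in `@@ -458,7 +408,7 @@`. The `docker/login-action` steps in `@@ -140,10 +136,12 @@` and `@@ -278,10 +260,12 @@` are affected too if their `password` (outside the hunk) is the automatic token, since a ghcr.io pull then needs `packages: read`. The job headers for doc-style, release-github and the two container jobs start above their hunks, so a grant may already exist there; where it does not, each job should carry an explicit `permissions:` block with the minimal scopes its action documents, in the same shape this commit uses for label.yml (`permissions:` with `contents: read` and `pull-requests: write`). Otherwise the first API call from those steps is likely to fail with a permission error at run time, where the `permissions: {}` default is invisible.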
@@ -87,38 +84,37 @@ jobs:
 os: windows-latest
 steps:
 - name: "Build wheelhouse and perform smoke test"
- uses: ansys/actions/build-wheelhouse@v10
+ uses: ansys/actions/build-wheelhouse@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
 with:
 library-name: ${{ env.PACKAGE_NAME }}
 operating-system: ${{ matrix.os }}
 python-version: ${{ matrix.python-version }}
- check-vulnerabilities-dev:
- name: "Check library vulnerabilities (development mode)"
- if: github.ref != 'refs/heads/main'
+ vulnerabilities:
+ name: "Check library vulnerabilities"
 runs-on: ubuntu-latest
 steps:
 - name: "Check library vulnerabilities with development mode"
- uses: ansys/actions/check-vulnerabilities@v10
+ uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
 with:
 python-version: ${{ env.MAIN_PYTHON_VERSION }}
 token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
 python-package-name: ${{ env.PACKAGE_NAME }}
- dev-mode: true
+ dev-mode: ${{ github.ref != 'refs/heads/main' }}
- check-vulnerabilities-main:
- name: "Check library vulnerabilities (default mode - only on main)"
- if: github.ref == 'refs/heads/main'
+ actions-security:
+ name: "Check actions security"
 runs-on: ubuntu-latest
+ needs: [vulnerabilities]
 steps:
- - name: "Check library vulnerabilities with default mode"
- uses: ansys/actions/check-vulnerabilities@v10
+ - uses: ansys/actions/check-actions-security@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14
 with:
- python-version: ${{ env.MAIN_PYTHON_VERSION }}
- token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
- python-package-name: ${{ env.PACKAGE_NAME }}
+ generate-summary: true
+ token: ${{ secrets.GITHUB_TOKEN }}
+ auditing-level: 'high'
+ trust-ansys-actions: true
 build-test:
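Review bot: The step name `"Check library vulnerabilities with development mode"` in the renamed `vulnerabilities` job is now misleading on `main`, where the new `dev-mode: ${{ github.ref != 'refs/heads/main' }}` evaluates to false; `name: "Check library vulnerabilities"` matches the job name and both modes. `trust-ansys-actions: true` presumably exempts `ansys/actions` references from the audit, which is acceptable here because every such reference in this diff is pinned to a full commit SHA, but it is also the setting that would hide a drift back to a floating `@v10` tag, so a comment such as `# ansys/actions are SHA-pinned in this file; revisit if that changes` would document the trade-off. `needs: [vulnerabilities]` serialises the action audit behind the dependency scan although neither consumes the other's output; dropping it lets `package`, which transitively needs both, fail faster when either check fails.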
@@ -140,10 +136,12 @@ jobs:
 steps:
 - name: "Install Git and checkout project"
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 - name: "Login in Github Container registry"
- uses: docker/login-action@v3.6.0
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -173,7 +171,7 @@ jobs:
 echo "DOCKER_PID=$(echo $DOCKER_PID)" >> $GITHUB_OUTPUT
 - name: "Setup Python"
- uses: actions/setup-python@v6
+ uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 with:
 python-version: ${{ env.MAIN_PYTHON_VERSION }}
@@ -182,15 +180,6 @@ jobs:
 sudo apt-get update
 sudo apt-get install -y pandoc xvfb libgl1-mesa-glx
- - name: "Cache pip"
- if: env.USE_CACHE == true
- uses: actions/cache@v4
- with:
- path: ~/.cache/pip
- key: Python-v${{ env.RESET_PIP_CACHE }}-${{ runner.os }}-${{ matrix.mapdl-version }}-${{ hashFiles('pyproject.toml') }}
- restore-keys: |
- Python-v${{ env.RESET_PIP_CACHE }}-${{ runner.os }}-${{ matrix.mapdl-version }}
 - name: "Unit testing requirements installation"
 run: |
 python -m pip install .[tests]
@@ -218,14 +207,14 @@ jobs:
 --cov-report=html
 --cov-report term
 - name: "Upload coverage to Codecov"
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
 with:
 token: ${{ secrets.CODECOV_TOKEN }} # required
 name: ${{ matrix.mapdl-version }}-remote.xml
 flags: remote,${{ matrix.mapdl-version }}
 - name: "Upload coverage artifacts"
- uses: actions/upload-artifact@v5
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
 with:
 name: ${{ matrix.mapdl-version }}-remote.xml
 path: ./${{ matrix.mapdl-version }}-remote.xml
@@ -253,13 +242,6 @@ jobs:
 cp log.txt ./logs-build-tests-${{ matrix.mapdl-version }}/
 tar cvzf ./logs-build-tests-${{ matrix.mapdl-version }}.tgz ./logs-build-tests-${{ matrix.mapdl-version }}
- # - name: "Upload logs to GitHub"
- # if: always()
- # uses: actions/upload-artifact@v5
- # with:
- # name: logs-build-tests-${{ matrix.mapdl-version }}.tgz
- # path: ./logs-build-tests-${{ matrix.mapdl-version }}.tgz
 - name: "Display MAPDL Logs"
 if: always()
 run: cat log.txt
@@ -278,10 +260,12 @@ jobs:
 LIBGL_ALWAYS_SOFTWARE: 1
 steps:
 - name: "Install Git and checkout project"
- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
 - name: "Login in Github container registry"
- uses: docker/login-action@v3.6.0
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -300,19 +284,10 @@ jobs:
 echo "DOCKER_PID=$(echo $DOCKER_PID)" >> $GITHUB_OUTPUT
 - name: "Setup Python"
- uses: actions/setup-python@v6
+ uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 with:
 python-version: ${{ env.MAIN_PYTHON_VERSION }}
- - name: "Cache pip"
- if: env.USE_CACHE == true
- uses: actions/cache@v4
- with:
- path: ~/.cache/pip
- key: Python-v${{ env.RESET_PIP_CACHE }}-Linux-${{ env.MAIN_PYTHON_VERSION }}-${{ hashFiles('pyproject.toml') }}
- restore-keys: |
- Python-v${{ env.RESET_PIP_CACHE }}-Linux-${{ env.MAIN_PYTHON_VERSION }}
 - name: "Install ansys-math-core and documentation requirements"
 run: |
 pip install .[doc]
@@ -323,40 +298,13 @@ jobs:
 echo "ANSYSMATH_VERSION=$(python -c 'from ansys.math.core import __version__; print(__version__)')" >> $GITHUB_OUTPUT
 echo "AnsysMath version is: $(python -c "from ansys.math.core import __version__; print(__version__)")"
- - name: "Cache examples"
- if: env.USE_CACHE == true
- uses: actions/cache@v4
- with:
- path: doc/source/examples
- key: Examples-v${{ env.RESET_EXAMPLES_CACHE }}-${{ steps.version.outputs.ANSYSMATH_VERSION }}-${{ github.sha }}
- restore-keys: |
- Examples-v${{ env.RESET_EXAMPLES_CACHE }}-${{ steps.version.outputs.ANSYSMATH_VERSION }}
- - name: "Cache docs build directory"
- if: env.USE_CACHE == true
- uses: actions/cache@v4
- with:
- path: doc/_build
- key: doc-build-v${{ env.RESET_DOC_BUILD_CACHE }}-${{ steps.version.outputs.ANSYSMATH_VERSION }}-${{ github.sha }}
- restore-keys: |
- doc-build-v${{ env.RESET_DOC_BUILD_CACHE }}-${{ steps.version.outputs.ANSYSMATH_VERSION }}
- - name: "Cache autosummary"
- if: env.USE_CACHE == true
- uses: actions/cache@v4
- with:
- path: doc/source/**/_autosummary/*.rst
- key: autosummary-v${{ env.RESET_AUTOSUMMARY_CACHE }}-${{ steps.version.outputs.ANSYSMATH_VERSION }}-${{ github.sha }}
- restore-keys: |
- autosummary-v${{ env.RESET_AUTOSUMMARY_CACHE }}-${{ steps.version.outputs.ANSYSMATH_VERSION }}
 - name: "Waiting for the services to be up"
 timeout-minutes: 15
 run: |
 .ci/waiting_services.sh
 - name: "Run Ansys documentation building action"
- uses: ansys/actions/doc-build@v10
+ uses: ansys/actions/doc-build@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
 with:
 python-version: ${{ env.MAIN_PYTHON_VERSION }}
 skip-install: true
@@ -404,11 +352,11 @@ jobs:
 package:
 name: "Package library"
- needs: [doc-build, build-test]
+ needs: [doc-build, build-test, actions-security]
 runs-on: ubuntu-latest
 steps:
 - name: "Build library source and wheel artifacts"
- uses: ansys/actions/build-library@v10
+ uses: ansys/actions/build-library@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
 with:
 library-name: ${{ env.PACKAGE_NAME }}
 python-version: ${{ env.MAIN_PYTHON_VERSION }}
@@ -419,10 +367,12 @@ jobs:
 # Deploy development only when merging to main
 if: github.ref == 'refs/heads/main'
 runs-on: ubuntu-latest
- needs: [check-vulnerabilities-main, package]
+ needs: [package]
+ permissions:
+ contents: write
 steps:
 - name: "Deploy the latest documentation"
- uses: ansys/actions/doc-deploy-dev@v10
+ uses: ansys/actions/doc-deploy-dev@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
 with:
 cname: ${{ env.DOCUMENTATION_CNAME }}
 token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
@@ -458,7 +408,7 @@ jobs:
 skip-existing: false
 - name: "Release to GitHub"
- uses: ansys/actions/release-github@v10
+ uses: ansys/actions/release-github@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
 with:
 library-name: ${{ env.PACKAGE_NAME }}
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -472,9 +422,11 @@ jobs:
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
 runs-on: ubuntu-latest
 needs: [release]
+ permissions:
+ contents: write
 steps:
 - name: "Deploy the stable documentation"
- uses: ansys/actions/doc-deploy-stable@v10
+ uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
 with:
 cname: ${{ env.DOCUMENTATION_CNAME }}
 token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index 6f95f260b..87bfa7e4e 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -10,6 +10,8 @@ on:
 paths:
 - '../labels.yml'
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
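Review bot: The `permissions:` / `contents: write` added to the doc-deploy-dev job in `@@ -419,10 +367,12 @@` and the doc-deploy-stable job in `@@ -472,9 +422,11 @@` only scopes the automatic `GITHUB_TOKEN`, while the `token:` input visible on both steps is `secrets.PYANSYS_CI_BOT_TOKEN`. If the action performs its push with that secret, the automatic token needs at most `contents: read` for the checkout and the write grant is surplus; if it pushes with the automatic token instead, the PAT input is the redundant credential. Confirm which credential the action writes with, keep a single write path, and record the outcome on the block, e.g. `# contents: write — needed because doc-deploy-* pushes with GITHUB_TOKEN` (or drop to `read`). The job keys themselves sit above both hunks, so this reading rests on the `token:` inputs alone.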
@@ -19,9 +21,17 @@ jobs:
 label-syncer:
 name: "Syncer"
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
- - uses: actions/checkout@v5
- - uses: micnncim/action-label-syncer@v1
+ - name: "Checkout repository"
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: "Sync labels"
+ uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -35,14 +45,15 @@ jobs:
 steps:
 # Label based on modified files
- - name: Label based on changed files
- uses: actions/labeler@v6
+ - name: "Label based on changed files"
+ uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
 sync-labels: true
 # Label based on branch name
- - uses: actions-ecosystem/action-add-labels@v1
+ - name: "Label based on branch name - documentation"
+ uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
 if: |
 startsWith(github.event.pull_request.head.ref, 'doc') ||
 startsWith(github.event.pull_request.head.ref, 'docs')
@@ -50,7 +61,8 @@ jobs:
 github_token: ${{ secrets.GITHUB_TOKEN}}
 labels: documentation
- - uses: actions-ecosystem/action-add-labels@v1
+ - name: "Label based on branch name - ci/cd"
+ uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
 if: |
 startsWith(github.event.pull_request.head.ref, 'docker') ||
 startsWith(github.event.pull_request.head.ref, 'no-ci') ||
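Review bot: The `permissions` block added to `label-syncer` in `@@ -19,9 +21,17 @@` grants `pull-requests: write`, but creating, renaming and deleting repository labels goes through the labels endpoints of the REST API, which, as far as I know, are gated by the `issues` scope of `GITHUB_TOKEN` rather than `pull-requests`, so the job may fail on the first label it has to create. Confirm with a run and, if it does, change the grant to `issues: write`, keeping `contents: read` for the checkout. The labeler job in `@@ -35,14 +45,15 @@` and the add-labels steps in `@@ -50,7 +61,8 @@` have their job header above the hunks, so their own grant cannot be checked here.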
@@ -59,20 +71,23 @@ jobs:
 github_token: ${{ secrets.GITHUB_TOKEN}}
 labels: ci/cd
- - uses: actions-ecosystem/action-add-labels@v1
+ - name: "Label based on branch name - maintenance"
+ uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
 if: startsWith(github.event.pull_request.head.ref, 'maint')
 with:
 github_token: ${{ secrets.GITHUB_TOKEN}}
 labels: maintenance
- - uses: actions-ecosystem/action-add-labels@v1
+ - name: "Label based on branch name - enhancement"
+ uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
 if: startsWith(github.event.pull_request.head.ref, 'feat')
 with:
 github_token: ${{ secrets.GITHUB_TOKEN}}
 labels: |
 enhancement
- - uses: actions-ecosystem/action-add-labels@v1
+ - name: "Label based on branch name - bug"
+ uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
 if: |
 startsWith(github.event.pull_request.head.ref, 'fix') ||
 startsWith(github.event.pull_request.head.ref, 'patch')
@@ -83,9 +98,12 @@ jobs:
 commenter:
 runs-on: ubuntu-latest
 needs: labeler
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
- - name: Suggest to add labels
- uses: peter-evans/create-or-update-comment@v5
+ - name: "Suggest to add labels"
+ uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
 # Execute only when no labels have been applied to the pull request
 if: toJSON(github.event.pull_request.labels.*.name) == '{}'
 with:
@@ -108,7 +126,8 @@ jobs:
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
- - uses: ansys/actions/doc-changelog@v10
+ - name: "Changelog fragment"
+ uses: ansys/actions/doc-changelog@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
 with:
 token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
 bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
diff --git a/doc/changelog.d/571.miscellaneous.md b/doc/changelog.d/571.miscellaneous.md
new file mode 100644
index 000000000..d57b50bc2
--- /dev/null
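Review bot: The `commenter` job in `@@ -83,9 +98,12 @@` now declares `contents: read` and `pull-requests: write`, but its step is gated by the unchanged `if: toJSON(github.event.pull_request.labels.*.name) == '{}'`, and `labels.*.name` on an unlabelled pull request is an empty array that `toJSON` serialises as `[]`, not `{}`, so as far as I can tell the step never runs and the new grant is never exercised. If the intent is "no labels applied", `if: toJSON(github.event.pull_request.labels.*.name) == '[]'` expresses it. That condition is context rather than something this commit changed, but it decides whether the permissions being tightened here matter at all.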
+++ b/doc/changelog.d/571.miscellaneous.md
@@ -0,0 +1 @@
+Ci: enabling \`\`check-actions-security\`\`