diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml
index d728237af18..c2241f38484 100644
--- a/.github/workflows/ci_cd.yml
+++ b/.github/workflows/ci_cd.yml
@@ -23,6 +23,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

+permissions: {} # Disable default permissions
+
jobs:

update-changelog:
@@ -43,6 +45,8 @@ jobs:
vulnerabilities:
name: "Vulnerabilities"
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
with:
@@ -52,6 +56,18 @@ jobs:
dev-mode: ${{ github.ref != 'refs/heads/main' }}
extra-targets: 'all'

+ actions-security:
+ name: "Check actions security"
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
+ with:
+ generate-summary: true
+ token: ${{ secrets.GITHUB_TOKEN }}
+ auditing-level: 'high'
+
# NOTE: We do not allow dependabot to trigger the CI/CD pipeline automatically.
# This is to mitigate supply chain attacks, where a malicious dependency update
# could execute arbitrary code in our build environment.
@@ -62,7 +78,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Exit if dependabot triggered the workflow
- if: github.triggering_actor == 'dependabot[bot]'
+ if: github.event.pull_request.user.login == 'dependabot[bot]'
run: |
echo "::warning::Dependabot is not allowed to trigger this workflow. Please review carefully the changes before running the workflow manually."
exit 1
@@ -87,6 +103,8 @@ jobs:
name: Check the title of the PR (if needed)
runs-on: ubuntu-latest
needs: [block-pyansys-ci-bot]
+ permissions:
+ pull-requests: read
steps:
- name: Check the title of the pull request
if: github.event_name == 'pull_request'
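Review bot: The new guard in the @@ -62 hunk keys on the pull-request author rather than on who triggered the run, so for a dependabot PR `github.event.pull_request.user.login` stays `dependabot[bot]` even when a maintainer re-runs the workflow, which means the step's own message ("before running the workflow manually") no longer describes a path that works; on `push` or `workflow_dispatch` runs the expression is empty and the guard is a no-op. If the intent is to block only automated runs, consider combining the two conditions, e.g. `if: github.event.pull_request.user.login == 'dependabot[bot]' && github.triggering_actor == 'dependabot[bot]'`, or reword the message to say how a maintainer is expected to get the tests to run. The header of the block-pyansys-ci-bot job is outside the hunk, so I cannot see which events reach it. With the workflow-level `permissions: {}` added in the first hunk, any job not shown here (update-changelog, release) that pushes, comments or publishes now needs its own `permissions:` block; presumably handled, but worth confirming.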
@@ -103,6 +121,8 @@ jobs:
name: Documentation style check
runs-on: ubuntu-latest
needs: [pr-title]
+ permissions:
+ contents: read
steps:
- name: Check documentation style
uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
@@ -157,8 +177,10 @@ jobs:
use-python-cache: false
- name: Import python package
shell: bash
+ env:
+ ACTIVATE_VENV: ${{ steps.build-wheelhouse.outputs.activate-venv }}
run: |
- ${{ steps.build-wheelhouse.outputs.activate-venv }}
+ ${ACTIVATE_VENV}
python -c "import ansys.aedt.core; from ansys.aedt.core import __version__"

unit-tests:
@@ -228,6 +250,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -267,9 +291,10 @@ jobs:
- name: Run tests marked with 'solvers'
env:
PYTHONMALLOC: malloc
+ PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }}
run: |
.venv\Scripts\Activate.ps1
- pytest ${{ env.PYTEST_ARGUMENTS }} --timeout=600 -m solvers
+ pytest ${PYTEST_ARGUMENTS} --timeout=600 -m solvers

- uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
with:
@@ -299,6 +324,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
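Review bot: In the @@ -267 hunk the step runs `.venv\Scripts\Activate.ps1`, which points to the default Windows shell (pwsh), and there `${PYTEST_ARGUMENTS}` is a PowerShell variable rather than the environment variable, so it expands to nothing and pytest runs with only `--timeout=600 -m solvers`; even `$env:PYTEST_ARGUMENTS` on its own would reach pytest as one quoted argument because PowerShell does not word-split. Something like `pytest ($env:PYTEST_ARGUMENTS -split ' ') --timeout=600 -m solvers` keeps the env-based indirection the commit introduces while handing pytest separate arguments. The same line appears in manual_draft.yml at @@ -85. If the job sets `shell: bash` above the hunk this does not apply, but nothing visible here shows that.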
@@ -306,8 +333,10 @@ jobs:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

- name: Create virtual environment
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
python -m venv .venv
source .venv/bin/activate
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
@@ -315,8 +344,10 @@ jobs:
python -c "import sys; print(sys.executable)"

- name: Install pyaedt and tests dependencies
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
pip install .[tests]

@@ -329,10 +360,13 @@ jobs:
done

- name: Run tests marked with 'solvers'
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
+ PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
- pytest ${{ env.PYTEST_ARGUMENTS }} --timeout=600 -m solvers
+ pytest ${PYTEST_ARGUMENTS} --timeout=600 -m solvers

- uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
with:
@@ -359,6 +393,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
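Review bot: The `ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}` alias added in each of these three hunks (and repeated in the later hunks of this file and in manual_draft.yml) is a point of style rather than a defect: as far as I know every value the `env` context holds is already exported into the step's shell, so `export LD_LIBRARY_PATH=${ANSYSEM_ROOT252}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH` reads it directly and the step-level `env:` block can go. The same applies to `PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }}` in the @@ -329 hunk; in manual_draft.yml that variable is visibly declared under the workflow-level `env:`, which is where bash already gets it from. The important part of the commit, dropping `${{ }}` interpolation from `run:` bodies, is preserved either way. Where ANSYSEM_ROOT252 is declared is outside the diff, so if it is provided some other way the alias is fine to keep.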
@@ -435,6 +471,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -442,8 +480,10 @@ jobs:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

- name: Create virtual environment
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
python -m venv .venv
source .venv/bin/activate
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
@@ -451,8 +491,10 @@ jobs:
python -c "import sys; print(sys.executable)"

- name: Install pyaedt and tests dependencies
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
pip install .[tests]

@@ -510,6 +552,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -587,6 +631,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -594,8 +640,10 @@ jobs:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

- name: Create virtual environment
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
python -m venv .venv
source .venv/bin/activate
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
@@ -603,8 +651,10 @@ jobs:
python -c "import sys; print(sys.executable)"

- name: Install pyaedt and tests dependencies
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
pip install .[tests]

@@ -659,6 +709,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -735,6 +787,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -742,8 +796,10 @@ jobs:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

- name: Create virtual environment
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
python -m venv .venv
source .venv/bin/activate
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
@@ -751,8 +807,10 @@ jobs:
python -c "import sys; print(sys.executable)"

- name: Install pyaedt and tests dependencies
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
pip install .[tests]

@@ -812,6 +870,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -885,6 +945,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -1011,6 +1073,8 @@ jobs:
if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
runs-on: ubuntu-latest
needs: [release]
+ permissions:
+ contents: write
steps:
- name: Deploy the stable documentation
uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index 5628d82a202..1f5fc9c5ab7 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -15,6 +15,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

+permissions: {} # Disable default permissions
+
jobs:

label-syncer:
@@ -22,6 +24,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
- uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
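Review bot: In label.yml, the @@ -22 hunk still hands `GITHUB_TOKEN` to action-label-syncer, but the workflow-level `permissions: {}` added two hunks earlier strips every scope from that token; unless the label-syncer job declares its own `permissions:` above this hunk (its header is outside the diff), creating or updating labels would be expected to fail with a permission error. If it does not, give the job `permissions:` with `issues: write` (label management goes through the issues API), the same job-level pattern the `commenter` job in the next hunk already uses with `contents: read`. The same check is worth running on `update-changelog` in ci_cd.yml and `doc-build` in nightly-docs.yml, whose bodies are not visible here.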
@@ -76,6 +80,7 @@ jobs:
labels: testing

commenter:
+ name: Suggest labels if none assigned
runs-on: ubuntu-latest
permissions:
contents: read
diff --git a/.github/workflows/manual_draft.yml b/.github/workflows/manual_draft.yml
index b4c747f79ab..eaf09bf3d7c 100644
--- a/.github/workflows/manual_draft.yml
+++ b/.github/workflows/manual_draft.yml
@@ -36,6 +36,8 @@ env:
MAIN_PYTHON_VERSION: '3.10'
PYTEST_ARGUMENTS: '-vvv --color=yes -ra --durations=25 --maxfail=10 --cov=ansys.aedt.core --cov-report=html --cov-report=xml --junitxml=junit/test-results.xml'

+permissions: {} # Disable default permissions
+
jobs:

system-test-solvers-windows:
@@ -45,6 +47,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -85,9 +89,10 @@ jobs:
- name: Run tests marked with 'solvers'
env:
PYTHONMALLOC: malloc
+ PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }}
run: |
.venv\Scripts\Activate.ps1
- pytest ${{ env.PYTEST_ARGUMENTS }} -m solvers
+ pytest ${PYTEST_ARGUMENTS} -m solvers

- uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
with:
@@ -112,6 +117,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -119,8 +126,10 @@ jobs:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

- name: Create virtual environment
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
python -m venv .venv
source .venv/bin/activate
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
@@ -128,8 +137,10 @@ jobs:
python -c "import sys; print(sys.executable)"

- name: Install pyaedt and tests dependencies
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
pip install .[tests]
pip install pytest-azurepipelines
@@ -143,10 +154,13 @@ jobs:
done

- name: Run tests marked with 'solvers'
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
+ PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
- pytest ${{ env.PYTEST_ARGUMENTS }} -m solvers
+ pytest ${PYTEST_ARGUMENTS} -m solvers

- uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
with:
@@ -168,6 +182,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -240,6 +256,8 @@ jobs:
steps:
- name: Install Git and checkout project
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false

- name: Setup Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
@@ -247,8 +265,10 @@ jobs:
python-version: ${{ env.MAIN_PYTHON_VERSION }}

- name: Create virtual environment
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
python -m venv .venv
source .venv/bin/activate
python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U
@@ -256,8 +276,10 @@ jobs:
python -c "import sys; print(sys.executable)"

- name: Install pyaedt and tests dependencies
+ env:
+ ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}
run: |
- export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
+ export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH
source .venv/bin/activate
pip install .[tests]
pip install pytest-azurepipelines
diff --git a/.github/workflows/nightly-docs.yml b/.github/workflows/nightly-docs.yml
index a628f4dcd71..789659f23d3 100644
--- a/.github/workflows/nightly-docs.yml
+++ b/.github/workflows/nightly-docs.yml
@@ -14,6 +14,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

+permissions: {} # Disable default permissions
+
jobs:

doc-build:
@@ -40,6 +42,8 @@ jobs:
name: Upload dev documentation
runs-on: ubuntu-latest
needs: doc-build
+ permissions:
+ contents: write
steps:
- name: Upload development documentation
uses: ansys/actions/doc-deploy-dev@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4
diff --git a/doc/changelog.d/6743.maintenance.md b/doc/changelog.d/6743.maintenance.md
new file mode 100644
index 00000000000..e925973f3be
--- /dev/null
+++ b/doc/changelog.d/6743.maintenance.md
@@ -0,0 +1 @@
+Add \`\`ansys/actions/check-actions-security\`\` action and related fixes