From da80f13888d5f9c8a0a610c21fe45b98fcb42c9b Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Tue, 7 Oct 2025 12:24:50 +0200 Subject: [PATCH 1/8] ci: Use argument persist-credentials: false with actions/checkout --- .github/workflows/ci_cd.yml | 20 ++++++++++++++++++++ .github/workflows/label.yml | 2 ++ .github/workflows/manual_draft.yml | 8 ++++++++ 3 files changed, 30 insertions(+) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index d728237af18..091951c8347 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -228,6 +228,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 @@ -299,6 +301,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 @@ -359,6 +363,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 @@ -435,6 +441,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 @@ -510,6 +518,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 
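Review bot: With `persist-credentials: false` on the checkout step, any later step in the same job that runs git against the remote (fetch, push, tag) no longer finds the token in .git/config, and each of these hunks shows only the Setup Python step after the checkout, so the rest of every job is outside view; confirm that no job in ci_cd.yml, label.yml or manual_draft.yml relied on the persisted credentials, or pass an explicit token to the steps that do. This applies equally to the remaining checkout hunks of this patch in all three files. A short comment above the new block, e.g. `# keep GITHUB_TOKEN out of .git/config so later steps cannot reuse it`, would keep the intent visible when the next checkout site is added.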
@@ -587,6 +597,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 @@ -659,6 +671,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 @@ -735,6 +749,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 @@ -812,6 +828,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 @@ -885,6 +903,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 65ec46fe37f..6a92efb6204 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -22,6 +22,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/manual_draft.yml b/.github/workflows/manual_draft.yml index b4c747f79ab..0967b63d7aa 100644 --- a/.github/workflows/manual_draft.yml +++ b/.github/workflows/manual_draft.yml @@ -45,6 +45,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 @@ -112,6 +114,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 @@ -168,6 +172,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 @@ -240,6 +246,8 @@ jobs: steps: - name: Install Git and checkout project uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Python uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 From 10ea390d9ec58ed978a357fe7cffb6f3ba68c469 Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Tue, 7 Oct 2025 14:32:28 +0200 Subject: [PATCH 2/8] ci: Remove template expansions from inside job runs --- .github/workflows/ci_cd.yml | 46 ++++++++++++++++++++++-------- .github/workflows/manual_draft.yml | 26 ++++++++++++----- 2 files changed, 53 insertions(+), 19 deletions(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 091951c8347..1e59d71e2ba 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml 
@@ -157,8 +157,10 @@ jobs: use-python-cache: false - name: Import python package shell: bash + env: + ACTIVATE_VENV: ${{ steps.build-wheelhouse.outputs.activate-venv }} run: | - ${{ steps.build-wheelhouse.outputs.activate-venv }} + ${ACTIVATE_VENV} python -c "import ansys.aedt.core; from ansys.aedt.core import __version__" unit-tests: @@ -269,9 +271,10 @@ jobs: - name: Run tests marked with 'solvers' env: PYTHONMALLOC: malloc + PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }} run: | .venv\Scripts\Activate.ps1 - pytest ${{ env.PYTEST_ARGUMENTS }} --timeout=600 -m solvers + pytest ${PYTEST_ARGUMENTS} --timeout=600 -m solvers - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: @@ -310,8 +313,10 @@ jobs: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: Create virtual environment + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH python -m venv .venv source .venv/bin/activate python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U @@ -319,8 +324,10 @@ jobs: python -c "import sys; print(sys.executable)" - name: Install pyaedt and tests dependencies + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH source .venv/bin/activate pip install .[tests] 
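Review bot: `${ACTIVATE_VENV}` on the new run line is expanded by bash as data and word-split, not parsed as shell syntax, so this step only keeps working if the `activate-venv` output of the build-wheelhouse step is a plain command plus arguments (for example `source .venv/bin/activate`); a value containing quotes, operators or `&&` would now be passed as literal words. That output comes from a pinned action rather than from user input, so the previous inline expansion was not attacker-controlled, but the semantics did change. If the output is intended to be evaluated as shell code, `eval "${ACTIVATE_VENV}"` restores the old behaviour explicitly; otherwise a comment such as `# activate-venv is a single command line, expanded as words` documents the assumption.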
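Review bot: In the Windows 'solvers' step (hunk @@ -269), `pytest ${PYTEST_ARGUMENTS} --timeout=600 -m solvers` runs right after `.venv\Scripts\Activate.ps1` with no `shell:` key visible, so it is presumably executed by PowerShell, where `${PYTEST_ARGUMENTS}` is a PowerShell variable rather than the environment variable and expands to empty; pytest would then run without the options held in PYTEST_ARGUMENTS (in manual_draft.yml that includes the --cov and --junitxml flags). Environment variables are read as `$env:PYTEST_ARGUMENTS`, and because PowerShell hands a string to a native command as a single argument, the value has to be split: `pytest ($env:PYTEST_ARGUMENTS -split ' ') --timeout=600 -m solvers`. The same change is needed in the manual_draft.yml hunk @@ -87 of this patch (`pytest ${PYTEST_ARGUMENTS} -m solvers`). The Linux steps that use `source .venv/bin/activate` are fine, since bash expands `${PYTEST_ARGUMENTS}` as intended.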
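Review bot: The step-level `ANSYSEM: ${{ env.ANSYSEM_ROOT252 }}` (hunk @@ -310 and every other ANSYSEM hunk in ci_cd.yml and manual_draft.yml) copies a value that should already be in the shell: the `env` context only resolves workflow, job and step variables plus GITHUB_ENV additions, and all of those are exported as environment variables to `run` steps, so `export LD_LIBRARY_PATH=${ANSYSEM_ROOT252}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH` should work without the extra mapping. The same holds for `PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }}`, which manual_draft.yml defines in its top-level `env:` block. Keeping the indirection is harmless and still removes the inline `${{ }}` from the script, which is the goal of the patch, but a comment such as `# re-exported only so the script contains no inline expression expansion` would explain why it exists rather than leaving a reader to assume the variable is otherwise unreachable.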
@@ -333,10 +340,13 @@ jobs: done - name: Run tests marked with 'solvers' + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} + PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH source .venv/bin/activate - pytest ${{ env.PYTEST_ARGUMENTS }} --timeout=600 -m solvers + pytest ${PYTEST_ARGUMENTS} --timeout=600 -m solvers - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: @@ -450,8 +460,10 @@ jobs: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: Create virtual environment + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH python -m venv .venv source .venv/bin/activate python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U @@ -459,8 +471,10 @@ jobs: python -c "import sys; print(sys.executable)" - name: Install pyaedt and tests dependencies + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH source .venv/bin/activate pip install .[tests] @@ -606,8 +620,10 @@ jobs: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: Create virtual environment + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH python -m venv .venv source .venv/bin/activate python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U 
@@ -615,8 +631,10 @@ jobs: python -c "import sys; print(sys.executable)" - name: Install pyaedt and tests dependencies + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH source .venv/bin/activate pip install .[tests] @@ -758,8 +776,10 @@ jobs: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: Create virtual environment + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH python -m venv .venv source .venv/bin/activate python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U @@ -767,8 +787,10 @@ jobs: python -c "import sys; print(sys.executable)" - name: Install pyaedt and tests dependencies + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH source .venv/bin/activate pip install .[tests] diff --git a/.github/workflows/manual_draft.yml b/.github/workflows/manual_draft.yml index 0967b63d7aa..faffaf69090 100644 --- a/.github/workflows/manual_draft.yml +++ b/.github/workflows/manual_draft.yml @@ -87,9 +87,10 @@ jobs: - name: Run tests marked with 'solvers' env: PYTHONMALLOC: malloc + PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }} run: | .venv\Scripts\Activate.ps1 - pytest ${{ env.PYTEST_ARGUMENTS }} -m solvers + pytest ${PYTEST_ARGUMENTS} -m solvers - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: 
@@ -123,8 +124,10 @@ jobs: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: Create virtual environment + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH python -m venv .venv source .venv/bin/activate python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U @@ -132,8 +135,10 @@ jobs: python -c "import sys; print(sys.executable)" - name: Install pyaedt and tests dependencies + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH source .venv/bin/activate pip install .[tests] pip install pytest-azurepipelines @@ -147,10 +152,13 @@ jobs: done - name: Run tests marked with 'solvers' + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} + PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH source .venv/bin/activate - pytest ${{ env.PYTEST_ARGUMENTS }} -m solvers + pytest ${PYTEST_ARGUMENTS} -m solvers - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: @@ -255,8 +263,10 @@ jobs: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: Create virtual environment + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH python -m venv .venv source .venv/bin/activate python -m pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org pip -U 
@@ -264,8 +274,10 @@ jobs: python -c "import sys; print(sys.executable)" - name: Install pyaedt and tests dependencies + env: + ANSYSEM: ${{ env.ANSYSEM_ROOT252 }} run: | - export LD_LIBRARY_PATH=${{ env.ANSYSEM_ROOT252 }}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH + export LD_LIBRARY_PATH=${ANSYSEM}/common/mono/Linux64/lib64:$LD_LIBRARY_PATH source .venv/bin/activate pip install .[tests] pip install pytest-azurepipelines From d8a8a52af9388d9bf8c34780cdec3ad5ad062e64 Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Tue, 7 Oct 2025 17:35:03 +0200 Subject: [PATCH 3/8] ci: Avoid overly broad permissions for workflow jobs - Add specific ones for those using secrets --- .github/workflows/ci_cd.yml | 10 ++++++++++ .github/workflows/label.yml | 2 ++ .github/workflows/manual_draft.yml | 2 ++ .github/workflows/nightly-docs.yml | 4 ++++ 4 files changed, 18 insertions(+) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 1e59d71e2ba..7a0190d7979 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -23,6 +23,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} # Disable default permissions + jobs: update-changelog: @@ -43,6 +45,8 @@ jobs: vulnerabilities: name: "Vulnerabilities" runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: @@ -87,6 +91,8 @@ jobs: name: Check the title of the PR (if needed) runs-on: ubuntu-latest needs: [block-pyansys-ci-bot] + permissions: + contents: read steps: - name: Check the title of the pull request if: github.event_name == 'pull_request' @@ -103,6 +109,8 @@ jobs: name: Documentation style check runs-on: ubuntu-latest needs: [pr-title] + permissions: + contents: read steps: - name: Check documentation style uses: ansys/actions/doc-style@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 
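Review bot: With `permissions: {}` now at workflow level in ci_cd.yml (hunk @@ -23), every job without its own block runs with no token scopes; the hunk shows `update-changelog:` immediately below, but that job's body is outside the hunk and this patch adds no permissions to it, so if it commits the changelog fragment or comments on the PR with GITHUB_TOKEN it will now need job-level scopes such as `contents: write` or `pull-requests: write` (not needed if it uses a separate PAT or app token). The `doc-build` job in nightly-docs.yml is left in the same state by this patch and deserves the same check. The inline comment reads more precisely as `# No default token scopes; each job declares what it needs`.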
@@ -1053,6 +1061,8 @@ jobs: if: github.event_name == 'push' && contains(github.ref, 'refs/tags') runs-on: ubuntu-latest needs: [release] + permissions: + contents: write steps: - name: Deploy the stable documentation uses: ansys/actions/doc-deploy-stable@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 6a92efb6204..fd6d3b72a73 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -15,6 +15,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} # Disable default permissions + jobs: label-syncer: diff --git a/.github/workflows/manual_draft.yml b/.github/workflows/manual_draft.yml index faffaf69090..eaf09bf3d7c 100644 --- a/.github/workflows/manual_draft.yml +++ b/.github/workflows/manual_draft.yml @@ -36,6 +36,8 @@ env: MAIN_PYTHON_VERSION: '3.10' PYTEST_ARGUMENTS: '-vvv --color=yes -ra --durations=25 --maxfail=10 --cov=ansys.aedt.core --cov-report=html --cov-report=xml --junitxml=junit/test-results.xml' +permissions: {} # Disable default permissions + jobs: system-test-solvers-windows: diff --git a/.github/workflows/nightly-docs.yml b/.github/workflows/nightly-docs.yml index a628f4dcd71..789659f23d3 100644 --- a/.github/workflows/nightly-docs.yml +++ b/.github/workflows/nightly-docs.yml @@ -14,6 +14,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} # Disable default permissions + jobs: doc-build: @@ -40,6 +42,8 @@ jobs: name: Upload dev documentation runs-on: ubuntu-latest needs: doc-build + permissions: + contents: write steps: - name: Upload development documentation uses: ansys/actions/doc-deploy-dev@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 From 91ec1c446551c6c76a53f8eb4a719016470e6c0a Mon Sep 17 00:00:00 2001 
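Review bot: In label.yml, `permissions: {}` at workflow level leaves the `label-syncer` job, whose body starts past this hunk, with no scopes, yet patch 1 of this series shows that job running action-label-syncer with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`; creating and updating repository labels goes through the issues API, so the job presumably needs `permissions: issues: write` (confirm against the action's documentation). The `commenter` job is covered in patch 4, where it already carries `contents: read`, but nothing visible in the series grants label-syncer anything. The `contents: write` grants for doc-deploy-stable and doc-deploy-dev look right for pushing the built documentation.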
From: Edouard Coussoux Date: Wed, 8 Oct 2025 10:53:20 +0200 Subject: [PATCH 4/8] ci: Fix anonymous-definition of commenter job --- .github/workflows/label.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index fd6d3b72a73..87b98182b59 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -80,6 +80,7 @@ jobs: labels: testing commenter: + name: Suggest labels if none assigned runs-on: ubuntu-latest permissions: contents: read From 1431aecefa79d4dd2b3d1ebff9102201f0438cb8 Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Wed, 8 Oct 2025 11:03:35 +0200 Subject: [PATCH 5/8] ci: Fix spoofable bot condition in block-dependabot job --- .github/workflows/ci_cd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 7a0190d7979..b9c750c14f5 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -66,7 +66,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Exit if dependabot triggered the workflow - if: github.triggering_actor == 'dependabot[bot]' + if: github.event.pull_request.user.login == 'dependabot[bot]' run: | echo "::warning::Dependabot is not allowed to trigger this workflow. Please review carefully the changes before running the workflow manually." exit 1 From 9857bf5327fcdcacc87875ef0d1d192fe4b184fc Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Wed, 8 Oct 2025 11:21:31 +0200 Subject: [PATCH 6/8] ci: Add actions security check to workflow --- .github/workflows/ci_cd.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index b9c750c14f5..22f0b4ae5e8 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml 
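Review bot: `github.event.pull_request.user.login` is only populated for pull_request-family events, so on any other trigger the new condition is false and the guard step is skipped rather than blocking; the workflow's `on:` block is outside the hunk, and if it includes push or workflow_dispatch it is worth deciding whether an actor-based fallback is still wanted on those paths. The warning text on the next line still tells reviewers to run the workflow manually, but a manual re-run keeps the same PR author, so for a Dependabot pull request the job now fails on every run and the message should say so, e.g. `echo "::warning::Pull requests authored by Dependabot are blocked from this workflow; re-running it will not change that."`. The comparison itself is the right fix, since the PR author, unlike the triggering actor, cannot be changed by whoever re-runs the job.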
@@ -56,6 +56,18 @@ jobs: dev-mode: ${{ github.ref != 'refs/heads/main' }} extra-targets: 'all' + actions-security: + name: "Check actions security" + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 + with: + generate-summary: true + token: ${{ secrets.GITHUB_TOKEN }} + auditing-level: 'high' + # NOTE: We do not allow dependabot to trigger the CI/CD pipeline automatically. # This is to mitigate supply chain attacks, where a malicious dependency update # could execute arbitrary code in our build environment. From 9f5f81354472f52f8a01eff8a60cd4c76a231a69 Mon Sep 17 00:00:00 2001 From: pyansys-ci-bot <92810346+pyansys-ci-bot@users.noreply.github.com> Date: Wed, 8 Oct 2025 10:31:16 +0000 Subject: [PATCH 7/8] chore: adding changelog file 6743.maintenance.md [dependabot-skip] --- doc/changelog.d/6743.maintenance.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 doc/changelog.d/6743.maintenance.md diff --git a/doc/changelog.d/6743.maintenance.md b/doc/changelog.d/6743.maintenance.md new file mode 100644 index 00000000000..e925973f3be --- /dev/null +++ b/doc/changelog.d/6743.maintenance.md @@ -0,0 +1 @@ +Add \`\`ansys/actions/check-actions-security\`\` action and related fixes From af08ee39865799fb293e82bb5d2fa0a495ecda2e Mon Sep 17 00:00:00 2001 From: Edouard Coussoux Date: Fri, 10 Oct 2025 15:17:04 +0200 Subject: [PATCH 8/8] ci: Updating permissions for check-pr-title job --- .github/workflows/ci_cd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 22f0b4ae5e8..c2241f38484 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -104,7 +104,7 @@ jobs: runs-on: ubuntu-latest needs: [block-pyansys-ci-bot] permissions: - contents: read + pull-requests: read steps: - name: Check the title of the pull request if: github.event_name == 'pull_request'
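Review bot: The new `actions-security` job is not referenced by any `needs:` list visible in this series (pr-title needs block-pyansys-ci-bot, doc-style needs pr-title), so a finding at `auditing-level: 'high'` fails this job but does not stop the build, test or release jobs from proceeding; if the audit is meant to gate the pipeline, add `actions-security` to the `needs:` of the first gating job, otherwise document the choice with `# Advisory: failures are reported in the summary but do not block downstream jobs`. Passing `token: ${{ secrets.GITHUB_TOKEN }}` together with only `contents: read` is the right scope for a read-only audit, and `generate-summary: true` needs no further permission since the job summary is written by the runner.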