Conversation

ecoussoux-ansys
Contributor

This PR introduces the ansys/actions/check-actions-security action in the workflow file .github/workflows/ci_cd.yml and consequently in the CI of pyaedt as requested in #6713.

This action is using zizmor to perform an audit of the workflows defined in the .github/workflows folder.
More information on the approach for introducing the action is provided here, while instructions for fixing common workflow vulnerabilities and the rationale for addressing them are provided here.

The PR addresses the findings surfaced by the zizmor audit on the workflow files (performed locally), resulting in the following changes:

  • The argument persist-credentials: false is now systematically used with the action actions/checkout,
  • Template expansions (${{ ... }}) are removed from plain run steps inside jobs. Inputs and relevant context variables are expanded in the env block instead,
  • permissions are now defined on a job by job basis while none are granted at the workflow level. Jobs that do not use secrets are not granted any specific permission,
  • An anonymous definition for a job in the label.yml file is fixed,
  • A potentially spoofable bot condition in ci_cd.yml is fixed (more details on this fix here).

Note that zizmor findings of the type "note[self-hosted-runner]: runs on a self-hosted runner" (see related documentation here) are not addressed by the present changes.
These findings cannot actually be fixed (since self-hosted runners are required for pyaedt), but they can be silenced: based on the implementation of this particular check, it appears that not putting the self-hosted parameter of the job's runs-on argument first will result in zizmor not raising a finding. However, GitHub's documentation states that self-hosted must come first in the array provided for runs-on, hence the decision to not apply any change to get rid of the related findings.
A different approach was adopted in ansys/pyedb#1575 due to the presence - prior to that PR - of array declarations for runs-on with self-hosted not being declared as the first item (which does not seem to be causing issues in the workflow).

For further reference, here are a few PRs applying similar changes from other pyansys projects: ansys/pre-commit-hooks#352, ansys/ansys-tools-visualization-interface#366, ansys/pyansys-geometry#2277.
Lastly, the latest release v10.1.4 of ansys/actions is used here.

Closes #6713.
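As an added example (not code from the pyaedt PR or from the ansys/actions project), a minimal job in the shape the zizmor audit flags, followed by the hardened shape the list above describes; the workflow name, job name, input name and runner labels are assumptions.

```yaml
# BEFORE (assumed example): the three patterns the audit flags
name: build-before
on:
  workflow_dispatch:
    inputs:
      target:
        type: string
permissions:
  contents: write              # workflow-level grant, inherited by every job
jobs:
  build:
    runs-on: [self-hosted, Windows]
    steps:
      - uses: actions/checkout@v4
        # default persist-credentials: true keeps the token in .git/config
        # for every later step of this job
      - name: Build
        # the expression is substituted into the script text before the
        # shell parses it, so the input value becomes part of the command
        run: python build.py "${{ inputs.target }}"
---
# AFTER (assumed example): what the PR applies across .github/workflows
name: build-after
on:
  workflow_dispatch:
    inputs:
      target:
        type: string
permissions: {}                # nothing granted at the workflow level
jobs:
  build:
    runs-on: [self-hosted, Windows]   # self-hosted stays first, as GitHub's docs require
    permissions:
      contents: read           # only what this job needs; a job that uses no
                               # secrets gets no permissions block at all
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # no token left behind for later steps
      - name: Build
        env:
          TARGET: ${{ inputs.target }} # expanded into an env var, passed as data
        run: python build.py "$TARGET"  # the shell sees a quoted variable, not the value
```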

@ecoussoux-ansys ecoussoux-ansys self-assigned this Oct 8, 2025
@ecoussoux-ansys ecoussoux-ansys requested a review from a team as a code owner October 8, 2025 10:29
@ecoussoux-ansys ecoussoux-ansys added the maintenance Package and maintenance related label Oct 8, 2025

codecov bot commented Oct 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.16%. Comparing base (1c4d85f) to head (bcc3027).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6743      +/-   ##
==========================================
- Coverage   83.25%   83.16%   -0.10%     
==========================================
  Files         246      246              
  Lines       77491    77493       +2     
==========================================
- Hits        64519    64445      -74     
- Misses      12972    13048      +76     

Collaborator

@SMoraisAnsys SMoraisAnsys left a comment


Thanks for those changes @ecoussoux-ansys, I left a few change propositions.

@SMoraisAnsys SMoraisAnsys merged commit cfde896 into main Oct 13, 2025
39 checks passed
@SMoraisAnsys SMoraisAnsys deleted the ci/add-actions-security-check branch October 13, 2025 10:13
Successfully merging this pull request may close these issues.

[MAINTENANCE] Missing or outdated ansys/actions/check-actions-security action in ansys/pyaedt
