From fc8f94b05075adeadd3191838c49053e6e3a74b8 Mon Sep 17 00:00:00 2001 From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 11 Aug 2025 15:50:38 +0200 Subject: [PATCH 01/13] fix: ``AUTHORS`` file --- AUTHORS.md => AUTHORS | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename AUTHORS.md => AUTHORS (100%) diff --git a/AUTHORS.md b/AUTHORS similarity index 100% rename from AUTHORS.md rename to AUTHORS From 209144d36683bd74c7430d5750ba5bfbb4983a80 Mon Sep 17 00:00:00 2001 From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 11 Aug 2025 16:03:51 +0200 Subject: [PATCH 02/13] feat: add ``check-vulnerabilities`` action --- .github/workflows/ci_cd.yml | 33 ++++++++++++++++++++--------- src/pyconverter/xml2py/formatter.py | 7 ++++-- 2 files changed, 28 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index c48c1d43c..3d2a71be0 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest steps: - name: PyAnsys code style checks - uses: ansys/actions/code-style@v10 + uses: ansys/actions/code-style@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} 
@@ -44,11 +44,24 @@ jobs: runs-on: ubuntu-latest steps: - name: PyAnsys documentation style checks - uses: ansys/actions/doc-style@v10 + uses: ansys/actions/doc-style@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: token: ${{ secrets.GITHUB_TOKEN }} + vulnerabilities: + name: "Check library vulnerabilities" + runs-on: ubuntu-latest + steps: + - name: "Check library vulnerabilities with default mode" + uses: ansys/actions/check-vulnerabilities@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 + with: + python-version: ${{ env.MAIN_PYTHON_VERSION }} + token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} + python-package-name: ${{ env.PACKAGE_NAME }} + dev-mode: ${{ github.ref != 'refs/heads/main' }} + + smoke-tests: # Needs to be re-enabled prior to release name: Build and Smoke tests (Linux) runs-on: ubuntu-latest @@ -60,7 +73,7 @@ jobs: steps: - name: Build wheelhouse and perform smoke test - uses: ansys/actions/build-wheelhouse@v10 + uses: ansys/actions/build-wheelhouse@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: library-name: ${{ env.PACKAGE_NAME }} operating-system: ${{ runner.os }} @@ -80,7 +93,7 @@ jobs: steps: - name: Build wheelhouse and perform smoke test - uses: ansys/actions/build-wheelhouse@v10 + uses: ansys/actions/build-wheelhouse@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: library-name: ${{ env.PACKAGE_NAME }} operating-system: ${{ matrix.os }} @@ -195,7 +208,7 @@ jobs: autosummary-pyconverter-xml2py-v${{ env.RESET_AUTOSUMMARY_CACHE }}-${{ env.PYCONVERTER_VERSION }} - name: "Run Ansys documentation building action" - uses: ansys/actions/doc-build@v10 + uses: ansys/actions/doc-build@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} checkout: false 
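Review bot: The new `vulnerabilities` job hands a long-lived bot PAT (`PYANSYS_CI_BOT_TOKEN`) to a job that runs on every ref, and nothing in the job records why `GITHUB_TOKEN` is insufficient or what `dev-mode` changes when the ref is not `main`. A comment above the step, e.g. `# PYANSYS_CI_BOT_TOKEN: <why a PAT is required here>; dev-mode: <what it changes off main>`, would let a reviewer check that the token scope is the minimum needed. The job also declares no job-level `permissions:` block, so it inherits whatever the workflow default is; stating its own needs here keeps the intent visible even after the workflow-level block added later in this series.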
@@ -209,7 +222,7 @@ jobs: needs: [doc-build, build-test] steps: - name: Build library source and wheel artifacts - uses: ansys/actions/build-library@v10 + uses: ansys/actions/build-library@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: library-name: ${{ env.PACKAGE_NAME }} python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -223,7 +236,7 @@ jobs: needs: [package] steps: - name: "Deploy the latest documentation" - uses: ansys/actions/doc-deploy-dev@v10 + uses: ansys/actions/doc-deploy-dev@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: cname: ${{ env.DOCUMENTATION_CNAME }} token: ${{ secrets.GITHUB_TOKEN }} @@ -238,14 +251,14 @@ jobs: runs-on: ubuntu-latest steps: - name: "Release to the public PyPI repository" - uses: ansys/actions/release-pypi-public@v10 + uses: ansys/actions/release-pypi-public@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: library-name: ${{ env.PACKAGE_NAME }} twine-username: "__token__" twine-token: ${{ secrets.PYPI_TOKEN }} - name: "Release to GitHub" - uses: ansys/actions/release-github@v10 + uses: ansys/actions/release-github@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: library-name: ${{ env.PACKAGE_NAME }} @@ -258,7 +271,7 @@ jobs: needs: [release] steps: - name: "Deploy the stable documentation" - uses: ansys/actions/doc-deploy-stable@v10 + uses: ansys/actions/doc-deploy-stable@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: cname: ${{ env.DOCUMENTATION_CNAME }} token: ${{ secrets.GITHUB_TOKEN }} diff --git a/src/pyconverter/xml2py/formatter.py b/src/pyconverter/xml2py/formatter.py index 1f055450c..651205a70 100644 --- a/src/pyconverter/xml2py/formatter.py +++ b/src/pyconverter/xml2py/formatter.py @@ -26,7 +26,8 @@ from pathlib import Path # Subprocess is needed to run pre-commit hooks. -import subprocess +# Excluding bandit check. +import subprocess # nosec B404 def run_pre_commit(package_path) -> None: 
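Review bot: The added comment `# Excluding bandit check.` above `import subprocess` describes what the `# nosec B404` marker does rather than why the finding is accepted, which is the part a future reader needs. Suggest `# nosec B404: subprocess is only used in run_pre_commit with a fixed argv list and no shell.`, which matches the visible call (argv list, `capture_output=True`, no `shell=`). The two-line comment added in the next hunk of this file has the same wording issue.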
@@ -39,6 +40,8 @@ def run_pre_commit(package_path) -> None: raise FileNotFoundError(f"Pre-commit configuration file not found at {pre_commit_file}.") while cur_run < max_run and output != 0: cur_run += 1 + # pre_commit_file is controlled by the library. + # Excluding bandit check. output = subprocess.run( [ "pre-commit", @@ -48,7 +51,7 @@ def run_pre_commit(package_path) -> None: str(pre_commit_file), ], capture_output=True, - ).returncode + ).returncode # nosec B603 B607 if output != 0: raise RuntimeError("Pre-commit failed.") else: From cff407734af08427785e96c18679de678eac65e9 Mon Sep 17 00:00:00 2001 From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 11 Aug 2025 16:07:23 +0200 Subject: [PATCH 03/13] feat: add ``SECURITY.md`` file --- SECURITY.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..5a88c0149 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,16 @@ +# Security Policy + +## Reporting a vulnerability + +> [!CAUTION] +> Do not use GitHub issues to report any security vulnerabilities. + +If you detect a vulnerability, contact the [PyAnsys Core team](mailto:pyansys.core@ansys.com), +mentioning the repository and the details of your finding. The team will address it as soon as possible. + +Provide the PyAnsys Core team with this information: + +- Any specific configuration settings needed to reproduce the problem +- Step-by-step guidance to reproduce the problem +- The exact location of the problematic source code, including tag, branch, commit, or a direct URL +- The potential consequences of the vulnerability, along with a description of how an attacker could take advantage of the issue From f367f28875eecdfc860ba13719e72c7f93cad723 Mon Sep 17 00:00:00 2001 
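Review bot: The `# nosec B603 B607` suppression on `).returncode` is justified by the preceding comment only for the config path (B603), but B607 is about `"pre-commit"` being resolved through `PATH` rather than given as an absolute path, which the comment does not address. Running the hook through the current interpreter removes the `PATH` lookup and the need for the B607 waiver: `[sys.executable, "-m", "pre_commit", ...]` (needs `import sys`). If relying on `PATH` is deliberate, say so in the comment instead of only naming the rule. `run_pre_commit` starts before and continues past both hunks.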
From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 11 Aug 2025 16:28:08 +0200 Subject: [PATCH 04/13] fix: updating workflow to ``pypa/gh-action-pypi-publish`` --- .github/workflows/ci_cd.yml | 35 +++++++++++++++++------------ src/pyconverter/xml2py/formatter.py | 2 +- 2 files changed, 22 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 3d2a71be0..fb1650f93 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -245,22 +245,29 @@ jobs: release: - name: "Release project to public PyPI and GitHub" - if: github.event_name == 'push' && contains(github.ref, 'refs/tags') - needs: [package, smoke-tests-macos-windows] + name: Release project + if: ${{ github.event_name == 'push' && contains(github.ref, 'refs/tags') }} + needs: package runs-on: ubuntu-latest + environment: release + permissions: + id-token: write + contents: write steps: - - name: "Release to the public PyPI repository" - uses: ansys/actions/release-pypi-public@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 - with: - library-name: ${{ env.PACKAGE_NAME }} - twine-username: "__token__" - twine-token: ${{ secrets.PYPI_TOKEN }} - - - name: "Release to GitHub" - uses: ansys/actions/release-github@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 - with: - library-name: ${{ env.PACKAGE_NAME }} + + - name: "Download the library artifacts from build-library step" + uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9 + with: + name: ${{ env.PACKAGE_NAME }}-artifacts + path: ${{ env.PACKAGE_NAME }}-artifacts + + - name: "Upload artifacts to PyPI using trusted publisher" + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4 + with: + repository-url: "https://upload.pypi.org/legacy/" + print-hash: true + packages-dir: ${{ env.PACKAGE_NAME }}-artifacts + skip-existing: false doc-deploy-stable: 
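Review bot: The rewritten `release` job keeps `contents: write` although its remaining steps (`download-artifact` and `pypa/gh-action-pypi-publish`) need only `id-token: write` for trusted publishing; the GitHub release step that used the contents scope is removed in this same hunk. Drop `contents: write` here, or keep a comment naming what still needs it. Separately, `needs: package` replaces `needs: [package, smoke-tests-macos-windows]`, so a tag push can now publish to PyPI without the macOS/Windows smoke tests having passed; if that is intentional it deserves a comment, otherwise restore the dependency. `startsWith(github.ref, 'refs/tags/')` is also a tighter guard than `contains(github.ref, 'refs/tags')`.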
diff --git a/src/pyconverter/xml2py/formatter.py b/src/pyconverter/xml2py/formatter.py index 651205a70..23df89cd3 100644 --- a/src/pyconverter/xml2py/formatter.py +++ b/src/pyconverter/xml2py/formatter.py @@ -51,7 +51,7 @@ def run_pre_commit(package_path) -> None: str(pre_commit_file), ], capture_output=True, - ).returncode # nosec B603 B607 + ).returncode # nosec B603 B607 if output != 0: raise RuntimeError("Pre-commit failed.") else: From 2e80b2711c46272e142d5f866440e79c00f7683d Mon Sep 17 00:00:00 2001 From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 11 Aug 2025 16:28:54 +0200 Subject: [PATCH 05/13] feat: adding ``ansys/actions/check-actions-security`` --- .github/workflows/ci_cd.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index fb1650f93..f3fc1094d 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -62,6 +62,19 @@ jobs: dev-mode: ${{ github.ref != 'refs/heads/main' }} + actions-security: + name: "Check actions security" + runs-on: ubuntu-latest + needs: [vulnerabilities] + steps: + - uses: ansys/actions/check-actions-security@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 + with: + generate-summary: true + token: ${{ secrets.GITHUB_TOKEN }} + auditing-level: 'high' + trust-ansys-actions: true + + smoke-tests: # Needs to be re-enabled prior to release name: Build and Smoke tests (Linux) runs-on: ubuntu-latest @@ -219,7 +232,7 @@ jobs: package: name: Package library runs-on: ubuntu-latest - needs: [doc-build, build-test] + needs: [doc-build, build-test, actions-security] steps: - name: Build library source and wheel artifacts uses: ansys/actions/build-library@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 From 9755e3c2e9e6775e19f66f31bf984ecd1067bdfe Mon Sep 17 00:00:00 2001 
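Review bot: `needs: [vulnerabilities]` on the new `actions-security` job couples the workflow audit to the dependency scan although neither consumes the other's output, and `package` is then chained behind both, so a transient failure in the vulnerability scan blocks packaging. Dropping the `needs` line lets both checks run in parallel and report independently; `package` can list both in its own `needs` if gating is wanted. `trust-ansys-actions: true` also deserves a one-line comment stating what it excludes from the audit (presumably the pinned `ansys/actions` steps; confirm against the action's docs). The identical job is removed again in patch 08 and re-added verbatim in patch 13 at the end of this series, where the same points apply.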
From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 11 Aug 2025 17:04:25 +0200 Subject: [PATCH 06/13] fix: using sha version instead of number version --- .github/workflows/ci_cd.yml | 24 ++++++++++++------------ .github/workflows/label.yml | 16 ++++++++-------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index f3fc1094d..ee158ae8c 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -120,10 +120,10 @@ jobs: steps: - name: "Install Git and checkout project" - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: "Setup Python" - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -133,16 +133,16 @@ jobs: sudo apt-get install pandoc - name: "Cache pip" - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 with: path: ~/.cache/pip key: Python-v${{ env.RESET_PIP_CACHE }}-${{ runner.os }}-${{ hashFiles('pyproject.toml') }} restore-keys: | Python-v${{ env.RESET_PIP_CACHE }}-${{ runner.os }} - # The token will expire in 2024. + # The token will expire in 2025. - name: "Checkout mapdl-cmd-doc repository" - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: ansys-internal/mapdl-cmd-doc ref: feat/pyconverter-xml2py-predifined-format @@ -161,13 +161,13 @@ jobs: --cov-report term - name: "Upload coverage to Codecov" - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: name: coverage.xml flags: coverage - name: Upload coverage artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: coverage.xml path: ./coverage.xml 
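Review bot: The comment change `# The token will expire in 2024.` to `# The token will expire in 2025.` in the unit-test job leaves a bare year as the only record of the `MAPDL_CMD_DOC_TOKEN` rotation, and the same comment in `autodoc_cicd.yml` (patch 07, hunk `@@ -42,7 +42,7 @@`) still says 2024. Name the secret and the action so the reminder is actionable: `# MAPDL_CMD_DOC_TOKEN (PAT for ansys-internal/mapdl-cmd-doc) expires in 2025; rotate before then.`, and use the same text in both workflows. The job header is outside this hunk.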
@@ -179,15 +179,15 @@ jobs: needs: [doc-style] steps: - name: "Install Git and checkout project" - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: "Setup Python" - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: "Cache pip" - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 with: path: ~/.cache/pip key: Python-pyconverter.xml2py-v${{ env.RESET_PIP_CACHE }}-${{ env.MAIN_PYTHON_VERSION }}-${{ hashFiles('pyproject.toml') }} @@ -205,7 +205,7 @@ jobs: echo "pyconverter.xml2py version is: $(python -c 'from pyconverter.xml2py import __version__; print(__version__)')" - name: "Cache docs build directory" - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 with: path: doc/_build key: doc-build-pyconverter-xml2py-v${{ env.RESET_DOC_BUILD_CACHE }}-${{ env.PYCONVERTER_VERSION }}-${{ github.sha }} @@ -213,7 +213,7 @@ jobs: doc-build-pyconverter-xml2py-v${{ env.RESET_DOC_BUILD_CACHE }}-${{ env.PYCONVERTER_VERSION }} - name: "Cache autosummary" - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 with: path: doc/source/**/_autosummary/**/*.rst key: autosummary-pyconverter-xml2py-v${{ env.RESET_AUTOSUMMARY_CACHE }}-${{ env.PYCONVERTER_VERSION }}-${{ github.sha }} diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 8f9e75b46..442923759 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml 
@@ -17,8 +17,8 @@ jobs: name: Syncer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: micnncim/action-label-syncer@v1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -33,20 +33,20 @@ jobs: # Label based on modified files - name: Label based on changed files - uses: actions/labeler@v5 + uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} sync-labels: true # Label based on branch name - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 if: | startsWith(github.event.pull_request.head.ref, 'doc') || startsWith(github.event.pull_request.head.ref, 'docs') with: labels: documentation - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 if: | startsWith(github.event.pull_request.head.ref, 'maint') || startsWith(github.event.pull_request.head.ref, 'no-ci') || @@ -54,13 +54,13 @@ jobs: with: labels: maintenance - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 if: startsWith(github.event.pull_request.head.ref, 'feat') with: labels: | enhancement - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3 if: | startsWith(github.event.pull_request.head.ref, 'fix') || startsWith(github.event.pull_request.head.ref, 'patch') 
@@ -72,7 +72,7 @@ jobs: needs: labeler steps: - name: Suggest to add labels - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 # Execute only when no labels have been applied to the pull request if: toJSON(github.event.pull_request.labels.*.name) == '{}' with: From e144a04371a1217289ea150e33f383b0af996875 Mon Sep 17 00:00:00 2001 From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 11 Aug 2025 17:10:20 +0200 Subject: [PATCH 07/13] fix: using sha version instead of number version - 2 --- .github/workflows/autodoc_cicd.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/autodoc_cicd.yml b/.github/workflows/autodoc_cicd.yml index a70a044f5..c763c1297 100644 --- a/.github/workflows/autodoc_cicd.yml +++ b/.github/workflows/autodoc_cicd.yml @@ -25,15 +25,15 @@ jobs: runs-on: ubuntu-latest steps: - name: "Install Git and checkout project" - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: "Setup Python" - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: "Cache pip" - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 with: path: ~/.cache/pip key: Python-pyconverter-generatedcommands-v${{ env.RESET_PIP_CACHE_2 }}-${{ hashFiles('pyproject.toml') }} @@ -42,7 +42,7 @@ jobs: # The token will expire in 2024. - name: "Checkout mapdl-cmd-doc repository" - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: ansys-internal/mapdl-cmd-doc ref: feat/pyconverter-xml2py-predifined-format 
@@ -59,7 +59,7 @@ jobs: pyconverter-xml2py package -x ${{ github.workspace }}/mapdl-cmd-doc -f ${{ github.workspace }}/tests/customized_functions -l 100 - name: Upload autogenerated doc artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: package path: ./package @@ -71,7 +71,7 @@ jobs: needs: [generate-code] steps: - name: Download autogenerated documentation - uses: actions/download-artifact@v4 + uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9 with: name: package @@ -79,7 +79,7 @@ jobs: run: ls -R -a - name: PyAnsys code style checks - uses: ansys/actions/code-style@v10 + uses: ansys/actions/code-style@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} use-python-cache: false @@ -91,12 +91,12 @@ jobs: needs: [auto-doc-code-style] steps: - name: Download autogenerated documentation - uses: actions/download-artifact@v4 + uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9 with: name: package - name: "Cache pip" - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 with: path: ~/.cache/pip key: Python-pyconverter-generatedcommands-v${{ env.RESET_PIP_CACHE_2 }}-${{ env.MAIN_PYTHON_VERSION }}-${{ hashFiles('pyproject.toml') }} @@ -113,7 +113,7 @@ jobs: echo "PyConverter-GeneratedCommands version is: $(python -c 'from pyconverter.generatedcommands import __version__; print(__version__)')" - name: "Cache docs build directory" - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 with: path: doc/_build key: doc-build-pyconverter-generatedcommands-v${{ env.RESET_DOC_BUILD_CACHE_2 }}-${{ inputs.PYCONVERTER_GENERATED_VERSION }}-${{ github.sha }} 
@@ -121,7 +121,7 @@ jobs: doc-build-pyconverter-generatedcommands-v${{ env.RESET_DOC_BUILD_CACHE_2 }}-${{ inputs.PYCONVERTER_GENERATED_VERSION }} - name: "Cache autosummary" - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 with: path: doc/source/_autosummary/*.rst key: autosummary-pyconverter-generatedcommands-v${{ env.RESET_AUTOSUMMARY_CACHE_2 }}-${{ inputs.PYCONVERTER_GENERATED_VERSION }}-${{ github.sha }} @@ -129,7 +129,7 @@ jobs: autosummary-pyconverter-generatedcommands-v${{ env.RESET_AUTOSUMMARY_CACHE_2 }}-${{ inputs.PYCONVERTER_GENERATED_VERSION }} - name: "Run Ansys documentation building action" - uses: ansys/actions/doc-build@v10 + uses: ansys/actions/doc-build@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} checkout: false From 2147c113810d6b22436ba041cefd7162171a5e5d Mon Sep 17 00:00:00 2001 From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 11 Aug 2025 17:13:40 +0200 Subject: [PATCH 08/13] revert: disabling ``check-actions-security`` for the moment --- .github/workflows/ci_cd.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index ee158ae8c..5d2ae64e1 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -62,19 +62,6 @@ jobs: dev-mode: ${{ github.ref != 'refs/heads/main' }} - actions-security: - name: "Check actions security" - runs-on: ubuntu-latest - needs: [vulnerabilities] - steps: - - uses: ansys/actions/check-actions-security@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 - with: - generate-summary: true - token: ${{ secrets.GITHUB_TOKEN }} - auditing-level: 'high' - trust-ansys-actions: true - - smoke-tests: # Needs to be re-enabled prior to release name: Build and Smoke tests (Linux) runs-on: ubuntu-latest From 05f4e17ae8c1057c20a440b81825569120732148 Mon Sep 17 00:00:00 2001 
From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 11 Aug 2025 18:12:06 +0200 Subject: [PATCH 09/13] fix: workflow --- .github/workflows/ci_cd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 5d2ae64e1..74da5e396 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -219,7 +219,7 @@ jobs: package: name: Package library runs-on: ubuntu-latest - needs: [doc-build, build-test, actions-security] + needs: [doc-build, build-test] steps: - name: Build library source and wheel artifacts uses: ansys/actions/build-library@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 From ae626207cfe23d9478cbaa0af17fd59e2e397961 Mon Sep 17 00:00:00 2001 From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 11 Aug 2025 18:17:58 +0200 Subject: [PATCH 10/13] ci: update workflow --- .github/workflows/ci_cd.yml | 48 +++++++++++++++++++++++++------------ 1 file changed, 33 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 74da5e396..dedfe39a1 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml 
@@ -228,26 +228,28 @@ jobs: python-version: ${{ env.MAIN_PYTHON_VERSION }} - doc-deploy-dev: - name: "Deploy development documentation" - # Deploy development only when merging to main - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest + release: + name: "Release project to GitHub" + if: github.event_name == 'push' && contains(github.ref, 'refs/tags') needs: [package] + runs-on: ubuntu-latest + environment: release + permissions: + id-token: write + contents: write steps: - - name: "Deploy the latest documentation" - uses: ansys/actions/doc-deploy-dev@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 + - name: Release to GitHub + uses: ansys/actions/release-github@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 with: - cname: ${{ env.DOCUMENTATION_CNAME }} - token: ${{ secrets.GITHUB_TOKEN }} - bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} - bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }} + token: ${{ secrets.GITHUB_TOKEN }} + library-name: ${{ env.PACKAGE_NAME }} + add-artifact-attestation-notes: true - release: - name: Release project + release-pypi: + name: "Release project to PyPI" if: ${{ github.event_name == 'push' && contains(github.ref, 'refs/tags') }} - needs: package + needs: [package] runs-on: ubuntu-latest environment: release permissions: @@ -275,7 +277,7 @@ jobs: # Deploy release documentation when creating a new tag if: github.event_name == 'push' && contains(github.ref, 'refs/tags') runs-on: ubuntu-latest - needs: [release] + needs: [release, release-pypi] steps: - name: "Deploy the stable documentation" uses: ansys/actions/doc-deploy-stable@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 
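Review bot: The split `release` (GitHub) and `release-pypi` jobs each depend only on `package`, so the GitHub release and the PyPI upload run concurrently and one can succeed while the other fails, leaving a tag with a release but no package or vice versa. If ordering matters, make one depend on the other, e.g. `needs: [package, release-pypi]` on the GitHub release job. The GitHub release job requests `id-token: write`, whose only visible consumer is `add-artifact-attestation-notes: true`; a comment tying the scope to that input keeps the grant reviewable. The two jobs' `if:` expressions also differ in style (`${{ ... }}` on one, bare on the other) and should match.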
@@ -284,3 +286,19 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }} + + + doc-deploy-dev: + name: "Deploy development documentation" + # Deploy development only when merging to main + if: github.ref == 'refs/heads/main' + runs-on: ubuntu-latest + needs: [package] + steps: + - name: "Deploy the latest documentation" + uses: ansys/actions/doc-deploy-dev@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 + with: + cname: ${{ env.DOCUMENTATION_CNAME }} + token: ${{ secrets.GITHUB_TOKEN }} + bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} + bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }} \ No newline at end of file From 7c13cf9051a89b11e66e5ba2119dacf03a34df9f Mon Sep 17 00:00:00 2001 From: Muhammed Adedigba Date: Wed, 3 Sep 2025 11:43:20 +0200 Subject: [PATCH 11/13] fix: incremental fix --- .github/workflows/autodoc_cicd.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/autodoc_cicd.yml b/.github/workflows/autodoc_cicd.yml index c763c1297..b0419ccfe 100644 --- a/.github/workflows/autodoc_cicd.yml +++ b/.github/workflows/autodoc_cicd.yml @@ -11,13 +11,13 @@ on: branches: - main - env: RESET_PIP_CACHE_2: 1 RESET_AUTOSUMMARY_CACHE_2: 1 RESET_DOC_BUILD_CACHE_2: 1 MAIN_PYTHON_VERSION: '3.12' +permissions: {} jobs: generate-code: @@ -26,6 +26,8 @@ jobs: steps: - name: "Install Git and checkout project" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: "Setup Python" uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 @@ -48,6 +50,7 @@ jobs: ref: feat/pyconverter-xml2py-predifined-format token: ${{ secrets.MAPDL_CMD_DOC_TOKEN }} path: mapdl-cmd-doc + persist-credentials: false - name: "Install pyconverter-xml2py" run: | From ecc11178a6a2e4caeb4b49e9d0442c0564126922 Mon Sep 17 00:00:00 2001 
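Review bot: The moved `doc-deploy-dev` block ends with `\ No newline at end of file`, so `ci_cd.yml` now lacks a trailing newline; add one after the final `bot-email:` line. If the repository's pre-commit configuration includes `end-of-file-fixer`, it will report this on the next run.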
From: Muhammed Adedigba Date: Wed, 3 Sep 2025 17:16:51 +0200 Subject: [PATCH 12/13] fix: other fixes for ci/cd vulnerabilities --- .github/workflows/autodoc_cicd.yml | 10 +++++----- .github/workflows/ci_cd.yml | 23 ++++++++++++++++++----- .github/workflows/label.yml | 12 ++++++++++++ 3 files changed, 35 insertions(+), 10 deletions(-) diff --git a/.github/workflows/autodoc_cicd.yml b/.github/workflows/autodoc_cicd.yml index b0419ccfe..3cfc89207 100644 --- a/.github/workflows/autodoc_cicd.yml +++ b/.github/workflows/autodoc_cicd.yml @@ -35,7 +35,7 @@ jobs: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: "Cache pip" - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 # zizmor: ignore[cache-poisoning] with: path: ~/.cache/pip key: Python-pyconverter-generatedcommands-v${{ env.RESET_PIP_CACHE_2 }}-${{ hashFiles('pyproject.toml') }} @@ -59,7 +59,7 @@ jobs: - name: "Create pyconverter-autogenerated package" run: | - pyconverter-xml2py package -x ${{ github.workspace }}/mapdl-cmd-doc -f ${{ github.workspace }}/tests/customized_functions -l 100 + pyconverter-xml2py package -x ${GITHUB_WORKSPACE}/mapdl-cmd-doc -f ${GITHUB_WORKSPACE}/tests/customized_functions -l 100 - name: Upload autogenerated doc artifacts uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 @@ -99,7 +99,7 @@ jobs: name: package - name: "Cache pip" - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 # zizmor: ignore[cache-poisoning] with: path: ~/.cache/pip key: Python-pyconverter-generatedcommands-v${{ env.RESET_PIP_CACHE_2 }}-${{ env.MAIN_PYTHON_VERSION }}-${{ hashFiles('pyproject.toml') }} 
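Review bot: Each `# zizmor: ignore[cache-poisoning]` added to the `actions/cache` steps suppresses the finding without recording why it was accepted, so the next reader cannot tell whether the cache was judged unable to reach published output or merely noisy. Put the rationale on the line above each step, e.g. `# zizmor cache-poisoning accepted: <reason the cache cannot affect published output>`, and keep it consistent across the four steps in this file and the matching ones in `ci_cd.yml` (patch 12). The switch from `${{ github.workspace }}` to `${GITHUB_WORKSPACE}` in the `run:` step is the right direction for keeping expression expansion out of shell text.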
@@ -116,7 +116,7 @@ jobs: echo "PyConverter-GeneratedCommands version is: $(python -c 'from pyconverter.generatedcommands import __version__; print(__version__)')" - name: "Cache docs build directory" - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 # zizmor: ignore[cache-poisoning] with: path: doc/_build key: doc-build-pyconverter-generatedcommands-v${{ env.RESET_DOC_BUILD_CACHE_2 }}-${{ inputs.PYCONVERTER_GENERATED_VERSION }}-${{ github.sha }} @@ -124,7 +124,7 @@ jobs: doc-build-pyconverter-generatedcommands-v${{ env.RESET_DOC_BUILD_CACHE_2 }}-${{ inputs.PYCONVERTER_GENERATED_VERSION }} - name: "Cache autosummary" - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 # zizmor: ignore[cache-poisoning] with: path: doc/source/_autosummary/*.rst key: autosummary-pyconverter-generatedcommands-v${{ env.RESET_AUTOSUMMARY_CACHE_2 }}-${{ inputs.PYCONVERTER_GENERATED_VERSION }}-${{ github.sha }} diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index dedfe39a1..436810567 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -23,6 +23,10 @@ env: RESET_DOC_BUILD_CACHE: 10 ON_CI: true +permissions: + contents: read + pull-requests: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -108,6 +112,8 @@ jobs: steps: - name: "Install Git and checkout project" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: "Setup Python" uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 
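Review bot: The new workflow-level `permissions:` block grants `pull-requests: read` to every job without a comment saying which job or action consumes it, while the other two workflows in this series adopt the stricter `permissions: {}` baseline. Either document the consumer (`# pull-requests: read needed by <job/action>`) or reduce the default to `contents: read` and grant `pull-requests` on the job that needs it. `persist-credentials: false` on the checkout step is the right default and is applied to the remaining checkouts in later hunks of this file.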
@@ -120,7 +126,7 @@ jobs: sudo apt-get install pandoc - name: "Cache pip" - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 # zizmor: ignore[cache-poisoning] with: path: ~/.cache/pip key: Python-v${{ env.RESET_PIP_CACHE }}-${{ runner.os }}-${{ hashFiles('pyproject.toml') }} @@ -135,6 +141,7 @@ jobs: ref: feat/pyconverter-xml2py-predifined-format token: ${{ secrets.MAPDL_CMD_DOC_TOKEN }} path: mapdl-cmd-doc + persist-credentials: false - name: "Unit testing requirements installation" run: | @@ -143,7 +150,7 @@ jobs: - name: "Unit testing" run: | pytest -v --durations=10 --maxfail=10 \ - --reruns 7 --reruns-delay 3 --ghdir ${{ github.workspace }}\ + --reruns 7 --reruns-delay 3 --ghdir ${GITHUB_WORKSPACE}\ --cov=pyconverter.xml2py --cov-report=xml:coverage.xml --cov-report=html\ --cov-report term @@ -167,6 +174,8 @@ jobs: steps: - name: "Install Git and checkout project" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: "Setup Python" uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 @@ -174,7 +183,7 @@ jobs: python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: "Cache pip" - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 # zizmor: ignore[cache-poisoning] with: path: ~/.cache/pip key: Python-pyconverter.xml2py-v${{ env.RESET_PIP_CACHE }}-${{ env.MAIN_PYTHON_VERSION }}-${{ hashFiles('pyproject.toml') }} 
@@ -192,7 +201,7 @@ jobs: echo "pyconverter.xml2py version is: $(python -c 'from pyconverter.xml2py import __version__; print(__version__)')" - name: "Cache docs build directory" - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 # zizmor: ignore[cache-poisoning] with: path: doc/_build key: doc-build-pyconverter-xml2py-v${{ env.RESET_DOC_BUILD_CACHE }}-${{ env.PYCONVERTER_VERSION }}-${{ github.sha }} @@ -200,7 +209,7 @@ jobs: doc-build-pyconverter-xml2py-v${{ env.RESET_DOC_BUILD_CACHE }}-${{ env.PYCONVERTER_VERSION }} - name: "Cache autosummary" - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 # zizmor: ignore[cache-poisoning] with: path: doc/source/**/_autosummary/**/*.rst key: autosummary-pyconverter-xml2py-v${{ env.RESET_AUTOSUMMARY_CACHE }}-${{ env.PYCONVERTER_VERSION }}-${{ github.sha }} @@ -277,6 +286,8 @@ jobs: # Deploy release documentation when creating a new tag if: github.event_name == 'push' && contains(github.ref, 'refs/tags') runs-on: ubuntu-latest + permissions: + contents: write needs: [release, release-pypi] steps: - name: "Deploy the stable documentation" @@ -293,6 +304,8 @@ jobs: # Deploy development only when merging to main if: github.ref == 'refs/heads/main' runs-on: ubuntu-latest + permissions: + contents: write needs: [package] steps: - name: "Deploy the latest documentation" diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 442923759..4225365d8 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -7,6 +7,8 @@ on: paths: - '../labels.yml' +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true 
@@ -16,8 +18,14 @@ jobs: label-syncer: name: Syncer runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + issues: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -68,7 +76,11 @@ jobs: labels: bug commenter: + name: Add comment to PR about label suggestions runs-on: ubuntu-latest + permissions: + pull-requests: write + issues: write needs: labeler steps: - name: Suggest to add labels From a11b8ff1215ff138b2f43f80ec14fcdac0f0665d Mon Sep 17 00:00:00 2001 From: Muhammed Adedigba Date: Wed, 3 Sep 2025 17:23:46 +0200 Subject: [PATCH 13/13] fix: reactivate check-actions-security --- .github/workflows/ci_cd.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 436810567..0065033ed 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -65,6 +65,17 @@ jobs: python-package-name: ${{ env.PACKAGE_NAME }} dev-mode: ${{ github.ref != 'refs/heads/main' }} + actions-security: + name: "Check actions security" + runs-on: ubuntu-latest + needs: [vulnerabilities] + steps: + - uses: ansys/actions/check-actions-security@1096998b81f7ebdea116b683e11f3a8bda759ca6 # v10.0.14 + with: + generate-summary: true + token: ${{ secrets.GITHUB_TOKEN }} + auditing-level: 'high' + trust-ansys-actions: true smoke-tests: # Needs to be re-enabled prior to release name: Build and Smoke tests (Linux)
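Review bot: With `permissions: {}` now set at the top of `label.yml` (preceding hunk), only `label-syncer` and `commenter` receive job-level scopes in these hunks, so the `labeler` job that runs `actions/labeler` and `actions-ecosystem/action-add-labels` appears to be left with no token permissions and would fail to apply labels, unless a `permissions:` block for it was added outside the shown hunks. If not, add `permissions:` with `contents: read` and `pull-requests: write` to `labeler`. `contents: write` on `label-syncer` also looks broader than label management needs; labels are managed through the issues API, so `issues: write` alone may suffice (confirm against the syncer action's docs).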