ci: add actions-security job to audit GitHub Actions usage

[germa89]

Description

As the title.

Issue linked

Close #4238

Checklist

• I have visited and read Develop PyMAPDL.
• I have tested my changes locally
• I have added necessary documentation or updated existing documentation.
• I have followed the PyMAPDL coding style guidelines.
• I have added appropriate unit tests that also ensure the minimal coverage criteria.
• I have reviewed my changes before submitting this pull request.
• I have linked the issue or issues that are solved to the PR if any.
• I have assigned this PR to myself.
• I have marked this PR as draft if it is not ready to be reviewed yet.
• I have made sure that the title of my PR follows Commit naming conventions (e.g. feat: adding new MAPDL command)

[Copilot]

Pull Request Overview

Adds a new GitHub Actions workflow job to audit the security of GitHub Actions usage in the repository. This addresses security concerns by implementing automated checks on action usage as part of the CI pipeline.

• Adds actions-security job to CI workflow
• Configures security auditing with high-level checks and Ansys actions trust
• Enables automated summary generation for security audit results

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.27%. Comparing base (98a8f85) to head (eacca68).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4260      +/-   ##
==========================================
- Coverage   91.33%   91.27%   -0.07%     
==========================================
  Files         193      193              
  Lines       15720    15720              
==========================================
- Hits        14358    14348      -10     
- Misses       1362     1372      +10     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[RobPasMue]

Looks like you have some fixes to perform right @germa89 ?

Run python ${GITHUB_ACTION_PATH}/../python-utils/zizmor-summary.py
=========                                         ================    
File name                                         Number of issues    
=========                                         ================    
./.github/actions/build-matrix/action.yml         5                   
./.github/actions/pytest-summary/action.yml       3                   
./.github/actions/test-julia/action.yml           1                   
./.github/actions/test-windows/action.yml         4                   
./.github/workflows/approver.yml                  18                  
./.github/workflows/cache_cleaner.yml             8                   
./.github/workflows/ci.yml                        19                  
./.github/workflows/codeql-analysis.yml           5                   
./.github/workflows/doc-build.yml                 23                  
./.github/workflows/docker_clean_untagged.yml     2                   
./.github/workflows/label.yml                     14                  
./.github/workflows/linkchecker.yml               4                   
./.github/workflows/migrator.yml                  14                  
./.github/workflows/pr-docs-cleaner.yml           2                   
./.github/workflows/test-local.yml                26                  
./.github/workflows/test-remote.yml               33                  
=========                                         ================    
Total                                             181                 
=========                                         ================    

[germa89]

@RobPasMue I knowww 😭😭😭

[jorgepiloto]

@germa89, use https://github.com/suzuki-shunsuke/pinact to automatically pin the latest hash for the actions you use. It will save you some time when addressing previous warnings.

GitHub

GitHub - suzuki-shunsuke/pinact: pinact is a CLI to edit GitHub Workflow and Composite action files and pin versions of Actions and Reusable Workflows. pinact can also update their versions and verify version annotations.

pinact is a CLI to edit GitHub Workflow and Composite action files and pin versions of Actions and Reusable Workflows. pinact can also update their versions and verify version annotations. - suzuki...

[germa89]

thank you a lot @jorgepiloto !! 😄

[germa89]

@RobPasMue @jorgepiloto @moe-ad ... it took aaaaagess....

[moe-ad]

🚀 🚀 🚀 🚀 🚀

[germa89]

I think the permission changes are going to bite me in the future...

@pyansys-ci-bot LGTM.

[pyansys-ci-bot]

✅ Approving this PR because germa89 said so in here 😬