From ff7d10d6dfcc51b3002dc8f80fa58e809e2c7459 Mon Sep 17 00:00:00 2001 From: German <28149841+germa89@users.noreply.github.com> Date: Wed, 15 Oct 2025 11:59:55 +0200 Subject: [PATCH 1/7] ci: add actions-security job to audit GitHub Actions usage --- .github/workflows/ci.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index efbda83d914..8e5feb3932d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -151,6 +151,16 @@ jobs: python-package-name: ${{ env.PACKAGE_NAME }} dev-mode: ${{ github.ref != 'refs/heads/main' }} + actions-security: + name: "Check actions security" + runs-on: ubuntu-latest + steps: + - uses: ansys/actions/check-actions-security@c2fa7c93f6883114e0e643599431b33d29f0b13f #v10.1.4 + with: + generate-summary: true + token: ${{ secrets.GITHUB_TOKEN }} + auditing-level: 'high' + trust-ansys-actions: true docs-build: name: "Build documentation" From ade4c7140ec47c62b0e8c195fe145e34860bbdc6 Mon Sep 17 00:00:00 2001 From: pyansys-ci-bot <92810346+pyansys-ci-bot@users.noreply.github.com> Date: Wed, 15 Oct 2025 10:03:46 +0000 Subject: [PATCH 2/7] chore: adding changelog file 4260.maintenance.md [dependabot-skip] --- doc/changelog.d/4260.maintenance.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 doc/changelog.d/4260.maintenance.md diff --git a/doc/changelog.d/4260.maintenance.md b/doc/changelog.d/4260.maintenance.md new file mode 100644 index 00000000000..788bdfe4c34 --- /dev/null +++ b/doc/changelog.d/4260.maintenance.md @@ -0,0 +1 @@ +Add actions-security job to audit GitHub Actions usage From 84b0d9d584668c3483f2e130164076a70e28878a Mon Sep 17 00:00:00 2001 
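Review bot: The new `actions-security` job declares no `permissions:` block, so the `GITHUB_TOKEN` handed to the action on the `token:` line carries whatever scope the workflow-level `permissions` or the repository default grants, and that default is outside this hunk. An auditing job should run with the least it needs, so add a job-level `permissions:` with `contents: read` and extend it only if the action's documentation requires more. `trust-ansys-actions: true` exempts actions from the ansys organization from the audit, which looks intended here but deserves a one-line comment above it so the exemption reads as deliberate. The enclosing `jobs:` mapping starts before the hunk.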
From: German <28149841+germa89@users.noreply.github.com> Date: Wed, 15 Oct 2025 13:48:23 +0200 Subject: [PATCH 3/7] ci: pin GitHub Actions to specific SHAs to stabilize and make workflows reproducible --- .github/actions/build-matrix/action.yml | 2 +- .github/actions/pytest-summary/action.yml | 6 +++--- .github/actions/test-julia/action.yml | 2 +- .github/actions/test-windows/action.yml | 6 +++--- .github/workflows/approver.yml | 4 ++-- .github/workflows/cache_cleaner.yml | 2 +- .github/workflows/ci.yml | 14 ++++++------- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/doc-build.yml | 24 +++++++++++------------ .github/workflows/label.yml | 20 +++++++++---------- .github/workflows/linkchecker.yml | 2 +- .github/workflows/migrator.yml | 16 +++++++-------- .github/workflows/test-local.yml | 12 ++++++------ .github/workflows/test-remote.yml | 20 +++++++++---------- 14 files changed, 68 insertions(+), 68 deletions(-) diff --git a/.github/actions/build-matrix/action.yml b/.github/actions/build-matrix/action.yml index e163d80157d..77745737d03 100644 --- a/.github/actions/build-matrix/action.yml +++ b/.github/actions/build-matrix/action.yml @@ -55,7 +55,7 @@ runs: echo "This PR has been opened by: $user" echo "user=$( echo "$user" )" >> $GITHUB_OUTPUT - - uses: tspascoal/get-user-teams-membership@v3 + - uses: tspascoal/get-user-teams-membership@57e9f42acd78f4d0f496b3be4368fc5f62696662 #v3.0.0 id: is_organization_member if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'pre-commit-ci[bot]' }} with: diff --git a/.github/actions/pytest-summary/action.yml b/.github/actions/pytest-summary/action.yml index a8d73faa25d..4c39efe70ab 100644 --- a/.github/actions/pytest-summary/action.yml +++ b/.github/actions/pytest-summary/action.yml 
@@ -24,7 +24,7 @@ runs: steps: - name: "Setup Python with cache" - uses: actions/setup-python@v5 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0 with: cache: 'pip' python-version: ${{ inputs.python-version }} @@ -34,7 +34,7 @@ runs: run: python -m pip install numpy click - name: "Download artifacts" - uses: actions/download-artifact@v4 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 #v5.0.0 with: pattern: "reports-*" path: "artifacts" @@ -84,7 +84,7 @@ runs: - name: "Upload tests summary" if: ${{ env.HAS_FILES == 'true' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: tests_durations.json path: tests_durations.json diff --git a/.github/actions/test-julia/action.yml b/.github/actions/test-julia/action.yml index 690384ed892..9e23d0aae97 100644 --- a/.github/actions/test-julia/action.yml +++ b/.github/actions/test-julia/action.yml @@ -14,7 +14,7 @@ runs: using: "composite" steps: - name: "Set up Julia" - uses: julia-actions/setup-julia@v2 + uses: julia-actions/setup-julia@5c9647d97b78a5debe5164e9eec09d653d29bd71 #v2.6.1 with: version: ${{ matrix.julia-version }} diff --git a/.github/actions/test-windows/action.yml b/.github/actions/test-windows/action.yml index 4c1ae2f42f1..0d74001b0fa 100644 --- a/.github/actions/test-windows/action.yml +++ b/.github/actions/test-windows/action.yml @@ -21,7 +21,7 @@ runs: # Skipping because it is installed locally. # - name: Setup Python - # uses: actions/setup-python@v5 + # uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0 # with: # python-version: 3.9 @@ -68,7 +68,7 @@ runs: --report-log=$file_name.jsonl \ --cov-report=xml:$file_name.xml - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 #v5.5.1 name: "Upload coverage to Codecov" with: token: ${{ inputs.codecov_token }} # required 
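Review bot: Several of these pins are major-version upgrades as well as SHA pins: `actions/setup-python@v5` becomes `#v6.0.0` and `actions/download-artifact@v4` becomes `#v5.0.0` in this file, and `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` become `#v4.30.8` in codeql-analysis.yml further down. The commit message describes the change as pinning to stabilize workflows, so the major bumps should either be named in the message or split into their own commit where any breaking changes can be checked on their own. The SHA-to-version pairing on each line cannot be verified from the diff itself; if a bot is expected to keep these pins current, confirm it recognizes the `#vX.Y.Z` trailing-comment form used here rather than a spaced variant.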
@@ -76,7 +76,7 @@ runs: flags: windows,local,v22.2.0 - name: "Upload coverage artifacts" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: windows-v22.2.0-local.xml path: ./windows_local.xml \ No newline at end of file diff --git a/.github/workflows/approver.yml b/.github/workflows/approver.yml index a94219dc0c5..04c60c4f738 100644 --- a/.github/workflows/approver.yml +++ b/.github/workflows/approver.yml @@ -58,7 +58,7 @@ jobs: - name: React to comment #https://github.com/ansys/pymapdl/pull/2654#issuecomment-1889009514 - uses: dkershner6/reaction-action@v2 # You can also use a specific version, e.g. v2.0.0 + uses: dkershner6/reaction-action@97ede302a1b145b3739dec3ca84a489a34ef48b5 #v2.2.1 with: token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} commentId: ${{ steps.settings.outputs.commentid }} # Optional if the trigger is a comment. Use another action to find this otherwise. @@ -71,7 +71,7 @@ jobs: export IMG_MSG=$(curl -s 'https://us-central1-lgtm-reloaded.cloudfunctions.net/lgtm' | jq -r '.markdown' | grep -v 'Powered By GIPHY') echo "IMG_MSG=$IMG_MSG" >> $GITHUB_OUTPUT - - uses: hmarr/auto-approve-action@v4 + - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 #v4.0.0 with: review-message: | :white_check_mark: Approving this PR because [${{ steps.settings.outputs.user }}](https://github.com/${{ steps.settings.outputs.user }}) said so in [here](${{ steps.settings.outputs.html_url }}) :grimacing: diff --git a/.github/workflows/cache_cleaner.yml b/.github/workflows/cache_cleaner.yml index 0ea72c656f1..8f3aeb7bf36 100644 --- a/.github/workflows/cache_cleaner.yml +++ b/.github/workflows/cache_cleaner.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: Cleanup PR caches if: github.event_name != 'workflow_dispatch' 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index efbda83d914..ad79a67386f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -49,7 +49,7 @@ jobs: name: Adding assignee if there is none. runs-on: ubuntu-latest steps: - - uses: actions-ecosystem/action-add-assignees@v1 + - uses: actions-ecosystem/action-add-assignees@ce5019e63cc4f35aba27308dc88d19c8f3686747 #v1.0.0 if: | ( github.event_name == 'pull_request' && @@ -186,7 +186,7 @@ jobs: steps: - name: "Install Git and checkout project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: Build matrix for remote testing uses: ./.github/actions/build-matrix @@ -222,7 +222,7 @@ jobs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - name: "Install Git and checkout project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: Build matrix for local, minimal and console testing uses: ./.github/actions/build-matrix @@ -315,7 +315,7 @@ jobs: ON_LOCAL: TRUE steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - uses: ./.github/actions/test_windows with: @@ -408,7 +408,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Open issue" - uses: jayqi/failed-build-issue-action@v1 + uses: jayqi/failed-build-issue-action@1a893bbf43ef1c2a8705e2b115cd4f0fe3c5649b #v1.2.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} title-template: "Failed scheduled build" @@ -426,7 +426,7 @@ jobs: os: [ubuntu-latest, windows-latest] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: "Run Julia testing" uses: ./.github/actions/test-julia 
@@ -443,7 +443,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Install Git and checkout project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: "Run Pytest-summary action" uses: ./.github/actions/pytest-summary diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 648da843752..784dbc468dc 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -55,11 +55,11 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 #v4.30.8 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -71,6 +71,6 @@ jobs: # queries: security-extended,security-and-quality - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 #v4.30.8 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/doc-build.yml b/.github/workflows/doc-build.yml index e9f6fddeb43..3c6f89fcf7c 100644 --- a/.github/workflows/doc-build.yml +++ b/.github/workflows/doc-build.yml @@ -85,10 +85,10 @@ jobs: steps: - name: "Install Git and checkout project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: "Login in Github container registry" - uses: docker/login-action@v3.6.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef #v3.6.0 with: registry: ghcr.io username: ${{ secrets.username }} 
@@ -114,7 +114,7 @@ jobs: $(docker pull $DPF_DOCKER_IMAGE && docker run -d --name dpfserver --env ANSYS_DPF_ACCEPT_LA=Y --env ANSYSLMD_LICENSE_FILE="1055@${{ secrets.license-server }}" -p ${{ env.DPF_PORT }}:50052 $DPF_DOCKER_IMAGE && echo "DPF Server active on port ${{ env.DPF_PORT }}.") & - name: "Getting files change filters" - uses: dorny/paths-filter@v3 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 #v3.0.2 id: changes with: filters: | @@ -130,14 +130,14 @@ jobs: - 'pyproject.toml' - name: "Setup Python with cache" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0 if: steps.changes.outputs.workflows != 'true' with: cache: 'pip' python-version: ${{ env.MAIN_PYTHON_VERSION }} - name: "Setup Python without cache" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0 if: steps.changes.outputs.workflows == 'true' with: python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -167,7 +167,7 @@ jobs: echo "PyMAPDL version is: $(python -c "from ansys.mapdl.core import __version__; print(__version__)")" - name: "Cache examples" - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0 if: ${{ inputs.use_cache_examples && (steps.changes.outputs.documentation != 'true' || env.NOT_ON_RELEASE) }} with: path: doc/source/examples @@ -176,7 +176,7 @@ jobs: Examples-v${{ env.RESET_EXAMPLES_CACHE }}-${{ steps.version.outputs.PYMAPDL_VERSION }} - name: "Cache docs build directory" - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0 if: ${{ inputs.use_cache_doc_build && (steps.changes.outputs.documentation != 'true' || env.NOT_ON_RELEASE) }} with: path: doc/_build 
@@ -185,7 +185,7 @@ jobs: doc-build-v${{ env.RESET_DOC_BUILD_CACHE }}-${{ steps.version.outputs.PYMAPDL_VERSION }} - name: "Cache autosummary" - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0 if: ${{ inputs.use_cache_autosummary && (steps.changes.outputs.documentation != 'true' || env.NOT_ON_RELEASE) }} with: path: doc/source/**/_autosummary/*.rst @@ -205,7 +205,7 @@ jobs: - name: Install Quarto if: ${{ inputs.build_cheatsheet }} - uses: quarto-dev/quarto-actions/setup@v2 + uses: quarto-dev/quarto-actions/setup@9e48da27e184aa238fcb49f5db75469626d43adb #v2.1.9 with: tinytex: true version: 1.7.32 @@ -235,7 +235,7 @@ jobs: .ci/substitute_defective_gif.sh - name: "Upload HTML Documentation" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: documentation-html path: doc/_build/html @@ -255,7 +255,7 @@ jobs: - name: "Upload PDF documentation" if: ${{ inputs.build_pdf }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: documentation-pdf path: doc/_build/latex/pymapdl*.pdf @@ -263,7 +263,7 @@ jobs: - name: "Upload minimal requirements file" # To include it in the release - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: minimum_requirements.txt path: ./minimum_requirements.txt diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 172fea4f16d..edb9ff0b16f 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -21,8 +21,8 @@ jobs: name: Syncer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: micnncim/action-label-syncer@v1 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 + - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c #v1.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -37,13 +37,13 @@ jobs: # Label based on modified files - name: Label based on changed files - uses: actions/labeler@v6 + uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b #v6.0.1 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" sync-labels: true # Label based on branch name - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 #v1.1.0 if: | startsWith(github.event.pull_request.title, 'fix') || startsWith(github.event.pull_request.title, 'bug') || @@ -52,14 +52,14 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN}} labels: bug - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 #v1.1.0 if: | startsWith(github.event.pull_request.title, 'feat') with: github_token: ${{ secrets.GITHUB_TOKEN}} labels: new feature - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 #v1.1.0 if: | startsWith(github.event.pull_request.title, 'style') || startsWith(github.event.pull_request.title, 'refactor') || @@ -70,7 +70,7 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN}} labels: enhancement - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 #v1.1.0 if: | startsWith(github.event.pull_request.title, 'build') || startsWith(github.event.pull_request.title, 'revert') || @@ -79,7 +79,7 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN}} labels: maintenance - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 #v1.1.0 if: | startsWith(github.event.pull_request.title, 'doc') || startsWith(github.event.pull_request.title, 'docs') 
@@ -87,7 +87,7 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN}} labels: documentation - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 #v1.1.0 if: | startsWith(github.event.pull_request.title, 'docker') || startsWith(github.event.pull_request.title, 'no-ci') || @@ -103,7 +103,7 @@ jobs: pull-requests: write steps: - name: Suggest to add labels - uses: peter-evans/create-or-update-comment@v5 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 #v5.0.0 # Execute only when no labels have been applied to the pull request if: toJSON(github.event.pull_request.labels.*.name) == '{}' # Empty labels with: diff --git a/.github/workflows/linkchecker.yml b/.github/workflows/linkchecker.yml index 283ef3928b9..0cc45055362 100644 --- a/.github/workflows/linkchecker.yml +++ b/.github/workflows/linkchecker.yml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Open issue" - uses: jayqi/failed-build-issue-action@v1.2 + uses: jayqi/failed-build-issue-action@1a893bbf43ef1c2a8705e2b115cd4f0fe3c5649b #v1.2.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} title-template: "Failed scheduled linkcheck 🔗 build" diff --git a/.github/workflows/migrator.yml b/.github/workflows/migrator.yml index 0660695be0b..42fed2bc869 100644 --- a/.github/workflows/migrator.yml +++ b/.github/workflows/migrator.yml @@ -69,7 +69,7 @@ jobs: - name: Setup the configuration id: pr_number - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #v8.0.0 env: EVENTNAME: ${{ github.event_name }} DISPATCH_PR_NUMBER: ${{ github.event.inputs.issue_number }} @@ -138,7 +138,7 @@ jobs: core.exportVariable('MODE', mode); - id: is_organization_member - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #v8.0.0 with: github-token: ${{ secrets.TOKEN_TEAMS_USER_READ }} script: | 
@@ -169,7 +169,7 @@ jobs: } - name: 'Delete previous reactions' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #v8.0.0 with: github-token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} script: | @@ -202,7 +202,7 @@ jobs: } - name: 'Reply to comment' - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #v8.0.0 with: github-token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} script: | @@ -240,7 +240,7 @@ jobs: - name: Get pull request details if : ${{ env.CONTINUE == 'true' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #v8.0.0 with: github-token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} script: | @@ -294,7 +294,7 @@ jobs: - name: Checkout repo if : ${{ env.CONTINUE == 'true'}} - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: ref: main @@ -364,7 +364,7 @@ jobs: - name: Opening PR if needed. if : ${{ env.CONTINUE == 'true' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #v8.0.0 with: github-token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} script: | @@ -475,7 +475,7 @@ jobs: - name: Create comment about failed migration # Not creating more failure comments if the workflow is retried if: ${{ failure() && github.run_attempt == 1 && github.event_name != 'workflow_dispatch' }} - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #v8.0.0 with: github-token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} script: | diff --git a/.github/workflows/test-local.yml b/.github/workflows/test-local.yml index 05e67a6d4e7..c778c95b058 100644 --- a/.github/workflows/test-local.yml +++ b/.github/workflows/test-local.yml 
@@ -143,7 +143,7 @@ jobs: df -h - name: "Install Git and checkout project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: repository: ansys/pymapdl @@ -186,7 +186,7 @@ jobs: apt-get update && apt install -y libgl1 libglx-mesa0 xvfb libgomp1 graphviz curl && apt-get clean - name: "Setup Python" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0 with: python-version: ${{ inputs.python-version }} @@ -269,7 +269,7 @@ jobs: - name: "Upload pytest reports to GitHub" if: always() - uses: actions/upload-artifact@v4.6.2 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: "reports-${{ inputs.file-name }}" path: ./${{ inputs.file-name }}.jsonl @@ -284,7 +284,7 @@ jobs: # - name: "Upload logs to GitHub" # if: always() - # uses: actions/upload-artifact@v4.6.2 + # uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 # with: # name: logs-${{ inputs.file-name }}.tgz # path: ./logs-${{ inputs.file-name }}.tgz @@ -297,7 +297,7 @@ jobs: run: | .ci/display_logs_locals.sh - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 #v5.5.1 name: "Upload coverage to Codecov" if: inputs.codecov-report == true with: @@ -307,7 +307,7 @@ jobs: flags: local-ubuntu-${{ inputs.mapdl-version }}-dmp-${{ steps.student_check.outputs.TAG_STUDENT }}-${{ inputs.tags }} - name: "Upload coverage artifacts" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 if: inputs.codecov-report == true with: name: ${{ inputs.file-name }}.xml diff --git a/.github/workflows/test-remote.yml b/.github/workflows/test-remote.yml index 40327ab1732..d0afcfda8bf 100644 --- a/.github/workflows/test-remote.yml +++ b/.github/workflows/test-remote.yml 
@@ -82,10 +82,10 @@ jobs: df -h - name: "Install Git and checkout project" - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - name: "Login in Github container registry" - uses: docker/login-action@v3.6.0 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef #v3.6.0 with: registry: ghcr.io username: ${{ secrets.username }} @@ -180,7 +180,7 @@ jobs: docker pull $DPF_DOCKER_IMAGE && docker run -d --name dpfserver --env ANSYS_DPF_ACCEPT_LA=Y -p ${{ env.DPF_PORT }}:50052 $DPF_DOCKER_IMAGE && echo "DPF Server active on port ${{ env.DPF_PORT }}." > log_dpf.log & - name: "Getting files change filters" - uses: dorny/paths-filter@v3 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 #v3.0.2 id: changes with: filters: | @@ -188,14 +188,14 @@ jobs: - '.github/workflows/**' - name: "Setup Python with cache" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0 if: steps.changes.outputs.workflows != 'true' with: cache: 'pip' python-version: ${{ inputs.python-version }} - name: "Setup Python without cache" - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0 if: steps.changes.outputs.workflows == 'true' with: python-version: ${{ inputs.python-version }} @@ -266,12 +266,12 @@ jobs: echo "Number of restarts in the MAPDL_1 container: $N_RESTART" - name: "Upload pytest reports to GitHub" - uses: actions/upload-artifact@v4.6.2 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: "reports-${{ inputs.file-name }}" path: ./${{ inputs.file-name }}.jsonl - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 #v5.5.1 name: "Upload coverage to Codecov" with: token: ${{ secrets.codecov-token }} # required 
@@ -279,7 +279,7 @@ jobs: flags: remote-${{ steps.ubuntu_check.outputs.TAG_UBUNTU }}-${{ inputs.mapdl-version }}-${{ steps.distributed_mode.outputs.distributed_mode }}-${{ steps.student_check.outputs.TAG_STUDENT }} - name: Upload coverage artifacts - uses: actions/upload-artifact@v4.6.2 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: "${{ inputs.file-name }}.xml" path: "./${{ inputs.file-name }}.xml" @@ -291,7 +291,7 @@ jobs: twine check dist/* - name: "Upload wheel and binaries" - uses: actions/upload-artifact@v4.6.2 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 with: name: PyMAPDL-packages-${{ inputs.mapdl-version }} path: dist/ @@ -309,7 +309,7 @@ jobs: # - name: "Upload logs to GitHub" # if: always() - # uses: actions/upload-artifact@v4.6.2 + # uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2 # with: # name: logs-${{ inputs.file-name }}.tgz # path: ./logs-${{ inputs.file-name }}.tgz From f290776e23b055872be7c53d5a1c7b6a6d575a4f Mon Sep 17 00:00:00 2001 From: German <28149841+germa89@users.noreply.github.com> Date: Wed, 15 Oct 2025 14:40:25 +0200 Subject: [PATCH 4/7] ci: standardize checkout and env handling across GitHub Actions --- .github/actions/build-matrix/action.yml | 6 ++++-- .github/actions/test-windows/action.yml | 8 ++----- .github/workflows/approver.yml | 28 ++++++++++++++++--------- .github/workflows/cache_cleaner.yml | 26 +++++++++++++---------- .github/workflows/ci.yml | 25 +++++++--------------- .github/workflows/codeql-analysis.yml | 2 ++ .github/workflows/doc-build.yml | 7 ++++++- .github/workflows/label.yml | 3 +++ .github/workflows/migrator.yml | 11 +++++++--- .github/workflows/test-local.yml | 21 ++++++++++++------- .github/workflows/test-remote.yml | 27 ++++++++++++++++-------- 11 files changed, 98 insertions(+), 66 deletions(-) 
diff --git a/.github/actions/build-matrix/action.yml b/.github/actions/build-matrix/action.yml index 77745737d03..74663434678 100644 --- a/.github/actions/build-matrix/action.yml +++ b/.github/actions/build-matrix/action.yml @@ -43,14 +43,16 @@ runs: id: get_user env: type_event: ${{ inputs.type_event }} + login: ${{ github.event.pull_request.user.login }} + user: ${{ github.actor }} shell: bash run: | if [[ $type_event ]]; then echo "Event type: $type_event" echo "event_type=$( echo "$type_event" )" >> $GITHUB_OUTPUT - export user=${{ github.event.pull_request.user.login }} + export user=${login} else - export user=${{ github.actor }} + export user=${user} fi echo "This PR has been opened by: $user" echo "user=$( echo "$user" )" >> $GITHUB_OUTPUT diff --git a/.github/actions/test-windows/action.yml b/.github/actions/test-windows/action.yml index 0d74001b0fa..827adb4d56a 100644 --- a/.github/actions/test-windows/action.yml +++ b/.github/actions/test-windows/action.yml @@ -50,20 +50,16 @@ runs: run: | python -m pip install .[tests] - # - name: DPF Server Activation - # run: | - # docker pull ghcr.io/ansys/dpf-core:22.2dev - # docker run -d --name dpfserver -p ${{ env.DPF_PORT }}:50052 ghcr.io/ansys/dpf-core:22.2dev && echo "DPF Server active on port ${{ env.DPF_PORT }}." - - name: "Unit testing" shell: powershell env: file_name: windows-v22.2.0-local + PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }} run: | set PYMAPDL_PORT= set PYMAPDL_START_INSTANCE= python -m pytest -k "not test_database and not test_dpf" \ - ${{ env.PYTEST_ARGUMENTS }} \ + ${PYTEST_ARGUMENTS} \ --ignore_image_cache \ --report-log=$file_name.jsonl \ --cov-report=xml:$file_name.xml diff --git a/.github/workflows/approver.yml b/.github/workflows/approver.yml index 04c60c4f738..1a2f960491c 100644 --- a/.github/workflows/approver.yml +++ b/.github/workflows/approver.yml 
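Review bot: In the `get_user` step the new `user: ${{ github.actor }}` env entry is copied onto itself by `export user=${user}` in one branch and overwritten by `export user=${login}` in the other, so the env name doubles as the result variable and the `else` branch reads as a no-op. Naming the env entry for what it holds, `actor: ${{ github.actor }}` with `export user=${actor}`, keeps the injection-safe indirection this change introduces and makes the two branches symmetric. The `$GITHUB_OUTPUT` writes that follow are unchanged and fine.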
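Review bot: The `Unit testing` step runs with `shell: powershell`, where `${PYTEST_ARGUMENTS}` is a PowerShell variable reference rather than an environment-variable lookup, so the new line most likely expands to nothing and the arguments that `${{ env.PYTEST_ARGUMENTS }}` used to substitute before the shell started are silently dropped; under PowerShell the env-based form needs `$env:PYTEST_ARGUMENTS`. The pre-existing `$file_name` references, the `set VAR=` lines and the trailing `\` continuations in the same block are cmd/bash idioms with the same problem, but they are outside this change. Patch 4 of this series also deletes the `test-windows` job in ci.yml, which appears to be the only caller of this composite action, so either fix this line or retire the action together with the job.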
@@ -37,22 +37,30 @@ jobs: - name: "Settings" id: settings + env: + event_name: ${{ github.event_name }} + inputs_user: ${{ inputs.user }} + inputs_html_url: ${{ inputs.html_url }} + inputs_pr: ${{ inputs.pr }} + inputs_commentid: ${{ inputs.commentid }} + github_login: ${{ github.event.comment.user.login }} + github_html_url: ${{ github.event.comment.html_url }} + github_number: ${{ github.event.issue.number }} + github_id: ${{ github.event.comment.id }} run: | - export event_name=${{ github.event_name }} - if [[ $event_name == "workflow_dispatch" ]] ; then echo "On workflow dispatch" - echo "user=${{ inputs.user }}" >> $GITHUB_OUTPUT - echo "html_url=${{ inputs.html_url }}" >> $GITHUB_OUTPUT - echo "pull_request=${{ inputs.pr }}" >> $GITHUB_OUTPUT - echo "commentid=${{ inputs.commentid }}" >> $GITHUB_OUTPUT + echo "user=${inputs_user}" >> $GITHUB_OUTPUT + echo "html_url=${inputs_html_url}" >> $GITHUB_OUTPUT + echo "pull_request=${inputs_pr}" >> $GITHUB_OUTPUT + echo "commentid=${inputs_commentid}" >> $GITHUB_OUTPUT else echo "On $event_name" - echo "user=${{ github.event.comment.user.login }}" >> $GITHUB_OUTPUT - echo "html_url=${{ github.event.comment.html_url }}" >> $GITHUB_OUTPUT - echo "pull_request=${{ github.event.issue.number }}" >> $GITHUB_OUTPUT - echo "commentid=${{ github.event.comment.id }}" >> $GITHUB_OUTPUT + echo "user=${github_login}" >> $GITHUB_OUTPUT + echo "html_url=${github_html_url}" >> $GITHUB_OUTPUT + echo "pull_request=${github_number}" >> $GITHUB_OUTPUT + echo "commentid=${github_id}" >> $GITHUB_OUTPUT fi; diff --git a/.github/workflows/cache_cleaner.yml b/.github/workflows/cache_cleaner.yml index 8f3aeb7bf36..74d74f2db04 100644 --- a/.github/workflows/cache_cleaner.yml +++ b/.github/workflows/cache_cleaner.yml 
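Review bot: Moving the expressions into `env:` closes the script-injection path, but the `workflow_dispatch` branch still forwards `inputs_pr`, `inputs_commentid`, `inputs_user` and `inputs_html_url` into `$GITHUB_OUTPUT` unchecked, and those outputs later drive the `reaction-action` and `auto-approve-action` steps in this workflow. A shape check before the writes, e.g. `[[ "$inputs_pr" =~ ^[0-9]+$ && "$inputs_commentid" =~ ^[0-9]+$ ]] || { echo "invalid numeric input"; exit 1; }`, rejects malformed values early and keeps a stray newline in an input from being read as an extra `key=value` output line. Quoting `"$GITHUB_OUTPUT"` in the redirections and dropping the trailing `;` after `fi` would tidy the shell at the same time.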
@@ -7,18 +7,24 @@ on: jobs: cleanup: + name: Cleanup caches runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 + with: + persist-credentials: false - name: Cleanup PR caches if: github.event_name != 'workflow_dispatch' + env: + PR_NUMBER: ${{ github.event.pull_request.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REPO: ${{ github.repository }} run: | gh extension install actions/gh-actions-cache - - REPO=${{ github.repository }} - BRANCH="refs/pull/${{ github.event.pull_request.number }}/merge" + + BRANCH="refs/pull/${PR_NUMBER}/merge" echo "Fetching list of cache key" cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH | cut -f 1 ) @@ -37,16 +43,16 @@ jobs: cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH | cut -f 1 ) done echo "Done" - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Cleanup by workflow dispatch if: github.event_name == 'workflow_dispatch' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REPO: ${{ github.repository }} run: | gh extension install actions/gh-actions-cache - - REPO=${{ github.repository }} - echo $REPO + + echo "The repository is: $REPO" echo "Fetching list of cache key" cacheKeysForPR=$(gh actions-cache list -R $REPO | cut -f 1 ) @@ -63,6 +69,4 @@ jobs: cacheKeysForPR=$(gh actions-cache list -R $REPO | cut -f 1 ) done - echo "Done" - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + echo "Done" \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ad79a67386f..01aca34ae88 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -187,6 +187,8 @@ jobs: steps: - name: "Install Git and checkout project" uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 + with: + persist-credentials: false - name: Build matrix for remote testing uses: ./.github/actions/build-matrix 
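Review bot: Both cleanup steps still run `gh extension install actions/gh-actions-cache` without a pinned version, which fetches whatever the extension's default branch holds at run time; in a series whose purpose is pinning third-party actions to SHAs, this is the one remaining unpinned executable. `gh extension install` accepts `--pin`, so `gh extension install actions/gh-actions-cache --pin <REVIEWED-TAG-OR-SHA>` (placeholder, pick the ref you have reviewed) closes the gap, and the built-in `gh cache list` / `gh cache delete` subcommands avoid the extension entirely if the runner's gh version is recent enough. The same applies to the `Cleanup by workflow dispatch` hunk below. The `GH_TOKEN` and `REPO` env moves and `persist-credentials: false` on the checkout are the right direction.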
@@ -223,6 +225,8 @@ jobs: steps: - name: "Install Git and checkout project" uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 + with: + persist-credentials: false - name: Build matrix for local, minimal and console testing uses: ./.github/actions/build-matrix @@ -305,23 +309,6 @@ jobs: test_dpf: false - test-windows: - # Skipped - if: github.repository == '' - name: "Local: Build & test on Windows" - runs-on: [self-hosted, Windows, pymapdl] - timeout-minutes: 30 - env: - ON_LOCAL: TRUE - - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 - - - uses: ./.github/actions/test_windows - with: - codecov_token: ${{ secrets.CODECOV_TOKEN }} - - package: name: "Package library" needs: [build-test-remote, build-test-ubuntu-local, build-test-ubuntu-minimal, docs-build] @@ -427,6 +414,8 @@ jobs: steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 + with: + persist-credentials: false - name: "Run Julia testing" uses: ./.github/actions/test-julia @@ -444,6 +433,8 @@ jobs: steps: - name: "Install Git and checkout project" uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 + with: + persist-credentials: false - name: "Run Pytest-summary action" uses: ./.github/actions/pytest-summary diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 784dbc468dc..2dad7d3eddb 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -56,6 +56,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/doc-build.yml b/.github/workflows/doc-build.yml index 3c6f89fcf7c..21152246419 100644 --- a/.github/workflows/doc-build.yml +++ b/.github/workflows/doc-build.yml 
@@ -65,6 +65,7 @@ on: jobs: doc-build: + name: Build documentation runs-on: ubuntu-latest env: ON_CI: True @@ -86,6 +87,8 @@ jobs: steps: - name: "Install Git and checkout project" uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 + with: + persist-credentials: false - name: "Login in Github container registry" uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef #v3.6.0 @@ -110,8 +113,10 @@ jobs: - name: "DPF server activation" shell: bash + env: + LICENSE_SERVER: ${{ secrets.license-server }} run: | - $(docker pull $DPF_DOCKER_IMAGE && docker run -d --name dpfserver --env ANSYS_DPF_ACCEPT_LA=Y --env ANSYSLMD_LICENSE_FILE="1055@${{ secrets.license-server }}" -p ${{ env.DPF_PORT }}:50052 $DPF_DOCKER_IMAGE && echo "DPF Server active on port ${{ env.DPF_PORT }}.") & + $(docker pull $DPF_DOCKER_IMAGE && docker run -d --name dpfserver --env ANSYS_DPF_ACCEPT_LA=Y --env ANSYSLMD_LICENSE_FILE="1055@${LICENSE_SERVER}" -p ${DPF_PORT}:50052 $DPF_DOCKER_IMAGE && echo "DPF Server active on port ${DPF_PORT}.") & - name: "Getting files change filters" uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 #v3.0.2 diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index edb9ff0b16f..488b9d887b1 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -22,6 +22,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 + with: + persist-credentials: false - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c #v1.3.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -97,6 +99,7 @@ jobs: labels: CI/CD commenter: + name: Comment to suggest adding labels if none have been added runs-on: ubuntu-latest needs: [labeler] permissions: diff --git a/.github/workflows/migrator.yml b/.github/workflows/migrator.yml index 42fed2bc869..46822dfdd5b 100644 --- a/.github/workflows/migrator.yml +++ b/.github/workflows/migrator.yml 
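Review bot: The rewritten `DPF server activation` line still wraps the whole `docker pull … && docker run … && echo …` chain in `$( … ) &`, so once the background subshell finishes its stdout (the pull progress and the echo text) is re-executed as a command; because it runs in the background the resulting "command not found" never fails the step, which is why it has gone unnoticed. The same chain in test-remote.yml (hunk `@@ -177,7 +185,7 @@` further down) uses a plain `… &`, so the two should agree: change the leading `$(` to `(` and keep the closing `) &`. Moving `secrets.license-server` into the `LICENSE_SERVER` env entry is the right direction; the value still has to reach `docker run --env`, which is unavoidable here.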
@@ -59,6 +59,7 @@ permissions: jobs: migrate: + name: Migrate PR from fork to main repo if: | ( github.event.issue.pull_request != null && @@ -297,19 +298,23 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: ref: main + persist-credentials: false - name: Clone head repo and checkout branch. Resolve conflicts if needed. if : ${{ env.CONTINUE == 'true' }} env: GITHUB_TOKEN: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} + PYANSYS_CI_BOT_USERNAME: ${{ secrets.PYANSYS_CI_BOT_USERNAME }} + PYANSYS_CI_BOT_EMAIL: ${{ secrets.PYANSYS_CI_BOT_EMAIL }} + run: | echo "Setting up git configuration" - git config --global user.name "${{ secrets.PYANSYS_CI_BOT_USERNAME }}" - git config --global user.email "${{ secrets.PYANSYS_CI_BOT_EMAIL}}" + git config --global user.name "${PYANSYS_CI_BOT_USERNAME}" + git config --global user.email "${PYANSYS_CI_BOT_EMAIL}" git config pull.rebase true echo "\033[1;92m[INFO]Adding \"${PR_HEAD_REPO}\" as remote \033[0m" - git remote add head_repo https://x-access-token:${{ secrets.PYANSYS_CI_BOT_TOKEN }}@github.com/${PR_HEAD_REPO}.git + git remote add head_repo https://x-access-token:${GITHUB_TOKEN}@github.com/${PR_HEAD_REPO}.git echo "\033[1;92m[INFO]Fetching \"${PR_HEAD_BRANCH}\" branch from \"${PR_HEAD_REPO}\" \033[0m" git fetch head_repo ${PR_HEAD_BRANCH} diff --git a/.github/workflows/test-local.yml b/.github/workflows/test-local.yml index c778c95b058..3eca6021072 100644 --- a/.github/workflows/test-local.yml +++ b/.github/workflows/test-local.yml @@ -110,6 +110,7 @@ on: jobs: test-local: + name: Test MAPDL locally runs-on: ${{ inputs.runner }} env: ON_CI: True 
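Review bot: `git remote add head_repo https://x-access-token:${GITHUB_TOKEN}@github.com/${PR_HEAD_REPO}.git` writes the bot PAT into `.git/config` of the workspace, which undoes the `persist-credentials: false` added to the checkout a few lines above: every later step in the job, and anything that uploads the workspace, can read it. Prefer a credential-free remote with per-command auth the way actions/checkout does, e.g. `git remote add head_repo https://github.com/${PR_HEAD_REPO}.git` followed by `git -c http.extraheader="AUTHORIZATION: basic $(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 -w0)" fetch head_repo ${PR_HEAD_BRANCH}`, or at minimum `git remote remove head_repo` once the branch is fetched. The env entry named `GITHUB_TOKEN` actually carries `PYANSYS_CI_BOT_TOKEN`; a name such as `BOT_TOKEN` would make the `git` and `gh` calls in this step (which continues past the hunk) easier to audit. The blank `+` line between `PYANSYS_CI_BOT_EMAIL` and `run:` is a stray whitespace change.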
@@ -146,17 +147,20 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: repository: ansys/pymapdl + persist-credentials: false - name: "Get if running student version" id: student_check shell: bash + env: + MAPDL_VERSION: ${{ inputs.mapdl-version }} run: | - if [[ "${{ inputs.mapdl-version }}" == *"student"* ]]; + if [[ "${MAPDL_VERSION}" == *"student"* ]]; then export ON_STUDENT=true; export TAG_STUDENT="student"; else export ON_STUDENT=false; export TAG_STUDENT="non-student"; fi - if [[ "${{ inputs.mapdl-version }}" == *"cicd"* ]]; then + if [[ "${MAPDL_VERSION}" == *"cicd"* ]]; then echo "CICD MAPDL version detected, testing DPF backend for results module."; echo "TEST_DPF_BACKEND=true" >> $GITHUB_ENV; fi @@ -232,6 +236,9 @@ jobs: ON_CONSOLE: ${{ inputs.on-console }} ANSYSLMD_LICENSE_FILE: "1055@${{ secrets.license-server }}" file_name: ${{ inputs.file-name }} + PYTEST_ARGUMENTS: "${{ env.PYTEST_ARGUMENTS }}" + MAPDL_VERSION: ${{ inputs.mapdl-version }} + PYTEST_INPUT_ARGUMENTS: "${{ inputs.pytest-arguments }}" shell: bash run: | echo "ON_UBUNTU: $ON_UBUNTU" @@ -240,16 +247,16 @@ jobs: # Because there is no 'ansys-tools-path' we need to input the # executable path with the env var: PYMAPDL_MAPDL_EXEC. - if [[ "${{ inputs.mapdl-version }}" == *"latest-ubuntu"* ]] ; then + if [[ "${MAPDL_VERSION}" == *"latest-ubuntu"* ]] ; then version=${{ inputs.latest-version }} else - version=$(echo "${{ inputs.mapdl-version }}" | head -c 5 | tail -c 4 | tr -d '.') + version=$(echo "${MAPDL_VERSION}" | head -c 5 | tail -c 4 | tr -d '.') fi; echo "Version: $version" # If minimal is true, we need to set the executable path. - if [[ "${{ inputs.testing-minimal }}" == "true" ]]; then + if [[ "${ON_MINIMAL}" == "true" ]]; then echo "PYMAPDL_MAPDL_EXEC: $PYMAPDL_MAPDL_EXEC" export PYMAPDL_MAPDL_EXEC=/ansys_inc/v"$version"/ansys/bin/ansys"$version" export cmd="pytest" 
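Review bot: `if [[ "${ON_MINIMAL}" == "true" ]]; then` replaces the `inputs.testing-minimal` expression with a shell variable that is not among the entries added to the step `env:` block in the previous hunk (`PYTEST_ARGUMENTS`, `MAPDL_VERSION`, `PYTEST_INPUT_ARGUMENTS`); if `ON_MINIMAL` is not set at job level outside this chunk, the comparison is silently false and the minimal branch (the `PYMAPDL_MAPDL_EXEC` export) never runs. Please confirm it is defined, or add `ON_MINIMAL: ${{ inputs.testing-minimal }}` next to the other entries. The new variables are deliberately expanded unquoted in `$cmd ${PYTEST_INPUT_ARGUMENTS} ${PYTEST_ARGUMENTS}` (next hunk) so that they word-split into flags; a one-line comment such as `# unquoted on purpose: the inputs are space-separated pytest flags` would keep a future reviewer from "fixing" it.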
@@ -260,8 +267,8 @@ jobs: unset PYMAPDL_START_INSTANCE unset PYMAPDL_PORT - $cmd ${{ inputs.pytest-arguments }} \ - ${{ env.PYTEST_ARGUMENTS }} \ + $cmd ${PYTEST_INPUT_ARGUMENTS} \ + ${PYTEST_ARGUMENTS} \ --report-log=$file_name.jsonl \ --cov-report=xml:$file_name.xml \ --log-file=pytest.log \ diff --git a/.github/workflows/test-remote.yml b/.github/workflows/test-remote.yml index d0afcfda8bf..b0b832717e1 100644 --- a/.github/workflows/test-remote.yml +++ b/.github/workflows/test-remote.yml @@ -49,6 +49,7 @@ on: jobs: test-remote: + name: Test PyMAPDL with remote MAPDL instances runs-on: ubuntu-latest env: ON_CI: True @@ -83,6 +84,8 @@ jobs: - name: "Install Git and checkout project" uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 + with: + persist-credentials: false - name: "Login in Github container registry" uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef #v3.6.0 @@ -94,8 +97,9 @@ jobs: - name: "Getting SMP/DMP mode" id: distributed_mode shell: bash + env: + image: ${{ inputs.mapdl-version }} run: | - image=${{ inputs.mapdl-version }} export distributed_mode="smp" if [[ $image == *".1."* ]]; then export distributed_mode="dmp"; @@ -106,15 +110,17 @@ jobs: - name: "Get if running on Ubuntu" id: ubuntu_check shell: bash + env: + MAPDL_VERSION: ${{ inputs.mapdl-version }} run: | export ON_SAME_CONTAINER=false - if [[ "${{ inputs.mapdl-version }}" == *"ubuntu"* ]]; + if [[ "${MAPDL_VERSION}" == *"ubuntu"* ]]; then export ON_UBUNTU=true; export TAG_UBUNTU="ubuntu"; else export ON_UBUNTU=false; export TAG_UBUNTU="centos"; fi - if [[ "${{ inputs.mapdl-version }}" == *"cicd"* ]]; then + if [[ "${MAPDL_VERSION}" == *"cicd"* ]]; then echo "CICD MAPDL version detected, testing DPF backend for results module."; echo "TEST_DPF_BACKEND=true" >> $GITHUB_ENV; 
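Review bot: The `distributed_mode` step names its new env entry `image`, while the sibling `ubuntu_check` and `student_check` steps in the following hunks expose the same `inputs.mapdl-version` as `MAPDL_VERSION`; lower-case env names also risk colliding with shell locals. For consistency use `MAPDL_VERSION: ${{ inputs.mapdl-version }}` and `if [[ "${MAPDL_VERSION}" == *".1."* ]]; then`.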
@@ -133,8 +139,10 @@ jobs: - name: "Get if running student version" id: student_check shell: bash + env: + MAPDL_VERSION: ${{ inputs.mapdl-version }} run: | - if [[ "${{ inputs.mapdl-version }}" == *"student"* ]]; + if [[ "${MAPDL_VERSION}" == *"student"* ]]; then export ON_STUDENT=true; export TAG_STUDENT="student"; else export ON_STUDENT=false; export TAG_STUDENT="non-student"; fi @@ -160,10 +168,10 @@ jobs: echo "Launching a second instance for MAPDL pool testing..." export RUN_DPF_SERVER=false - export PYMAPDL_PORT=${{ env.PYMAPDL_PORT2 }} - export PYMAPDL_DB_PORT=${{ env.PYMAPDL_DB_PORT2 }} + export PYMAPDL_PORT=${PYMAPDL_PORT2} + export PYMAPDL_DB_PORT=${PYMAPDL_DB_PORT2} export INSTANCE_NAME=MAPDL_1 - export DPF_PORT=${{ env.DPF_PORT2 }} + export DPF_PORT=${DPF_PORT2} .ci/start_mapdl.sh &> mapdl_launch_1.log & export DOCKER_PID_1=$! echo "Launching MAPDL service 0 at PID: $DOCKER_PID_0" @@ -177,7 +185,7 @@ jobs: env: ANSYS_DPF_ACCEPT_LA: Y run: | - docker pull $DPF_DOCKER_IMAGE && docker run -d --name dpfserver --env ANSYS_DPF_ACCEPT_LA=Y -p ${{ env.DPF_PORT }}:50052 $DPF_DOCKER_IMAGE && echo "DPF Server active on port ${{ env.DPF_PORT }}." > log_dpf.log & + docker pull $DPF_DOCKER_IMAGE && docker run -d --name dpfserver --env ANSYS_DPF_ACCEPT_LA=Y -p ${DPF_PORT}:50052 $DPF_DOCKER_IMAGE && echo "DPF Server active on port ${DPF_PORT}." > log_dpf.log & - name: "Getting files change filters" uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 #v3.0.2 @@ -245,12 +253,13 @@ jobs: ON_STUDENT: ${{ steps.student_check.outputs.ON_STUDENT }} file_name: "${{ inputs.file-name }}" MAPDL_VERSION: "${{ inputs.mapdl-version }}" + PYTEST_ARGUMENTS: "${{ env.PYTEST_ARGUMENTS }}" shell: bash run: | echo "ON_UBUNTU: $ON_UBUNTU" echo "ON_STUDENT: $ON_STUDENT" xvfb-run pytest \ - ${{ env.PYTEST_ARGUMENTS }} \ + ${PYTEST_ARGUMENTS} \ --ignore_image_cache \ --report-log=$file_name.jsonl \ --cov-report=xml:$file_name.xml \ 
From 4cda1ad54f9ec5f65ccab702476f0b8409dbba6f Mon Sep 17 00:00:00 2001 From: German <28149841+germa89@users.noreply.github.com> Date: Mon, 20 Oct 2025 12:49:36 +0200 Subject: [PATCH 5/7] ci: standardize workflow permissions and add job-level scopes Unify workflows to use top-level `permissions: {}` and grant minimal, explicit job-level permissions where needed across GitHub Actions (ci, doc-build, test-local, test-remote, approver, cache_cleaner, codeql-analysis, docker_clean_untagged, label, linkchecker, migrator, pr-docs-cleaner). Also include small behavioural fixes: - Pass BUILDER via env in doc-build and use it when invoking Make. - Introduce PYTHON_ACTIVATE env usage in CI steps that activate venvs. - Use LATEST_VERSION env in test-local and annotate container image as unpinned. - Minor reorganization of permissions/read/write scopes per job. --- .github/workflows/approver.yml | 2 + .github/workflows/cache_cleaner.yml | 4 ++ .github/workflows/ci.yml | 61 ++++++++++++++++++--- .github/workflows/codeql-analysis.yml | 2 + .github/workflows/doc-build.yml | 9 ++- .github/workflows/docker_clean_untagged.yml | 7 ++- .github/workflows/label.yml | 4 ++ .github/workflows/linkchecker.yml | 7 +++ .github/workflows/migrator.yml | 8 +-- .github/workflows/pr-docs-cleaner.yml | 4 ++ .github/workflows/test-local.yml | 10 +++- .github/workflows/test-remote.yml | 4 ++ 12 files changed, 103 insertions(+), 19 deletions(-) diff --git a/.github/workflows/approver.yml b/.github/workflows/approver.yml index 1a2f960491c..2bc04ba2d22 100644 --- a/.github/workflows/approver.yml +++ b/.github/workflows/approver.yml @@ -22,6 +22,8 @@ on: issue_comment: types: [created, edited] +permissions: {} + jobs: autoapprove: # This job only runs for pull request comments diff --git a/.github/workflows/cache_cleaner.yml b/.github/workflows/cache_cleaner.yml index 74d74f2db04..633eaa728e2 100644 --- a/.github/workflows/cache_cleaner.yml +++ b/.github/workflows/cache_cleaner.yml 
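Review bot: approver.yml receives the workflow-level `permissions: {}` but, per the diffstat (2 insertions), no job-level grant for `autoapprove`; if that job approves or comments through `secrets.GITHUB_TOKEN`, it now runs with an unscoped token and will fail with a 403 on the first comment-triggered run, whereas a PAT-based approval is unaffected. The job body is outside this chunk, so please verify which token it uses and, if it is `GITHUB_TOKEN`, add `permissions:` with `pull-requests: write` under `autoapprove:` as the other workflows in this commit do.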
@@ -5,10 +5,14 @@ on: types: - closed +permissions: {} + jobs: cleanup: name: Cleanup caches runs-on: ubuntu-latest + permissions: + actions: write steps: - name: Check out code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 01aca34ae88..257e38ad502 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -37,17 +37,15 @@ defaults: run: shell: bash -permissions: - contents: write - packages: read - pull-requests: write - issues: write +permissions: {} jobs: add_labels: name: Adding assignee if there is none. runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - uses: actions-ecosystem/action-add-assignees@ce5019e63cc4f35aba27308dc88d19c8f3686747 #v1.0.0 if: | @@ -80,6 +78,8 @@ jobs: if: github.event_name == 'pull_request' name: Check the name of the pull-request runs-on: ubuntu-latest + permissions: + pull-requests: read steps: - name: Check pull-request name uses: ansys/actions/check-pr-title@c2fa7c93f6883114e0e643599431b33d29f0b13f #v10.1.4 @@ -90,6 +90,8 @@ jobs: doc-style: name: "Documentation style ${{ matrix.folder }}" runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: folder: ["doc", "examples"] @@ -108,6 +110,7 @@ jobs: runs-on: ${{ matrix.os }} if: github.ref != 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' timeout-minutes: 20 + permissions: {} strategy: fail-fast: false matrix: 
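Review bot: `smoke-tests` is the only job in ci.yml that gets the empty `permissions: {}` mapping, while every other job that touches the repository is given at least `contents: read`. If the `build-wheelhouse` step (only its `check-licenses: true` context is visible here) checks out the repository with `GITHUB_TOKEN`, a fork or private-repository run would fail at checkout; aligning it with the sibling jobs (`permissions:` / `contents: read`) is low risk. If the empty mapping is intentional, a short comment stating why would stop the next permission audit from re-adding the scope.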
@@ -130,19 +133,25 @@ jobs: check-licenses: true - name: "Importing library" + env: + PYTHON_ACTIVATE: ${{ steps.build-wheelhouse.outputs.python-path }} run: | - ${{ steps.build-wheelhouse.outputs.activate-venv }} + ${PYTHON_ACTIVATE} python -c "from ansys.mapdl import core as pymapdl; print(pymapdl.Report())" - name: "Checking plotting support" + env: + PYTHON_ACTIVATE: ${{ steps.build-wheelhouse.outputs.python-path }} run: | - ${{ steps.build-wheelhouse.outputs.activate-venv }} + ${PYTHON_ACTIVATE} python -c "from pyvista.plotting import system_supports_plotting; print('System support plotting ' + str(system_supports_plotting()))" check-vulnerabilities: name: "Check library vulnerabilities" runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: ansys/actions/check-vulnerabilities@c2fa7c93f6883114e0e643599431b33d29f0b13f #v10.1.4 with: @@ -151,11 +160,13 @@ jobs: python-package-name: ${{ env.PACKAGE_NAME }} dev-mode: ${{ github.ref != 'refs/heads/main' }} - docs-build: name: "Build documentation" needs: doc-style uses: ./.github/workflows/doc-build.yml + permissions: + contents: read + packages: read secrets: license-server: ${{ secrets.LICENSE_SERVER }} username: ${{ github.actor }} @@ -167,6 +178,9 @@ jobs: runs-on: ubuntu-latest needs: docs-build if: contains(github.event.pull_request.labels.*.name, 'deploy pr docs') + permissions: + contents: write + pull-requests: write steps: - uses: ansys/actions/doc-deploy-pr@c2fa7c93f6883114e0e643599431b33d29f0b13f #v10.1.4 with: @@ -180,6 +194,8 @@ jobs: build-test-remote-matrix: name: "Build remote test matrix" runs-on: ubuntu-latest + permissions: + contents: read if: github.ref != 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} 
@@ -205,6 +221,9 @@ jobs: strategy: fail-fast: false matrix: ${{ fromJson(needs.build-test-remote-matrix.outputs.matrix) }} + permissions: + contents: read + packages: read uses: ./.github/workflows/test-remote.yml secrets: license-server: ${{ secrets.LICENSE_SERVER }} @@ -219,6 +238,8 @@ jobs: build-test-local-matrix: name: "Build test matrix for minimal and local" runs-on: ubuntu-latest + permissions: + contents: read if: github.ref != 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} @@ -242,6 +263,9 @@ jobs: if: github.ref != 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' needs: [smoke-tests, build-test-local-matrix] uses: ./.github/workflows/test-local.yml + permissions: + contents: read + packages: read strategy: fail-fast: false matrix: ${{ fromJson(needs.build-test-local-matrix.outputs.matrix) }} @@ -265,6 +289,9 @@ jobs: if: github.ref != 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' needs: [build-test-ubuntu-local, build-test-remote] uses: ./.github/workflows/test-local.yml + permissions: + contents: read + packages: read strategy: fail-fast: false matrix: @@ -288,6 +315,9 @@ jobs: name: "Local-min-console: ${{ matrix.mapdl-version }}" if: github.ref != 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' needs: [build-test-ubuntu-local, build-test-remote] + permissions: + contents: read + packages: read uses: ./.github/workflows/test-local.yml strategy: fail-fast: false @@ -313,6 +343,8 @@ jobs: name: "Package library" needs: [build-test-remote, build-test-ubuntu-local, build-test-ubuntu-minimal, docs-build] runs-on: ubuntu-latest + permissions: + contents: read steps: - name: "Build library source and wheel artifacts" uses: ansys/actions/build-library@c2fa7c93f6883114e0e643599431b33d29f0b13f #v10.1.4 
@@ -361,6 +393,8 @@ jobs: name: "Upload release documentation" if: github.event_name == 'push' && contains(github.ref, 'refs/tags') runs-on: ubuntu-latest + permissions: + contents: write needs: [release] steps: - name: "Deploy the stable documentation" @@ -377,6 +411,8 @@ jobs: name: "Upload dev documentation" if: github.ref == 'refs/heads/main' && !contains(github.ref, 'refs/tags') runs-on: ubuntu-latest + permissions: + contents: write needs: [docs-build] steps: - name: "Deploy the latest documentation" @@ -393,6 +429,8 @@ jobs: needs: [smoke-tests, docs-build, build-test-remote, build-test-ubuntu-local, build-test-ubuntu-minimal] if: failure() && github.event_name == 'schedule' runs-on: ubuntu-latest + permissions: + issues: write steps: - name: "Open issue" uses: jayqi/failed-build-issue-action@1a893bbf43ef1c2a8705e2b115cd4f0fe3c5649b #v1.2.0 @@ -405,6 +443,8 @@ jobs: test_julia: name: "Julia ${{ matrix.julia-version }} | ${{ matrix.os }}" runs-on: ${{ matrix.os }} + permissions: + contents: read if: github.ref != 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' strategy: fail-fast: false @@ -429,7 +469,10 @@ jobs: build-test-remote, build-test-ubuntu-local, build-test-ubuntu-minimal, build-test-ubuntu-console ] if: always() - runs-on: ubuntu-latest + runs-on: ubuntu-latest + permissions: + contents: read + actions: write steps: - name: "Install Git and checkout project" uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2dad7d3eddb..865e4ef3ebb 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -19,6 +19,8 @@ on: schedule: - cron: '32 3 * * 2' +permissions: {} + jobs: analyze: name: Analyze (${{ matrix.language }}) diff --git a/.github/workflows/doc-build.yml b/.github/workflows/doc-build.yml index 21152246419..8a264408c6c 100644 
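Review bot: The `pytest-summary` job (the `if: always()` job at the end of ci.yml) is granted `actions: write` alongside `contents: read`; downloading workflow artifacts only needs `actions: read`, and `write` additionally allows cancelling runs and deleting artifacts or caches. If the summary action only reads the per-job artifacts, reduce it to `actions: read`; if it deletes artifacts after merging them, keep `write` and add a comment naming that reason so the scope survives future audits. The composite action's body is outside this chunk, so this is a question rather than a finding.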
--- a/.github/workflows/doc-build.yml +++ b/.github/workflows/doc-build.yml @@ -63,10 +63,15 @@ on: Password for the GitHub container registry. required: true +permissions: {} + jobs: doc-build: name: Build documentation runs-on: ubuntu-latest + permissions: + contents: read + packages: read env: ON_CI: True ON_DOCUMENTATION: TRUE @@ -230,9 +235,11 @@ jobs: - name: "Build documentation" shell: bash + env: + BUILDER: ${{ inputs.builder }} run: | export PYTHONFAULTHANDLER=1 - xvfb-run make -C doc ${{ inputs.builder }} SPHINXOPTS="-j auto" | tee doc_build.log + xvfb-run make -C doc ${BUILDER} SPHINXOPTS="-j auto" | tee doc_build.log - name: "Substitute defective GIF" shell: bash diff --git a/.github/workflows/docker_clean_untagged.yml b/.github/workflows/docker_clean_untagged.yml index dfd01cdfff7..d5d06c8c837 100644 --- a/.github/workflows/docker_clean_untagged.yml +++ b/.github/workflows/docker_clean_untagged.yml @@ -8,14 +8,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: write - packages: write +permissions: {} jobs: cleanup: name: Cleaning unnecessary packages runs-on: ubuntu-latest + permissions: + contents: read + packages: write env: PACKAGE_DELETION_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 488b9d887b1..ad1d39b02be 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -14,12 +14,16 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: label-syncer: # Sync the labels name, colours with the file ``labels.yml`` name: Syncer runs-on: ubuntu-latest + permissions: + issues: write steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 with: diff --git a/.github/workflows/linkchecker.yml b/.github/workflows/linkchecker.yml index 0cc45055362..019d31bfbff 100644 --- a/.github/workflows/linkchecker.yml 
+++ b/.github/workflows/linkchecker.yml @@ -9,10 +9,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: linkcheck: name: "Check Links" uses: ./.github/workflows/doc-build.yml + permissions: + contents: read + packages: read with: builder: linkcheck build_pdf: false @@ -30,6 +35,8 @@ jobs: needs: [linkcheck] if: failure() && github.event_name == 'schedule' runs-on: ubuntu-latest + permissions: + issues: write steps: - name: "Open issue" uses: jayqi/failed-build-issue-action@1a893bbf43ef1c2a8705e2b115cd4f0fe3c5649b #v1.2.0 diff --git a/.github/workflows/migrator.yml b/.github/workflows/migrator.yml index 46822dfdd5b..bc2c0308637 100644 --- a/.github/workflows/migrator.yml +++ b/.github/workflows/migrator.yml @@ -52,10 +52,7 @@ on: required: true type: string - -permissions: - contents: write - pull-requests: read +permissions: {} jobs: migrate: @@ -66,6 +63,9 @@ jobs: (contains(github.event.comment.body, '@pyansys-ci-bot migrate') || contains(github.event.comment.body, '@pyansys-ci-bot sync') ) ) || ( github.event_name == 'workflow_dispatch' ) runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Setup the configuration diff --git a/.github/workflows/pr-docs-cleaner.yml b/.github/workflows/pr-docs-cleaner.yml index d11f661feaf..0281d0c297f 100644 --- a/.github/workflows/pr-docs-cleaner.yml +++ b/.github/workflows/pr-docs-cleaner.yml @@ -15,10 +15,14 @@ on: env: DOCUMENTATION_CNAME: 'mapdl.docs.pyansys.com' +permissions: {} + jobs: clean-docs-pr: name: "Deploy PR documentation" runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: ansys/actions/doc-deploy-pr@c2fa7c93f6883114e0e643599431b33d29f0b13f # v10.1.4 with: diff --git a/.github/workflows/test-local.yml b/.github/workflows/test-local.yml index 3eca6021072..797beee677d 100644 --- a/.github/workflows/test-local.yml +++ b/.github/workflows/test-local.yml 
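Review bot: The `migrate` job is given `pull-requests: write`, which widens the previous workflow-level `pull-requests: read`, and `contents: write` for `GITHUB_TOKEN`, although the step visible in the earlier migrator.yml hunk does its git operations with `PYANSYS_CI_BOT_TOKEN` and the checkout uses `persist-credentials: false`. If every push and PR mutation in the job goes through the bot PAT, the default token needs no more than `contents: read` (and `pull-requests: read` if it only reads the PR); if some step comments or pushes with `GITHUB_TOKEN`, a comment next to the grant naming that step would justify the write scopes. The job steps are outside this chunk.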
@@ -108,10 +108,15 @@ on: GitHub username for login into ghcr.io. required: true +permissions: {} + jobs: test-local: name: Test MAPDL locally runs-on: ${{ inputs.runner }} + permissions: + contents: read + packages: read env: ON_CI: True ON_LOCAL: true @@ -127,7 +132,7 @@ jobs: DATAPROCESSING_DEBUG: /home/mapdl/dpf_logs container: - image: "${{ inputs.package-registry }}:${{ inputs.mapdl-version }}" + image: "${{ inputs.package-registry }}:${{ inputs.mapdl-version }}" # zizmor: ignore[unpinned-images] options: -u=0:0 --oom-kill-disable --memory=6656MB --memory-swap=16896MB --shm-size=1gb --entrypoint /bin/bash credentials: username: ${{ secrets.username }} @@ -239,6 +244,7 @@ jobs: PYTEST_ARGUMENTS: "${{ env.PYTEST_ARGUMENTS }}" MAPDL_VERSION: ${{ inputs.mapdl-version }} PYTEST_INPUT_ARGUMENTS: "${{ inputs.pytest-arguments }}" + LATEST_VERSION: "${{ inputs.latest-version }}" shell: bash run: | echo "ON_UBUNTU: $ON_UBUNTU" @@ -248,7 +254,7 @@ jobs: # executable path with the env var: PYMAPDL_MAPDL_EXEC. if [[ "${MAPDL_VERSION}" == *"latest-ubuntu"* ]] ; then - version=${{ inputs.latest-version }} + version=${LATEST_VERSION} else version=$(echo "${MAPDL_VERSION}" | head -c 5 | tail -c 4 | tr -d '.') fi; diff --git a/.github/workflows/test-remote.yml b/.github/workflows/test-remote.yml index b0b832717e1..fc67e101eca 100644 --- a/.github/workflows/test-remote.yml +++ b/.github/workflows/test-remote.yml @@ -46,11 +46,15 @@ on: Token for Codecov. required: true +permissions: {} jobs: test-remote: name: Test PyMAPDL with remote MAPDL instances runs-on: ubuntu-latest + permissions: + contents: read + packages: read env: ON_CI: True ON_LOCAL: FALSE From a667de9cae183c3b87177451bb86d7e2a7ef4671 Mon Sep 17 00:00:00 2001 
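Review bot: In test-remote.yml the new `permissions: {}` line is followed directly by `jobs:` with no blank line, while every other workflow in this commit adds one (`+permissions: {}` / `+` / `jobs:`); add the blank line for consistency with the rest of the series.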
From: German <28149841+germa89@users.noreply.github.com> Date: Mon, 20 Oct 2025 13:09:50 +0200 Subject: [PATCH 6/7] ci: use build-wheelhouse 'activate-venv' output for PYTHON_ACTIVATE --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4703bb23d39..8d520ad056f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -131,14 +131,14 @@ jobs: - name: "Importing library" env: - PYTHON_ACTIVATE: ${{ steps.build-wheelhouse.outputs.python-path }} + PYTHON_ACTIVATE: ${{ steps.build-wheelhouse.outputs.activate-venv }} run: | ${PYTHON_ACTIVATE} python -c "from ansys.mapdl import core as pymapdl; print(pymapdl.Report())" - name: "Checking plotting support" env: - PYTHON_ACTIVATE: ${{ steps.build-wheelhouse.outputs.python-path }} + PYTHON_ACTIVATE: ${{ steps.build-wheelhouse.outputs.activate-venv }} run: | ${PYTHON_ACTIVATE} python -c "from pyvista.plotting import system_supports_plotting; print('System support plotting ' + str(system_supports_plotting()))" From eacca68d0358b314c60ad94e4be52dba64dcb852 Mon Sep 17 00:00:00 2001 From: German <28149841+germa89@users.noreply.github.com> Date: Mon, 20 Oct 2025 14:58:35 +0200 Subject: [PATCH 7/7] chore: retriggering CICD
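Review bot: `${PYTHON_ACTIVATE}` on the `run:` line is still evaluated as a shell command rather than as data, so routing the `activate-venv` output through `env:` changes where the string comes from but not that its content is executed; this is acceptable only because `build-wheelhouse` is pinned to a SHA, and that assumption deserves a comment above each of the two steps, e.g. `# activate-venv is a command string (e.g. "source …/activate") from the SHA-pinned build-wheelhouse action`. It would also be worth asserting the variable is non-empty before use, `: "${PYTHON_ACTIVATE:?activate-venv output is empty}"`, since an empty expansion is a no-op and the following `python -c` would then run against whichever interpreter is on PATH, so the "Importing library" check could pass against the wrong environment.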