Resolve ci issues identified by ansys-automation. (#92)

Author: phx-mpascale

.github/dependabot.yml

@@ -7,8 +7,30 @@ updates:
     labels:
       - "maintenance"
       - "dependencies"
+    commit-message:
+      prefix: "build"
+    cooldown:
+      default-days: 10
+      include:
+        - "*"  # Include all dependencies in cooldown
+      exclude:
+        - "ansys/actions"
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "maintenance"
+    commit-message:
+      prefix: "ci"
+    cooldown:
+      default-days: 10
+      include:
+        - "*"  # Include all dependencies in cooldown
+      exclude:
+        - "ansys/actions"
+    groups:
+       actions:
+          patterns:
+            - "*"

.github/workflows/cicd.yml

@@ -10,19 +10,48 @@ on:
     branches:
       - main
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   DOCUMENTATION_CNAME: 'engineeringworkflow.docs.pyansys.com'
   MAIN_PYTHON_VERSION: '3.13'
   PACKAGE_NAME: 'ansys-engineeringworkflow-api'
   PACKAGE_NAMESPACE: 'ansys.engineeringworkflow.api'
 
+permissions: {} # Zero permissions can be granted at the workflow level if not all jobs require permissions.
+                # As a good rule of thumb, this normally includes jobs that don't use secrets.
+
 jobs:
+  check-vulnerabilities:
+    name: "Check library vulnerabilities"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ansys/actions/check-vulnerabilities@eb7d0fc873deeee6d4740774675ce1741cb6f154 # v10.2.2
+        with:
+          python-version: ${{ env.MAIN_PYTHON_VERSION }}
+          token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
+          python-package-name: ${{ env.PACKAGE_NAME }}
+          dev-mode: ${{ github.ref != 'refs/heads/main' }}
+
+  actions-security:
+    name: "Check actions security"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ansys/actions/check-actions-security@eb7d0fc873deeee6d4740774675ce1741cb6f154 # v10.2.2
+        with:
+          generate-summary: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+          auditing-level: 'high'
+          trust-ansys-actions: false
+
   code-style:
     name: "Code style"
     runs-on: ubuntu-latest
     steps:
       - name: PyAnsys code style checks
-        uses: ansys/actions/code-style@v8
+        uses: ansys/actions/code-style@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30
         with:
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
 
@@ -31,7 +60,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: PyAnsys documentation style checks
-        uses: ansys/actions/doc-style@v8
+        uses: ansys/actions/doc-style@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -52,7 +81,7 @@ jobs:
 
     steps:
       - name: Build wheelhouse and perform smoke test
-        uses: ansys/actions/build-wheelhouse@v8
+        uses: ansys/actions/build-wheelhouse@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30
         with:
           library-name: ${{ env.PACKAGE_NAME }}
           operating-system: ${{ matrix.os }}
@@ -64,18 +93,18 @@ jobs:
     needs: [smoke-tests]
     steps:
       - name: Run pytest
-        uses: ansys/actions/tests-pytest@v8
+        uses: ansys/actions/tests-pytest@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30
         with:
           python-version: ${{ matrix.python-version }}
           pytest-extra-args: -v --durations=10 --maxfail=10 --cov=${{ env.PACKAGE_NAMESPACE }} --cov-report=xml:coverage.xml --cov-report=html --cov-report term
 
       - name: "Upload coverage to Codecov"
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
         with:
           files: coverage.xml
 
       - name: "Upload coverage artifacts"
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: coverage-html
           path: htmlcov
@@ -96,7 +125,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Build library source and wheel artifacts
-        uses: ansys/actions/build-library@v8
+        uses: ansys/actions/build-library@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30
         with:
           library-name: ${{ env.PACKAGE_NAME }}
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
@@ -109,39 +138,53 @@ jobs:
     needs: [package]
     steps:
       - name: "Deploy the latest documentation"
-        uses: ansys/actions/doc-deploy-dev@v8
+        uses: ansys/actions/doc-deploy-dev@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30
         with:
           cname: ${{ env.DOCUMENTATION_CNAME }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
   release:
     name: "Release project to public PyPI and GitHub"
-    if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
-    needs:  [package]
+    if: ${{ github.event_name == 'push' && contains(github.ref, 'refs/tags') }}
+    needs: [package]
     runs-on: ubuntu-latest
+    # INFO: Specifying a GitHub environment is optional but encouraged
+    environment: release
+    # INFO: Trusted publishers require these permissions
+    permissions:
+      id-token: write # required by trusted publishers
+      contents: write # required by trusted publishers
     steps:
+      - name: Download the library artifacts from build-library step
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: ${{ env.PACKAGE_NAME }}-artifacts
+          path: ${{ env.PACKAGE_NAME }}-artifacts
 
-    - name: "Release to the public PyPI repository"
-      uses: ansys/actions/release-pypi-public@v8
-      with:
-        library-name: ${{ env.PACKAGE_NAME }}
-        twine-username: "__token__"
-        twine-token: ${{ secrets.PYPI_TOKEN }}
+      - name: Release to PyPI using trusted publisher
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+        with:
+          repository-url: "https://upload.pypi.org/legacy/"
+          print-hash: true
+          packages-dir: ${{ env.PACKAGE_NAME }}-artifacts
+          skip-existing: false
 
-    - name: "Release to GitHub"
-      uses: ansys/actions/release-github@v8
-      with:
-        library-name: ${{ env.PACKAGE_NAME }}
+      - name: "Release to GitHub"
+        uses: ansys/actions/release-github@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30
+        with:
+          library-name: ${{ env.PACKAGE_NAME }}
 
   doc-deploy-stable:
     name: "Deploy stable documentation"
     # Deploy release documentation when creating a new tag
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
     needs: [release]
+    permissions:
+      contents: write # Write permissions to deploy the documentation
     steps:
       - name: "Deploy the stable documentation"
-        uses: ansys/actions/doc-deploy-stable@v8
+        uses: ansys/actions/doc-deploy-stable@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30
         with:
             cname: ${{ env.DOCUMENTATION_CNAME }}
             token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -72,3 +72,8 @@ test-output.xml
 .\#*
 /.ipynb_checkpoints
 
+# Files part of the ansys/check_vulnerabilities script
+check_vulnerabilities.py
+info_bandit.json
+info_safety.json
+requirements.txt

pyproject.toml

@@ -23,15 +23,14 @@ classifiers = [
 ]
 
 dependencies = [
-    "anyio>=3.6",
+    "anyio>=4.4",
     "numpy>=2.1.0",
     "pyansys-tools-variableinterop>=0.1.0",
 ]
 
 [project.optional-dependencies]
 doc = [
     "ansys-sphinx-theme[autoapi]==1.6.3",
-    "anyio==4.3.0",
     "numpydoc==1.10.0",
     "pyansys-tools-variableinterop==0.1.1",
     "Sphinx==8.2.3",
@@ -42,7 +41,6 @@ doc = [
 ]
 
 tests = [
-    "anyio==4.3.0",
     "pytest==8.1.1",
     "pytest-cov==7.0.0",
     "pyansys-tools-variableinterop==0.1.1",