diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e9b9ffc..c0099ce 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,8 +7,30 @@ updates: labels: - "maintenance" - "dependencies" + commit-message: + prefix: "build" + cooldown: + default-days: 10 + include: + - "*" # Include all dependencies in cooldown + exclude: + - "ansys/actions" - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" + labels: + - "maintenance" + commit-message: + prefix: "ci" + cooldown: + default-days: 10 + include: + - "*" # Include all dependencies in cooldown + exclude: + - "ansys/actions" + groups: + actions: + patterns: + - "*" \ No newline at end of file diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index dbaeb8e..c935480 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml 
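Review bot: The `exclude: - "ansys/actions"` added to the first update entry looks like dead configuration: that entry's `package-ecosystem` line is above the hunk, but its `build` commit prefix and `dependencies` label suggest a package ecosystem (presumably `pip`), where no dependency is named `ansys/actions`, so the exclusion matches nothing — either drop it there or keep the exclusion only on the `github-actions` entry where it is meaningful. The 10-day cooldown with `include: - "*"` delays every version update; as far as GitHub's documentation goes, cooldown does not apply to Dependabot security updates, which is the behaviour wanted here, but confirm that before relying on it for advisory-driven bumps. The new `groups` block folds every action bump into a single PR, so each SHA pin in a grouped PR should still be checked individually against its `# vX.Y.Z` comment rather than approved as a unit.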
@@ -10,19 +10,48 @@ on: branches: - main +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + env: DOCUMENTATION_CNAME: 'engineeringworkflow.docs.pyansys.com' MAIN_PYTHON_VERSION: '3.13' PACKAGE_NAME: 'ansys-engineeringworkflow-api' PACKAGE_NAMESPACE: 'ansys.engineeringworkflow.api' +permissions: {} # Zero permissions can be granted at the workflow level if not all jobs require permissions. + # As a good rule of thumb, this normally includes jobs that don't use secrets. + jobs: + check-vulnerabilities: + name: "Check library vulnerabilities" + runs-on: ubuntu-latest + steps: + - uses: ansys/actions/check-vulnerabilities@eb7d0fc873deeee6d4740774675ce1741cb6f154 # v10.2.2 + with: + python-version: ${{ env.MAIN_PYTHON_VERSION }} + token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} + python-package-name: ${{ env.PACKAGE_NAME }} + dev-mode: ${{ github.ref != 'refs/heads/main' }} + + actions-security: + name: "Check actions security" + runs-on: ubuntu-latest + steps: + - uses: ansys/actions/check-actions-security@eb7d0fc873deeee6d4740774675ce1741cb6f154 # v10.2.2 + with: + generate-summary: true + token: ${{ secrets.GITHUB_TOKEN }} + auditing-level: 'high' + trust-ansys-actions: false + code-style: name: "Code style" runs-on: ubuntu-latest steps: - name: PyAnsys code style checks - uses: ansys/actions/code-style@v8 + uses: ansys/actions/code-style@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30 with: python-version: ${{ env.MAIN_PYTHON_VERSION }} @@ -31,7 +60,7 @@ jobs: runs-on: ubuntu-latest steps: - name: PyAnsys documentation style checks - uses: ansys/actions/doc-style@v8 + uses: ansys/actions/doc-style@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30 with: token: ${{ secrets.GITHUB_TOKEN }} 
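Review bot: The new `concurrency` block cancels in-progress runs for every ref, including pushes to `main` and tag pushes, so a second push that lands while a `doc-deploy-dev` (or any other deploy) run is mid-way aborts it halfway through; `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` keeps the de-duplication for PRs without cancelling deploys. The `on:` block this applies to begins above the hunk, so whether fork PRs reach this workflow is not visible here. Separately, `check-vulnerabilities` is the only job that reads the long-lived `PYANSYS_CI_BOT_TOKEN`, and it does so in a job whose `GITHUB_TOKEN` has the empty workflow-level grant; since the action presumably installs the checked-out package (any build hooks in a PR's `pyproject.toml` run with that secret in the environment), add a comment stating why a PAT is required there and keep its scopes minimal, e.g. `token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} # read-only PAT, needed only for <reason>`.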
@@ -52,7 +81,7 @@ jobs: steps: - name: Build wheelhouse and perform smoke test - uses: ansys/actions/build-wheelhouse@v8 + uses: ansys/actions/build-wheelhouse@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30 with: library-name: ${{ env.PACKAGE_NAME }} operating-system: ${{ matrix.os }} @@ -64,18 +93,18 @@ jobs: needs: [smoke-tests] steps: - name: Run pytest - uses: ansys/actions/tests-pytest@v8 + uses: ansys/actions/tests-pytest@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30 with: python-version: ${{ matrix.python-version }} pytest-extra-args: -v --durations=10 --maxfail=10 --cov=${{ env.PACKAGE_NAMESPACE }} --cov-report=xml:coverage.xml --cov-report=html --cov-report term - name: "Upload coverage to Codecov" - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 with: files: coverage.xml - name: "Upload coverage artifacts" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: coverage-html path: htmlcov @@ -96,7 +125,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Build library source and wheel artifacts - uses: ansys/actions/build-library@v8 + uses: ansys/actions/build-library@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30 with: library-name: ${{ env.PACKAGE_NAME }} python-version: ${{ env.MAIN_PYTHON_VERSION }} 
@@ -109,29 +138,41 @@ jobs: needs: [package] steps: - name: "Deploy the latest documentation" - uses: ansys/actions/doc-deploy-dev@v8 + uses: ansys/actions/doc-deploy-dev@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30 with: cname: ${{ env.DOCUMENTATION_CNAME }} token: ${{ secrets.GITHUB_TOKEN }} release: name: "Release project to public PyPI and GitHub" - if: github.event_name == 'push' && contains(github.ref, 'refs/tags') - needs: [package] + if: ${{ github.event_name == 'push' && contains(github.ref, 'refs/tags') }} + needs: [package] runs-on: ubuntu-latest + # INFO: Specifying a GitHub environment is optional but encouraged + environment: release + # INFO: Trusted publishers require these permissions + permissions: + id-token: write # required by trusted publishers + contents: write # required by trusted publishers steps: + - name: Download the library artifacts from build-library step + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + name: ${{ env.PACKAGE_NAME }}-artifacts + path: ${{ env.PACKAGE_NAME }}-artifacts - - name: "Release to the public PyPI repository" - uses: ansys/actions/release-pypi-public@v8 - with: - library-name: ${{ env.PACKAGE_NAME }} - twine-username: "__token__" - twine-token: ${{ secrets.PYPI_TOKEN }} + - name: Release to PyPI using trusted publisher + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 + with: + repository-url: "https://upload.pypi.org/legacy/" + print-hash: true + packages-dir: ${{ env.PACKAGE_NAME }}-artifacts + skip-existing: false - - name: "Release to GitHub" - uses: ansys/actions/release-github@v8 - with: - library-name: ${{ env.PACKAGE_NAME }} + - name: "Release to GitHub" + uses: ansys/actions/release-github@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30 + with: + library-name: ${{ env.PACKAGE_NAME }} doc-deploy-stable: name: "Deploy stable documentation" 
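Review bot: The comment on `contents: write` is inaccurate — PyPI trusted publishing via `pypa/gh-action-pypi-publish` needs only `id-token: write`; the `contents: write` grant is what the `release-github` step needs to create the GitHub release, so change it to `contents: write # required by release-github to create the release` so the broader scope is not kept by habit if that step is ever removed. Because the job runs for any `push` whose ref merely contains `refs/tags`, protecting the `release` environment (required reviewers and deployment tag rules, configured outside this file) is the control that stops anyone with tag-push rights from minting a PyPI OIDC token; `startsWith(github.ref, 'refs/tags/')` is also the more precise condition than `contains`. The `doc-deploy-stable` job this hunk runs into continues below the hunk.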
@@ -139,9 +180,11 @@ jobs: if: github.event_name == 'push' && contains(github.ref, 'refs/tags') runs-on: ubuntu-latest needs: [release] + permissions: + contents: write # Write permissions to deploy the documentation steps: - name: "Deploy the stable documentation" - uses: ansys/actions/doc-deploy-stable@v8 + uses: ansys/actions/doc-deploy-stable@010ddbe522e0a9aed3cbd850b4e226dcfae4ecda # v8.2.30 with: cname: ${{ env.DOCUMENTATION_CNAME }} token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitignore b/.gitignore index ae4f178..7ecaad1 100644 --- a/.gitignore +++ b/.gitignore @@ -72,3 +72,8 @@ test-output.xml .\#* /.ipynb_checkpoints +# Files part of the ansys/check_vulnerabilities script +check_vulnerabilities.py +info_bandit.json +info_safety.json +requirements.txt \ No newline at end of file diff --git a/pyproject.toml b/pyproject.toml index d950315..0d287d6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -23,7 +23,7 @@ classifiers = [ ] dependencies = [ - "anyio>=3.6", + "anyio>=4.4", "numpy>=2.1.0", "pyansys-tools-variableinterop>=0.1.0", ] @@ -31,7 +31,6 @@ dependencies = [ [project.optional-dependencies] doc = [ "ansys-sphinx-theme[autoapi]==1.6.3", - "anyio==4.3.0", "numpydoc==1.10.0", "pyansys-tools-variableinterop==0.1.1", "Sphinx==8.2.3", @@ -42,7 +41,6 @@ doc = [ ] tests = [ - "anyio==4.3.0", "pytest==8.1.1", "pytest-cov==7.0.0", "pyansys-tools-variableinterop==0.1.1",
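Review bot: The four new ignore entries are unanchored, so `requirements.txt` (and the other three names) will be ignored in every directory of the repository, not only where the `ansys/actions/check-vulnerabilities` step drops them; a real `requirements.txt` added later under `doc/` or `tests/` would silently never be committed. Anchor each entry to the repository root with a leading slash, e.g. `/requirements.txt`, on the assumption that the action writes these files into the workspace root (its output location is not visible here — confirm). The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows.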