ci: add actions-security job to audit GitHub Actions usage (#4260)

Author: germa89

.github/actions/build-matrix/action.yml

@@ -43,19 +43,21 @@ runs:
       id: get_user
       env:
         type_event: ${{ inputs.type_event }}
+        login: ${{ github.event.pull_request.user.login }}
+        user: ${{ github.actor }}
       shell: bash
       run: |
         if [[ $type_event ]]; then
           echo "Event type: $type_event"
           echo "event_type=$( echo "$type_event" )" >> $GITHUB_OUTPUT
-          export user=${{ github.event.pull_request.user.login }}
+          export user=${login}
         else
-          export user=${{ github.actor }}
+          export user=${user}
         fi
         echo "This PR has been opened by: $user"
         echo "user=$( echo "$user" )" >> $GITHUB_OUTPUT
 
-    - uses: tspascoal/get-user-teams-membership@v3
+    - uses: tspascoal/get-user-teams-membership@57e9f42acd78f4d0f496b3be4368fc5f62696662 #v3.0.0
       id: is_organization_member
       if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'pre-commit-ci[bot]' }}
       with:

.github/actions/pytest-summary/action.yml

@@ -24,7 +24,7 @@ runs:
   steps:
 
     - name: "Setup Python with cache"
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0
       with:
         cache: 'pip'
         python-version: ${{ inputs.python-version }}
@@ -34,7 +34,7 @@ runs:
       run: python -m pip install numpy click
 
     - name: "Download artifacts"
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 #v5.0.0
       with:
         pattern: "reports-*"
         path: "artifacts"
@@ -84,7 +84,7 @@ runs:
 
     - name: "Upload tests summary"
       if: ${{ env.HAS_FILES == 'true' }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
       with:
         name: tests_durations.json
         path: tests_durations.json

.github/actions/test-julia/action.yml

@@ -14,7 +14,7 @@ runs:
   using: "composite"
   steps:
     - name: "Set up Julia"
-      uses: julia-actions/setup-julia@v2
+      uses: julia-actions/setup-julia@5c9647d97b78a5debe5164e9eec09d653d29bd71 #v2.6.1
       with:
         version: ${{ matrix.julia-version }}
 

.github/actions/test-windows/action.yml

@@ -21,7 +21,7 @@ runs:
 
     # Skipping because it is installed locally.
     # - name: Setup Python
-    #   uses: actions/setup-python@v5
+    #   uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0
     #   with:
     #     python-version: 3.9
 
@@ -50,33 +50,29 @@ runs:
       run: |
         python -m pip install .[tests]
 
-    # - name: DPF Server Activation
-    #   run: |
-    #     docker pull ghcr.io/ansys/dpf-core:22.2dev
-    #     docker run -d --name dpfserver -p ${{ env.DPF_PORT }}:50052 ghcr.io/ansys/dpf-core:22.2dev && echo "DPF Server active on port ${{ env.DPF_PORT }}."
-
     - name: "Unit testing"
       shell: powershell
       env:
         file_name: windows-v22.2.0-local
+        PYTEST_ARGUMENTS: ${{ env.PYTEST_ARGUMENTS }}
       run: |
         set PYMAPDL_PORT=
         set PYMAPDL_START_INSTANCE=
         python -m pytest -k "not test_database and not test_dpf" \
-          ${{ env.PYTEST_ARGUMENTS }} \
+          ${PYTEST_ARGUMENTS} \
           --ignore_image_cache \
           --report-log=$file_name.jsonl \
           --cov-report=xml:$file_name.xml
 
-    - uses: codecov/codecov-action@v5
+    - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 #v5.5.1
       name: "Upload coverage to Codecov"
       with:
         token: ${{ inputs.codecov_token }} # required
         name: windows-v22.2.0-local.xml
         flags: windows,local,v22.2.0
 
     - name: "Upload coverage artifacts"
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
       with:
         name: windows-v22.2.0-local.xml
         path: ./windows_local.xml

.github/workflows/approver.yml

@@ -22,6 +22,8 @@ on:
   issue_comment:                                     
     types: [created, edited]
 
+permissions: {}
+
 jobs:
   autoapprove:
     # This job only runs for pull request comments
@@ -37,28 +39,36 @@ jobs:
 
       - name: "Settings"
         id: settings
+        env:
+          event_name: ${{ github.event_name }}
+          inputs_user: ${{ inputs.user }}
+          inputs_html_url: ${{ inputs.html_url }}
+          inputs_pr: ${{ inputs.pr }}
+          inputs_commentid: ${{ inputs.commentid }}
+          github_login: ${{ github.event.comment.user.login }}
+          github_html_url: ${{ github.event.comment.html_url }}
+          github_number: ${{ github.event.issue.number }}
+          github_id: ${{ github.event.comment.id }}
         run: |
-          export event_name=${{ github.event_name }}
-
           if [[ $event_name == "workflow_dispatch" ]] ; then
             echo "On workflow dispatch"
-            echo "user=${{ inputs.user }}" >> $GITHUB_OUTPUT
-            echo "html_url=${{ inputs.html_url }}" >> $GITHUB_OUTPUT
-            echo "pull_request=${{ inputs.pr }}" >> $GITHUB_OUTPUT
-            echo "commentid=${{ inputs.commentid }}" >> $GITHUB_OUTPUT
+            echo "user=${inputs_user}" >> $GITHUB_OUTPUT
+            echo "html_url=${inputs_html_url}" >> $GITHUB_OUTPUT
+            echo "pull_request=${inputs_pr}" >> $GITHUB_OUTPUT
+            echo "commentid=${inputs_commentid}" >> $GITHUB_OUTPUT
 
           else
             echo "On $event_name"
-            echo "user=${{ github.event.comment.user.login }}" >> $GITHUB_OUTPUT
-            echo "html_url=${{ github.event.comment.html_url }}" >> $GITHUB_OUTPUT
-            echo "pull_request=${{ github.event.issue.number }}" >> $GITHUB_OUTPUT
-            echo "commentid=${{ github.event.comment.id }}" >> $GITHUB_OUTPUT
+            echo "user=${github_login}" >> $GITHUB_OUTPUT
+            echo "html_url=${github_html_url}" >> $GITHUB_OUTPUT
+            echo "pull_request=${github_number}" >> $GITHUB_OUTPUT
+            echo "commentid=${github_id}" >> $GITHUB_OUTPUT
 
           fi;
 
       - name: React to comment
       #https://github.com/ansys/pymapdl/pull/2654#issuecomment-1889009514
-        uses: dkershner6/reaction-action@v2 # You can also use a specific version, e.g. v2.0.0
+        uses: dkershner6/reaction-action@97ede302a1b145b3739dec3ca84a489a34ef48b5 #v2.2.1
         with:
           token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
           commentId: ${{ steps.settings.outputs.commentid }} # Optional if the trigger is a comment. Use another action to find this otherwise.
@@ -71,7 +81,7 @@ jobs:
           export IMG_MSG=$(curl -s 'https://us-central1-lgtm-reloaded.cloudfunctions.net/lgtm' | jq -r '.markdown' | grep -v 'Powered By GIPHY')
           echo "IMG_MSG=$IMG_MSG" >> $GITHUB_OUTPUT
 
-      - uses: hmarr/auto-approve-action@v4
+      - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 #v4.0.0
         with:
           review-message: |
             :white_check_mark: Approving this PR because [${{ steps.settings.outputs.user }}](https://github.com/${{ steps.settings.outputs.user }}) said so in [here](${{ steps.settings.outputs.html_url }}) :grimacing:

.github/workflows/cache_cleaner.yml

@@ -5,20 +5,30 @@ on:
     types:
       - closed
 
+permissions: {}
+
 jobs:
   cleanup:
+    name: Cleanup caches
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Cleanup PR caches
         if: github.event_name != 'workflow_dispatch'
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
         run: |
           gh extension install actions/gh-actions-cache
-          
-          REPO=${{ github.repository }}
-          BRANCH="refs/pull/${{ github.event.pull_request.number }}/merge"
+
+          BRANCH="refs/pull/${PR_NUMBER}/merge"
 
           echo "Fetching list of cache key"
           cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH | cut -f 1 )
@@ -37,16 +47,16 @@ jobs:
             cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH | cut -f 1 )
           done
           echo "Done"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         
       - name: Cleanup by workflow dispatch
         if: github.event_name == 'workflow_dispatch'
+        env:
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            REPO: ${{ github.repository }}
         run: |
             gh extension install actions/gh-actions-cache
-            
-            REPO=${{ github.repository }}
-            echo $REPO
+
+            echo "The repository is: $REPO"
 
             echo "Fetching list of cache key"
             cacheKeysForPR=$(gh actions-cache list -R $REPO | cut -f 1 )
@@ -63,6 +73,4 @@ jobs:
 
               cacheKeysForPR=$(gh actions-cache list -R $REPO | cut -f 1 )
             done
-            echo "Done"
-        env:
-            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            echo "Done"