diff --git a/doc-changelog/action.yml b/doc-changelog/action.yml
index 3e91833d6..6c4df4906 100644
--- a/doc-changelog/action.yml
+++ b/doc-changelog/action.yml
@@ -32,7 +32,7 @@ description: |
 .. important:: **Required GitHub Permissions** - **contents**: ``write`` - Required to commit and push changelog fragments - - **pull-requests**: ``read`` - Required to read pull request labels via GitHub API + - **pull-requests**: ``write`` - Required to add comments on pull requests inputs: # Required inputs
diff --git a/doc/source/build-actions/examples/build-ci-wheels-basic.yml b/doc/source/build-actions/examples/build-ci-wheels-basic.yml
index d6231e8c9..4b7c68100 100644
--- a/doc/source/build-actions/examples/build-ci-wheels-basic.yml
+++ b/doc/source/build-actions/examples/build-ci-wheels-basic.yml
@@ -1,6 +1,8 @@
 build-c-extension:
 name: "Build a C-extension library"
 runs-on: ${{ '{{ matrix.os }}' }}
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
 strategy:
 matrix:
 os: [ubuntu-latest, windows-latest, macos-11]
diff --git a/doc/source/build-actions/examples/build-library-basic.yml b/doc/source/build-actions/examples/build-library-basic.yml
index 514fc7a1e..9dc50bde3 100644
--- a/doc/source/build-actions/examples/build-library-basic.yml
+++ b/doc/source/build-actions/examples/build-library-basic.yml
@@ -1,6 +1,8 @@
 build-library:
 name: "Build library basic example"
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
 steps:
 - name: "Build library source and wheel artifacts"
 uses: ansys/actions/build-library@{{ version }}
diff --git a/doc/source/build-actions/examples/build-wheelhouse-basic.yml b/doc/source/build-actions/examples/build-wheelhouse-basic.yml
index 642a33845..9c2b26ffd 100644
--- a/doc/source/build-actions/examples/build-wheelhouse-basic.yml
+++ b/doc/source/build-actions/examples/build-wheelhouse-basic.yml
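Review bot: The rewritten `pull-requests` line in the action.yml description justifies `write` only with adding comments and drops the label-reading reason the old line gave, although the action presumably still reads pull request labels (the `doc-changelog-basic.yml` hunk in this same commit grants the identical scope). Readers auditing token scope should see every use the scope covers, and `write` subsumes `read`, so both can be stated on one line: `- **pull-requests**: ``write`` - Required to read pull request labels and add comments on pull requests`. The description block continues outside the hunk.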
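Review bot: The comment `# Required to checkout repository code when the repository is not public` on the new `contents: read` line reads as if a public repository could drop the scope, but nothing here establishes that `actions/checkout` works with `contents: none`, and the more important effect of the new block goes unstated: once a job declares `permissions`, every scope not listed is `none`. A comment that stands on its own would serve copy-paste users better, e.g. `contents: read # Needed by actions/checkout; listing permissions here sets every other scope to none`. The same comment is repeated in the `build-library-basic.yml`, `build-wheelhouse-basic.yml`, `doc-build-*.yml`, `check-licenses-basic.yml`, `code-style-basic.yml`, `doc-style-basic.yml`, `docker-style-basic.yml`, `tests-pytest-*.yml`, `check-actions-security.yml` and `check-vulnerabilities.yml` hunks.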
@@ -1,6 +1,8 @@
 build-wheelhouse:
 name: "Build wheelhouse for latest Python versions"
 runs-on: ${{ '{{ matrix.os }}' }}
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
 strategy:
 matrix:
 os: [ubuntu-latest, windows-latest]
diff --git a/doc/source/changelog/1355.documentation.md b/doc/source/changelog/1355.documentation.md
new file mode 100644
index 000000000..49ec63338
--- /dev/null
+++ b/doc/source/changelog/1355.documentation.md
@@ -0,0 +1 @@
+Update examples with permissions
diff --git a/doc/source/doc-actions/examples/doc-build-basic.yml b/doc/source/doc-actions/examples/doc-build-basic.yml
index 09153b56a..fdcc8c12e 100644
--- a/doc/source/doc-actions/examples/doc-build-basic.yml
+++ b/doc/source/doc-actions/examples/doc-build-basic.yml
@@ -2,6 +2,8 @@ doc-build:
 name: "Building library documentation"
 runs-on: ubuntu-latest
 needs: doc-style
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
 steps:
 - name: "Run Ansys documentation building action"
 uses: ansys/actions/doc-build@{{ version }}
diff --git a/doc/source/doc-actions/examples/doc-build-dependencies.yml b/doc/source/doc-actions/examples/doc-build-dependencies.yml
index 36500f6af..ad1bc4e24 100644
--- a/doc/source/doc-actions/examples/doc-build-dependencies.yml
+++ b/doc/source/doc-actions/examples/doc-build-dependencies.yml
@@ -2,6 +2,8 @@ doc-build:
 name: "Installing additional system dependencies for building documentation"
 runs-on: ubuntu-latest
 needs: doc-style
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
 steps:
 - name: "Run Ansys documentation building action"
 uses: ansys/actions/doc-build@{{ version }}
diff --git a/doc/source/doc-actions/examples/doc-build-xvfb.yml b/doc/source/doc-actions/examples/doc-build-xvfb.yml
index a0115bd07..63fd250ae 100644
--- a/doc/source/doc-actions/examples/doc-build-xvfb.yml
+++ b/doc/source/doc-actions/examples/doc-build-xvfb.yml
@@ -2,6 +2,8 @@ doc-build:
 name: "Building library documentation that using XVFB"
 runs-on: ubuntu-latest
 needs: doc-style
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
 steps:
 - name: "Run Ansys documentation building action"
 uses: ansys/actions/doc-build@{{ version }}
diff --git a/doc/source/doc-actions/examples/doc-changelog-basic.yml b/doc/source/doc-actions/examples/doc-changelog-basic.yml
index c33125243..9b7f78a40 100644
--- a/doc/source/doc-actions/examples/doc-changelog-basic.yml
+++ b/doc/source/doc-actions/examples/doc-changelog-basic.yml
@@ -13,8 +13,8 @@ changelog-fragment:
 name: "Create changelog fragment"
 needs: [labeler]
 permissions:
- contents: write
- pull-requests: write
+ contents: write # Required to commit and push changelog fragments
+ pull-requests: write # Required to add comments on pull requests
 runs-on: ubuntu-latest
 steps:
 - uses: ansys/actions/doc-changelog@{{ version }}
diff --git a/doc/source/doc-actions/examples/doc-deploy-changelog.yml b/doc/source/doc-actions/examples/doc-deploy-changelog.yml
index 13bc00ae0..736ab9082 100644
--- a/doc/source/doc-actions/examples/doc-deploy-changelog.yml
+++ b/doc/source/doc-actions/examples/doc-deploy-changelog.yml
@@ -3,8 +3,8 @@ update-changelog:
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
 runs-on: ubuntu-latest
 permissions:
- contents: write
- pull-requests: write
+ contents: write # Required to push commits, delete and create tags
+ pull-requests: write # Required to create pull requests
 steps:
 - uses: ansys/actions/doc-deploy-changelog@{{ version }}
 with:
diff --git a/doc/source/doc-actions/examples/doc-deploy-dev-basic.yml b/doc/source/doc-actions/examples/doc-deploy-dev-basic.yml
index 1e4001e89..2f6edc772 100644
--- a/doc/source/doc-actions/examples/doc-deploy-dev-basic.yml
+++ b/doc/source/doc-actions/examples/doc-deploy-dev-basic.yml
@@ -3,6 +3,9 @@ doc-deploy-dev:
 runs-on: ubuntu-latest
 needs: doc-build
 if: github.event_name == 'push'
+ permissions:
+ contents: write # Required to push documentation to the gh-pages branch
+ pull-requests: write # Required to add comments on pull requests about documentation deployment
 steps:
 - name: "Deploy the latest documentation"
 uses: ansys/actions/doc-deploy-dev@{{ version }}
diff --git a/doc/source/doc-actions/examples/doc-deploy-pr.yml b/doc/source/doc-actions/examples/doc-deploy-pr.yml
index c519834a6..b889f4fef 100644
--- a/doc/source/doc-actions/examples/doc-deploy-pr.yml
+++ b/doc/source/doc-actions/examples/doc-deploy-pr.yml
@@ -21,6 +21,9 @@ doc-deploy-pr:
 runs-on: ubuntu-latest
 needs: doc-build
 if: contains(github.event.pull_request.labels.*.name, 'deploy-pr-doc')
+ permissions:
+ contents: write # Required to push documentation to the gh-pages branch
+ pull-requests: write # Required to add comments on pull requests about documentation deployment
 steps:
 - uses: ansys/actions/doc-deploy-pr@{{ version }}
 with:
diff --git a/doc/source/doc-actions/examples/doc-deploy-stable-basic.yml b/doc/source/doc-actions/examples/doc-deploy-stable-basic.yml
index 6d5ec88dd..55914f699 100644
--- a/doc/source/doc-actions/examples/doc-deploy-stable-basic.yml
+++ b/doc/source/doc-actions/examples/doc-deploy-stable-basic.yml
@@ -3,6 +3,8 @@ doc-deploy-stable:
 runs-on: ubuntu-latest
 needs: doc-build
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
+ permissions:
+ contents: write # Required to push documentation to the gh-pages branch
 steps:
 - name: "Deploy the stable documentation"
 uses: ansys/actions/doc-deploy-stable@{{ version }}
diff --git a/doc/source/housekeeping-actions/examples/hk-automerge-prs-basic.yml b/doc/source/housekeeping-actions/examples/hk-automerge-prs-basic.yml
index f6970ed1f..c16284b22 100644
--- a/doc/source/housekeeping-actions/examples/hk-automerge-prs-basic.yml
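Review bot: In the `doc-deploy-pr.yml` hunk the `contents: write` and `pull-requests: write` grants do not take effect on `pull_request` runs whose head branch lives in a fork: GitHub issues a read-only GITHUB_TOKEN for those runs regardless of the job's `permissions` block, and the `deploy-pr-doc` label gate on the line above does not change that. The example should say so next to the block it documents, e.g. `# Write scopes apply to pull requests from branches of this repository; fork PRs receive a read-only token`, so that a user who copies it understands why the deploy silently fails for external contributors. The same caveat applies to the `hk-automerge-prs-basic.yml` hunk (Dependabot-triggered `pull_request` runs default to a read-only token as well, as far as I recall) and to the `pull-requests: write` line in the `doc-style-basic.yml` hunk. The `doc-deploy-pr` job definition starts before this hunk.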
+++ b/doc/source/housekeeping-actions/examples/hk-automerge-prs-basic.yml
@@ -3,6 +3,9 @@ hk-automerge-prs:
 runs-on: ubuntu-latest
 # Only runs if we are on a PR
 if: github.event_name == 'pull_request'
+ permissions:
+ contents: write # Required to merge pull requests
+ pull-requests: write # Required to approve and enable auto-merge on pull requests
 steps:
 - name: "Automerging dependabot and pre-commit.ci PRs"
 uses: ansys/actions/hk-automerge-prs@{{ version }}
diff --git a/doc/source/housekeeping-actions/examples/hk-migrate-fork-pr-basic.yml b/doc/source/housekeeping-actions/examples/hk-migrate-fork-pr-basic.yml
index 4d81bc333..4611ffd6c 100644
--- a/doc/source/housekeeping-actions/examples/hk-migrate-fork-pr-basic.yml
+++ b/doc/source/housekeeping-actions/examples/hk-migrate-fork-pr-basic.yml
@@ -8,8 +8,8 @@ hk-migrate-fork-pr:
 (contains(github.event.comment.body, '@pyansys-ci-bot migrate') ||
 contains(github.event.comment.body, '@pyansys-ci-bot sync'))
 permissions:
- contents: write
- pull-requests: write
+ contents: write # Required to push migration branches to the main repository
+ pull-requests: write # Required to create pull requests, add comments, and manage reactions
 steps:
 - name: "Migrate fork PR"
 uses: ansys/actions/hk-migrate-fork-pr@{{ version }}
diff --git a/doc/source/housekeeping-actions/examples/hk-package-clean-except-basic.yml b/doc/source/housekeeping-actions/examples/hk-package-clean-except-basic.yml
index da4cb1682..8ee0f758d 100644
--- a/doc/source/housekeeping-actions/examples/hk-package-clean-except-basic.yml
+++ b/doc/source/housekeeping-actions/examples/hk-package-clean-except-basic.yml
@@ -1,6 +1,8 @@
 hk-package-clean-except:
 name: "Perform versions cleanup - except certain tags"
 runs-on: ubuntu-latest
+ permissions:
+ packages: delete # Required to delete package versions from GitHub Container Registry (GHCR)
 steps:
 - name: "Perform versions cleanup - except certain tags"
 uses: ansys/actions/hk-package-clean-except@{{ version }}
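Review bot: `packages: delete` in the `hk-package-clean-except-basic.yml` hunk is not a value the workflow `permissions` key accepts — every scope takes only `read`, `write` or `none` — so a workflow copied from this example is rejected when the workflow file is parsed rather than granted a delete capability; the `hk-package-clean-untagged-basic.yml` hunk carries the same line. The nearest valid spelling is `packages: write # Required to delete package versions from GitHub Container Registry (GHCR)`, but whether a GITHUB_TOKEN with that scope can delete versions at all, or whether the action expects a separately scoped token input instead, is not visible here and should be confirmed against the action's inputs before the example is published.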
diff --git a/doc/source/housekeeping-actions/examples/hk-package-clean-untagged-basic.yml b/doc/source/housekeeping-actions/examples/hk-package-clean-untagged-basic.yml
index 319ea310d..df5fbdea8 100644
--- a/doc/source/housekeeping-actions/examples/hk-package-clean-untagged-basic.yml
+++ b/doc/source/housekeeping-actions/examples/hk-package-clean-untagged-basic.yml
@@ -1,6 +1,8 @@
 hk-package-clean-untagged:
 name: "Perform untagged versions cleanup"
 runs-on: ubuntu-latest
+ permissions:
+ packages: delete # Required to delete package versions from GitHub Container Registry (GHCR)
 steps:
 - name: "Perform untagged versions cleanup"
 uses: ansys/actions/hk-package-clean-untagged@{{ version }}
diff --git a/doc/source/housekeeping-actions/examples/hk-tag-repository-version-advanced.yml b/doc/source/housekeeping-actions/examples/hk-tag-repository-version-advanced.yml
index 5c43f444a..abe599501 100644
--- a/doc/source/housekeeping-actions/examples/hk-tag-repository-version-advanced.yml
+++ b/doc/source/housekeeping-actions/examples/hk-tag-repository-version-advanced.yml
@@ -3,7 +3,7 @@ hk-tag-repository-version:
 runs-on: ubuntu-latest
 if: github.event_name == 'release'
 permissions:
- contents: write
+ contents: write # Required to push commits, delete and create tags
 steps:
 - uses: actions/checkout@v6
 with:
diff --git a/doc/source/housekeeping-actions/examples/hk-tag-repository-version-basic.yml b/doc/source/housekeeping-actions/examples/hk-tag-repository-version-basic.yml
index 146d71fab..b4f1ef7a9 100644
--- a/doc/source/housekeeping-actions/examples/hk-tag-repository-version-basic.yml
+++ b/doc/source/housekeeping-actions/examples/hk-tag-repository-version-basic.yml
@@ -3,7 +3,7 @@ hk-tag-repository-version:
 runs-on: ubuntu-latest
 if: github.event_name == 'release'
 permissions:
- contents: write
+ contents: write # Required to push commits, delete and create tags
 steps:
 - uses: actions/checkout@v6
 with:
diff --git a/doc/source/licenses-actions/examples/check-licenses-basic.yml b/doc/source/licenses-actions/examples/check-licenses-basic.yml
index d62464abd..47a7862c5 100644
--- a/doc/source/licenses-actions/examples/check-licenses-basic.yml
+++ b/doc/source/licenses-actions/examples/check-licenses-basic.yml
@@ -1,6 +1,8 @@
 check-licenses:
 name: "Check library dependencies ship with valid licenses"
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
 steps:
 - name: "Validate third party licenses"
 uses: ansys/actions/check-licenses@{{ version }}
diff --git a/doc/source/release-actions/examples/release-github-basic.yml b/doc/source/release-actions/examples/release-github-basic.yml
index ed36c0a94..e31ba55f3 100644
--- a/doc/source/release-actions/examples/release-github-basic.yml
+++ b/doc/source/release-actions/examples/release-github-basic.yml
@@ -3,6 +3,8 @@ release-github:
 runs-on: ubuntu-latest
 needs: [build-library]
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
+ permissions:
+ contents: write # Required to create GitHub releases and upload release assets
 steps:
 - name: "Release to GitHub"
 uses: ansys/actions/release-github@{{ version }}
diff --git a/doc/source/release-actions/examples/release-pypi-public-basic.yml b/doc/source/release-actions/examples/release-pypi-public-basic.yml
deleted file mode 100644
index fa529aeef..000000000
--- a/doc/source/release-actions/examples/release-pypi-public-basic.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-release-pypi-public:
- name: "Release to public PyPI"
- runs-on: ubuntu-latest
- needs: [build-library]
- if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
- steps:
- - name: "Release to the public PyPI repository"
- uses: ansys/actions/release-pypi-public@{{ version }}
- with:
- library-name: "ansys--"
- twine-username: "__token__"
- twine-token: ${{ '{{ secrets.PYPI_TOKEN }}' }}
diff --git a/doc/source/release-actions/examples/release-pypi-test-basic.yml b/doc/source/release-actions/examples/release-pypi-test-basic.yml
deleted file mode 100644
index 82ed4cafd..000000000
--- a/doc/source/release-actions/examples/release-pypi-test-basic.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-release-pypi-test:
- name: "Release to test PyPI"
- runs-on: ubuntu-latest
- needs: [build-library]
- if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
- steps:
- - name: "Release to the test PyPI repository"
- uses: ansys/actions/release-pypi-test@{{ version }}
- with:
- library-name: "ansys--"
- twine-username: "__token__"
- twine-token: ${{ '{{ secrets.PYANSYS_PYPI_TEST_PAT }}' }}
diff --git a/doc/source/style-actions/examples/check-pr-conventional-name-basic.yml b/doc/source/style-actions/examples/check-pr-conventional-name-basic.yml
deleted file mode 100644
index 46bae2700..000000000
--- a/doc/source/style-actions/examples/check-pr-conventional-name-basic.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-check-pr-conventional-name:
- name: "Check if PR name follows conventional commit standards"
- runs-on: ubuntu-latest
- steps:
- - name: "Check if PR name follows conventional commit standards"
- uses: ansys/actions/check-pr-conventional-name@{{ version }}
diff --git a/doc/source/style-actions/examples/check-pr-title-basic.yml b/doc/source/style-actions/examples/check-pr-title-basic.yml
index 6dd71d313..190d63e4b 100644
--- a/doc/source/style-actions/examples/check-pr-title-basic.yml
+++ b/doc/source/style-actions/examples/check-pr-title-basic.yml
@@ -1,6 +1,8 @@
 check-pr-title:
 name: "Check pull-request title follows conventional commits"
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: read # Required to read pull request title
 steps:
 - uses: ansys/actions/check-pr-title@{{ version }}
 with:
diff --git a/doc/source/style-actions/examples/code-style-basic.yml b/doc/source/style-actions/examples/code-style-basic.yml
index 890031752..16f7c1276 100644
--- a/doc/source/style-actions/examples/code-style-basic.yml
+++ b/doc/source/style-actions/examples/code-style-basic.yml
@@ -1,6 +1,8 @@
 code-style:
 name: "Running code style checks"
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
 steps:
 - name: "Run PyAnsys code style checks"
 uses: ansys/actions/code-style@{{ version }}
diff --git a/doc/source/style-actions/examples/doc-style-basic.yml b/doc/source/style-actions/examples/doc-style-basic.yml
index 37a3d8c4f..7acf600af 100644
--- a/doc/source/style-actions/examples/doc-style-basic.yml
+++ b/doc/source/style-actions/examples/doc-style-basic.yml
@@ -1,6 +1,9 @@
 doc-style:
 name: "Running documentation style checks"
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
+ pull-requests: write # Required for Vale to add review comments and suggestions on pull requests
 steps:
 - name: "Running documentation style checks"
 uses: ansys/actions/doc-style@{{ version }}
diff --git a/doc/source/style-actions/examples/docker-style-basic.yml b/doc/source/style-actions/examples/docker-style-basic.yml
index 9ff2e9336..cb8488f70 100644
--- a/doc/source/style-actions/examples/docker-style-basic.yml
+++ b/doc/source/style-actions/examples/docker-style-basic.yml
@@ -1,6 +1,8 @@
 docker-style:
 name: "Docker style"
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
 steps:
 - uses: ansys/actions/docker-style@{{ version }}
 with:
diff --git a/doc/source/tests-actions/examples/tests-pytest-basic.yml b/doc/source/tests-actions/examples/tests-pytest-basic.yml
index 82062fd4d..74c994e98 100644
--- a/doc/source/tests-actions/examples/tests-pytest-basic.yml
+++ b/doc/source/tests-actions/examples/tests-pytest-basic.yml
@@ -1,6 +1,8 @@
 tests:
 name: "Testing library with different operating systems and Python versions"
 runs-on: ${{ '{{ matrix.os }}' }}
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
 strategy:
 matrix:
 os: [ubuntu-latest, windows-latest]
diff --git a/doc/source/tests-actions/examples/tests-pytest-optimized.yml b/doc/source/tests-actions/examples/tests-pytest-optimized.yml
index b49af7540..d32acc3e3 100644
--- a/doc/source/tests-actions/examples/tests-pytest-optimized.yml
+++ b/doc/source/tests-actions/examples/tests-pytest-optimized.yml
@@ -1,6 +1,8 @@
 tests:
 name: "Optimized testing with different operating systems and Python versions"
 runs-on: ${{ '{{ matrix.os }}' }}
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
 strategy:
 matrix:
 os: [ubuntu-latest, windows-latest]
diff --git a/doc/source/vulnerability-actions/examples/check-actions-security.yml b/doc/source/vulnerability-actions/examples/check-actions-security.yml
index 70864b136..0cfd0a87f 100644
--- a/doc/source/vulnerability-actions/examples/check-actions-security.yml
+++ b/doc/source/vulnerability-actions/examples/check-actions-security.yml
@@ -1,6 +1,8 @@
 actions-security:
 name: "Check actions security"
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
 steps:
 - uses: ansys/actions/check-actions-security@{{ version }}
 with:
diff --git a/doc/source/vulnerability-actions/examples/check-vulnerabilities.yml b/doc/source/vulnerability-actions/examples/check-vulnerabilities.yml
index 120ccf0d1..3cabee780 100644
--- a/doc/source/vulnerability-actions/examples/check-vulnerabilities.yml
+++ b/doc/source/vulnerability-actions/examples/check-vulnerabilities.yml
@@ -1,6 +1,10 @@
 check-vulnerabilities:
 name: "Check library vulnerabilities"
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Required to checkout repository code when the repository is not public
+ security-events: write # Required to create security advisories
+ issues: write # Required to create issues (only when create-issues is set to true)
 steps:
 - uses: ansys/actions/check-vulnerabilities@{{ version }}
 with:
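Review bot: The comment on the new `security-events: write` line says the scope is for creating security advisories, but `security-events` is the scope GitHub uses for the code scanning and Dependabot alert endpoints (SARIF upload and alert management), while repository security advisories are a separately documented API; the comment may therefore describe a different operation than the scope actually grants, and a reader cannot tell from it which one the action performs. If the action uploads its findings as alerts, say so: `security-events: write # Required to upload vulnerability findings as code scanning alerts`; if it really creates advisories, the token that can do that should be confirmed and documented instead. The `issues: write` comment could also state the consequence of the conditional it mentions, e.g. `# Only needed when create-issues is true; drop it otherwise, since unlisted scopes are none once permissions is set`. The `with:` block continues outside the hunk.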