ansys · SMoraisAnsys · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026
@@ -32,7 +32,7 @@ description: |
   .. important:: **Required GitHub Permissions**
 
      - **contents**: ``write`` - Required to commit and push changelog fragments
-     - **pull-requests**: ``read`` - Required to read pull request labels via GitHub API
+     - **pull-requests**: ``write`` - Required to add comments on pull requests
 
 inputs:
   # Required inputs

@@ -1,6 +1,8 @@
 build-c-extension:
   name: "Build a C-extension library"
   runs-on: ${{ '{{ matrix.os }}' }}
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
   strategy:
      matrix:
          os: [ubuntu-latest, windows-latest, macos-11]

@@ -1,6 +1,8 @@
 build-library:
   name: "Build library basic example"
   runs-on: ubuntu-latest
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
   steps:
     - name: "Build library source and wheel artifacts"
       uses: ansys/actions/build-library@{{ version }}

@@ -1,6 +1,8 @@
 build-wheelhouse:
   name: "Build wheelhouse for latest Python versions"
   runs-on: ${{ '{{ matrix.os }}' }}
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
   strategy:
      matrix:
          os: [ubuntu-latest, windows-latest]

@@ -0,0 +1 @@
+Update examples with permissions
@@ -2,6 +2,8 @@ doc-build:
   name: "Building library documentation"
   runs-on: ubuntu-latest
   needs: doc-style
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
   steps:
     - name: "Run Ansys documentation building action"
       uses: ansys/actions/doc-build@{{ version }}
@@ -2,6 +2,8 @@ doc-build:
   name: "Installing additional system dependencies for building documentation"
   runs-on: ubuntu-latest
   needs: doc-style
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
   steps:
     - name: "Run Ansys documentation building action"
       uses: ansys/actions/doc-build@{{ version }}

@@ -2,6 +2,8 @@ doc-build:
   name: "Building library documentation that using XVFB"
   runs-on: ubuntu-latest
   needs: doc-style
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
   steps:
     - name: "Run Ansys documentation building action"
       uses: ansys/actions/doc-build@{{ version }}

@@ -13,8 +13,8 @@ changelog-fragment:
   name: "Create changelog fragment"
   needs: [labeler]
   permissions:
-    contents: write
-    pull-requests: write
+    contents: write  # Required to commit and push changelog fragments
+    pull-requests: write  # Required to add comments on pull requests
   runs-on: ubuntu-latest
   steps:
     - uses: ansys/actions/doc-changelog@{{ version }}

@@ -3,8 +3,8 @@ update-changelog:
   if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
   runs-on: ubuntu-latest
   permissions:
-    contents: write
-    pull-requests: write
+    contents: write  # Required to push commits, delete and create tags
+    pull-requests: write  # Required to create pull requests
   steps:
     - uses: ansys/actions/doc-deploy-changelog@{{ version }}
       with:

@@ -3,6 +3,9 @@ doc-deploy-dev:
   runs-on: ubuntu-latest
   needs: doc-build
   if: github.event_name == 'push'
+  permissions:
+    contents: write  # Required to push documentation to the gh-pages branch
+    pull-requests: write  # Required to add comments on pull requests about documentation deployment
   steps:
     - name: "Deploy the latest documentation"
       uses: ansys/actions/doc-deploy-dev@{{ version }}

@@ -21,6 +21,9 @@ doc-deploy-pr:
   runs-on: ubuntu-latest
   needs: doc-build
   if: contains(github.event.pull_request.labels.*.name, 'deploy-pr-doc')
+  permissions:
+    contents: write  # Required to push documentation to the gh-pages branch
+    pull-requests: write  # Required to add comments on pull requests about documentation deployment
   steps:
     - uses: ansys/actions/doc-deploy-pr@{{ version }}
       with:

@@ -3,6 +3,8 @@ doc-deploy-stable:
   runs-on: ubuntu-latest
   needs: doc-build
   if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
+  permissions:
+    contents: write  # Required to push documentation to the gh-pages branch
   steps:
     - name: "Deploy the stable documentation"
       uses: ansys/actions/doc-deploy-stable@{{ version }}

@@ -3,6 +3,9 @@ hk-automerge-prs:
   runs-on: ubuntu-latest
   # Only runs if we are on a PR
   if: github.event_name == 'pull_request'
+  permissions:
+    contents: write  # Required to merge pull requests
+    pull-requests: write  # Required to approve and enable auto-merge on pull requests
   steps:
     - name: "Automerging dependabot and pre-commit.ci PRs"
       uses: ansys/actions/hk-automerge-prs@{{ version }}

@@ -8,8 +8,8 @@ hk-migrate-fork-pr:
     (contains(github.event.comment.body, '@pyansys-ci-bot migrate') ||
      contains(github.event.comment.body, '@pyansys-ci-bot sync'))
   permissions:
-    contents: write
-    pull-requests: write
+    contents: write  # Required to push migration branches to the main repository
+    pull-requests: write  # Required to create pull requests, add comments, and manage reactions
   steps:
     - name: "Migrate fork PR"
       uses: ansys/actions/hk-migrate-fork-pr@{{ version }}

@@ -1,6 +1,8 @@
 hk-package-clean-except:
   name: "Perform versions cleanup - except certain tags"
   runs-on: ubuntu-latest
+  permissions:
+    packages: delete  # Required to delete package versions from GitHub Container Registry (GHCR)
   steps:
     - name: "Perform versions cleanup - except certain tags"
       uses: ansys/actions/hk-package-clean-except@{{ version }}

@@ -1,6 +1,8 @@
 hk-package-clean-untagged:
   name: "Perform untagged versions cleanup"
   runs-on: ubuntu-latest
+  permissions:
+    packages: delete  # Required to delete package versions from GitHub Container Registry (GHCR)
   steps:
     - name: "Perform untagged versions cleanup"
       uses: ansys/actions/hk-package-clean-untagged@{{ version }}

@@ -3,7 +3,7 @@ hk-tag-repository-version:
   runs-on: ubuntu-latest
   if: github.event_name == 'release'
   permissions:
-    contents: write
+    contents: write  # Required to push commits, delete and create tags
   steps:
     - uses: actions/checkout@v6
       with:

@@ -3,7 +3,7 @@ hk-tag-repository-version:
   runs-on: ubuntu-latest
   if: github.event_name == 'release'
   permissions:
-    contents: write
+    contents: write  # Required to push commits, delete and create tags
   steps:
     - uses: actions/checkout@v6
       with:

@@ -1,6 +1,8 @@
 check-licenses:
   name: "Check library dependencies ship with valid licenses"
   runs-on: ubuntu-latest
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
   steps:
     - name: "Validate third party licenses"
       uses: ansys/actions/check-licenses@{{ version }}

@@ -3,6 +3,8 @@ release-github:
   runs-on: ubuntu-latest
   needs: [build-library]
   if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
+  permissions:
+    contents: write  # Required to create GitHub releases and upload release assets
   steps:
     - name: "Release to GitHub"
       uses: ansys/actions/release-github@{{ version }}

@@ -1,6 +1,8 @@
 check-pr-title:
   name: "Check pull-request title follows conventional commits"
   runs-on: ubuntu-latest
+  permissions:
+    pull-requests: read  # Required to read pull request title
   steps:
     - uses: ansys/actions/check-pr-title@{{ version }}
       with:

@@ -1,6 +1,8 @@
 code-style:
   name: "Running code style checks"
   runs-on: ubuntu-latest
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
   steps:
     - name: "Run PyAnsys code style checks"
       uses: ansys/actions/code-style@{{ version }}
@@ -1,6 +1,9 @@
 doc-style:
   name: "Running documentation style checks"
   runs-on: ubuntu-latest
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
+    pull-requests: write  # Required for Vale to add review comments and suggestions on pull requests
   steps:
     - name: "Running documentation style checks"
       uses: ansys/actions/doc-style@{{ version }}

@@ -1,6 +1,8 @@
 docker-style:
   name: "Docker style"
   runs-on: ubuntu-latest
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
   steps:
     - uses: ansys/actions/docker-style@{{ version }}
       with:

@@ -1,6 +1,8 @@
 tests:
   name: "Testing library with different operating systems and Python versions"
   runs-on: ${{ '{{ matrix.os }}' }}
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
   strategy:
      matrix:
          os: [ubuntu-latest, windows-latest]

@@ -1,6 +1,8 @@
 tests:
   name: "Optimized testing with different operating systems and Python versions"
   runs-on: ${{ '{{ matrix.os }}' }}
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
   strategy:
      matrix:
          os: [ubuntu-latest, windows-latest]

@@ -1,6 +1,8 @@
 actions-security:
   name: "Check actions security"
   runs-on: ubuntu-latest
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
   steps:
     - uses: ansys/actions/check-actions-security@{{ version }}
       with:

@@ -1,6 +1,10 @@
 check-vulnerabilities:
   name: "Check library vulnerabilities"
   runs-on: ubuntu-latest
+  permissions:
+    contents: read  # Required to checkout repository code when the repository is not public
+    security-events: write  # Required to create security advisories
+    issues: write  # Required to create issues (only when create-issues is set to true)
   steps:
     - uses: ansys/actions/check-vulnerabilities@{{ version }}
       with: