From a61f5e491355a2404a5c0be14699501d1e3e9fae Mon Sep 17 00:00:00 2001 From: Muhammed Adedigba Date: Wed, 17 Sep 2025 18:40:13 +0200 Subject: [PATCH 1/4] docs: improve gha vulnerabilities documentation --- doc/source/how-to/vulnerabilities.rst | 92 ++++++++++++++------------- 1 file changed, 48 insertions(+), 44 deletions(-) diff --git a/doc/source/how-to/vulnerabilities.rst b/doc/source/how-to/vulnerabilities.rst index 2e187fde..9ce5c155 100644 --- a/doc/source/how-to/vulnerabilities.rst +++ b/doc/source/how-to/vulnerabilities.rst @@ -144,7 +144,7 @@ action is up to date and that it is being used in all PyAnsys repositories consi that the action is implemented correctly and that the results are reviewed regularly. -Addressing common vulnerabilities in python libraries and applications +Addressing common vulnerabilities in Python libraries and applications ---------------------------------------------------------------------- When developing Python applications, it is essential to be aware of common vulnerabilities that can @@ -371,22 +371,22 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: Before .. code:: yaml - + # See https://docs.zizmor.sh/audits/#artipacked for more information. steps: - - name: "Checkout project" + - name: "Checkout project" # actions/checkout persists git credentials by default. uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 .. tab-item:: After .. code:: yaml - + # See https://docs.zizmor.sh/audits/#artipacked for more information. steps: - name: "Checkout project" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: + with: # Unless needed for git operations in subsequent steps, do not persist credentials. persist-credentials: false .. note:: 
@@ -402,11 +402,11 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: Before .. code:: yaml - + # See https://docs.zizmor.sh/audits/#unpinned-uses for more information. steps: - name: "Upload distribution artifacts to GitHub artifacts" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v4 # The commit a tag-pinned action points to can change due to various factors. with: name: ${{ env.LIBRARY_NAME }}-artifacts path: ~/${{ env.LIBRARY_NAME }}/dist/ @@ -415,25 +415,25 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: After .. code:: yaml - + # See https://docs.zizmor.sh/audits/#unpinned-uses for more information. steps: - name: "Upload distribution artifacts to GitHub artifacts" - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 # Pinning with a SHA prevents this. with: name: ${{ env.LIBRARY_NAME }}-artifacts path: ~/${{ env.LIBRARY_NAME }}/dist/ +.. tip:: + + You can use the `pinact`_ tool to automatically pin versions of actions and reusable workflows. + .. note:: The ``ansys/actions/check-actions-security`` action has a ``trust-ansys-actions`` option that allows you to use tags for ``ansys/actions``. When this option is enabled, you only need to pin external actions. -.. tip:: - - You can use the `pinact`_ tool to automatically pin versions of actions and reusable workflows. - **github-env** .. tab-set:: 
@@ -442,17 +442,16 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: Before .. code:: yaml - + # See https://docs.zizmor.sh/audits/#github-env for more information. steps: - name: "Decompose tag into components" shell: bash run: | if [[ ${{ github.ref_name }} =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - # Split the tag into its components IFS='.' read -ra PARTS <<< "${{ github.ref_name }}" - echo "V_AND_MAJOR=${PARTS[0]}" >> $GITHUB_ENV - echo "MINOR=${PARTS[1]}" >> $GITHUB_ENV + echo "V_AND_MAJOR=${PARTS[0]}" >> $GITHUB_ENV # When used in workflows with dangerous triggers, such as pull_request_target + echo "MINOR=${PARTS[1]}" >> $GITHUB_ENV # and workflow_run, GITHUB_ENV and GITHUB_PATH can be an arbitrary code execution risk. echo "PATCH=${PARTS[2]}" >> $GITHUB_ENV else echo "Invalid tag format. Expected vX.Y.Z but got ${{ github.ref_name }}" @@ -462,7 +461,6 @@ For additional examples of fixes, see the `zizmor trophy case`_. - name: "Check tag is valid for current branch" shell: bash run: | - # Remove leading "v" from env.X V_AND_MAJOR=${{ env.V_AND_MAJOR }} MAJOR="${V_AND_MAJOR#v}" echo "MAJOR=${MAJOR}" >> $GITHUB_ENV @@ -497,7 +495,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: After .. code:: yaml - + # See https://docs.zizmor.sh/audits/#github-env for more information. steps: - name: "Decompose tag into components" 
@@ -505,11 +503,10 @@ For additional examples of fixes, see the `zizmor trophy case`_. shell: bash run: | if [[ ${{ github.ref_name }} =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - # Split the tag into its components IFS='.' read -ra PARTS <<< "${{ github.ref_name }}" - echo "V_AND_MAJOR=${PARTS[0]}" >> $GITHUB_OUTPUT - echo "MINOR=${PARTS[1]}" >> $GITHUB_OUTPUT - echo "PATCH=${PARTS[2]}" >> $GITHUB_OUTPUT + echo "V_AND_MAJOR=${PARTS[0]}" >> $GITHUB_OUTPUT # Writing to GITHUB_OUTPUT is safe. + echo "MINOR=${PARTS[1]}" >> $GITHUB_OUTPUT # Writing to GITHUB_OUTPUT is safe. + echo "PATCH=${PARTS[2]}" >> $GITHUB_OUTPUT # Writing to GITHUB_OUTPUT is safe. else echo "Invalid tag format. Expected vX.Y.Z but got ${{ github.ref_name }}" exit 1 @@ -519,10 +516,9 @@ For additional examples of fixes, see the `zizmor trophy case`_. id: current-branch-tag-validity shell: bash env: - V_AND_MAJOR: ${{ steps.tag-components.outputs.V_AND_MAJOR }} - MINOR: ${{ steps.tag-components.outputs.MINOR }} + V_AND_MAJOR: ${{ steps.tag-components.outputs.V_AND_MAJOR }} # Then share information between steps + MINOR: ${{ steps.tag-components.outputs.MINOR }} # through the env block. run: | - # Remove leading "v" from env.X MAJOR="${V_AND_MAJOR#v}" echo "MAJOR=${MAJOR}" >> $GITHUB_OUTPUT if [[ ${{ github.event.base_ref }} != "refs/heads/release/${MAJOR}.${MINOR}" ]]; then @@ -573,7 +569,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: Before .. code:: yaml - + # See https://docs.zizmor.sh/audits/#template-injection for more information. name: Example reusable workflow on: 
@@ -598,15 +594,15 @@ For additional examples of fixes, see the `zizmor trophy case`_. - name: "Inspect context variables and workflow input" run: | - echo ${{ github.workspace }} - echo ${{ runner.temp }} - echo ${{ input.user-input }} + echo ${{ github.workspace }} # which are resolved before workflows and jobs run. These expansions + echo ${{ runner.temp }} # insert their results directly into the context, which can accidentally introduce shell injection risks. + echo ${{ input.user-input }} # This is especially through when such expansion is from a user input. .. tab-item:: After .. code:: yaml - + # See https://docs.zizmor.sh/audits/#template-injection for more information. name: Example reusable workflow on: @@ -631,17 +627,17 @@ For additional examples of fixes, see the `zizmor trophy case`_. - name: "Inspect context variables and workflow input" env: - USER_INPUT: ${{ inputs.user-input }} + USER_INPUT: ${{ inputs.user-input }} # Expand inputs and relevant context variables in the env block. run: | - echo ${USER_INPUT} - echo ${RUNNER_TEMP} - echo ${GITHUB_WORKSPACE} + echo ${USER_INPUT} # Then use that directly within the run block. + echo ${RUNNER_TEMP} # Also, most Github context variables have equivalent environment variables + echo ${GITHUB_WORKSPACE} # that can be directly used in place of template expansions. .. note:: Notice that ``RUNNER_TEMP`` and ``GITHUB_WORKSPACE`` were not explicitly set in the ``env`` block. Some GitHub context variables automatically map to environment variables, such as - ``runner.temp`` to ``RUNNER_TEMP`` and ``github.workspace`` to ``GITHUB_WORKSPACE`` + ``runner.temp`` to ``RUNNER_TEMP`` and ``github.workspace`` to ``GITHUB_WORKSPACE``. If a corresponding environment variable is not automatically available, you must set it in the ``env`` block of the job or step where it is needed before you can use it. 
@@ -654,7 +650,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: Before .. code:: yaml - + # See https://docs.zizmor.sh/audits/#excessive-permissions for more information. name: Github CI on: @@ -669,6 +665,10 @@ For additional examples of fixes, see the `zizmor trophy case`_. MAIN_PYTHON_VERSION: '3.12' DOCUMENTATION_CNAME: 'actions.docs.ansys.com' + # When not specified, the default permission assigned to workflows might be too excessive + # for what the jobs need to do. Furthermore, all job steps automatically inherit this + # default permission + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -701,7 +701,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: After .. code:: yaml - + # See https://docs.zizmor.sh/audits/#excessive-permissions for more information. name: Github CI on: @@ -716,7 +716,8 @@ For additional examples of fixes, see the `zizmor trophy case`_. MAIN_PYTHON_VERSION: '3.12' DOCUMENTATION_CNAME: 'actions.docs.ansys.com' - permissions: {} + permissions: {} # Zero permissions can be granted at the workflow level if not all jobs require permissions. + # As a good rule of thumb, this normally includes jobs that don't use secrets. concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -739,7 +740,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. runs-on: ubuntu-latest needs: [doc-build] permissions: - contents: write + contents: write # The specific permission type needed is set for a job that actually needs it. steps: - uses: ansys/actions/doc-deploy-dev@v10.1.0a0 with: @@ -756,8 +757,8 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: Before .. code:: yaml - - on: push + # See https://docs.zizmor.sh/audits/#anonymous-definition for more information. + on: push # This workflow has no name. jobs: build: 
@@ -769,8 +770,8 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: After .. code:: yaml - - name: Echo Test + # See https://docs.zizmor.sh/audits/#anonymous-definition for more information. + name: Echo Test # It is good practice to always name workflows. on: push jobs: @@ -779,6 +780,9 @@ For additional examples of fixes, see the `zizmor trophy case`_. steps: - run: echo "Hello!" +.. note:: + + This finding has no security impact and is more of reinforcing good practices. Ignoring ``zizmor`` findings ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From 21e7ea624b423fe23f64d1b21c3acf4dcc037aba Mon Sep 17 00:00:00 2001 From: Muhammed Adedigba Date: Wed, 17 Sep 2025 18:43:44 +0200 Subject: [PATCH 2/4] docs: fix code block --- doc/source/how-to/vulnerabilities.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/doc/source/how-to/vulnerabilities.rst b/doc/source/how-to/vulnerabilities.rst index 9ce5c155..e6229367 100644 --- a/doc/source/how-to/vulnerabilities.rst +++ b/doc/source/how-to/vulnerabilities.rst @@ -371,6 +371,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: Before .. code:: yaml + # See https://docs.zizmor.sh/audits/#artipacked for more information. steps: @@ -381,6 +382,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: After .. code:: yaml + # See https://docs.zizmor.sh/audits/#artipacked for more information. steps: @@ -402,6 +404,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: Before .. code:: yaml + # See https://docs.zizmor.sh/audits/#unpinned-uses for more information. steps: @@ -415,6 +418,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: After .. code:: yaml + # See https://docs.zizmor.sh/audits/#unpinned-uses for more information. steps: 
@@ -442,6 +446,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: Before .. code:: yaml + # See https://docs.zizmor.sh/audits/#github-env for more information. steps: @@ -495,6 +500,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: After .. code:: yaml + # See https://docs.zizmor.sh/audits/#github-env for more information. steps: @@ -569,6 +575,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: Before .. code:: yaml + # See https://docs.zizmor.sh/audits/#template-injection for more information. name: Example reusable workflow @@ -602,6 +609,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: After .. code:: yaml + # See https://docs.zizmor.sh/audits/#template-injection for more information. name: Example reusable workflow @@ -650,6 +658,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: Before .. code:: yaml + # See https://docs.zizmor.sh/audits/#excessive-permissions for more information. name: Github CI @@ -701,6 +710,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: After .. code:: yaml + # See https://docs.zizmor.sh/audits/#excessive-permissions for more information. name: Github CI @@ -757,6 +767,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: Before .. code:: yaml + # See https://docs.zizmor.sh/audits/#anonymous-definition for more information. on: push # This workflow has no name. @@ -770,6 +781,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. .. tab-item:: After .. code:: yaml + # See https://docs.zizmor.sh/audits/#anonymous-definition for more information. name: Echo Test # It is good practice to always name workflows. on: push From 51684068e8cc5c962657ddefefd78a7d401158fb Mon Sep 17 00:00:00 2001 
From: Muhammed Adedigba Date: Wed, 17 Sep 2025 18:46:38 +0200 Subject: [PATCH 3/4] docs: add content --- doc/source/how-to/vulnerabilities.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/how-to/vulnerabilities.rst b/doc/source/how-to/vulnerabilities.rst index e6229367..c949b67d 100644 --- a/doc/source/how-to/vulnerabilities.rst +++ b/doc/source/how-to/vulnerabilities.rst @@ -601,7 +601,7 @@ For additional examples of fixes, see the `zizmor trophy case`_. - name: "Inspect context variables and workflow input" run: | - echo ${{ github.workspace }} # which are resolved before workflows and jobs run. These expansions + echo ${{ github.workspace }} # Template expansions are resolved before workflows and jobs run. These expansions echo ${{ runner.temp }} # insert their results directly into the context, which can accidentally introduce shell injection risks. echo ${{ input.user-input }} # This is especially through when such expansion is from a user input. From 7ba19e4824e432e2e5430b52c662ec85724e4f79 Mon Sep 17 00:00:00 2001 From: Muhammed Adedigba Date: Mon, 22 Sep 2025 13:16:05 +0200 Subject: [PATCH 4/4] docs: review suggestions and vale errors --- doc/Makefile | 5 +- doc/source/how-to/compatibility.rst | 6 +- doc/source/how-to/vulnerabilities.rst | 78 ++++++++++++------- doc/source/links.rst | 6 ++ .../config/vocabularies/ANSYS/accept.txt | 16 ++-- requirements/requirements_doc.txt | 2 +- 6 files changed, 73 insertions(+), 40 deletions(-) diff --git a/doc/Makefile b/doc/Makefile index 8fff6489..7d614c2f 100755 --- a/doc/Makefile +++ b/doc/Makefile @@ -19,10 +19,9 @@ help: @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) -# customized clean due to examples gallery +# customized clean clean: - rm -rf build - rm -rf source/examples/ + rm -rf _build # customized pdf fov svg format images pdf: diff --git a/doc/source/how-to/compatibility.rst b/doc/source/how-to/compatibility.rst index 99198c5f..c0843bb5 100644 
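Review bot: The rewritten `clean` recipe hard-codes `_build` while the `help` recipe in the same hunk writes to `$(BUILDDIR)`, so the two can drift apart if the variable is ever changed. Prefer `rm -rf "$(BUILDDIR)"` so that clean removes exactly what the other targets produce. The `BUILDDIR` assignment sits above this hunk, so I cannot confirm from here that it currently evaluates to `_build`.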
--- a/doc/source/how-to/compatibility.rst +++ b/doc/source/how-to/compatibility.rst @@ -34,9 +34,9 @@ introduced in an earlier version are also supported in later versions. Suppressi a feature would lead to a backward compatibility issue. Because the same type of issues can happen with the PyAnsys servers wrapping -Ansys products, creating a similar *maximum version* data structure is -is necessary. While there are no such implementations yet, it should work -in the same way as the minimum version data structure. +Ansys products, creating a similar *maximum version* data structure is necessary. +While there are no such implementations yet, it should work in the same way as the +minimum version data structure. ``version_requires`` decorator ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/source/how-to/vulnerabilities.rst b/doc/source/how-to/vulnerabilities.rst index c949b67d..b8453cf9 100644 --- a/doc/source/how-to/vulnerabilities.rst +++ b/doc/source/how-to/vulnerabilities.rst 
@@ -365,25 +365,29 @@ For additional examples of fixes, see the `zizmor trophy case`_. **artipacked** +The vulnerability is that using ``actions/checkout`` in GitHub Actions can store repository credentials in ``.git/config``, +which may be unintentionally exposed through artifacts or workflow steps. + +Fixing is important because leaked credentials could grant attackers unauthorized access to your repositories, +which can allow them push malicious code, among other things. See `artipacked audit rule`_ for more information. + .. tab-set:: - .. tab-item:: Before + .. tab-item:: Potential risk .. code:: yaml - # See https://docs.zizmor.sh/audits/#artipacked for more information. steps: - name: "Checkout project" # actions/checkout persists git credentials by default. uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - .. tab-item:: After + .. tab-item:: Remediation .. code:: yaml - # See https://docs.zizmor.sh/audits/#artipacked for more information. steps: - name: "Checkout project" @@ -398,14 +402,20 @@ For additional examples of fixes, see the `zizmor trophy case`_. **unpinned-uses** +The vulnerability is that using unpinned ``uses:`` clauses in GitHub Actions allows workflows to pull in action +code that can change at any time, including through branch or tag updates. + +Fixing it is important because unpinned actions could be modified by attackers or upstream maintainers, leading +to unexpected or malicious code execution in your workflows. See `unpinned-uses audit rule`_ for more +information. + .. tab-set:: - .. tab-item:: Before + .. tab-item:: Potential risk .. code:: yaml - # See https://docs.zizmor.sh/audits/#unpinned-uses for more information. steps: - name: "Upload distribution artifacts to GitHub artifacts" 
@@ -415,11 +425,10 @@ For additional examples of fixes, see the `zizmor trophy case`_. path: ~/${{ env.LIBRARY_NAME }}/dist/ - .. tab-item:: After + .. tab-item:: Remediation .. code:: yaml - # See https://docs.zizmor.sh/audits/#unpinned-uses for more information. steps: - name: "Upload distribution artifacts to GitHub artifacts" @@ -440,14 +449,20 @@ For additional examples of fixes, see the `zizmor trophy case`_. **github-env** +Writing to ``GITHUB_ENV`` or ``GITHUB_PATH`` in workflows with dangerous triggers (such as ``pull_request_target`` and +``workflow_run``) can let attackers inject arbitrary environment variables / variable contents. + +A fix is required because this exposure could allow attackers to run malicious code in your GitHub Actions workflows +either implictly in subsequent steps, or by shadowing ordinary system executables (such as ``ssh``). See +`github-env audit rule`_ for more information. + .. tab-set:: - .. tab-item:: Before + .. tab-item:: Potential risk .. code:: yaml - # See https://docs.zizmor.sh/audits/#github-env for more information. steps: - name: "Decompose tag into components" @@ -497,11 +512,10 @@ For additional examples of fixes, see the `zizmor trophy case`_. git push origin v${{ env.MAJOR }} - .. tab-item:: After + .. tab-item:: Remediation .. code:: yaml - # See https://docs.zizmor.sh/audits/#github-env for more information. steps: - name: "Decompose tag into components" 
@@ -569,14 +583,19 @@ For additional examples of fixes, see the `zizmor trophy case`_. **template-injection** +The vulnerability is that template expansions (``${{ ... }}``) in GitHub Actions can allow code injection when used with +attacker-controlled inputs, such as issue titles (``github.event.issue.title`` which the attacker can fully control by supplying a new issue title). + +Fixing it is important because malicious inputs could execute unintended commands, compromising the security of your workflows. See +`template-injection audit rule`_ for more information. + .. tab-set:: - .. tab-item:: Before + .. tab-item:: Potential risk .. code:: yaml - # See https://docs.zizmor.sh/audits/#template-injection for more information. name: Example reusable workflow on: @@ -606,11 +625,10 @@ For additional examples of fixes, see the `zizmor trophy case`_. echo ${{ input.user-input }} # This is especially through when such expansion is from a user input. - .. tab-item:: After + .. tab-item:: Remediation .. code:: yaml - # See https://docs.zizmor.sh/audits/#template-injection for more information. name: Example reusable workflow on: @@ -652,14 +670,19 @@ For additional examples of fixes, see the `zizmor trophy case`_. **excessive-permissions** +The vulnerability is that workflows with excessive permissions grant more access than needed, either at the +workflow or job level, including through the default ``GITHUB_TOKEN``. + +Fixing it is important because over-scoped permissions increase the risk that a compromised workflow could +perform unauthorized actions on your repository. See `excessive-permissions audit rule`_ for more information. + .. tab-set:: - .. tab-item:: Before + .. tab-item:: Potential risk .. code:: yaml - # See https://docs.zizmor.sh/audits/#excessive-permissions for more information. name: Github CI on: 
@@ -707,11 +730,10 @@ For additional examples of fixes, see the `zizmor trophy case`_. bot-email: ${{ secrets.PYANSYS_CI_BOT_EMAIL }} - .. tab-item:: After + .. tab-item:: Remediation .. code:: yaml - # See https://docs.zizmor.sh/audits/#excessive-permissions for more information. name: Github CI on: @@ -761,14 +783,19 @@ For additional examples of fixes, see the `zizmor trophy case`_. **anonymous-definition** +This issue is raised when workflows omit the ``name:`` field. When ``name:`` is omitted, the workflow is rendered +anonymously in the Github Actions UI, making it harder to understand which definition is running. + +There is no security impact associated with this issue. However, it is good practice to always include the ``name:`` +field. See `anonymous-definition audit rule`_ for more information. + .. tab-set:: - .. tab-item:: Before + .. tab-item:: Potential risk .. code:: yaml - # See https://docs.zizmor.sh/audits/#anonymous-definition for more information. on: push # This workflow has no name. jobs: @@ -778,11 +805,10 @@ For additional examples of fixes, see the `zizmor trophy case`_. - run: echo "Hello!" - .. tab-item:: After + .. tab-item:: Remediation .. code:: yaml - # See https://docs.zizmor.sh/audits/#anonymous-definition for more information. name: Echo Test # It is good practice to always name workflows. on: push @@ -792,10 +818,6 @@ For additional examples of fixes, see the `zizmor trophy case`_. steps: - run: echo "Hello!" -.. note:: - - This finding has no security impact and is more of reinforcing good practices. - Ignoring ``zizmor`` findings ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/doc/source/links.rst b/doc/source/links.rst index ba33e5ad..13b0add1 100644 --- a/doc/source/links.rst +++ b/doc/source/links.rst 
@@ -124,6 +124,12 @@ .. _zizmor audit rules: https://docs.zizmor.sh/audits/ .. _zizmor trophy case: https://docs.zizmor.sh/trophy-case/ .. _ignoring zizmor results: https://docs.zizmor.sh/usage/#ignoring-results +.. _artipacked audit rule: https://docs.zizmor.sh/audits/#artipacked +.. _unpinned-uses audit rule: https://docs.zizmor.sh/audits/#unpinned-uses +.. _github-env audit rule: https://docs.zizmor.sh/audits/#github-env +.. _template-injection audit rule: https://docs.zizmor.sh/audits/#template-injection +.. _excessive-permissions audit rule: https://docs.zizmor.sh/audits/#excessive-permissions +.. _anonymous-definition audit rule: https://docs.zizmor.sh/audits/#anonymous-definition .. _pinact: https://github.com/suzuki-shunsuke/pinact diff --git a/doc/styles/config/vocabularies/ANSYS/accept.txt b/doc/styles/config/vocabularies/ANSYS/accept.txt index 80e79293..743bd3d1 100644 --- a/doc/styles/config/vocabularies/ANSYS/accept.txt +++ b/doc/styles/config/vocabularies/ANSYS/accept.txt @@ -2,6 +2,7 @@ (?i)Api (?i)Apis ahrefs +artipacked autogenerated BCs [Bb]lacken-[Dd]ocs @@ -43,10 +44,14 @@ GitHub Actions Hpertext (?i)Html imag +implictly initialisms initializer internetworking +IPython [Ii]sort +Jupytext +jupyter linenos matplotlib Maxime @@ -55,7 +60,8 @@ metapackage Microelectromechanical monospaced Muela -[Nn]amespace +[Nn]amespace(s?) +NBSphinx nosec npm numpy @@ -84,6 +90,7 @@ PyPI pytest [Pp]ython pythoncom +Pythonic pyvista rebasing recurse @@ -102,8 +109,8 @@ SEO SSH subclassing sublist -[Ss]ubpackage -[Ss]ubpackages +[Ss]ubpackage(s?) +subprocess substring superset tensorflow @@ -127,5 +134,4 @@ Sphinx-Gallery snyk README CSV -zizmor -artipacked \ No newline at end of file +zizmor \ No newline at end of file diff --git a/requirements/requirements_doc.txt b/requirements/requirements_doc.txt index ab361d6b..44586489 100644 --- a/requirements/requirements_doc.txt +++ b/requirements/requirements_doc.txt 
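Review bot: The `+implictly` entry added in the `@@ -43,10 +44,14 @@` hunk of accept.txt whitelists a misspelling instead of correcting it; the word is introduced by this same patch in vulnerabilities.rst (`either implictly in subsequent steps`) and should read `implicitly`. Suggest dropping the vocabulary entry and fixing the spelling in the prose so the vale check keeps catching this class of typo.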
@@ -1,5 +1,5 @@ Sphinx==8.2.3 -ansys-sphinx-theme==1.3.3 +ansys-sphinx-theme==1.6.1 sphinx-copybutton==0.5.2 sphinx_toolbox==4.0.0 sphinx_design==0.6.1