Vulnerability actions
=====================

Vulnerability actions verify that any safety advisories detected for a Python
library are identified and reported, both for the library itself and for its
third-party dependencies.

.. _pyansys_check_vulnerabilities:

Check vulnerabilities action
----------------------------

.. note::

   Users can try out the ``ansys/check-vulnerabilities`` action on their local
   repository by doing the following:

   #. Download the ``check_vulnerabilities.py`` script and the
      ``requirements.txt`` file from the `ansys/check-vulnerabilities action folder `_.
   #. Move the downloaded files to the root of the repository.
   #. Create a virtual environment by running ``python -m venv .venv``.
   #. Activate the virtual environment.
   #. Install the required dependencies by running
      ``pip install -r requirements.txt``.
   #. Install your repository with the command ``pip install -e .``.
   #. Define the following environment variables:

      - ``DEPENDENCY_CHECK_TOKEN``: A GitHub token with the permissions needed
        to read security advisories on the repository you are interested in.
        Scope the token to that repository and to those permissions only.
      - ``DEPENDENCY_CHECK_PACKAGE_NAME``: The Python package name of your
        repository. This is the name you would use in a ``pip install``
        command.
      - ``DEPENDENCY_CHECK_REPOSITORY``: The full name of the repository you
        are interested in, in the ``owner/repository`` format.

   #. Run the script with ``python check_vulnerabilities.py --run-local``.

.. warning::

   The ``ansys/check-vulnerabilities`` action must run on a public repository.
   If the repository is private, the action fails because access is denied.

Documentation on how to address common vulnerabilities can be found in the
`PyAnsys developer's guide `_.

.. jinja:: check-vulnerabilities
   :file: _templates/action.rst.jinja

Check actions security action
-----------------------------

.. jinja:: check-actions-security
   :file: _templates/action.rst.jinja

Check environment approval
--------------------------

This action determines whether a manual approval step is needed in the
workflow. It evaluates the pull request and resolves the environment name to
use. A downstream workflow job should then reference that environment name in
its ``environment`` setting, so that GitHub triggers the manual approval step
when one is required.

.. jinja:: check-environment-approval
   :file: _templates/action.rst.jinja
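Running the check vulnerabilities action locally
------------------------------------------------

The following script wraps the local-run steps listed in the note under
:ref:`pyansys_check_vulnerabilities` into one POSIX shell script. It is an
added example, not code from the ``ansys/actions`` repository. Before touching
the virtual environment it checks that the three ``DEPENDENCY_CHECK_*``
variables are set and well formed, and then does a preflight call to the
standard GitHub REST endpoint ``GET /repos/{owner}/{repo}`` to confirm that the
token can read the repository and that the repository is public, which is the
condition the warning above describes. The ``--run`` flag, the function names
and the validation regexes are this example's own conventions; the script
assumes ``check_vulnerabilities.py`` and ``requirements.txt`` have already
been copied to the repository root.

```shell
#!/bin/sh
# Added example (not part of ansys/actions): runs the documented local steps
# for the ansys/check-vulnerabilities action after validating the inputs.
set -eu

# Accept only "owner/repository": one slash, both parts non-empty and made of
# the characters GitHub allows in account and repository names.
validate_repo() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$'
}

# Accept a pip-installable project name: starts and ends with a letter or
# digit, with dots, underscores and hyphens allowed in between.
validate_package() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$'
}

# Report every missing or malformed variable on stderr; return 1 if any fail.
check_env() {
    status=0
    if [ -z "${DEPENDENCY_CHECK_TOKEN:-}" ]; then
        echo "DEPENDENCY_CHECK_TOKEN is not set" >&2; status=1
    fi
    if ! validate_package "${DEPENDENCY_CHECK_PACKAGE_NAME:-}"; then
        echo "DEPENDENCY_CHECK_PACKAGE_NAME is missing or not a valid package name" >&2
        status=1
    fi
    if ! validate_repo "${DEPENDENCY_CHECK_REPOSITORY:-}"; then
        echo "DEPENDENCY_CHECK_REPOSITORY must look like owner/repository" >&2
        status=1
    fi
    return "$status"
}

# Preflight: the token must be able to read the repository, and the repository
# must be public, because the action is denied access on private repositories.
preflight() {
    body=$(curl -fsS \
        -H "Authorization: Bearer $DEPENDENCY_CHECK_TOKEN" \
        -H "Accept: application/vnd.github+json" \
        "https://api.github.com/repos/$DEPENDENCY_CHECK_REPOSITORY") || {
        echo "token cannot read $DEPENDENCY_CHECK_REPOSITORY" >&2; return 1; }
    if ! printf '%s' "$body" | grep -Eq '"private": *false'; then
        echo "$DEPENDENCY_CHECK_REPOSITORY is private; the action would be denied access" >&2
        return 1
    fi
}

# The documented steps, in order, executed from the repository root.
run_local() {
    check_env
    preflight
    [ -f check_vulnerabilities.py ] && [ -f requirements.txt ] || {
        echo "copy check_vulnerabilities.py and requirements.txt to the repository root first" >&2
        return 1; }
    python -m venv .venv
    # shellcheck disable=SC1091
    . .venv/bin/activate
    pip install -r requirements.txt
    pip install -e .
    python check_vulnerabilities.py --run-local
}

# Only act when invoked with --run, so the functions can be sourced and
# exercised without creating a virtual environment.
if [ "${1:-}" = "--run" ]; then
    run_local
fi
```

Invoke it as ``sh run_check_vulnerabilities.sh --run`` from the repository
root after exporting the three variables. The validation functions are kept
separate from the steps that install packages so that a typo in the
repository name is caught before anything is downloaded, and so that the
script exits non-zero (and therefore fails a CI job) at the first problem.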