fix: security zizmor issues (#4357)

* ci: add zizmor and bandit pre-commit hooks with configurations

* ci: update pre-commit hook revisions for various repositories

* chore: adding changelog file 4345.maintenance.md [dependabot-skip]

* ci: add concurrency settings to various workflows for improved job management

* ci: update pre-commit hooks configuration to exclude tests directory from bandit checks

* Update .pre-commit-config.yaml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* ci: remove concurrency settings from local and remote testing workflows

* ci: add concurrency limits ignore comments to local and remote testing workflows

* fix: remove zizmor and bandit pre-commit hooks for security issues

* chore: adding changelog file 4357.fixed.md [dependabot-skip]

---------

Co-authored-by: pyansys-ci-bot <92810346+pyansys-ci-bot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

.github/dependabot.yml

@@ -22,7 +22,6 @@ updates:
 
   - directory: "/" # Location of package manifests
     package-ecosystem: "pip" # See documentation for possible values
-    insecure-external-code-execution: allow
     schedule:
       interval: "weekly"
       day: "friday"

.github/workflows/approver.yml

@@ -24,6 +24,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   autoapprove:
     # This job only runs for pull request comments
@@ -33,7 +37,7 @@ jobs:
           github.event.comment.user.login == 'germa89'
         )) || ( github.event_name == 'workflow_dispatch' )
     permissions:
-      pull-requests: write
+      pull-requests: write  # Needed to approve pull requests
     runs-on: ubuntu-latest
     steps:
 

.github/workflows/cache_cleaner.yml

@@ -7,12 +7,16 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   cleanup:
     name: Cleanup caches
     runs-on: ubuntu-latest
     permissions:
-      actions: write
+      actions: write  # Needed to delete cache entries
     steps:
       - name: Check out code
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0

.github/workflows/ci.yml

@@ -42,7 +42,7 @@ jobs:
     name: Adding assignee if there is none.
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      pull-requests: write  # Needed to add assignees to pull requests
     steps:
       - uses: actions-ecosystem/action-add-assignees@a5b84af721c4a621eb9c7a4a95ec20a90d0b88e9 #v1.0.1
         if: |
@@ -61,10 +61,10 @@ jobs:
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      pull-requests: write
+      contents: write  # Needed to update changelog files
+      pull-requests: write  # Needed to create pull requests with changelog updates
     steps:
-      - uses: ansys/actions/doc-deploy-changelog@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
+      - uses: ansys/actions/doc-deploy-changelog@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
         with:
           token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
           bot-user: ${{ secrets.PYANSYS_CI_BOT_USERNAME }}
@@ -76,10 +76,10 @@ jobs:
     name: Check the name of the pull-request
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: read
+      pull-requests: read  # Needed to read pull request details
     steps:
       - name: Check pull-request name
-        uses: ansys/actions/check-pr-title@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
+        uses: ansys/actions/check-pr-title@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -94,7 +94,7 @@ jobs:
         folder: ["doc", "examples"]
     steps:
       - name: "Ansys documentation style checks"
-        uses: ansys/actions/doc-style@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
+        uses: ansys/actions/doc-style@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           files: ${{ matrix.folder }}
@@ -122,7 +122,7 @@ jobs:
     steps:
       - name: "Build wheelhouse and perform smoke test"
         id: build-wheelhouse
-        uses: ansys/actions/build-wheelhouse@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
+        uses: ansys/actions/build-wheelhouse@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
         with:
           library-name: ${{ env.PACKAGE_NAME }}
           operating-system: ${{ matrix.os }}
@@ -150,7 +150,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: ansys/actions/check-vulnerabilities@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
+      - uses: ansys/actions/check-vulnerabilities@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
         with:
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
           token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
@@ -161,7 +161,7 @@ jobs:
     name: "Check actions security"
     runs-on: ubuntu-latest
     steps:
-      - uses: ansys/actions/check-actions-security@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
+      - uses: ansys/actions/check-actions-security@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
         with:
           generate-summary: true
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -173,8 +173,8 @@ jobs:
     needs: doc-style
     uses: ./.github/workflows/doc-build.yml
     permissions:
-      contents: read
-      packages: read
+      contents: read  # Needed to read repository contents for documentation build
+      packages: read  # Needed to pull Docker images from GitHub packages
     secrets:
       license-server: ${{ secrets.LICENSE_SERVER }}
       username: ${{ github.actor }}
@@ -187,10 +187,10 @@ jobs:
     needs: docs-build
     if: contains(github.event.pull_request.labels.*.name, 'deploy pr docs')
     permissions:
-      contents: write
-      pull-requests: write
+      contents: write  # Needed to push documentation to gh-pages branch
+      pull-requests: write  # Needed to comment on pull requests with documentation link
     steps:
-      - uses: ansys/actions/doc-deploy-pr@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
+      - uses: ansys/actions/doc-deploy-pr@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
         with:
           cname: ${{ env.DOCUMENTATION_CNAME }}
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -203,14 +203,14 @@ jobs:
     name: "Build remote test matrix"
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: read  # Needed to read repository contents for matrix build
     if: github.ref != 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
 
     steps:
       - name: "Install Git and checkout project"
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
         with:
           persist-credentials: false
 
@@ -230,8 +230,8 @@ jobs:
       fail-fast: false
       matrix: ${{ fromJson(needs.build-test-remote-matrix.outputs.matrix) }}
     permissions:
-      contents: read
-      packages: read
+      contents: read  # Needed to read repository contents for tests
+      packages: read  # Needed to pull Docker images from GitHub packages
     uses: ./.github/workflows/test-remote.yml
     secrets:
       license-server: ${{ secrets.LICENSE_SERVER }}
@@ -248,13 +248,13 @@ jobs:
     name: "Build test matrix for minimal and local"
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: read  # Needed to read repository contents for matrix build
     if: github.ref != 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - name: "Install Git and checkout project"
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
         with:
           persist-credentials: false
 
@@ -273,8 +273,8 @@ jobs:
     needs: [smoke-tests, build-test-local-matrix]
     uses: ./.github/workflows/test-local.yml
     permissions:
-      contents: read
-      packages: read
+      contents: read  # Needed to read repository contents for tests
+      packages: read  # Needed to pull Docker images from GitHub packages
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.build-test-local-matrix.outputs.matrix) }}
@@ -301,8 +301,8 @@ jobs:
     needs: [build-test-ubuntu-local, build-test-remote]
     uses: ./.github/workflows/test-local.yml
     permissions:
-      contents: read
-      packages: read
+      contents: read  # Needed to read repository contents for tests
+      packages: read  # Needed to pull Docker images from GitHub packages
     strategy:
       fail-fast: false
       matrix:
@@ -329,8 +329,8 @@ jobs:
     if: github.ref != 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
     needs: [build-test-ubuntu-local, build-test-remote]
     permissions:
-      contents: read
-      packages: read
+      contents: read  # Needed to read repository contents for tests
+      packages: read  # Needed to pull Docker images from GitHub packages
     uses: ./.github/workflows/test-local.yml
     strategy:
       fail-fast: false
@@ -358,10 +358,10 @@ jobs:
     needs: [build-test-remote, build-test-ubuntu-local, build-test-ubuntu-minimal, docs-build]
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: read  # Needed to read repository contents for packaging
     steps:
       - name: "Build library source and wheel artifacts"
-        uses: ansys/actions/build-library@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
+        uses: ansys/actions/build-library@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
         with:
           library-name: ${{ env.PACKAGE_NAME }}
           python-version: ${{ env.MAIN_PYTHON_VERSION }}
@@ -375,11 +375,11 @@ jobs:
     # Specifying a GitHub environment is optional, but strongly encouraged
     environment: release
     permissions:
-      id-token: write
-      contents: write
+      id-token: write  # Required for trusted publishing to PyPI
+      contents: write  # Needed to create GitHub releases
     steps:
       - name: "Download the library artifacts from build-library step"
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: ${{ env.PACKAGE_NAME }}-artifacts
           path: ${{ env.PACKAGE_NAME }}-artifacts
@@ -396,7 +396,7 @@ jobs:
           skip-existing: false
 
       - name: "Release to GitHub"
-        uses: ansys/actions/release-github@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
+        uses: ansys/actions/release-github@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
         with:
           library-name: ${{ env.PACKAGE_NAME }}
           additional-artifacts: "minimum_requirements.txt"
@@ -408,11 +408,11 @@ jobs:
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: write  # Needed to push documentation to gh-pages branch
     needs: [release]
     steps:
       - name: "Deploy the stable documentation"
-        uses: ansys/actions/doc-deploy-stable@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
+        uses: ansys/actions/doc-deploy-stable@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
         with:
           cname: ${{ env.DOCUMENTATION_CNAME }}
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -426,11 +426,11 @@ jobs:
     if: github.ref == 'refs/heads/main' && !contains(github.ref, 'refs/tags')
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: write  # Needed to push documentation to gh-pages branch
     needs: [docs-build]
     steps:
       - name: "Deploy the latest documentation"
-        uses: ansys/actions/doc-deploy-dev@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
+        uses: ansys/actions/doc-deploy-dev@21c9de9bee9692173780696d4a39964f20b9cfa3 #v10.1.5
         with:
           cname: ${{ env.DOCUMENTATION_CNAME }}
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -444,7 +444,7 @@ jobs:
     if: failure() && github.event_name == 'schedule'
     runs-on: ubuntu-latest
     permissions:
-      issues: write
+      issues: write  # Needed to create issues on build failures
     steps:
       - name: "Open issue"
         uses: jayqi/failed-build-issue-action@1a893bbf43ef1c2a8705e2b115cd4f0fe3c5649b #v1.2.0
@@ -467,7 +467,7 @@ jobs:
         os: [ubuntu-latest, windows-latest]
 
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
         with:
           persist-credentials: false
 
@@ -485,11 +485,11 @@ jobs:
     if: always()
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      actions: write
+      contents: read  # Needed to read repository contents
+      actions: write  # Needed to generate workflow summaries
     steps:
       - name: "Install Git and checkout project"
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 #v6.0.0
         with:
           persist-credentials: false
 

.github/workflows/codeql-analysis.yml

@@ -21,6 +21,10 @@ on:
 
 permissions: {}
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
@@ -31,15 +35,10 @@ jobs:
     # Consider using larger runners or machines with greater resources for possible analysis time improvements.
     runs-on: 'ubuntu-latest'
     permissions:
-      # required for all workflows
-      security-events: write
-
-      # required to fetch internal or private CodeQL packs
-      packages: read
-
-      # only required for workflows in private repositories
-      actions: read
-      contents: read
+      security-events: write  # Required to upload security scanning results
+      packages: read  # Required to fetch internal or private CodeQL packs
+      actions: read  # Required for workflows in private repositories
+      contents: read  # Required to read the repository contents
 
     strategy:
       fail-fast: false

.github/workflows/doc-build.yml

@@ -63,15 +63,18 @@ on:
           Password for the GitHub container registry.
         required: true
 
+# zizmor: ignore[concurrency-limits]
+# Concurrency is controlled by the parent workflow (ci.yml)
+
 permissions: {}
 
 jobs:
   doc-build:
     name: Build documentation
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      packages: read
+      contents: read  # Needed to read repository contents for documentation build
+      packages: read  # Needed to pull Docker images from GitHub packages
     env:
       ON_CI: True
       ON_DOCUMENTATION: TRUE

.github/workflows/docker_clean_untagged.yml

@@ -15,8 +15,8 @@ jobs:
     name: Cleaning unnecessary packages
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      packages: write
+      contents: read  # Needed to read repository contents
+      packages: write  # Needed to delete untagged Docker images
     env:
       PACKAGE_DELETION_TOKEN: ${{ secrets.GITHUB_TOKEN }}