Update Workflows to Version 1.0.1 #58
ℹ️ Modified Workflows: This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
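Review bot: neither this `preflight` job nor the `check-renv` job that follows declares `permissions:`, and no workflow-level block is visible, so both run with the repository's default GITHUB_TOKEN scopes; add a workflow-level `permissions:` with `contents: read` and keep the elevated `id-token: write` on `check-renv` only. As a style point, the `run: |` script interpolates `${{ github.event_name }}`, `${{ github.ref }}` and the pull-request fields directly into bash; these particular values are set by GitHub rather than taken from pull-request content, but passing them in through `env:` and reading `$EVENT_NAME` and friends in the script keeps it free of expression interpolation if the condition is later extended to user-supplied fields such as a branch name or title.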
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, about 1 month ago):
Add a workflow-level permissions block near the top of .github/workflows/docker_apply_cache.yaml (after on: and before concurrency: is a clean location) to enforce least privilege for all jobs by default.
Best fix here (without changing functionality): set default read-only permissions required by typical checkout/artifact usage:
- `contents: read`
- `packages: read`
Keep the existing job-level override in check-renv:
- `id-token: write`
Because job-level permissions override workflow-level defaults, this preserves OIDC behavior for check-renv while ensuring every other job gets explicitly restricted token access.
| @@ -13,6 +13,10 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
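Review bot: this hunk grants `packages: read` at the workflow level, but nothing visible in the workflow reads packages with GITHUB_TOKEN; a least-privilege baseline should carry `contents: read` only unless a job pulls from GHCR with that token. Also, the accompanying text says to "keep" `id-token: write` on `check-renv`, yet a job-level `permissions:` block replaces the workflow-level one rather than merging with it, so after this change `check-renv` would hold `id-token: write` and nothing else; if that job checks out the repository or hands GITHUB_TOKEN to an action, add `contents: read` to its own block as well (the second suggested fix on this page does exactly that).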
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
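Review bot: the "No renv cache used" job and `renv-cache-available` below only run `echo`, but without a workflow-level `permissions:` block they are still issued a GITHUB_TOKEN with the repository default scopes, which is what CodeQL flags here; a single workflow-level `permissions:` with `contents: read` covers them without editing either job, and a job that needs no token at all can declare `permissions: {}`.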
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, about 1 month ago):
Add an explicit top-level permissions block in .github/workflows/docker_apply_cache.yaml so all jobs default to least privilege.
Use:
- `contents: read` (safe minimal baseline for checkout/read access)
- `packages: read` (recommended minimal read scope for package operations)
Then, keep job-specific elevated permissions only where required. The existing check-renv job already needs OIDC (id-token: write), but once a job-level permissions block exists, unspecified scopes become none. Since that job passes ${{ secrets.GITHUB_TOKEN }} to an action, add contents: read there too so token-based read operations continue to work.
Edits are confined to:
- Insert workflow-level `permissions` after `concurrency`
- Update `jobs.check-renv.permissions` to include `contents: read` alongside `id-token: write`
No imports/dependencies are needed.
| @@ -18,6 +18,10 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" | ||
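Review bot: as with the first suggestion, `packages: read` is not justified by any visible step; every scope listed here is inherited by every job that has no block of its own, so keep the root block at `contents: read` and add `packages: read` only on a job that is shown to pull from GHCR with GITHUB_TOKEN. Placing the block between `concurrency:` and `jobs:` is fine.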
| @@ -44,6 +48,7 @@ | ||
| if: needs.preflight.outputs.do-apply == 'true' | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| outputs: | ||
| renv-needed: ${{ steps.check-for-renv.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.check-for-renv.outputs.renv-cache-hashsum }} |
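Review bot: adding `contents: read` beside `id-token: write` is the necessary half of this suggestion: because a job-level block does not merge with the workflow-level one, `check-renv` would otherwise lose read access to the repository the moment the root block is introduced, despite the first fix's claim that the override "preserves" behaviour. Worth confirming that `id-token: write` is still needed on this job, i.e. that it is the job calling the OIDC credential action; an OIDC-capable token in a job that only computes outputs is an unnecessary grant.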
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, about 1 month ago):
Add an explicit root-level permissions block in .github/workflows/docker_apply_cache.yaml so all jobs without their own permissions are constrained by default.
Best single fix without changing functionality:
- Insert at the workflow root (after `concurrency` and before `jobs`): `permissions:` with `contents: read`
Why this is best:
- It addresses the CodeQL finding for jobs like `renv-cache-available`.
- It preserves existing behavior for jobs that already define their own `permissions` (like `update-renv-cache`), since job-level settings override workflow-level defaults.
- It applies least privilege across the whole workflow with minimal change surface.
No imports, methods, or dependencies are needed (YAML workflow change only).
| @@ -18,6 +18,9 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
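The three Copilot suggestions above all hinge on one rule: a job-level `permissions:` block replaces the workflow-level one rather than merging with it, and a job with neither gets the repository's default token scopes. The Python script below is an added example, not code from this pull request or from the sandpaper or carpentries projects. It walks a workflow file line by line (assuming 2-space block-style YAML, and using no YAML library) and reports each job's effective scopes, so both the CodeQL "no permissions block" case and the "`check-renv` ends up with `id-token` only" case from the second suggestion can be checked before merging. The two sample workflows embedded in it are constructed for the example and only mimic the shape of the real file.

```python
"""Effective GITHUB_TOKEN scopes per job in a GitHub Actions workflow.

Added example, not part of the pull request. Assumptions: 2-space block-style
YAML, `permissions:` given either as a mapping of `scope: level` lines, as the
`read-all` / `write-all` shorthand, or as `{}`; stdlib only, no YAML parser.
"""
import re

# `key: value  # comment` at any indentation; list items (`- name: x`) do not match.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*(#.*)?$")


def _parse_scopes(lines, start, parent_indent):
    """Collect `scope: level` pairs nested under a `permissions:` key at `parent_indent`."""
    scopes = {}
    for line in lines[start:]:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m or len(m.group(1)) <= parent_indent:
            break  # dedented: the permissions block is over
        scopes[m.group(2)] = m.group(3)
    return scopes


def _block(lines, idx, value, indent):
    """Inline shorthand (`read-all`, `{}`) or a nested mapping starting on the next line."""
    if value == "{}":
        return {}
    return {"_shorthand": value} if value else _parse_scopes(lines, idx + 1, indent)


def effective_permissions(workflow_text):
    """Return {job_id: scopes}. A job-level block REPLACES the workflow-level one
    (no merging); a job with neither gets the repository default, reported as None."""
    lines = workflow_text.splitlines()
    root_scopes, jobs, in_jobs, current_job = None, {}, False, None
    for idx, line in enumerate(lines):
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:                       # top-level workflow key
            in_jobs, current_job = key == "jobs", None
            if key == "permissions":
                root_scopes = _block(lines, idx, value, 0)
        elif in_jobs and indent == 2:         # a job id under `jobs:`
            current_job = key
            jobs[key] = None
        elif in_jobs and indent == 4 and current_job and key == "permissions":
            jobs[current_job] = _block(lines, idx, value, 4)
    return {job: (own if own is not None else root_scopes) for job, own in jobs.items()}


def jobs_with_default_token(workflow_text):
    """Jobs that run with the repository default token: the CodeQL
    'Workflow does not contain permissions' case."""
    return sorted(j for j, s in effective_permissions(workflow_text).items() if s is None)


def jobs_lacking(workflow_text, scope):
    """Jobs whose explicit block omits `scope` (e.g. `contents`), which a job-level
    override silently drops because blocks never merge."""
    return sorted(j for j, s in effective_permissions(workflow_text).items()
                  if s is not None and "_shorthand" not in s and scope not in s)


# Constructed sample: the shape of the apply-cache workflow before any fix.
BEFORE = """\
name: "Apply Package Cache"
on:
  pull_request:
    types: [closed]
concurrency:
  group: docker-apply-cache
jobs:
  preflight:
    runs-on: ubuntu-latest
    steps:
      - run: echo "preflight"
  check-renv:
    runs-on: ubuntu-latest
    needs: preflight
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
  renv-cache-available:
    runs-on: ubuntu-latest
    needs: check-renv
    steps:
      - run: echo "renv cache available for this lesson"
"""

# Same workflow with the suggested workflow-level baseline inserted before `jobs:`.
AFTER = BEFORE.replace("jobs:\n", "permissions:\n  contents: read\njobs:\n", 1)

if __name__ == "__main__":
    print("default-token jobs before:", jobs_with_default_token(BEFORE))
    print("default-token jobs after: ", jobs_with_default_token(AFTER))
    print("check-renv after the fix: ", effective_permissions(AFTER)["check-renv"])
    print("jobs still missing contents:", jobs_lacking(AFTER, "contents"))
```

Run against the two samples, the script reports `preflight` and `renv-cache-available` as default-token jobs before the fix and none after it, while `check-renv` keeps only `id-token: write` in both cases, which is the reason the second suggestion adds `contents: read` to that job's own block.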
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
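Review bot: the job-level `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` hands the token to every step in `preflight`, while the only explicit consumer visible is `container-version`, which already receives it through `with: token:`; unless `build-preflight` is known to read the token from the environment, drop the job-level `env:` entry so the token reaches only the step that needs it. Both `carpentries/actions/build-preflight@main` and `carpentries/actions/container-version@main` are pinned to a branch rather than a commit SHA, so any push to that branch changes what runs here with the token; pin to a full SHA and let an update bot bump it. The CodeQL finding on `full-build:` below is the missing `permissions:` block; `contents: read` on this job is enough for `actions/checkout@v4`.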
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, about 1 month ago):
Add an explicit permissions block to the preflight job with least privilege, specifically contents: read. This satisfies CodeQL’s requirement and aligns with least-privilege practice. Since other jobs already have their own explicit permissions, only preflight needs to be changed. No imports, methods, or dependency changes are needed.
Edit only .github/workflows/docker_build_deploy.yaml, in the jobs.preflight section, immediately after runs-on.
| @@ -44,6 +44,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
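Review bot: `contents: read` on `preflight` covers `actions/checkout@v4`, but a job-level block sets every unlisted scope to `none`; since the job passes GITHUB_TOKEN to `carpentries/actions/container-version@main` and exposes it via `env:` to `build-preflight`, check what those actions call with the token (package or release metadata, for example) before merging, because a scope they need becomes an API failure at run time rather than a CodeQL finding.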
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
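Review bot: renaming the job id `check_renv` to `check-renv` means every `needs:` entry and `needs.check_renv.outputs.*` reference in this file must change in the same commit, or the dependent job fails workflow validation; the fix text below still refers to an `update_cache` job, so the file now mixes underscore and hyphen ids, and one convention should be picked. Moving from `ubuntu-22.04` to `ubuntu-latest` trades a reproducible runner image for automatic updates, which is acceptable for CI but worth a line in the changelog. The extra space in the `if:` expression is a harmless style fix.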
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, about 1 month ago):
Add an explicit root-level permissions block in .github/workflows/update-cache.yaml so all jobs have constrained defaults, while keeping the existing job-level permissions for update_cache unchanged (job-level values override root where needed).
Best single fix without changing functionality:
- Insert at workflow root (after `on:` block, before `env:` is ideal): `permissions:` with `contents: read`
- This gives `preflight` and `check-renv` least-privilege baseline access and preserves existing behavior for `update_cache` since it already declares broader write scopes.
No imports/dependencies/methods are needed (YAML config only).
| @@ -25,6 +25,9 @@ | ||
| default: false | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| LOCKFILE_CACHE_GEN: ${{ vars.LOCKFILE_CACHE_GEN || github.event.inputs.generate-cache || 'false' }} | ||
| FORCE_RENV_INIT: ${{ vars.FORCE_RENV_INIT || github.event.inputs.force-renv-init || 'false' }} |
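Review bot: a root-level `contents: read` is the right minimal baseline here; since `update_cache` keeps its own broader job-level block, that block must list every scope the job uses, because it does not inherit `contents: read` from this one. Placing the block directly before `env:` is fine.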
2c7beb2 to 3e904fb
3e904fb to 44c88e6
| name: "Record Caching Status" | ||
| runs-on: ubuntu-latest | ||
| needs: [check-renv, update-renv-cache] | ||
| if: always() | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Record cache result" | ||
|
|
||
| run: | | ||
| echo "${{ needs.update-renv-cache.result == 'success' || needs.check-renv.outputs.renv-cache-available == 'true' || 'false' }}" > ${{ github.workspace }}/apply-cache-result | ||
| shell: bash | ||
|
|
||
| - name: "Upload cache result" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: apply-cache-result | ||
| path: ${{ github.workspace }}/apply-cache-result |
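Review bot: the job-level `env: GITHUB_TOKEN` is not used by either step shown (`echo` into a file and `actions/upload-artifact@v4`, which takes no token input), so remove it; with no workflow-level `permissions:` block, this job is also one of those CodeQL flags. `if: always()` runs the recording step even when the run is cancelled, so a cancelled run is recorded as `false` and uploaded as if the job had completed; if that is not intended, `if: ${{ !cancelled() }}` still records failures but skips cancellations. The `||` chain ending in `'false'` is correct, since a skipped `update-renv-cache` yields a result of `skipped` rather than `success`.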
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, about 1 month ago):
Add an explicit permissions block at the workflow root so all jobs inherit least-privilege defaults. For this workflow, a safe minimal baseline is:
- `contents: read` (common for checkout/read operations)
- `actions: read` (safe baseline for action metadata access)
Additionally, because the workflow configures AWS via OIDC (aws-actions/configure-aws-credentials@v6 with role assumption), it needs:
- `id-token: write` (required to request OIDC token)
Apply this in .github/workflows/docker_apply_cache.yaml directly under description and before on:. This preserves existing behavior while explicitly constraining token permissions.
| @@ -1,5 +1,9 @@ | ||
| name: "03 Maintain: Apply Package Cache" | ||
| description: "Generate the package cache for the lesson after a pull request has been merged or via manual trigger, and cache in S3 or GitHub" | ||
| permissions: | ||
| contents: read | ||
| actions: read | ||
| id-token: write | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
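Review bot: granting `id-token: write` (and `actions: read`) at the workflow root lets every job, including the echo-only status jobs, request an OIDC token that AWS will exchange for the configured role; keep `id-token: write` on the job that runs `aws-actions/configure-aws-credentials` and leave the root block at `contents: read`. This is also the third different baseline proposed for the same file on this page (`contents` plus `packages`, `contents` only, and this one), so one root block should be chosen and applied once. Placing `permissions:` between `description:` and `on:` is valid, since key order in a workflow file does not matter, but after `on:` is where readers expect it.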
44c88e6 to eab816c
eab816c to 87c38f3
87c38f3 to 983ef6c
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 1.0.1