Update Workflows to Version 1.0.1 #63
ℹ️ Modified Workflows: This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
The best fix is to add a workflow-level permissions block near the top of .github/workflows/docker_apply_cache.yaml, so all jobs get a restricted default token scope. Keep existing job-level overrides (like check-renv with id-token: write) unchanged, because job-level permissions can extend/override as needed for OIDC.
For this workflow, a safe minimal baseline is:
- contents: read (common read access for repository content)
- optionally actions: read if needed by marketplace actions resolution (often not required explicitly, but acceptable)
Given the static analysis recommendation and least-privilege principle, adding permissions: { contents: read } at workflow root is the single best low-risk change that does not alter intended functionality.
| @@ -1,5 +1,7 @@ | ||
| name: "03 Maintain: Apply Package Cache" | ||
| description: "Generate the package cache for the lesson after a pull request has been merged or via manual trigger, and cache in S3 or GitHub" | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
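Review bot: the added root-level `permissions: contents: read` (lines 4-5 of the hunk) becomes the default for every job in this file, and a job-level `permissions` block replaces the root block rather than extending it; if `check-renv` declares only `id-token: write`, its `contents` scope drops to `none` and any checkout in that job fails, so that job's block should list `contents: read` next to `id-token: write`.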
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
Add an explicit root-level permissions block for the workflow so all jobs (including no-renv-cache-used) are constrained by default. Use least privilege baseline:
- contents: read (common minimal read access)
- packages: read (recommended minimal for package-related workflows; harmless if unused)
Keep the existing check-renv job-level permissions block (id-token: write) as-is, since it appears to require OIDC for AWS role assumption. Job-level permissions will override/augment defaults for that job as needed.
Where to change: .github/workflows/docker_apply_cache.yaml, near the top-level keys (after concurrency is a clean location), before jobs:.
No imports/dependencies/methods are needed (YAML config only).
| @@ -18,6 +18,10 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
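Review bot: `packages: read` in the added block has no visible consumer in this workflow; the jobs shown only check out, echo, and upload artifacts, so drop it and add it back only if the cache build pulls an image from GHCR with `GITHUB_TOKEN`. Every scope granted at the root is inherited by each job that has no block of its own, so the root block should carry nothing speculative.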
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
Add an explicit root-level permissions block in .github/workflows/docker_apply_cache.yaml so all jobs without their own permissions inherit least-privilege defaults. The safest minimal baseline here is:
- contents: read (common for checkout/read repo metadata)
- packages: read (often needed for package/container pulls)
Keep existing job-specific permissions (like the one already under update-renv-cache) unchanged; job-level permissions will continue to override root-level defaults where needed.
Edit near the top of the workflow (after concurrency is a clean location) and add the block before jobs:.
| @@ -18,6 +18,10 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
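Review bot: this hunk is identical to the root-level block already proposed for the `no-renv-cache-used` alert in the same file; one top-level `permissions:` key closes all three CodeQL alerts on docker_apply_cache.yaml, so apply it once, because a second top-level `permissions:` key would be a duplicate mapping key and the workflow would fail to load.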
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
Add an explicit permissions block to the preflight job in .github/workflows/docker_build_deploy.yaml so the token is minimally scoped for that job.
Best single fix (without changing functionality): set contents: read under jobs.preflight, since the job checks out code and reads metadata, and there is no shown write operation in that job. Keep existing permissions for other jobs unchanged.
Edit region: in .github/workflows/docker_build_deploy.yaml, directly under:
preflight:
  name: "Preflight: Schedule, Push, or PR?"
  runs-on: ubuntu-latest
insert:
permissions:
  contents: read
No imports/dependencies/methods are needed.
| @@ -44,6 +44,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
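Review bot: `contents: read` for `preflight` matches what the job does (checkout plus version lookups) and also bounds what `carpentries/actions/build-preflight@main` and `carpentries/actions/container-version@main` can do with the `GITHUB_TOKEN` the job hands them through `env` and the `token:` input; because both are referenced by a moving branch rather than a tag or commit SHA, keeping this job read-only is worth doing independently of the CodeQL alert.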
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
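Review bot: the job id changes from `check_renv` to `check-renv` at the top of the hunk, so every `needs: check_renv` and `needs.check_renv.outputs.*` reference elsewhere in update-cache.yaml has to change in the same commit or the workflow fails validation. The move from `ubuntu-22.04` to `ubuntu-latest` also makes the runner image a moving target; that is a behaviour change worth calling out in the PR description for the 1.0.1 bump.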
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
Add a workflow-level permissions block near the top of .github/workflows/update-cache.yaml (after on: is the safest placement here), setting minimal default permissions for jobs that do not declare their own permissions.
Best fix for this file:
- Add:
permissions:
  contents: read
- Do not remove or alter update_cache job permissions; its job-level write scopes are likely required for PR creation and should override the workflow default.
- No imports, methods, or dependencies are needed (YAML config-only change).
| @@ -25,6 +25,9 @@ | ||
| default: false | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| LOCKFILE_CACHE_GEN: ${{ vars.LOCKFILE_CACHE_GEN || github.event.inputs.generate-cache || 'false' }} | ||
| FORCE_RENV_INIT: ${{ vars.FORCE_RENV_INIT || github.event.inputs.force-renv-init || 'false' }} |
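Review bot: placing the root block between `inputs:` and `env:` is fine, but the `update_cache` job's own `permissions` block, which the autofix text says carries write scopes for PR creation, now needs to enumerate every scope that job uses (for example `contents: write` and `pull-requests: write`), since with a root block present a job gets only what its own block lists and nothing it relied on implicitly before.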
Force-pushed: 7f617e7 to 3698b7c
Force-pushed: 3698b7c to 342b5ea
| name: "Record Caching Status" | ||
| runs-on: ubuntu-latest | ||
| needs: [check-renv, update-renv-cache] | ||
| if: always() | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Record cache result" | ||
|
|
||
| run: | | ||
| echo "${{ needs.update-renv-cache.result == 'success' || needs.check-renv.outputs.renv-cache-available == 'true' || 'false' }}" > ${{ github.workspace }}/apply-cache-result | ||
| shell: bash | ||
|
|
||
| - name: "Upload cache result" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: apply-cache-result | ||
| path: ${{ github.workspace }}/apply-cache-result |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
Add an explicit permissions block to the workflow so all jobs (including record-cache-result) inherit least-privilege defaults.
Best single fix with minimal functional change: add a root-level permissions section after concurrency and before jobs.
Given this workflow uploads artifacts and uses OIDC for AWS credentials, include:
- contents: read (safe baseline for checkout/read operations)
- actions: read (safe for reading action metadata)
- id-token: write (required for OIDC token minting used by aws-actions/configure-aws-credentials)
No imports/dependencies/methods are needed (YAML config only).
File to edit: .github/workflows/docker_apply_cache.yaml in the top-level section around lines 16–21.
| @@ -18,6 +18,11 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
| actions: read | ||
| id-token: write | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
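Review bot: `id-token: write` at the root (last line of the added block) lets every job in this file mint an OIDC token, including `record-cache-result`, which only writes an artifact, and the echo-only `no-renv-cache-used` and `renv-cache-available` jobs. Keep the root block at `contents: read` (plus `actions: read` if the artifact steps turn out to need it) and leave `id-token: write` on the job that actually calls `aws-actions/configure-aws-credentials`, as the earlier suggestion for this same file already does.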
Force-pushed: 342b5ea to db27d3d
Force-pushed: db27d3d to 8f9e53d
Force-pushed: 8f9e53d to 2d9ff63
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 1.0.1
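As an added illustration, not part of this PR and not code from the sandpaper or carpentries workflows, the workflow below shows the semantics every autofix comment above depends on: a root-level `permissions` block sets the token scopes for each job that declares none, and a job-level block replaces that default entirely instead of adding to it. The job names, the placeholder role ARN and the region are assumptions made for the example.

```yaml
# Added example (not from the workflows in this PR): how a root-level
# permissions block interacts with a job-level block.
# Assumptions: job names are invented; the role ARN and region are placeholders.
name: "Least-privilege token example"

on:
  workflow_dispatch:

# Root-level default: every job that does NOT declare its own `permissions`
# gets exactly this set; every scope not listed is `none`.
permissions:
  contents: read

jobs:
  read-only:
    runs-on: ubuntu-latest
    # No block here, so this job inherits `contents: read` from the root.
    steps:
      - uses: actions/checkout@v4

  assume-role:
    runs-on: ubuntu-latest
    # A job-level block REPLACES the root block; it does not extend it.
    # Declaring only `id-token: write` would set `contents: none` and the
    # checkout step below would fail, so `contents: read` is repeated here.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER-ROLE  # placeholder
          aws-region: us-east-1  # placeholder

  no-token-needed:
    runs-on: ubuntu-latest
    # Jobs that only echo or upload artifacts should stay on the root default
    # rather than receiving `id-token: write` they never use.
    steps:
      - run: echo "no credentials required in this job"
```

The practical check before merging any of the root-level blocks proposed in this PR is to walk each job that already has its own `permissions` key and confirm it lists every scope its steps use, because the root block stops being a floor for that job the moment the job declares its own.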