Update Workflows to Version 1.0.1#218
Conversation
ℹ️ Modified Workflows: This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
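Review bot: the merge check on the `if [[ ... ]]` line compares `github.ref` with `refs/heads/main`, which only holds for triggers where the ref resolves to the base branch (for example `pull_request_target`); on a plain `pull_request` `closed` event `github.ref` is `refs/pull/<n>/merge`, so a merged PR would never match and `merged_or_manual` would always be `false`. Please confirm the `on:` trigger, which this hunk does not show. Separately, `${{ github.event_name }}`, `${{ github.ref }}`, `${{ github.event.action }}` and `${{ github.event.pull_request.merged }}` are interpolated straight into the bash script; these particular values are set by GitHub rather than by the PR author, but passing them through `env:` and reading them as shell variables keeps the step out of the script-injection pattern CodeQL flags for user-controlled context.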
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
Add an explicit top-level permissions block in .github/workflows/docker_apply_cache.yaml so every job gets least-privilege defaults unless overridden.
Best single fix without changing behavior: define conservative read permissions at workflow root (contents: read, packages: read). Keep the existing job-level override on check-renv (id-token: write) unchanged, since it appears required for OIDC role assumption. This satisfies CodeQL and preserves current functionality.
| @@ -13,6 +13,10 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
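Review bot: `packages: read` at the workflow root is granted without anything in the hunk (or in the suggestion text) showing a step that pulls a package with the token; public GHCR images pull anonymously, so `contents: read` alone is the tighter baseline. Whichever baseline is chosen, a root `permissions:` block replaces the repository default for every job that lacks its own block, so the `id-token: write` the suggestion says check-renv already declares must stay at job level or the OIDC step stops working.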
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
Add an explicit root-level permissions block in .github/workflows/docker_apply_cache.yaml so all jobs default to least privilege.
Best minimal, non-breaking baseline here is:
- contents: read (common for checkout/read operations)
- actions: read (safe minimal read access for workflow metadata/actions)
Then keep existing job-level overrides (like check-renv with id-token: write) as-is; job-level permissions override root defaults as needed. This preserves behavior while satisfying CodeQL and documenting intended access.
Change location: near the top of the workflow, after on: block (before concurrency: is a clean placement).
| @@ -13,6 +13,10 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
| actions: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
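Review bot: `actions: read` is only needed when a step calls the Actions API (listing runs, downloading artifacts from other runs); neither the hunk nor the suggestion names such a step, so it is an extra scope rather than a documented requirement. This is also one of several autofixes on the same file each proposing a different root block (`contents` plus `packages`, `contents` plus `actions`, `contents` alone, `contents` plus `id-token`); the set should come from auditing what each job's steps actually call, not from whichever suggestion happens to be applied last.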
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
Add an explicit top-level permissions: block in .github/workflows/docker_apply_cache.yaml so all jobs without their own permissions inherit a restricted baseline.
Best single fix (without changing behavior): add:
permissions:
  contents: read
near the top of the workflow (after concurrency and before jobs is a clean location).
This preserves existing job logic, keeps update-renv-cache’s existing job-specific permissions intact, and satisfies CodeQL by ensuring all jobs (including renv-cache-available) have explicit token scoping.
No imports, methods, or external definitions are needed (YAML workflow config only).
| @@ -18,6 +18,9 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
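Review bot: `contents: read` alone is the most conservative of the root-level baselines proposed on this file and the one to prefer, but the claim that it leaves update-renv-cache intact holds only if that job's own `permissions:` block, and the `id-token: write` needed wherever `aws-actions/configure-aws-credentials` runs, is declared at job level. With a root block in place, any job that omitted its own block silently drops to read-only and the OIDC step fails at runtime rather than at workflow validation, so please check every job in the file, not only the ones named in the suggestion.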
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
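Review bot: `carpentries/actions/build-preflight@main` and `carpentries/actions/container-version@main` are referenced by a mutable branch, and container-version receives `token: ${{ secrets.GITHUB_TOKEN }}` while the job also exports `GITHUB_TOKEN` via `env:` to every step; any later commit to that branch runs here with the token. Pinning both to a release tag or, better, a full commit SHA with the version in a comment is the standard mitigation. The job-level `env: GITHUB_TOKEN` can then go: the step that needs the token already gets it through `with: token:`, and if build-preflight needs it too, pass it the same explicit way rather than exposing it to every step. `actions/checkout@v4` is at least a tag, though the same SHA-pinning applies.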
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
Add an explicit permissions block to the preflight job in .github/workflows/docker_build_deploy.yaml so the GITHUB_TOKEN is constrained to least privilege.
Best fix (minimal, no functional change): under jobs.preflight, add:
permissions:
  contents: read
contents: read is sufficient for checkout and read-oriented operations in this preflight stage, and aligns with CodeQL’s suggested minimal starting point. This change is localized to the preflight job and does not alter behavior of other jobs that already define their own permissions.
| @@ -44,6 +44,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
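Review bot: a job-level `permissions:` block on preflight bounds the `GITHUB_TOKEN` this job exports through `env:` and passes to container-version, which is the right place for it; unlike the root-level autofixes on docker_apply_cache.yaml, though, it leaves the repository default in force for any job in docker_build_deploy.yaml that has no block of its own. The suggestion states that the other jobs already define their permissions; this hunk does not show them, so that should be verified against the full file before the warning is treated as resolved.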
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
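Review bot: renaming the job id from `check_renv` to `check-renv` (alongside `ubuntu-22.04` to `ubuntu-latest`) changes the key that every downstream `needs:` and `needs.check_renv.outputs.*` expression refers to; this hunk is truncated (48 lines replaced by 42) so those references are not visible here, and a stale `needs: check_renv` fails workflow validation on the first run. Please confirm update_cache was updated to match. The move to `ubuntu-latest` also makes the runner image float with GitHub's rollout, which is acceptable for a cache check but worth knowing when a build suddenly behaves differently.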
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
Add explicit permissions for the jobs that currently lack them (preflight and check-renv).
Best minimal-impact fix: set each of those jobs to permissions: {} (no token scopes), since neither shown steps needs repository write capabilities, and this preserves the existing broader permissions already intentionally set on update_cache.
Edit .github/workflows/update-cache.yaml:
- Under jobs.preflight, add permissions: {} after runs-on.
- Under jobs.check-renv, add permissions: {} after if (or near runs-on/needs), so it does not inherit repo defaults.
- Leave update_cache.permissions unchanged.
No imports, methods, or dependencies are needed.
| @@ -34,6 +34,7 @@ | ||
| preflight: | ||
| name: "Preflight: Manual or Scheduled Trigger?" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| outputs: | ||
| ok: ${{ steps.check.outputs.ok }} | ||
| steps: | ||
| @@ -59,6 +60,7 @@ | ||
| runs-on: ubuntu-latest | ||
| needs: preflight | ||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | ||
| permissions: {} | ||
| outputs: | ||
| renv-needed: ${{ steps.renv-check.outputs.renv-needed }} | ||
| steps: |
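Review bot: `permissions: {}` on check-renv (and on preflight in the hunk above) removes every token scope, which is correct for steps that only write `$GITHUB_OUTPUT`, but check-renv's `renv-needed` output is normally derived from files in the repository; if that job runs `actions/checkout`, a scope-less token can still clone a public repository but may fail on a private one. Since these workflows are distributed as a template, the zero-scope block should be exercised on a private repository before it is adopted; `contents: read` is the safe alternative wherever a checkout is involved.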
5b9361c to c22179a
c22179a to 90a0e04
| name: "Record Caching Status" | ||
| runs-on: ubuntu-latest | ||
| needs: [check-renv, update-renv-cache] | ||
| if: always() | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Record cache result" | ||
|
|
||
| run: | | ||
| echo "${{ needs.update-renv-cache.result == 'success' || needs.check-renv.outputs.renv-cache-available == 'true' || 'false' }}" > ${{ github.workspace }}/apply-cache-result | ||
| shell: bash | ||
|
|
||
| - name: "Upload cache result" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: apply-cache-result | ||
| path: ${{ github.workspace }}/apply-cache-result |
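Review bot: the job-level `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on Record Caching Status is unused by both visible steps (a shell `echo`, and `actions/upload-artifact@v4`, which authenticates with the runner's own runtime token rather than `GITHUB_TOKEN`), so it exposes the token to the job for no gain; drop it and give the job an explicit `permissions:` block, since this is one of the jobs CodeQL flags. `if: always()` is right for a status recorder, but the `needs.update-renv-cache.result == 'success' || ... || 'false'` expression in the run line records a cancelled or skipped cache job as `false` just like a failed one; that is probably the intended conservative reading, but it is worth saying so in the step name. Minor: `${{ github.workspace }}` inside `run:` can simply be `$GITHUB_WORKSPACE`.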
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
Add an explicit permissions block at the workflow root so all jobs inherit least-privilege defaults.
Best minimal fix for this workflow is:
- contents: read (safe baseline for checkout/read access)
- id-token: write (required for the OIDC AWS credentials step using aws-actions/configure-aws-credentials)
This avoids changing behavior while removing reliance on repo/org defaults.
Edit .github/workflows/docker_apply_cache.yaml near the top-level keys (after concurrency is a clear placement) and before jobs:.
| @@ -18,6 +18,10 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
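Review bot: `id-token: write` at the workflow root lets every job in docker_apply_cache.yaml, including the echo-only status jobs, request an OIDC token that the AWS trust policy will honour; the scope belongs in the job-level block of the one job that runs `aws-actions/configure-aws-credentials` (the suggestion text points at check-renv), with the root block kept at `contents: read`. Placing it at the root is the opposite of the minimal fix the suggestion describes: it widens what a compromised step in an unrelated job can do, since any of them could then assume the cloud role.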
88f7fe4 to e5eec7a
e5eec7a to 10d2db4
10d2db4 to a66368b
a66368b to 023ee0f
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 1.0.1