Update Workflows to Version 1.0.1#135
Conversation
ℹ️ Modified Workflows: This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
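Review bot: the preflight step's run: | script splices ${{ github.event_name }}, ${{ github.ref }}, ${{ github.event.action }} and ${{ github.event.pull_request.merged }} directly into bash. These contexts hold GitHub-set values (event name, ref, activity type, merged flag), so the risk here is low, but it is the same inlining pattern that turns into script injection the moment a free-text context (PR title, head branch name, commit message) is added to the condition. Passing them through env: and reading $EVENT_NAME, $REF etc. keeps the step safe under future edits, and the two $GITHUB_OUTPUT redirections should be quoted (>> "$GITHUB_OUTPUT").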
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
Add an explicit top-level permissions block in .github/workflows/docker_apply_cache.yaml so all jobs without their own permissions are constrained by default. Keep existing job-level permissions where needed (for example, check-renv already sets id-token: write and should remain unchanged).
Best single fix without changing functionality:
- Insert a root-level permissions block after concurrency (before jobs) with: contents: read
This is a safe minimal baseline for most workflows and resolves the CodeQL “no permissions” finding by making token scope explicit. Jobs needing more privileges can continue to override at job level (as already done for OIDC in check-renv).
| @@ -18,6 +18,9 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
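Review bot: the top-level block is the right shape, but the job-level override the description relies on cuts both ways: a job's own permissions: block replaces the workflow-level one rather than extending it, so check-renv with only id-token: write ends up with contents: none. If that job checks out the repository (actions/checkout needs contents: read), add contents: read beside id-token: write in the job block or the job breaks after this fix.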
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
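The autofix comments on this page all turn on one rule: a job with no permissions: block of its own and no workflow-level block runs on the repository's default token permissions, and a job-level block replaces rather than extends the workflow-level one. The checker below is an added example written for this page (not code from sandpaper, CodeQL or Copilot). It works on the dict a YAML loader such as yaml.safe_load returns for a workflow file, so it needs only the standard library; the workflow it audits is constructed inline to mirror the job layout of the PR's docker_apply_cache.yaml (job ids and the id-token: write on check-renv come from the page; step bodies, the workflow name and the permissive/restricted default tables are assumptions).

```python
"""Audit which GITHUB_TOKEN permissions each job of a GitHub Actions workflow
actually receives. Added example for this PR page (not sandpaper/CodeQL code).
Input is the dict a YAML loader returns for a workflow; sample data is constructed.
"""
from typing import Any, Dict, List, Tuple

# Permission scopes a GITHUB_TOKEN can carry.
SCOPES = ("actions", "checks", "contents", "deployments", "id-token", "issues",
          "packages", "pages", "pull-requests", "security-events", "statuses")

# What a job gets when neither the workflow nor the job declares permissions.
# Mirrors GitHub's documented "permissive"/"restricted" repository defaults
# (assumption: confirm against current docs for your organisation's setting).
REPO_DEFAULTS = {
    "permissive": {s: ("none" if s == "id-token" else "write") for s in SCOPES},
    "restricted": {s: ("read" if s in ("contents", "packages") else "none")
                   for s in SCOPES},
}


def expand(block: Any) -> Dict[str, str]:
    """Turn a permissions: value into an explicit scope -> level map.
    Scopes not named in a mapping become "none"; that rule is what makes a
    job-level block *replace* the workflow-level block instead of adding to it."""
    if block == "read-all":
        return {s: "read" for s in SCOPES}
    if block == "write-all":
        return {s: "write" for s in SCOPES}
    if block is None or block == {}:  # permissions: {} -> token with no scopes
        return {s: "none" for s in SCOPES}
    if not isinstance(block, dict):
        raise ValueError(f"unsupported permissions value: {block!r}")
    unknown = sorted(set(block) - set(SCOPES))
    if unknown:
        raise ValueError(f"unknown permission scopes: {unknown}")
    return {s: str(block.get(s, "none")) for s in SCOPES}


def effective(workflow: Dict[str, Any], job_id: str,
              repo_default: str = "permissive") -> Tuple[str, Dict[str, str]]:
    """Return (where the permissions came from, scope -> level) for one job."""
    job = workflow["jobs"][job_id]
    if "permissions" in job:
        return "job", expand(job["permissions"])
    if "permissions" in workflow:
        return "workflow", expand(workflow["permissions"])
    return "repository default", dict(REPO_DEFAULTS[repo_default])


def audit(workflow: Dict[str, Any],
          repo_default: str = "permissive") -> List[Dict[str, Any]]:
    """One finding per job that inherits the repository default (what CodeQL's
    "Workflow does not contain permissions" alert is about) or holds any write
    scope. Explicitly read-only jobs produce no finding."""
    findings = []
    for job_id in workflow.get("jobs", {}):
        source, perms = effective(workflow, job_id, repo_default)
        writes = sorted(s for s, level in perms.items() if level == "write")
        if source == "repository default" or writes:
            findings.append({"job": job_id, "source": source, "write_scopes": writes})
    return findings


def add_workflow_baseline(workflow: Dict[str, Any],
                          baseline: Dict[str, str] = None) -> Dict[str, Any]:
    """Copy of the workflow with a read-only top-level permissions block inserted
    before jobs: (the fix the autofixes propose). Already-declared -> unchanged."""
    if "permissions" in workflow:
        return dict(workflow)
    fixed: Dict[str, Any] = {}
    for key, value in workflow.items():
        if key == "jobs":
            fixed["permissions"] = dict(baseline or {"contents": "read"})
        fixed[key] = value
    return fixed


# Constructed sample (not the real file): the PR's docker_apply_cache.yaml job
# layout before any autofix. check-renv carries id-token: write for AWS OIDC,
# as the autofix descriptions state; step bodies are placeholders.
BEFORE = {
    "name": "constructed sample: apply cache",
    "on": {"workflow_dispatch": {}, "pull_request": {"types": ["closed"]}},
    "concurrency": {"group": "docker-apply-cache", "cancel-in-progress": False},
    "jobs": {
        "preflight": {"runs-on": "ubuntu-latest", "steps": [{"run": "echo preflight"}]},
        "check-renv": {"runs-on": "ubuntu-latest", "needs": "preflight",
                       "permissions": {"id-token": "write"},
                       "steps": [{"run": "echo check"}]},
        "no-renv-cache": {"runs-on": "ubuntu-latest", "needs": "check-renv",
                          "steps": [{"run": "echo nothing to do"}]},
    },
}
AFTER = add_workflow_baseline(BEFORE)

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(wf))
```

Running it shows the point the autofix prose makes in words: before the fix all three jobs are findings (two on the repository default, one with id-token: write); after the fix only check-renv is reported, and effective(AFTER, "check-renv") shows its contents scope is "none" even though the workflow now declares contents: read, which is why a job that both checks out the repo and uses OIDC must list both scopes in its own block. For a real file, pass yaml.safe_load(open(path)) to audit().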
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
Add an explicit root-level permissions: block so all jobs default to minimal token access, while preserving existing functionality by keeping the check-renv job’s explicit id-token: write override as-is.
Best single fix here:
- Edit .github/workflows/docker_apply_cache.yaml.
- Insert a top-level permissions section after concurrency (before jobs).
- Set: contents: read (safe baseline for checkout/read operations), packages: read (common read-only package access baseline).
- Do not remove existing job-level permissions in check-renv; job-level settings remain valid for OIDC use.
No imports/dependencies/methods are needed (YAML config change only).
| @@ -18,6 +18,10 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
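Review bot: this is the previous suggestion for the same file with packages: read added. Nothing in the shown context pulls from GitHub Packages with GITHUB_TOKEN, so contents: read alone is the tighter baseline unless a job is known to need registry reads. Only one of these suggested blocks can be applied: a second top-level permissions: key in the same file is a duplicate-key YAML error.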
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
Add an explicit top-level permissions block to .github/workflows/docker_apply_cache.yaml so all jobs without their own permissions inherit least-privilege defaults.
Best single fix (without changing functionality): add:
contents: read
packages: read
directly under the workflow triggers (on: block) and before concurrency:. This documents intent and prevents permission drift if org/repo defaults change. Existing job-level permissions (like in update-renv-cache) remain in effect and can still grant additional scoped access where required.
| @@ -13,6 +13,10 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
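Review bot: same scopes as the previous suggestion, placed before concurrency: instead of after it. The position of a top-level key does not matter to the Actions parser, so the only real decision among the three suggestions for docker_apply_cache.yaml is which scopes to grant; pick one and apply it once, then re-check that jobs with their own permissions: block still list every scope they use.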
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
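Review bot: the preflight job references carpentries/actions/build-preflight@main and carpentries/actions/container-version@main. A branch ref is mutable, so each run executes whatever main holds at that moment; pinning both to a full commit SHA (with the version in a trailing comment) is the supply-chain control worth adding, all the more because GITHUB_TOKEN is both exported into the job env and handed to container-version via token:. Exporting it in env: is redundant once it is passed explicitly as an input.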
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
Add an explicit permissions block to the preflight job in .github/workflows/docker_build_deploy.yaml.
Best fix (minimal, least-privilege, no functional change): set contents: read for preflight, since it checks repo state and performs checkout/container-version lookup but does not appear to write checks, PRs, pages, or contents. This satisfies CodeQL and documents required access.
Change location: directly under runs-on in the preflight job (around lines 46–47 in the provided snippet).
No new imports, methods, or dependencies are needed.
| @@ -44,6 +44,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
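Review bot: contents: read for preflight matches the visible steps (checkout plus the container-version lookup), but since a job-level block replaces the defaults entirely, confirm that carpentries/actions/container-version does not need packages: read to query the container registry; if it does, the job starts failing only after this fix is merged. A single workflow-level contents: read in docker_build_deploy.yaml would cover preflight and every other read-only job at once, which is the shape the other autofixes on this PR use.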
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
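Review bot: renaming the job id from check_renv to check-renv changes the key other jobs address it by; every needs: entry and needs.check_renv.outputs.* expression in this workflow has to move to the new id or the workflow is rejected at validation. The runner change from ubuntu-22.04 to ubuntu-latest swaps a pinned image for a floating one, which means the toolchain can change under a lesson without a commit in the lesson repo; acceptable for a template, but worth stating in the release notes. The whitespace fix inside the if: expression is cosmetic.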
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
Add an explicit top-level permissions block so all jobs without their own permissions are restricted by default.
Best fix here (without changing existing behavior) is:
- Add workflow-level: contents: read (minimal for checkout/read operations)
- Keep existing update_cache job-level permissions unchanged, since it clearly needs elevated write scopes for PR/update operations.
This limits preflight and check-renv to read-only token access while preserving update_cache’s current functionality.
| @@ -1,5 +1,7 @@ | ||
| name: "02 Maintain: Check for Updated Packages" | ||
| description: "Check for updated R packages and create a pull request to update the lesson's renv lockfile and package cache" | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| schedule: | ||
| - cron: '0 0 * * 2' |
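Review bot: placing permissions: between description: and on: is valid YAML for this purpose, but the stated outcome (read-only token for preflight and check-renv, write scopes kept for update_cache) only holds if update_cache already declares its own job-level permissions: block. That job is outside this hunk, so verify it before applying the fix; otherwise the top-level contents: read also strips the write scopes its pull-request creation depends on.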
Force-pushed: 9d070c9 to b72e8e1
Force-pushed: b72e8e1 to cdd9f49
| name: "Record Caching Status" | ||
| runs-on: ubuntu-latest | ||
| needs: [check-renv, update-renv-cache] | ||
| if: always() | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Record cache result" | ||
|
|
||
| run: | | ||
| echo "${{ needs.update-renv-cache.result == 'success' || needs.check-renv.outputs.renv-cache-available == 'true' || 'false' }}" > ${{ github.workspace }}/apply-cache-result | ||
| shell: bash | ||
|
|
||
| - name: "Upload cache result" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: apply-cache-result | ||
| path: ${{ github.workspace }}/apply-cache-result |
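Review bot: Record Caching Status runs under if: always(), so it uploads an apply-cache-result artifact even when its dependencies were cancelled or skipped; in that case the expression falls through to the 'false' literal, and whatever reads the artifact should treat that as "no cache applied", not as a failed run. actions/upload-artifact@v4 is a floating major tag; pin it to a commit SHA for the same reason as the @main references elsewhere in this PR.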
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI about 1 month ago
Add an explicit permissions block to the workflow file so token scope is restricted by default. The safest minimal fix without changing behavior is to set read-only at workflow level:
permissions: {} (no token permissions), or permissions: contents: read (common minimal baseline).
Given this workflow primarily runs shell steps, AWS OIDC, cache actions, and artifact upload, setting contents: read at the workflow root is a conservative, compatible baseline that documents intent and avoids accidental write privileges.
Where to change: .github/workflows/docker_apply_cache.yaml, near the top-level keys (after concurrency and before jobs, or directly under name/on).
No imports/dependencies/methods are needed.
| @@ -18,6 +18,9 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
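Review bot: this is a verbatim repeat of the first autofix for docker_apply_cache.yaml (contents: read after concurrency). All of the alerts on this file point at the same missing top-level key, so only one of the suggested blocks should land; applying this one and the earlier one together would duplicate the key.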
Force-pushed: cdd9f49 to 8f12949
Force-pushed: 8f12949 to 1bbf9fa
Force-pushed: 1bbf9fa to cb7fc67
Force-pushed: cb7fc67 to d6298bc
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 1.0.1