Update Workflows to Version 0.18.3 #224
base: main
ℹ️ Modified Workflows: This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
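Review bot: the `do-apply` condition compares `${{ github.ref }}` with `refs/heads/main` while also requiring `github.event.action == closed` and `pull_request.merged == true`; which ref GitHub exposes on a closed-PR event depends on whether the trigger is `pull_request` or `pull_request_target`, so `github.event.pull_request.base.ref == 'main'` is the unambiguous check for "merged into main" and avoids a job that silently never applies. Interpolating `${{ }}` straight into `run:` is tolerable here only because every expanded value (event name, ref, action, merged flag) is set by GitHub rather than taken from a PR-author-controlled field; if any of that changes, pass the values through `env:` instead.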
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
In general, the fix is to explicitly define minimal permissions for the workflow or for individual jobs that currently rely on implicit repository defaults. For jobs that do not interact with the GitHub API or modify repository state, you can safely set permissions: {} (no token permissions), or permissions: contents: read if a read-only token is needed. For jobs that need specific write scopes, you grant them narrowly (e.g., pull-requests: write).
For this workflow, the simplest and safest change that does not alter existing behavior is:
- Add an explicit, least-privilege `permissions` block at the top (workflow) level, right after the `on:` block. This will apply to all jobs that do not define their own `permissions`.
- The `preflight` job does not appear to use the GitHub API, so it can inherit a very restrictive token. A good baseline for most workflows is `contents: read`, which allows basic read operations but prevents writes.
- The `check-renv` job already has explicit `permissions: id-token: write`, and GitHub will merge this with workflow-level permissions, so we should not remove or change that; instead, we add the workflow-level permissions so that all other jobs are at least constrained to read-only contents.
- Other jobs shown (`no-renv-cache-used`, `renv-cache-available`, `update-renv-cache`, `trigger-build-deploy`) do not have explicit permissions; by setting the workflow-level permissions, we reduce their token privileges without changing their logic.
Concretely: edit .github/workflows/docker_apply_cache.yaml to insert:

    permissions:
      contents: read

between the on: block (ending at line 14) and the concurrency: block (line 17). No additional imports or definitions are needed.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
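Review bot: the claim that a workflow-level `permissions: contents: read` does not alter behaviour does not hold for the whole file: once any `permissions` key is present, scopes it does not list are removed, so `trigger-build-deploy`, which runs `gh workflow run docker_build_deploy.yaml --ref main` with `secrets.GITHUB_TOKEN`, would lose the `actions: write` scope that dispatching a workflow needs, and its `continue-on-error: true` would mask the resulting failure. Pair this hunk with a job-level block on that job, e.g. `permissions: { actions: write, contents: read }` (the latter for its `actions/checkout` step).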
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
In general, the fix is to define explicit permissions for the workflow so that the default GITHUB_TOKEN privileges are minimized, and then override them in individual jobs only where broader permissions are required. For jobs that do not need the token at all (like those just running echo or purely local commands), you can disable the token with permissions: {} or permissions: none. For jobs that need specific permissions, set only those scopes instead of broad write access.
The best way to fix this workflow without changing existing functionality is:
- Add a root-level `permissions` block (near the top of the file, alongside `name`, `description`, and `on`) that sets a safe default, e.g. `contents: read`. This will apply to all jobs that do not override `permissions`.
- The `check-renv` job already has `permissions: id-token: write` to support OIDC with AWS, so we leave it as-is.
- For jobs that clearly do not need GITHUB_TOKEN at all—`no-renv-cache-used`, `renv-cache-available`, and likely `update-renv-cache` and `trigger-build-deploy`—we should disable the token explicitly. However, we must not break existing functionality: the `trigger-build-deploy` job uses the `gh` CLI with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, which is not the implicit GITHUB_TOKEN but a secret; therefore, we can safely set `permissions: {}` or `permissions: none` there without affecting access to `secrets.GITHUB_TOKEN`. To directly address the CodeQL warning on the `no-renv-cache-used` job, we will add `permissions: {}` to that job; additionally, we should still add a root default to ensure the whole workflow is hardened.
Concretely:
- In .github/workflows/docker_apply_cache.yaml, after the `on:` block (after line 14 or 15), add:

    permissions:
      contents: read

  to define minimal default permissions for all jobs.
- In the `no-renv-cache-used` job (around line 61–69), add:

    permissions: {}

  so that this job gets no GITHUB_TOKEN at all, matching its actual needs and resolving the specific CodeQL complaint.
No new imports or external libraries are needed; these are pure YAML configuration changes.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache | ||
| @@ -63,6 +66,7 @@ | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| permissions: {} | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" |
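Review bot: `permissions: {}` on `no-renv-cache-used` fits a job whose only step is an `echo`, but the comment's plan to do the same for `trigger-build-deploy` rests on a wrong premise: `secrets.GITHUB_TOKEN` is the automatically provisioned job token whose scopes the `permissions` key governs, not an independent secret, so an empty block there would leave `gh workflow run` without the `actions: write` it needs. Limit `{}` to the echo-only jobs and give the dispatching job an explicit `actions: write`.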
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
| name: "Trigger Build and Deploy Workflow" | ||
| runs-on: ubuntu-latest | ||
| needs: update-renv-cache | ||
| if: | | ||
| needs.update-renv-cache.result == 'success' || | ||
| needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: "Trigger Build and Deploy Workflow" | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| gh workflow run docker_build_deploy.yaml --ref main | ||
| shell: bash | ||
| continue-on-error: true |
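Review bot: `continue-on-error: true` on the dispatch step means a failed `gh workflow run` (wrong ref, missing `actions: write` on the token, API error) still leaves the job green, so the downstream build and deploy can silently never start. Either drop it, or keep it and surface the step's outcome in a following step that fails the job when the dispatch did not succeed.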
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
In general, this issue is fixed by explicitly specifying a permissions block in the workflow so that GITHUB_TOKEN has only the minimal scopes required. This can be done at the workflow root (applies to all jobs that don’t override it) or at individual jobs. Since none of the shown jobs perform repository write operations and only read repository contents and metadata (plus assume AWS roles via OIDC and call gh workflow run), contents: read is an appropriate minimal starting point.
The best way to fix this without changing functionality is to add a workflow-level permissions block near the top of .github/workflows/docker_apply_cache.yaml, just after the on: block (or after concurrency:), setting contents: read. This will apply to all jobs (preflight, check-renv, no-renv-cache-used, renv-cache-available, update-renv-cache, trigger-build-deploy, etc.) that do not have their own permissions block and will satisfy CodeQL’s requirement to restrict GITHUB_TOKEN. No additional imports or external dependencies are required; this is a pure YAML configuration change.
Concretely:
- Edit .github/workflows/docker_apply_cache.yaml.
- Insert:

    permissions:
      contents: read

  after the on: section (lines 3–14) or after the concurrency block (lines 16–19). Both are valid, but placing it immediately after on: is conventional and unambiguous. No other parts of the workflow need to be changed.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
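Review bot: `carpentries/actions/build-preflight@main` and `carpentries/actions/container-version@main` are referenced by a moving branch and both receive `secrets.GITHUB_TOKEN` (the job-level `env:` and the `token:` input), so whatever lands on that branch runs with this token the next time the workflow fires; pin them to a full commit SHA with the version in a trailing comment, and scope the job-level `env: GITHUB_TOKEN` down to the steps that actually read it.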
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
In general, the fix is to explicitly define minimal permissions for jobs that use GITHUB_TOKEN, instead of inheriting potentially broad repository defaults. For this workflow, we should add an explicit permissions block for the preflight job that is limited to what the job actually needs, which, based on the snippet, is read-only repository contents. We should not change the existing permissions blocks for full-build and update-container-version, as they already declare explicit scopes and may be required for their functionality.
Concretely, in .github/workflows/docker_build_deploy.yaml, inside the preflight job definition (lines 39–51), add a permissions: section with contents: read. This keeps the job functional while ensuring GITHUB_TOKEN is constrained to read repository contents only. No additional imports, methods, or external dependencies are needed, since this is purely a YAML configuration change.
| @@ -39,6 +39,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
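Review bot: a job-level `contents: read` on `preflight` strips every other scope from the token this job hands to `build-preflight` (job-level `env:`) and `container-version` (`token:` input); the autofix text says read-only contents is all the job needs "based on the snippet", but the snippet does not show what those actions call, so confirm neither needs anything further (e.g. `actions: read` for workflow-run lookups) before merging, since a missing scope only shows up as a runtime API error.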
| name: "Preflight: Manual or Scheduled Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| ok: ${{ steps.check.outputs.ok }} | ||
| steps: | ||
| - id: check | ||
| run: | | ||
| if [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then | ||
| if [[ "${{ github.event_name }}" == 'workflow_dispatch' ]]; then | ||
| echo "ok=true" >> $GITHUB_OUTPUT | ||
| echo "Running on request" | ||
| # using single brackets here to avoid 08 being interpreted as octal | ||
| # https://github.com/carpentries/sandpaper/issues/250 | ||
| elif [ `date +%d` -le 7 ]; then | ||
| # If the Tuesday lands in the first week of the month, run it | ||
| echo "ok=true" >> $GITHUB_OUTPUT | ||
| echo "Running on schedule" | ||
| else | ||
| echo "ok=false" >> $GITHUB_OUTPUT | ||
| echo "Not Running Today" | ||
| fi | ||
| shell: bash | ||
|
|
||
| check_renv: | ||
| name: "Check if We Need {renv}" | ||
| runs-on: ubuntu-22.04 | ||
| check-renv: | ||
| name: "Check If We Need {renv}" | ||
| runs-on: ubuntu-latest | ||
| needs: preflight | ||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | ||
| if: ${{ needs.preflight.outputs.ok == 'true' }} |
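Review bot: quoting `"${{ github.event_name }}"` inside the `[[ ]]` test is the right fix; the `check_renv` -> `check-renv` rename changes the job id, so any `needs: check_renv` or `needs.check_renv.outputs.*` reference in this file has to move in the same change. Minor: `$(date +%d)` reads better than backticks, and the octal comment applies to it just the same.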
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 1 day ago
In general, the problem is fixed by explicitly specifying a minimal permissions block for the GITHUB_TOKEN either at the workflow root (applies to all jobs that do not override it) or on each job. We should grant only the permissions needed: update_cache already has its job-level block; preflight and check-renv appear to require at most read access to repository contents for actions like actions/checkout. They do not create PRs, write issues, or modify repository state.
The best minimal fix without changing existing functionality is:
- Add a workflow-level `permissions` block after the `on:` section that sets `contents: read`. This becomes the default for `preflight` and `check-renv`.
- Leave the existing job-level `permissions` for `update_cache` unchanged so that job continues to have the broader rights it needs.
Concretely:
- Edit .github/workflows/update-cache.yaml.
- After line 26 (end of `workflow_dispatch.inputs`), insert:

    permissions:
      contents: read

This ensures that:
- `preflight` and `check-renv` run with `contents: read` only.
- `update_cache` retains its existing explicit `permissions` block and overrides the default where necessary.
No additional imports, methods, or other definitions are needed.
| @@ -25,6 +25,9 @@ | ||
| default: false | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| LOCKFILE_CACHE_GEN: ${{ vars.LOCKFILE_CACHE_GEN || github.event.inputs.generate-cache || 'false' }} | ||
| FORCE_RENV_INIT: ${{ vars.FORCE_RENV_INIT || github.event.inputs.force-renv-init || 'false' }} |
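An added example (not code from this PR or from sandpaper) that models the rule the CodeQL finding and the autofix comments above turn on: which `permissions` block governs each job's GITHUB_TOKEN, and what changes for each job once a workflow-level block is added. The workflow dict, the HARDENED variant and the REQUIRED scope table are constructed for the example; the assumption that `gh workflow run` needs `actions: write` is the example's own.

```python
# Constructed model of the docker_apply_cache.yaml jobs visible in this PR, in the dict
# shape yaml.safe_load returns (PyYAML left out so this runs with no dependencies).
WORKFLOW = {"jobs": {
    "preflight": {"runs-on": "ubuntu-latest"},
    "check-renv": {"runs-on": "ubuntu-latest", "permissions": {"id-token": "write"}},
    "no-renv-cache-used": {"runs-on": "ubuntu-latest"},
    "trigger-build-deploy": {"runs-on": "ubuntu-latest", "steps": [
        {"env": {"GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}"},
         "run": "gh workflow run docker_build_deploy.yaml --ref main"}]},
}}
# The autofix as suggested above: a workflow-level block, nothing changed per job.
HARDENED = dict(WORKFLOW, permissions={"contents": "read"})
# Scopes each job's steps consume (assumption made for this example): `gh workflow run`
# creates a workflow_dispatch event, which needs actions: write on the token.
REQUIRED = {"trigger-build-deploy": [("actions", "write")],
            "check-renv": [("id-token", "write")]}

def normalize(block):
    """Expand the read-all / write-all shorthands into a scope map."""
    if block in ("read-all", "write-all"):
        return {"*": block.split("-")[0]}
    return dict(block or {})

def effective_permissions(workflow, job_id):
    """A job-level block replaces the workflow-level one outright (no merging);
    with neither present the token falls back to the repository default."""
    job = workflow["jobs"][job_id]
    if "permissions" in job:
        return normalize(job["permissions"]), "job"
    if "permissions" in workflow:
        return normalize(workflow["permissions"]), "workflow"
    return None, "default"

def allows(scopes, scope, level):
    granted = scopes.get(scope, scopes.get("*"))  # explicit scope, else the *-all shorthand
    return granted is not None and (granted == "write" or level == "read")

def audit(workflow, required):
    """(job_id, problem) pairs: no explicit block (the CodeQL finding), or a block
    too narrow for what the job runs (the regression the autofix would cause)."""
    findings = []
    for job_id in workflow["jobs"]:
        scopes, source = effective_permissions(workflow, job_id)
        if scopes is None:
            findings.append((job_id, "no explicit permissions; repository default applies"))
            continue
        for scope, level in required.get(job_id, []):
            if not allows(scopes, scope, level):
                findings.append((job_id, f"{source}-level block lacks {scope}: {level}"))
    return findings
```

Running `audit` on WORKFLOW reproduces the three CodeQL findings; running it on HARDENED clears them but reports that `trigger-build-deploy` now lacks `actions: write`, which is the regression a job-level block on that job has to cover.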
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 0.18.3