epiverse-trace · epiverse-trace-bot · Jan 20, 2026
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
diff --git a/.github/workflows/docker_apply_cache.yaml b/.github/workflows/docker_apply_cache.yaml
@@ -0,0 +1,227 @@
+name: "03 Maintain: Apply Package Cache"
+description: "Generate the package cache for the lesson after a pull request has been merged or via manual trigger, and cache in S3 or GitHub"
+on:
+  workflow_dispatch:
+    inputs:
+      name:
+        description: 'Who triggered this build?'
+        required: true
+        default: 'Maintainer (via GitHub)'
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
+
+# queue cache runs
+concurrency:
+  group: docker-apply-cache
+  cancel-in-progress: false
+
+jobs:
+  preflight:
+    name: "Preflight: PR or Manual Trigger?"
+    runs-on: ubuntu-latest
+    outputs:
+      do-apply: ${{ steps.check.outputs.merged_or_manual }}
+    steps:
+      - name: "Should we run cache application?"
+        id: check
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ||
+                ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then
+            echo "merged_or_manual=true" >> $GITHUB_OUTPUT
+          else
+            echo "This was not a manual trigger and no PR was merged. No action taken."
+            echo "merged_or_manual=false" >> $GITHUB_OUTPUT
+          fi
+        shell: bash
+
+  check-renv:
@@ -13,6 +13,9 @@
    branches:
      - main
+permissions:
+  contents: read
+
 # queue cache runs
 concurrency:
  group: docker-apply-cache
@@ -13,6 +13,9 @@
    branches:
      - main

+permissions:
+  contents: read
+
 # queue cache runs
 concurrency:
  group: docker-apply-cache
+    name: "Check If We Need {renv}"
+    runs-on: ubuntu-latest
+    needs: preflight
+    if: needs.preflight.outputs.do-apply == 'true'
+    permissions:
+      id-token: write
+    outputs:
+      renv-needed: ${{ steps.check-for-renv.outputs.renv-needed }}
+      renv-cache-hashsum: ${{ steps.check-for-renv.outputs.renv-cache-hashsum }}
+      renv-cache-available: ${{ steps.check-for-renv.outputs.renv-cache-available }}
+    steps:
+      - name: "Check for renv"
+        id: check-for-renv
+        uses: carpentries/actions/renv-checks@main
+        with:
+          role-to-assume: ${{ secrets.AWS_GH_OIDC_ARN }}
+          aws-region: ${{ secrets.AWS_GH_OIDC_REGION }}
+          WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG || 'latest' }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+  no-renv-cache-used:
+    name: "No renv cache used"
+    runs-on: ubuntu-latest
+    needs: check-renv
+    if: needs.check-renv.outputs.renv-needed != 'true'
+    steps:
+      - name: "No renv cache needed"
+        run: echo "No renv cache needed for this lesson"
+
+  renv-cache-available:
@@ -13,6 +13,9 @@
    branches:
      - main
+permissions:
+  contents: read
+
 # queue cache runs
 concurrency:
  group: docker-apply-cache
@@ -63,6 +66,7 @@
    runs-on: ubuntu-latest
    needs: check-renv
    if: needs.check-renv.outputs.renv-needed != 'true'
+    permissions: {}
    steps:
      - name: "No renv cache needed"
        run: echo "No renv cache needed for this lesson"
@@ -13,6 +13,9 @@
    branches:
      - main

+permissions:
+  contents: read
+
 # queue cache runs
 concurrency:
  group: docker-apply-cache
@@ -63,6 +66,7 @@
    runs-on: ubuntu-latest
    needs: check-renv
    if: needs.check-renv.outputs.renv-needed != 'true'
+    permissions: {}
    steps:
      - name: "No renv cache needed"
        run: echo "No renv cache needed for this lesson"
+    name: "renv cache available"
+    runs-on: ubuntu-latest
+    needs: check-renv
+    if: needs.check-renv.outputs.renv-cache-available == 'true'
+    steps:
+      - name: "renv cache available"
+        run: echo "renv cache available for this lesson"
+
+  update-renv-cache:
+    name: "Update renv Cache"
+    runs-on: ubuntu-latest
+    needs: check-renv
+    if: |
+      needs.check-renv.outputs.renv-needed == 'true' &&
+      needs.check-renv.outputs.renv-cache-available != 'true' &&
+      (
+        github.event_name == 'workflow_dispatch' ||
+        (
+          github.event.pull_request.merged == true &&
+          (
+            (
+              contains(
+                join(github.event.pull_request.labels.*.name, ','),
+                'type: package cache'
+              ) &&
+              github.event.pull_request.head.ref == 'update/packages'
+            )
+            ||
+            (
+              contains(
+                join(github.event.pull_request.labels.*.name, ','),
+                'type: workflows'
+              ) &&
+              github.event.pull_request.head.ref == 'update/workflows'
+            )
+            ||
+            (
+              contains(
+                join(github.event.pull_request.labels.*.name, ','),
+                'type: docker version'
+              ) &&
+              github.event.pull_request.head.ref == 'update/workbench-docker-version'
+            )
+          )
+        )
+      )
+    permissions:
+      checks: write
+      contents: write
+      pages: write
+      id-token: write
+    container:
+      image: ghcr.io/carpentries/workbench-docker:${{ vars.WORKBENCH_TAG || 'latest' }}
+      env:
+        WORKBENCH_PROFILE: "ci"
+        GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
+        RENV_PATHS_ROOT: /home/rstudio/lesson/renv
+        RENV_PROFILE: "lesson-requirements"
+        RENV_VERSION: ${{ needs.check-renv.outputs.renv-cache-hashsum }}
+        RENV_CONFIG_EXTERNAL_LIBRARIES: "/usr/local/lib/R/site-library"
+      volumes:
+        - ${{ github.workspace }}:/home/rstudio/lesson
+      options: --cpus 2
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: "Debugging Info"
+        run: |
+          echo "Current Directory: $(pwd)"
+          ls -lah /home/rstudio/.workbench
+          ls -lah $(pwd)
+          Rscript -e 'sessionInfo()'
+        shell: bash
+
+      - name: "Mark Repository as Safe"
+        run: |
+          git config --global --add safe.directory $(pwd)
+        shell: bash
+
+      - name: "Ensure sandpaper is loadable"
+        run: |
+          .libPaths()
+          library(sandpaper)
+        shell: Rscript {0}
+
+      - name: "Setup Lesson Dependencies"
+        run: |
+          Rscript /home/rstudio/.workbench/setup_lesson_deps.R
+        shell: bash
+
+      - name: "Fortify renv Cache"
+        run: |
+          Rscript /home/rstudio/.workbench/fortify_renv_cache.R
+        shell: bash
+
+      - name: "Get Container Version Used"
+        id: wb-vers
+        uses: carpentries/actions/container-version@main
+        with:
+          WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }}
+          renv-needed: ${{ needs.check-renv.outputs.renv-needed }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: "Validate Current Org and Workflow"
+        id: validate-org-workflow
+        uses: carpentries/actions/validate-org-workflow@main
+        with:
+          repo: ${{ github.repository }}
+          workflow: ${{ github.workflow }}
+
+      - name: "Configure AWS credentials via OIDC"
+        id: aws-creds
+        env:
+          role-to-assume: ${{ secrets.AWS_GH_OIDC_ARN }}
+          aws-region: ${{ secrets.AWS_GH_OIDC_REGION }}
+        if: |
+          steps.validate-org-workflow.outputs.is_valid == 'true' &&
+          env.role-to-assume != '' &&
+          env.aws-region != ''
+        uses: aws-actions/configure-aws-credentials@v5.0.0
+        with:
+          role-to-assume: ${{ env.role-to-assume }}
+          aws-region: ${{ env.aws-region }}
+          output-credentials: true
+
+      - name: "Upload cache object to S3"
+        id: upload-cache
+        uses: carpentries/actions-cache@frog-matchedkey-1
+        with:
+          accessKey: ${{ steps.aws-creds.outputs.aws-access-key-id }}
+          secretKey: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
+          sessionToken: ${{ steps.aws-creds.outputs.aws-session-token }}
+          bucket: workbench-docker-caches
+          path: |
+            /home/rstudio/lesson/renv
+            /usr/local/lib/R/site-library
+          key: ${{ github.repository }}/${{ steps.wb-vers.outputs.container-version }}_renv-${{ needs.check-renv.outputs.renv-cache-hashsum }}
+          restore-keys:
+            ${{ github.repository }}/${{ steps.wb-vers.outputs.container-version }}_renv-
+
+  trigger-build-deploy:
+    name: "Trigger Build and Deploy Workflow"
+    runs-on: ubuntu-latest
+    needs: update-renv-cache
+    if: |
+      needs.update-renv-cache.result == 'success' ||
+      needs.check-renv.outputs.renv-cache-available == 'true'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: "Trigger Build and Deploy Workflow"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh workflow run docker_build_deploy.yaml --ref main
+        shell: bash
+        continue-on-error: true
@@ -13,6 +13,9 @@
    branches:
      - main
+permissions:
+  contents: read
+
 # queue cache runs
 concurrency:
  group: docker-apply-cache
@@ -13,6 +13,9 @@
    branches:
      - main

+permissions:
+  contents: read
+
 # queue cache runs
 concurrency:
  group: docker-apply-cache
diff --git a/.github/workflows/docker_build_deploy.yaml b/.github/workflows/docker_build_deploy.yaml
@@ -0,0 +1,155 @@
+name: "01 Maintain: Build and Deploy Site"
+description: "Build and deploy the lesson site using the carpentries/workbench-docker container"
+on:
+  push:
+    branches:
+      - 'main'
+    paths-ignore:
+      - '.github/workflows/**.yaml'
+      - '.github/workbench-docker-version.txt'
+  schedule:
+    - cron: '0 0 * * 2'
+  workflow_dispatch:
+    inputs:
+      name:
+        description: 'Who triggered this build?'
+        required: true
+        default: 'Maintainer (via GitHub)'
+      CACHE_VERSION:
+        description: 'Optional renv cache version override'
+        required: false
+        default: ''
+      reset:
+        description: 'Reset cached markdown files'
+        required: true
+        default: false
+        type: boolean
+      force-skip-manage-deps:
+        description: 'Skip build-time dependency management'
+        required: true
+        default: false
+        type: boolean
+
+# only one build/deploy at a time
+concurrency:
+  group: docker-build-deploy
+  cancel-in-progress: true
+
+jobs:
+  preflight:
+    name: "Preflight: Schedule, Push, or PR?"
+    runs-on: ubuntu-latest
+    outputs:
+      do-build: ${{ steps.build-check.outputs.do-build }}
+      renv-needed: ${{ steps.build-check.outputs.renv-needed }}
+      renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }}
+      workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }}
+      wb-vers: ${{ steps.wb-vers.outputs.container-version }}
+      last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }}
+      workbench-update: ${{ steps.wb-vers.outputs.workbench-update }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: "Should we run build and deploy?"
+        id: build-check
+        uses: carpentries/actions/build-preflight@main
+
+      - name: "Checkout Lesson"
+        if: steps.build-check.outputs.do-build == 'true'
+        uses: actions/checkout@v4
+
+      - name: "Get container version info"
+        id: wb-vers
+        if: steps.build-check.outputs.do-build == 'true'
+        uses: carpentries/actions/container-version@main
+        with:
+          WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }}
+          renv-needed: ${{ steps.build-check.outputs.renv-needed }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+  full-build:
@@ -39,6 +39,8 @@
  preflight:
    name: "Preflight: Schedule, Push, or PR?"
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    outputs:
      do-build: ${{ steps.build-check.outputs.do-build }}
      renv-needed: ${{ steps.build-check.outputs.renv-needed }}
@@ -39,6 +39,8 @@
  preflight:
    name: "Preflight: Schedule, Push, or PR?"
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    outputs:
      do-build: ${{ steps.build-check.outputs.do-build }}
      renv-needed: ${{ steps.build-check.outputs.renv-needed }}
+    name: "Build Full Site"
+    runs-on: ubuntu-latest
+    needs: preflight
+    if: |
+      always() &&
+      needs.preflight.outputs.do-build == 'true' &&
+      needs.preflight.outputs.workbench-update != 'true'
+    env:
+      RENV_EXISTS: ${{ needs.preflight.outputs.renv-needed }}
+      RENV_HASH: ${{ needs.preflight.outputs.renv-cache-hashsum }}
+    permissions:
+      checks: write
+      contents: write
+      pages: write
+      id-token: write
+    container:
+      image: ghcr.io/carpentries/workbench-docker:${{ vars.WORKBENCH_TAG || 'latest' }}
+      env:
+        WORKBENCH_PROFILE: "ci"
+        GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
+        RENV_PATHS_ROOT: /home/rstudio/lesson/renv
+        RENV_PROFILE: "lesson-requirements"
+        RENV_CONFIG_EXTERNAL_LIBRARIES: "/usr/local/lib/R/site-library"
+      volumes:
+        - ${{ github.workspace }}:/home/rstudio/lesson
+      options: --cpus 1
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: "Debugging Info"
+        run: |
+          cd /home/rstudio/lesson
+          echo "Current Directory: $(pwd)"
+          echo "RENV_HASH is $RENV_HASH"
+          ls -lah /home/rstudio/.workbench
+          ls -lah $(pwd)
+          Rscript -e 'sessionInfo()'
+        shell: bash
+
+      - name: "Mark Repository as Safe"
+        run: |
+          git config --global --add safe.directory $(pwd)
+        shell: bash
+
+      - name: "Setup Lesson Dependencies"
+        id: build-container-deps
+        uses: carpentries/actions/build-container-deps@main
+        with:
+          CACHE_VERSION: ${{ vars.CACHE_VERSION || github.event.inputs.CACHE_VERSION || '' }}
+          WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG || 'latest' }}
+          LESSON_PATH: ${{ vars.LESSON_PATH || '/home/rstudio/lesson' }}
+          role-to-assume: ${{ secrets.AWS_GH_OIDC_ARN }}
+          aws-region: ${{ secrets.AWS_GH_OIDC_REGION }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: "Run Container and Build Site"
+        id: build-and-deploy
+        uses: carpentries/actions/build-and-deploy@main
+        with:
+          reset: ${{ github.event.inputs.reset || 'false' }}
+          skip-manage-deps: ${{ github.event.inputs.force-skip-manage-deps == 'true' || steps.build-container-deps.outputs.renv-cache-available || steps.build-container-deps.outputs.backup-cache-used || 'false' }}
+
+  update-container-version:
+    name: "Update container version used"
+    runs-on: ubuntu-latest
+    needs: [preflight]
+    permissions:
+      actions: write
+      contents: write
+      pull-requests: write
+      id-token: write
+    if: |
+      needs.preflight.outputs.do-build == 'true' &&
+      (
+        needs.preflight.outputs.workbench-container-file-exists == 'false' ||
+        needs.preflight.outputs.workbench-update == 'true'
+      )
+    steps:
+      - name: "Record container version used"
+        uses: carpentries/actions/record-container-version@main
+        with:
+          CONTAINER_VER: ${{ needs.preflight.outputs.wb-vers }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          role-to-assume: ${{ secrets.AWS_GH_OIDC_ARN }}
+          aws-region: ${{ secrets.AWS_GH_OIDC_REGION }}