🔄 Synced file(s) with ottrproject/OTTR_Template#118
Conversation
No broken url errors! 🎉

No spelling errors! 🎉

Re-rendered previews from the latest commit:
* note not all html features will be properly displayed in the "quick preview" but it will give you a rough idea.
Updated at 2026-02-04 with changes from the latest commit 4cf7361
d6c8be1 to 442f9ee (Compare)
442f9ee to 1d4e071 (Compare)
OTTR Check Results Summary
🎉 All checks passed! Last Updated: 2026-02-04-22:26:55
| render-coursera: no | ||
| render-website: rmd | ||
| render-leanpub: true | ||
| render-coursera: true |
| render-coursera: true | |
| render-coursera: false |
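Review bot: the toggles in config_automation.yml mix two boolean spellings, `render-coursera: no` on one side against `true`/`false` for the other keys, and the workflow conditions later in this diff compare against both `'yes'` and `'true'`. Since yaml-env-action exports these values as plain strings and every `if:` does an exact string compare, a `no` or `yes` that slips into a key tested with `== 'true'` silently disables or enables the job; settle on `true`/`false` for every key and test only for that.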
| name: Load user automation choices | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| # Use the yaml-env-action action. | ||
| - name: Load environment from YAML | ||
| uses: doughepi/yaml-env-action@v1.0.0 | ||
| with: | ||
| files: config_automation.yml # Pass a space-separated list of configuration files. Rightmost files take precedence. | ||
| outputs: | ||
| toggle_url_check_periodically: "${{ env.URL_CHECK_PERIODICALLY }}" | ||
|
|
||
| url-check: |
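Review bot: `actions/checkout@v3` and `doughepi/yaml-env-action@v1.0.0` are pinned to mutable tags, and the latter is a third-party action that reads config_automation.yml straight into the job environment; pin both to a full commit SHA (keep the tag in a trailing comment for readability) so a moved or re-published tag cannot swap in different code, and bump checkout to v4 as the readability job later in this PR already does. This job also has no `permissions:` block, which is the CodeQL finding attached to the file; `contents: read` is all set-up needs, since it only checks out and reads config.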
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 months ago):
In general, fix this by explicitly defining a permissions block that grants only the minimal scopes required. You can set it at the workflow root so it applies to all jobs, and then, if needed, override on specific jobs that require additional permissions.
For this workflow, most steps only need read access to the repository contents, but some steps perform Git operations that modify branches. Those operations rely on git authentication; since one step uses GH_PAT from secrets, we can keep GITHUB_TOKEN largely read-only and only grant contents: write when necessary. The simplest, non-breaking change consistent with CodeQL’s recommendation is to define a root-level permissions block with contents: read. If you know that GITHUB_TOKEN is also used for the git push/delete operations and must be able to write, you could instead set contents: write. However, to keep changes minimal and aligned with least privilege and the given hint ({contents: read}), we will set permissions: contents: read at the top level.
Concretely:
- Edit `.github/workflows/check-url-2.yml`.
- Insert a `permissions:` section after the `name:` line (before `on:`), with `contents: read`.
- No imports or additional methods are needed; this is pure workflow configuration.
| @@ -1,5 +1,7 @@ | ||
| name: Periodic URL Check 2 | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: |
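Review bot: `contents: read` at the root breaks the `git push origin --delete` and `git push --set-upstream` steps in the url-check job, which push with the credentials that `actions/checkout` persists for `GITHUB_TOKEN`; `GH_PAT` is exported into the environment of the commit step, but the `git push` command there never references it, so the autofix's assumption that the PAT covers the pushes does not hold. Worse, every push in that job is followed by `|| echo ...`, so the resulting 403 would be swallowed and the run would stay green while the report branch is never updated. Either keep `contents: read` at the root and grant `contents: write` plus `issues: write` (for create-an-issue) under `url-check:` only, or make the pushes authenticate with the PAT explicitly.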
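The CodeQL finding above is one of three things a reviewer looks for in the workflow hunks on this page: a missing `permissions:` block, actions pinned to movable tags such as `@v3` or `@main`, and PR-controlled expression contexts expanded inside `run:` steps. The script below is an added example for this page, not code from the OTTR project or from CodeQL. It is a deliberately line-based scanner (so it needs no PyYAML) run over a workflow snippet constructed here to mirror the shape of the hunks; the 40-zero SHA in that snippet is a placeholder standing in for a real commit pin.

```python
"""Audit GitHub Actions workflow text for three review findings:
no permissions block, actions pinned to mutable tags, and untrusted
event data interpolated into run: steps.

Added example for this page, not code from the OTTR project. The scan
is line-based so it runs without PyYAML; SAMPLE is a constructed
workflow that only models the shape of the hunks under review.
"""
import re

# A ref pinned to a full commit SHA; anything else (v3, v1.0.0, main) is mutable.
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
# Expression contexts a PR author controls; expanding them inside a shell
# step is script injection (GitHub's hardening guide lists these).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(head_ref|event\.(pull_request\.(title|body|head\.ref|head\.label)"
    r"|issue\.(title|body)|comment\.body))\s*\}\}"
)

# Constructed sample; the all-zero SHA is a placeholder for a real commit pin.
SAMPLE = """\
name: Periodic URL Check 2
on:
  workflow_dispatch:
jobs:
  set-up:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA pin
      - uses: doughepi/yaml-env-action@v1.0.0
  url-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: |
          git checkout -b preview-${{ github.event.pull_request.number }}
          git merge origin/${{ github.head_ref }}
      - run: echo "${{ github.event.pull_request.title }}"
      - uses: JasonEtco/create-an-issue@v2
"""


def has_root_permissions(text: str) -> bool:
    """True if a top-level (column 0) permissions: key exists."""
    return any(line.startswith("permissions:") for line in text.splitlines())


def unpinned_actions(text: str) -> list[tuple[int, str]]:
    """(line, ref) for every external action not pinned to a 40-hex commit SHA."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or image refs are pinned by other means
        if not SHA_PIN.search(ref):
            found.append((n, ref))
    return found


def run_step_lines(text: str):
    """Yield (line number, text) for every line belonging to a run: step,
    covering inline scalars and | / > block scalars."""
    block_indent = None
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if block_indent is not None:
            if line.strip() and indent <= block_indent:
                block_indent = None  # dedented: the block scalar ended
            else:
                yield n, line
                continue
        m = RUN_KEY.match(line)
        if not m:
            continue
        if m.group(3).rstrip() in ("|", ">", "|-", ">-", "|+", ">+"):
            # Block body lines are indented deeper than the run: key itself.
            block_indent = len(m.group(1)) + len(m.group(2) or "")
        else:
            yield n, line


def injected_contexts(text: str) -> list[tuple[int, str]]:
    """(line, expression) for untrusted contexts expanded inside run: steps."""
    return [(n, m.group(0)) for n, line in run_step_lines(text)
            for m in UNTRUSTED.finditer(line)]


def audit(text: str) -> dict:
    """Collect all three findings for a workflow file's text."""
    return {
        "root_permissions": has_root_permissions(text),
        "unpinned": unpinned_actions(text),
        "injections": injected_contexts(text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

Run against the sample, the scanner reports no root `permissions:`, three tag-pinned actions (the placeholder SHA pin passes), and two injection sites: `${{ github.head_ref }}` inside the block scalar and `${{ github.event.pull_request.title }}` in the inline step; `github.event.pull_request.number` is a server-assigned integer and is correctly left alone. Point it at `.github/workflows/*.yml` with `open(path).read()` to audit a real repo.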
| name: Check URLs | ||
| needs: set-up | ||
| if: ${{needs.set-up.outputs.toggle_url_check_periodically == 'true'}} | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| # Delete the branch if this has been run before | ||
| - name: Delete branch locally and remotely | ||
| run: git push origin --delete preview-spell-error || echo "No branch to delete" | ||
|
|
||
| # Make the branch fresh | ||
| - name: Make the branch fresh | ||
| run: | | ||
| git config --global --add safe.directory $GITHUB_WORKSPACE | ||
| git config --global user.name 'github-actions[bot]' | ||
| git config --global user.email 'github-actions[bot]@users.noreply.github.com' | ||
|
|
||
| echo branch doesnt exist | ||
| git checkout -b preview-spell-error || echo branch exists | ||
| git push --set-upstream origin preview-spell-error || echo echo branch exists remotely | ||
| shell: bash | ||
|
|
||
| - name: Run the check | ||
| uses: ottrproject/ottr-reports@main | ||
| id: check_results | ||
| continue-on-error: true | ||
| with: | ||
| check_spelling: false | ||
| spelling_error_min: 1 | ||
| check_urls: true | ||
| url_error_min: 1 | ||
| check_quiz_form: false | ||
| quiz_error_min: 1 | ||
| sort_dictionary: false | ||
|
|
||
| - name: Declare file path and time | ||
| id: check-report | ||
| run: | | ||
| error_num=$(cat check_reports/url_checks.tsv | wc -l) | ||
| error_num="$((error_num-1))" | ||
| echo "error_num=$error_num" >> $GITHUB_OUTPUT | ||
| echo "error_url=https://github.com/${GITHUB_REPOSITORY}/blob/preview-spell-error/check_reports/url_checks.tsv" >> $GITHUB_OUTPUT | ||
| shell: bash | ||
|
|
||
| - name: Stop if failure | ||
| if: steps.check_results.outcome == 'failure' | ||
| run: exit 1 | ||
|
|
||
| - name: Print out error variables | ||
| run: | | ||
| echo ${{ steps.check-report.outputs.error_url }} | ||
| echo ${{ steps.check-report.outputs.error_num }} | ||
|
|
||
| # Commit file | ||
| - name: Commit tocless bookdown files | ||
| if: ${{ steps.check-report.outputs.error_num >= 1 }} | ||
| env: | ||
| GH_PAT: ${{ secrets.GH_PAT }} | ||
| run: | | ||
| git add --force check_reports/url_checks.tsv | ||
| git commit -m 'Add spell check file' || echo "No changes to commit" | ||
| git push --set-upstream origin preview-spell-error || echo echo branch exists remotely | ||
|
|
||
| - name: Find issues | ||
| id: find-issue | ||
| env: | ||
| GH_PAT: ${{ secrets.GH_PAT }} | ||
| run: | | ||
| echo "$GITHUB_REPOSITORY" | ||
| curl -o find_issue.R https://raw.githubusercontent.com/ottrproject/ottr-reports/main/scripts/find_issue.R | ||
| issue_exists=$(Rscript --vanilla find_issue.R --repo $GITHUB_REPOSITORY --git_pat $GH_PAT) | ||
| echo URL issue exists: $issue_exists | ||
| echo "issue_existence=$issue_exists" >> $GITHUB_OUTPUT | ||
|
|
||
| - name: If too many URL errors, then make an issue | ||
| if: ${{ steps.check-report.outputs.error_num >= 1 && steps.find-issue.outputs.issue_existence == 0}} | ||
| uses: JasonEtco/create-an-issue@v2 | ||
| with: | ||
| filename: .github/ISSUE_TEMPLATE/url-error.md | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| FILE_URL: ${{ steps.check-report.outputs.error_url }} | ||
| ERROR_NUM: ${{ steps.check-report.outputs.error_num }} | ||
|
|
||
| - name: If no URL errors than delete the branch we made | ||
| if: ${{ steps.check-report.outputs.error_num < 1 }} | ||
| run: | | ||
| git config --system --add safe.directory "$GITHUB_WORKSPACE" | ||
| git push origin --delete preview-spell-error || echo "No branch to delete" |
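Review bot: the `Find issues` step downloads `find_issue.R` from the `main` branch of ottrproject/ottr-reports at run time and executes it with `--git_pat $GH_PAT` on the command line, so anyone who can push to that branch runs code with this repo's PAT, and the token also shows up in process listings and in any error that echoes the arguments; pin the script to a commit (or vendor it next to the workflow) and have it read the token from an environment variable instead. The `GH_PAT` exported in the commit step is never used by the `git push` there, so the push actually relies on the checkout-persisted `GITHUB_TOKEN`; either drop the unused env or wire it into the remote URL. Smaller points: `|| echo echo branch exists remotely` appears twice with a doubled `echo`, and the branch name `preview-spell-error` and commit message 'Add spell check file' describe the spelling check even though this workflow checks URLs, which will confuse anyone reading the report branch.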
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 months ago):
In general, the fix is to add an explicit permissions: block to the workflow (or to the individual jobs) that grants only the minimal necessary scopes to GITHUB_TOKEN. This documents what the workflow needs and prevents it from inheriting broader default permissions.
For this specific workflow, we should:
- Add a top-level `permissions:` block (applies to all jobs) that is as restrictive as possible.
- The workflow performs `git push` and branch deletion using the default `GITHUB_TOKEN` (no custom token is injected in those steps), and it uses `JasonEtco/create-an-issue@v2` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`. For these to succeed:
  - It needs `contents: write` for pushing branches and deleting branches.
  - It needs `issues: write` to create issues.
- Other scopes (e.g., `pull-requests`, `packages`) are not clearly needed from the shown code and should be omitted to preserve least privilege.
The best minimally invasive change is to add, near the top of `.github/workflows/check-url-2.yml` (after the `name:` line and before `on:`), a `permissions:` block:
permissions:
  contents: write
  issues: write
No imports or additional methods are needed, since this is a YAML workflow configuration change only.
| @@ -1,5 +1,8 @@ | ||
| name: Periodic URL Check 2 | ||
|
|
||
| permissions: | ||
| contents: write | ||
| issues: write | ||
|
|
||
| on: | ||
| workflow_dispatch: |
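Review bot: these scopes match what the url-check steps actually use (pushes through the checkout-persisted `GITHUB_TOKEN`, issue creation through create-an-issue), but putting them at workflow level also hands `contents: write` to the set-up job, which only checks out and reads config_automation.yml. Prefer `permissions: contents: read` at the root with `contents: write` and `issues: write` under `url-check:` alone. Note that this suggestion contradicts the earlier autofix on the same file, which proposes `contents: read` at the root; the two cannot both be applied, and only this one keeps the push steps working.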
| name: Readability report | ||
| needs: yaml-check | ||
| runs-on: ubuntu-latest | ||
| container: | ||
| image: ${{needs.yaml-check.outputs.rendering_docker_image}} | ||
| if: ${{needs.yaml-check.outputs.toggle_render_preview == 'yes'}} | ||
| if: ${{needs.yaml-check.outputs.toggle_readability == 'true'}} | ||
|
|
||
| steps: | ||
| - name: Checkout files | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| # Set up git checkout | ||
| - name: Set up git checkout | ||
| run: | | ||
| git config --global --add safe.directory $GITHUB_WORKSPACE | ||
| git config --global user.name 'github-actions[bot]' | ||
| git config --global user.email 'github-actions[bot]@users.noreply.github.com' | ||
|
|
||
| branch_name='preview-${{ github.event.pull_request.number }}' | ||
| git fetch --all | ||
| git checkout $branch_name | ||
| git merge -s recursive --strategy-option=theirs origin/${{ github.head_ref }} --allow-unrelated-histories | ||
| shell: bash | ||
|
|
||
| # Run bookdown rendering | ||
| - name: Run bookdown render | ||
| id: bookdown | ||
| run: Rscript -e "bookdown::render_book('index.Rmd', output_format = 'all')" | ||
|
|
||
| # Run TOC-less version | ||
| # Rendered content for Leanpub and Coursera is very similar. | ||
| # This job creates a shared scaffold for both. | ||
| - name: Run TOC-less version of render | ||
| id: tocless | ||
| run: Rscript -e "ottrpal::render_without_toc()" | ||
|
|
||
| # This checks on the steps before it and makes sure that they completed. | ||
| # If the renders didn't complete we don't want to commit the file changes | ||
| - name: Check on render steps | ||
| if: steps.bookdown.outcome != 'success' || steps.tocless.outcome != 'success' | ||
| run: | | ||
| echo Bookdown status ${{steps.bookdown.outcome}} | ||
| echo Toc-less status ${{steps.tocless.outcome}} | ||
| exit 1 | ||
|
|
||
| - name: Website preview for download | ||
| run: zip website-preview.zip docs/* -r | ||
|
|
||
| # Commit the rendered bookdown files | ||
| - name: Commit rendered bookdown files to preview branch | ||
| id: commit | ||
| run: | | ||
| branch_name='preview-${{ github.event.pull_request.number }}' | ||
| git diff origin/main -- docs >/dev/null && changes=true || changes=false | ||
| echo "changes=$changes" >> $GITHUB_OUTPUT | ||
| git add . --force | ||
| git commit -m 'Render preview' || echo "No changes to commit" | ||
| git pull --rebase --set-upstream origin $branch_name --allow-unrelated-histories --strategy-option=ours | ||
| git push --force || echo "No changes to commit" | ||
| shell: bash | ||
|
|
||
| - name: Find Comment | ||
| uses: peter-evans/find-comment@v2 | ||
| id: fc | ||
| - name: Readability report | ||
| uses: Rebilly/lexi@v2 | ||
| with: | ||
| issue-number: ${{ github.event.pull_request.number }} | ||
| comment-author: 'github-actions[bot]' | ||
| body-includes: latest commit | ||
| github-token: ${{ secrets.GH_PAT }} | ||
| glob: '**/*.md' | ||
|
|
||
| - name: Build components of the comment | ||
| id: build-components | ||
| run: | | ||
| course_name=$(head -n 1 _bookdown.yml | cut -d'"' -f 2| tr " " "-") | ||
| bookdown_link=$(echo "https://htmlpreview.github.io/?https://raw.githubusercontent.com/$GITHUB_REPOSITORY/preview-${{ github.event.pull_request.number }}/docs/index.html") | ||
| tocless_link=$(echo "https://htmlpreview.github.io/?https://raw.githubusercontent.com/$GITHUB_REPOSITORY/preview-${{ github.event.pull_request.number }}/docs/no_toc/index.html") | ||
| docx_link=$(echo "https://github.com/$GITHUB_REPOSITORY/raw/preview-${{ github.event.pull_request.number }}/docs/$course_name.docx") | ||
| zip_link=$(echo "https://github.com/$GITHUB_REPOSITORY/raw/preview-${{ github.event.pull_request.number }}/website-preview.zip") | ||
| echo "zip_link=$zip_link" >> $GITHUB_OUTPUT | ||
| echo "bookdown_link=$bookdown_link" >> $GITHUB_OUTPUT | ||
| echo "tocless_link=$tocless_link" >> $GITHUB_OUTPUT | ||
| echo "docx_link=$docx_link" >> $GITHUB_OUTPUT | ||
| echo "time=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT | ||
| echo "commit_id=$GITHUB_SHA" >> $GITHUB_OUTPUT | ||
| echo ${{steps.commit.outputs.changes}} | ||
|
|
||
| - name: Create or update comment | ||
| if: steps.commit.outputs.changes == 'true' | ||
| uses: peter-evans/create-or-update-comment@v2 | ||
| with: | ||
| comment-id: ${{ steps.fc.outputs.comment-id }} | ||
| issue-number: ${{ github.event.pull_request.number }} | ||
| body: | | ||
| Re-rendered previews from the latest commit: | ||
| - :eyes: Quick [preview of course website here](${{ steps.build-components.outputs.bookdown_link }}) \* | ||
| - :microscope: Comprehensive [download of the course website here](${{ steps.build-components.outputs.zip_link }}) | ||
| - Download the [.docx file](${{ steps.build-components.outputs.docx_link }}) | ||
|
|
||
| \* note not all html features will be properly displayed in the "quick preview" but it will give you a rough idea. | ||
|
|
||
| _Updated at ${{ steps.build-components.outputs.time }} with changes from the latest commit ${{ steps.build-components.outputs.commit_id }}_ | ||
| edit-mode: replace | ||
|
|
||
| - name: Comment if no changes | ||
| if: steps.commit.outputs.changes == 'false' | ||
| uses: peter-evans/create-or-update-comment@v2 | ||
| with: | ||
| comment-id: ${{ steps.fc.outputs.comment-id }} | ||
| issue-number: ${{ github.event.pull_request.number }} | ||
| body: | | ||
| The latest commit did not produce rendering changes. | ||
| ############################# Render Preview ################################### | ||
| render-preview: |
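Review bot: `origin/${{ github.head_ref }}` in the merge line is expanded into the script text before bash runs it, and `github.head_ref` is the PR author's branch name, the textbook GitHub Actions script-injection vector; pass it through `env:` (`HEAD_REF: ${{ github.head_ref }}`) and reference `"$HEAD_REF"` in the script, and do the same for the other `${{ ... }}` expansions inside `run:` blocks even where the value is a PR number today. Second, the new `Rebilly/lexi@v2` step receives `secrets.GH_PAT`, a personal token with broader reach than `GITHUB_TOKEN`, into a third-party action pinned only to a major tag; if lexi only needs to comment on the PR, give it `GITHUB_TOKEN` with `pull-requests: write` on the job and pin the action to a commit SHA. Finally, `issue-number`, `comment-author` and `body-includes` are inputs of the `peter-evans/find-comment` step being replaced, not of lexi; if they survive under the lexi `with:` block they are at best ignored, so check that they are removed along with the find-comment step.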
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 months ago):
In general, the problem is fixed by explicitly scoping the GITHUB_TOKEN permissions for the readability-report job so it does not inherit potentially broader repository/organization defaults. Since this job only needs to read repository contents (it checks out the code and runs a report) and uses a separate GH_PAT for the external action, we can safely set permissions: contents: read for this job.
The best targeted fix without changing behavior is to add a `permissions:` section under the readability-report job, at the same indentation level as `runs-on` and `if`. Specifically, in `.github/workflows/pull_request.yml`, in the readability-report job definition starting at line 114, insert:
permissions:
  contents: read
between the existing `if:` condition (line 118) and the `steps:` key (line 120). No additional imports or methods are required because this is a YAML workflow configuration change only.
| @@ -116,6 +116,8 @@ | ||
| needs: yaml-check | ||
| runs-on: ubuntu-latest | ||
| if: ${{needs.yaml-check.outputs.toggle_readability == 'true'}} | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Checkout repo |
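Review bot: a job-level `permissions:` on readability-report leaves the other jobs in pull_request.yml (yaml-check, render-preview and any others) without one, so the CodeQL finding stays open for the workflow; add `permissions: contents: read` at the root and raise scopes per job where a step writes. Also verify which job owns the `Commit rendered bookdown files to preview branch` step shown in the hunk above: if it runs in this job rather than in render-preview, `contents: read` makes its `git push --force` fail with a 403 that the trailing `|| echo "No changes to commit"` hides, and the preview branch silently stops updating.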
Carrie checked the preview and the render all action is working for all steps on this branch. So going to merge
Synced local file(s) with ottrproject/OTTR_Template.
Changed files
- .github/workflows/ with remote directory .github/workflows/
- assets/style.css with remote assets/style.css
- assets/style_config_default.css from remote assets/style_config_default.css
- config_automation.yml with remote config_automation.yml
This PR was created automatically by the repo-file-sync-action workflow run #15498355326