Update Workflows to Version 0.18.3#76
Conversation
ℹ️ Modified WorkflowsThis pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content. |
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
In general, the problem is fixed by explicitly defining a permissions block for the workflow (or the specific job) and scoping the GITHUB_TOKEN to the minimal rights required. For the preflight job, no token access is needed, so the safest option is to set default workflow permissions to contents: read, which is GitHub’s recommended minimal baseline and is sufficient for most basic operations while avoiding unnecessary write access. Jobs that require additional privileges can still override this with their own permissions blocks, as check-renv already does.
For this file, the best fix without changing existing functionality is:
- Add a top-level
permissions:block near the top of the workflow, after theon:block (line 15/16 area), settingcontents: read. This will apply to all jobs that do not explicitly specify permissions, includingpreflight,no-renv-cache-used,renv-cache-available,update-renv-cache, andtrigger-build-deploy. - Leave the existing
permissionsblock incheck-renvunchanged so it can still obtainid-token: writeas required. - No additional imports or dependencies are needed; this is purely a YAML configuration change.
Concretely, edit .github/workflows/docker_apply_cache.yaml to insert:
permissions:
contents: readbetween the on: block (lines 3–14) and the concurrency: section (lines 16–19). This ensures the preflight job (highlighted by CodeQL) now has an explicit, least-privilege permission set.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
To fix the issue, explicitly set GitHub token permissions instead of relying on the repository defaults. For jobs that don’t need the token, you should disable it entirely with permissions: {} (or permissions: read-all if you prefer a minimal read access). This enforces least privilege and satisfies CodeQL’s requirement for an explicit permissions block.
The best fix here without changing functionality is:
- Add a root‑level
permissions:block near the top of.github/workflows/docker_apply_cache.yamlto define safe defaults for all jobs (e.g.,read-all). - For the
no-renv-cache-usedjob specifically (line 62), addpermissions: {}to disable the token for that job, overriding the workflow default. - Optionally, other trivial jobs like
renv-cache-availableandpreflightcan also getpermissions: {}, but CodeQL’s reported location isno-renv-cache-used, so we’ll minimally ensure that job is explicitly configured.
No new imports, methods, or external definitions are needed; this is purely a YAML workflow configuration change within .github/workflows/docker_apply_cache.yaml.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache | ||
| @@ -63,6 +66,7 @@ | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| permissions: {} | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" |
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
In general, each job should have an explicit permissions block (or inherit from a restrictive root-level permissions block) that grants only the minimal rights needed. For jobs that do not need to call GitHub’s API or modify repository resources, you can set permissions: {} (no permissions) or permissions: contents: read if read access is required.
For this specific workflow:
- The
renv-cache-availablejob only prints a message viarun: echo, so it does not need any token permissions. The safest fix is to addpermissions: {}to that job. - This change stays within the shown snippet and does not alter existing functionality, as the job does not rely on
GITHUB_TOKENor GitHub API access. - Concretely, in
.github/workflows/docker_apply_cache.yaml, locate therenv-cache-availablejob definition starting at line 70. Insert apermissions: {}line (properly indented) afterruns-on: ubuntu-latest(line 72) and beforeneeds: check-renv(line 73).
No additional methods, imports, or definitions are required: it is purely a YAML configuration change.
| @@ -70,6 +70,7 @@ | ||
| renv-cache-available: | ||
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: |
| name: "Trigger Build and Deploy Workflow" | ||
| runs-on: ubuntu-latest | ||
| needs: update-renv-cache | ||
| if: | | ||
| needs.update-renv-cache.result == 'success' || | ||
| needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: "Trigger Build and Deploy Workflow" | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| gh workflow run docker_build_deploy.yaml --ref main | ||
| shell: bash | ||
| continue-on-error: true |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
In general, the fix is to add an explicit permissions block to the workflow (at the top level, or per‑job) so that GITHUB_TOKEN is limited to the minimal scopes required. This prevents the workflow from silently inheriting broader repository/organization defaults.
For this workflow, no steps modify repository contents or manage issues/PRs; they mainly read repo metadata, configure AWS via OIDC, upload to S3, and trigger another workflow using gh workflow run. The safe, minimal practical set is to define a root‑level permissions block with contents: read and actions: write (needed so gh workflow run can dispatch another workflow). We can set this once near the top of .github/workflows/docker_apply_cache.yaml (e.g., after on: or after concurrency:), and it will apply to all jobs, including trigger-build-deploy, without changing any existing behavior.
Concretely:
- Edit
.github/workflows/docker_apply_cache.yaml. - Insert a top‑level
permissions:block, aligned withon:andjobs:. - Use:
permissions: contents: read actions: write
- No additional imports or methods are needed; this is purely a workflow configuration change.
| @@ -13,6 +13,10 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
| actions: write | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
In general, to fix this class of issue you explicitly define a permissions block either at the workflow level or per job, granting only the capabilities that job truly needs. This prevents GitHub from falling back to broader, repository-level defaults and reduces the blast radius of any compromised GITHUB_TOKEN.
For this specific workflow, the best minimally invasive change is to add a permissions block to the preflight job only. The other jobs (full-build and update-container-version) already declare explicit permissions, so no change is needed there. The preflight job appears to only need to read repository contents and metadata, so we can set permissions: contents: read. This satisfies CodeQL’s recommendation and adheres to least privilege without altering functionality.
Concretely:
- Edit
.github/workflows/docker_build_deploy.yaml. - Under
jobs: preflight: ... runs-on: ubuntu-latest, insert:
permissions:
contents: read- Keep indentation aligned with
runs-on:andenv:in that job. - No additional methods, imports, or external dependencies are required.
| @@ -39,6 +39,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 6 months ago
In general, the problem is fixed by explicitly adding a permissions: section to the workflow or to the individual jobs so the GITHUB_TOKEN has only the minimal rights required. Jobs that only need to read repository contents can use permissions: contents: read (or even permissions: read-all); jobs that need to open PRs or push code can request specific write scopes as already done for update_cache.
For this workflow, the safest, non‑breaking approach is:
- Add a workflow-level
permissionsblock near the top (afterdescription:oron:) that sets everything to read-only withcontents: read. This will apply to all jobs by default. - Keep the existing job-level
permissionsonupdate_cacheto override the default, since it already correctly grants specific write scopes. - Do not change job logic or steps; only add the
permissionsdeclaration.
Concretely:
-
Edit
.github/workflows/update-cache.yaml. -
Insert:
permissions: contents: read
after the
description:line (or beforeon:), sopreflightandcheck-renvwill run withcontents: readand no broader write access, whileupdate_cacheretains its explicit, more permissive block.
No additional imports, methods, or other definitions are required.
| @@ -1,5 +1,7 @@ | ||
| name: "02 Maintain: Check for Updated Packages" | ||
| description: "Check for updated R packages and create a pull request to update the lesson's renv lockfile and package cache" | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| schedule: | ||
| - cron: '0 0 * * 2' |
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 0.18.3