Skip to content

Update Workflows to Version 0.18.3#76

Open
fherreazcue wants to merge 1 commit into
mainfrom
update/workflows
Open

Update Workflows to Version 0.18.3#76
fherreazcue wants to merge 1 commit into
mainfrom
update/workflows

Conversation

@fherreazcue

Copy link
Copy Markdown
Collaborator

🤖 This is an automated build

Update Workflows from sandpaper version 0.16.12 -> 0.18.3

@github-actions

Copy link
Copy Markdown

ℹ️ Modified Workflows

This pull request contains modified workflow files and no preview will be created.

Workflow files modified:

  • .github/workflows/README.md
  • .github/workflows/docker_apply_cache.yaml
  • .github/workflows/docker_build_deploy.yaml
  • .github/workflows/docker_pr_receive.yaml
  • .github/workflows/pr-comment.yaml
  • .github/workflows/pr-preflight.yaml
  • .github/workflows/sandpaper-version.txt
  • .github/workflows/update-cache.yaml
  • .github/workflows/update-workflows.yaml

If this is not from a trusted source, please inspect the changes for any malicious content.

Comment on lines +23 to +40
name: "Preflight: PR or Manual Trigger?"
runs-on: ubuntu-latest
outputs:
do-apply: ${{ steps.check.outputs.merged_or_manual }}
steps:
- name: "Should we run cache application?"
id: check
run: |
if [[ "${{ github.event_name }}" == "workflow_dispatch" ||
("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then
echo "merged_or_manual=true" >> $GITHUB_OUTPUT
else
echo "This was not a manual trigger and no PR was merged. No action taken."
echo "merged_or_manual=false" >> $GITHUB_OUTPUT
fi
shell: bash

check-renv:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

In general, the problem is fixed by explicitly defining a permissions block for the workflow (or the specific job) and scoping the GITHUB_TOKEN to the minimal rights required. For the preflight job, no token access is needed, so the safest option is to set default workflow permissions to contents: read, which is GitHub’s recommended minimal baseline and is sufficient for most basic operations while avoiding unnecessary write access. Jobs that require additional privileges can still override this with their own permissions blocks, as check-renv already does.

For this file, the best fix without changing existing functionality is:

  • Add a top-level permissions: block near the top of the workflow, after the on: block (line 15/16 area), setting contents: read. This will apply to all jobs that do not explicitly specify permissions, including preflight, no-renv-cache-used, renv-cache-available, update-renv-cache, and trigger-build-deploy.
  • Leave the existing permissions block in check-renv unchanged so it can still obtain id-token: write as required.
  • No additional imports or dependencies are needed; this is purely a YAML configuration change.

Concretely, edit .github/workflows/docker_apply_cache.yaml to insert:

permissions:
  contents: read

between the on: block (lines 3–14) and the concurrency: section (lines 16–19). This ensures the preflight job (highlighted by CodeQL) now has an explicit, least-privilege permission set.

Suggested changeset 1
.github/workflows/docker_apply_cache.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker_apply_cache.yaml b/.github/workflows/docker_apply_cache.yaml
--- a/.github/workflows/docker_apply_cache.yaml
+++ b/.github/workflows/docker_apply_cache.yaml
@@ -13,6 +13,9 @@
     branches:
       - main
 
+permissions:
+  contents: read
+
 # queue cache runs
 concurrency:
   group: docker-apply-cache
EOF
@@ -13,6 +13,9 @@
branches:
- main

permissions:
contents: read

# queue cache runs
concurrency:
group: docker-apply-cache
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +62 to +70
name: "No renv cache used"
runs-on: ubuntu-latest
needs: check-renv
if: needs.check-renv.outputs.renv-needed != 'true'
steps:
- name: "No renv cache needed"
run: echo "No renv cache needed for this lesson"

renv-cache-available:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

To fix the issue, explicitly set GitHub token permissions instead of relying on the repository defaults. For jobs that don’t need the token, you should disable it entirely with permissions: {} (or permissions: read-all if you prefer a minimal read access). This enforces least privilege and satisfies CodeQL’s requirement for an explicit permissions block.

The best fix here without changing functionality is:

  • Add a root‑level permissions: block near the top of .github/workflows/docker_apply_cache.yaml to define safe defaults for all jobs (e.g., read-all).
  • For the no-renv-cache-used job specifically (line 62), add permissions: {} to disable the token for that job, overriding the workflow default.
  • Optionally, other trivial jobs like renv-cache-available and preflight can also get permissions: {}, but CodeQL’s reported location is no-renv-cache-used, so we’ll minimally ensure that job is explicitly configured.

No new imports, methods, or external definitions are needed; this is purely a YAML workflow configuration change within .github/workflows/docker_apply_cache.yaml.

Suggested changeset 1
.github/workflows/docker_apply_cache.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker_apply_cache.yaml b/.github/workflows/docker_apply_cache.yaml
--- a/.github/workflows/docker_apply_cache.yaml
+++ b/.github/workflows/docker_apply_cache.yaml
@@ -13,6 +13,9 @@
     branches:
       - main
 
+permissions:
+  contents: read
+
 # queue cache runs
 concurrency:
   group: docker-apply-cache
@@ -63,6 +66,7 @@
     runs-on: ubuntu-latest
     needs: check-renv
     if: needs.check-renv.outputs.renv-needed != 'true'
+    permissions: {}
     steps:
       - name: "No renv cache needed"
         run: echo "No renv cache needed for this lesson"
EOF
@@ -13,6 +13,9 @@
branches:
- main

permissions:
contents: read

# queue cache runs
concurrency:
group: docker-apply-cache
@@ -63,6 +66,7 @@
runs-on: ubuntu-latest
needs: check-renv
if: needs.check-renv.outputs.renv-needed != 'true'
permissions: {}
steps:
- name: "No renv cache needed"
run: echo "No renv cache needed for this lesson"
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +71 to +79
name: "renv cache available"
runs-on: ubuntu-latest
needs: check-renv
if: needs.check-renv.outputs.renv-cache-available == 'true'
steps:
- name: "renv cache available"
run: echo "renv cache available for this lesson"

update-renv-cache:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

In general, each job should have an explicit permissions block (or inherit from a restrictive root-level permissions block) that grants only the minimal rights needed. For jobs that do not need to call GitHub’s API or modify repository resources, you can set permissions: {} (no permissions) or permissions: contents: read if read access is required.

For this specific workflow:

  • The renv-cache-available job only prints a message via run: echo, so it does not need any token permissions. The safest fix is to add permissions: {} to that job.
  • This change stays within the shown snippet and does not alter existing functionality, as the job does not rely on GITHUB_TOKEN or GitHub API access.
  • Concretely, in .github/workflows/docker_apply_cache.yaml, locate the renv-cache-available job definition starting at line 70. Insert a permissions: {} line (properly indented) after runs-on: ubuntu-latest (line 72) and before needs: check-renv (line 73).

No additional methods, imports, or definitions are required: it is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/docker_apply_cache.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker_apply_cache.yaml b/.github/workflows/docker_apply_cache.yaml
--- a/.github/workflows/docker_apply_cache.yaml
+++ b/.github/workflows/docker_apply_cache.yaml
@@ -70,6 +70,7 @@
   renv-cache-available:
     name: "renv cache available"
     runs-on: ubuntu-latest
+    permissions: {}
     needs: check-renv
     if: needs.check-renv.outputs.renv-cache-available == 'true'
     steps:
EOF
@@ -70,6 +70,7 @@
renv-cache-available:
name: "renv cache available"
runs-on: ubuntu-latest
permissions: {}
needs: check-renv
if: needs.check-renv.outputs.renv-cache-available == 'true'
steps:
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +212 to +227
name: "Trigger Build and Deploy Workflow"
runs-on: ubuntu-latest
needs: update-renv-cache
if: |
needs.update-renv-cache.result == 'success' ||
needs.check-renv.outputs.renv-cache-available == 'true'
steps:
- uses: actions/checkout@v4

- name: "Trigger Build and Deploy Workflow"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh workflow run docker_build_deploy.yaml --ref main
shell: bash
continue-on-error: true

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

In general, the fix is to add an explicit permissions block to the workflow (at the top level, or per‑job) so that GITHUB_TOKEN is limited to the minimal scopes required. This prevents the workflow from silently inheriting broader repository/organization defaults.

For this workflow, no steps modify repository contents or manage issues/PRs; they mainly read repo metadata, configure AWS via OIDC, upload to S3, and trigger another workflow using gh workflow run. The safe, minimal practical set is to define a root‑level permissions block with contents: read and actions: write (needed so gh workflow run can dispatch another workflow). We can set this once near the top of .github/workflows/docker_apply_cache.yaml (e.g., after on: or after concurrency:), and it will apply to all jobs, including trigger-build-deploy, without changing any existing behavior.

Concretely:

  • Edit .github/workflows/docker_apply_cache.yaml.
  • Insert a top‑level permissions: block, aligned with on: and jobs:.
  • Use:
    permissions:
      contents: read
      actions: write
  • No additional imports or methods are needed; this is purely a workflow configuration change.
Suggested changeset 1
.github/workflows/docker_apply_cache.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker_apply_cache.yaml b/.github/workflows/docker_apply_cache.yaml
--- a/.github/workflows/docker_apply_cache.yaml
+++ b/.github/workflows/docker_apply_cache.yaml
@@ -13,6 +13,10 @@
     branches:
       - main
 
+permissions:
+  contents: read
+  actions: write
+
 # queue cache runs
 concurrency:
   group: docker-apply-cache
EOF
@@ -13,6 +13,10 @@
branches:
- main

permissions:
contents: read
actions: write

# queue cache runs
concurrency:
group: docker-apply-cache
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +40 to +70
name: "Preflight: Schedule, Push, or PR?"
runs-on: ubuntu-latest
outputs:
do-build: ${{ steps.build-check.outputs.do-build }}
renv-needed: ${{ steps.build-check.outputs.renv-needed }}
renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }}
workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }}
wb-vers: ${{ steps.wb-vers.outputs.container-version }}
last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }}
workbench-update: ${{ steps.wb-vers.outputs.workbench-update }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: "Should we run build and deploy?"
id: build-check
uses: carpentries/actions/build-preflight@main

- name: "Checkout Lesson"
if: steps.build-check.outputs.do-build == 'true'
uses: actions/checkout@v4

- name: "Get container version info"
id: wb-vers
if: steps.build-check.outputs.do-build == 'true'
uses: carpentries/actions/container-version@main
with:
WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }}
renv-needed: ${{ steps.build-check.outputs.renv-needed }}
token: ${{ secrets.GITHUB_TOKEN }}

full-build:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

In general, to fix this class of issue you explicitly define a permissions block either at the workflow level or per job, granting only the capabilities that job truly needs. This prevents GitHub from falling back to broader, repository-level defaults and reduces the blast radius of any compromised GITHUB_TOKEN.

For this specific workflow, the best minimally invasive change is to add a permissions block to the preflight job only. The other jobs (full-build and update-container-version) already declare explicit permissions, so no change is needed there. The preflight job appears to only need to read repository contents and metadata, so we can set permissions: contents: read. This satisfies CodeQL’s recommendation and adheres to least privilege without altering functionality.

Concretely:

  • Edit .github/workflows/docker_build_deploy.yaml.
  • Under jobs: preflight: ... runs-on: ubuntu-latest, insert:
    permissions:
      contents: read
  • Keep indentation aligned with runs-on: and env: in that job.
  • No additional methods, imports, or external dependencies are required.
Suggested changeset 1
.github/workflows/docker_build_deploy.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker_build_deploy.yaml b/.github/workflows/docker_build_deploy.yaml
--- a/.github/workflows/docker_build_deploy.yaml
+++ b/.github/workflows/docker_build_deploy.yaml
@@ -39,6 +39,8 @@
   preflight:
     name: "Preflight: Schedule, Push, or PR?"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       do-build: ${{ steps.build-check.outputs.do-build }}
       renv-needed: ${{ steps.build-check.outputs.renv-needed }}
EOF
@@ -39,6 +39,8 @@
preflight:
name: "Preflight: Schedule, Push, or PR?"
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
do-build: ${{ steps.build-check.outputs.do-build }}
renv-needed: ${{ steps.build-check.outputs.renv-needed }}
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines 35 to +57
@@ -33,48 +52,42 @@ jobs:
echo "ok=false" >> $GITHUB_OUTPUT
echo "Not Running Today"
fi
shell: bash

check_renv:
name: "Check if We Need {renv}"
runs-on: ubuntu-22.04
check-renv:
name: "Check If We Need {renv}"
runs-on: ubuntu-latest
needs: preflight
if: ${{ needs.preflight.outputs.ok == 'true'}}
if: ${{ needs.preflight.outputs.ok == 'true' }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

In general, the problem is fixed by explicitly adding a permissions: section to the workflow or to the individual jobs so the GITHUB_TOKEN has only the minimal rights required. Jobs that only need to read repository contents can use permissions: contents: read (or even permissions: read-all); jobs that need to open PRs or push code can request specific write scopes as already done for update_cache.

For this workflow, the safest, non‑breaking approach is:

  • Add a workflow-level permissions block near the top (after description: or on:) that sets everything to read-only with contents: read. This will apply to all jobs by default.
  • Keep the existing job-level permissions on update_cache to override the default, since it already correctly grants specific write scopes.
  • Do not change job logic or steps; only add the permissions declaration.

Concretely:

  • Edit .github/workflows/update-cache.yaml.

  • Insert:

    permissions:
      contents: read

    after the description: line (or before on:), so preflight and check-renv will run with contents: read and no broader write access, while update_cache retains its explicit, more permissive block.

No additional imports, methods, or other definitions are required.

Suggested changeset 1
.github/workflows/update-cache.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/update-cache.yaml b/.github/workflows/update-cache.yaml
--- a/.github/workflows/update-cache.yaml
+++ b/.github/workflows/update-cache.yaml
@@ -1,5 +1,7 @@
 name: "02 Maintain: Check for Updated Packages"
 description: "Check for updated R packages and create a pull request to update the lesson's renv lockfile and package cache"
+permissions:
+  contents: read
 on:
   schedule:
     - cron: '0 0 * * 2'
EOF
@@ -1,5 +1,7 @@
name: "02 Maintain: Check for Updated Packages"
description: "Check for updated R packages and create a pull request to update the lesson's renv lockfile and package cache"
permissions:
contents: read
on:
schedule:
- cron: '0 0 * * 2'
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants