Update Workflows to Version 0.18.3 #135
ℹ️ Modified Workflows: This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
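Review bot: The `run:` script in step `check` splices `${{ github.event_name }}`, `${{ github.ref }}`, `${{ github.event.action }}` and `${{ github.event.pull_request.merged }}` directly into the bash source. These four values are GitHub-set tokens and booleans rather than free text, so the condition is not injectable as written, but the more robust pattern is to export each expression through `env:` on the step and test `"$EVENT_NAME"` / `"$REF"` in bash, so the script body is never rewritten from context data if someone later adds a title or branch-derived value to the same condition.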
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 days ago):
In general, the problem is fixed by explicitly defining GitHub Actions permissions, either at the workflow root (applies to all jobs that don't override it) or per job. For a job that does not need any token permissions, we should set permissions: {} to fully disable the GITHUB_TOKEN. For jobs that do need specific scopes, we grant only those scopes.
The minimal, least-privilege change here is:
- Add a workflow-level `permissions: read-all` (or equivalent) if we want a common default, and then override for individual jobs as needed; or
- More strictly, add a job-level `permissions: {}` to `preflight`, since it only runs a bash condition and does not need GITHUB_TOKEN at all.
Because we must avoid changing functionality and we only know the full needs of the shown jobs, the safest targeted change is:
- Add `permissions: {}` to the `preflight` job to explicitly disable GITHUB_TOKEN there.
- Keep the existing `permissions` block in `check-renv` unchanged.
- Leave other jobs untouched since they are not part of the finding and their permission needs are not fully visible.
Concretely, in .github/workflows/docker_apply_cache.yaml, under jobs.preflight, insert a permissions: {} entry between runs-on: ubuntu-latest (line 24) and outputs: (line 25). No imports or additional methods are needed; this is a pure YAML configuration change.
| @@ -22,6 +22,7 @@ | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: |
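Review bot: `permissions: {}` on `preflight` is the right scope: its single step only writes to `$GITHUB_OUTPUT` and never touches `GITHUB_TOKEN`. The same empty block applies equally to `no-renv-cache-used` and `renv-cache-available`, which only `echo` a message; landing all three in one commit, rather than accepting three separate autofix suggestions, keeps the history readable and makes it obvious that every echo-only job in this file was handled deliberately.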
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 days ago):
In general, the issue is fixed by explicitly specifying GitHub Actions permissions to follow least privilege, either at the workflow root (applies to all jobs without their own block) or per job. For a job that only runs a simple shell command and does not call the GitHub API, the correct least privilege is permissions: {} to disable the GITHUB_TOKEN entirely for that job.
The best minimal change that does not alter existing functionality is to add a permissions: {} block to the no-renv-cache-used job. That job currently only prints a message and does not use GITHUB_TOKEN, so removing token permissions will not affect behavior. We leave other jobs unchanged, including check-renv which already has an explicit permissions block.
Concretely, in .github/workflows/docker_apply_cache.yaml, under the no-renv-cache-used: job definition (around line 62), insert permissions: {} between runs-on: ubuntu-latest and needs: check-renv. No imports or additional methods are required because this is pure YAML configuration.
| @@ -61,6 +61,7 @@ | ||
| no-renv-cache-used: | ||
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: |
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 days ago):
To fix the problem, the job that currently has no explicit permissions block (renv-cache-available) should be given explicit, least‑privilege GitHub token permissions. Since this job only prints a message and does not use the token at all, the safest option is to disable the token for this job by setting permissions: {}. This ensures that even if future steps are added inadvertently, they will not have implicit read‑write access without consciously adjusting permissions.
Concretely, in .github/workflows/docker_apply_cache.yaml, locate the renv-cache-available job starting at line 70 (name: "renv cache available"). Under runs-on: ubuntu-latest (line 72), add a permissions: {} block at the same indentation level as runs-on, needs, and if. No imports or additional definitions are needed; this is purely a YAML configuration change within the workflow.
| @@ -70,6 +70,7 @@ | ||
| renv-cache-available: | ||
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: |
| name: "Trigger Build and Deploy Workflow" | ||
| runs-on: ubuntu-latest | ||
| needs: update-renv-cache | ||
| if: | | ||
| needs.update-renv-cache.result == 'success' || | ||
| needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: "Trigger Build and Deploy Workflow" | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| gh workflow run docker_build_deploy.yaml --ref main | ||
| shell: bash | ||
| continue-on-error: true |
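Review bot: The `gh workflow run docker_build_deploy.yaml --ref main` step calls the Actions dispatch API, which requires the `actions: write` scope on `GITHUB_TOKEN`; this job declares no `permissions:` block, so it currently depends on whatever the repository default happens to be. Together with `continue-on-error: true`, a 403 here would be logged but leave the job green and the downstream build silently untriggered. Suggest a job-level block on this job, `permissions:` with `actions: write` and `contents: read` (the latter for `actions/checkout@v4`), and either dropping `continue-on-error: true` or surfacing the dispatch failure as a job output so it is not lost.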
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 days ago):
In general, to fix this class of problem you explicitly declare a permissions: block in the workflow or specific jobs, limiting the default GITHUB_TOKEN scopes to only what is required (e.g., contents: read). This overrides potentially broader repo/org defaults and aligns with least privilege.
For this specific workflow, the best minimally invasive fix without changing behavior is to add a single top‑level permissions: block applying to all jobs. This will also address the CodeQL warning on the trigger-build-deploy job. Place the block after the on: section (a common, clear location) and set contents: read, which is sufficient for actions/checkout@v4 and for using the GitHub CLI with GITHUB_TOKEN to trigger another workflow. No other scopes (like issues or pull-requests) are clearly required from the provided snippet.
Concretely:
- Edit `.github/workflows/docker_apply_cache.yaml`.
- Insert:
  ```yaml
  permissions:
    contents: read
  ```
  between the `on:` block (ending at line 14) and the `concurrency:` block (starting at line 17). No additional imports or dependencies are needed.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
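Review bot: A root-level `contents: read` is a good default, but as the only grant in the file it also becomes the effective permission set for `trigger-build-deploy`, whose `gh workflow run` call needs `actions: write`; the autofix text's claim that `contents: read` is enough to trigger another workflow with the CLI does not hold. Keep this root block and add a job-level override on `trigger-build-deploy` granting `actions: write` alongside `contents: read`, otherwise the dispatch step will start failing once this lands.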
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
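Review bot: `carpentries/actions/build-preflight@main` and `carpentries/actions/container-version@main` are referenced by a mutable branch, so the code these steps execute, with `GITHUB_TOKEN` available both in the job-level `env:` and as the explicit `token:` input, can change without any commit to this repository. Pinning to a release tag or full commit SHA makes that trust boundary explicit; if `@main` is intentional for the Carpentries template, a comment saying so would help future readers. Separately, setting `GITHUB_TOKEN` in job-level `env:` exposes it to every step, including `actions/checkout@v4`; scoping it to the steps that actually use it narrows the exposure.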
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 days ago):
In general, the fix is to add an explicit permissions block to the preflight job so that the automatically provided GITHUB_TOKEN is restricted to the least privilege required. Since this job primarily runs preflight checks and determines whether to build, it likely only needs read access to repository contents (and possibly nothing more). This aligns it with the other jobs in the workflow that already declare scoped permissions.
Concretely, in .github/workflows/docker_build_deploy.yaml, under the preflight job definition (around lines 39–52), add a permissions section specifying contents: read. Place it at the same indentation level as runs-on, outputs, env, and steps. This will ensure that the implicit GITHUB_TOKEN used by this job is limited to read-only access to repository contents, while not changing any of the existing environment variables, steps, or behavior. No additional imports or external dependencies are required; this is purely a workflow configuration change.
| @@ -39,6 +39,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
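Review bot: `contents: read` is an assumption here rather than something the hunk can confirm: both `build-preflight` and `container-version` receive `GITHUB_TOKEN`, and the API scopes they actually exercise live in the `carpentries/actions` repository, not in this file. If either reads repository variables, workflow runs or the container registry beyond contents, the job will only fail with a 403 at runtime. Worth checking those two actions' token use before merging, or running the workflow once on a branch with this block in place.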
| name: "Preflight: Manual or Scheduled Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| ok: ${{ steps.check.outputs.ok }} | ||
| steps: | ||
| - id: check | ||
| run: | | ||
| if [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then | ||
| if [[ "${{ github.event_name }}" == 'workflow_dispatch' ]]; then | ||
| echo "ok=true" >> $GITHUB_OUTPUT | ||
| echo "Running on request" | ||
| # using single brackets here to avoid 08 being interpreted as octal | ||
| # https://github.com/carpentries/sandpaper/issues/250 | ||
| elif [ `date +%d` -le 7 ]; then | ||
| # If the Tuesday lands in the first week of the month, run it | ||
| echo "ok=true" >> $GITHUB_OUTPUT | ||
| echo "Running on schedule" | ||
| else | ||
| echo "ok=false" >> $GITHUB_OUTPUT | ||
| echo "Not Running Today" | ||
| fi | ||
| shell: bash | ||
|
|
||
| check_renv: | ||
| name: "Check if We Need {renv}" | ||
| runs-on: ubuntu-22.04 | ||
| check-renv: | ||
| name: "Check If We Need {renv}" | ||
| runs-on: ubuntu-latest | ||
| needs: preflight | ||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | ||
| if: ${{ needs.preflight.outputs.ok == 'true' }} |
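Review bot: Renaming the job id `check_renv` to `check-renv` (and moving it from `ubuntu-22.04` to `ubuntu-latest`) changes the identifier other jobs reference through `needs:` and `needs.<id>.outputs`; those references are outside this region, so please confirm every `needs: check_renv` in the file was updated in the same change, otherwise the workflow fails validation on load. The quoting fix on the dispatch test, `"${{ github.event_name }}"` instead of the bare expansion, is the right change and worth keeping even though this particular value never contains whitespace.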
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 6 days ago):
In general, the problem is fixed by explicitly defining a restrictive permissions block at the root of the workflow, which applies to all jobs that do not have their own permissions block. Jobs that need broader permissions (like update_cache) can continue to override permissions at the job level.
For this workflow, the best minimal change that preserves functionality is:
- Add a workflow-level `permissions` block just after the `on:` section.
- Set `contents: read` as a sensible least-privilege default for `preflight` and `check-renv`, which only need to read repo contents and metadata.
- Leave the existing `permissions` block under the `update_cache` job unchanged so it preserves its required write permissions.
Concretely:
- Edit `.github/workflows/update-cache.yaml`.
- Insert:
  ```yaml
  permissions:
    contents: read
  ```
  between the `on:` block (ending at line 26) and the `env:` block (starting at line 28). No imports or additional definitions are required, since this is a pure YAML configuration change within the workflow.
| @@ -25,6 +25,9 @@ | ||
| default: false | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| LOCKFILE_CACHE_GEN: ${{ vars.LOCKFILE_CACHE_GEN || github.event.inputs.generate-cache || 'false' }} | ||
| FORCE_RENV_INIT: ${{ vars.FORCE_RENV_INIT || github.event.inputs.force-renv-init || 'false' }} |
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 0.18.3