Update Workflows to Version 0.18.4 #254
ℹ️ Modified Workflows
This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
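Review bot: the run: step in the preflight job interpolates `${{ github.event_name }}`, `${{ github.ref }}`, `${{ github.event.action }}` and `${{ github.event.pull_request.merged }}` directly into the bash script. These four values are event metadata set by GitHub rather than free text supplied by the PR author, so the pattern is not an injection risk as written, but the usual hardening is to pass them through `env:` (for example `EVENT_NAME: ${{ github.event_name }}`) and test `"$EVENT_NAME"` in the script, so that a later edit adding a user-controlled field such as the PR title cannot turn into command execution. The job also has no `permissions:` block, which is what the CodeQL finding on this job flags; since it never touches the GitHub API, `permissions: {}` is the right scope.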
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 10 days ago
In general, to fix this class of issue you explicitly declare permissions either at the top level of the workflow or per job, limiting GITHUB_TOKEN to the minimum required scopes. Jobs that don’t need to touch the GitHub API at all can safely use permissions: {} (no permissions) or a read-only contents: read if they need to read repo data via the API.
For this specific workflow, the preflight job just evaluates the event context and sets an output. It does not use secrets.GITHUB_TOKEN, call the GitHub API, or perform any GitHub-side write actions. The safest and least-privilege configuration is therefore to give it no token permissions. Concretely, in .github/workflows/docker_apply_cache.yaml, under jobs: preflight:, add a permissions: {} block alongside runs-on and outputs. This change does not modify any existing behavior, because the job never used the token’s capabilities; it only tightens what the token would be allowed to do if the script were ever changed in the future.
| @@ -22,6 +22,7 @@ | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: |
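Review bot: `permissions: {}` is the correct scope for this job, since nothing in it reads or writes through the GitHub API, but applying it here covers only preflight; no-renv-cache-used, renv-cache-available and trigger-build-deploy stay on the repository default. Also note where this file comes from: the PR body says these workflows are generated from sandpaper 0.18.4, so a job-level edit made in this repository will be overwritten by the next automated workflow update unless the same change lands in the sandpaper templates.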
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 10 days ago
In general, fix this by explicitly configuring GitHub Actions permissions so that jobs get only the minimal GITHUB_TOKEN capabilities they need. Jobs that do not need the token can set permissions: {} (no permissions), while jobs that need limited access can request only specific scopes (e.g., contents: read).
For this workflow, the simplest, least-disruptive fix centered on the flagged job is to add an explicit permissions: {} block to the no-renv-cache-used job. That job only prints a message and does not require any GitHub API operations or token use, so it can safely run with no token permissions at all. We do not need to change its steps or add any imports. Concretely, in .github/workflows/docker_apply_cache.yaml, under jobs: no-renv-cache-used:, insert a permissions: {} line between runs-on: ubuntu-latest and needs: check-renv. No other parts of the file need to be modified for this specific CodeQL report.
| @@ -61,6 +61,7 @@ | ||
| no-renv-cache-used: | ||
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: |
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 10 days ago
In general, the fix is to explicitly define a minimal permissions block at the workflow level so all jobs get least-privilege defaults, and then override permissions per job only where broader access is strictly required. This prevents jobs from inheriting potentially broad repository defaults.
The best targeted fix here is:
- Add a permissions block near the top of .github/workflows/docker_apply_cache.yaml (at the workflow root) to set contents: read and id-token: write (the latter is already required by check-renv). This will apply to all jobs that don’t define their own permissions.
- Remove the now-redundant permissions block from the check-renv job so it inherits the root-level settings.
- Leave other jobs as-is; they will automatically inherit the safe defaults, and trigger-build-deploy will still be able to use GITHUB_TOKEN with read-only repo contents, which is sufficient to invoke another workflow via gh workflow run (no package or admin writes are needed here based on the snippet).
Concretely:
- In .github/workflows/docker_apply_cache.yaml, after the on: block (after line 15), insert:
permissions:
  contents: read
  id-token: write
- In the check-renv job block, delete the permissions: stanza currently at lines 45–47.
No additional imports or methods are needed; this is purely YAML configuration.
| @@ -13,6 +13,10 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache | ||
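Review bot: moving `id-token: write` to the workflow root grants every job that lacks its own `permissions:` block the ability to mint an OIDC token, including preflight, no-renv-cache-used, renv-cache-available and trigger-build-deploy, none of which do anything with such a token (their visible steps are shell checks, echo statements, a checkout and a `gh workflow run`). That is broader than the current state, where only check-renv has it. Keep the root block at `contents: read` and leave `id-token: write` as a job-level grant on check-renv; since a job-level block replaces the root block rather than merging with it, check-renv would then need `contents: read` listed alongside `id-token: write` if it checks out the repository.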
| @@ -42,8 +46,6 @@ | ||
| runs-on: ubuntu-latest | ||
| needs: preflight | ||
| if: needs.preflight.outputs.do-apply == 'true' | ||
| permissions: | ||
| id-token: write | ||
| outputs: | ||
| renv-needed: ${{ steps.check-for-renv.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.check-for-renv.outputs.renv-cache-hashsum }} |
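The CodeQL findings and autofix suggestions on this PR keep circling two questions: which jobs fall back to the repository default token permissions, and what each job's effective scopes are once root-level and job-level blocks are combined (a job-level block replaces the root block outright, as the autofix text on update-cache.yaml notes). The checker below answers both. It is an added example, not code from this pull request, from sandpaper or from CodeQL; it scans the conventional two-space workflow layout by indentation instead of pulling in a YAML library, and the workflow text it runs on is constructed here, modelled on the docker_apply_cache.yaml jobs shown above.

```python
"""Audit GitHub Actions workflow YAML for GITHUB_TOKEN least privilege.

Added example (not from this PR, sandpaper or CodeQL). Scans the conventional
two-space layout by indentation, lists jobs whose token falls back to the
repository default, and computes the effective scopes per job.
"""

REPO_DEFAULT = "<repository default>"  # sentinel: scopes come from the repo/org setting


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _parse_permissions(lines, start):
    """Parse the block whose 'permissions:' key is at lines[start].
    Returns (scopes, next_index): a dict, {} for 'permissions: {}', or read-all/write-all."""
    key_indent = _indent(lines[start])
    inline = lines[start].strip()[len("permissions:"):].strip()
    if inline == "{}":
        return {}, start + 1
    if inline in ("read-all", "write-all"):
        return inline, start + 1
    scopes, i = {}, start + 1
    while i < len(lines):
        stripped = lines[i].strip()
        if stripped and not stripped.startswith("#"):
            if _indent(lines[i]) <= key_indent:
                break  # back at the parent's level: block is over
            scope, _, level = stripped.partition(":")
            scopes[scope.strip()] = level.strip()
        i += 1
    return scopes, i


def audit_workflow(text):
    """Return (root_permissions_or_None, {job_id: job_permissions_or_None})."""
    lines = text.splitlines()
    root, jobs = None, {}
    in_jobs, job_indent, key_indent, current = False, None, None, None
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        if not stripped or stripped.startswith("#"):
            i += 1
            continue
        ind = _indent(lines[i])
        if ind == 0:  # top-level key: name:, on:, env:, jobs:, permissions:, ...
            in_jobs, current = stripped == "jobs:", None
            if stripped.startswith("permissions:"):
                root, i = _parse_permissions(lines, i)
                continue
        elif in_jobs:
            if job_indent is None:
                job_indent = ind  # indentation of the job ids under jobs:
            if ind == job_indent and stripped.endswith(":"):
                current, key_indent = stripped[:-1], None
                jobs[current] = None
            elif current is not None and ind > job_indent:
                if key_indent is None:
                    key_indent = ind  # indentation of this job's own keys
                if ind == key_indent and stripped.startswith("permissions:"):
                    jobs[current], i = _parse_permissions(lines, i)
                    continue
        i += 1
    return root, jobs


def effective_permissions(root, job):
    """A job-level block replaces the root block outright (no merging)."""
    if job is not None:
        return job
    return root if root is not None else REPO_DEFAULT


def uncovered_jobs(text):
    """Job ids with no explicit scoping anywhere: what the CodeQL rule reports."""
    root, jobs = audit_workflow(text)
    return [j for j, p in jobs.items() if effective_permissions(root, p) == REPO_DEFAULT]


# Constructed sample modelled on the docker_apply_cache.yaml jobs in the PR.
SAMPLE_WORKFLOW = """\
name: "03 Maintain: Apply Package Cache"
on:
  workflow_dispatch:
jobs:
  preflight:
    runs-on: ubuntu-latest
    steps:
      - id: check
        run: echo "merged_or_manual=true" >> "$GITHUB_OUTPUT"
  check-renv:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
  no-renv-cache-used:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - run: echo "No renv cache needed for this lesson"
"""
# Same workflow with a root-level read-only baseline (top-level key order is irrelevant).
HARDENED_WORKFLOW = "permissions:\n  contents: read\n\n" + SAMPLE_WORKFLOW

if __name__ == "__main__":
    for label, wf in (("as submitted", SAMPLE_WORKFLOW), ("with root block", HARDENED_WORKFLOW)):
        root, jobs = audit_workflow(wf)
        print(label, "uncovered:", uncovered_jobs(wf),
              {j: effective_permissions(root, p) for j, p in jobs.items()})
```

Run against the sample, only preflight is reported as uncovered; after the root block is added nothing is, but check-renv's effective scopes are still just `id-token: write`, because its own block replaces the root one rather than adding to it. That is the detail to keep in mind when an autofix moves scopes between the two levels.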
| name: "Trigger Build and Deploy Workflow" | ||
| runs-on: ubuntu-latest | ||
| needs: update-renv-cache | ||
| if: | | ||
| needs.update-renv-cache.result == 'success' || | ||
| needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: "Trigger Build and Deploy Workflow" | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| gh workflow run docker_build_deploy.yaml --ref main | ||
| shell: bash | ||
| continue-on-error: true |
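Review bot: the `gh workflow run docker_build_deploy.yaml --ref main` step needs the `actions: write` scope on `GITHUB_TOKEN`; `contents: read` alone cannot create a workflow_dispatch event. Today it works only because the job inherits the repository default. If a root-level `contents: read` block is added, as the autofix suggestions on this file propose, this step will fail, and `continue-on-error: true` will hide that failure, so the downstream build and deploy would silently stop being triggered. Give this job an explicit `permissions:` block with `contents: read` and `actions: write`, and reconsider whether `continue-on-error` should stay on a step whose failure means the deploy never happens.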
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 10 days ago
In general, the problem is fixed by adding an explicit permissions block either at the top level of the workflow (applies to all jobs that don’t override it) or specifically to the jobs that need restricted permissions. This narrows the GITHUB_TOKEN scopes to the minimum necessary, rather than inheriting potentially broad repository defaults.
The best minimal fix here, without changing existing functionality, is to add a top-level permissions block with contents: read. All shown jobs only need to read repository metadata or contents (e.g., actions/checkout, conditional logic, and using gh workflow run which works with a read-contents token to inspect workflows and trigger runs). No code in the shown snippet writes to the repository (no pushes, no PR modifications, no release creation), so contents: read is sufficient and aligns with CodeQL’s suggested starting point. Adding this block near the top of .github/workflows/docker_apply_cache.yaml, aligned with name, description, and on, ensures the whole workflow token is restricted. No other imports or definitions are required.
Concretely:
- Edit .github/workflows/docker_apply_cache.yaml.
- Insert:
permissions:
  contents: read
after the description line (line 2) and before the on: line (line 3), maintaining YAML indentation (no leading spaces since it’s top-level). No other lines need to change.
| @@ -1,5 +1,7 @@ | ||
| name: "03 Maintain: Apply Package Cache" | ||
| description: "Generate the package cache for the lesson after a pull request has been merged or via manual trigger, and cache in S3 or GitHub" | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
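Review bot: a root-level `contents: read` is the right baseline for this file, but on its own it breaks the trigger-build-deploy job shown earlier, whose `gh workflow run` step needs `actions: write`. Pair this hunk with a job-level block on trigger-build-deploy (`contents: read` plus `actions: write`); check-renv already carries its own `id-token: write` block, which will keep overriding the root value.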
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
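Review bot: both reusable actions in this job, `carpentries/actions/build-preflight@main` and `carpentries/actions/container-version@main`, are pinned to a branch rather than a commit SHA, and the second is handed `secrets.GITHUB_TOKEN` both via `with: token:` and via the job-level `env:`. Any change pushed to that branch runs here with the token on the next scheduled build. Pin to a full commit SHA (with the version in a trailing comment) or at least to a release tag; the same applies to every `@main` reference in these workflow files. The job also lacks a `permissions:` block, which is the CodeQL finding on this job.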
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 days ago
Generally, to fix this problem, you add a permissions block either at the workflow root (to affect all jobs) or on the specific job(s) that use GITHUB_TOKEN, granting only the minimal scopes needed (e.g., contents: read). This prevents the workflow from inheriting broader default repository permissions.
For this workflow, other jobs (full-build and update-container-version) already have explicit permissions tailored to their needs. The missing piece is the preflight job. To avoid changing existing behavior while following least-privilege, we should add a permissions block to preflight that grants read-only access to repository contents, which is sufficient for typical preflight checks and for actions that only need to read repository data. Specifically, in .github/workflows/docker_build_deploy.yaml, under the preflight job definition (around line 39–52), insert:
permissions:
  contents: read
This ensures preflight no longer relies on default permissions and documents its intended minimal access. No additional methods, imports, or external definitions are required; this is purely a workflow configuration change.
| @@ -39,6 +39,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
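Review bot: `contents: read` covers `actions/checkout@v4`, but this job also passes `secrets.GITHUB_TOKEN` to `carpentries/actions/build-preflight` and `carpentries/actions/container-version` (the latter via `with: token:`), and nothing in this hunk shows what those composite actions call. Before merging this block, check which API endpoints they use: if container-version reads package metadata it needs `packages: read` as well, and a job-level block that omits a scope sets it to none rather than leaving it at the default, so a missing scope fails closed at runtime.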
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
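Review bot: renaming the job id from `check_renv` to `check-renv` means every `needs: check_renv` and every `needs.check_renv.outputs.*` reference elsewhere in update-cache.yaml must change in the same commit, otherwise the workflow is rejected as invalid before any job runs; the hunk header (`-33,48 +52,42`) covers more lines than are shown here, so worth confirming those references are among them. The switch from `ubuntu-22.04` to `ubuntu-latest` also trades a fixed runner image for one that moves with GitHub's rollouts, which is acceptable for a lesson build but is a behaviour change this PR's title does not mention.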
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 10 days ago
In general, the fix is to explicitly define a permissions block either at the workflow root (applying to all jobs without their own block) or for each job, and restrict the GITHUB_TOKEN as much as possible, typically to contents: read for jobs that only need to read the repository. For jobs that truly do not need the token at all, permissions: {} or permissions: none can be used.
For this workflow, the most conservative change that does not alter existing behavior is:
- Add a root-level permissions block after the on: section, setting contents: read. This safely covers preflight and check-renv, which only read repo content (checkout) or do not use the token explicitly.
- Keep the existing explicit permissions block on the update_cache job, which already grants the necessary write scopes; per GitHub semantics, job-level permissions override the workflow default, so there is no behavior change for that job.
The concrete change in .github/workflows/update-cache.yaml is to insert:
permissions:
  contents: read
after line 26 (the end of the on.workflow_dispatch.inputs section) and before the existing env: block. No additional imports or definitions are required.
| @@ -25,6 +25,9 @@ | ||
| default: false | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| LOCKFILE_CACHE_GEN: ${{ vars.LOCKFILE_CACHE_GEN || github.event.inputs.generate-cache || 'false' }} | ||
| FORCE_RENV_INIT: ${{ vars.FORCE_RENV_INIT || github.event.inputs.force-renv-init || 'false' }} |
5de5983 to e879476
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 0.18.4