Update Workflows to Version 0.18.4 #224
base: main
ℹ️ Modified Workflows: This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
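Review bot: the preflight `run:` script splices `${{ github.ref }}`, `${{ github.event_name }}`, `${{ github.event.action }}` and `${{ github.event.pull_request.merged }}` straight into bash; the expressions are expanded before the shell parses the script, so the surrounding double quotes do not isolate them. These four values are not free-form input, so the risk here is low, but GitHub's hardening guidance is to pass context values through `env:` (for example `REF: ${{ github.ref }}`) and test `"$REF"` in the script, which also keeps the condition readable.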
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 10 days ago):
In general, the fix is to explicitly define minimal permissions for the workflow or for individual jobs that currently rely on implicit repository defaults. For jobs that do not interact with the GitHub API or modify repository state, you can safely set permissions: {} (no token permissions), or permissions: contents: read if a read-only token is needed. For jobs that need specific write scopes, you grant them narrowly (e.g., pull-requests: write).
For this workflow, the simplest and safest change that does not alter existing behavior is:
- Add an explicit, least-privilege `permissions` block at the top (workflow) level, right after the `on:` block. This will apply to all jobs that do not define their own `permissions`.
- The `preflight` job does not appear to use the GitHub API, so it can inherit a very restrictive token. A good baseline for most workflows is `contents: read`, which allows basic read operations but prevents writes.
- The `check-renv` job already has explicit `permissions: id-token: write`, and GitHub will merge this with workflow-level permissions, so we should not remove or change that; instead, we add the workflow-level permissions so that all other jobs are at least constrained to read-only contents.
- Other jobs shown (`no-renv-cache-used`, `renv-cache-available`, `update-renv-cache`, `trigger-build-deploy`) do not have explicit permissions; by setting the workflow-level permissions, we reduce their token privileges without changing their logic.
Concretely: edit .github/workflows/docker_apply_cache.yaml to insert:

```yaml
permissions:
  contents: read
```

between the `on:` block (ending at line 14) and the `concurrency:` block (line 17). No additional imports or definitions are needed.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
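Review bot: the root-level `contents: read` is the right default, but the rationale's statement that GitHub merges it with the `check-renv` job's `id-token: write` block is not how the key works: a job-level `permissions` block replaces the workflow-level one, and any scope the job does not list is `none`. `check-renv` therefore needs `contents: read` in its own block if it checks out or reads the repository, and any other job that needs more than read access has to declare its full scope set itself.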
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 10 days ago):
In general, the fix is to define explicit permissions for the workflow so that the default GITHUB_TOKEN privileges are minimized, and then override them in individual jobs only where broader permissions are required. For jobs that do not need the token at all (like those just running echo or purely local commands), you can disable the token with permissions: {} or permissions: none. For jobs that need specific permissions, set only those scopes instead of broad write access.
The best way to fix this workflow without changing existing functionality is:
- Add a root-level `permissions` block (near the top of the file, alongside `name`, `description`, and `on`) that sets a safe default, e.g. `contents: read`. This will apply to all jobs that do not override `permissions`.
- The `check-renv` job already has `permissions: id-token: write` to support OIDC with AWS, so we leave it as-is.
- For jobs that clearly do not need GITHUB_TOKEN at all—`no-renv-cache-used`, `renv-cache-available`, and likely `update-renv-cache` and `trigger-build-deploy`—we should disable the token explicitly. However, we must not break existing functionality: the `trigger-build-deploy` job uses the `gh` CLI with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, which is not the implicit GITHUB_TOKEN but a secret; therefore, we can safely set `permissions: {}` or `permissions: none` there without affecting access to `secrets.GITHUB_TOKEN`. To directly address the CodeQL warning on the `no-renv-cache-used` job, we will add `permissions: {}` to that job; additionally, we should still add a root default to ensure the whole workflow is hardened.
Concretely:
- In .github/workflows/docker_apply_cache.yaml, after the `on:` block (after line 14 or 15), add:

  ```yaml
  permissions:
    contents: read
  ```

  to define minimal default permissions for all jobs.
- In the `no-renv-cache-used` job (around line 61–69), add:

  ```yaml
  permissions: {}
  ```

  so that this job gets no GITHUB_TOKEN at all, matching its actual needs and resolving the specific CodeQL complaint.

No new imports or external libraries are needed; these are pure YAML configuration changes.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache | ||
| @@ -63,6 +66,7 @@ | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| permissions: {} | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" |
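Review bot: `permissions: {}` on `no-renv-cache-used` is correct for a job that only runs `echo`. The rationale's claim that `secrets.GITHUB_TOKEN` is a separate secret untouched by `permissions` is mistaken, though: it is the automatically generated token whose scopes the `permissions` key sets, so `permissions: {}` on `trigger-build-deploy` would strip the scope its `gh workflow run` step relies on. Apply the empty block only to the echo-only jobs.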
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
| name: "Trigger Build and Deploy Workflow" | ||
| runs-on: ubuntu-latest | ||
| needs: update-renv-cache | ||
| if: | | ||
| needs.update-renv-cache.result == 'success' || | ||
| needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: "Trigger Build and Deploy Workflow" | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| gh workflow run docker_build_deploy.yaml --ref main | ||
| shell: bash | ||
| continue-on-error: true |
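Review bot: `gh workflow run` authenticated with `secrets.GITHUB_TOKEN` needs `actions: write`, which a workflow-level `contents: read` default (as the CodeQL autofixes on this PR propose) would remove from this job. Because the step is `continue-on-error: true`, a permission failure here would be swallowed and the build-deploy workflow would silently never start; give this job `permissions: actions: write` (plus `contents: read` for the checkout) and consider checking the step's outcome instead of ignoring it.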
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 10 days ago):
In general, this issue is fixed by explicitly specifying a permissions block in the workflow so that GITHUB_TOKEN has only the minimal scopes required. This can be done at the workflow root (applies to all jobs that don’t override it) or at individual jobs. Since none of the shown jobs perform repository write operations and only read repository contents and metadata (plus assume AWS roles via OIDC and call gh workflow run), contents: read is an appropriate minimal starting point.
The best way to fix this without changing functionality is to add a workflow-level permissions block near the top of .github/workflows/docker_apply_cache.yaml, just after the on: block (or after concurrency:), setting contents: read. This will apply to all jobs (preflight, check-renv, no-renv-cache-used, renv-cache-available, update-renv-cache, trigger-build-deploy, etc.) that do not have their own permissions block and will satisfy CodeQL’s requirement to restrict GITHUB_TOKEN. No additional imports or external dependencies are required; this is a pure YAML configuration change.
Concretely:
- Edit .github/workflows/docker_apply_cache.yaml.
- Insert:

  ```yaml
  permissions:
    contents: read
  ```

  after the `on:` section (lines 3–14) or after the `concurrency` block (lines 16–19). Both are valid, but placing it immediately after `on:` is conventional and unambiguous. No other parts of the workflow need to be changed.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
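For the permissions layout the autofix comments above discuss, here is an added example (mine, not code from this PR or from the sandpaper/carpentries workflows) of a docker_apply_cache.yaml with a read-only workflow default plus job-level blocks for the two jobs on this page that need more. The trigger definition, the `GH_REPO` shortcut and the `env:` indirection in the preflight check are assumptions, not taken from the PR.

```yaml
on:
  workflow_dispatch:
  pull_request:
    types: [closed]   # assumed trigger; the PR only shows "branches: - main"
    branches: [main]
# Workflow-level default: jobs without their own block get a token
# that can only read repository contents.
permissions:
  contents: read
jobs:
  preflight:
    runs-on: ubuntu-latest
    # Inherits contents: read. Context values go through env so the shell
    # receives variables rather than text spliced into the script.
    env:
      EVENT_NAME: ${{ github.event_name }}
      REF: ${{ github.ref }}
      ACTION: ${{ github.event.action }}
      MERGED: ${{ github.event.pull_request.merged }}
    outputs:
      do-apply: ${{ steps.check.outputs.merged_or_manual }}
    steps:
      - id: check
        shell: bash
        run: |
          if [[ "$EVENT_NAME" == "workflow_dispatch" || ("$REF" == "refs/heads/main" && "$ACTION" == "closed" && "$MERGED" == "true") ]]; then
            echo "merged_or_manual=true" >> "$GITHUB_OUTPUT"
          else
            echo "merged_or_manual=false" >> "$GITHUB_OUTPUT"
          fi
  check-renv:
    runs-on: ubuntu-latest
    needs: preflight
    # A job-level block replaces the workflow default, so it must list
    # every scope the job uses, not only the extra one.
    permissions:
      id-token: write   # OIDC role assumption, as described in the PR
      contents: read    # still needed for actions/checkout
    steps:
      - uses: actions/checkout@v4
  trigger-build-deploy:
    runs-on: ubuntu-latest
    needs: check-renv
    permissions:
      actions: write    # creating a workflow_dispatch event needs this scope
    steps:
      - env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}   # lets gh run without a checkout
        run: gh workflow run docker_build_deploy.yaml --ref main
```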
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
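Review bot: `carpentries/actions/build-preflight@main` and `carpentries/actions/container-version@main` are pinned to a moving branch, and the second one receives `secrets.GITHUB_TOKEN` through its `token:` input (the job also exports it in `env:`). Whatever lands on that branch runs here with that token, so pin both to a full commit SHA, or at least a release tag, unless the `carpentries/actions` repository is reviewed to the same standard as this one.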
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 3 days ago):
In general, the fix is to add an explicit permissions block to the preflight job (or at the workflow root) that grants only the minimal required scopes, instead of relying on inherited defaults. Since preflight is an analysis/orchestration job and does not appear to push commits, open PRs, or publish artifacts, it most likely only needs read access to the repository contents.
The safest change without altering functionality is to add permissions: contents: read directly under the preflight job definition. This limits the GITHUB_TOKEN for that job to read-only repository contents, while keeping the more permissive, already-declared permissions for the other jobs (full-build and update-container-version) unchanged. No imports or additional methods are required; this is a pure YAML configuration change in .github/workflows/docker_build_deploy.yaml.
Concretely, in .github/workflows/docker_build_deploy.yaml, modify the `preflight` job definition (around lines 39–52) to insert:

```yaml
permissions:
  contents: read
```

between `runs-on: ubuntu-latest` and `outputs:`. This applies least-privilege to the GITHUB_TOKEN used in that job.
| @@ -39,6 +39,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
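Review bot: restricting `preflight` to `contents: read` is sound only if `build-preflight` and `container-version` never write through the `secrets.GITHUB_TOKEN` they receive (via `env:` and the `token:` input). The hunk does not show what those actions do, so check their sources before merging; any write they attempt would start failing with a 403 after this change.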
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
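Review bot: renaming the job id `check_renv` to `check-renv` changes the key that every `needs:` and `needs.check_renv.outputs.*` reference in `update-cache.yaml` uses; the hunk shown stops before those references, so confirm they were all updated in the same change. The switch from `ubuntu-22.04` to `ubuntu-latest` also trades a fixed runner image for whatever GitHub currently aliases as latest; fine for tracking upstream, but worth a line in the PR description since it can change tool versions without any diff here.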
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 10 days ago):
In general, the problem is fixed by explicitly specifying a minimal permissions block for the GITHUB_TOKEN either at the workflow root (applies to all jobs that do not override it) or on each job. We should grant only the permissions needed: update_cache already has its job-level block; preflight and check-renv appear to require at most read access to repository contents for actions like actions/checkout. They do not create PRs, write issues, or modify repository state.
The best minimal fix without changing existing functionality is:
- Add a workflow-level `permissions` block after the `on:` section that sets `contents: read`. This becomes the default for `preflight` and `check-renv`.
- Leave the existing job-level `permissions` for `update_cache` unchanged so that job continues to have the broader rights it needs.

Concretely:
- Edit .github/workflows/update-cache.yaml.
- After line 26 (end of `workflow_dispatch.inputs`), insert:

  ```yaml
  permissions:
    contents: read
  ```

This ensures that:
- `preflight` and `check-renv` run with `contents: read` only.
- `update_cache` retains its existing explicit `permissions` block and overrides the default where necessary.

No additional imports, methods, or other definitions are needed.
| @@ -25,6 +25,9 @@ | ||
| default: false | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| LOCKFILE_CACHE_GEN: ${{ vars.LOCKFILE_CACHE_GEN || github.event.inputs.generate-cache || 'false' }} | ||
| FORCE_RENV_INIT: ${{ vars.FORCE_RENV_INIT || github.event.inputs.force-renv-init || 'false' }} |
4ddb376 to 9215a89
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 0.18.4