ℹ️ Modified Workflows: This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
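Review bot: the `run:` script of the "Should we run cache application?" step interpolates `${{ github.event_name }}`, `${{ github.ref }}`, `${{ github.event.action }}` and `${{ github.event.pull_request.merged }}` straight into bash; template substitution happens before the shell parses the script, so the surrounding double quotes give no protection. The event name, action and merged flag are fixed vocabulary, but `github.ref` carries a branch name, so the usual pattern is to pass these through `env:` (for example `EVENT_NAME: ${{ github.event_name }}` and `REF: ${{ github.ref }}`) and test `"$EVENT_NAME"` and `"$REF"` inside `[[ ]]`. The job also has no `permissions:` block, which is what the CodeQL annotation on `check-renv:` is about.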
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 11 hours ago
Add an explicit top-level permissions block to .github/workflows/docker_apply_cache.yaml so all jobs default to least privilege. The safest minimal baseline here is:
contents: read
This preserves normal read access for checkout/metadata usage while preventing unintended write scopes. The existing check-renv job already has permissions: id-token: write; that job-level block will continue to apply for OIDC needs. No functional behavior should change for jobs that only need read access.
Where to change: near the top of the file, after concurrency (or after on) and before jobs:.
No imports, methods, or definitions are needed (YAML workflow only).
| @@ -18,6 +18,9 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
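Review bot: a workflow-level `contents: read` replaces the default token scopes for every job that has no `permissions:` of its own, so the write scopes those jobs used to inherit disappear; the hunk shows only `preflight`, and nothing here confirms that the cache-writing jobs in docker_apply_cache.yaml declare what they need. Please check each job before applying. Note also that this page carries several Copilot suggestions for the same file with different scope sets and placements; this one (`contents: read` after `concurrency:`) is the narrowest and is the one I would keep.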
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
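Review bot: `no-renv-cache-used` consists of a single `echo` step and needs no token at all, so a job-level `permissions: {}` documents that and silences the finding independently of whatever workflow-level default is chosen; the same applies to the `renv-cache-available` job that follows, which is also only an `echo`.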
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 11 hours ago
Add an explicit workflow-level permissions block near the top of .github/workflows/docker_apply_cache.yaml (after concurrency and before jobs) so every job gets a restricted baseline token. Use least privilege that preserves existing behavior from the shown snippet:
- contents: read (safe baseline for checkout/read operations)
- actions: read (safe baseline for using actions metadata)
- id-token: write (needed because at least one job currently requires OIDC and already declares it).
This resolves the CodeQL finding for jobs like no-renv-cache-used that currently have no explicit permissions, without changing functional logic. Existing job-level permissions can remain as-is; workflow-level permissions ensure consistent defaults across all jobs.
| @@ -18,6 +18,11 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
| actions: read | ||
| id-token: write | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
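Review bot: `id-token: write` should not be granted at the workflow level; it lets every job in the file, including the `echo`-only ones, request an OIDC token that the cloud side will trust. Keep `id-token: write` on the job that actually performs the OIDC exchange (the Copilot text says `check-renv` already declares it) and limit the workflow-level block to `contents: read`, adding `actions: read` only if a specific step is shown to need it.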
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 11 hours ago
Add an explicit top-level permissions block in .github/workflows/docker_apply_cache.yaml, directly under the workflow metadata (name/description) and before on:. This sets least-privilege defaults for all jobs in this workflow that do not already define their own permissions.
Best single fix without changing functionality: add:
- contents: read (safe baseline used by most workflows)
- packages: read (recommended baseline in your background; useful if packages/cache pulls are involved)
Keep existing job-level permissions (like the one already present in update-renv-cache) untouched; those will continue to override inherited defaults where needed.
| @@ -1,5 +1,8 @@ | ||
| name: "03 Maintain: Apply Package Cache" | ||
| description: "Generate the package cache for the lesson after a pull request has been merged or via manual trigger, and cache in S3 or GitHub" | ||
| permissions: | ||
| contents: read | ||
| packages: read | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
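Review bot: `packages: read` is not justified by anything in the shown workflow; no step here pulls from GitHub Packages, and the accompanying text does not point to one, so drop it and keep `contents: read`. Placing the block between `description:` and `on:` is valid YAML (top-level key order does not matter), but the other suggestions for this file put it after `concurrency:`; pick one placement so later readers find it where they expect.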
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
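Review bot: `carpentries/actions/build-preflight@main` and `carpentries/actions/container-version@main` are pinned to a mutable branch, so any push to that branch changes what this workflow executes; pin to a release tag or, better, a full commit SHA with a version comment. Separately, `GITHUB_TOKEN` is set as a job-wide `env:` and then passed again as the `token:` input to `container-version`; the job-level env is redundant for the steps shown and only widens where the token is visible.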
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 11 hours ago
Add an explicit permissions block to the preflight job in .github/workflows/docker_build_deploy.yaml.
Best single fix (minimal behavior change): add job-level permissions under preflight with contents: read. This satisfies CodeQL’s requirement and preserves existing behavior for other jobs that already declare their own permissions. It avoids potentially breaking jobs by changing workflow-wide defaults.
Edit region: in .github/workflows/docker_build_deploy.yaml, inside jobs.preflight, after runs-on and before outputs, insert:
permissions:
  contents: read
No imports, methods, or dependencies are needed.
| @@ -44,6 +44,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
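Review bot: a job-level block only clears the finding for `preflight`; the same CodeQL rule will still fire for every other job in docker_build_deploy.yaml that lacks its own `permissions:`, so a workflow-level default with job-level overrides is the more complete fix. Before settling on `contents: read`, confirm that `build-preflight@main` and `container-version@main`, which receive `GITHUB_TOKEN` through `env:` and `token:`, do not need a write scope.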
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
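Review bot: the job id changes from `check_renv` to `check-renv`, so every `needs: check_renv` and `needs.check_renv.outputs.*` reference elsewhere in update-cache.yaml has to change in the same commit or dependent jobs will fail to resolve; those references are outside this hunk. Moving `runs-on` from `ubuntu-22.04` to `ubuntu-latest` also lets the runner image float, which is acceptable for a workflow that intentionally tracks current packages but deserves a line in the commit message.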
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 11 hours ago
Add an explicit workflow-level permissions block near the top of .github/workflows/update-cache.yaml so all jobs have a restricted baseline token scope.
Use least privilege defaults that preserve current behavior:
- Set root/workflow permissions to contents: read (safe default for checkout and read operations).
- Keep existing elevated permissions on update_cache unchanged, since that job already explicitly requests the writes it needs.
This is the best single fix because it addresses both currently-unrestricted jobs (preflight, check-renv) at once without changing functional logic or step behavior.
| @@ -1,5 +1,7 @@ | ||
| name: "02 Maintain: Check for Updated Packages" | ||
| description: "Check for updated R packages and create a pull request to update the lesson's renv lockfile and package cache" | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| schedule: | ||
| - cron: '0 0 * * 2' |
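Review bot: `contents: read` at the workflow level is the right baseline here, but the description says this workflow creates a pull request, so the job that does so (`update_cache`, per the Copilot text) must carry its own `contents: write` and `pull-requests: write`; if it was relying on the previous default token scopes rather than an explicit block, the scheduled run (`cron: '0 0 * * 2'`) will start failing at PR creation. Please verify that job before merging.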
| name: "Record Caching Status" | ||
| runs-on: ubuntu-latest | ||
| needs: [check-renv, update-renv-cache] | ||
| if: always() | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Record cache result" | ||
|
|
||
| run: | | ||
| echo "${{ needs.update-renv-cache.result == 'success' || needs.check-renv.outputs.renv-cache-available == 'true' || 'false' }}" > ${{ github.workspace }}/apply-cache-result | ||
| shell: bash | ||
|
|
||
| - name: "Upload cache result" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: apply-cache-result | ||
| path: ${{ github.workspace }}/apply-cache-result |
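Review bot: `if: always()` runs "Record Caching Status" even when the workflow run was cancelled; `if: ${{ !cancelled() }}` is the usual choice when the intent is to run after the needed jobs regardless of whether they passed, failed or were skipped. The job-level `GITHUB_TOKEN` env is unused by the two steps shown (`actions/upload-artifact@v4` authenticates with the runner's runtime token, not `GITHUB_TOKEN`) and can be dropped. The expression written to `apply-cache-result` yields the string `true` or `false` only because `||` returns its first truthy operand; a short comment saying so would save the next reader a trip to the expression docs.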
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 11 hours ago
Add an explicit permissions block to the workflow root so all jobs get least-privilege defaults unless overridden.
Best minimal, non-functional-change fix for the shown workflow is:
- Add at top-level (after the on: block, before concurrency:): permissions: {}
This sets GITHUB_TOKEN to no permissions by default, which matches the CodeQL suggested minimal starting point and should not change behavior for jobs that don’t require token scopes. Since the shown jobs use local shell logic, third-party actions, AWS OIDC, and artifact upload, this is the least intrusive baseline. If any unseen job later needs specific scopes, that job can add its own permissions override.
| @@ -13,6 +13,8 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: {} | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
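Review bot: `permissions: {}` is the strictest baseline, but it also removes `contents: read`, so any job in docker_apply_cache.yaml that checks out a private repository or calls the API with `GITHUB_TOKEN` then has to declare `contents: read` itself; the Copilot text's point that `check-renv` keeps `id-token: write` as a job-level override still holds. This is the fourth distinct suggestion for this file on the page (the others propose `contents: read`, `contents/actions/id-token`, and `contents/packages` at different positions); settle on one before merging.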
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 1.0.1