Bringing feature/new-rstudio-server up-to-date with master #938
jaclyn-taroni merged 199 commits into feature/new-rstudio-server from …
…t patient A and B are indeed really patients A and B and not dummy variables created for teaching
Pathway analysis typos and formatting fixes
Co-authored-by: Ally Hawkins <54039191+allyhawkins@users.noreply.github.com>
…updates Miscellaneous scRNA-seq-advanced updates
Update advanced notebook formatting
…detected Remove non-detected genes before running AUCell
…e-type Reduce live path typing
Co-authored-by: Ally Hawkins <54039191+allyhawkins@users.noreply.github.com>
Spatial notebook 1: draft of import section
Co-authored-by: Joshua Shapiro <josh.shapiro@ccdatalab.org>
…he str output; it's truncated
Update intro R materials
…r mito because of nightmares
…ring-part1 Draft filtering section, part 1
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - platform: linux/amd64 | ||
| runner: ubuntu-latest | ||
| - platform: linux/arm64 | ||
| runner: ubuntu-24.04-arm | ||
| runs-on: ${{ matrix.runner }} | ||
|
|
||
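Review bot: with `fail-fast: false`, a failure on one platform does not cancel the other, so the `merge` job that assembles the manifest from the per-platform digests should be declared with `needs: build` (the merge job body is not shown in this excerpt); otherwise a partial digest set could be published as a multi-arch image.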
| # Steps represent a sequence of tasks that will be executed as part of the job | ||
| steps: | ||
| - name: Prepare env variables | ||
| run: | | ||
| platform=${{ matrix.platform }} | ||
| echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | ||
| - name: Check out the repo | ||
| uses: actions/checkout@v5 | ||
|
|
||
| - name: Check that current-modules release-tag matches git tag | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| run: | | ||
| GIT_TAG=${GITHUB_REF#refs/tags/} | ||
| MODULES_TAG=$(jq -r '.release-tag' current-modules.json) | ||
| MODULES_TAG=$(jq -r '."release-tag"' current-modules.json) | ||
| if [ "$GIT_TAG" != "$MODULES_TAG" ]; then | ||
| echo "Error: current-modules.json release-tag ($MODULES_TAG) does not match git tag ($GIT_TAG)" | ||
| echo "Please update release-tag in current-modules.json to match the git tag (and modules, if needed), then update the GitHub release accordingly." | ||
| exit 1 | ||
| fi | ||
|
|
||
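Review bot: the replacement `jq -r '."release-tag"'` is the right fix; jq parses the unquoted `.release-tag` as the subtraction `.release - tag`, so the old line errors on every tagged build instead of reading the key. Consider `jq -er` so a missing or null `release-tag` also exits non-zero with a clear reason (the `run:` step runs under `bash -e`, so the failed substitution stops the step) rather than surfacing as a mismatch against the string `null`.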
| - name: Load 1Password secrets | ||
| uses: 1password/load-secrets-action@v2 | ||
| uses: 1password/load-secrets-action@v3 | ||
| with: | ||
| export-env: true | ||
| env: | ||
| OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.TRAINING_OP_SERVICE_ACCOUNT_TOKEN }} | ||
| DOCKER_USER: ${{ secrets.OP_DOCKER_USERNAME }} | ||
| DOCKER_PASSWORD: ${{ secrets.OP_DOCKER_PASSWORD }} | ||
| ACTION_MONITORING_SLACK: ${{ secrets.OP_ACTION_MONITORING_SLACK }} | ||
|
|
||
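Review bot: `export-env: true` puts every loaded value, including `DOCKER_PASSWORD`, into the job environment for all later steps, not only the login step, so the third-party actions that follow (QEMU, Buildx, metadata, build-push) all run with the registry credentials in their environment. If the action supports it, load the values as step outputs and pass them only to `docker/login-action`. Also pin `1password/load-secrets-action` (and the other third-party actions) to a full commit SHA rather than the mutable `@v3` tag, since a major-version tag can later be moved to different code.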
| # Login to Dockerhub | ||
| - name: Login to DockerHub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ env.DOCKER_USER }} | ||
| password: ${{ env.DOCKER_PASSWORD }} | ||
|
|
||
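Review bot: the Docker Hub login runs on every event, while `push:` on the build step is true only for push events. If the registry cache export is the only reason to be authenticated on pull_request builds, consider gating this step and the 1Password step with `if: github.event_name == 'push'` so registry credentials are loaded onto the runner only when something will actually be pushed.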
| # set up Docker build | ||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Docker metadata | ||
| id: meta | ||
| uses: docker/metadata-action@v5 | ||
| with: | ||
| images: ccdl/training_rstudio | ||
| images: ${{ env.REGISTRY_IMAGE }} | ||
|
|
||
| # Build Docker image, push only on push events | ||
| - name: Build Docker image | ||
| id: build | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| push: ${{ github.event_name == 'push' }} | ||
| platforms: ${{ matrix.platform }} | ||
| outputs: type=image,push-by-digest=true,name-canonical=true | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| tags: ${{ env.REGISTRY_IMAGE }} | ||
| cache-from: type=registry,ref=${{ env.REGISTRY_IMAGE }}:buildcache-${{ env.PLATFORM_PAIR }} | ||
| cache-to: type=registry,ref=${{ env.REGISTRY_IMAGE }}:buildcache-${{ env.PLATFORM_PAIR }},mode=max | ||
|
|
||
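Review bot: `cache-to: type=registry,...` is not conditioned on the event type, so pull_request builds also write the `buildcache-<platform>` tags to Docker Hub, which is what forces the registry login on PRs. If that is not intended, gate `cache-to` on push events (or use `type=gha`, which needs no registry credentials) and gate the login the same way.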
| - name: Export digest | ||
| if: github.event_name == 'push' | ||
| run: | | ||
| mkdir -p ${{ runner.temp }}/digests | ||
| digest="${{ steps.build.outputs.digest }}" | ||
| touch "${{ runner.temp }}/digests/${digest#sha256:}" | ||
|
|
||
| - name: Upload digest | ||
| if: github.event_name == 'push' | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: digests-${{ env.PLATFORM_PAIR }} | ||
| path: ${{ runner.temp }}/digests/* | ||
| if-no-files-found: error | ||
| retention-days: 1 | ||
|
|
||
| merge: |
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
In general, the fix is to add an explicit permissions: block limiting GITHUB_TOKEN to the least privileges required. Since this workflow only checks out the code, uses Docker and external actions, and uploads/downloads artifacts, it does not need to write to the repository. The minimal safe default is permissions: contents: read at the workflow (root) level, which will apply to both build and merge jobs.
Concretely, in .github/workflows/build-docker.yml, add a top-level permissions: block after the name: and on: keys (or directly after on:/before env:) with contents: read. No jobs appear to require any other token scopes such as pull-requests, packages, or id-token. No imports or other code changes are needed; this is purely a YAML configuration adjustment.
| @@ -21,6 +21,9 @@ | ||
| - current-modules.json | ||
| - .github/workflows/build-docker.yml | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| REGISTRY_IMAGE: ccdl/training_rstudio | ||
| jobs: |
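Review bot: agree with adding a top-level `permissions: contents: read`; it restricts the automatic `GITHUB_TOKEN` to read-only repository access for both the `build` and `merge` jobs. Nothing in the visible steps uses that token for writes: the registry push uses the Docker Hub credentials loaded from 1Password (repository secrets are not affected by the `permissions:` block), and `actions/upload-artifact` within the same run needs no extra scope. If a job later needs more (for example `id-token: write` for OIDC), grant it at that job level rather than widening the workflow default.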
| summarize(mean(log_fold_change), | ||
| sd(log_fold_change)) | ||
| dplyr::summarize( | ||
| # name the columns mean_lfc an sd_lfc |
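Review bot: the new comment line has a typo, `an` for `and` (`# name the columns mean_lfc and sd_lfc`). Qualifying the call as `dplyr::summarize()` is a good change: an unqualified `summarize()` resolves to whichever attached package exports it, so this avoids a masking surprise when another package is loaded after dplyr.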
sad. this should be "and".
We'll fix this separately though!
Does what it says. We are looking to merge in feature/new-rstudio-server soon.