ℹ️ Modified Workflows
This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
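Review bot: the preflight job in this hunk has no permissions block (the CodeQL finding below), and its only step writes to $GITHUB_OUTPUT, so the right grant is an explicit `permissions: {}` at job level rather than inheriting the default token. Two further points on the `run:` script: it inlines ${{ github.event_name }}, ${{ github.ref }} and ${{ github.event.pull_request.merged }} straight into bash, which is safe for these contexts but becomes an expression-injection hazard the moment someone adds a PR title or head ref to the same condition, so pass them in through `env:` and compare the shell variables instead; and the condition `"${{ github.ref }}" == "refs/heads/main"` only holds on a merged PR if the workflow is triggered by pull_request_target (where github.ref is the base branch), because on a plain pull_request event github.ref is refs/pull/N/merge and the merged branch of the check would never fire. The trigger is outside this hunk, so please confirm which one the file uses.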
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 6 days ago
Add an explicit top-level permissions block to the workflow so all jobs default to minimal token access, then keep/override job-level permissions where needed (already done for check-renv with id-token: write).
Best single fix in this file: insert at workflow root (after concurrency is a clean location) this block:
permissions:
  contents: read
This preserves functionality for typical checkout/read operations while preventing implicit broad write access. check-renv can continue to request id-token: write at job level as it already does.
| @@ -18,6 +18,9 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
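Review bot: a workflow-level `permissions: contents: read` is the right baseline, but it replaces the default token scopes for every job that does not declare its own block, so before taking this hunk walk through each job in the file for API writes or OIDC use; the suggestion text says check-renv needs `id-token: write`, and any job that needs it without its own job-level block will be denied at runtime rather than fall back to the old default. Note also that the three Copilot suggestions on this file disagree about the contents of the root block (contents: read here, plus packages: read and plus actions: read / id-token: write further down); settle on one before merging.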
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
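Review bot: no-renv-cache only echoes a message, so it should carry `permissions: {}` too; nothing in it touches the API. One subtlety in `if: needs.check-renv.outputs.renv-needed != 'true'`: an output that was never set is the empty string, which also satisfies `!= 'true'`, so this job runs whenever check-renv failed to produce the output at all. Harmless for an echo, but worth remembering if the job ever grows a real step.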
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 6 days ago
Add an explicit workflow-level permissions block near the top of .github/workflows/docker_apply_cache.yaml so all jobs default to least privilege. Use contents: read as a safe baseline. Existing job-level overrides (like check-renv with id-token: write) remain valid and will continue to apply for that job. This avoids changing behavior while ensuring every job has explicit token scoping.
Best single change:
- Edit .github/workflows/docker_apply_cache.yaml: insert after description (before on:):
  permissions:
    contents: read
No imports/dependencies/methods are needed.
| @@ -1,5 +1,7 @@ | ||
| name: "03 Maintain: Apply Package Cache" | ||
| description: "Generate the package cache for the lesson after a pull request has been merged or via manual trigger, and cache in S3 or GitHub" | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: |
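Review bot: placing the block between `description:` and `on:` is fine (key order does not matter to the parser), but the content has the same gap as the other root-level suggestion: `contents: read` alone covers checkout, while the later comment on this file says a job runs aws-actions/configure-aws-credentials@v6 via OIDC, which requires `id-token: write`. With this hunk applied, that job must declare its own `permissions:` block or the OIDC token request will be refused.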
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 6 days ago
Add an explicit top-level permissions: block in .github/workflows/docker_apply_cache.yaml so all jobs without their own permissions inherit restricted token rights.
Best minimal fix that preserves behavior: set workflow-level read-only defaults:
  contents: read
  packages: read
Keep existing job-level permissions blocks (like update-renv-cache) unchanged; job-level settings override workflow defaults where needed.
Edit region: immediately after the concurrency block and before jobs:.
No imports, methods, or dependencies are needed.
| @@ -18,6 +18,10 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
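Review bot: `packages: read` is not needed by anything visible in this hunk; only keep it if some job in the file logs into ghcr.io with GITHUB_TOKEN to pull an image, otherwise drop it and stay at `contents: read`. Also be aware that workflow-level defaults do not merge with job-level blocks: a job that declares its own `permissions:` gets exactly what it lists and nothing from the root block.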
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
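Review bot: `uses: carpentries/actions/build-preflight@main` and `carpentries/actions/container-version@main` reference a mutable branch, so every run executes whatever main currently holds; pinning both to a full commit SHA (as is common practice for actions/checkout) is the supply-chain control here. Separately, the job-level `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` exposes the token to every step in the job, including both third-party actions, while the only consumer shown is the explicit `token:` input of container-version; drop the job-level env and keep the `with: token:` line.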
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 6 days ago
Add an explicit permissions block to the preflight job in .github/workflows/docker_build_deploy.yaml, directly under runs-on (before outputs), granting only minimal required access.
Best single fix without changing functionality: set:
contents: read
This satisfies the CodeQL recommendation and supports actions/checkout plus typical read-only API usage in preflight checks. No imports/dependencies are needed.
| @@ -44,6 +44,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
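Review bot: `contents: read` satisfies actions/checkout, but this preflight job also hands ${{ secrets.GITHUB_TOKEN }} to container-version through its `token:` input. If that action only reads (tags, repository variables) the grant is sufficient; if it writes anything the job will start failing with 403 once this hunk lands, so run the workflow once with the block in place before merging.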
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
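Review bot: renaming the job id from check_renv to check-renv changes every `needs: check_renv` and `needs.check_renv.outputs.*` reference in the file, and the hunk header (-33,48 +52,42) folds roughly forty lines, so please confirm the consumers in the collapsed region were renamed as well. Moving from ubuntu-22.04 to ubuntu-latest trades a fixed image for a floating one, which is acceptable for a job that only checks whether {renv} is needed but should be called out in the changelog. The `if:` whitespace change is cosmetic.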
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 6 days ago
Add explicit least-privilege permissions blocks to jobs that currently lack them (preflight and check-renv).
Best minimal fix without changing behavior:
- In .github/workflows/update-cache.yaml, under jobs.preflight, add: permissions: {}
This denies token permissions for that job, which is appropriate since it only runs local shell logic.
- Under jobs.check-renv, add:
  permissions:
    contents: read
This allows checkout (actions/checkout) while keeping access minimal.
No imports/dependencies/methods are needed (YAML config only).
| @@ -34,6 +34,7 @@ | ||
| preflight: | ||
| name: "Preflight: Manual or Scheduled Trigger?" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| outputs: | ||
| ok: ${{ steps.check.outputs.ok }} | ||
| steps: | ||
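Review bot: `permissions: {}` is the correct grant for a job whose steps only write to $GITHUB_OUTPUT; with it the job's GITHUB_TOKEN carries no scopes at all, so if a later step in this job ever calls the API it will need an explicit scope added here rather than inheriting a default. This is the one of the Copilot suggestions on this PR that is least-privilege as written.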
| @@ -59,6 +60,8 @@ | ||
| runs-on: ubuntu-latest | ||
| needs: preflight | ||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| renv-needed: ${{ steps.renv-check.outputs.renv-needed }} | ||
| steps: |
df82016 to 123a51d
123a51d to 4dac433
| name: "Record Caching Status" | ||
| runs-on: ubuntu-latest | ||
| needs: [check-renv, update-renv-cache] | ||
| if: always() | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Record cache result" | ||
|
|
||
| run: | | ||
| echo "${{ needs.update-renv-cache.result == 'success' || needs.check-renv.outputs.renv-cache-available == 'true' || 'false' }}" > ${{ github.workspace }}/apply-cache-result | ||
| shell: bash | ||
|
|
||
| - name: "Upload cache result" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: apply-cache-result | ||
| path: ${{ github.workspace }}/apply-cache-result |
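Review bot: `if: always()` also runs this job when the workflow is cancelled, and in that case the expression writes "false" to the artifact as if caching had failed; `if: ${{ !cancelled() }}` keeps the run-on-failure behaviour without recording cancellations as cache failures. The job-level `env: GITHUB_TOKEN` is unused by either step shown (an echo and actions/upload-artifact@v4) and can be removed. The `||` chain itself does what is intended: a GitHub expression `a || b` yields the first truthy operand, so the file receives true when either condition holds and the literal 'false' otherwise.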
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 6 days ago
Add an explicit permissions block at the workflow root in .github/workflows/docker_apply_cache.yaml, directly after concurrency and before jobs.
Use least privilege needed by the shown steps:
- contents: read (safe baseline for checkout/read operations).
- id-token: write (required for aws-actions/configure-aws-credentials@v6 OIDC federation).
- actions: read (sufficient for normal workflow/action usage in this snippet).
This resolves the “workflow does not contain permissions” finding without changing workflow behavior.
| @@ -18,6 +18,11 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
| actions: read | ||
| id-token: write | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
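Review bot: `id-token: write` at workflow level hands an OIDC token to every job in this file, including preflight and the echo-only jobs; keep `id-token: write` on the job that actually runs aws-actions/configure-aws-credentials (the comment above identifies it as the consumer) and leave the root block at `contents: read`. `actions: read` is likewise not required by anything shown in the hunk and should be dropped unless a job is found to need it.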
4dac433 to b666d51
b666d51 to 1fde194
1fde194 to 339882b
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 1.0.1