Conversation
ℹ️ Modified Workflows
This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
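Review bot: The `preflight` job declares no `permissions:`, yet its only step writes to `$GITHUB_OUTPUT`, so every scope the default token inherits here is unused; `permissions: {}` on the job (or a workflow-level `contents: read`) removes them. While the `run:` block is being touched, quote the redirect target (`>> "$GITHUB_OUTPUT"`) and consider passing the `${{ github.* }}` values in through `env:` rather than interpolating them into the script, so the conditional contains no expression substitution at all.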
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 7 days ago
To fix the issue, add an explicit permissions block to the preflight job that disables the default GITHUB_TOKEN permissions. Since preflight only evaluates conditions and writes to $GITHUB_OUTPUT, it does not need to call any GitHub APIs, so the most restrictive and accurate setting is permissions: {} for that job. This prevents the token from having any scopes in this job even if the repo/org default is broader.
Concretely, in .github/workflows/docker_apply_cache.yaml, within the jobs.preflight section (around line 23), insert a permissions: {} line beneath runs-on: ubuntu-latest. No additional imports or methods are needed, and this does not change functionality because the job is not using the token.
| @@ -22,6 +22,7 @@ | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: |
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 7 days ago
In general, the workflow should define an explicit permissions block that restricts the default GITHUB_TOKEN permissions to the minimal scope needed, either at the workflow root (applying to all jobs that don't override it) or per job. Jobs that only run shell commands or print messages should typically have permissions: {} (no token) or at most read-only permissions like contents: read. Jobs that call actions needing specific scopes can override or extend this.
For this workflow, the simplest, non-invasive fix is:
- Add a top-level `permissions` block right after the `on:` section, setting `contents: read`. This documents that the default token is read-only for this workflow and will be stable even if repo/org defaults change.
- Keep the existing `permissions` override on `check-renv` (`id-token: write`) as-is so that job continues to function.
- The flagged job `no-renv-cache-used` (and other jobs without their own `permissions`) will then automatically inherit the safe read-only token, which is more than sufficient for echoing a message and other simple steps.
All required changes are within .github/workflows/docker_apply_cache.yaml; no extra imports or methods are needed.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
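Review bot: A job-level `permissions:` block replaces the workflow-level one rather than merging with it, so after this change `check-renv` (kept with `id-token: write`, per the comment above) ends up with no `contents` scope at all; if that job checks out the repository or reads it through `carpentries/actions/renv-checks@main`, add `contents: read` next to `id-token: write` in the job's own block, otherwise the root default never reaches it.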
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 7 days ago
In general, the fix is to add an explicit permissions: block that constrains the GITHUB_TOKEN to the minimal scopes required. The recommended pattern is to set restrictive permissions at the workflow root, and then override with more permissive job-level permissions: only where strictly necessary.
For this specific workflow, we can safely set permissions: read-all at the workflow level because:
- The shown jobs primarily run checks, echo messages, and upload artifacts. `actions/upload-artifact` works with `GITHUB_TOKEN` at read-level (it writes to the workflow run's artifacts, not the repo itself).
- The external action `carpentries/actions/renv-checks@main` already receives an explicit `token: ${{ secrets.GITHUB_TOKEN }}`, and typical operations (checking repo contents, labels, etc.) only need read access.
To implement this without changing behavior, we will:
- Add a single workflow-level `permissions:` block directly under the `on:` section (after line 15, before `concurrency:`).
- Use `permissions: read-all`, which is the concise equivalent of granting read-only for all scopes, matching the recommendation for least privilege and ensuring all jobs, including `renv-cache-available` on line 71, have constrained permissions unless individually overridden.
- Leave existing job structure and steps unchanged.
No additional imports or methods are required since this is only a YAML configuration change within .github/workflows/docker_apply_cache.yaml.
| @@ -13,6 +13,8 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: read-all | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
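Review bot: `permissions: read-all` grants read on every scope the token supports, including ones this workflow never touches, whereas the other suggestions on this page for the same file use `contents: read`; prefer the explicit single scope here too, so the block documents what the jobs actually need and the two suggested fixes for `docker_apply_cache.yaml` do not disagree with each other.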
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
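Review bot: `carpentries/actions/build-preflight@main` and `carpentries/actions/container-version@main` are referenced by a moving branch, so any push to that branch changes what this job executes with `GITHUB_TOKEN` in scope (it is set in the job `env:` and passed again as the `token:` input); pin both to a full commit SHA with the version in a trailing comment, or at least to a release tag as `actions/checkout@v4` already is. The job also carries no `permissions:` block, which is the CodeQL finding below.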
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 7 days ago
In general, the fix is to explicitly declare GitHub token permissions for workflows/jobs instead of relying on repository defaults. For a “preflight” job that only needs to read repository contents and metadata, contents: read is usually sufficient; you can extend this if the called actions require more, but start from a minimal set.
The best targeted fix here is to add a permissions block to the preflight job, mirroring CodeQL’s suggested minimal starting point. Since the snippet doesn’t show any write operations (no pushes, PR updates, etc.), we can safely restrict it to contents: read. This keeps functionality unchanged for typical read-only operations (checking refs, reading files), while ensuring the GITHUB_TOKEN can’t perform unnecessary writes. Concretely, in .github/workflows/docker_build_deploy.yaml, within the preflight job definition (lines 43–56), insert a permissions: section under runs-on: ubuntu-latest (and before outputs:) with contents: read. No imports or external dependencies are needed, as this is pure workflow configuration.
| @@ -43,6 +43,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
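Review bot: Renaming `check_renv` to `check-renv` and retitling it `Check If We Need {renv}` changes both the job id and the display name: any remaining `needs: check_renv` in this file must follow the id, and a branch-protection rule that lists the old display name as a required check will wait on a check that never reports. Moving from `ubuntu-22.04` to `ubuntu-latest` also lets the runner image change without a change in this file; fine if intended, but worth a line in the PR description.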
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 7 days ago
In general, the problem is fixed by explicitly defining a permissions block that restricts the GITHUB_TOKEN to the minimal required scopes. This can be set at the workflow root (applies to all jobs unless overridden) and optionally overridden per job for jobs that need additional permissions.
For this workflow, the best minimal change is:
- Add a root-level `permissions` block near the top (after `on:` or before `env:`) that sets `contents: read`. This documents and enforces least privilege for jobs like `preflight` and `check-renv`, which do not require write access.
- Keep the existing `permissions` block on the `update_cache` job, as it appears to legitimately need write access to contents, pull requests, actions, issues, and id-token to perform updates and create a pull request.
- No other behavior of the workflow changes; only the token permissions for jobs without explicit permissions are restricted.
Concretely, edit .github/workflows/update-cache.yaml to insert:
    permissions:
      contents: read
after the on: block and before the existing env: block (around current line 28). No additional imports or methods are needed since this is YAML configuration only.
| @@ -25,6 +25,9 @@ | ||
| default: false | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| LOCKFILE_CACHE_GEN: ${{ vars.LOCKFILE_CACHE_GEN || github.event.inputs.generate-cache || 'false' }} | ||
| FORCE_RENV_INIT: ${{ vars.FORCE_RENV_INIT || github.event.inputs.force-renv-init || 'false' }} |
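Review bot: With the root `contents: read` in place, the `update_cache` job's own `permissions:` block (described above as write on contents, pull requests, actions, issues and id-token) becomes the only place write scopes are granted, and because a job-level block is evaluated on its own, every scope listed there is live for every step of that job; worth confirming each of the five is actually exercised before merging, since this is the job that can push and open pull requests.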
| name: "Record Caching Status" | ||
| runs-on: ubuntu-latest | ||
| needs: [check-renv, update-renv-cache] | ||
| if: always() | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Record cache result" | ||
|
|
||
| run: | | ||
| echo "${{ needs.update-renv-cache.result == 'success' || needs.check-renv.outputs.renv-cache-available == 'true' || 'false' }}" > ${{ github.workspace }}/apply-cache-result | ||
| shell: bash | ||
|
|
||
| - name: "Upload cache result" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: apply-cache-result | ||
| path: ${{ github.workspace }}/apply-cache-result |
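Review bot: `GITHUB_TOKEN` is placed in the job-level `env:` of `record-cache-result`, but neither step shown reads it, so drop the `env:` block rather than hand the token to every shell step; the `run:` line can also use `$GITHUB_WORKSPACE` instead of interpolating `${{ github.workspace }}` into the script. `if: always()` is the right choice here so the result file is written even when `update-renv-cache` is skipped, and the `||` chain then yields the literal `false`.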
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 7 days ago
In general, this should be fixed by adding an explicit permissions: block with least privilege, either at the top level of the workflow (to apply to all jobs) or specifically for the record-cache-result job. Since other jobs in this workflow interact with AWS and caches but not with repository contents, a minimal, safe default is to set contents: read at the workflow level, which is equivalent to the recommended read-only default. If any job needed write permissions to issues, PRs, or contents, that job could then override permissions locally.
The single best fix without changing functionality is: add a top-level permissions: section after the on: block, setting contents: read. This constrains the GITHUB_TOKEN globally, including for record-cache-result, and documents the intended scope. No existing steps rely on higher privileges, so behavior remains unchanged in practice. No new imports or external dependencies are required; this is purely a YAML configuration change within .github/workflows/docker_apply_cache.yaml.
Concretely:
- In .github/workflows/docker_apply_cache.yaml, after the `on:` section (lines 3–14) and before `concurrency:`, insert:
      permissions:
        contents: read
- Leave the rest of the workflow as is, including the `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` line; the token will now be constrained to read-only repository contents (which is sufficient, and in fact unused by current steps).
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
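A small audit script of the kind I would run alongside a change like this (an added example, not code from this PR or from sandpaper): it walks a parsed workflow and reports the two things raised in the review, jobs with no effective `permissions:` (applying the rule that a job-level block replaces the root one rather than merging) and actions referenced by a mutable ref instead of a commit SHA. It assumes the YAML has already been loaded into a dict (for example with PyYAML) and uses a constructed sample rather than the real `docker_apply_cache.yaml`.

```python
"""Added audit helper, not part of this PR or of sandpaper: it applies the
permissions and pinning points raised in this review to a parsed workflow.
Assumes the YAML is already loaded into a dict (e.g. via PyYAML); SAMPLE is
a constructed reduction of docker_apply_cache.yaml, not the real file."""
from typing import Dict, List, Union

Permissions = Union[str, Dict[str, str], None]

def effective_permissions(workflow: dict, job: dict) -> Permissions:
    """A job-level block replaces the workflow-level one; it is not merged,
    so a job granting only id-token: write has no contents scope at all."""
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")

def is_sha_pinned(uses: str) -> bool:
    # A full 40-hex commit SHA after '@'; tags and branches are mutable.
    ref = uses.rsplit("@", 1)[-1] if "@" in uses else ""
    return len(ref) == 40 and all(c in "0123456789abcdef" for c in ref.lower())

def audit(workflow: dict) -> List[str]:
    """One finding per job lacking effective permissions or using write-all,
    and one per step whose action is not pinned to a commit SHA."""
    findings: List[str] = []
    for job_id, job in workflow.get("jobs", {}).items():
        perms = effective_permissions(workflow, job)
        if perms is None:
            findings.append(f"{job_id}: no permissions block; inherits repository default scopes")
        elif perms == "write-all":
            findings.append(f"{job_id}: write-all grants every scope to GITHUB_TOKEN")
        for step in job.get("steps", []):
            uses = step.get("uses")
            if uses and not is_sha_pinned(uses):
                findings.append(f"{job_id}: {uses} is not pinned to a commit SHA")
    return findings

# Constructed sample mirroring the pre-fix shape of the jobs shown in this PR.
SAMPLE = {
    "on": {"pull_request": {"types": ["closed"]}, "workflow_dispatch": {}},
    "jobs": {
        "preflight": {"runs-on": "ubuntu-latest", "steps": [{"run": "echo ok"}]},
        "check-renv": {"permissions": {"id-token": "write"},
                       "steps": [{"uses": "carpentries/actions/renv-checks@main"}]},
        "record-cache-result": {"steps": [{"uses": "actions/upload-artifact@v4"}]},
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Adding a root `permissions: {"contents": "read"}` to the dict clears the "no permissions block" findings for `preflight` and `record-cache-result`, while `check-renv` keeps only its own `id-token: write`, which is exactly the replace-not-merge behaviour the suggestions above rely on.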
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 0.18.5