Conversation
ℹ️ Modified Workflows: This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
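Review bot: the `run:` script in the "Should we run cache application?" step expands `${{ github.event_name }}`, `${{ github.ref }}`, `${{ github.event.action }}` and `${{ github.event.pull_request.merged }}` directly inside bash. These four contexts are fixed, GitHub-controlled values, so this instance is safe, but the pattern of interpolating expressions into `run:` is the one that becomes expression injection as soon as someone adds a context that carries user-controlled text (a branch name, PR title or issue body). Reading the values into `env:` variables and testing `"$EVENT_NAME"` in the script keeps the step safe against that future edit, and while touching it, quoting `"$GITHUB_OUTPUT"` in the two `echo ... >>` lines is the usual form.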
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium.
Copilot Autofix (AI, about 1 month ago):
To fix the issue, add an explicit permissions block to the preflight job (the one starting at line 22). Since this job only runs a shell script and does not interact with repository contents, PRs, or other resources via the GitHub API, it can safely be restricted to contents: read (or even contents: none; however, contents: read is a very common minimal default and matches the query’s recommended pattern). This explicitly documents and constrains the GITHUB_TOKEN permissions for that job while leaving the behavior of the workflow unchanged.
Concretely:
- In `.github/workflows/docker_apply_cache.yaml`, within the `preflight` job definition (lines 22–38), insert a `permissions:` section under `runs-on: ubuntu-latest`, setting `contents: read`.
- No additional imports, methods, or definitions are needed; this is a pure YAML configuration change.
| @@ -22,6 +22,8 @@ | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: |
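Review bot: `contents: read` on `preflight` is a defensible documented minimum, but the job body shown above is a single bash step with no checkout and no API call, so `permissions: {}` (the form the later suggestion for update-cache.yaml uses) disables the token for this job entirely and is the tighter choice. Whichever is chosen, a job-level block replaces the workflow-level block rather than merging with it, so if one of the root-level `permissions:` insertions proposed for this same file is also applied, this job keeps exactly the scopes declared here and nothing else.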
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium.
Copilot Autofix (AI, about 1 month ago):
In general, the fix is to explicitly set a permissions block to restrict GITHUB_TOKEN to the least privilege needed. This can be done either at the workflow root (applies to all jobs that don’t override it) or per job. Since one job (check-renv) already has its own permissions block, the cleanest approach is to set a minimal read-only default at the workflow level and leave check-renv’s specific id-token: write override as-is.
Concretely:
- Add a root-level `permissions:` block near the top of `.github/workflows/docker_apply_cache.yaml` (e.g., after the `on:` section and before `concurrency:`) that sets `contents: read`. This is a safe, minimal default that will apply to jobs such as `preflight`, `no-renv-cache-used`, `renv-cache-available`, `update-renv-cache`, and `record-cache-result`, none of which need write access to repository contents.
- Keep the existing `permissions` block for `check-renv` unchanged so it can still obtain an OIDC `id-token` for AWS role assumption.
- No additional imports, methods, or definitions are needed since this is a GitHub Actions YAML configuration change only.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
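Review bot: a root-level `contents: read` governs only the jobs that declare no `permissions:` of their own, and a job-level block replaces it completely instead of adding to it. The comment says `check-renv` already declares `id-token: write`; if that job also checks out the repository with `GITHUB_TOKEN`, its block must list `contents: read` explicitly, otherwise the checkout runs with a token that has no contents scope (a hard failure on a private repository). Worth confirming against the `check-renv` steps before merging this hunk.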
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium.
Copilot Autofix (AI, about 1 month ago):
In general, fix this by explicitly specifying permissions: for the workflow (and overriding per job if a job needs more than the minimal set). For jobs that only need to read repository contents and metadata, contents: read is sufficient; jobs that upload artifacts to the Actions storage do not need extra repo permissions beyond this. Only jobs that interact with issues, PRs, packages, etc. should request write scopes for those specific resources.
For this specific workflow, the simplest and least intrusive fix is to add a root-level permissions block that applies to all jobs, specifying a minimal, read-only configuration. From the visible code, the jobs shown (check-renv, no-renv-cache-used, renv-cache-available, update-renv-cache, record-cache-result) either call other actions, echo text, or upload an artifact. None of these require write access to repository contents. Therefore, adding at the top level:

    permissions:
      contents: read

will constrain GITHUB_TOKEN appropriately without breaking existing behavior. We do not need to add job-specific permissions for renv-cache-available or record-cache-result; they will inherit the root permissions. The change should be inserted after the on: block (for clarity) and before concurrency: or jobs:. No new imports, methods, or other definitions are needed, since this is a YAML configuration change only.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
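Review bot: this hunk is the same insertion, line for line, as the previous suggestion for `.github/workflows/docker_apply_cache.yaml` (lines 13-16), and the suggestion attached to the `record-cache-result` annotation further down repeats it a third time. Apply it once: accepting two of them leaves the file with duplicate top-level `permissions:` keys, which the workflow parser rejects at load time.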
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
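Review bot: the two actions this job calls, `carpentries/actions/build-preflight@main` and `carpentries/actions/container-version@main`, are referenced by a mutable branch and both receive `GITHUB_TOKEN` (once via the job-level `env:` and again via the `token:` input). Whatever `permissions:` the job ends up with is the scope that any future commit to `main` of that actions repository can exercise, so pinning both `uses:` lines to a full commit SHA is what makes a least-privilege claim for this job stable. The job-level `env: GITHUB_TOKEN` also looks redundant next to the explicit `token:` input on the one step that needs it; dropping it narrows where the secret is visible.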
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium.
Copilot Autofix (AI, 5 days ago):
To fix the problem, explicitly declare restricted permissions for the preflight job so it does not inherit broad repository defaults. Since preflight only runs checks and calls actions that read repository metadata, contents: read is sufficient and aligns with the CodeQL recommendation.
The best minimally invasive fix is:
- Add a `permissions` block under `jobs.preflight` with only `contents: read`.
- Leave the existing `permissions` blocks for `full-build` and `update-container-version` unchanged.
- Do not alter any steps, environment variables, or other job configuration.
Concretely, in .github/workflows/docker_build_deploy.yaml, edit the preflight job definition (around lines 44–57). Insert:

    permissions:
      contents: read

between runs-on: ubuntu-latest and outputs:. No imports or additional definitions are required, as this is pure workflow YAML.
| @@ -44,6 +44,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
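Review bot: `contents: read` is sufficient here only if `build-preflight` and `container-version` make no write call with the token they are handed; the comment infers that from what the actions appear to do rather than from their code, so a run of the workflow on this branch is the real confirmation (a missing scope surfaces as a 403 in the action's log). The hunk also leaves `env: GITHUB_TOKEN` untouched, so every step in the job, not only the one with the `token:` input, can still read the token.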
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
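Review bot: the job id changes from `check_renv` to `check-renv`, so every `needs: check_renv` and `needs.check_renv.outputs.*` reference elsewhere in the file has to change in the same commit or the workflow fails to validate; the hunk header shows 48 lines becoming 42, so most of that churn is in the elided part, but a grep for `check_renv` across the repository before merging is cheap insurance. Moving from `ubuntu-22.04` to `ubuntu-latest` trades a fixed runner image for one GitHub rolls forward, which makes a {renv} cache restore harder to reproduce when a future image changes system libraries.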
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium.
Copilot Autofix (AI, about 1 month ago):
In general, the fix is to explicitly declare minimal permissions for jobs so they don’t inherit broader repository defaults. For this workflow, the best approach is:
- Add a root-level `permissions` block that sets `contents: read` (a safe baseline for most workflows).
- Override that baseline for individual jobs: `preflight` and `check-renv` do not need any token access, so set `permissions: {}` for those jobs to fully disable `GITHUB_TOKEN`.
- Leave the existing permissions for `update_cache` unchanged, since it already declares explicit scopes including `contents: write`, `pull-requests: write`, etc.
This preserves existing functionality while tightening security for the jobs that don’t need token permissions and documenting a minimal baseline for the workflow. All changes are in .github/workflows/update-cache.yaml:
- Insert a root-level `permissions:` block after the `on:` definition and before `env:`.
- Add `permissions: {}` to the `preflight` and `check-renv` job definitions.
| @@ -25,6 +25,9 @@ | ||
| default: false | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| LOCKFILE_CACHE_GEN: ${{ vars.LOCKFILE_CACHE_GEN || github.event.inputs.generate-cache || 'false' }} | ||
| FORCE_RENV_INIT: ${{ vars.FORCE_RENV_INIT || github.event.inputs.force-renv-init || 'false' }} | ||
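Review bot: after the three hunks in this suggestion are applied, no job in the file actually inherits this root-level `contents: read`: `update_cache` keeps its own explicit block and `preflight` and `check-renv` get `permissions: {}` below. It is still worth having as the default for jobs added later, but the comment's framing of it as a tightening should be read with that in mind; the tightening comes from the two `permissions: {}` hunks.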
| @@ -34,6 +37,7 @@ | ||
| preflight: | ||
| name: "Preflight: Manual or Scheduled Trigger?" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| outputs: | ||
| ok: ${{ steps.check.outputs.ok }} | ||
| steps: | ||
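Review bot: `permissions: {}` is the documented way to hand a job a `GITHUB_TOKEN` with no scopes, and the `preflight` step shown earlier in this diff only writes `ok=...` to `$GITHUB_OUTPUT` from a shell script, so nothing visible needs the token. One check before merging: if a step in the elided part of this job uses `actions/checkout` or the `gh` CLI, it will fail under this block, and `contents: read` is the minimal replacement.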
| @@ -58,6 +62,7 @@ | ||
| name: "Check If We Need {renv}" | ||
| runs-on: ubuntu-latest | ||
| needs: preflight | ||
| permissions: {} | ||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | ||
| outputs: | ||
| renv-needed: ${{ steps.renv-check.outputs.renv-needed }} |
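Review bot: `check-renv` in this file gets `permissions: {}`, whereas the same-named job in docker_apply_cache.yaml needs `id-token: write` for its AWS OIDC step (per the earlier suggestion). Confirm this job's steps neither assume the AWS role nor check out the repository: the OIDC credentials step needs `id-token: write`, and `actions/checkout` needs `contents: read` on the token for a private repository. If either is present, the block should name those scopes rather than be empty.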
2c7beb2 to 3e904fb
3e904fb to 44c88e6
| name: "Record Caching Status" | ||
| runs-on: ubuntu-latest | ||
| needs: [check-renv, update-renv-cache] | ||
| if: always() | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Record cache result" | ||
|
|
||
| run: | | ||
| echo "${{ needs.update-renv-cache.result == 'success' || needs.check-renv.outputs.renv-cache-available == 'true' || 'false' }}" > ${{ github.workspace }}/apply-cache-result | ||
| shell: bash | ||
|
|
||
| - name: "Upload cache result" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: apply-cache-result | ||
| path: ${{ github.workspace }}/apply-cache-result |
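Review bot: `record-cache-result` exports `GITHUB_TOKEN` to the job environment, but neither visible step uses it: the shell step only evaluates `needs.*` expressions and writes a file, and `actions/upload-artifact@v4` authenticates with its own runtime token. Dropping the `env:` block removes a secret from a job that does not need it and pairs naturally with the `contents: read` suggestion below. The inline `${{ needs.update-renv-cache.result == 'success' || ... || 'false' }}` expansion in `run:` is harmless here because the expression can only yield `true` or `false`; with `if: always()` the step still runs when `check-renv` failed and produced no output, and the trailing `|| 'false'` is what keeps the written value well-formed in that case.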
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium.
Copilot Autofix (AI, about 1 month ago):
In general, the fix is to explicitly declare a permissions block in the workflow (at the top level or per-job) that grants only the minimal scopes required. If none of the jobs need to modify repository contents, issues, or pull requests, you can set contents: read at the workflow level. This both documents the intended access and prevents the workflow from accidentally inheriting broader write permissions from the repository or organization defaults.
For this specific workflow file .github/workflows/docker_apply_cache.yaml, the simplest and safest fix without changing functionality is to add a top-level permissions block right after the on: section. The jobs shown (including record-cache-result) only read workflow context, configure AWS credentials via OIDC, and upload an artifact. None of these operations require write access to repository contents, issues, or pull requests. Therefore, setting permissions: contents: read at the workflow root is appropriate and will apply to all jobs, including record-cache-result, unless any job overrides it. No additional imports or methods are required as this is purely a YAML configuration change.
Concretely:
- Edit `.github/workflows/docker_apply_cache.yaml`.
- After the `on:` block (after line 14), insert:

    permissions:
      contents: read

- Keep indentation consistent with the existing top-level keys (`name`, `description`, `on`, `concurrency`, `jobs`).
- No other regions or files need to be altered.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
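Review bot: identical to the two earlier root-level suggestions for `.github/workflows/docker_apply_cache.yaml`; apply the insertion once. The comment above notes that `check-renv` configures AWS credentials via OIDC, so that job must keep `id-token: write` in its own block, and because a job-level block replaces the root one rather than merging with it, that block must also carry `contents: read` if the job checks out the lesson repository.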
44c88e6 to eab816c
eab816c to 87c38f3
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 1.0.0
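The Copilot Autofix comments above all rely on the same three rules: a root-level `permissions:` block is the default for jobs that declare nothing, a job-level block replaces the root block outright (unlisted scopes drop to `none`), and `permissions: {}` leaves the token with no scopes. The script below, an added example that is not part of this PR, the carpentries workflows or CodeQL, models those rules and runs two checks over a constructed workflow modelled on the jobs shown on this page: a simplified stand-in for the "Workflow does not contain permissions" finding, and the caveat raised in the review notes, a job that uses `actions/checkout` but whose effective `contents` scope is `none`. The scope list and resolution rules follow GitHub's documented behaviour; the workflow text, job names and the helper names are constructed for the example. Ruby is used because its standard library ships a YAML parser, so the script runs offline.

```ruby
require 'yaml'

# Constructed sample (not the real docker_apply_cache.yaml): root default,
# one job overriding for OIDC, one job with the token disabled, one job that
# declares nothing and therefore inherits the root block.
SAMPLE_WORKFLOW = <<~'YAML'
  name: docker-apply-cache (constructed sample)
  on:
    workflow_dispatch:
  permissions:
    contents: read
  jobs:
    preflight:
      runs-on: ubuntu-latest
      permissions: {}
      steps:
        - run: echo "preflight"
    check-renv:
      runs-on: ubuntu-latest
      permissions:
        id-token: write
      steps:
        - uses: actions/checkout@v4
    record-cache-result:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/upload-artifact@v4
YAML

# Constructed "before the fix" sample: no root block, so preflight inherits
# whatever the repository default happens to be.
BEFORE_WORKFLOW = <<~'YAML'
  name: before-fix (constructed sample)
  on:
    push:
  jobs:
    preflight:
      runs-on: ubuntu-latest
      steps:
        - run: echo "preflight"
    check-renv:
      runs-on: ubuntu-latest
      permissions:
        id-token: write
      steps:
        - uses: actions/checkout@v4
YAML

# GITHUB_TOKEN scopes as documented by GitHub.
ALL_SCOPES = %w[actions checks contents deployments id-token issues packages
                pages pull-requests security-events statuses].freeze

# Expand one permissions value into scope => level. A hash lists only the
# granted scopes, everything else is "none"; an empty hash disables the token;
# "read-all"/"write-all" grant every scope; nil means nothing was declared.
def expand_permissions(value)
  case value
  when nil then nil
  when 'read-all' then ALL_SCOPES.to_h { |s| [s, 'read'] }
  when 'write-all' then ALL_SCOPES.to_h { |s| [s, 'write'] }
  when Hash then ALL_SCOPES.to_h { |s| [s, value.fetch(s, 'none')] }
  else raise ArgumentError, "unexpected permissions value: #{value.inspect}"
  end
end

# Effective permissions per job id: a job-level block replaces the root block
# entirely (no merge), and a job with no block of its own inherits the root.
def effective_permissions(workflow_yaml)
  wf = YAML.safe_load(workflow_yaml)
  root = expand_permissions(wf['permissions'])
  wf.fetch('jobs').to_h do |job_id, job|
    [job_id, expand_permissions(job['permissions']) || root]
  end
end

# Simplified stand-in for CodeQL's "Workflow does not contain permissions":
# jobs whose effective permissions are undeclared (nil) inherit the
# repository default, which may be broad.
def jobs_without_permissions(workflow_yaml)
  effective_permissions(workflow_yaml).select { |_, perms| perms.nil? }.keys
end

# The replace-not-merge caveat: jobs that check out the repository but whose
# job-level block left "contents" at none.
def checkout_without_contents(workflow_yaml)
  wf = YAML.safe_load(workflow_yaml)
  perms = effective_permissions(workflow_yaml)
  wf.fetch('jobs').select do |job_id, job|
    checks_out = (job['steps'] || []).any? { |s| s['uses'].to_s.start_with?('actions/checkout') }
    checks_out && perms[job_id] && perms[job_id]['contents'] == 'none'
  end.keys
end

# Only the scopes actually granted, for readable reporting.
def granted(perms)
  perms.reject { |_, level| level == 'none' }
end

if __FILE__ == $PROGRAM_NAME
  { 'before' => BEFORE_WORKFLOW, 'after' => SAMPLE_WORKFLOW }.each do |label, wf|
    puts "== #{label} =="
    effective_permissions(wf).each do |job, perms|
      puts "  #{job}: #{perms.nil? ? 'UNDECLARED (repository default)' : granted(perms).inspect}"
    end
    puts "  missing permissions: #{jobs_without_permissions(wf).inspect}"
    puts "  checkout without contents scope: #{checkout_without_contents(wf).inspect}"
  end
end
```

Running it shows `preflight` flagged in the "before" workflow and nothing flagged after the root block is added, but in both workflows `check-renv` is reported as checking out the repository with `contents` at `none`, which is exactly the case a job-level `id-token: write` block needs to handle by listing `contents: read` alongside it.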