Conversation
ℹ️ Modified Workflows: This pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content.
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 24 days ago
In general, the fix is to add an explicit permissions block to the workflow, at either the workflow root (to apply to all jobs) or to individual jobs, and set the minimum required permissions. For jobs that do not need GITHUB_TOKEN at all, permissions: {} or permissions: read-all or permissions: contents: read are typical; for jobs that need to assume AWS roles via OIDC, id-token: write must be granted.
The best fix here without changing functionality is:
- Add a root-level `permissions` block that restricts the default token permissions for all jobs to read-only repository contents: `permissions: contents: read`.
- Keep the existing, more specific `permissions` block on `check-renv` (`id-token: write`), which will override the root default for that job.
- The `preflight`, `no-renv-cache-used`, `renv-cache-available`, `update-renv-cache`, and `record-cache-result` jobs do not appear to need write permissions, so inheriting `contents: read` is safe and minimal.
Concretely, edit `.github/workflows/docker_apply_cache.yaml`:
- Insert a root-level `permissions` block after the `on:` section (after line 14–15, before `concurrency:`), with: `permissions: contents: read`
No new methods, imports, or other definitions are needed; this is pure workflow configuration.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
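Review bot: a job-level `permissions` block does not merge with the root-level `contents: read` added here; it replaces it for that job, so the `check-renv` job named in the suggestion (the one carrying `id-token: write`) will end up with only the scopes its own block lists, and that block should name `contents: read` as well if the job checks out the repository. The identical root-level hunk is also proposed by two further suggestions on this same file; apply it once, since a second `permissions:` key at the root would be a duplicate mapping key and the workflow would fail to parse.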
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 24 days ago
In general, fix this by explicitly setting a restrictive permissions block at the workflow root (so it applies to all jobs by default) and then overriding it only in jobs that require broader or specialized permissions. For jobs that do not need to write to the repository or other resources via GITHUB_TOKEN, permissions: contents: read (or even permissions: {} if truly no token is needed) is sufficient.
For this file, the best minimal change without altering functionality is:
- Add a root-level `permissions` block after the `on:` section, setting `contents: read`. This will constrain the default GITHUB_TOKEN permissions for all jobs.
- Keep the existing `permissions` block in the `check-renv` job as-is; GitHub will merge/override appropriately, and `id-token: write` is still allowed alongside the root defaults.
- No changes are needed per-job (including `no-renv-cache-used`), since the root-level block is enough to satisfy the CodeQL warning and enforce least privilege.
Concretely, edit `.github/workflows/docker_apply_cache.yaml` to insert:
    permissions:
      contents: read
between the `on:` block (ending at line 14) and the `concurrency:` block (starting at line 17). No imports or external libraries are involved.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
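Review bot: this hunk is byte-for-byte the same root-level insertion proposed in the previous suggestion for this file, so it should be applied once, not per alert. The suggestion text above says GitHub will "merge/override" the root block with the `check-renv` job's own block; it only overrides: a job that declares `permissions` gets exactly the scopes it lists and nothing from the root default, so `id-token: write` on `check-renv` is not "alongside" `contents: read` unless that job's block also states `contents: read`.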
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 24 days ago
In general, the fix is to explicitly add a permissions: block to the workflow or each job, setting the minimum required scopes (often contents: read, or even permissions: {} / permissions: read-all / permissions: write-all depending on needs). For jobs that do not require the GITHUB_TOKEN at all (no repository writes, no API calls, no actions that implicitly need it), we can set permissions: {} (or permissions: none on newer runners) at the job level to prevent the token from being granted.
In this specific workflow snippet, the renv-cache-available job only runs a single shell command that echoes a message and does not interact with the GitHub API, repository contents, or other securable resources. Therefore, the best minimal fix, without changing any behavior, is to add an explicit permissions: {} block to that job so that CodeQL recognizes that this job’s GITHUB_TOKEN is fully disabled. We will insert this directly under the job header (near the other job-level keys like runs-on and needs). Other jobs (e.g., update-renv-cache, record-cache-result) may legitimately require some permissions, but the error CodeQL highlighted is specifically for the renv-cache-available job; we will confine our change to that job only as per the instructions.
| @@ -72,6 +72,7 @@ | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| permissions: {} | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" |
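Review bot: `permissions: {}` is the right form for a job whose only step is `run: echo ...` and which never uses the token; the suggestion text's alternative `permissions: none` is not an accepted value (the valid forms are `read-all`, `write-all`, `{}`, or a map of individual scopes), so do not substitute it. The `no-renv-cache-used` job shown earlier in this file runs the same kind of echo-only step and qualifies for the same block. If the root-level `contents: read` proposed elsewhere on this file is also applied, both jobs are covered already and this per-job block becomes redundant rather than harmful; either way, choose one approach for the file so reviewers are not reading two overlapping fixes.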
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 24 days ago
In general, the fix is to explicitly declare a permissions block to scope down the GITHUB_TOKEN privileges for the affected job (or at the workflow root). For the highlighted preflight job, we should add a job-level permissions section with the minimal permissions needed. Based on the snippet, preflight mainly performs checks, checks out the repository, and calls Carpentries actions likely needing to read repository contents and perhaps workflow metadata, but not to write code, issues, or PRs. A safe minimal starting point consistent with the CodeQL suggestion is contents: read. If additional scopes were needed later, they can be added explicitly.
Concretely, in .github/workflows/docker_build_deploy.yaml, inside the preflight job, add a permissions: mapping aligned with other job keys (e.g., same indentation as runs-on: and outputs:). Place it after runs-on: ubuntu-latest (or before outputs:) for clarity:
    permissions:
      contents: read
This does not change existing functionality except to limit what the default token can do to read-only on repository contents for this job, which is the intended least-privilege configuration. No new methods, imports, or external dependencies are required because this is a pure workflow-configuration change.
| @@ -43,6 +43,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
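Review bot: `contents: read` is a plausible minimum for `preflight`, but the job hands `${{ secrets.GITHUB_TOKEN }}` to `carpentries/actions/container-version@main` both as an env var and as its `token:` input, so check what that action does with it; if it queries the container registry, `packages: read` is also needed and the "Get container version info" step will start failing only after this restriction lands. Separately, both composite actions in this job are referenced by the mutable `@main` ref rather than a commit SHA, so whatever scopes this block grants are delegated to whatever that branch contains at run time; pinning to a SHA is what makes a least-privilege block meaningful.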
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
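Review bot: renaming the job id from `check_renv` to `check-renv` breaks any `needs: check_renv` entry or `needs.check_renv.outputs.*` expression elsewhere in this file unless they are updated in the same change; the workflow fails validation on the first unresolved reference, so confirm the rest of the 48-line hunk covers them. The switch from `ubuntu-22.04` to `ubuntu-latest` trades a pinned image for a floating label, which is acceptable for a check-only job but can change tool versions silently. The added space in the `if:` expression is cosmetic and has no effect on evaluation.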
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 24 days ago
In general, the fix is to define an explicit permissions: block that grants only the minimal required scopes. You can do this either at the workflow root (applies to all jobs without their own permissions) or per job. Since update_cache already has its own explicit (and broader) permissions, the cleanest fix is to add a restrictive permissions: block at the workflow root that applies to preflight and check-renv, while leaving update_cache unchanged.
Concretely, in .github/workflows/update-cache.yaml, add a top-level permissions: section after the on: block and before env:. Set it to read-only repository access, which is the minimal safe default for most workflows that only need to read the code or metadata. A typical least-privilege baseline is:
    permissions:
      contents: read
Both preflight and check-renv only read metadata and repository content (via actions/checkout and an external composite action), and do not require write access, so `contents: read` is sufficient. The update_cache job already has its own `permissions:` block including `contents: write`, `pull-requests: write`, etc., which will override the workflow default for that job, so we should not change that block.
No new imports or external libraries are needed; this is purely a YAML configuration change within the shown workflow file.
| @@ -25,6 +25,9 @@ | ||
| default: false | ||
| type: boolean | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| LOCKFILE_CACHE_GEN: ${{ vars.LOCKFILE_CACHE_GEN || github.event.inputs.generate-cache || 'false' }} | ||
| FORCE_RENV_INIT: ${{ vars.FORCE_RENV_INIT || github.event.inputs.force-renv-init || 'false' }} |
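Review bot: the root-level `contents: read` placed between the trigger block and `env:` is correct for `check-renv`, which according to the suggestion only runs `actions/checkout` and a composite action, and the `update_cache` job's own block (`contents: write`, `pull-requests: write`) replaces the root default for that job rather than widening or narrowing it, so nothing changes there. The useful side effect is that any job added to this file later without its own block inherits read-only and fails closed on a write attempt instead of inheriting the repository's default token settings.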
Force-pushed 9d070c9 to b72e8e1 (Compare)
Force-pushed b72e8e1 to cdd9f49 (Compare)
| name: "Record Caching Status" | ||
| runs-on: ubuntu-latest | ||
| needs: [check-renv, update-renv-cache] | ||
| if: always() | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Record cache result" | ||
|
|
||
| run: | | ||
| echo "${{ needs.update-renv-cache.result == 'success' || needs.check-renv.outputs.renv-cache-available == 'true' || 'false' }}" > ${{ github.workspace }}/apply-cache-result | ||
| shell: bash | ||
|
|
||
| - name: "Upload cache result" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: apply-cache-result | ||
| path: ${{ github.workspace }}/apply-cache-result |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 24 days ago
In general, the fix is to add an explicit permissions block that limits the GITHUB_TOKEN to the least privileges needed. Since the shown jobs only run shell commands, configure AWS credentials, upload to S3, and upload artifacts (all of which do not require repository write access), we can set contents: read at the workflow level, which is the minimal standard baseline and matches GitHub’s recommended starting point.
The single best fix, without changing existing functionality, is:
- Add a root-level `permissions:` block after the `on:` section, setting `contents: read`.
- This applies to all jobs (`preflight`, `check-renv`, `no-renv-cache-used`, `renv-cache-available`, `update-renv-cache`, and `record-cache-result`) unless they override it.
- No additional imports, methods, or YAML keys are necessary; this is a purely declarative change.
Concretely, in `.github/workflows/docker_apply_cache.yaml`, insert:
    permissions:
      contents: read
between the existing `on:` block (line 3–14) and the `concurrency:` block (line 16–19). This keeps behavior identical while ensuring that GITHUB_TOKEN is restricted to read-only access to repository contents.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
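Review bot: third copy of the same root-level hunk for `docker_apply_cache.yaml`; it settles the `record-cache-result` alert above together with the earlier ones, so apply it once and close the remaining alerts against that single change. `record-cache-result` itself only writes a file under `${{ github.workspace }}` and calls `actions/upload-artifact@v4`, neither of which needs a `GITHUB_TOKEN` scope beyond `contents: read`, so the `env: GITHUB_TOKEN` assignment on that job can stay as it is.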
Force-pushed cdd9f49 to 8f12949 (Compare)
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 0.18.5