Conversation
ℹ️ Modified WorkflowsThis pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, to fix this type of issue you explicitly declare a permissions block either at the workflow root (applies to all jobs without their own block) or on each job, and reduce the GITHUB_TOKEN privileges to the minimum needed (often contents: read, or {} if no API access is required).
For this workflow, the preflight job only evaluates event context and writes to GITHUB_OUTPUT; it doesn’t use GITHUB_TOKEN, call GitHub APIs, or check out the repo. The safest and least-privilege fix without changing functionality is to add a permissions block to that job and set it to an empty mapping, which disables all default permissions for that job. Other jobs already have their own permissions where needed (e.g., check-renv has id-token: write), so we only change preflight.
Concretely:
- Edit
.github/workflows/docker_apply_cache.yaml. - Within the
preflightjob definition, betweenruns-on: ubuntu-latest(line 24) andoutputs:(line 25), add:permissions: {}
This leaves functionality unchanged while explicitly restricting the job’s token permissions.
| @@ -22,6 +22,7 @@ | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: |
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, the fix is to add an explicit permissions block to the workflow or to each job, restricting the GITHUB_TOKEN to the minimal scopes required. Jobs that do not interact with the repository or GitHub APIs can use permissions: { contents: read } as a safe, minimal baseline; jobs that need elevated permissions (like id-token: write for OIDC) should declare only those.
For this workflow, the simplest and least-disruptive change is to add a root-level permissions block (applies to all jobs) that sets contents: read. This satisfies CodeQL for jobs such as no-renv-cache-used, renv-cache-available, update-renv-cache, and record-cache-result, which only echo, run external actions, or upload artifacts and do not require repository writes. The existing check-renv job already has a permissions block with id-token: write; per GitHub’s rules, a job-level permissions block overrides the workflow default, so we should keep that intact and only add the new workflow-level permissions above jobs:.
Concretely:
- In
.github/workflows/docker_apply_cache.yaml, insert a root-levelpermissions:section (e.g., after theconcurrencyblock) withcontents: read. - Do not modify existing job definitions or the
check-renvjob’spermissionsblock, as it already expresses its special requirement.
No new imports or methods are needed; this is purely a YAML workflow configuration change.
| @@ -18,6 +18,9 @@ | ||
| group: docker-apply-cache | ||
| cancel-in-progress: false | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" |
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, this problem is fixed by explicitly defining a permissions block that restricts the default GITHUB_TOKEN privileges, either at the workflow root (affecting all jobs) or per-job. For a job that does not need to access the GitHub API at all, we can safely set permissions: {} (or an explicit mapping with only contents: read if some read access is needed). This documents the intended permissions and protects the workflow if repository/organization defaults are permissive.
The single best fix here, without changing any existing behavior, is to add a minimal permissions block to the renv-cache-available job, because that is the job CodeQL flagged. Since the only step in that job is a simple run: echo "renv cache available for this lesson", it does not need the GITHUB_TOKEN at all, so we can completely disable token permissions for that job using an empty permissions map. Concretely, in .github/workflows/docker_apply_cache.yaml, under the renv-cache-available job (around lines 70–77), insert a permissions: {} line at the same indentation level as runs-on, needs, and if. No additional imports, methods, or external definitions are needed; this is purely a YAML configuration change.
| @@ -72,6 +72,7 @@ | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| permissions: {} | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" |
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 18 days ago
To fix this, explicitly declare a permissions block so that the preflight job does not inherit broad default repository/organization permissions. The least-privilege baseline for jobs that only need to read repository contents (for example, for preflight checks and determining container versions) is contents: read. Because this job already passes secrets.GITHUB_TOKEN into actions and does not appear to push commits, create releases, or modify issues/PRs, there is no indication it requires any write scopes.
The best minimal change without altering functionality is to add a permissions block under the preflight job definition. Concretely, in .github/workflows/docker_build_deploy.yaml, immediately under runs-on: ubuntu-latest for the preflight job, add:
permissions:
contents: readThis constrains only that job’s GITHUB_TOKEN while leaving the existing, more permissive permissions blocks for the full-build and update-container-version jobs unchanged. No imports or additional methods are needed; this is a pure workflow YAML configuration change.
| @@ -44,6 +44,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, the problem is fixed by adding an explicit permissions block that restricts the GITHUB_TOKEN to the minimal scopes required. This can be done at the workflow root (applies to all jobs that don’t override it) or per job. Here, we already have an explicit permissions block for the update_cache job; the preflight and check-renv jobs don’t need write access and can safely run with read-only repository access. The cleanest fix is to add a root-level permissions block with read-only contents (and no other scopes), which will apply to preflight and check-renv while leaving the existing permissions on update_cache unchanged.
Concretely:
- Add a new
permissions:section near the top of.github/workflows/update-cache.yaml, at the workflow root level (same indentation asname,description,on,env,jobs). - Set it to
contents: read, which is the minimal common read-only permission equivalent to a read-only default and sufficient for basic operations that might require token-based repository access (and harmless if unused). - Keep the existing
permissionsblock underupdate_cacheas-is; per GitHub’s semantics, job-level permissions override the workflow default, soupdate_cacheretains its broader rights, whilepreflight(the line CodeQL flagged) andcheck-renvnow have explicit, limited permissions.
No imports or external dependencies are involved; this is a pure YAML configuration change confined to .github/workflows/update-cache.yaml.
| @@ -1,5 +1,7 @@ | ||
| name: "02 Maintain: Check for Updated Packages" | ||
| description: "Check for updated R packages and create a pull request to update the lesson's renv lockfile and package cache" | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| schedule: | ||
| - cron: '0 0 * * 2' |
epiverse-trace-bot
force-pushed
the
update/workflows
branch
from
5b9361c to
c22179a
Compare
epiverse-trace-bot
changed the title
epiverse-trace-bot
force-pushed
the
update/workflows
branch
from
c22179a to
90a0e04
Compare
epiverse-trace-bot
changed the title
| name: "Record Caching Status" | ||
| runs-on: ubuntu-latest | ||
| needs: [check-renv, update-renv-cache] | ||
| if: always() | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Record cache result" | ||
|
|
||
| run: | | ||
| echo "${{ needs.update-renv-cache.result == 'success' || needs.check-renv.outputs.renv-cache-available == 'true' || 'false' }}" > ${{ github.workspace }}/apply-cache-result | ||
| shell: bash | ||
|
|
||
| - name: "Upload cache result" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: apply-cache-result | ||
| path: ${{ github.workspace }}/apply-cache-result |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, the fix is to add an explicit permissions block either at the top level of the workflow (to apply to all jobs) or specifically to the record-cache-result job, granting only the minimal scopes required (likely just contents: read for actions metadata and artifact upload). This restricts the GITHUB_TOKEN so it cannot perform unintended write operations even if the repository default is permissive.
The safest, least‑intrusive fix here is to add a root‑level permissions block right after the on: section, setting contents: read. None of the shown jobs appears to need to write to the repository, open issues, or modify pull requests; the AWS access for S3 uses OIDC and the AWS role, not GITHUB_TOKEN. actions/upload-artifact does not require write access to repo contents; it interacts with GitHub’s artifact service. Therefore, contents: read at the workflow root is a good minimal baseline and should not change existing behavior.
Concretely, in .github/workflows/docker_apply_cache.yaml, insert:
permissions:
contents: readbetween the on: block (ending at line 14) and the concurrency: block (starting at line 16). This will apply to all jobs, including record-cache-result, satisfying the CodeQL requirement and aligning with least‑privilege principles without changing workflow functionality.
| @@ -13,6 +13,9 @@ | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| # queue cache runs | ||
| concurrency: | ||
| group: docker-apply-cache |
epiverse-trace-bot
force-pushed
the
update/workflows
branch
2 times, most recently
from
88f7fe4 to
e5eec7a
Compare
epiverse-trace-bot
force-pushed
the
update/workflows
branch
from
e5eec7a to
10d2db4
Compare
epiverse-trace-bot
changed the title
2 participants
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 1.0.0