Conversation
ℹ️ Modified WorkflowsThis pull request contains modified workflow files and no preview will be created. Workflow files modified:
If this is not from a trusted source, please inspect the changes for any malicious content. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: | ||
| - name: "Should we run cache application?" | ||
| id: check | ||
| run: | | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" || | ||
| ("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then | ||
| echo "merged_or_manual=true" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "This was not a manual trigger and no PR was merged. No action taken." | ||
| echo "merged_or_manual=false" >> $GITHUB_OUTPUT | ||
| fi | ||
| shell: bash | ||
|
|
||
| check-renv: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, fix this by explicitly declaring a permissions block either at the workflow root or per job, granting only the minimal scopes needed. Jobs that do not need GITHUB_TOKEN at all can use permissions: {} (or permissions: { contents: read } if read access is required).
For this workflow, the preflight job does not interact with the repository, GitHub API, or any actions that require authentication; it simply inspects github context variables and sets an output. The safest, least-privilege fix is to add permissions: {} to that job so that GITHUB_TOKEN is not granted. Concretely, in .github/workflows/docker_apply_cache.yaml, under jobs: preflight:, insert a permissions: {} block aligned with other job keys (e.g., between runs-on: ubuntu-latest and outputs:). No imports or additional definitions are needed.
| @@ -22,6 +22,7 @@ | ||
| preflight: | ||
| name: "Preflight: PR or Manual Trigger?" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| outputs: | ||
| do-apply: ${{ steps.check.outputs.merged_or_manual }} | ||
| steps: |
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: | ||
| - name: "No renv cache needed" | ||
| run: echo "No renv cache needed for this lesson" | ||
|
|
||
| renv-cache-available: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, to fix this kind of issue you either (a) add a top-level permissions block to the workflow to set minimal defaults for all jobs, or (b) add a per-job permissions block to each job, granting only what that job needs. Jobs that do not interact with the GitHub API or repository contents can set permissions: {} (or omit specific scopes) to effectively disable GITHUB_TOKEN.
For this specific workflow and the highlighted no-renv-cache-used job, the single best minimal change is to add a permissions: {} block to that job so it does not receive a token at all, without altering any behavior. This job only prints a message; it does not use GITHUB_TOKEN or perform any GitHub operations. Therefore, we can safely disable permissions entirely for this job.
Concretely:
- Edit
.github/workflows/docker_apply_cache.yaml. - In the
no-renv-cache-usedjob definition (around lines 61–69), insert apermissions: {}block betweenruns-on: ubuntu-latestandneeds: check-renv, respecting YAML indentation. - No imports or other definitions are needed, because this is a YAML workflow configuration change only.
| @@ -61,6 +61,7 @@ | ||
| no-renv-cache-used: | ||
| name: "No renv cache used" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-needed != 'true' | ||
| steps: |
| name: "renv cache available" | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" | ||
|
|
||
| update-renv-cache: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, the fix is to add an explicit permissions: block with the minimal scopes each job actually needs. For jobs that never call GitHub APIs or use actions that require the token, you can typically set permissions: { contents: read } or even permissions: {} (no permissions) if nothing requires the token. Jobs that need to push commits, create releases, or otherwise modify repository state should be given only the specific write scopes they need (e.g., contents: write, pull-requests: write, etc.).
For this specific workflow, the renv-cache-available job (lines 70–77) only runs a shell command that prints a message and does not use GITHUB_TOKEN or any GitHub API–using action. It therefore doesn’t need any permissions at all. The safest least‑privilege fix, without changing functionality, is to add permissions: {} to that job so that the GITHUB_TOKEN has no associated scopes there. This change should be placed under the job’s other top-level keys (e.g., after if: or needs:), following YAML structure. No imports or additional definitions are needed, as this is a YAML configuration change only.
| @@ -72,6 +72,7 @@ | ||
| runs-on: ubuntu-latest | ||
| needs: check-renv | ||
| if: needs.check-renv.outputs.renv-cache-available == 'true' | ||
| permissions: {} | ||
| steps: | ||
| - name: "renv cache available" | ||
| run: echo "renv cache available for this lesson" |
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }} | ||
| workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }} | ||
| wb-vers: ${{ steps.wb-vers.outputs.container-version }} | ||
| last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }} | ||
| workbench-update: ${{ steps.wb-vers.outputs.workbench-update }} | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Should we run build and deploy?" | ||
| id: build-check | ||
| uses: carpentries/actions/build-preflight@main | ||
|
|
||
| - name: "Checkout Lesson" | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: "Get container version info" | ||
| id: wb-vers | ||
| if: steps.build-check.outputs.do-build == 'true' | ||
| uses: carpentries/actions/container-version@main | ||
| with: | ||
| WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| full-build: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 11 days ago
To fix the problem, explicitly declare least‑privilege permissions for the preflight job so it no longer relies on repository/organization defaults. This documents what the job needs and prevents accidental elevation if defaults change or the workflow is copied elsewhere.
The single best fix with minimal functional change is:
- Add a
permissionsblock underjobs.preflightthat grants only read access to repository contents, which is sufficient for typical preflight/check/checkout operations:contents: read
- Do not alter the existing permissions of other jobs (
full-build,update-container-version), as those are already explicitly defined and may require writes.
Concretely:
- In
.github/workflows/docker_build_deploy.yaml, under thepreflightjob (lines 44–57 region), insert:
permissions:
contents: readbetween runs-on: ubuntu-latest and outputs:. No new imports or external dependencies are needed; this is pure workflow configuration.
| @@ -44,6 +44,8 @@ | ||
| preflight: | ||
| name: "Preflight: Schedule, Push, or PR?" | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| outputs: | ||
| do-build: ${{ steps.build-check.outputs.do-build }} | ||
| renv-needed: ${{ steps.build-check.outputs.renv-needed }} |
| @@ -33,48 +52,42 @@ jobs: | |||
| echo "ok=false" >> $GITHUB_OUTPUT | |||
| echo "Not Running Today" | |||
| fi | |||
| shell: bash | |||
|
|
|||
| check_renv: | |||
| name: "Check if We Need {renv}" | |||
| runs-on: ubuntu-22.04 | |||
| check-renv: | |||
| name: "Check If We Need {renv}" | |||
| runs-on: ubuntu-latest | |||
| needs: preflight | |||
| if: ${{ needs.preflight.outputs.ok == 'true'}} | |||
| if: ${{ needs.preflight.outputs.ok == 'true' }} | |||
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, the fix is to explicitly declare a permissions block for jobs that currently rely on default GITHUB_TOKEN permissions, restricting them to the minimum needed (or to none if the job does not require the token). This documents the intent and prevents the job from accidentally gaining broader privileges if repo defaults change.
For this workflow, the preflight job only runs a bash script and does not need to access repository contents or any GitHub APIs. The safest, least-privilege option is to add permissions: {} to that job, which disables the GITHUB_TOKEN for it. This leaves the existing update_cache job’s explicit permissions unchanged. Concretely, in .github/workflows/update-cache.yaml, under jobs: preflight:, insert a permissions: {} line just after runs-on: ubuntu-latest (around line 36). No other imports or definitions are needed.
| @@ -34,6 +34,7 @@ | ||
| preflight: | ||
| name: "Preflight: Manual or Scheduled Trigger?" | ||
| runs-on: ubuntu-latest | ||
| permissions: {} | ||
| outputs: | ||
| ok: ${{ steps.check.outputs.ok }} | ||
| steps: |
epiverse-trace-bot
force-pushed
the
update/workflows
branch
from
5de5983 to
e879476
Compare
epiverse-trace-bot
changed the title
epiverse-trace-bot
changed the title
epiverse-trace-bot
force-pushed
the
update/workflows
branch
from
e879476 to
fb34157
Compare
| name: "Record Caching Status" | ||
| runs-on: ubuntu-latest | ||
| needs: [check-renv, update-renv-cache] | ||
| if: always() | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| steps: | ||
| - name: "Record cache result" | ||
|
|
||
| run: | | ||
| echo "${{ needs.update-renv-cache.result == 'success' || needs.check-renv.outputs.renv-cache-available == 'true' || 'false' }}" > ${{ github.workspace }}/apply-cache-result | ||
| shell: bash | ||
|
|
||
| - name: "Upload cache result" | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: apply-cache-result | ||
| path: ${{ github.workspace }}/apply-cache-result |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, the fix is to add an explicit permissions block that restricts the GITHUB_TOKEN to the least privileges required. This can be added at the root of the workflow (applying to all jobs that don’t override it) or per job. Since the CodeQL finding is on the record-cache-result job, and based on the visible behavior that job only uploads an artifact and does not require repository write access, the best fix is to add permissions: contents: read to that job (or an equivalent minimal set such as permissions: {} if absolutely nothing is required, though actions/upload-artifact typically assumes basic repo read context).
Concretely, in .github/workflows/docker_apply_cache.yaml, under jobs: record-cache-result:, add a permissions: block before runs-on:. This will ensure that for this job the GITHUB_TOKEN has only read access to repository contents, which is sufficient for common marketplace actions that only need to identify the repo and workflow run, and avoids unintended write capabilities. No additional imports or methods are needed; it is purely a YAML configuration change.
| @@ -210,6 +210,8 @@ | ||
|
|
||
| record-cache-result: | ||
| name: "Record Caching Status" | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| needs: [check-renv, update-renv-cache] | ||
| if: always() |
epiverse-trace-bot
force-pushed
the
update/workflows
branch
2 times, most recently
from
2a230be to
f4b14c0
Compare
epiverse-trace-bot
force-pushed
the
update/workflows
branch
from
f4b14c0 to
7b1daef
Compare
epiverse-trace-bot
changed the title
2 participants
🤖 This is an automated build
Update Workflows from sandpaper version 0.16.12 -> 1.0.0