diff --git a/.github/workflows/README.md b/.github/workflows/README.md index 101967e4..7076ddd9 100755 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md @@ -2,7 +2,7 @@ This directory contains workflows to be used for Lessons using the {sandpaper} lesson infrastructure. Two of these workflows require R (`sandpaper-main.yaml` -and `pr-recieve.yaml`) and the rest are bots to handle pull request management. +and `pr-receive.yaml`) and the rest are bots to handle pull request management. These workflows will likely change as {sandpaper} evolves, so it is important to keep them up-to-date. To do this in your lesson you can do the following in your @@ -94,9 +94,9 @@ branch called `update/workflows` and a pull request is created. Maintainers are encouraged to review the changes and accept the pull request if the outputs are okay. -This update is run ~~weekly or~~ on demand. +This update is run weekly or on demand. -### 03 Maintain: Update Pacakge Cache (update-cache.yaml) +### 03 Maintain: Update Package Cache (update-cache.yaml) For lessons that have generated content, we use {renv} to ensure that the output is stable. This is controlled by a single lockfile which documents the packages @@ -140,7 +140,7 @@ Once the checks are finished, a comment is issued to the pull request, which will allow maintainers to determine if it is safe to run the "Receive Pull Request" workflow from new contributors. -### Recieve Pull Request (pr-recieve.yaml) +### Receive Pull Request (pr-receive.yaml) **Note of caution:** This workflow runs arbitrary code by anyone who creates a pull request. GitHub has safeguarded the token used in this workflow to have no 
@@ -171,7 +171,7 @@ The artifacts produced are used by the next workflow. ### Comment on Pull Request (pr-comment.yaml) -This workflow is triggered if the `pr-recieve.yaml` workflow is successful. +This workflow is triggered if the `pr-receive.yaml` workflow is successful. The steps in this workflow are: 1. Test if the workflow is valid and comment the validity of the workflow to the diff --git a/.github/workflows/pr-close-signal.yaml b/.github/workflows/pr-close-signal.yaml index 9c5a603e..b1303c26 100755 --- a/.github/workflows/pr-close-signal.yaml +++ b/.github/workflows/pr-close-signal.yaml @@ -8,7 +8,7 @@ on: jobs: send-close-signal: name: "Send closing signal" - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: ${{ github.event.action == 'closed' }} steps: - name: "Create PRtifact" @@ -16,8 +16,7 @@ jobs: mkdir -p ./pr printf ${{ github.event.number }} > ./pr/NUM - name: Upload Diff - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: - name: pr + name: pr path: ./pr - diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/pr-comment.yaml index 3a2bbac6..f80d9d0c 100755 --- a/.github/workflows/pr-comment.yaml +++ b/.github/workflows/pr-comment.yaml @@ -20,9 +20,9 @@ jobs: # - no .github files were committed test-pr: name: "Test if pull request is valid" - runs-on: ubuntu-latest - if: > - github.event.workflow_run.event == 'pull_request' && + runs-on: ubuntu-22.04 + if: > + github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' outputs: is_valid: ${{ steps.check-pr.outputs.VALID }} @@ -74,13 +74,15 @@ jobs: create-branch: name: "Create Git Branch" needs: test-pr - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: ${{ needs.test-pr.outputs.is_valid == 'true' }} env: NR: ${{ needs.test-pr.outputs.number }} + permissions: + contents: write steps: - name: 'Checkout md outputs' - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: md-outputs path: built 
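Review bot: In the create-branch job of pr-comment.yaml, the newly granted `contents: write` token is persisted in the `built` checkout's git configuration by `actions/checkout@v4` (its `persist-credentials` input defaults to true), and the next hunk shows the same job running `unzip -o -d built built.zip` into that directory. If built.zip is the build artifact from the pull-request run, as the README's description of pr-receive.yaml suggests, its entries are contributor-controlled and should not be able to replace anything under `.git`. Excluding that path at extraction, `unzip -o -d built built.zip -x '.git/*'`, keeps the repository metadata and the stored credential outside what the archive can write. The job's steps continue outside this hunk, so an existing validation step may already cover this; if so, a comment saying where would help.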
@@ -104,9 +106,9 @@ jobs: git config --local user.name "GitHub Actions" CURR_HEAD=$(git rev-parse HEAD) git checkout --orphan md-outputs-PR-${NR} - git add -A + git add -A git commit -m "source commit: ${CURR_HEAD}" - ls -A | grep -v '^.git$' | xargs rm -r + ls -A | grep -v '^.git$' | xargs -I _ rm -r '_' cd .. unzip -o -d built built.zip cd built @@ -118,10 +120,12 @@ jobs: comment-pr: name: "Comment on Pull Request" needs: [test-pr, create-branch] - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: ${{ needs.test-pr.outputs.is_valid == 'true' }} env: NR: ${{ needs.test-pr.outputs.number }} + permissions: + pull-requests: write steps: - name: 'Download comment artifact' id: dl @@ -129,7 +133,7 @@ jobs: with: run: ${{ github.event.workflow_run.id }} name: 'diff' - + - if: ${{ steps.dl.outputs.success == 'true' }} run: unzip ${{ github.workspace }}/diff.zip @@ -138,7 +142,7 @@ jobs: if: ${{ steps.dl.outputs.success == 'true' }} uses: carpentries/actions/comment-diff@main with: - pr: ${{ env.NR }} + pr: ${{ env.NR }} path: ${{ github.workspace }}/diff.md # Comment if the PR is open and matches the SHA, but the workflow files have @@ -146,11 +150,13 @@ jobs: comment-changed-workflow: name: "Comment if workflow files have changed" needs: test-pr - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: ${{ always() && needs.test-pr.outputs.is_valid == 'false' }} env: NR: ${{ github.event.workflow_run.pull_requests[0].number }} body: ${{ needs.test-pr.outputs.msg }} + permissions: + pull-requests: write steps: - name: 'Check for spoofing' id: dl @@ -176,4 +182,3 @@ jobs: with: pr: ${{ env.NR }} body: ${{ env.body }} - diff --git a/.github/workflows/pr-post-remove-branch.yaml b/.github/workflows/pr-post-remove-branch.yaml index 338230f8..9419e2be 100755 --- a/.github/workflows/pr-post-remove-branch.yaml +++ b/.github/workflows/pr-post-remove-branch.yaml 
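Review bot: The rewritten cleanup line `ls -A | grep -v '^.git$' | xargs -I _ rm -r '_'` still mishandles some names: the unescaped `.` in the pattern also spares entries such as `agit`, a name beginning with `-` is read by `rm` as an option, and xargs keeps interpreting quotes and backslashes in its input. `find . -mindepth 1 -maxdepth 1 ! -name .git -exec rm -r -- {} +` removes everything except `.git` without parsing the names at all. The `run:` script starts and ends outside this hunk.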
@@ -9,10 +9,12 @@ on: jobs: delete: name: "Delete branch from Pull Request" - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: > github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' + permissions: + contents: write steps: - name: 'Download artifact' uses: carpentries/actions/download-workflow-artifact@main diff --git a/.github/workflows/pr-preflight.yaml b/.github/workflows/pr-preflight.yaml index 496abcd1..34ad7aed 100755 --- a/.github/workflows/pr-preflight.yaml +++ b/.github/workflows/pr-preflight.yaml @@ -11,9 +11,11 @@ jobs: test-pr: name: "Test if pull request is valid" if: ${{ github.event.action != 'closed' }} - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 outputs: is_valid: ${{ steps.check-pr.outputs.VALID }} + permissions: + pull-requests: write steps: - name: "Get Invalid Hashes File" id: hash diff --git a/.github/workflows/pr-receive.yaml b/.github/workflows/pr-receive.yaml index 04942042..7fbff6cd 100755 --- a/.github/workflows/pr-receive.yaml +++ b/.github/workflows/pr-receive.yaml @@ -13,7 +13,7 @@ jobs: test-pr: name: "Record PR number" if: ${{ github.event.action != 'closed' }} - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 outputs: is_valid: ${{ steps.check-pr.outputs.VALID }} steps: @@ -25,7 +25,7 @@ jobs: - name: "Upload PR number" id: upload if: ${{ always() }} - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: name: pr path: ${{ github.workspace }}/NR @@ -48,7 +48,7 @@ jobs: build-md-source: name: "Build markdown source files if valid" needs: test-pr - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 if: ${{ needs.test-pr.outputs.is_valid == 'true' }} env: GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }} 
@@ -58,10 +58,10 @@ jobs: MD: ${{ github.workspace }}/site/built steps: - name: "Check Out Main Branch" - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: "Check Out Staging Branch" - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: md-outputs path: ${{ env.MD }} @@ -107,20 +107,21 @@ jobs: shell: Rscript {0} - name: "Upload PR" - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: name: pr path: ${{ env.PR }} + overwrite: true - name: "Upload Diff" - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: name: diff path: ${{ env.CHIVE }} retention-days: 1 - + - name: "Upload Build" - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: name: built path: ${{ env.MD }} diff --git a/.github/workflows/sandpaper-main.yaml b/.github/workflows/sandpaper-main.yaml index e17707ac..b3d1de8c 100755 --- a/.github/workflows/sandpaper-main.yaml +++ b/.github/workflows/sandpaper-main.yaml @@ -21,7 +21,10 @@ on: jobs: full-build: name: "Build Full Site" - runs-on: ubuntu-latest + + # 2024-10-01: ubuntu-latest is now 24.04 and R is not installed by default in the runner image + # pin to 22.04 for now + runs-on: ubuntu-22.04 permissions: checks: write contents: write @@ -32,7 +35,7 @@ jobs: steps: - name: "Checkout Lesson" - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: "Set up R" uses: r-lib/actions/setup-r@v2 diff --git a/.github/workflows/sandpaper-version.txt b/.github/workflows/sandpaper-version.txt index 35ad3442..ce62dc55 100644 --- a/.github/workflows/sandpaper-version.txt +++ b/.github/workflows/sandpaper-version.txt @@ -1 +1 @@ -0.11.4 +0.16.9 diff --git a/.github/workflows/update-cache.yaml b/.github/workflows/update-cache.yaml index 69eb2c6d..a011c0c0 100755 --- a/.github/workflows/update-cache.yaml +++ b/.github/workflows/update-cache.yaml 
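Review bot: The `overwrite: true` added to the "Upload PR" step in pr-receive.yaml has no comment explaining why only this upload needs it. The reason appears to be that the test-pr job (hunk at line 25) already uploads an artifact named `pr` in the same run, and upload-artifact v4 rejects a second upload under an existing name; a comment such as `# test-pr already uploaded "pr" in this run; v4 artifacts are immutable, so replace it explicitly` would record that. It is also worth stating there that the replacement is written by build-md-source, the job that builds pull-request content, so anything downstream that reads a PR number from this artifact should compare it with the `workflow_run` event rather than trust the file. The step list of build-md-source starts outside this hunk.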
@@ -14,7 +14,7 @@ on: jobs: preflight: name: "Preflight Check" - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 outputs: ok: ${{ steps.check.outputs.ok }} steps: @@ -36,14 +36,14 @@ jobs: check_renv: name: "Check if We Need {renv}" - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: preflight if: ${{ needs.preflight.outputs.ok == 'true'}} outputs: needed: ${{ steps.renv.outputs.exists }} steps: - name: "Checkout Lesson" - uses: actions/checkout@v3 + uses: actions/checkout@v4 - id: renv run: | if [[ -d renv ]]; then @@ -52,7 +52,7 @@ jobs: check_token: name: "Check SANDPAPER_WORKFLOW token" - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: check_renv if: ${{ needs.check_renv.outputs.needed == 'true' }} outputs: @@ -69,14 +69,14 @@ jobs: name: "Update Package Cache" needs: check_token if: ${{ needs.check_token.outputs.repo== 'true' }} - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 env: GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }} RENV_PATHS_ROOT: ~/.local/share/renv/ steps: - name: "Checkout Lesson" - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: "Set up R" uses: r-lib/actions/setup-r@v2 @@ -93,7 +93,7 @@ jobs: - name: Create Pull Request id: cpr if: ${{ steps.update.outputs.n > 0 }} - uses: peter-evans/create-pull-request@v4.2.0 + uses: carpentries/create-pull-request@main with: token: ${{ secrets.SANDPAPER_WORKFLOW }} delete-branch: true @@ -119,7 +119,7 @@ jobs: ``` - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }} - - [1]: https://github.com/peter-evans/create-pull-request + + [1]: https://github.com/carpentries/create-pull-request/tree/main labels: "type: package cache" draft: false diff --git a/.github/workflows/update-workflows.yaml b/.github/workflows/update-workflows.yaml index 8f2a4b10..6414cf28 100755 --- a/.github/workflows/update-workflows.yaml +++ b/.github/workflows/update-workflows.yaml 
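Review bot: In update-cache.yaml the "Create Pull Request" step now uses `carpentries/create-pull-request@main`, a mutable branch ref, and passes it `token: ${{ secrets.SANDPAPER_WORKFLOW }}`; the line it replaces was at least pinned to the tag `v4.2.0`. Any later commit on that fork's main branch will run with that token on the next run without a change in this repository. Pinning to a full commit SHA with the version kept in a trailing comment, `uses: carpentries/create-pull-request@<full-commit-sha>  # <release tag>`, makes each action update a reviewable diff. The same change is made in the `@@ -31,23 +31,23 @@` hunk of update-workflows.yaml and needs the same pin.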
@@ -18,7 +18,7 @@ on: jobs: check_token: name: "Check SANDPAPER_WORKFLOW token" - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 outputs: workflow: ${{ steps.validate.outputs.wf }} repo: ${{ steps.validate.outputs.repo }} @@ -31,23 +31,23 @@ jobs: update_workflow: name: "Update Workflow" - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 needs: check_token if: ${{ needs.check_token.outputs.workflow == 'true' }} steps: - name: "Checkout Repository" - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Update Workflows id: update uses: carpentries/actions/update-workflows@main with: clean: ${{ github.event.inputs.clean }} - + - name: Create Pull Request id: cpr if: "${{ steps.update.outputs.new }}" - uses: peter-evans/create-pull-request@v4.2.0 + uses: carpentries/create-pull-request@main with: token: ${{ secrets.SANDPAPER_WORKFLOW }} delete-branch: true @@ -60,7 +60,7 @@ jobs: Update Workflows from sandpaper version ${{ steps.update.outputs.old }} -> ${{ steps.update.outputs.new }} - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }} - - [1]: https://github.com/peter-evans/create-pull-request + + [1]: https://github.com/carpentries/create-pull-request/tree/main labels: "type: template and tools" draft: false