[actions] update sandpaper workflow to version 0.16.9

Author: zkamvar

.github/workflows/README.md

@@ -2,7 +2,7 @@
 
 This directory contains workflows to be used for Lessons using the {sandpaper}
 lesson infrastructure. Two of these workflows require R (`sandpaper-main.yaml`
-and `pr-recieve.yaml`) and the rest are bots to handle pull request management.
+and `pr-receive.yaml`) and the rest are bots to handle pull request management.
 
 These workflows will likely change as {sandpaper} evolves, so it is important to
 keep them up-to-date. To do this in your lesson you can do the following in your
@@ -94,9 +94,9 @@ branch called `update/workflows` and a pull request is created. Maintainers are
 encouraged to review the changes and accept the pull request if the outputs
 are okay.
 
-This update is run ~~weekly or~~ on demand.
+This update is run weekly or on demand.
 
-### 03 Maintain: Update Pacakge Cache (update-cache.yaml)
+### 03 Maintain: Update Package Cache (update-cache.yaml)
 
 For lessons that have generated content, we use {renv} to ensure that the output
 is stable. This is controlled by a single lockfile which documents the packages
@@ -140,7 +140,7 @@ Once the checks are finished, a comment is issued to the pull request, which
 will allow maintainers to determine if it is safe to run the 
 "Receive Pull Request" workflow from new contributors.
 
-### Recieve Pull Request (pr-recieve.yaml)
+### Receive Pull Request (pr-receive.yaml)
 
 **Note of caution:** This workflow runs arbitrary code by anyone who creates a
 pull request. GitHub has safeguarded the token used in this workflow to have no
@@ -171,7 +171,7 @@ The artifacts produced are used by the next workflow.
 
 ### Comment on Pull Request (pr-comment.yaml)
 
-This workflow is triggered if the `pr-recieve.yaml` workflow is successful.
+This workflow is triggered if the `pr-receive.yaml` workflow is successful.
 The steps in this workflow are:
 
 1. Test if the workflow is valid and comment the validity of the workflow to the

.github/workflows/pr-close-signal.yaml

@@ -8,16 +8,15 @@ on:
 jobs:
   send-close-signal:
     name: "Send closing signal"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: ${{ github.event.action == 'closed' }}
     steps:
       - name: "Create PRtifact"
         run: |
           mkdir -p ./pr
           printf ${{ github.event.number }} > ./pr/NUM
       - name: Upload Diff
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
-          name: pr 
+          name: pr
           path: ./pr
-

.github/workflows/pr-comment.yaml

@@ -20,9 +20,9 @@ jobs:
   #  - no .github files were committed
   test-pr:
     name: "Test if pull request is valid"
-    runs-on: ubuntu-latest
-    if: > 
-      github.event.workflow_run.event == 'pull_request' && 
+    runs-on: ubuntu-22.04
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'success'
     outputs:
       is_valid: ${{ steps.check-pr.outputs.VALID }}
@@ -74,13 +74,15 @@ jobs:
   create-branch:
     name: "Create Git Branch"
     needs: test-pr
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
     env:
       NR: ${{ needs.test-pr.outputs.number }}
+    permissions:
+      contents: write
     steps:
       - name: 'Checkout md outputs'
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: md-outputs
           path: built
@@ -104,9 +106,9 @@ jobs:
           git config --local user.name "GitHub Actions"
           CURR_HEAD=$(git rev-parse HEAD)
           git checkout --orphan md-outputs-PR-${NR}
-          git add -A 
+          git add -A
           git commit -m "source commit: ${CURR_HEAD}"
-          ls -A | grep -v '^.git$' | xargs rm -r
+          ls -A | grep -v '^.git$' | xargs -I _ rm -r '_'
           cd ..
           unzip -o -d built built.zip
           cd built
@@ -118,18 +120,20 @@ jobs:
   comment-pr:
     name: "Comment on Pull Request"
     needs: [test-pr, create-branch]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
     env:
       NR: ${{ needs.test-pr.outputs.number }}
+    permissions:
+      pull-requests: write
     steps:
       - name: 'Download comment artifact'
         id: dl
         uses: carpentries/actions/download-workflow-artifact@main
         with:
           run: ${{ github.event.workflow_run.id }}
           name: 'diff'
-          
+
       - if: ${{ steps.dl.outputs.success == 'true' }}
         run: unzip ${{ github.workspace }}/diff.zip
 
@@ -138,19 +142,21 @@ jobs:
         if: ${{ steps.dl.outputs.success == 'true' }}
         uses: carpentries/actions/comment-diff@main
         with:
-          pr: ${{ env.NR }} 
+          pr: ${{ env.NR }}
           path: ${{ github.workspace }}/diff.md
 
   # Comment if the PR is open and matches the SHA, but the workflow files have
   # changed
   comment-changed-workflow:
     name: "Comment if workflow files have changed"
     needs: test-pr
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: ${{ always() && needs.test-pr.outputs.is_valid == 'false' }}
     env:
       NR: ${{ github.event.workflow_run.pull_requests[0].number }}
       body: ${{ needs.test-pr.outputs.msg }}
+    permissions:
+      pull-requests: write
     steps:
       - name: 'Check for spoofing'
         id: dl
@@ -176,4 +182,3 @@ jobs:
         with:
           pr: ${{ env.NR }}
           body: ${{ env.body }}
-

.github/workflows/pr-post-remove-branch.yaml

@@ -9,10 +9,12 @@ on:
 jobs:
   delete:
     name: "Delete branch from Pull Request"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: >
       github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'success'
+    permissions:
+      contents: write
     steps:
       - name: 'Download artifact'
         uses: carpentries/actions/download-workflow-artifact@main

.github/workflows/pr-preflight.yaml

@@ -11,9 +11,11 @@ jobs:
   test-pr:
     name: "Test if pull request is valid"
     if: ${{ github.event.action != 'closed' }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       is_valid: ${{ steps.check-pr.outputs.VALID }}
+    permissions:
+      pull-requests: write
     steps:
       - name: "Get Invalid Hashes File"
         id: hash

.github/workflows/pr-receive.yaml

@@ -13,7 +13,7 @@ jobs:
   test-pr:
     name: "Record PR number"
     if: ${{ github.event.action != 'closed' }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       is_valid: ${{ steps.check-pr.outputs.VALID }}
     steps:
@@ -25,7 +25,7 @@ jobs:
       - name: "Upload PR number"
         id: upload
         if: ${{ always() }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: pr
           path: ${{ github.workspace }}/NR
@@ -48,7 +48,7 @@ jobs:
   build-md-source:
     name: "Build markdown source files if valid"
     needs: test-pr
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
     env:
       GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
@@ -58,10 +58,10 @@ jobs:
       MD: ${{ github.workspace }}/site/built
     steps:
       - name: "Check Out Main Branch"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: "Check Out Staging Branch"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: md-outputs
           path: ${{ env.MD }}
@@ -107,20 +107,21 @@ jobs:
         shell: Rscript {0}
 
       - name: "Upload PR"
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: pr
           path: ${{ env.PR }}
+          overwrite: true
 
       - name: "Upload Diff"
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: diff
           path: ${{ env.CHIVE }}
           retention-days: 1
-      
+
       - name: "Upload Build"
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: built
           path: ${{ env.MD }}

.github/workflows/sandpaper-main.yaml

@@ -21,7 +21,10 @@ on:
 jobs:
   full-build:
     name: "Build Full Site"
-    runs-on: ubuntu-latest
+
+    # 2024-10-01: ubuntu-latest is now 24.04 and R is not installed by default in the runner image
+    # pin to 22.04 for now
+    runs-on: ubuntu-22.04
     permissions:
       checks: write
       contents: write
@@ -32,7 +35,7 @@ jobs:
     steps:
 
       - name: "Checkout Lesson"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: "Set up R"
         uses: r-lib/actions/setup-r@v2

.github/workflows/sandpaper-version.txt

@@ -1 +1 @@
-0.11.4
+0.16.9

.github/workflows/update-cache.yaml

@@ -14,7 +14,7 @@ on:
 jobs:
   preflight:
     name: "Preflight Check"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       ok: ${{ steps.check.outputs.ok }}
     steps:
@@ -36,14 +36,14 @@ jobs:
 
   check_renv:
     name: "Check if We Need {renv}"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: preflight
     if: ${{ needs.preflight.outputs.ok == 'true'}}
     outputs:
       needed: ${{ steps.renv.outputs.exists }}
     steps:
       - name: "Checkout Lesson"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - id: renv
         run: |
           if [[ -d renv ]]; then
@@ -52,7 +52,7 @@ jobs:
 
   check_token:
     name: "Check SANDPAPER_WORKFLOW token"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: check_renv
     if: ${{ needs.check_renv.outputs.needed == 'true' }}
     outputs:
@@ -69,14 +69,14 @@ jobs:
     name: "Update Package Cache"
     needs: check_token
     if: ${{ needs.check_token.outputs.repo== 'true' }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     env:
       GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
       RENV_PATHS_ROOT: ~/.local/share/renv/
     steps:
 
       - name: "Checkout Lesson"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: "Set up R"
         uses: r-lib/actions/setup-r@v2
@@ -93,7 +93,7 @@ jobs:
       - name: Create Pull Request
         id: cpr
         if: ${{ steps.update.outputs.n > 0 }}
-        uses: peter-evans/create-pull-request@v4.2.0
+        uses: carpentries/create-pull-request@main
         with:
           token: ${{ secrets.SANDPAPER_WORKFLOW }}
           delete-branch: true
@@ -119,7 +119,7 @@ jobs:
             ```
 
             - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }}
-            
-            [1]: https://github.com/peter-evans/create-pull-request
+
+            [1]: https://github.com/carpentries/create-pull-request/tree/main
           labels: "type: package cache"
           draft: false

.github/workflows/update-workflows.yaml

@@ -18,7 +18,7 @@ on:
 jobs:
   check_token:
     name: "Check SANDPAPER_WORKFLOW token"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       workflow: ${{ steps.validate.outputs.wf }}
       repo: ${{ steps.validate.outputs.repo }}
@@ -31,23 +31,23 @@ jobs:
 
   update_workflow:
     name: "Update Workflow"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: check_token
     if: ${{ needs.check_token.outputs.workflow == 'true' }}
     steps:
       - name: "Checkout Repository"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Update Workflows
         id: update
         uses: carpentries/actions/update-workflows@main
         with:
           clean: ${{ github.event.inputs.clean }}
-      
+
       - name: Create Pull Request
         id: cpr
         if: "${{ steps.update.outputs.new }}"
-        uses: peter-evans/create-pull-request@v4.2.0
+        uses: carpentries/create-pull-request@main
         with:
           token: ${{ secrets.SANDPAPER_WORKFLOW }}
           delete-branch: true
@@ -60,7 +60,7 @@ jobs:
             Update Workflows from sandpaper version ${{ steps.update.outputs.old }} -> ${{ steps.update.outputs.new }}
 
             - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }}
-            
-            [1]: https://github.com/peter-evans/create-pull-request
+
+            [1]: https://github.com/carpentries/create-pull-request/tree/main
           labels: "type: template and tools"
           draft: false