diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index 77d624a..d6edf88 100755
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -96,7 +96,7 @@ are okay. This update is run ~~weekly or~~ on demand.
-### 03 Maintain: Update Pacakge Cache (update-cache.yaml)
+### 03 Maintain: Update Package Cache (update-cache.yaml)
 For lessons that have generated content, we use {renv} to ensure that the output is stable. This is controlled by a single lockfile which documents the packages
@@ -147,6 +147,11 @@ pull request. GitHub has safeguarded the token used in this workflow to have no priviledges in the repository, but we have taken precautions to protect against spoofing.
+This workflow is triggered with every push to a pull request. If this workflow
+is already running and a new push is sent to the pull request, the workflow
+running from the previous push will be cancelled and a new workflow run will be
+started.
+
 The first step of this workflow is to check if it is valid (e.g. that no workflow files have been modified). If there are workflow files that have been modified, a comment is made that indicates that the workflow is not run. If
@@ -160,7 +165,7 @@ request. This builds the content and uploads three artifacts: 3. The rendered files (build) Because this workflow builds generated content, it follows the same general
-process as the sandpaper-main workflow with the same caching mechanisms.
+process as the `sandpaper-main` workflow with the same caching mechanisms.
 The artifacts produced are used by the next workflow.
@@ -176,7 +181,7 @@ The steps in this workflow are: 3. If it is valid: update the pull request comment with the summary of changes Importantly: if the pull request is invalid, the branch is not created so any
-malicious code is not published.
+malicious code is not published.
 From here, the maintainer can request changes from the author and eventually either merge or reject the PR. When this happens, if the PR was valid, the
diff --git a/.github/workflows/pr-close-signal.yaml b/.github/workflows/pr-close-signal.yaml
index 9c5a603..9b129d5 100755
--- a/.github/workflows/pr-close-signal.yaml
+++ b/.github/workflows/pr-close-signal.yaml
@@ -16,8 +16,8 @@ jobs:
 mkdir -p ./pr
 printf ${{ github.event.number }} > ./pr/NUM
 - name: Upload Diff
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
 with:
- name: pr
+ name: pr
 path: ./pr
diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/pr-comment.yaml
index e5d542e..bb2eb03 100755
--- a/.github/workflows/pr-comment.yaml
+++ b/.github/workflows/pr-comment.yaml
@@ -8,6 +8,11 @@ on:
 types:
 - completed
+concurrency:
+ group: pr-${{ github.event.workflow_run.pull_requests[0].number }}
+ cancel-in-progress: true
+
+
 jobs:
 # Pull requests are valid if:
 # - they match the sha of the workflow run head commit
@@ -16,8 +21,8 @@ jobs:
 test-pr:
 name: "Test if pull request is valid"
 runs-on: ubuntu-latest
- if: >
- github.event.workflow_run.event == 'pull_request' &&
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
 github.event.workflow_run.conclusion == 'success'
 outputs:
 is_valid: ${{ steps.check-pr.outputs.VALID }}
@@ -58,6 +63,7 @@ jobs:
 with:
 pr: ${{ steps.get-pr.outputs.NUM }}
 sha: ${{ github.event.workflow_run.head_sha }}
+ headroom: 3 # if it's within the last three commits, we can keep going, because it's likely rapid-fire
 invalid: ${{ fromJSON(steps.hash.outputs.json)[github.repository] }}
 fail_on_error: true
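Review bot: The concurrency group `pr-${{ github.event.workflow_run.pull_requests[0].number }}` degenerates to the bare string `pr-` whenever the `workflow_run` payload carries no `pull_requests` entry (which can happen for pull requests from forks, and is presumably why the `@@ -58,6 +63,7 @@` hunk reads the PR number from an artifact via `steps.get-pr.outputs.NUM` instead); in that case all such runs share one group and `cancel-in-progress: true` cancels unrelated pull requests' runs against each other. Consider keying the group on fields that are always present for this event, e.g. `group: pr-comment-${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}`, and add a comment above the block noting that cancellation can stop a run after the orphan branch is pushed but before the PR comment is posted. The two empty `+` lines after `cancel-in-progress` also leave two consecutive blank lines where the rest of the file uses one.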
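Review bot: The new `headroom: 3` input relaxes the head-SHA comparison that the README describes as the spoofing safeguard (per the inline comment, a head SHA up to three commits back is now accepted), yet its only documentation is a trailing comment that runs far past 80 columns. Move the explanation onto its own line above the key, `# Accept a head SHA up to 3 commits behind HEAD: rapid-fire pushes to one PR are expected`, and state the tolerated window in the README's spoofing paragraph, which this diff leaves unchanged. The step's `uses:` line sits above the hunk, so the action that consumes this input is not visible here.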
@@ -72,6 +78,8 @@ jobs:
 if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
 env:
 NR: ${{ needs.test-pr.outputs.number }}
+ permissions:
+ contents: write
 steps:
 - name: 'Checkout md outputs'
 uses: actions/checkout@v3
@@ -98,9 +106,9 @@ jobs:
 git config --local user.name "GitHub Actions"
 CURR_HEAD=$(git rev-parse HEAD)
 git checkout --orphan md-outputs-PR-${NR}
- git add -A
+ git add -A
 git commit -m "source commit: ${CURR_HEAD}"
- ls -A | grep -v '^.git$' | xargs rm -r
+ ls -A | grep -v '^.git$' | xargs -I _ rm -r '_'
 cd ..
 unzip -o -d built built.zip
 cd built
@@ -116,6 +124,8 @@ jobs:
 if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
 env:
 NR: ${{ needs.test-pr.outputs.number }}
+ permissions:
+ pull-requests: write
 steps:
 - name: 'Download comment artifact'
 id: dl
@@ -123,7 +133,7 @@ jobs:
 with:
 run: ${{ github.event.workflow_run.id }}
 name: 'diff'
-
+
 - if: ${{ steps.dl.outputs.success == 'true' }}
 run: unzip ${{ github.workspace }}/diff.zip
@@ -132,7 +142,7 @@ jobs:
 if: ${{ steps.dl.outputs.success == 'true' }}
 uses: carpentries/actions/comment-diff@main
 with:
- pr: ${{ env.NR }}
+ pr: ${{ env.NR }}
 path: ${{ github.workspace }}/diff.md
 # Comment if the PR is open and matches the SHA, but the workflow files have
@@ -145,6 +155,8 @@ jobs:
 env:
 NR: ${{ github.event.workflow_run.pull_requests[0].number }}
 body: ${{ needs.test-pr.outputs.msg }}
+ permissions:
+ pull-requests: write
 steps:
 - name: 'Check for spoofing'
 id: dl
diff --git a/.github/workflows/pr-post-remove-branch.yaml b/.github/workflows/pr-post-remove-branch.yaml
index 338230f..62c2e98 100755
--- a/.github/workflows/pr-post-remove-branch.yaml
+++ b/.github/workflows/pr-post-remove-branch.yaml
@@ -13,6 +13,8 @@ jobs:
 if: >
 github.event.workflow_run.event == 'pull_request' &&
 github.event.workflow_run.conclusion == 'success'
+ permissions:
+ contents: write
 steps:
 - name: 'Download artifact'
 uses: carpentries/actions/download-workflow-artifact@main
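Review bot: `ls -A | grep -v '^.git$' | xargs -I _ rm -r '_'` fixes names with spaces but still forks one `rm` per entry, breaks on a name containing a newline, passes a name beginning with `-` to `rm` as an option, and the unescaped `.` in `'^.git$'` also skips any name like `agit`. One `find` invocation handles all of that: `find . -mindepth 1 -maxdepth 1 ! -name .git -exec rm -r -- {} +`. The enclosing `run: |` script starts and ends outside the hunk, so the shell options in force (e.g. `set -e`) are not visible here.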
diff --git a/.github/workflows/pr-preflight.yaml b/.github/workflows/pr-preflight.yaml
index 496abcd..d0d7420 100755
--- a/.github/workflows/pr-preflight.yaml
+++ b/.github/workflows/pr-preflight.yaml
@@ -14,6 +14,8 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 is_valid: ${{ steps.check-pr.outputs.VALID }}
+ permissions:
+ pull-requests: write
 steps:
 - name: "Get Invalid Hashes File"
 id: hash
diff --git a/.github/workflows/pr-receive.yaml b/.github/workflows/pr-receive.yaml
index aad7ecb..371ef54 100755
--- a/.github/workflows/pr-receive.yaml
+++ b/.github/workflows/pr-receive.yaml
@@ -5,6 +5,10 @@ on:
 types: [opened, synchronize, reopened]
+concurrency:
+ group: ${{ github.ref }}
+ cancel-in-progress: true
+
 jobs:
 test-pr:
 name: "Record PR number"
@@ -21,7 +25,7 @@ jobs:
 - name: "Upload PR number"
 id: upload
 if: ${{ always() }}
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
 with:
 name: pr
 path: ${{ github.workspace }}/NR
@@ -103,20 +107,20 @@ jobs:
 shell: Rscript {0}
 - name: "Upload PR"
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
 with:
 name: pr
 path: ${{ env.PR }}
 - name: "Upload Diff"
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
 with:
 name: diff
 path: ${{ env.CHIVE }}
 retention-days: 1
-
+
 - name: "Upload Build"
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v3
 with:
 name: built
 path: ${{ env.MD }}
diff --git a/.github/workflows/sandpaper-version.txt b/.github/workflows/sandpaper-version.txt
index 1a46c7f..288adf5 100644
--- a/.github/workflows/sandpaper-version.txt
+++ b/.github/workflows/sandpaper-version.txt
@@ -1 +1 @@
-0.10.8
+0.13.3
diff --git a/.github/workflows/update-cache.yaml b/.github/workflows/update-cache.yaml
index 69eb2c6..676d742 100755
--- a/.github/workflows/update-cache.yaml
+++ b/.github/workflows/update-cache.yaml
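Review bot: `group: ${{ github.ref }}` in pr-receive.yaml names a concurrency group that carries nothing identifying this workflow, and concurrency groups are shared across all workflows in the repository, so any other workflow that adopts the same common `${{ github.ref }}` group will queue behind or cancel this one's runs. Prefix the group with the workflow name, `group: ${{ github.workflow }}-${{ github.ref }}`, keeping `cancel-in-progress: true`. For `pull_request` events `github.ref` is the PR's merge ref, so grouping per pull request is otherwise the right scope.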
@@ -93,7 +93,7 @@ jobs:
 - name: Create Pull Request
 id: cpr
 if: ${{ steps.update.outputs.n > 0 }}
- uses: peter-evans/create-pull-request@v4.2.0
+ uses: carpentries/create-pull-request@main
 with:
 token: ${{ secrets.SANDPAPER_WORKFLOW }}
 delete-branch: true
@@ -119,7 +119,7 @@ jobs:
 ```
 - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }}
-
- [1]: https://github.com/peter-evans/create-pull-request
+
+ [1]: https://github.com/carpentries/create-pull-request/tree/main
 labels: "type: package cache"
 draft: false
diff --git a/.github/workflows/update-workflows.yaml b/.github/workflows/update-workflows.yaml
index 8f2a4b1..288bcd1 100755
--- a/.github/workflows/update-workflows.yaml
+++ b/.github/workflows/update-workflows.yaml
@@ -43,11 +43,11 @@ jobs:
 uses: carpentries/actions/update-workflows@main
 with:
 clean: ${{ github.event.inputs.clean }}
-
+
 - name: Create Pull Request
 id: cpr
 if: "${{ steps.update.outputs.new }}"
- uses: peter-evans/create-pull-request@v4.2.0
+ uses: carpentries/create-pull-request@main
 with:
 token: ${{ secrets.SANDPAPER_WORKFLOW }}
 delete-branch: true
@@ -60,7 +60,7 @@ jobs:
 Update Workflows from sandpaper version ${{ steps.update.outputs.old }} -> ${{ steps.update.outputs.new }}
 - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }}
-
- [1]: https://github.com/peter-evans/create-pull-request
+
+ [1]: https://github.com/carpentries/create-pull-request/tree/main
 labels: "type: template and tools"
 draft: false
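Review bot: `uses: carpentries/create-pull-request@main` replaces a fixed tag with a moving branch for the action that is handed `secrets.SANDPAPER_WORKFLOW`, so any future commit to that branch runs with the token without any change reviewed in this repository; the same substitution appears in the update-workflows.yaml hunk at `@@ -43,11 +43,11 @@`. Pin the reference to a release tag or, stronger, a full commit SHA with the version recorded in a trailing comment, e.g. `uses: carpentries/create-pull-request@<commit-sha>  # <version>` (both values are placeholders). If the fork must track `main` for now, add a comment above the `uses:` line saying why and what would let it be pinned.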