🔄 Synced file(s) with ottrproject/OTTR_Template_Website#48

OTTR Check Results Summary: 🎉 All checks passed! (Last Updated: 2026-04-23-15:20:13)
```yaml
    name: Load user automation choices
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      # Use the yaml-env-action action.
      - name: Load environment from YAML
        uses: doughepi/yaml-env-action@v1.0.0
        with:
          files: config_automation.yml # Pass a space-separated list of configuration files. Rightmost files take precedence.
    outputs:
      toggle_url_check_periodically: "${{ env.URL_CHECK_PERIODICALLY }}"

  url-check:
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Copilot Autofix (AI, 11 months ago):

To fix the issue, we will add a permissions block at the root level of the workflow to define the minimum required permissions for the GITHUB_TOKEN. Based on the operations in the workflow, the following permissions are needed:
- contents: write for committing and pushing changes to the repository.
- pull-requests: write if the workflow interacts with pull requests (e.g., adding labels or comments).
- actions: read for accessing workflow artifacts or listing workflows.

We will add these permissions to the workflow file, ensuring that no unnecessary permissions are granted.
| @@ -2,2 +2,6 @@ | ||
|
|
||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
|
|
||
| on: |
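Review bot: `pull-requests: write` in this hunk is not used by anything in the visible workflow, while the one step that does need a GITHUB_TOKEN scope, JasonEtco/create-an-issue run with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, needs `issues: write`, which the hunk omits; the `actions: read` the explanation lists is also missing from the diff. Because the block sits at workflow root it also hands write access to the `set-up` job, which only checks out the repo and reads config_automation.yml. Keep `contents: read` at root and put `contents: write` plus `issues: write` on the `url-check` job alone.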
```yaml
    name: Check URLs
    needs: set-up
    if: ${{needs.set-up.outputs.toggle_url_check_periodically == 'true'}}
    runs-on: ubuntu-latest
    container:
      image: jhudsl/base_ottr:main

    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      # Delete the branch if this has been run before
      - name: Delete branch locally and remotely
        run: git push origin --delete preview-spell-error || echo "No branch to delete"

      # Make the branch fresh
      - name: Make the branch fresh
        run: |
          git config --global --add safe.directory $GITHUB_WORKSPACE
          git config --global user.name 'github-actions[bot]'
          git config --global user.email 'github-actions[bot]@users.noreply.github.com'

          echo branch doesnt exist
          git checkout -b preview-spell-error || echo branch exists
          git push --set-upstream origin preview-spell-error || echo "branch exists remotely"
        shell: bash

      - name: Run the check
        uses: ottrproject/ottr-reports@main
        id: check_results
        continue-on-error: true
        with:
          check_type: urls
          error_min: 1

      - name: Declare file path and time
        id: check-report
        run: |
          error_num=$(cat check_reports/url_checks.tsv | wc -l)
          error_num="$((error_num-1))"
          echo "error_num=$error_num" >> $GITHUB_OUTPUT
          echo "error_url=https://github.com/${GITHUB_REPOSITORY}/blob/preview-spell-error/check_reports/url_checks.tsv" >> $GITHUB_OUTPUT
        shell: bash

      - name: Stop if failure
        if: steps.check_results.outcome == 'failure'
        run: exit 1

      - name: Print out error variables
        run: |
          echo ${{ steps.check-report.outputs.error_url }}
          echo ${{ steps.check-report.outputs.error_num }}

      # Commit file
      - name: Commit spell check file
        if: ${{ steps.check-report.outputs.error_num >= 1 }}
        env:
          # GH_PAT is exported but nothing below reads it: git pushes with the
          # credential actions/checkout persisted, i.e. GITHUB_TOKEN.
          GH_PAT: ${{ secrets.GH_PAT }}
        run: |
          git add --force check_reports/url_checks.tsv
          git commit -m 'Add spell check file' || echo "No changes to commit"
          git push --set-upstream origin preview-spell-error || echo "branch exists remotely"

      - name: Find issues
        id: find-issue
        env:
          GH_PAT: ${{ secrets.GH_PAT }}
        run: |
          echo "$GITHUB_REPOSITORY"
          curl -o find_issue.R https://raw.githubusercontent.com/ottrproject/ottr-reports/main/scripts/find_issue.R
          issue_exists=$(Rscript --vanilla find_issue.R --repo $GITHUB_REPOSITORY --git_pat $GH_PAT)
          echo URL issue exists: $issue_exists
          echo "issue_existence=$issue_exists" >> $GITHUB_OUTPUT

      - name: If too many URL errors, then make an issue
        if: ${{ steps.check-report.outputs.error_num >= 1 && steps.find-issue.outputs.issue_existence == 0}}
        uses: JasonEtco/create-an-issue@v2
        with:
          filename: .github/ISSUE_TEMPLATE/url-error.md
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          FILE_URL: ${{ steps.check-report.outputs.error_url }}
          ERROR_NUM: ${{ steps.check-report.outputs.error_num }}

      - name: If no URL errors then delete the branch we made
        if: ${{ steps.check-report.outputs.error_num < 1 }}
        run: |
          git config --system --add safe.directory "$GITHUB_WORKSPACE"
          git push origin --delete preview-spell-error || echo "No branch to delete"
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Copilot Autofix (AI, 11 months ago):

To fix the issue, we need to explicitly define the permissions required for the workflow. Since the workflow performs actions like checking out the repository, committing files, pushing branches, and creating issues, we should grant the minimal necessary permissions. Specifically:
- Add a permissions block at the root of the workflow to define the default permissions for all jobs.
- Set contents: write to allow committing and pushing changes to the repository.
- Set issues: write to allow creating issues.
- Set other permissions to read or omit them if not required.

The permissions block will be added at the root level of the workflow to ensure all jobs inherit these permissions unless overridden.
| @@ -2,2 +2,6 @@ | ||
|
|
||
| permissions: | ||
| contents: write | ||
| issues: write | ||
|
|
||
| on: |
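Review bot: the two scopes match what `url-check` does with GITHUB_TOKEN (the pushes use the credential actions/checkout@v3 persisted, and create-an-issue is handed `secrets.GITHUB_TOKEN`), but a root-level block also gives `contents: write` and `issues: write` to the `set-up` job, which only reads config_automation.yml. Move this block under `url-check:` and leave root at `contents: read`; the `GH_PAT` exported in the commit step's `env:` is never read by git there, so it is the persisted GITHUB_TOKEN these scopes have to cover.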
```yaml
    name: Build Docker image
    runs-on: ubuntu-latest

    steps:
      - name: checkout repo
        uses: actions/checkout@v4

      - name: Verify Dockerfiles changed?
        uses: tj-actions/verify-changed-files@v17
        id: verify-changed-files
        with:
          files: |
            ${{ inputs.directory }}/Dockerfile
            ${{ inputs.directory }}/github_package_list.tsv

      - name: Login as jhudsl-robot
        run: |
          git config --local user.email "itcrtrainingnetwork@gmail.com"
          git config --local user.name "jhudsl-robot"

      # Set up Docker build
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1

      # Setup layer cache
      - name: Cache Docker layers
        uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Set up Docker Build
        uses: docker/setup-buildx-action@v1

      # Writes the PAT into the directory that is also the build context below.
      # Anything the Dockerfile COPYs from that directory ends up in an image
      # layer, so git_token.txt must never be copied in (or use a BuildKit secret mount).
      - name: Get token
        run: echo ${{ secrets.GH_PAT }} > ${{ inputs.directory }}/git_token.txt

      - name: Build Docker image
        uses: docker/build-push-action@v2
        with:
          push: false
          load: true
          context: ${{ inputs.directory }}
          file: ${{ inputs.directory }}/Dockerfile
          tags: ${{ inputs.tag }}

      # Login to Dockerhub
      - name: Login to DockerHub
        if: ${{ inputs.dockerhubpush != 'false' }}
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Push the Docker image if set to true from a manual trigger
      - name: Push Docker image if manual trigger set to true
        if: ${{ inputs.dockerhubpush != 'false' }}
        run: docker push ${{ inputs.tag }}
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Copilot Autofix (AI, 11 months ago):

To fix the issue, we need to add a permissions block to the workflow. This block should specify the minimal permissions required for the workflow to function correctly. Based on the operations performed in the workflow, the contents: read permission is sufficient, as the workflow primarily reads repository contents and does not perform write operations. The permissions block should be added at the root level of the workflow to apply to all jobs.
| @@ -4,2 +4,4 @@ | ||
| name: Build Docker Image | ||
| permissions: | ||
| contents: read | ||
|
|
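Review bot: `contents: read` is the right grant for GITHUB_TOKEN here, since the only push goes to Docker Hub with `DOCKERHUB_TOKEN`, but "does not perform write operations" glosses over the `Get token` step, which writes `secrets.GH_PAT` into `${{ inputs.directory }}/git_token.txt` inside the build context. No `permissions:` block constrains that PAT, and anything the Dockerfile copies from the context lands in an image layer, so that step deserves a follow-up of its own (a BuildKit secret mount rather than a file in the context) independent of this hunk.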
```yaml
    name: Style code
    needs: yaml-check
    if: ${{needs.yaml-check.outputs.toggle_url_check == 'yes'}}
    uses: jhudsl/ottr-reports/.github/workflows/report-maker.yml@main
    with:
      check_type: urls
      error_min: 0
    secrets:
      gh_pat: ${{ secrets.GH_PAT }}

  render-preview:
    name: Render preview
    needs: [yaml-check, build-collection]
    runs-on: ubuntu-latest
    if: ${{needs.yaml-check.outputs.toggle_style_code == 'true'}}
    container:
      image: ${{needs.yaml-check.outputs.rendering_docker_image}}
    if: ${{needs.yaml-check.outputs.toggle_render_preview == 'yes'}}
      image: jhudsl/base_ottr:main

    steps:
      - name: Checkout files
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Set up git checkout
      - name: Set up git checkout
      - name: Run styler
        run: Rscript -e "styler::style_file(list.files(pattern = '(R|q)md$', recursive = FALSE, full.names = TRUE));warnings()"

      - name: Commit styled files
        run: |
          git config --system --add safe.directory "$GITHUB_WORKSPACE"
          git config --local user.email "itcrtrainingnetwork@gmail.com"
          git config --local user.name "jhudsl-robot"
          branch_name='preview-${{ github.event.pull_request.number }}'
          git fetch --all
          git checkout $branch_name
          git merge -s recursive --strategy-option=theirs origin/${{ github.head_ref }} --allow-unrelated-histories
        shell: bash

      # We want a fresh run of the renders each time
      - name: Delete old docs/*
        run: rm -rf docs/*

      # Now we want to render Rmd -> html
      - name: Convert Rmd to html
        id: bookdown
        run: |
          Rscript scripts/build.R

      # Run TOC-less version
      # Rendered content for Leanpub and Coursera is very similar.
      # This job creates a shared scaffold for both.
      - name: Run TOC-less version of render
        id: tocless
        run: Rscript -e "devtools::install_github('jhudsl/ottrpal', upgrade = 'never'); ottrpal::render_without_toc()"
        env:
          GITHUB_PAT: ${{ secrets.GH_PAT }}

      # This checks on the steps before it and makes sure that they completed.
      # If the renders didn't complete we don't want to commit the file changes
      - name: Check on render steps
        if: steps.bookdown.outcome != 'success' || steps.tocless.outcome != 'success'
        run: |
          echo Bookdown status ${{steps.bookdown.outcome}}
          echo Toc-less status ${{steps.tocless.outcome}}
          exit 1
          git add \*md
          git commit -m 'Style *mds' || echo "No changes to commit"
          git push origin || echo "No changes to commit"

      # Commit the rendered bookdown files
      - name: Commit rendered bookdown files to preview branch
        id: commit
        run: |
          branch_name='preview-${{ github.event.pull_request.number }}'
          git diff origin/main -- docs >/dev/null && changes=true || changes=false
          echo "changes=$changes" >> $GITHUB_OUTPUT
          git add . --force
          git commit -m 'Render preview' || echo "No changes to commit"
          git pull --set-upstream origin $branch_name --allow-unrelated-histories --strategy-option=ours
          git push --force || echo "No changes to commit"
        shell: bash
  ############################# Readability Report ###################################

      - name: Find Comment
        uses: peter-evans/find-comment@v2
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: latest commit
  readability-report:
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Copilot Autofix (AI, 18 days ago):

Add an explicit permissions block to the style-code job in .github/workflows/pull_request.yml.

Best fix (without changing functionality):
- In the style-code job (around lines 101–107), add `permissions:` with `contents: write`.
- Place it at job level (same indentation as runs-on, if, container), so only this job gets the required permission.
- This preserves current behavior (git push origin) while avoiding implicit default token permissions.

No imports/dependencies/methods are needed; this is a YAML-only change.
| @@ -103,6 +103,8 @@ | ||
| needs: yaml-check | ||
| runs-on: ubuntu-latest | ||
| if: ${{needs.yaml-check.outputs.toggle_style_code == 'true'}} | ||
| permissions: | ||
| contents: write | ||
| container: | ||
| image: jhudsl/base_ottr:main | ||
|
|
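Review bot: job-level placement is the right call, but note that a job-level block replaces, rather than merges with, any workflow-level `permissions:` for this job, so every scope other than `contents` becomes `none` for `style-code`. That is enough for `git push origin` through the credential actions/checkout@v4 persisted, and steps that use `secrets.GH_PAT` directly are outside GITHUB_TOKEN's permission model anyway. One caveat the explanation skips: on `pull_request` runs from a fork GITHUB_TOKEN is read-only regardless of this block, so the push fails there with or without it.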
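To make the override rule from this and the earlier suggestions concrete, here is an added example, written for this review and not OTTR project code or part of any autofix: a small checker that computes each job's effective GITHUB_TOKEN scopes from an already-parsed workflow and flags the three patterns visible on this page, a job with no `permissions:` block at either level, a `run:` step that redirects a `${{ secrets.* }}` value into a file (the Docker workflow's `Get token` step), and a checkout handed a PAT as `token:`. The two workflow dicts at the bottom are constructed to resemble the files under review, not loaded from them; `SCOPES` is the scope list as I know it, and the finding messages are my own wording.

```python
"""Check GitHub Actions workflows for GITHUB_TOKEN least privilege.

Added example for this review (not OTTR code, not the CodeQL autofix). It
encodes two rules GitHub documents for `permissions:`:
  * a job-level block replaces the workflow-level block entirely, and
  * an explicit block sets every scope it does not list to `none`.
Workflows are passed in as already-parsed dicts (what yaml.safe_load would
return), so no YAML library is needed to run this.
"""
import re

# GITHUB_TOKEN permission scopes (assumed list; extend if GitHub adds more).
SCOPES = (
    "actions", "checks", "contents", "deployments", "discussions", "id-token",
    "issues", "packages", "pages", "pull-requests", "repository-projects",
    "security-events", "statuses",
)

# A `${{ secrets.X }}` expression followed by a shell redirection on the same line.
SECRET_TO_FILE = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}[^\n]*>")


def expand_permissions(block):
    """Expand a `permissions:` value into a full {scope: level} map.

    None means no block was written, so the repository default applies; that is
    reported as "default" rather than guessed, because the file cannot tell you
    whether the repo setting is read-only or read/write.
    """
    if block is None:
        return {s: "default" for s in SCOPES}
    if block == "read-all":
        return {s: "read" for s in SCOPES}
    if block == "write-all":
        return {s: "write" for s in SCOPES}
    # A mapping (including the empty `{}`): unlisted scopes become none.
    return {s: block.get(s, "none") for s in SCOPES}


def effective_permissions(workflow):
    """Effective GITHUB_TOKEN scopes per job, applying the override rule."""
    root = workflow.get("permissions")
    return {
        name: expand_permissions(job["permissions"] if "permissions" in job else root)
        for name, job in workflow.get("jobs", {}).items()
    }


def lint(workflow):
    """Return (job, message) findings a reviewer would raise on the workflow."""
    findings = []
    root = workflow.get("permissions")
    for name, job in workflow.get("jobs", {}).items():
        if root is None and "permissions" not in job:
            findings.append((name, "no permissions block at workflow or job level"))
        for step in job.get("steps", []):
            match = SECRET_TO_FILE.search(step.get("run", ""))
            if match:
                findings.append((name, f"secrets.{match.group(1)} written to a file by a run step"))
            uses = step.get("uses", "")
            with_ = step.get("with") or {}
            token = str(with_.get("token", ""))
            # actions/checkout keeps `token` in .git/config unless persist-credentials is false.
            if (uses.startswith("actions/checkout") and "secrets." in token
                    and "GITHUB_TOKEN" not in token and with_.get("persist-credentials", True)):
                findings.append((name, f"checkout persists {token} into .git/config for later steps"))
    return findings


# Constructed inputs shaped like the workflows under review (not the real files).
URL_CHECK = {
    "permissions": {"contents": "write", "issues": "write"},  # the autofix's root block
    "jobs": {
        "set-up": {"steps": [{"uses": "actions/checkout@v4"}]},  # inherits the root block
        "style-code": {  # job block replaces the root block entirely
            "permissions": {"contents": "write"},
            "steps": [{"uses": "actions/checkout@v4"}, {"run": "git push origin"}],
        },
    },
}

RENDER = {
    "jobs": {
        "build-docker": {"steps": [
            {"name": "Get token", "run": "echo ${{ secrets.GH_PAT }} > build/git_token.txt"},
        ]},
        "render-website": {
            "permissions": {"contents": "read"},
            "steps": [{"uses": "actions/checkout@v4",
                       "with": {"fetch-depth": 0, "token": "${{ secrets.GH_PAT }}"}}],
        },
    },
}

if __name__ == "__main__":
    for wf_name, wf in (("url-check", URL_CHECK), ("render", RENDER)):
        for job, scopes in effective_permissions(wf).items():
            granted = {s: lvl for s, lvl in scopes.items() if lvl != "none"}
            print(f"{wf_name}/{job}: {granted}")
        for job, msg in lint(wf):
            print(f"{wf_name}/{job}: {msg}")
```

Run it directly to print each job's non-`none` scopes and the findings; with PyYAML available, `lint(yaml.safe_load(open(path)))` does the same for a real file. The `default` level is deliberately left unresolved: whether an absent block means read-only or read/write depends on the repository's Actions settings, which is exactly why the CodeQL rule wants it written down.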
```yaml
    name: Readability report
    needs: yaml-check
    runs-on: ubuntu-latest
    if: ${{needs.yaml-check.outputs.toggle_readability == 'true'}}

      - name: Build components of the comment
        id: build-components
        run: |
          course_name=$(head -n 1 _bookdown.yml | cut -d'"' -f 2| tr " " "-")
          bookdown_link=$(echo "https://htmlpreview.github.io/?https://raw.githubusercontent.com/$GITHUB_REPOSITORY/preview-${{ github.event.pull_request.number }}/docs/index.html")
          tocless_link=$(echo "https://htmlpreview.github.io/?https://raw.githubusercontent.com/$GITHUB_REPOSITORY/preview-${{ github.event.pull_request.number }}/docs/no_toc/index.html")
          echo "bookdown_link=$bookdown_link" >> $GITHUB_OUTPUT
          echo "tocless_link=$tocless_link" >> $GITHUB_OUTPUT
          echo "time=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
          echo "commit_id=$GITHUB_SHA" >> $GITHUB_OUTPUT
          echo ${{steps.commit.outputs.changes}}

      - name: Create or update comment
        if: steps.commit.outputs.changes == 'true'
        uses: peter-evans/create-or-update-comment@v2
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            Re-rendered previews from the latest commit:
            - See [preview of Bookdown here](${{ steps.build-components.outputs.bookdown_link }})
            - See [preview of Coursera/Leanpub version here](${{ steps.build-components.outputs.tocless_link }})
            _Note that `DT::datatable()` content does not appear in preview._

            _Updated at ${{ steps.build-components.outputs.time }} with changes from ${{ steps.build-components.outputs.commit_id }}_
          edit-mode: replace

      - name: Comment if no changes
        if: steps.commit.outputs.changes == 'false'
        uses: peter-evans/create-or-update-comment@v2
          fetch-depth: 0

      - name: Readability report
        uses: Rebilly/lexi@v2
        with:
          comment-id: ${{ steps.fc.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            The latest commit did not produce rendering changes.
          github-token: ${{ secrets.GH_PAT }}
          glob: '**/*.md'

            _Updated at ${{ steps.build-components.outputs.time }} with changes from ${{ steps.build-components.outputs.commit_id }}_
          edit-mode: replace
  ############################# Render Preview ###################################
  render-preview:
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Copilot Autofix (AI, 18 days ago):

Add an explicit permissions block to the readability-report job in .github/workflows/pull_request.yml, scoped to the minimum needed. Since this job checks out code and runs a reporting action, the minimal safe starting point is `contents: read`.

This avoids changing functionality while ensuring the job does not inherit broader token privileges.
| @@ -129,6 +129,8 @@ | ||
| needs: yaml-check | ||
| runs-on: ubuntu-latest | ||
| if: ${{needs.yaml-check.outputs.toggle_readability == 'true'}} | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Checkout repo |
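Review bot: `contents: read` is consistent with what the visible job gives GITHUB_TOKEN, because the Rebilly/lexi step authenticates with `github-token: ${{ secrets.GH_PAT }}` rather than the workflow token; the point worth raising alongside this hunk is that the PAT is what actually posts the PR comment, and no `permissions:` block limits it. If all this job needs is to comment on the pull request, `pull-requests: write` on GITHUB_TOKEN would let `GH_PAT` be dropped from the job entirely.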
```yaml
    name: Load user automation choices
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Use the yaml-env-action action.
      - name: Load environment from YAML
        uses: doughepi/yaml-env-action@v1.0.0
        with:
          files: config_automation.yml # Pass a space-separated list of configuration files. Rightmost files take precedence.
    outputs:
      toggle_website: "${{ env.RENDER_WEBSITE }}"
      rendering_docker_image: "${{ env.RENDERING_DOCKER_IMAGE }}"

  render-website:
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Copilot Autofix (AI, 18 days ago):

Add an explicit top-level permissions block in .github/workflows/render-all.yml, immediately after name: (or before jobs:), to ensure all jobs get least-privilege token access by default.

Best single fix without changing behavior: set `permissions:` with `contents: read`.

This is the minimal recommended baseline and is sufficient for this workflow as shown (especially since privileged operations are already using GH_PAT). No imports, methods, or dependencies are needed.
| @@ -12,6 +12,9 @@ | ||
|
|
||
| name: Render website | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| schedule: |
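Review bot: fine as a baseline, with one consequence to confirm before merging: a root block also caps what `build-collection` can get, since that job calls `./.github/workflows/build-collection.yml` as a reusable workflow and a called workflow's GITHUB_TOKEN can only be lowered from the caller's grant, never raised. With `contents: read` here, any push inside build-collection.yml that relies on GITHUB_TOKEN will fail. The visible jobs pass `gh_pat` and `token: ${{ secrets.GH_PAT }}` instead, so that is probably intended; check that build-collection.yml does not write with GITHUB_TOKEN.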
Re-rendered previews from the latest commit:
* note not all html features will be properly displayed in the "quick preview" but it will give you a rough idea. Updated at 2026-04-23 with changes from the latest commit 81608b4

release-renderActionTry2
…hub/workflows/render-all.yml' release-renderActionTry2
….yml' release-renderActionTry2
670d62d to 89a595b
```yaml
    name: Build Collection
    needs: yaml-check
    uses: ./.github/workflows/build-collection.yml
    with:
      render-type: 'preview'
      # `with:` values are not shell-expanded, so `$GITHUB_REPOSITORY` would be
      # passed as a literal string; the expression form is what resolves here.
      repository: ${{ github.repository }}
      image-name: ${{needs.yaml-check.outputs.rendering_docker_image}}
    secrets:
      gh_pat: ${{ secrets.GH_PAT }}

  ########################## Make the Website ####################################

  render-website:
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Copilot Autofix (AI, 18 days ago):

Add an explicit permissions block at the workflow root (right below name or before jobs) so it applies to all jobs that do not override permissions. The safest minimal baseline that preserves typical read operations is:
- contents: read
- packages: read

This directly addresses the CodeQL finding without changing workflow behavior, and keeps permissions documented and stable if repository defaults change.

Edit only .github/workflows/render-all.yml by inserting the root-level permissions block after line 13 (name: Render website).
| @@ -12,6 +12,10 @@ | ||
|
|
||
| name: Render website | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| schedule: |
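Review bot: this hunk inserts at the same place (after `name: Render website`) as the other two autofix suggestions for render-all.yml, and a file can carry only one root `permissions:` key, so exactly one of the three should be applied. `packages: read` is only needed when a job pulls an image from GitHub Packages with GITHUB_TOKEN; in the visible jobs the rendering image comes from `rendering_docker_image` in config_automation.yml and is handed to ottr-preview as `docker_image`, with no token-authenticated pull, so drop `packages: read` unless that image lives on ghcr.io and is pulled with the workflow token.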
```yaml
    name: Render website
    needs: [yaml-check, build-collection]
    runs-on: ubuntu-latest

    steps:
      - name: checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # The PAT replaces GITHUB_TOKEN for this checkout and, with the default
          # persist-credentials: true, stays in .git/config for every later step.
          token: ${{ secrets.GH_PAT }}

      - name: Run render
        id: render
        uses: ottrproject/ottr-preview@main
        with:
          toggle_website: ${{needs.yaml-check.outputs.toggle_website}}
          preview: false
          token: ${{ secrets.GH_PAT }}
          docker_image: ${{needs.yaml-check.outputs.rendering_docker_image}}
```
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium

Copilot Autofix (AI, 18 days ago):

Add an explicit top-level permissions block in .github/workflows/render-all.yml so all jobs default to least privilege. The safest minimal fix that preserves behavior is `permissions:` with `contents: read`.

This directly addresses CodeQL's recommendation and avoids unintentionally granting write scopes to GITHUB_TOKEN. Place it at workflow root (after name and before on, or anywhere at root level) so it applies consistently to all jobs unless overridden. No imports, methods, or additional definitions are needed.
| @@ -12,6 +12,9 @@ | ||
|
|
||
| name: Render website | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| schedule: |
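Review bot: identical to the first render-all.yml suggestion and overlapping the second, all three inserting after line 13; applying more than one produces a duplicate `permissions:` key at root, which is invalid YAML and rejected at workflow load. Apply a single root block and re-run the scan so all three alerts on this file close together. Since the `checkout` and `Run render` steps in `render-website` authenticate with `secrets.GH_PAT`, `contents: read` for GITHUB_TOKEN changes nothing they do.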
I believe this is now merged with the custom workflow for the collection :)

Synced local file(s) with ottrproject/OTTR_Template_Website.

Changed files:
- .github/workflows/ with remote directory .github/workflows/
- .github/workflows/render-site.yml from remote .github/workflows/render-all.yml
- config_automation.yml with remote config_automation.yml

This PR was created automatically by the repo-file-sync-action workflow run #15499754522