🔄 Synced file(s) with ottrproject/OTTR_Template#2
Please carefully review these changes and decide which are useful for your course. You may want to unenroll your repository from the sync GitHub actions by filing a PR on
Updated the pull request workflow configuration to match with new OTTR
| name: Style code | ||
| needs: yaml-check | ||
| if: ${{needs.yaml-check.outputs.toggle_url_check == 'yes'}} | ||
| uses: jhudsl/ottr-reports/.github/workflows/report-maker.yml@main | ||
| with: | ||
| check_type: urls | ||
| error_min: 0 | ||
| gh_pat: secrets.GH_PAT | ||
|
|
||
| quiz-check: | ||
| name: Check quiz formatting | ||
| if: ${{needs.yaml-check.outputs.toggle_quiz_check == 'yes'}} | ||
| runs-on: ubuntu-latest | ||
| if: ${{needs.yaml-check.outputs.toggle_style_code == 'true'}} | ||
| container: | ||
| image: jhudsl/base_ottr:main | ||
|
|
||
| steps: | ||
| - name: Checkout files | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Run styler | ||
| run: Rscript -e "styler::style_file(list.files(pattern = '(R|q)md$', recursive = FALSE, full.names = TRUE));warnings()" | ||
|
|
||
| - name: Commit styled files | ||
| run: | | ||
| git config --system --add safe.directory "$GITHUB_WORKSPACE" | ||
| git add \*md | ||
| git commit -m 'Style *mds' || echo "No changes to commit" | ||
| git push origin || echo "No changes to commit" | ||
|
|
||
| ############################# Readability Report ################################### | ||
|
|
||
| readability-report: |
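Review bot: `gh_pat: secrets.GH_PAT` under `with:` in the calls to report-maker.yml is a plain string, not an expression: without `${{ }}` the called workflow receives the literal text `secrets.GH_PAT`, and a secret should in any case reach a reusable workflow through its `secrets:` key (`secrets: inherit`, or a `secrets:` block mapping `gh_pat: ${{ secrets.GH_PAT }}`) rather than as a `with:` input, which is an ordinary string. Unless report-maker.yml documents that it expects that literal, this needs verifying. Second, in the "Commit styled files" step both `git commit -m 'Style *mds' || echo "No changes to commit"` and `git push origin || echo "No changes to commit"` report every failure as "no changes": a missing committer identity, a push rejected for lack of `contents: write`, or a detached-HEAD checkout (actions/checkout on a pull_request event checks out the merge ref, and this checkout step passes no `ref:`) would all be swallowed. Test for staged changes explicitly (`git diff --cached --quiet || git commit -m 'Style *mds'`) and let a failed push fail the job. As rendered here, quiz-check also carries two `if:` keys (toggle_quiz_check and toggle_style_code) with the styler steps beneath it; if that is not an artifact of the split view, the duplicate key will not parse and needs removing.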
Check warning. Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
To fix the problem, add an explicit permissions block that grants only the minimal scopes required. In this case, the style-code job must push commits back to the repository, so it needs contents: write. It does not appear to need any other scopes (no issues, PRs, workflows, etc.), so contents: write alone is sufficient.
The best change with minimal impact is to add a job-level permissions block under the style-code job definition, similar to what is already done for the ottr-reports job. This keeps other jobs unaffected and clearly documents that only this job needs write access to repository contents. No imports or additional definitions are needed because this is purely a YAML configuration change.
Concretely:
- Edit .github/workflows/pull_request.yml.
- In the style-code job (lines 88–105), insert:
  permissions:
    contents: write
- Place it after needs: yaml-check (or before runs-on:) so indentation and structure are consistent with the ottr-reports job's existing permissions block.
| @@ -88,6 +88,8 @@ | ||
| style-code: | ||
| name: Style code | ||
| needs: yaml-check | ||
| permissions: | ||
| contents: write | ||
| runs-on: ubuntu-latest | ||
| if: ${{needs.yaml-check.outputs.toggle_style_code == 'true'}} | ||
| container: |
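Review bot: `contents: write` is the correct minimum for a job that pushes, but two properties of this push in the style-code job are not addressed by the hunk. Commits pushed with the workflow's own GITHUB_TOKEN do not trigger new workflow runs, so the checks in this file will not re-run on the styled commit; and on a pull_request opened from a fork GITHUB_TOKEN is read-only regardless of this block, so the push fails and the trailing `|| echo "No changes to commit"` hides it. Either skip the job on fork PRs (`if: github.event.pull_request.head.repo.full_name == github.repository`) or accept that only same-repository branches get styled, and make the push step fail loudly rather than echo.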
| name: Readability report | ||
| needs: yaml-check | ||
| uses: jhudsl/ottr-reports/.github/workflows/report-maker.yml@main | ||
| with: | ||
| check_type: quiz_format | ||
| error_min: 0 | ||
| gh_pat: secrets.GH_PAT | ||
| runs-on: ubuntu-latest | ||
| if: ${{needs.yaml-check.outputs.toggle_readability == 'true'}} | ||
|
|
||
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Readability report | ||
| uses: Rebilly/lexi@v2 | ||
| with: | ||
| github-token: ${{ secrets.GH_PAT }} | ||
| glob: '**/*.md' |
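Review bot: the job-level `permissions` block CodeQL asks for on readability-report scopes only GITHUB_TOKEN, yet the Rebilly/lexi step passes `github-token: ${{ secrets.GH_PAT }}`, a personal access token whose scope the workflow cannot narrow. If lexi only needs to read the checkout and post its report on the pull request, `github-token: ${{ secrets.GITHUB_TOKEN }}` together with `contents: read` and `pull-requests: write` on the job keeps this third-party action inside the token scoping the rest of the PR is introducing. The references `Rebilly/lexi@v2`, `actions/checkout@v4` and `jhudsl/ottr-reports/.github/workflows/report-maker.yml@main` are all moving tags or branches; pinning the third-party ones to a commit SHA is the usual hardening. As rendered, readability-report also shows both `uses: jhudsl/ottr-reports/...` with `check_type: quiz_format` and a `runs-on:`/`steps:` body, which a single job cannot have; check whether the split view has collapsed the old quiz-check job onto the new readability job.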
Check warning. Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 1 month ago):
In general, to fix this class of problem you add an explicit permissions: block either at the workflow root (applies to all jobs without their own permissions) or on the specific job that should have restricted permissions, and set only the scopes actually needed (often just contents: read).
For this workflow, there is already a permissions block on the ottr-reports job (with pull-requests: write), so we should not override that at the root. Instead, we will add a job-level permissions: block to the readability-report job so that its GITHUB_TOKEN is limited to read-only. The job checks out the repository and runs Rebilly/lexi@v2 with a github-token input; for analyzing files and posting results via the provided token, read access to repository contents is sufficient. Therefore, we will add:
permissions:
  contents: read
immediately under runs-on: ubuntu-latest (line 117) in the readability-report job. No imports or other code changes are required.
| @@ -115,6 +115,8 @@ | ||
| name: Readability report | ||
| needs: yaml-check | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| if: ${{needs.yaml-check.outputs.toggle_readability == 'true'}} | ||
|
|
||
| steps: |
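Review bot: `contents: read` is the right minimum for this job, but the rationale above for not adding a root-level block is backwards: a workflow-level `permissions:` applies only to jobs that declare none of their own, and a job-level block takes precedence, so `permissions: contents: read` at the top of the workflow would leave ottr-reports' `pull-requests: write` untouched and would close the CodeQL finding for every job at once instead of one job per autofix. The hunk also places `permissions:` between `runs-on:` and `if:`, while the style-code suggestion puts it after `needs:`; both are valid YAML, but pick one placement for the file.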
Need to resolve conflicts and update render-both workflow
Synced local file(s) with ottrproject/OTTR_Template.
Changed files:
- config_automation.yml with remote config_automation.yml
- .github/workflows/send-updates.yml with remote .github/workflows/send-updates.yml
- .github/workflows/test-send-updates.yml with remote .github/workflows/test-send-updates.yml
- .github/switch_sync_repo.R with remote .github/switch_sync_repo.R
This PR was created automatically by the repo-file-sync-action workflow run #15498355326