Skip to content

Update Workflows to Version 0.18.5 #218

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
epiverse-trace-bot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update Workflows to Version 0.18.5 #218

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
246 changes: 180 additions & 66 deletions .github/workflows/README.md
View file
Open in desktop

Large diffs are not rendered by default.

229 changes: 229 additions & 0 deletions .github/workflows/docker_apply_cache.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,229 @@
name: "03 Maintain: Apply Package Cache"
description: "Generate the package cache for the lesson after a pull request has been merged or via manual trigger, and cache in S3 or GitHub"
on:
workflow_dispatch:
inputs:
name:
description: 'Who triggered this build?'
required: true
default: 'Maintainer (via GitHub)'
pull_request:
types:
- closed
branches:
- main

# queue cache runs
concurrency:
group: docker-apply-cache
cancel-in-progress: false

jobs:
preflight:
name: "Preflight: PR or Manual Trigger?"
runs-on: ubuntu-latest
outputs:
do-apply: ${{ steps.check.outputs.merged_or_manual }}
steps:
- name: "Should we run cache application?"
id: check
run: |
if [[ "${{ github.event_name }}" == "workflow_dispatch" ||
("${{ github.ref }}" == "refs/heads/main" && "${{ github.event.action }}" == "closed" && "${{ github.event.pull_request.merged }}" == "true") ]]; then
echo "merged_or_manual=true" >> $GITHUB_OUTPUT
else
echo "This was not a manual trigger and no PR was merged. No action taken."
echo "merged_or_manual=false" >> $GITHUB_OUTPUT
fi
shell: bash

check-renv:
Comment on lines +23 to +40

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 21 days ago

In general, to fix this type of issue you explicitly declare a permissions block either at the workflow root (applies to all jobs without their own block) or on each job, and reduce the GITHUB_TOKEN privileges to the minimum needed (often contents: read, or {} if no API access is required).

For this workflow, the preflight job only evaluates event context and writes to GITHUB_OUTPUT; it doesn’t use GITHUB_TOKEN, call GitHub APIs, or check out the repo. The safest and least-privilege fix without changing functionality is to add a permissions block to that job and set it to an empty mapping, which disables all default permissions for that job. Other jobs already have their own permissions where needed (e.g., check-renv has id-token: write), so we only change preflight.

Concretely:

  • Edit .github/workflows/docker_apply_cache.yaml.
  • Within the preflight job definition, between runs-on: ubuntu-latest (line 24) and outputs: (line 25), add: 
        permissions: {}

This leaves functionality unchanged while explicitly restricting the job’s token permissions.

Suggested changeset 1
.github/workflows/docker_apply_cache.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker_apply_cache.yaml b/.github/workflows/docker_apply_cache.yaml
--- a/.github/workflows/docker_apply_cache.yaml
+++ b/.github/workflows/docker_apply_cache.yaml
@@ -22,6 +22,7 @@
   preflight:
     name: "Preflight: PR or Manual Trigger?"
     runs-on: ubuntu-latest
+    permissions: {}
     outputs:
       do-apply: ${{ steps.check.outputs.merged_or_manual }}
     steps:
EOF
@@ -22,6 +22,7 @@
preflight:
name: "Preflight: PR or Manual Trigger?"
runs-on: ubuntu-latest
permissions: {}
outputs:
do-apply: ${{ steps.check.outputs.merged_or_manual }}
steps:
Copilot is powered by AI and may make mistakes. Always verify output.
name: "Check If We Need {renv}"
runs-on: ubuntu-latest
needs: preflight
if: needs.preflight.outputs.do-apply == 'true'
permissions:
id-token: write
outputs:
renv-needed: ${{ steps.check-for-renv.outputs.renv-needed }}
renv-cache-hashsum: ${{ steps.check-for-renv.outputs.renv-cache-hashsum }}
renv-cache-available: ${{ steps.check-for-renv.outputs.renv-cache-available }}
steps:
- name: "Check for renv"
id: check-for-renv
uses: carpentries/actions/renv-checks@main
with:
role-to-assume: ${{ secrets.AWS_GH_OIDC_ARN }}
aws-region: ${{ secrets.AWS_GH_OIDC_REGION }}
WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG || 'latest' }}
token: ${{ secrets.GITHUB_TOKEN }}

no-renv-cache-used:
name: "No renv cache used"
runs-on: ubuntu-latest
needs: check-renv
if: needs.check-renv.outputs.renv-needed != 'true'
steps:
- name: "No renv cache needed"
run: echo "No renv cache needed for this lesson"

renv-cache-available:
Comment on lines +62 to +70

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 21 days ago

In general, the fix is to add an explicit permissions block to the workflow or to each job, restricting the GITHUB_TOKEN to the minimal scopes required. Jobs that do not interact with the repository or GitHub APIs can use permissions: { contents: read } as a safe, minimal baseline; jobs that need elevated permissions (like id-token: write for OIDC) should declare only those.

For this workflow, the simplest and least-disruptive change is to add a root-level permissions block (applies to all jobs) that sets contents: read. This satisfies CodeQL for jobs such as no-renv-cache-used, renv-cache-available, update-renv-cache, and record-cache-result, which only echo, run external actions, or upload artifacts and do not require repository writes. The existing check-renv job already has a permissions block with id-token: write; per GitHub’s rules, a job-level permissions block overrides the workflow default, so we should keep that intact and only add the new workflow-level permissions above jobs:.

Concretely:

  • In .github/workflows/docker_apply_cache.yaml, insert a root-level permissions: section (e.g., after the concurrency block) with contents: read.
  • Do not modify existing job definitions or the check-renv job’s permissions block, as it already expresses its special requirement.

No new imports or methods are needed; this is purely a YAML workflow configuration change.

Suggested changeset 1
.github/workflows/docker_apply_cache.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker_apply_cache.yaml b/.github/workflows/docker_apply_cache.yaml
--- a/.github/workflows/docker_apply_cache.yaml
+++ b/.github/workflows/docker_apply_cache.yaml
@@ -18,6 +18,9 @@
   group: docker-apply-cache
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   preflight:
     name: "Preflight: PR or Manual Trigger?"
EOF
@@ -18,6 +18,9 @@
group: docker-apply-cache
cancel-in-progress: false

permissions:
contents: read

jobs:
preflight:
name: "Preflight: PR or Manual Trigger?"
Copilot is powered by AI and may make mistakes. Always verify output.
name: "renv cache available"
runs-on: ubuntu-latest
needs: check-renv
if: needs.check-renv.outputs.renv-cache-available == 'true'
steps:
- name: "renv cache available"
run: echo "renv cache available for this lesson"

update-renv-cache:
Comment on lines +71 to +79

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 21 days ago

In general, this problem is fixed by explicitly defining a permissions block that restricts the default GITHUB_TOKEN privileges, either at the workflow root (affecting all jobs) or per-job. For a job that does not need to access the GitHub API at all, we can safely set permissions: {} (or an explicit mapping with only contents: read if some read access is needed). This documents the intended permissions and protects the workflow if repository/organization defaults are permissive.

The single best fix here, without changing any existing behavior, is to add a minimal permissions block to the renv-cache-available job, because that is the job CodeQL flagged. Since the only step in that job is a simple run: echo "renv cache available for this lesson", it does not need the GITHUB_TOKEN at all, so we can completely disable token permissions for that job using an empty permissions map. Concretely, in .github/workflows/docker_apply_cache.yaml, under the renv-cache-available job (around lines 70–77), insert a permissions: {} line at the same indentation level as runs-on, needs, and if. No additional imports, methods, or external definitions are needed; this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/docker_apply_cache.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker_apply_cache.yaml b/.github/workflows/docker_apply_cache.yaml
--- a/.github/workflows/docker_apply_cache.yaml
+++ b/.github/workflows/docker_apply_cache.yaml
@@ -72,6 +72,7 @@
     runs-on: ubuntu-latest
     needs: check-renv
     if: needs.check-renv.outputs.renv-cache-available == 'true'
+    permissions: {}
     steps:
       - name: "renv cache available"
         run: echo "renv cache available for this lesson"
EOF
@@ -72,6 +72,7 @@
runs-on: ubuntu-latest
needs: check-renv
if: needs.check-renv.outputs.renv-cache-available == 'true'
permissions: {}
steps:
- name: "renv cache available"
run: echo "renv cache available for this lesson"
Copilot is powered by AI and may make mistakes. Always verify output.
name: "Update renv Cache"
runs-on: ubuntu-latest
needs: check-renv
if: |
needs.check-renv.outputs.renv-needed == 'true' &&
needs.check-renv.outputs.renv-cache-available != 'true' &&
(
github.event_name == 'workflow_dispatch' ||
(
github.event.pull_request.merged == true &&
(
(
contains(
join(github.event.pull_request.labels.*.name, ','),
'type: package cache'
) &&
github.event.pull_request.head.ref == 'update/packages'
)
||
(
contains(
join(github.event.pull_request.labels.*.name, ','),
'type: workflows'
) &&
github.event.pull_request.head.ref == 'update/workflows'
)
||
(
contains(
join(github.event.pull_request.labels.*.name, ','),
'type: docker version'
) &&
github.event.pull_request.head.ref == 'update/workbench-docker-version'
)
)
)
)
permissions:
checks: write
contents: write
pages: write
id-token: write
container:
image: ghcr.io/carpentries/workbench-docker:${{ vars.WORKBENCH_TAG || 'latest' }}
env:
WORKBENCH_PROFILE: "ci"
GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
RENV_PATHS_ROOT: /home/rstudio/lesson/renv
RENV_PROFILE: "lesson-requirements"
RENV_VERSION: ${{ needs.check-renv.outputs.renv-cache-hashsum }}
RENV_CONFIG_EXTERNAL_LIBRARIES: "/usr/local/lib/R/site-library"
volumes:
- ${{ github.workspace }}:/home/rstudio/lesson
options: --cpus 2
steps:
- uses: actions/checkout@v4

- name: "Debugging Info"
run: |
echo "Current Directory: $(pwd)"
ls -lah /home/rstudio/.workbench
ls -lah $(pwd)
Rscript -e 'sessionInfo()'
shell: bash

- name: "Mark Repository as Safe"
run: |
git config --global --add safe.directory $(pwd)
shell: bash

- name: "Ensure sandpaper is loadable"
run: |
.libPaths()
library(sandpaper)
shell: Rscript {0}

- name: "Setup Lesson Dependencies"
run: |
Rscript /home/rstudio/.workbench/setup_lesson_deps.R
shell: bash

- name: "Fortify renv Cache"
run: |
Rscript /home/rstudio/.workbench/fortify_renv_cache.R
shell: bash

- name: "Get Container Version Used"
id: wb-vers
uses: carpentries/actions/container-version@main
with:
WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }}
renv-needed: ${{ needs.check-renv.outputs.renv-needed }}
token: ${{ secrets.GITHUB_TOKEN }}

- name: "Validate Current Org and Workflow"
id: validate-org-workflow
uses: carpentries/actions/validate-org-workflow@main
with:
repo: ${{ github.repository }}
workflow: ${{ github.workflow }}

- name: "Configure AWS credentials via OIDC"
id: aws-creds
env:
role-to-assume: ${{ secrets.AWS_GH_OIDC_ARN }}
aws-region: ${{ secrets.AWS_GH_OIDC_REGION }}
if: |
steps.validate-org-workflow.outputs.is_valid == 'true' &&
env.role-to-assume != '' &&
env.aws-region != ''
uses: aws-actions/configure-aws-credentials@v5.0.0
with:
role-to-assume: ${{ env.role-to-assume }}
aws-region: ${{ env.aws-region }}
output-credentials: true

- name: "Upload cache object to S3"
id: upload-cache
uses: carpentries/actions-cache@frog-matchedkey-1
with:
accessKey: ${{ steps.aws-creds.outputs.aws-access-key-id }}
secretKey: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
sessionToken: ${{ steps.aws-creds.outputs.aws-session-token }}
bucket: workbench-docker-caches
path: |
/home/rstudio/lesson/renv
/usr/local/lib/R/site-library
key: ${{ github.repository }}/${{ steps.wb-vers.outputs.container-version }}_renv-${{ needs.check-renv.outputs.renv-cache-hashsum }}
restore-keys:
${{ github.repository }}/${{ steps.wb-vers.outputs.container-version }}_renv-

record-cache-result:
name: "Record Caching Status"
runs-on: ubuntu-latest
needs: [check-renv, update-renv-cache]
if: always()
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: "Record cache result"

run: |
echo "${{ needs.update-renv-cache.result == 'success' || needs.check-renv.outputs.renv-cache-available == 'true' || 'false' }}" > ${{ github.workspace }}/apply-cache-result
shell: bash

- name: "Upload cache result"
uses: actions/upload-artifact@v4
with:
name: apply-cache-result
path: ${{ github.workspace }}/apply-cache-result
Comment on lines +212 to +229

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 21 days ago

In general, the fix is to add an explicit permissions block either at the top level of the workflow (to apply to all jobs) or specifically to the record-cache-result job, granting only the minimal scopes required (likely just contents: read for actions metadata and artifact upload). This restricts the GITHUB_TOKEN so it cannot perform unintended write operations even if the repository default is permissive.

The safest, least‑intrusive fix here is to add a root‑level permissions block right after the on: section, setting contents: read. None of the shown jobs appears to need to write to the repository, open issues, or modify pull requests; the AWS access for S3 uses OIDC and the AWS role, not GITHUB_TOKEN. actions/upload-artifact does not require write access to repo contents; it interacts with GitHub’s artifact service. Therefore, contents: read at the workflow root is a good minimal baseline and should not change existing behavior.

Concretely, in .github/workflows/docker_apply_cache.yaml, insert:

permissions:
  contents: read

between the on: block (ending at line 14) and the concurrency: block (starting at line 16). This will apply to all jobs, including record-cache-result, satisfying the CodeQL requirement and aligning with least‑privilege principles without changing workflow functionality.

Suggested changeset 1
.github/workflows/docker_apply_cache.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker_apply_cache.yaml b/.github/workflows/docker_apply_cache.yaml
--- a/.github/workflows/docker_apply_cache.yaml
+++ b/.github/workflows/docker_apply_cache.yaml
@@ -13,6 +13,9 @@
     branches:
       - main
 
+permissions:
+  contents: read
+
 # queue cache runs
 concurrency:
   group: docker-apply-cache
EOF
@@ -13,6 +13,9 @@
branches:
- main

permissions:
contents: read

# queue cache runs
concurrency:
group: docker-apply-cache
Copilot is powered by AI and may make mistakes. Always verify output.
159 changes: 159 additions & 0 deletions .github/workflows/docker_build_deploy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,159 @@
name: "01 Maintain: Build and Deploy Site"
description: "Build and deploy the lesson site using the carpentries/workbench-docker container"
on:
push:
branches:
- 'main'
paths-ignore:
- '.github/workflows/**.yaml'
- '.github/workbench-docker-version.txt'
schedule:
- cron: '0 0 * * 2'
workflow_run:
workflows: ["03 Maintain: Apply Package Cache"]
types:
- completed
workflow_dispatch:
inputs:
name:
description: 'Who triggered this build?'
required: true
default: 'Maintainer (via GitHub)'
CACHE_VERSION:
description: 'Optional renv cache version override'
required: false
default: ''
reset:
description: 'Reset cached markdown files'
required: true
default: false
type: boolean
force-skip-manage-deps:
description: 'Skip build-time dependency management'
required: true
default: false
type: boolean

# only one build/deploy at a time
concurrency:
group: docker-build-deploy
cancel-in-progress: true

jobs:
preflight:
name: "Preflight: Schedule, Push, or PR?"
runs-on: ubuntu-latest
outputs:
do-build: ${{ steps.build-check.outputs.do-build }}
renv-needed: ${{ steps.build-check.outputs.renv-needed }}
renv-cache-hashsum: ${{ steps.build-check.outputs.renv-cache-hashsum }}
workbench-container-file-exists: ${{ steps.wb-vers.outputs.workbench-container-file-exists }}
wb-vers: ${{ steps.wb-vers.outputs.container-version }}
last-wb-vers: ${{ steps.wb-vers.outputs.last-container-version }}
workbench-update: ${{ steps.wb-vers.outputs.workbench-update }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: "Should we run build and deploy?"
id: build-check
uses: carpentries/actions/build-preflight@main

- name: "Checkout Lesson"
if: steps.build-check.outputs.do-build == 'true'
uses: actions/checkout@v4

- name: "Get container version info"
id: wb-vers
if: steps.build-check.outputs.do-build == 'true'
uses: carpentries/actions/container-version@main
with:
WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }}
renv-needed: ${{ steps.build-check.outputs.renv-needed }}
token: ${{ secrets.GITHUB_TOKEN }}

full-build:
Comment on lines +44 to +74

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 21 days ago

In general, the fix is to add an explicit permissions block that grants the least privileges the job needs. For a job that only needs to read the repository and possibly metadata, the safe baseline is permissions: contents: read. This overrides any broader repository default and clearly documents what the job can do.

For this specific workflow, we already see other jobs (full-build and update-container-version) with more permissive, job-level permissions suited to their tasks. The preflight job should similarly define its own explicit, minimal permissions. Since it only performs preflight checks, checks out the code, and queries container version information, read access to repository contents should suffice. Therefore, in .github/workflows/docker_build_deploy.yaml, within the preflight job definition (lines 43–55), add a permissions block under runs-on (or anywhere within that job’s mapping, alongside env and outputs) that sets contents: read. No new imports or external dependencies are required; this is purely a workflow YAML change and does not alter functional behavior beyond restricting token capabilities.

Concretely:

  • Edit .github/workflows/docker_build_deploy.yaml.
  • In the jobs.preflight section, add: 
      permissions:
    contents: read
    just after runs-on: ubuntu-latest (line 45).
    This will satisfy CodeQL and enforce least-privilege for the preflight job.
Suggested changeset 1
.github/workflows/docker_build_deploy.yaml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker_build_deploy.yaml b/.github/workflows/docker_build_deploy.yaml
--- a/.github/workflows/docker_build_deploy.yaml
+++ b/.github/workflows/docker_build_deploy.yaml
@@ -43,6 +43,8 @@
   preflight:
     name: "Preflight: Schedule, Push, or PR?"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       do-build: ${{ steps.build-check.outputs.do-build }}
       renv-needed: ${{ steps.build-check.outputs.renv-needed }}
EOF
@@ -43,6 +43,8 @@
preflight:
name: "Preflight: Schedule, Push, or PR?"
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
do-build: ${{ steps.build-check.outputs.do-build }}
renv-needed: ${{ steps.build-check.outputs.renv-needed }}
Copilot is powered by AI and may make mistakes. Always verify output.
name: "Build Full Site"
runs-on: ubuntu-latest
needs: preflight
if: |
needs.preflight.outputs.do-build == 'true' &&
needs.preflight.outputs.workbench-update != 'true'
env:
RENV_EXISTS: ${{ needs.preflight.outputs.renv-needed }}
RENV_HASH: ${{ needs.preflight.outputs.renv-cache-hashsum }}
permissions:
checks: write
contents: write
pages: write
id-token: write
container:
image: ghcr.io/carpentries/workbench-docker:${{ vars.WORKBENCH_TAG || 'latest' }}
env:
WORKBENCH_PROFILE: "ci"
GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
RENV_PATHS_ROOT: /home/rstudio/lesson/renv
RENV_PROFILE: "lesson-requirements"
RENV_CONFIG_EXTERNAL_LIBRARIES: "/usr/local/lib/R/site-library"
volumes:
- ${{ github.workspace }}:/home/rstudio/lesson
options: --cpus 1
steps:
- uses: actions/checkout@v4

- name: "Debugging Info"
run: |
cd /home/rstudio/lesson
echo "Current Directory: $(pwd)"
echo "RENV_HASH is $RENV_HASH"
ls -lah /home/rstudio/.workbench
ls -lah $(pwd)
Rscript -e 'sessionInfo()'
shell: bash

- name: "Mark Repository as Safe"
run: |
git config --global --add safe.directory $(pwd)
shell: bash

- name: "Setup Lesson Dependencies"
id: build-container-deps
uses: carpentries/actions/build-container-deps@main
with:
CACHE_VERSION: ${{ vars.CACHE_VERSION || github.event.inputs.CACHE_VERSION || '' }}
WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG || 'latest' }}
LESSON_PATH: ${{ vars.LESSON_PATH || '/home/rstudio/lesson' }}
role-to-assume: ${{ secrets.AWS_GH_OIDC_ARN }}
aws-region: ${{ secrets.AWS_GH_OIDC_REGION }}
token: ${{ secrets.GITHUB_TOKEN }}

- name: "Run Container and Build Site"
id: build-and-deploy
uses: carpentries/actions/build-and-deploy@main
with:
reset: ${{ vars.BUILD_RESET || github.event.inputs.reset || 'false' }}
skip-manage-deps: ${{ github.event.inputs.force-skip-manage-deps == 'true' || steps.build-container-deps.outputs.renv-cache-available || steps.build-container-deps.outputs.backup-cache-used || 'false' }}

update-container-version:
name: "Update container version used"
runs-on: ubuntu-latest
needs: [preflight]
permissions:
actions: write
contents: write
pull-requests: write
id-token: write
if: |
needs.preflight.outputs.do-build == 'true' &&
(
needs.preflight.outputs.workbench-container-file-exists == 'false' ||
needs.preflight.outputs.workbench-update == 'true'
)
steps:
- name: "Record container version used"
uses: carpentries/actions/record-container-version@main
with:
CONTAINER_VER: ${{ needs.preflight.outputs.wb-vers }}
AUTO_MERGE: ${{ vars.AUTO_MERGE_CONTAINER_VERSION_UPDATE || 'true' }}
token: ${{ secrets.GITHUB_TOKEN }}
role-to-assume: ${{ secrets.AWS_GH_OIDC_ARN }}
aws-region: ${{ secrets.AWS_GH_OIDC_REGION }}
Loading
Loading