Merge pull request #421 from carpentries/update-workflows-2023-03

update workflows to give explicit permissions
carpentries · Mar 22, 2023 · 514acae · 514acae
2 parents 31926e3 + 12ee5cb
commit 514acae
Show file tree

Hide file tree

Showing 9 changed files with 42 additions and 16 deletions.
diff --git a/DESCRIPTION b/DESCRIPTION
@@ -1,6 +1,6 @@
 Package: sandpaper
 Title: Create and Curate Carpentries Lessons
-Version: 0.11.11.001
+Version: 0.11.12
 Authors@R: c(
     person(given = "Zhian N.",
            family = "Kamvar",

diff --git a/NEWS.md b/NEWS.md
@@ -1,4 +1,20 @@
-# sandpaper 0.11.12 (unreleased)
+# sandpaper 0.11.12 (2023-03-22)
+
+CONTINUOUS INTEGRATION
+----------------------
+
+* workflow files now have explicit permissions to comment on pull requests or
+  create new branches when called. This fixes an issue where new lessons would
+  not have the ability to preview pull requests or update workflows.
+  (reported: #420, @zkamvar; fixed #421, @zkamvar)
+* the `create-pull-request` action is now coming from a fork in The Carpentries
+  organisation for security. 
+
+MISC
+----
+
+* A typo has been fixed in the package cache vignette
+- The CONTRIBUTING boilerplate has been updated to fix formatting issues
 
 # sandpaper 0.11.11 (2023-03-17)
 

diff --git a/inst/workflows/pr-close-signal.yaml b/inst/workflows/pr-close-signal.yaml
@@ -16,8 +16,8 @@ jobs:
           mkdir -p ./pr
           printf ${{ github.event.number }} > ./pr/NUM
       - name: Upload Diff
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
-          name: pr 
+          name: pr
           path: ./pr
 
diff --git a/inst/workflows/pr-comment.yaml b/inst/workflows/pr-comment.yaml
@@ -78,6 +78,8 @@ jobs:
     if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
     env:
       NR: ${{ needs.test-pr.outputs.number }}
+    permissions:
+      contents: write
     steps:
       - name: 'Checkout md outputs'
         uses: actions/checkout@v3
@@ -122,6 +124,8 @@ jobs:
     if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
     env:
       NR: ${{ needs.test-pr.outputs.number }}
+    permissions:
+      pull-requests: write
     steps:
       - name: 'Download comment artifact'
         id: dl
@@ -151,6 +155,8 @@ jobs:
     env:
       NR: ${{ github.event.workflow_run.pull_requests[0].number }}
       body: ${{ needs.test-pr.outputs.msg }}
+    permissions:
+      pull-requests: write
     steps:
       - name: 'Check for spoofing'
         id: dl

diff --git a/inst/workflows/pr-post-remove-branch.yaml b/inst/workflows/pr-post-remove-branch.yaml
@@ -13,6 +13,8 @@ jobs:
     if: >
       github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'success'
+    permissions:
+      contents: write
     steps:
       - name: 'Download artifact'
         uses: carpentries/actions/download-workflow-artifact@main

diff --git a/inst/workflows/pr-preflight.yaml b/inst/workflows/pr-preflight.yaml
@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       is_valid: ${{ steps.check-pr.outputs.VALID }}
+    permissions:
+      pull-requests: write
     steps:
       - name: "Get Invalid Hashes File"
         id: hash

diff --git a/inst/workflows/pr-receive.yaml b/inst/workflows/pr-receive.yaml
@@ -25,7 +25,7 @@ jobs:
       - name: "Upload PR number"
         id: upload
         if: ${{ always() }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: pr
           path: ${{ github.workspace }}/NR
@@ -107,20 +107,20 @@ jobs:
         shell: Rscript {0}
 
       - name: "Upload PR"
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: pr
           path: ${{ env.PR }}
 
       - name: "Upload Diff"
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: diff
           path: ${{ env.CHIVE }}
           retention-days: 1
-      
+
       - name: "Upload Build"
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: built
           path: ${{ env.MD }}

diff --git a/inst/workflows/update-cache.yaml b/inst/workflows/update-cache.yaml
@@ -93,7 +93,7 @@ jobs:
       - name: Create Pull Request
         id: cpr
         if: ${{ steps.update.outputs.n > 0 }}
-        uses: peter-evans/create-pull-request@v4.2.0
+        uses: carpentries/create-pull-request@main
         with:
           token: ${{ secrets.SANDPAPER_WORKFLOW }}
           delete-branch: true
@@ -119,7 +119,7 @@ jobs:
             ```
 
             - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }}
-            
-            [1]: https://github.com/peter-evans/create-pull-request
+
+            [1]: https://github.com/carpentries/create-pull-request/tree/main
           labels: "type: package cache"
           draft: false
diff --git a/inst/workflows/update-workflows.yaml b/inst/workflows/update-workflows.yaml
@@ -43,11 +43,11 @@ jobs:
         uses: carpentries/actions/update-workflows@main
         with:
           clean: ${{ github.event.inputs.clean }}
-      
+
       - name: Create Pull Request
         id: cpr
         if: "${{ steps.update.outputs.new }}"
-        uses: peter-evans/create-pull-request@v4.2.0
+        uses: carpentries/create-pull-request@main
         with:
           token: ${{ secrets.SANDPAPER_WORKFLOW }}
           delete-branch: true
@@ -60,7 +60,7 @@ jobs:
             Update Workflows from sandpaper version ${{ steps.update.outputs.old }} -> ${{ steps.update.outputs.new }}
 
             - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }}
-            
-            [1]: https://github.com/peter-evans/create-pull-request
+
+            [1]: https://github.com/carpentries/create-pull-request/tree/main
           labels: "type: template and tools"
           draft: false