Conversation

@jhudsl-robot
Collaborator

@jhudsl-robot jhudsl-robot commented Jun 6, 2025

Synced local file(s) with ottrproject/OTTR_Template_Website.

Changed files
  • Synced local directory .github/workflows/ with remote directory .github/workflows/
  • Created local .github/workflows/render-site.yml from remote .github/workflows/render-all.yml
  • Synced local config_automation.yml with remote config_automation.yml

This PR was created automatically by the repo-file-sync-action workflow run #15499754522

@github-actions

github-actions bot commented Jun 6, 2025

OTTR Check Results

Summary

  • Spelling check: ✅ PASSED (0 errors found, threshold: 0)
  • URL check: ✅ PASSED (0 errors found, threshold: 0)

🎉 All checks passed!

Last Updated: 2025-06-06-21:07:01

Comment on lines +10 to +26
name: Load user automation choices
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0

# Use the yaml-env-action action.
- name: Load environment from YAML
uses: doughepi/yaml-env-action@v1.0.0
with:
files: config_automation.yml # Pass a space-separated list of configuration files. Rightmost files take precedence.
outputs:
toggle_url_check_periodically: "${{ env.URL_CHECK_PERIODICALLY }}"

url-check:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block at the root level of the workflow to define the minimum required permissions for the GITHUB_TOKEN. Based on the operations in the workflow, the following permissions are needed:

  • contents: write for committing and pushing changes to the repository.
  • pull-requests: write if the workflow interacts with pull requests (e.g., adding labels or comments).
  • actions: read for accessing workflow artifacts or listing workflows.

We will add these permissions to the workflow file, ensuring that no unnecessary permissions are granted.


Suggested changeset 1
.github/workflows/check-url.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check-url.yml b/.github/workflows/check-url.yml
--- a/.github/workflows/check-url.yml
+++ b/.github/workflows/check-url.yml
@@ -2,2 +2,6 @@
 
+permissions:
+  contents: write
+  pull-requests: write
+
 on:
EOF
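Review bot: the permission set in this hunk does not match the steps of the workflow it is patching: nothing in check-url.yml touches pull requests, so `pull-requests: write` is unneeded, while the `JasonEtco/create-an-issue@v2` step runs with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and will fail without `issues: write`. Putting the block at the workflow root also hands `contents: write` to the `set-up` job, which only checks out the repository and reads `config_automation.yml`; suggest `contents: read` at the root and a job-level block with `contents: write` and `issues: write` on `url-check`. Note that this changeset and the one suggested for the second alert both insert at line 2 of the same file and cannot both be applied.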
Copilot is powered by AI and may make mistakes. Always verify output.
Comment on lines +27 to +117
name: Check URLs
needs: set-up
if: ${{needs.set-up.outputs.toggle_url_check_periodically == 'true'}}
runs-on: ubuntu-latest
container:
image: jhudsl/base_ottr:main

steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0

# Delete the branch if this has been run before
- name: Delete branch locally and remotely
run: git push origin --delete preview-spell-error || echo "No branch to delete"

# Make the branch fresh
- name: Make the branch fresh
run: |
git config --global --add safe.directory $GITHUB_WORKSPACE
git config --global user.name 'github-actions[bot]'
git config --global user.email 'github-actions[bot]@users.noreply.github.com'
echo branch doesnt exist
git checkout -b preview-spell-error || echo branch exists
git push --set-upstream origin preview-spell-error || echo echo branch exists remotely
shell: bash

- name: Run the check
uses: ottrproject/ottr-reports@main
id: check_results
continue-on-error: true
with:
check_type: urls
error_min: 1

- name: Declare file path and time
id: check-report
run: |
error_num=$(cat check_reports/url_checks.tsv | wc -l)
error_num="$((error_num-1))"
echo "error_num=$error_num" >> $GITHUB_OUTPUT
echo "error_url=https://github.com/${GITHUB_REPOSITORY}/blob/preview-spell-error/check_reports/url_checks.tsv" >> $GITHUB_OUTPUT
shell: bash

- name: Stop if failure
if: steps.check_results.outcome == 'failure'
run: exit 1

- name: Print out error variables
run: |
echo ${{ steps.check-report.outputs.error_url }}
echo ${{ steps.check-report.outputs.error_num }}
# Commit file
- name: Commit spell check file
if: ${{ steps.check-report.outputs.error_num >= 1 }}
env:
GH_PAT: ${{ secrets.GH_PAT }}
run: |
git add --force check_reports/url_checks.tsv
git commit -m 'Add spell check file' || echo "No changes to commit"
git push --set-upstream origin preview-spell-error || echo echo branch exists remotely
- name: Find issues
id: find-issue
env:
GH_PAT: ${{ secrets.GH_PAT }}
run: |
echo "$GITHUB_REPOSITORY"
curl -o find_issue.R https://raw.githubusercontent.com/ottrproject/ottr-reports/main/scripts/find_issue.R
issue_exists=$(Rscript --vanilla find_issue.R --repo $GITHUB_REPOSITORY --git_pat $GH_PAT)
echo URL issue exists: $issue_exists
echo "issue_existence=$issue_exists" >> $GITHUB_OUTPUT
- name: If too many URL errors, then make an issue
if: ${{ steps.check-report.outputs.error_num >= 1 && steps.find-issue.outputs.issue_existence == 0}}
uses: JasonEtco/create-an-issue@v2
with:
filename: .github/ISSUE_TEMPLATE/url-error.md
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
FILE_URL: ${{ steps.check-report.outputs.error_url }}
ERROR_NUM: ${{ steps.check-report.outputs.error_num }}

- name: If no URL errors than delete the branch we made
if: ${{ steps.check-report.outputs.error_num < 1 }}
run: |
git config --system --add safe.directory "$GITHUB_WORKSPACE"
git push origin --delete preview-spell-error || echo "No branch to delete"

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we need to explicitly define the permissions required for the workflow. Since the workflow performs actions like checking out the repository, committing files, pushing branches, and creating issues, we should grant the minimal necessary permissions. Specifically:

  1. Add a permissions block at the root of the workflow to define the default permissions for all jobs.
  2. Set contents: write to allow committing and pushing changes to the repository.
  3. Set issues: write to allow creating issues.
  4. Set other permissions to read or omit them if not required.

The permissions block will be added at the root level of the workflow to ensure all jobs inherit these permissions unless overridden.


Suggested changeset 1
.github/workflows/check-url.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/check-url.yml b/.github/workflows/check-url.yml
--- a/.github/workflows/check-url.yml
+++ b/.github/workflows/check-url.yml
@@ -2,2 +2,6 @@
 
+permissions:
+  contents: write
+  issues: write
+
 on:
EOF
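Review bot: of the two changesets suggested for check-url.yml, this is the one whose permissions match the job: `contents: write` covers the `git push` of `preview-spell-error` (the push runs on the credentials persisted by `actions/checkout@v3`, i.e. `GITHUB_TOKEN`; the `GH_PAT` env var is exported but never wired into the git remote), and `issues: write` covers `JasonEtco/create-an-issue@v2`, which is given `secrets.GITHUB_TOKEN`. The block still belongs on the `url-check` job rather than the workflow root, with `contents: read` for `set-up`; apply this patch or the earlier one, not both, since both insert at line 2.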
Comment on lines +31 to +90
name: Build Docker image
runs-on: ubuntu-latest

steps:
- name: checkout repo
uses: actions/checkout@v4

- name: Verify Dockerfiles changed?
uses: tj-actions/verify-changed-files@v17
id: verify-changed-files
with:
files: |
${{ inputs.directory }}/Dockerfile
${{ inputs.directory }}/github_package_list.tsv
- name: Login as jhudsl-robot
run: |
git config --local user.email "itcrtrainingnetwork@gmail.com"
git config --local user.name "jhudsl-robot"
# Set up Docker build
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1

# Setup layer cache
- name: Cache Docker layers
uses: actions/cache@v2
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Set up Docker Build
uses: docker/setup-buildx-action@v1

- name: Get token
run: echo ${{ secrets.GH_PAT }} > ${{ inputs.directory }}/git_token.txt

- name: Build Docker image
uses: docker/build-push-action@v2
with:
push: false
load: true
context: ${{ inputs.directory }}
file: ${{ inputs.directory }}/Dockerfile
tags: ${{ inputs.tag }}

# Login to Dockerhub
- name: Login to DockerHub
if: ${{ inputs.dockerhubpush != 'false' }}
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

# Push the Docker image if set to true from a manual trigger
- name: Push Docker image if manual trigger set to true
if: ${{ inputs.dockerhubpush != 'false' }}
run: docker push ${{ inputs.tag }}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we need to add a permissions block to the workflow. This block should specify the minimal permissions required for the workflow to function correctly. Based on the operations performed in the workflow, the contents: read permission is sufficient, as the workflow primarily reads repository contents and does not perform write operations. The permissions block should be added at the root level of the workflow to apply to all jobs.

Suggested changeset 1
.github/workflows/docker-test.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml
--- a/.github/workflows/docker-test.yml
+++ b/.github/workflows/docker-test.yml
@@ -4,2 +4,4 @@
 name: Build Docker Image
+permissions:
+  contents: read
 
EOF
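Review bot: `contents: read` is the right floor for this job, because its only pushes go to Docker Hub with `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN`, not with `GITHUB_TOKEN`. The larger exposure sits outside the hunk: the `Get token` step writes `${{ secrets.GH_PAT }}` into `${{ inputs.directory }}/git_token.txt` inside the build context, from where it can be copied into an image layer; pass it to `docker/build-push-action` through its `secrets` or `secret-files` input (BuildKit build secrets, not persisted in layers) and delete the file step. Minor: `docker/setup-buildx-action@v1` is run twice in this job; the second copy can go.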
Comment on lines +89 to +114
name: Style code
needs: yaml-check
if: ${{needs.yaml-check.outputs.toggle_url_check == 'yes'}}
uses: jhudsl/ottr-reports/.github/workflows/report-maker.yml@main
with:
check_type: urls
error_min: 0
secrets:
gh_pat: ${{ secrets.GH_PAT }}

render-preview:
name: Render preview
needs: [yaml-check, build-collection]
runs-on: ubuntu-latest
if: ${{needs.yaml-check.outputs.toggle_style_code == 'true'}}
container:
image: ${{needs.yaml-check.outputs.rendering_docker_image}}
if: ${{needs.yaml-check.outputs.toggle_render_preview == 'yes'}}
image: jhudsl/base_ottr:main

steps:
- name: Checkout files
uses: actions/checkout@v4
with:
fetch-depth: 0

# Set up git checkout
- name: Set up git checkout
- name: Run styler
run: Rscript -e "styler::style_file(list.files(pattern = '(R|q)md$', recursive = FALSE, full.names = TRUE));warnings()"

- name: Commit styled files
run: |
git config --system --add safe.directory "$GITHUB_WORKSPACE"
git config --local user.email "itcrtrainingnetwork@gmail.com"
git config --local user.name "jhudsl-robot"
branch_name='preview-${{ github.event.pull_request.number }}'
git fetch --all
git checkout $branch_name
git merge -s recursive --strategy-option=theirs origin/${{ github.head_ref }} --allow-unrelated-histories
shell: bash

# We want a fresh run of the renders each time
- name: Delete old docs/*
run: rm -rf docs/*

# Now we want to render Rmd -> html
- name: Convert Rmd to html
id: bookdown
run: |
Rscript scripts/build.R
# Run TOC-less version
# Rendered content for Leanpub and Coursera is very similar.
# This job creates a shared scaffold for both.
- name: Run TOC-less version of render
id: tocless
run: Rscript -e "devtools::install_github('jhudsl/ottrpal', upgrade = 'never'); ottrpal::render_without_toc()"
env:
GITHUB_PAT: ${{ secrets.GH_PAT }}

# This checks on the steps before it and makes sure that they completed.
# If the renders didn't complete we don't want to commit the file changes
- name: Check on render steps
if: steps.bookdown.outcome != 'success' || steps.tocless.outcome != 'success'
run: |
echo Bookdown status ${{steps.bookdown.outcome}}
echo Toc-less status ${{steps.tocless.outcome}}
exit 1
git add \*md
git commit -m 'Style *mds' || echo "No changes to commit"
git push origin || echo "No changes to commit"
# Commit the rendered bookdown files
- name: Commit rendered bookdown files to preview branch
id: commit
run: |
branch_name='preview-${{ github.event.pull_request.number }}'
git diff origin/main -- docs >/dev/null && changes=true || changes=false
echo "changes=$changes" >> $GITHUB_OUTPUT
git add . --force
git commit -m 'Render preview' || echo "No changes to commit"
git pull --set-upstream origin $branch_name --allow-unrelated-histories --strategy-option=ours
git push --force || echo "No changes to commit"
shell: bash
############################# Readability Report ###################################

- name: Find Comment
uses: peter-evans/find-comment@v2
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: latest commit
readability-report:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add an explicit permissions block to the style-code job. Since the job involves committing styled files back to the repository, it requires contents: write permissions. This change ensures that the job has only the permissions it needs, adhering to the principle of least privilege.


Suggested changeset 1
.github/workflows/pull_request.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -92,2 +92,4 @@
     if: ${{needs.yaml-check.outputs.toggle_style_code == 'true'}}
+    permissions:
+      contents: write
     container:
EOF
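Review bot: job-level `contents: write` matches the `git push origin` after `git commit -m 'Style *mds'` and the `git push --force` in the `Render preview` commit step, both of which run on the credentials persisted by `actions/checkout@v4`, i.e. `GITHUB_TOKEN`. Two caveats: on `pull_request` runs triggered from a fork the token is read-only regardless of this block, so those pushes will still fail there; and any `peter-evans/create-or-update-comment@v2` step that does not set an explicit `token` falls back to `GITHUB_TOKEN` and needs `pull-requests: write` in whichever job it lives in, which this hunk does not grant.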
Comment on lines +115 to +133
name: Readability report
needs: yaml-check
runs-on: ubuntu-latest
if: ${{needs.yaml-check.outputs.toggle_readability == 'true'}}

- name: Build components of the comment
id: build-components
run: |
course_name=$(head -n 1 _bookdown.yml | cut -d'"' -f 2| tr " " "-")
bookdown_link=$(echo "https://htmlpreview.github.io/?https://raw.githubusercontent.com/$GITHUB_REPOSITORY/preview-${{ github.event.pull_request.number }}/docs/index.html")
tocless_link=$(echo "https://htmlpreview.github.io/?https://raw.githubusercontent.com/$GITHUB_REPOSITORY/preview-${{ github.event.pull_request.number }}/docs/no_toc/index.html")
echo "bookdown_link=$bookdown_link" >> $GITHUB_OUTPUT
echo "tocless_link=$tocless_link" >> $GITHUB_OUTPUT
echo "time=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
echo "commit_id=$GITHUB_SHA" >> $GITHUB_OUTPUT
echo ${{steps.commit.outputs.changes}}
- name: Create or update comment
if: steps.commit.outputs.changes == 'true'
uses: peter-evans/create-or-update-comment@v2
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
Re-rendered previews from the latest commit:
- See [preview of Bookdown here](${{ steps.build-components.outputs.bookdown_link }})
- See [preview of Coursera/Leanpub version here](${{ steps.build-components.outputs.tocless_link }})
_Note that `DT::datatable()` content does not appear in preview._
_Updated at ${{ steps.build-components.outputs.time }} with changes from ${{ steps.build-components.outputs.commit_id }}_
edit-mode: replace

- name: Comment if no changes
if: steps.commit.outputs.changes == 'false'
uses: peter-evans/create-or-update-comment@v2
fetch-depth: 0

- name: Readability report
uses: Rebilly/lexi@v2
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
The latest commit did not produce rendering changes.
github-token: ${{ secrets.GH_PAT }}
glob: '**/*.md'

_Updated at ${{ steps.build-components.outputs.time }} with changes from ${{ steps.build-components.outputs.commit_id }}_
edit-mode: replace
############################# Render Preview ###################################
render-preview:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block to the readability-report job. Based on the job's functionality, it likely only needs contents: read to access the repository's files for analysis. This change will explicitly limit the permissions of the GITHUB_TOKEN to the minimum required, adhering to the principle of least privilege.


Suggested changeset 1
.github/workflows/pull_request.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -118,2 +118,4 @@
     if: ${{needs.yaml-check.outputs.toggle_readability == 'true'}}
+    permissions:
+      contents: read
 
EOF
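Review bot: `contents: read` is enough only if nothing in `readability-report` comments on the PR with the default token; the visible `Rebilly/lexi@v2` step is handed `github-token: ${{ secrets.GH_PAT }}`, so it does not depend on `GITHUB_TOKEN`, but a `peter-evans/create-or-update-comment@v2` step without an explicit `token` in this job would need `pull-requests: write` as well. The autofix text only says the job "likely" needs read; confirm it against the job's steps before merging rather than accepting the guess.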
Comment on lines +19 to +34
name: Load user automation choices
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

# Use the yaml-env-action action.
- name: Load environment from YAML
uses: doughepi/yaml-env-action@v1.0.0
with:
files: config_automation.yml # Pass a space-separated list of configuration files. Rightmost files take precedence.
outputs:
toggle_website: "${{ env.RENDER_WEBSITE }}"
rendering_docker_image: "${{ env.RENDERING_DOCKER_IMAGE }}"

render-website:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we need to add a permissions block to the workflow or individual jobs to restrict the GITHUB_TOKEN permissions to the minimum required. Based on the workflow's functionality, the contents: read permission is sufficient for the yaml-check job, and the render-website job may require additional permissions depending on its interaction with repository contents.

The fix involves:

  1. Adding a permissions block at the workflow level or job level.
  2. Assigning contents: read to the yaml-check job.
  3. Assigning contents: read and any other necessary permissions to the render-website job.

Suggested changeset 1
.github/workflows/render-all.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/render-all.yml b/.github/workflows/render-all.yml
--- a/.github/workflows/render-all.yml
+++ b/.github/workflows/render-all.yml
@@ -20,2 +20,4 @@
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
@@ -37,3 +39,4 @@
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
     steps:
EOF
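Review bot: for the first hunk (`@@ -20,2 +20,4 @@`), job-level `contents: read` on `yaml-check` is correct and is the better shape than the root-level block proposed in the other changeset for this file, since the job only runs `actions/checkout@v4` and `doughepi/yaml-env-action@v1.0.0` over `config_automation.yml`. Applying both changesets is harmless but redundant; pick the job-level one.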
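Review bot: for the second hunk (`@@ -37,3 +39,4 @@`), `contents: read` on `render-website` is safe because both its checkout and the `ottrproject/ottr-preview@main` step take `token: ${{ secrets.GH_PAT }}`, so any push rides on the PAT rather than `GITHUB_TOKEN`; the autofix text's hint that this job "may require additional permissions" is not borne out by the visible steps. The dropped blank line after `runs-on:` is cosmetic. The credential worth scoping here is `GH_PAT` itself: a fine-grained token limited to this repository with contents write would match what the job actually does.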
Comment on lines +35 to +53
name: Render website
needs: yaml-check
runs-on: ubuntu-latest

steps:
- name: checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.GH_PAT }}

- name: Run render
id: render
uses: ottrproject/ottr-preview@main
with:
toggle_website: ${{needs.yaml-check.outputs.toggle_website}}
preview: false
token: ${{ secrets.GH_PAT }}
docker_image: ${{needs.yaml-check.outputs.rendering_docker_image}}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block at the root level of the workflow to explicitly define the minimal permissions required. Based on the workflow's operations, it primarily interacts with repository contents (e.g., checking out code and rendering the website). Therefore, we will set contents: read as the minimal permission. If additional permissions are required in the future, they can be added explicitly.


Suggested changeset 1
.github/workflows/render-all.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/render-all.yml b/.github/workflows/render-all.yml
--- a/.github/workflows/render-all.yml
+++ b/.github/workflows/render-all.yml
@@ -4,2 +4,4 @@
 name: Render website
+permissions:
+  contents: read
 
EOF
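Review bot: a root-level `contents: read` is fine for the two jobs shown (`yaml-check` only loads the config, `render-website` pushes with `GH_PAT`), but it duplicates the job-level blocks in the other changeset for render-all.yml; merge one or the other. Because a root block lowers the default for every job that does not override it, also check that no other job in this file relies on write access from `GITHUB_TOKEN` before applying it.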
@github-actions

github-actions bot commented Jun 6, 2025

Re-rendered previews from the latest commit:

* Note that not all HTML features will be properly displayed in the "quick preview", but it will give you a rough idea.

Updated at 2025-06-06 with changes from the latest commit 7d4ed10

@jhudsl-robot jhudsl-robot force-pushed the repo-sync/OTTR_Template_Website/default branch from 670d62d to 89a595b Compare June 6, 2025 21:06
Comment on lines +35 to +53
name: Render website
needs: yaml-check
uses: ./.github/workflows/build-collection.yml
with:
render-type: 'main'
repository: $GITHUB_REPOSITORY
image-name: ${{needs.yaml-check.outputs.rendering_docker_image}}
secrets:
gh_pat: ${{ secrets.GH_PAT }}

render-main:
runs-on: ubuntu-latest
# install.packages("remotes") # in case we decide not to go with the container...
# remotes::install_cran("rmarkdown")
# remotes::install_deps(dependencies = TRUE)
needs: [yaml-check, build-collection]
container:
image: ${{needs.yaml-check.outputs.rendering_docker_image}}
# Steps represent a sequence of tasks that will be executed as part of the job

steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- name: checkout
uses: actions/checkout@v4
with:
# get the full repo
fetch-depth: 0
# use github PAT
token: ${{ secrets.GH_PAT }}

# We want a fresh run of the renders each time
- name: Delete old docs/*
run: rm -rf docs/*

# Now we want to render Rmd -> html
- name: Convert Rmd to html
id: bookdown
run: |
Rscript scripts/build.R
# Run TOC-less version
# Rendered content for Leanpub and Coursera is very similar.
# This job creates a shared scaffold for both.
- name: Run TOC-less version of render
id: tocless
run: Rscript -e "devtools::install_github('jhudsl/ottrpal', upgrade = 'never'); ottrpal::render_without_toc()"
env:
GITHUB_PAT: ${{ secrets.gh_pat }}

# Commit the rendered site files - html files and site_libs files
- name: Commit rendered site files
run: |
git config --global --add safe.directory ${GITHUB_WORKSPACE}
git config --local user.email "actions@github.com"
git config --local user.name "GitHub Actions"
git config --global pull.ff true
git add . --force
git commit -m 'Render site' || echo "No changes to commit"
git pull --allow-unrelated-histories --strategy-option=ours
git push origin main || echo "No changes to push"
- name: Run render
id: render
uses: ottrproject/ottr-preview@main
with:
toggle_website: ${{needs.yaml-check.outputs.toggle_website}}
preview: false
token: ${{ secrets.GH_PAT }}
docker_image: ${{needs.yaml-check.outputs.rendering_docker_image}}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 6 months ago

To fix the issue, we will add a permissions block at the root of the workflow to define the least privileges required. Based on the workflow's operations, it primarily interacts with repository contents (e.g., checking out the repository and rendering the website). Therefore, we will set contents: read as the minimal permission. If additional permissions are required for specific steps, they can be added later.


Suggested changeset 1
.github/workflows/render-site.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/render-site.yml b/.github/workflows/render-site.yml
--- a/.github/workflows/render-site.yml
+++ b/.github/workflows/render-site.yml
@@ -4,2 +4,4 @@
 name: Render website
+permissions:
+  contents: read
 
EOF
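Review bot: a root-level `contents: read` also caps what the reusable workflow called by the `render-website` job (`uses: ./.github/workflows/build-collection.yml`) can obtain from `GITHUB_TOKEN`, since a called workflow's token permissions can be at most the caller's; that is fine only if build-collection.yml does its pushes with the `gh_pat` secret it is passed, so check it before merging. The `render-main` job is unaffected, as its checkout uses `token: ${{ secrets.GH_PAT }}` and `git push origin main` runs on that PAT. Worth a separate issue: that job stages everything with `git add . --force` and pulls with `--strategy-option=ours` before pushing straight to `main`, which resolves any conflict in favour of the runner's copy and silently discards the upstream side.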