diff --git a/.github/workflows/README.md b/.github/workflows/README.md index cc4a94d..101967e 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md @@ -46,8 +46,11 @@ This workflow has two caches; one cache is for the lesson infrastructure and the other is for the the lesson dependencies if the lesson contains rendered content. These caches are invalidated by new versions of the infrastructure and the `renv.lock` file, respectively. If there is a problem with the cache, -manual invaliation is necessary and can be done by setting the `CACHE_VERSION` -secret to the current date. +manual invaliation is necessary. You will need maintain access to the repository +and you can either go to the actions tab and [click on the caches button to find +and invalidate the failing cache](https://github.blog/changelog/2022-10-20-manage-caches-in-your-actions-workflows-from-web-interface/) +or by setting the `CACHE_VERSION` secret to the current date (which will +invalidate all of the caches). ## Updates @@ -86,24 +89,25 @@ will do the following: 1. check the recorded version of sandpaper against the current version on github 2. update the files if there is a difference in versions -After the files are updated, a pull request is created if there are any changes. -Maintainers are encouraged to review the changes and accept the pull request. +After the files are updated, if there are any changes, they are pushed to a +branch called `update/workflows` and a pull request is created. Maintainers are +encouraged to review the changes and accept the pull request if the outputs +are okay. This update is run ~~weekly or~~ on demand. -TODO: - - perform check if a pull request exists before creating pull request - ### 03 Maintain: Update Pacakge Cache (update-cache.yaml) For lessons that have generated content, we use {renv} to ensure that the output is stable. This is controlled by a single lockfile which documents the packages -needed for the lesson and the version numbers. +needed for the lesson and the version numbers. This workflow is skipped in +lessons that do not have generated content. Because the lessons need to remain current with the package ecosystem, it's a good idea to make sure these packages can be updated periodically. The -update cache workflow will do this by checking for updates, applying them and -creating a pull request with _only the lockfile changed_. +update cache workflow will do this by checking for updates, applying them in a +branch called `updates/packages` and creating a pull request with _only the +lockfile changed_. From here, the markdown documents will be rebuilt and you can inspect what has changed based on how the packages have updated. @@ -143,6 +147,11 @@ pull request. GitHub has safeguarded the token used in this workflow to have no priviledges in the repository, but we have taken precautions to protect against spoofing. +This workflow is triggered with every push to a pull request. If this workflow +is already running and a new push is sent to the pull request, the workflow +running from the previous push will be cancelled and a new workflow run will be +started. + The first step of this workflow is to check if it is valid (e.g. that no workflow files have been modified). If there are workflow files that have been modified, a comment is made that indicates that the workflow is not run. If @@ -156,7 +165,7 @@ request. This builds the content and uploads three artifacts: 3. The rendered files (build) Because this workflow builds generated content, it follows the same general -process as the sandpaper-main workflow with the same caching mechanisms. +process as the `sandpaper-main` workflow with the same caching mechanisms. The artifacts produced are used by the next workflow. @@ -172,7 +181,7 @@ The steps in this workflow are: 3. If it is valid: update the pull request comment with the summary of changes Importantly: if the pull request is invalid, the branch is not created so any -malicious code is not published. +malicious code is not published. From here, the maintainer can request changes from the author and eventually either merge or reject the PR. When this happens, if the PR was valid, the diff --git a/.github/workflows/deploy-aws.yaml b/.github/workflows/deploy-aws.yaml deleted file mode 100644 index d154a7d..0000000 --- a/.github/workflows/deploy-aws.yaml +++ /dev/null @@ -1,60 +0,0 @@ -name: "Deploy to AWS" - -on: - workflow_run: - workflows: ["01 Build and Deploy Site"] - types: - - completed - workflow_dispatch: - -jobs: - preflight: - name: "Preflight Check" - runs-on: ubuntu-latest - outputs: - ok: ${{ steps.check.outputs.ok }} - folder: ${{ steps.check.outputs.folder }} - steps: - - id: check - run: | - if [[ -z "${{ secrets.AWS_S3_BUCKET }}" || -z "${{ secrets.AWS_ACCESS_KEY_ID }}" || -z "${{ secrets.AWS_SECRET_ACCESS_KEY }}" ]]; then - echo ":information_source: No site configured" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "To deploy on AWS, you need the `AWS_S3_BUCKET`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_ACCESS_KEY` secrets set up" >> $GITHUB_STEP_SUMMARY - else - echo "::set-output name=folder::"$(sed -E 's^.+/(.+)^\1^' <<< ${{ github.repository }}) - echo "::set-output name=ok::true" - fi - - full-build: - name: "Deploy to AWS" - needs: [preflight] - if: ${{ needs.preflight.outputs.ok }} - runs-on: ubuntu-latest - steps: - - - name: "Checkout site folder" - uses: actions/checkout@v3 - with: - ref: 'gh-pages' - path: 'source' - - - name: "Deploy to Bucket" - uses: jakejarvis/s3-sync-action@v0.5.1 - with: - args: --acl public-read --follow-symlinks --delete --exclude '.git/*' - env: - AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - SOURCE_DIR: 'source' - DEST_DIR: ${{ needs.preflight.outputs.folder }} - - - name: "Invalidate CloudFront" - uses: chetan/invalidate-cloudfront-action@master - env: - PATHS: /* - AWS_REGION: 'us-east-1' - DISTRIBUTION: ${{ secrets.DISTRIBUTION }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/pr-close-signal.yaml b/.github/workflows/pr-close-signal.yaml index 9c5a603..9b129d5 100644 --- a/.github/workflows/pr-close-signal.yaml +++ b/.github/workflows/pr-close-signal.yaml @@ -16,8 +16,8 @@ jobs: mkdir -p ./pr printf ${{ github.event.number }} > ./pr/NUM - name: Upload Diff - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: - name: pr + name: pr path: ./pr diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/pr-comment.yaml index dff6e26..bb2eb03 100644 --- a/.github/workflows/pr-comment.yaml +++ b/.github/workflows/pr-comment.yaml @@ -8,6 +8,11 @@ on: types: - completed +concurrency: + group: pr-${{ github.event.workflow_run.pull_requests[0].number }} + cancel-in-progress: true + + jobs: # Pull requests are valid if: # - they match the sha of the workflow run head commit @@ -16,8 +21,8 @@ jobs: test-pr: name: "Test if pull request is valid" runs-on: ubuntu-latest - if: > - github.event.workflow_run.event == 'pull_request' && + if: > + github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' outputs: is_valid: ${{ steps.check-pr.outputs.VALID }} @@ -37,7 +42,7 @@ jobs: id: get-pr run: | unzip pr.zip - echo "::set-output name=NUM::$(<./NR)" + echo "NUM=$(<./NR)" >> $GITHUB_OUTPUT - name: "Fail if PR number was not present" id: bad-pr @@ -48,7 +53,9 @@ jobs: - name: "Get Invalid Hashes File" id: hash run: | - echo "::set-output name=json::"$(curl -sL https://files.carpentries.org/invalid-hashes.json) + echo "json<> $GITHUB_OUTPUT - name: "Check PR" id: check-pr if: ${{ steps.dl.outputs.success == 'true' }} @@ -56,6 +63,7 @@ jobs: with: pr: ${{ steps.get-pr.outputs.NUM }} sha: ${{ github.event.workflow_run.head_sha }} + headroom: 3 # if it's within the last three commits, we can keep going, because it's likely rapid-fire invalid: ${{ fromJSON(steps.hash.outputs.json)[github.repository] }} fail_on_error: true @@ -70,9 +78,11 @@ jobs: if: ${{ needs.test-pr.outputs.is_valid == 'true' }} env: NR: ${{ needs.test-pr.outputs.number }} + permissions: + contents: write steps: - name: 'Checkout md outputs' - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v3 with: ref: md-outputs path: built @@ -96,11 +106,11 @@ jobs: git config --local user.name "GitHub Actions" CURR_HEAD=$(git rev-parse HEAD) git checkout --orphan md-outputs-PR-${NR} - git add -A + git add -A git commit -m "source commit: ${CURR_HEAD}" - ls -A | grep -v '^.git' | xargs rm -r + ls -A | grep -v '^.git$' | xargs -I _ rm -r '_' cd .. - unzip -d built built.zip + unzip -o -d built built.zip cd built git add -A git commit --allow-empty -m "differences for PR #${NR}" @@ -114,6 +124,8 @@ jobs: if: ${{ needs.test-pr.outputs.is_valid == 'true' }} env: NR: ${{ needs.test-pr.outputs.number }} + permissions: + pull-requests: write steps: - name: 'Download comment artifact' id: dl @@ -121,7 +133,7 @@ jobs: with: run: ${{ github.event.workflow_run.id }} name: 'diff' - + - if: ${{ steps.dl.outputs.success == 'true' }} run: unzip ${{ github.workspace }}/diff.zip @@ -130,7 +142,7 @@ jobs: if: ${{ steps.dl.outputs.success == 'true' }} uses: carpentries/actions/comment-diff@main with: - pr: ${{ env.NR }} + pr: ${{ env.NR }} path: ${{ github.workspace }}/diff.md # Comment if the PR is open and matches the SHA, but the workflow files have @@ -143,6 +155,8 @@ jobs: env: NR: ${{ github.event.workflow_run.pull_requests[0].number }} body: ${{ needs.test-pr.outputs.msg }} + permissions: + pull-requests: write steps: - name: 'Check for spoofing' id: dl diff --git a/.github/workflows/pr-post-remove-branch.yaml b/.github/workflows/pr-post-remove-branch.yaml index 2225f12..62c2e98 100644 --- a/.github/workflows/pr-post-remove-branch.yaml +++ b/.github/workflows/pr-post-remove-branch.yaml @@ -13,6 +13,8 @@ jobs: if: > github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' + permissions: + contents: write steps: - name: 'Download artifact' uses: carpentries/actions/download-workflow-artifact@main @@ -23,7 +25,7 @@ jobs: id: get-pr run: | unzip pr.zip - echo "::set-output name=NUM::$(<./NUM)" + echo "NUM=$(<./NUM)" >> $GITHUB_OUTPUT - name: 'Remove branch' uses: carpentries/actions/remove-branch@main with: diff --git a/.github/workflows/pr-preflight.yaml b/.github/workflows/pr-preflight.yaml index 47d5b03..d0d7420 100644 --- a/.github/workflows/pr-preflight.yaml +++ b/.github/workflows/pr-preflight.yaml @@ -14,11 +14,15 @@ jobs: runs-on: ubuntu-latest outputs: is_valid: ${{ steps.check-pr.outputs.VALID }} + permissions: + pull-requests: write steps: - name: "Get Invalid Hashes File" id: hash run: | - echo "::set-output name=json::"$(curl -sL https://files.carpentries.org/invalid-hashes.json) + echo "json<> $GITHUB_OUTPUT - name: "Check PR" id: check-pr uses: carpentries/actions/check-valid-pr@main diff --git a/.github/workflows/pr-receive.yaml b/.github/workflows/pr-receive.yaml index 0448e97..371ef54 100644 --- a/.github/workflows/pr-receive.yaml +++ b/.github/workflows/pr-receive.yaml @@ -5,6 +5,10 @@ on: types: [opened, synchronize, reopened] +concurrency: + group: ${{ github.ref }} + cancel-in-progress: true + jobs: test-pr: name: "Record PR number" @@ -21,17 +25,19 @@ jobs: - name: "Upload PR number" id: upload if: ${{ always() }} - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: pr path: ${{ github.workspace }}/NR - name: "Get Invalid Hashes File" id: hash run: | - echo "::set-output name=json::"$(curl -sL https://files.carpentries.org/invalid-hashes.json) + echo "json<> $GITHUB_OUTPUT - name: "echo output" run: | - echo ${{ steps.hash.outputs.json }} + echo "${{ steps.hash.outputs.json }}" - name: "Check PR" id: check-pr uses: carpentries/actions/check-valid-pr@main @@ -52,10 +58,10 @@ jobs: MD: ${{ github.workspace }}/site/built steps: - name: "Check Out Main Branch" - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: "Check Out Staging Branch" - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: ref: md-outputs path: ${{ env.MD }} @@ -68,8 +74,6 @@ jobs: - name: "Set up Pandoc" uses: r-lib/actions/setup-pandoc@v2 - with: - pandoc-version: "2.11.4" - name: "Setup Lesson Engine" uses: carpentries/actions/setup-sandpaper@main @@ -103,20 +107,20 @@ jobs: shell: Rscript {0} - name: "Upload PR" - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: pr path: ${{ env.PR }} - name: "Upload Diff" - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: diff path: ${{ env.CHIVE }} retention-days: 1 - + - name: "Upload Build" - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: built path: ${{ env.MD }} diff --git a/.github/workflows/sandpaper-main.yaml b/.github/workflows/sandpaper-main.yaml index 1e5ff0f..e17707a 100644 --- a/.github/workflows/sandpaper-main.yaml +++ b/.github/workflows/sandpaper-main.yaml @@ -32,7 +32,7 @@ jobs: steps: - name: "Checkout Lesson" - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: "Set up R" uses: r-lib/actions/setup-r@v2 @@ -42,8 +42,6 @@ jobs: - name: "Set up Pandoc" uses: r-lib/actions/setup-pandoc@v2 - with: - pandoc-version: "2.11.4" - name: "Setup Lesson Engine" uses: carpentries/actions/setup-sandpaper@main diff --git a/.github/workflows/sandpaper-version.txt b/.github/workflows/sandpaper-version.txt index 9b40aa6..4aa0906 100644 --- a/.github/workflows/sandpaper-version.txt +++ b/.github/workflows/sandpaper-version.txt @@ -1 +1 @@ -0.10.4 +0.11.15 diff --git a/.github/workflows/update-cache.yaml b/.github/workflows/update-cache.yaml index d16e7a3..676d742 100644 --- a/.github/workflows/update-cache.yaml +++ b/.github/workflows/update-cache.yaml @@ -21,16 +21,16 @@ jobs: - id: check run: | if [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then - echo "::set-output name=ok::true" + echo "ok=true" >> $GITHUB_OUTPUT echo "Running on request" # using single brackets here to avoid 08 being interpreted as octal # https://github.com/carpentries/sandpaper/issues/250 elif [ `date +%d` -le 7 ]; then # If the Tuesday lands in the first week of the month, run it - echo "::set-output name=ok::true" + echo "ok=true" >> $GITHUB_OUTPUT echo "Running on schedule" else - echo "::set-output name=ok::false" + echo "ok=false" >> $GITHUB_OUTPUT echo "Not Running Today" fi @@ -43,11 +43,11 @@ jobs: needed: ${{ steps.renv.outputs.exists }} steps: - name: "Checkout Lesson" - uses: actions/checkout@v2 + uses: actions/checkout@v3 - id: renv run: | if [[ -d renv ]]; then - echo "::set-output name=exists::true" + echo "exists=true" >> $GITHUB_OUTPUT fi check_token: @@ -76,7 +76,7 @@ jobs: steps: - name: "Checkout Lesson" - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: "Set up R" uses: r-lib/actions/setup-r@v2 @@ -93,17 +93,17 @@ jobs: - name: Create Pull Request id: cpr if: ${{ steps.update.outputs.n > 0 }} - uses: peter-evans/create-pull-request@v3.10.0 + uses: carpentries/create-pull-request@main with: token: ${{ secrets.SANDPAPER_WORKFLOW }} delete-branch: true - branch: "update-${{ steps.update.outputs.n }}-packages-${{ steps.update.outputs.date }}" + branch: "update/packages" commit-message: "[actions] update ${{ steps.update.outputs.n }} packages" title: "Update ${{ steps.update.outputs.n }} packages" body: | :robot: This is an automated build - This will update the following package versions in your lesson: + This will update ${{ steps.update.outputs.n }} packages in your lesson with the following versions: ``` ${{ steps.update.outputs.report }} @@ -114,12 +114,12 @@ jobs: If you want to inspect these changes locally, you can use the following code to check out a new branch: ```bash - git fetch origin update-${{ steps.update.outputs.n }}-packages-${{ steps.update.outputs.date }} - git checkout update-${{ steps.update.outputs.n }}-packages-${{ steps.update.outputs.date }} + git fetch origin update/packages + git checkout update/packages ``` - - Auto-generated by [create-pull-request][1] via ${{ github.event.inputs.name }} - - [1]: https://github.com/peter-evans/create-pull-request - labels: "type:package cache" + - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }} + + [1]: https://github.com/carpentries/create-pull-request/tree/main + labels: "type: package cache" draft: false diff --git a/.github/workflows/update-workflows.yaml b/.github/workflows/update-workflows.yaml index 1dbf438..288bcd1 100644 --- a/.github/workflows/update-workflows.yaml +++ b/.github/workflows/update-workflows.yaml @@ -36,22 +36,22 @@ jobs: if: ${{ needs.check_token.outputs.workflow == 'true' }} steps: - name: "Checkout Repository" - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Update Workflows id: update uses: carpentries/actions/update-workflows@main with: clean: ${{ github.event.inputs.clean }} - + - name: Create Pull Request id: cpr if: "${{ steps.update.outputs.new }}" - uses: peter-evans/create-pull-request@v3.10.0 + uses: carpentries/create-pull-request@main with: token: ${{ secrets.SANDPAPER_WORKFLOW }} delete-branch: true - branch: "update-workflows-version-${{ steps.update.outputs.new }}" + branch: "update/workflows" commit-message: "[actions] update sandpaper workflow to version ${{ steps.update.outputs.new }}" title: "Update Workflows to Version ${{ steps.update.outputs.new }}" body: | @@ -59,8 +59,8 @@ jobs: Update Workflows from sandpaper version ${{ steps.update.outputs.old }} -> ${{ steps.update.outputs.new }} - - Auto-generated by [create-pull-request][1] via ${{ github.event.inputs.name }} - - [1]: https://github.com/peter-evans/create-pull-request - labels: "type:template and tools" + - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }} + + [1]: https://github.com/carpentries/create-pull-request/tree/main + labels: "type: template and tools" draft: false