Merge pull request #3 from adamancer/update-workflows-version-0.16.12

Update Workflows to Version 0.16.12

Author: adamancer

.github/workflows/README.md

@@ -2,7 +2,7 @@
 
 This directory contains workflows to be used for Lessons using the {sandpaper}
 lesson infrastructure. Two of these workflows require R (`sandpaper-main.yaml`
-and `pr-recieve.yaml`) and the rest are bots to handle pull request management.
+and `pr-receive.yaml`) and the rest are bots to handle pull request management.
 
 These workflows will likely change as {sandpaper} evolves, so it is important to
 keep them up-to-date. To do this in your lesson you can do the following in your
@@ -43,11 +43,14 @@ This workflow does the following:
 #### Caching
 
 This workflow has two caches; one cache is for the lesson infrastructure and 
-the other is for the the lesson dependencies if the lesson contains rendered
+the other is for the lesson dependencies if the lesson contains rendered
 content. These caches are invalidated by new versions of the infrastructure and
 the `renv.lock` file, respectively. If there is a problem with the cache, 
-manual invaliation is necessary and can be done by setting the `CACHE_VERSION`
-secret to the current date.
+manual invaliation is necessary. You will need maintain access to the repository
+and you can either go to the actions tab and [click on the caches button to find
+and invalidate the failing cache](https://github.blog/changelog/2022-10-20-manage-caches-in-your-actions-workflows-from-web-interface/) 
+or by setting the `CACHE_VERSION` secret to the current date (which will
+invalidate all of the caches).
 
 ## Updates
 
@@ -56,15 +59,15 @@ secret to the current date.
 These workflows run on a schedule and at the maintainer's request. Because they
 create pull requests that update workflows/require the downstream actions to run,
 they need a special repository/organization secret token called 
-`SANDPAPER_WORKFLOW` and it must have the `repo` and `workflow` scope. 
+`SANDPAPER_WORKFLOW` and it must have the `public_repo` and `workflow` scope. 
 
 This can be an individual user token, OR it can be a trusted bot account. If you
 have a repository in one of the official Carpentries accounts, then you do not
 need to worry about this token being present because the Carpentries Core Team
 will take care of supplying this token.
 
 If you want to use your personal account: you can go to 
-<https://github.com/settings/tokens/new?scopes=repo,workflow&description=Sandpaper%20Token>
+<https://github.com/settings/tokens/new?scopes=public_repo,workflow&description=Sandpaper%20Token>
 to create a token. Once you have created your token, you should copy it to your
 clipboard and then go to your repository's settings > secrets > actions and
 create or edit the `SANDPAPER_WORKFLOW` secret, pasting in the generated token.
@@ -86,24 +89,25 @@ will do the following:
 1. check the recorded version of sandpaper against the current version on github
 2. update the files if there is a difference in versions
 
-After the files are updated, a pull request is created if there are any changes.
-Maintainers are encouraged to review the changes and accept the pull request.
+After the files are updated, if there are any changes, they are pushed to a
+branch called `update/workflows` and a pull request is created. Maintainers are
+encouraged to review the changes and accept the pull request if the outputs
+are okay.
 
-This update is run ~~weekly or~~ on demand.
+This update is run weekly or on demand.
 
-TODO: 
-  - perform check if a pull request exists before creating pull request
-
-### 03 Maintain: Update Pacakge Cache (update-cache.yaml)
+### 03 Maintain: Update Package Cache (update-cache.yaml)
 
 For lessons that have generated content, we use {renv} to ensure that the output
 is stable. This is controlled by a single lockfile which documents the packages
-needed for the lesson and the version numbers.
+needed for the lesson and the version numbers. This workflow is skipped in 
+lessons that do not have generated content.
 
 Because the lessons need to remain current with the package ecosystem, it's a
 good idea to make sure these packages can be updated periodically. The 
-update cache workflow will do this by checking for updates, applying them and
-creating a pull request with _only the lockfile changed_. 
+update cache workflow will do this by checking for updates, applying them in a
+branch called `updates/packages` and creating a pull request with _only the
+lockfile changed_. 
 
 From here, the markdown documents will be rebuilt and you can inspect what has
 changed based on how the packages have updated. 
@@ -136,13 +140,18 @@ Once the checks are finished, a comment is issued to the pull request, which
 will allow maintainers to determine if it is safe to run the 
 "Receive Pull Request" workflow from new contributors.
 
-### Recieve Pull Request (pr-recieve.yaml)
+### Receive Pull Request (pr-receive.yaml)
 
 **Note of caution:** This workflow runs arbitrary code by anyone who creates a
 pull request. GitHub has safeguarded the token used in this workflow to have no
 priviledges in the repository, but we have taken precautions to protect against
 spoofing.
 
+This workflow is triggered with every push to a pull request. If this workflow
+is already running and a new push is sent to the pull request, the workflow
+running from the previous push will be cancelled and a new workflow run will be
+started.
+
 The first step of this workflow is to check if it is valid (e.g. that no
 workflow files have been modified). If there are workflow files that have been
 modified, a comment is made that indicates that the workflow is not run. If 
@@ -156,13 +165,13 @@ request. This builds the content and uploads three artifacts:
 3. The rendered files (build)
 
 Because this workflow builds generated content, it follows the same general 
-process as the sandpaper-main workflow with the same caching mechanisms.
+process as the `sandpaper-main` workflow with the same caching mechanisms.
 
 The artifacts produced are used by the next workflow.
 
 ### Comment on Pull Request (pr-comment.yaml)
 
-This workflow is triggered if the `pr-recieve.yaml` workflow is successful.
+This workflow is triggered if the `pr-receive.yaml` workflow is successful.
 The steps in this workflow are:
 
 1. Test if the workflow is valid and comment the validity of the workflow to the
@@ -172,7 +181,7 @@ The steps in this workflow are:
 3. If it is valid: update the pull request comment with the summary of changes
 
 Importantly: if the pull request is invalid, the branch is not created so any
-malicious code is not published. 
+malicious code is not published.
 
 From here, the maintainer can request changes from the author and eventually 
 either merge or reject the PR. When this happens, if the PR was valid, the 

.github/workflows/pr-close-signal.yaml

@@ -8,16 +8,15 @@ on:
 jobs:
   send-close-signal:
     name: "Send closing signal"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: ${{ github.event.action == 'closed' }}
     steps:
       - name: "Create PRtifact"
         run: |
           mkdir -p ./pr
           printf ${{ github.event.number }} > ./pr/NUM
       - name: Upload Diff
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
-          name: pr 
+          name: pr
           path: ./pr
-

.github/workflows/pr-comment.yaml

@@ -8,15 +8,22 @@ on:
     types:
       - completed
 
+concurrency:
+  group: pr-${{ github.event.workflow_run.pull_requests[0].number }}
+  cancel-in-progress: true
+
+
 jobs:
   # Pull requests are valid if:
   #  - they match the sha of the workflow run head commit
   #  - they are open
   #  - no .github files were committed
   test-pr:
     name: "Test if pull request is valid"
-    runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-22.04
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
     outputs:
       is_valid: ${{ steps.check-pr.outputs.VALID }}
       payload: ${{ steps.check-pr.outputs.payload }}
@@ -35,7 +42,7 @@ jobs:
         id: get-pr
         run: |
           unzip pr.zip
-          echo "::set-output name=NUM::$(<./NR)"
+          echo "NUM=$(<./NR)" >> $GITHUB_OUTPUT
 
       - name: "Fail if PR number was not present"
         id: bad-pr
@@ -46,14 +53,17 @@ jobs:
       - name: "Get Invalid Hashes File"
         id: hash
         run: |
-          echo "::set-output name=json::"$(curl -sL https://files.carpentries.org/invalid-hashes.json)
+          echo "json<<EOF
+          $(curl -sL https://files.carpentries.org/invalid-hashes.json)
+          EOF" >> $GITHUB_OUTPUT
       - name: "Check PR"
         id: check-pr
         if: ${{ steps.dl.outputs.success == 'true' }}
         uses: carpentries/actions/check-valid-pr@main
         with:
           pr: ${{ steps.get-pr.outputs.NUM }}
           sha: ${{ github.event.workflow_run.head_sha }}
+          headroom: 3 # if it's within the last three commits, we can keep going, because it's likely rapid-fire
           invalid: ${{ fromJSON(steps.hash.outputs.json)[github.repository] }}
           fail_on_error: true
 
@@ -64,13 +74,15 @@ jobs:
   create-branch:
     name: "Create Git Branch"
     needs: test-pr
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
     env:
       NR: ${{ needs.test-pr.outputs.number }}
+    permissions:
+      contents: write
     steps:
       - name: 'Checkout md outputs'
-        uses: actions/checkout@v2.3.4
+        uses: actions/checkout@v4
         with:
           ref: md-outputs
           path: built
@@ -94,11 +106,11 @@ jobs:
           git config --local user.name "GitHub Actions"
           CURR_HEAD=$(git rev-parse HEAD)
           git checkout --orphan md-outputs-PR-${NR}
-          git add -A 
+          git add -A
           git commit -m "source commit: ${CURR_HEAD}"
-          ls -A | grep -v '^.git' | xargs rm -r
+          ls -A | grep -v '^.git$' | xargs -I _ rm -r '_'
           cd ..
-          unzip -d built built.zip
+          unzip -o -d built built.zip
           cd built
           git add -A
           git commit --allow-empty -m "differences for PR #${NR}"
@@ -108,18 +120,20 @@ jobs:
   comment-pr:
     name: "Comment on Pull Request"
     needs: [test-pr, create-branch]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
     env:
       NR: ${{ needs.test-pr.outputs.number }}
+    permissions:
+      pull-requests: write
     steps:
       - name: 'Download comment artifact'
         id: dl
         uses: carpentries/actions/download-workflow-artifact@main
         with:
           run: ${{ github.event.workflow_run.id }}
           name: 'diff'
-          
+
       - if: ${{ steps.dl.outputs.success == 'true' }}
         run: unzip ${{ github.workspace }}/diff.zip
 
@@ -128,19 +142,21 @@ jobs:
         if: ${{ steps.dl.outputs.success == 'true' }}
         uses: carpentries/actions/comment-diff@main
         with:
-          pr: ${{ env.NR }} 
+          pr: ${{ env.NR }}
           path: ${{ github.workspace }}/diff.md
 
   # Comment if the PR is open and matches the SHA, but the workflow files have
   # changed
   comment-changed-workflow:
     name: "Comment if workflow files have changed"
     needs: test-pr
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: ${{ always() && needs.test-pr.outputs.is_valid == 'false' }}
     env:
       NR: ${{ github.event.workflow_run.pull_requests[0].number }}
       body: ${{ needs.test-pr.outputs.msg }}
+    permissions:
+      pull-requests: write
     steps:
       - name: 'Check for spoofing'
         id: dl
@@ -166,4 +182,3 @@ jobs:
         with:
           pr: ${{ env.NR }}
           body: ${{ env.body }}
-

.github/workflows/pr-post-remove-branch.yaml

@@ -9,10 +9,12 @@ on:
 jobs:
   delete:
     name: "Delete branch from Pull Request"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: >
-      ${{ github.event.workflow_run.event == 'pull_request' &&
-      github.event.workflow_run.conclusion == 'success' }}
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+    permissions:
+      contents: write
     steps:
       - name: 'Download artifact'
         uses: carpentries/actions/download-workflow-artifact@main
@@ -23,7 +25,7 @@ jobs:
         id: get-pr
         run: |
           unzip pr.zip
-          echo "::set-output name=NUM::$(<./NUM)"
+          echo "NUM=$(<./NUM)" >> $GITHUB_OUTPUT
       - name: 'Remove branch'
         uses: carpentries/actions/remove-branch@main
         with:

.github/workflows/pr-preflight.yaml

@@ -11,14 +11,18 @@ jobs:
   test-pr:
     name: "Test if pull request is valid"
     if: ${{ github.event.action != 'closed' }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       is_valid: ${{ steps.check-pr.outputs.VALID }}
+    permissions:
+      pull-requests: write
     steps:
       - name: "Get Invalid Hashes File"
         id: hash
         run: |
-          echo "::set-output name=json::"$(curl -sL https://files.carpentries.org/invalid-hashes.json)
+          echo "json<<EOF
+          $(curl -sL https://files.carpentries.org/invalid-hashes.json)
+          EOF" >> $GITHUB_OUTPUT
       - name: "Check PR"
         id: check-pr
         uses: carpentries/actions/check-valid-pr@main