[actions] update sandpaper workflow to version 0.16.7
tobyhodges authored Sep 10, 2024
1 parent 623c5ea commit a111808
Showing 10 changed files with 104 additions and 80 deletions.
53 changes: 26 additions & 27 deletions .github/workflows/README.md
Expand Up @@ -2,7 +2,7 @@

This directory contains workflows to be used for Lessons using the {sandpaper}
lesson infrastructure. Two of these workflows require R (`sandpaper-main.yaml`
and `pr-recieve.yaml`) and the rest are bots to handle pull request management.
and `pr-receive.yaml`) and the rest are bots to handle pull request management.

These workflows will likely change as {sandpaper} evolves, so it is important to
keep them up-to-date. To do this in your lesson you can do the following in your
Expand Down Expand Up @@ -46,18 +46,11 @@ This workflow has two caches; one cache is for the lesson infrastructure and
the other is for the the lesson dependencies if the lesson contains rendered
content. These caches are invalidated by new versions of the infrastructure and
the `renv.lock` file, respectively. If there is a problem with the cache,
manual invaliation is necessary and can be done by setting the `CACHE_VERSION`
secret to the current date.

### Deploy to AWS (deploy-aws.yaml)

If you have an AWS bucket that is set up to deploy the site from a folder, this
workflow will deploy the site to that folder after `01 Build and Deploy` runs.
It can also be triggered manually.

Note: for this to work, you must have the `AWS_S3_BUCKET`, `AWS_ACCESS_KEY_ID`,
and `AWS_SECRET_ACCESS_KEY` in your repository secrets. If any of these are
missing, the workflow will not run.
manual invaliation is necessary. You will need maintain access to the repository
and you can either go to the actions tab and [click on the caches button to find
and invalidate the failing cache](https://github.blog/changelog/2022-10-20-manage-caches-in-your-actions-workflows-from-web-interface/)
or by setting the `CACHE_VERSION` secret to the current date (which will
invalidate all of the caches).

## Updates
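Review bot: the new cache-invalidation text keeps the misspelling "invaliation" and drops a word in "You will need maintain access to the repository"; suggest "manual invalidation is necessary. You will need to maintain access to the repository". Separately, deleting the "Deploy to AWS" section removes the only documentation of the `AWS_S3_BUCKET`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` repository secrets. If `deploy-aws.yaml` is being retired with it, those long-lived keys should be removed from the repository secrets and rotated on the AWS side rather than left orphaned; if the workflow still exists, the section should stay.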

Expand Down Expand Up @@ -96,24 +89,25 @@ will do the following:
1. check the recorded version of sandpaper against the current version on github
2. update the files if there is a difference in versions

After the files are updated, a pull request is created if there are any changes.
Maintainers are encouraged to review the changes and accept the pull request.
After the files are updated, if there are any changes, they are pushed to a
branch called `update/workflows` and a pull request is created. Maintainers are
encouraged to review the changes and accept the pull request if the outputs
are okay.

This update is run ~~weekly or~~ on demand.
This update is run weekly or on demand.

TODO:
- perform check if a pull request exists before creating pull request

### 03 Maintain: Update Pacakge Cache (update-cache.yaml)
### 03 Maintain: Update Package Cache (update-cache.yaml)

For lessons that have generated content, we use {renv} to ensure that the output
is stable. This is controlled by a single lockfile which documents the packages
needed for the lesson and the version numbers.
needed for the lesson and the version numbers. This workflow is skipped in
lessons that do not have generated content.

Because the lessons need to remain current with the package ecosystem, it's a
good idea to make sure these packages can be updated periodically. The
update cache workflow will do this by checking for updates, applying them and
creating a pull request with _only the lockfile changed_.
update cache workflow will do this by checking for updates, applying them in a
branch called `updates/packages` and creating a pull request with _only the
lockfile changed_.

From here, the markdown documents will be rebuilt and you can inspect what has
changed based on how the packages have updated.
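Review bot: the two new branch names are inconsistent: `update/workflows` for the workflow updater versus `updates/packages` for the package-cache updater. Pick one prefix, since maintainers and any branch-protection rules will key off it. The TODO about checking for an existing pull request is still open, and now that both workflows push to fixed branch names it is worth documenting what the second weekly run does when that branch already exists with an open PR.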
Expand Down Expand Up @@ -146,13 +140,18 @@ Once the checks are finished, a comment is issued to the pull request, which
will allow maintainers to determine if it is safe to run the
"Receive Pull Request" workflow from new contributors.

### Recieve Pull Request (pr-recieve.yaml)
### Receive Pull Request (pr-receive.yaml)

**Note of caution:** This workflow runs arbitrary code by anyone who creates a
pull request. GitHub has safeguarded the token used in this workflow to have no
priviledges in the repository, but we have taken precautions to protect against
spoofing.

This workflow is triggered with every push to a pull request. If this workflow
is already running and a new push is sent to the pull request, the workflow
running from the previous push will be cancelled and a new workflow run will be
started.

The first step of this workflow is to check if it is valid (e.g. that no
workflow files have been modified). If there are workflow files that have been
modified, a comment is made that indicates that the workflow is not run. If
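Review bot: "priviledges" in the unchanged note of caution is misspelled; since this section is being edited, fix it to "privileges". The new paragraph about cancelling superseded runs should also say that a cancelled run never reaches `pr-comment.yaml` (that workflow only fires when the `workflow_run` conclusion is `success`), otherwise a reader will expect a comment for every push.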
Expand All @@ -166,13 +165,13 @@ request. This builds the content and uploads three artifacts:
3. The rendered files (build)

Because this workflow builds generated content, it follows the same general
process as the sandpaper-main workflow with the same caching mechanisms.
process as the `sandpaper-main` workflow with the same caching mechanisms.

The artifacts produced are used by the next workflow.

### Comment on Pull Request (pr-comment.yaml)

This workflow is triggered if the `pr-recieve.yaml` workflow is successful.
This workflow is triggered if the `pr-receive.yaml` workflow is successful.
The steps in this workflow are:

1. Test if the workflow is valid and comment the validity of the workflow to the
Expand All @@ -182,7 +181,7 @@ The steps in this workflow are:
3. If it is valid: update the pull request comment with the summary of changes

Importantly: if the pull request is invalid, the branch is not created so any
malicious code is not published.
malicious code is not published.

From here, the maintainer can request changes from the author and eventually
either merge or reject the PR. When this happens, if the PR was valid, the
4 changes: 2 additions & 2 deletions .github/workflows/pr-close-signal.yaml
Expand Up @@ -16,8 +16,8 @@ jobs:
mkdir -p ./pr
printf ${{ github.event.number }} > ./pr/NUM
- name: Upload Diff
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v4
with:
name: pr
name: pr
path: ./pr

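Review bot: the bump to `actions/upload-artifact@v4` pins to a mutable tag; for a workflow that feeds pull-request automation, pin third-party actions to a full commit SHA (with the tag in a trailing comment) so a retagged release cannot change what runs. Also `printf ${{ github.event.number }} > ./pr/NUM` interpolates the expression straight into the script; `github.event.number` is an integer so it is safe here, but `printf '%s' "${{ github.event.number }}"` is the habit to keep.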
34 changes: 25 additions & 9 deletions .github/workflows/pr-comment.yaml
Expand Up @@ -8,6 +8,11 @@ on:
types:
- completed

concurrency:
group: pr-${{ github.event.workflow_run.pull_requests[0].number }}
cancel-in-progress: true


jobs:
# Pull requests are valid if:
# - they match the sha of the workflow run head commit
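Review bot: the concurrency group `pr-${{ github.event.workflow_run.pull_requests[0].number }}` relies on the `pull_requests` array of the `workflow_run` payload, which the rest of this workflow deliberately avoids (the `get-pr` step reads the number from the uploaded `pr` artifact) because that array is empty for runs triggered by fork pull requests. When it is empty the group collapses to `pr-` for every fork PR and unrelated runs cancel each other. Key the group on `github.event.workflow_run.head_sha`, or `head_branch` together with `head_repository.full_name`, instead. The double blank line after the block is a style nit.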
Expand All @@ -16,7 +21,9 @@ jobs:
test-pr:
name: "Test if pull request is valid"
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
if: >
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
outputs:
is_valid: ${{ steps.check-pr.outputs.VALID }}
payload: ${{ steps.check-pr.outputs.payload }}
Expand All @@ -35,7 +42,7 @@ jobs:
id: get-pr
run: |
unzip pr.zip
echo "::set-output name=NUM::$(<./NR)"
echo "NUM=$(<./NR)" >> $GITHUB_OUTPUT
- name: "Fail if PR number was not present"
id: bad-pr
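Review bot: `echo "NUM=$(<./NR)" >> $GITHUB_OUTPUT` writes the contents of a file taken from an artifact of the `pr-receive` run straight into the step outputs. A multi-line file would append extra `key=value` lines (output injection), and a non-numeric value flows into `check-valid-pr` as the PR number. Validate before exporting, e.g. `NUM=$(<./NR); [[ "$NUM" =~ ^[0-9]+$ ]] || exit 1`, and quote `"$GITHUB_OUTPUT"`. The move away from `::set-output` itself is correct, that command is deprecated.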
Expand All @@ -46,14 +53,17 @@ jobs:
- name: "Get Invalid Hashes File"
id: hash
run: |
echo "::set-output name=json::"$(curl -sL https://files.carpentries.org/invalid-hashes.json)
echo "json<<EOF
$(curl -sL https://files.carpentries.org/invalid-hashes.json)
EOF" >> $GITHUB_OUTPUT
- name: "Check PR"
id: check-pr
if: ${{ steps.dl.outputs.success == 'true' }}
uses: carpentries/actions/check-valid-pr@main
with:
pr: ${{ steps.get-pr.outputs.NUM }}
sha: ${{ github.event.workflow_run.head_sha }}
headroom: 3 # if it's within the last three commits, we can keep going, because it's likely rapid-fire
invalid: ${{ fromJSON(steps.hash.outputs.json)[github.repository] }}
fail_on_error: true
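Review bot: `curl -sL https://files.carpentries.org/invalid-hashes.json` has no `-f`/`--fail`, so an HTTP error page or an empty body is written into the `json` output and only surfaces later as a `fromJSON` failure on the `invalid:` input. Use `curl -fsSL` and let this step fail. The heredoc delimiter `EOF` would also be terminated early by a line consisting of `EOF` in the fetched file; a random delimiter (`$(openssl rand -hex 8)`) is the usual precaution. Note that the list is fetched over the network at run time, so `files.carpentries.org` is part of the PR validation trust boundary.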

Expand All @@ -68,9 +78,11 @@ jobs:
if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
env:
NR: ${{ needs.test-pr.outputs.number }}
permissions:
contents: write
steps:
- name: 'Checkout md outputs'
uses: actions/checkout@v2.3.4
uses: actions/checkout@v4
with:
ref: md-outputs
path: built
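Review bot: adding `permissions: contents: write` at job level is the right scope, but a job-level block only restricts that job; any job in this file without its own block still receives the repository default token permissions. Add a top-level `permissions: {}` (or `contents: read`) so the default is read-only and every write is explicit. `actions/checkout@v4` is again a mutable tag; consider a commit SHA.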
Expand All @@ -94,11 +106,11 @@ jobs:
git config --local user.name "GitHub Actions"
CURR_HEAD=$(git rev-parse HEAD)
git checkout --orphan md-outputs-PR-${NR}
git add -A
git add -A
git commit -m "source commit: ${CURR_HEAD}"
ls -A | grep -v '^.git' | xargs rm -r
ls -A | grep -v '^.git$' | xargs -I _ rm -r '_'
cd ..
unzip -d built built.zip
unzip -o -d built built.zip
cd built
git add -A
git commit --allow-empty -m "differences for PR #${NR}"
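Review bot: `ls -A | grep -v '^.git$' | xargs -I _ rm -r '_'` is an improvement (the old `'^.git'` pattern also skipped `.github` and `.gitignore`), but `ls | xargs` still breaks on names containing newlines; `find . -mindepth 1 -maxdepth 1 ! -name .git -exec rm -rf {} +` avoids parsing `ls`. More importantly, `unzip -o -d built built.zip` followed by `git add -A` commits whatever the archive contains, and `built.zip` is produced by a run that executed the contributor's lesson content. Since the branch is then pushed with `contents: write`, restrict the add to the expected output paths (or at least refuse an archive containing `.github/`) rather than trusting the archive layout.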
Expand All @@ -112,14 +124,16 @@ jobs:
if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
env:
NR: ${{ needs.test-pr.outputs.number }}
permissions:
pull-requests: write
steps:
- name: 'Download comment artifact'
id: dl
uses: carpentries/actions/download-workflow-artifact@main
with:
run: ${{ github.event.workflow_run.id }}
name: 'diff'

- if: ${{ steps.dl.outputs.success == 'true' }}
run: unzip ${{ github.workspace }}/diff.zip

Expand All @@ -128,7 +142,7 @@ jobs:
if: ${{ steps.dl.outputs.success == 'true' }}
uses: carpentries/actions/comment-diff@main
with:
pr: ${{ env.NR }}
pr: ${{ env.NR }}
path: ${{ github.workspace }}/diff.md

# Comment if the PR is open and matches the SHA, but the workflow files have
Expand All @@ -141,6 +155,8 @@ jobs:
env:
NR: ${{ github.event.workflow_run.pull_requests[0].number }}
body: ${{ needs.test-pr.outputs.msg }}
permissions:
pull-requests: write
steps:
- name: 'Check for spoofing'
id: dl
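Review bot: `NR: ${{ github.event.workflow_run.pull_requests[0].number }}` in this job uses the same unreliable source as the concurrency group: for fork pull requests `workflow_run.pull_requests` is empty, so `NR` is blank for exactly the PRs this spoofing comment is meant to reach. Take the number from the `pr` artifact as the other jobs do (expose it as a `test-pr` output) rather than from the event payload.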
8 changes: 5 additions & 3 deletions .github/workflows/pr-post-remove-branch.yaml
Expand Up @@ -11,8 +11,10 @@ jobs:
name: "Delete branch from Pull Request"
runs-on: ubuntu-latest
if: >
${{ github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success' }}
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
permissions:
contents: write
steps:
- name: 'Download artifact'
uses: carpentries/actions/download-workflow-artifact@main
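Review bot: the `if: >` rewrite is correct (the old form wrapped the expression in `${{ }}` inside a folded scalar, redundant but harmless). `carpentries/actions/download-workflow-artifact@main` and the other `carpentries/actions/*@main` references track a moving branch; for a job that now holds `contents: write` and deletes branches, pin them to a commit SHA or a release tag so an upstream change cannot silently alter what runs here.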
Expand All @@ -23,7 +25,7 @@ jobs:
id: get-pr
run: |
unzip pr.zip
echo "::set-output name=NUM::$(<./NUM)"
echo "NUM=$(<./NUM)" >> $GITHUB_OUTPUT
- name: 'Remove branch'
uses: carpentries/actions/remove-branch@main
with:
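Review bot: `echo "NUM=$(<./NUM)" >> $GITHUB_OUTPUT` hands an artifact file to `remove-branch` under `contents: write` with no check that it is a PR number; a blank or crafted value ends up in whatever branch name the action builds from it. Validate with `[[ "$NUM" =~ ^[0-9]+$ ]] || exit 1` before writing the output, and quote `"$GITHUB_OUTPUT"`.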
6 changes: 5 additions & 1 deletion .github/workflows/pr-preflight.yaml
Expand Up @@ -14,11 +14,15 @@ jobs:
runs-on: ubuntu-latest
outputs:
is_valid: ${{ steps.check-pr.outputs.VALID }}
permissions:
pull-requests: write
steps:
- name: "Get Invalid Hashes File"
id: hash
run: |
echo "::set-output name=json::"$(curl -sL https://files.carpentries.org/invalid-hashes.json)
echo "json<<EOF
$(curl -sL https://files.carpentries.org/invalid-hashes.json)
EOF" >> $GITHUB_OUTPUT
- name: "Check PR"
id: check-pr
uses: carpentries/actions/check-valid-pr@main
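Review bot: as in the other workflows, `curl -sL` should be `curl -fsSL` so an HTTP error does not become an invalid `json` output, and the heredoc delimiter should be something that cannot plausibly appear in the fetched file. `pull-requests: write` at job level is the minimal permission for posting the preflight comment, which is the right call.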
27 changes: 16 additions & 11 deletions .github/workflows/pr-receive.yaml
Expand Up @@ -5,6 +5,10 @@ on:
types:
[opened, synchronize, reopened]

concurrency:
group: ${{ github.ref }}
cancel-in-progress: true

jobs:
test-pr:
name: "Record PR number"
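Review bot: the concurrency group `${{ github.ref }}` works here: on `pull_request` events the ref is `refs/pull/<N>/merge`, so the group is per-PR even for forks, unlike the `pull_requests[0].number` key used in `pr-comment.yaml`. A cancelled run has conclusion `cancelled`, so the downstream `workflow_run` jobs that test for `success` skip it; a comment saying so would save the next reader from wondering why superseded pushes get no PR comment.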
Expand All @@ -21,17 +25,19 @@ jobs:
- name: "Upload PR number"
id: upload
if: ${{ always() }}
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v4
with:
name: pr
path: ${{ github.workspace }}/NR
- name: "Get Invalid Hashes File"
id: hash
run: |
echo "::set-output name=json::"$(curl -sL https://files.carpentries.org/invalid-hashes.json)
echo "json<<EOF
$(curl -sL https://files.carpentries.org/invalid-hashes.json)
EOF" >> $GITHUB_OUTPUT
- name: "echo output"
run: |
echo ${{ steps.hash.outputs.json }}
echo "${{ steps.hash.outputs.json }}"
- name: "Check PR"
id: check-pr
uses: carpentries/actions/check-valid-pr@main
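Review bot: the `echo output` step interpolates `${{ steps.hash.outputs.json }}` directly into the shell script, and adding quotes does not make that safe: the expression is substituted before the shell parses the script, so a `"` or `$(` in the JSON fetched from `files.carpentries.org` breaks out of the string and executes in this job. Pass it through the environment (`env: HASHES: ${{ steps.hash.outputs.json }}` then `echo "$HASHES"`), or drop the debugging step. Also note that `actions/upload-artifact@v4` fails if an artifact with the same name already exists in the run, which is why the later `Upload PR` step needs `overwrite: true`.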
Expand All @@ -52,10 +58,10 @@ jobs:
MD: ${{ github.workspace }}/site/built
steps:
- name: "Check Out Main Branch"
uses: actions/checkout@v2
uses: actions/checkout@v4

- name: "Check Out Staging Branch"
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
ref: md-outputs
path: ${{ env.MD }}
Expand All @@ -68,8 +74,6 @@ jobs:

- name: "Set up Pandoc"
uses: r-lib/actions/setup-pandoc@v2
with:
pandoc-version: "2.11.4"

- name: "Setup Lesson Engine"
uses: carpentries/actions/setup-sandpaper@main
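Review bot: removing `pandoc-version: "2.11.4"` makes the build take whatever `r-lib/actions/setup-pandoc@v2` installs by default, so rendered PR output can change between runs with no change in the lesson or the lockfile. If the old pin was incompatible with sandpaper 0.16.7, pin the new minimum version rather than floating.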
Expand Down Expand Up @@ -103,20 +107,21 @@ jobs:
shell: Rscript {0}

- name: "Upload PR"
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v4
with:
name: pr
path: ${{ env.PR }}
overwrite: true

- name: "Upload Diff"
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v4
with:
name: diff
path: ${{ env.CHIVE }}
retention-days: 1

- name: "Upload Build"
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v4
with:
name: built
path: ${{ env.MD }}
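Review bot: the second upload of an artifact named `pr` with `overwrite: true` replaces the PR-number artifact that the `test-pr` job uploaded before any lesson code ran. This job renders the lesson (`shell: Rscript {0}`), i.e. executes contributor-controlled content, and `pr-comment.yaml` later reads the PR number from this artifact. Either give the build's copy a different name so the original is kept, or make sure `${{ env.PR }}` is written before the render step and is not on a path the render can touch. `retention-days: 1` on `diff` but not on `built` or `pr` looks unintentional.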
4 changes: 1 addition & 3 deletions .github/workflows/sandpaper-main.yaml
Expand Up @@ -32,7 +32,7 @@ jobs:
steps:

- name: "Checkout Lesson"
uses: actions/checkout@v2
uses: actions/checkout@v4

- name: "Set up R"
uses: r-lib/actions/setup-r@v2
Expand All @@ -42,8 +42,6 @@ jobs:

- name: "Set up Pandoc"
uses: r-lib/actions/setup-pandoc@v2
with:
pandoc-version: "2.11.4"

- name: "Setup Lesson Engine"
uses: carpentries/actions/setup-sandpaper@main
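Review bot: dropping the `pandoc-version: "2.11.4"` pin here lets the deployed site float with whatever pandoc `setup-pandoc@v2` installs on the day, which undermines the reproducibility the `renv.lock` cache is meant to give. Record the intended minimum version instead of removing the pin entirely.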
2 changes: 1 addition & 1 deletion .github/workflows/sandpaper-version.txt
@@ -1 +1 @@
0.9.4
0.16.7