[actions] update sandpaper workflow to version 0.11.16

Author: zkamvar

.github/workflows/README.md

@@ -147,6 +147,11 @@ pull request. GitHub has safeguarded the token used in this workflow to have no
 priviledges in the repository, but we have taken precautions to protect against
 spoofing.
 
+This workflow is triggered with every push to a pull request. If this workflow
+is already running and a new push is sent to the pull request, the workflow
+running from the previous push will be cancelled and a new workflow run will be
+started.
+
 The first step of this workflow is to check if it is valid (e.g. that no
 workflow files have been modified). If there are workflow files that have been
 modified, a comment is made that indicates that the workflow is not run. If 
@@ -160,7 +165,7 @@ request. This builds the content and uploads three artifacts:
 3. The rendered files (build)
 
 Because this workflow builds generated content, it follows the same general 
-process as the sandpaper-main workflow with the same caching mechanisms.
+process as the `sandpaper-main` workflow with the same caching mechanisms.
 
 The artifacts produced are used by the next workflow.
 
@@ -176,7 +181,7 @@ The steps in this workflow are:
 3. If it is valid: update the pull request comment with the summary of changes
 
 Importantly: if the pull request is invalid, the branch is not created so any
-malicious code is not published. 
+malicious code is not published.
 
 From here, the maintainer can request changes from the author and eventually 
 either merge or reject the PR. When this happens, if the PR was valid, the 

.github/workflows/pr-close-signal.yaml

@@ -16,8 +16,8 @@ jobs:
           mkdir -p ./pr
           printf ${{ github.event.number }} > ./pr/NUM
       - name: Upload Diff
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
-          name: pr 
+          name: pr
           path: ./pr
 

.github/workflows/pr-comment.yaml

@@ -8,6 +8,11 @@ on:
     types:
       - completed
 
+concurrency:
+  group: pr-${{ github.event.workflow_run.pull_requests[0].number }}
+  cancel-in-progress: true
+
+
 jobs:
   # Pull requests are valid if:
   #  - they match the sha of the workflow run head commit
@@ -16,8 +21,8 @@ jobs:
   test-pr:
     name: "Test if pull request is valid"
     runs-on: ubuntu-latest
-    if: > 
-      github.event.workflow_run.event == 'pull_request' && 
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'success'
     outputs:
       is_valid: ${{ steps.check-pr.outputs.VALID }}
@@ -58,6 +63,7 @@ jobs:
         with:
           pr: ${{ steps.get-pr.outputs.NUM }}
           sha: ${{ github.event.workflow_run.head_sha }}
+          headroom: 3 # if it's within the last three commits, we can keep going, because it's likely rapid-fire
           invalid: ${{ fromJSON(steps.hash.outputs.json)[github.repository] }}
           fail_on_error: true
 
@@ -72,6 +78,8 @@ jobs:
     if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
     env:
       NR: ${{ needs.test-pr.outputs.number }}
+    permissions:
+      contents: write
     steps:
       - name: 'Checkout md outputs'
         uses: actions/checkout@v3
@@ -98,9 +106,9 @@ jobs:
           git config --local user.name "GitHub Actions"
           CURR_HEAD=$(git rev-parse HEAD)
           git checkout --orphan md-outputs-PR-${NR}
-          git add -A 
+          git add -A
           git commit -m "source commit: ${CURR_HEAD}"
-          ls -A | grep -v '^.git$' | xargs rm -r
+          ls -A | grep -v '^.git$' | xargs -I _ rm -r '_'
           cd ..
           unzip -o -d built built.zip
           cd built
@@ -116,14 +124,16 @@ jobs:
     if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
     env:
       NR: ${{ needs.test-pr.outputs.number }}
+    permissions:
+      pull-requests: write
     steps:
       - name: 'Download comment artifact'
         id: dl
         uses: carpentries/actions/download-workflow-artifact@main
         with:
           run: ${{ github.event.workflow_run.id }}
           name: 'diff'
-          
+
       - if: ${{ steps.dl.outputs.success == 'true' }}
         run: unzip ${{ github.workspace }}/diff.zip
 
@@ -132,7 +142,7 @@ jobs:
         if: ${{ steps.dl.outputs.success == 'true' }}
         uses: carpentries/actions/comment-diff@main
         with:
-          pr: ${{ env.NR }} 
+          pr: ${{ env.NR }}
           path: ${{ github.workspace }}/diff.md
 
   # Comment if the PR is open and matches the SHA, but the workflow files have
@@ -145,6 +155,8 @@ jobs:
     env:
       NR: ${{ github.event.workflow_run.pull_requests[0].number }}
       body: ${{ needs.test-pr.outputs.msg }}
+    permissions:
+      pull-requests: write
     steps:
       - name: 'Check for spoofing'
         id: dl

.github/workflows/pr-post-remove-branch.yaml

@@ -13,6 +13,8 @@ jobs:
     if: >
       github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'success'
+    permissions:
+      contents: write
     steps:
       - name: 'Download artifact'
         uses: carpentries/actions/download-workflow-artifact@main

.github/workflows/pr-preflight.yaml

@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       is_valid: ${{ steps.check-pr.outputs.VALID }}
+    permissions:
+      pull-requests: write
     steps:
       - name: "Get Invalid Hashes File"
         id: hash

.github/workflows/pr-receive.yaml

@@ -5,6 +5,10 @@ on:
     types:
       [opened, synchronize, reopened]
 
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   test-pr:
     name: "Record PR number"
@@ -21,7 +25,7 @@ jobs:
       - name: "Upload PR number"
         id: upload
         if: ${{ always() }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: pr
           path: ${{ github.workspace }}/NR
@@ -103,20 +107,20 @@ jobs:
         shell: Rscript {0}
 
       - name: "Upload PR"
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: pr
           path: ${{ env.PR }}
 
       - name: "Upload Diff"
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: diff
           path: ${{ env.CHIVE }}
           retention-days: 1
-      
+
       - name: "Upload Build"
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: built
           path: ${{ env.MD }}

.github/workflows/sandpaper-version.txt

@@ -1 +1 @@
-0.10.8
+0.11.16

.github/workflows/update-cache.yaml

@@ -93,7 +93,7 @@ jobs:
       - name: Create Pull Request
         id: cpr
         if: ${{ steps.update.outputs.n > 0 }}
-        uses: peter-evans/create-pull-request@v4.2.0
+        uses: carpentries/create-pull-request@main
         with:
           token: ${{ secrets.SANDPAPER_WORKFLOW }}
           delete-branch: true
@@ -119,7 +119,7 @@ jobs:
             ```
 
             - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }}
-            
-            [1]: https://github.com/peter-evans/create-pull-request
+
+            [1]: https://github.com/carpentries/create-pull-request/tree/main
           labels: "type: package cache"
           draft: false

.github/workflows/update-workflows.yaml

@@ -43,11 +43,11 @@ jobs:
         uses: carpentries/actions/update-workflows@main
         with:
           clean: ${{ github.event.inputs.clean }}
-      
+
       - name: Create Pull Request
         id: cpr
         if: "${{ steps.update.outputs.new }}"
-        uses: peter-evans/create-pull-request@v4.2.0
+        uses: carpentries/create-pull-request@main
         with:
           token: ${{ secrets.SANDPAPER_WORKFLOW }}
           delete-branch: true
@@ -60,7 +60,7 @@ jobs:
             Update Workflows from sandpaper version ${{ steps.update.outputs.old }} -> ${{ steps.update.outputs.new }}
 
             - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }}
-            
-            [1]: https://github.com/peter-evans/create-pull-request
+
+            [1]: https://github.com/carpentries/create-pull-request/tree/main
           labels: "type: template and tools"
           draft: false