Tidying output messages, fixing some more logic

froggleston · froggleston · commit a25d18368808 · 2025-11-13T16:27:58.000Z
diff --git a/.github/workflows/docker_apply_cache.yaml b/.github/workflows/docker_apply_cache.yaml
@@ -30,6 +30,7 @@ jobs:
             echo "This was not a manual trigger and no PR was merged. No action taken."
             echo "merged_or_manual=false" >> $GITHUB_OUTPUT
           fi
+        shell: bash
 
   check-renv:
     name: "Check If We Need {renv}"
@@ -112,10 +113,12 @@ jobs:
           ls -lah /home/rstudio/.workbench
           ls -lah $(pwd)
           Rscript -e 'sessionInfo()'
+        shell: bash
 
       - name: "Mark Repository as Safe"
         run: |
           git config --global --add safe.directory $(pwd)
+        shell: bash
 
       - name: "Ensure sandpaper is loadable"
         run: |
@@ -126,17 +129,20 @@ jobs:
       - name: "Setup Lesson Dependencies"
         run: |
           Rscript /home/rstudio/.workbench/setup_lesson_deps.R
+        shell: bash
 
       - name: "Fortify renv Cache"
         run: |
           Rscript /home/rstudio/.workbench/fortify_renv_cache.R
+        shell: bash
 
       - name: "Get Container Version Used"
         id: wb-vers
         uses: carpentries/actions/container-version@frog-s3-test-1
         with:
           WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }}
           renv-needed: ${{ needs.check-renv.outputs.renv-needed }}
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: "Validate Current Org and Workflow"
         id: validate-org-workflow
diff --git a/.github/workflows/docker_build_deploy.yaml b/.github/workflows/docker_build_deploy.yaml
@@ -61,6 +61,7 @@ jobs:
         with:
           WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }}
           renv-needed: ${{ steps.build-check.outputs.renv-needed }}
+          token: ${{ secrets.GITHUB_TOKEN }}
 
   full-build:
     name: "Build Full Site"
@@ -100,10 +101,12 @@ jobs:
           ls -lah /home/rstudio/.workbench
           ls -lah $(pwd)
           Rscript -e 'sessionInfo()'
+        shell: bash
 
       - name: "Mark Repository as Safe"
         run: |
           git config --global --add safe.directory $(pwd)
+        shell: bash
 
       - name: "Setup Lesson Dependencies"
         id: build-container-deps
@@ -114,6 +117,7 @@ jobs:
           LESSON_PATH: ${{ vars.LESSON_PATH || '/home/rstudio/lesson' }}
           role-to-assume: ${{ secrets.AWS_GH_OIDC_ARN }}
           aws-region: ${{ secrets.AWS_GH_OIDC_REGION }}
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: "Run Container and Build Site"
         id: build-and-deploy
@@ -127,6 +131,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [preflight]
     permissions:
+      actions: write  # This is critical!
       contents: write
       pull-requests: write
       id-token: write # OIDC permission required
diff --git a/.github/workflows/docker_pr_receive.yaml b/.github/workflows/docker_pr_receive.yaml
@@ -31,13 +31,20 @@ jobs:
       - name: "Check if md-outputs branch exists"
         id: check
         run: |
+          # 💡 Checking for md-outputs branch #
           if [[ -n $(git ls-remote --exit-code --heads origin md-outputs) ]]; then
             echo "exists=true" >> $GITHUB_OUTPUT
           else
             echo "exists=false" >> $GITHUB_OUTPUT
-            echo "❌ md-outputs branch required. Please merge any open package update PRs, and run the '03 Maintain: Apply Package Cache' and '01: Maintain: Build and Deploy Site' workflows."
+            echo "::error::md-outputs branch required but does not exist."
+            echo "::error::Please merge any open package update PRs, and run the '03 Maintain: Apply Package Cache' and '01: Maintain: Build and Deploy Site' workflows."
+
+            echo "## ❌ ERROR: md-outputs branch required" >> $GITHUB_STEP_SUMMARY
+            echo "Please merge any open package update PRs, and run the '03 Maintain: Apply Package Cache' and '01: Maintain: Build and Deploy Site' workflows." >> $GITHUB_STEP_SUMMARY
+
             exit 1
           fi
+        shell: bash
 
   test-pr:
     name: "Record PR number"
@@ -49,27 +56,24 @@ jobs:
       pr_number: ${{ env.NR }}
       pr_branch: ${{ env.PR_BRANCH }}
     steps:
-      - name: "Auto: Grab PR"
-        if: github.event_name == 'pull_request'
+      - name: "Grab PR"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          echo ${{ github.event.number }} > ${{ github.workspace }}/NR
-          echo "NR=${{ github.event.number }}" >> $GITHUB_ENV
-          echo "PR_BRANCH=$(gh -R ${{ github.repository }} pr view ${{ github.event.number }} --json headRefName --jq '.headRefName')" >> $GITHUB_ENV
+          if [[ "${{ github.event_name }}" == "pull_request" ]] ; then
+            PR_NUMBER=${{ github.event.number }}
+          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]] ; then
+            PR_NUMBER=${{ inputs.pr_number }}
+          fi
 
-      - name: "Manual: Grab PR"
-        if: ${{ github.event_name == 'workflow_dispatch' }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          echo ${{ inputs.pr_number }} > ${{ github.workspace }}/NR
-          echo "NR=${{ inputs.pr_number }}" >> $GITHUB_ENV
-          echo "PR_BRANCH=$(gh -R ${{ github.repository }} pr view ${{ inputs.pr_number }} --json headRefName --jq '.headRefName')" >> $GITHUB_ENV
+          echo $PR_NUMBER > ${{ github.workspace }}/NR
+          echo "NR=$PR_NUMBER" >> $GITHUB_ENV
+          echo "PR_BRANCH=$(gh -R ${{ github.repository }} pr view $PR_NUMBER --json headRefName --jq '.headRefName')" >> $GITHUB_ENV
+        shell: bash
 
       - name: "Upload PR number"
         id: upload
-        if: ${{ always() }}
+        if: always()
         uses: actions/upload-artifact@v4
         with:
           name: pr
@@ -81,10 +85,12 @@ jobs:
           echo "json<<EOF
           $(curl -sL https://files.carpentries.org/invalid-hashes.json)
           EOF" >> $GITHUB_OUTPUT
+        shell: bash
 
-      - name: "echo output"
+      - name: "Debug Hashes Output"
         run: |
           echo "${{ steps.hash.outputs.json }}"
+        shell: bash
 
       - name: "Check PR"
         id: check-pr
@@ -156,6 +162,7 @@ jobs:
         run: |
           git config --global --add safe.directory $(pwd)
           git config --global --add safe.directory /home/rstudio/lesson
+        shell: bash
 
       - name: "Ensure sandpaper is loadable"
         run: |
@@ -166,6 +173,7 @@ jobs:
       - name: Setup Lesson Dependencies
         run: |
           Rscript /home/rstudio/.workbench/setup_lesson_deps.R
+        shell: bash
 
       - name: Get Container Version Used
         id: wb-vers
@@ -174,6 +182,7 @@ jobs:
         with:
           WORKBENCH_TAG: ${{ vars.WORKBENCH_TAG }}
           renv-needed: ${{ needs.check-renv.outputs.renv-needed }}
+          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: "Validate Current Org and Workflow"
         id: validate-org-workflow
@@ -217,6 +226,7 @@ jobs:
           steps.s3-cache.outputs.cache-hit != 'true'
         run: |
           Rscript /home/rstudio/.workbench/fortify_renv_cache.R
+        shell: bash
 
       - name: "Validate and Build Markdown"
         id: build-site
diff --git a/.github/workflows/update-cache.yaml b/.github/workflows/update-cache.yaml
@@ -53,6 +53,7 @@ jobs:
             echo "ok=false" >> $GITHUB_OUTPUT
             echo "Not Running Today"
           fi
+        shell: bash
 
   check-renv:
     name: "Check If We Need {renv}"
@@ -123,14 +124,14 @@ jobs:
       - name: "Set PAT from AWS Secrets Manager"
         if: steps.validate-org-workflow.outputs.is_valid == 'true'
         id: set-pat
-        shell: bash
         run: |
           SECRET=$(aws secretsmanager get-secret-value \
                    --secret-id carpentries-bot/github-pat \
                    --query SecretString --output text)
           PAT=$(echo "$SECRET" | jq -r .[])
           echo "::add-mask::$PAT"
           echo "pat=$PAT" >> "$GITHUB_OUTPUT"
+        shell: bash
 
       - name: "Validate token"
         id: validate-token
@@ -141,7 +142,7 @@ jobs:
       # Create the PR with the following roles in order of preference:
       # - Carpentries Bot classic PAT fetched from AWS (will only work in official Carpentries repos)
       # - repo-scoped SANDPAPER_WORKFLOW classic PAT (will work in all scenarios)
-      # - default GITHUB_TOKEN (will work suitably, but PR preflight checks will not occur)
+      # - default GITHUB_TOKEN (will work suitably, but workflows need to be triggered)
       - name: "Create Pull Request"
         id: cpr
         if: |
@@ -185,6 +186,7 @@ jobs:
         if: steps.update.outputs.n == 0
         run: |
           echo "No updates needed, skipping PR creation"
+        shell: bash
 
       - name: "Trigger Apply Cache Workflow"
         if: steps.update.outputs.n == 0
diff --git a/.github/workflows/update-workflows.yaml b/.github/workflows/update-workflows.yaml
@@ -43,14 +43,14 @@ jobs:
 
       - name: Set PAT from AWS Secrets Manager
         id: set-pat
-        shell: bash
         run: |
           SECRET=$(aws secretsmanager get-secret-value \
                    --secret-id carpentries-bot/github-pat \
                    --query SecretString --output text)
           PAT=$(echo "$SECRET" | jq -r .[])
           echo "::add-mask::$PAT"
           echo "pat=$PAT" >> "$GITHUB_OUTPUT"
+        shell: bash
 
       - name: "Validate token"
         id: validate-token
