Add V2 objects.inv workflow #1435
Conversation
doctorperceptron
requested review from
Alan-eMartin,
rashidnhm,
ashishks0522 and
jontoye
doctorperceptron
changed the title
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| env: | ||
| AWS_REGION: ${{ secrets.aws_region }} | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }} | ||
| AWS_S3_HTML_BUCKET_ID: ${{ secrets.aws_html_s3_bucket_id }} | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ inputs.branch }} | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Install pandoc and opencl | ||
| run: | | ||
| sudo apt-get install -y \ | ||
| ocl-icd-opencl-dev \ | ||
| pandoc | ||
|
|
||
| - name: Setup Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: '3.10' | ||
|
|
||
| - name: Install dependencies | ||
| run: pip install . && poetry config warnings.export false | ||
|
|
||
| - name: Build all demos in HTML format | ||
| run: | | ||
| qml build \ | ||
| --format html \ | ||
| --keep-going \ | ||
| --no-quiet \ | ||
| ${{ inputs.dev && '--dev' || '--no-dev' }} | ||
|
|
||
| - name: Sync objects.inv to HTML Bucket | ||
| run: aws s3 cp ./_build/objects.inv s3://$AWS_S3_HTML_BUCKET_ID/qml/objects.inv |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 5 days ago
To fix this issue, we need to explicitly define the permissions key at the workflow level to limit the GITHUB_TOKEN permissions. From the workflow's logic, it primarily interacts with AWS and performs build processes, which do not require GitHub API write permissions. The contents permission can be set to read since the workflow checks out the repository contents. No other GitHub API permissions appear necessary.
The fix involves adding a permissions block at the root of the workflow file (before the jobs block). This ensures that all jobs in the workflow inherit these minimal permissions unless overridden.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: V2 Sync objects.inv | ||
| on: | ||
| workflow_call: |
The
objects.invfile is generated by Sphinx and is used to enable easy syntax for referencing demos from the PennyLane docs.This PR adds a workflow that builds all demos in a specified branch and uploads the generated
objects.infile to s3. Thev2-build-demos-swc-envworkflow calls this workflow after merges tomasterordev(currently using testing branches), so that theobjects.invfiles are created and uploaded whenever new demos are deployed to those environments.This new workflow is set to run on merges to the two testing branches,
test-v2-masterandtest-v2-dev. We don't have testing buckets though, so merges to thetest-v2-devbranch will push theobjects.invfile to thedevbucket, while merges to thetest-v2-masterbranch will push theobjects.invfile to thestagingbucket. Because this will push to the dev environment, we should hold off on merging this until after PennyLane v0.42.0 is released next week, or merge before then but refrain from testing the dev version of this workflow until then.Note: I've been executing a lot of demos locally and am getting annoyed by the generated
sg_execution_times.rstfile tainting my branch, so I've also added this to.gitignore.