Closed ManonMarchand closed 1 year ago
Hello again, @ManonMarchand!
How can we add our own action to our repo (that updates the figures of our lessons with current data)?
There are two ways:
.yml extension (not .yaml). This will prevent the update-workflows.yaml action from destroying that file. OR
sandpaper-main.yaml workflow file and continuously monitor the diffs of that file for changes.
The PR bot prevents us from doing this. Could it really be malicious if we don't touch the carpentries actions?
The PR bot does not prevent you from doing this per se; it gives you strong warnings if you try to modify content and workflows at the same time (e.g. https://github.com/carpentries-incubator/bioc-intro/pull/97#issuecomment-1540622467). The rationale behind this can be found in the "Risk Management" section in the documentation. The protections are less for The Carpentries Infrastructure (sensitive data is not accessible through the lessons or the tokens used to generate pull requests) and more of good practices in general. This way, it's harder for a new maintainer to accept a malicious pull request.
That being said, if you are the one submitting the PR, then you can be reasonably confident that the workflows are correct and you can ignore any warnings like that.
This is also somewhat related to https://github.com/carpentries/sandpaper/issues/267
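The kind of check the reply above describes, as an added example that is not the Carpentries PR bot's own code: it sorts a pull request's changed paths into workflows and lesson content and warns when both change together. The split between `.yaml` (template-managed) and `.yml` (maintainer's own) is an assumption drawn from the reply; `episodes/01-intro.Rmd` and `update-figures.yml` are constructed names.

```python
from pathlib import PurePosixPath

WORKFLOW_DIR = PurePosixPath(".github/workflows")  # GitHub's standard workflow location


def classify(path: str) -> str:
    """Return 'managed-workflow', 'custom-workflow', 'other-ci' or 'content'."""
    p = PurePosixPath(path)
    if p.parent == WORKFLOW_DIR:
        # Assumption from the reply above: template-managed workflows end in
        # .yaml and can be overwritten by update-workflows.yaml, while a
        # maintainer's own workflow uses .yml and is left alone.
        if p.suffix == ".yaml":
            return "managed-workflow"
        if p.suffix == ".yml":
            return "custom-workflow"
    if p.parts[:1] == (".github",):
        return "other-ci"
    return "content"


def review_pr(changed_paths):
    """Group changed paths and produce reviewer warnings for risky mixes."""
    groups = {}
    for path in changed_paths:
        groups.setdefault(classify(path), []).append(path)
    managed = groups.get("managed-workflow", [])
    workflows = managed + groups.get("custom-workflow", [])
    warnings = []
    if workflows and groups.get("content"):
        warnings.append("PR modifies workflows and lesson content together: "
                        "review the workflow diff separately")
    if managed:
        warnings.append("template-managed workflow changed: " + ", ".join(managed))
    return groups, warnings


# Constructed samples: file lists as `git diff --name-only` would print them.
MIXED_PR = ["episodes/01-intro.Rmd", ".github/workflows/sandpaper-main.yaml"]
CUSTOM_ONLY_PR = [".github/workflows/update-figures.yml"]

if __name__ == "__main__":
    for name, pr in (("mixed", MIXED_PR), ("custom-only", CUSTOM_ONLY_PR)):
        groups, warnings = review_pr(pr)
        print(name, groups, warnings or "no warnings")
```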
Thanks a lot for the detailed answer! :) On my side, this issue can be closed.
Hello and thanks for the template,
How can we add our own action to our repo (that updates the figures of our lessons with current data)? The PR bot prevents us from doing this. Could it really be malicious if we don't touch the carpentries actions?
Have a lovely day,