Update github actions to use 1password (#482)

* update docker build to use github secrets

use updated cacheing

* Make R versions consistent across actions

* Move github config

* fix yaml

* Style Rmds

* Revert "Style Rmds"

This reverts commit fc8b78b.

* Use docs bot for checkout & push

* install curl?

* apt update first

* Style Rmds

* trigger docker build

* use checkout v3 in build

* test build push (expect failure)

* revert build test (didn't fail, but that's okay)

---------

Co-authored-by: GitHub Actions <actions@github.com>

.github/workflows/check-frontend-urls.yml

@@ -12,11 +12,11 @@ jobs:
   check-frontend-urls:
     runs-on: ubuntu-latest
     container:
-      image: rocker/tidyverse:4.0.2
+      image: rocker/tidyverse:4.0.5
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Install dependencies
         run: Rscript -e "install.packages(c('optparse', 'jsonlite'))"
@@ -26,7 +26,7 @@ jobs:
         run: |
           links=https://raw.githubusercontent.com/AlexsLemonade/refinebio-frontend/master/src/common/examples-links.json
           results=$(Rscript "scripts/check-frontend-urls.R" --links $links)
-          echo "::set-output name=missing_urls::$results"
+          echo "missing_urls=$results" >> "$GITHUB_OUTPUT"
 
       # Fail if any number besides 0 is returned
       - name: Check if any URLs were missing

.github/workflows/docker-build-push.yml

@@ -11,14 +11,25 @@ jobs:
     runs-on: ubuntu-latest
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
+      - name: Load 1Password secrets
+        uses: 1password/load-secrets-action@v1
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.TRAINING_OP_SERVICE_ACCOUNT_TOKEN }}
+          DOCKER_USER: ${{ secrets.OP_DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.OP_DOCKER_PASSWORD }}
+          ACTION_MONITORING_SLACK: ${{ secrets.OP_ACTION_MONITORING_SLACK }}
+          DOCS_BOT_GITHUB_TOKEN: ${{ secrets.OP_DOCS_BOT_GITHUB_TOKEN }}
+
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - name: checkout
-        uses: actions/checkout@v2
+      - name: Checkout
+        uses: actions/checkout@v3
         with:
           # get the full repo
           fetch-depth: 0
           # use alexslemonade-docs-bot
-          token: ${{ secrets.DOCS_BOT_GITHUB_TOKEN }}
+          token: ${{ env.DOCS_BOT_GITHUB_TOKEN }}
 
       - name: Checkout pages branch and sync with changes
         run: |
@@ -37,30 +48,34 @@ jobs:
 
       # Login to Dockerhub
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
-          username: ${{ secrets.DOCKER_ID }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ env.DOCKER_USER }}
+          password: ${{ env.DOCKER_PASSWORD }}
+
       # set up Docker build
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
+
       # Build the Docker image
       - name: Build and Load Docker image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v4
         with:
           push: false
           load: true
           context: docker
           file: docker/Dockerfile
           tags: ccdl/refinebio-examples:latest
+
       # push the Docker image if this is staging
       - name: Push Docker image
         if: github.ref == 'refs/heads/staging'
         run: docker push ccdl/refinebio-examples:latest
+
       # retag and push the Docker image if this is master
       - name: Push release Docker image
         if: github.ref == 'refs/heads/master'
-        run: | 
+        run: |
           docker tag ccdl/refinebio-examples:latest ccdl/refinebio-examples:release
           docker push ccdl/refinebio-examples:release
 
@@ -91,14 +106,14 @@ jobs:
           git add -A
           git commit -m 'Render html and publish' || echo "No changes to commit"
           git push origin gh-pages || echo "No changes to push"
-      
+
       # If we have a failure, Slack us
       - name: Report failure to Slack
         if: always()
-        uses: ravsamhq/notify-slack-action@v1.1
+        uses: ravsamhq/notify-slack-action@v2
         with:
           status: ${{ job.status }}
           notify_when: 'failure'
         env:
-          SLACK_WEBHOOK_URL: ${{ secrets.ACTION_MONITORING_SLACK }} 
+          SLACK_WEBHOOK_URL: ${{ env.ACTION_MONITORING_SLACK }}
           SLACK_MESSAGE: 'Build, Render, and Push failed'

.github/workflows/docker-build.yml

@@ -16,40 +16,40 @@ jobs:
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
+      - name: Load 1Password secrets
+        uses: 1password/load-secrets-action@v1
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.TRAINING_OP_SERVICE_ACCOUNT_TOKEN }}
+          ACTION_MONITORING_SLACK: ${{ secrets.OP_ACTION_MONITORING_SLACK }}
+
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - name: Checkout code
+        uses: actions/checkout@v3
 
       # set up Docker build
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-
-      # setup layer cache
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
+        uses: docker/setup-buildx-action@v2
 
       # Build docker image
       - name: Build Docker image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v4
         with:
           push: false
           context: docker
           file: docker/Dockerfile
           tags: ccdl/refinebio-examples:latest
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
       # If we have a failure, Slack us
       - name: Report failure to Slack
         if: always()
-        uses: ravsamhq/notify-slack-action@v1.1
+        uses: ravsamhq/notify-slack-action@v2
         with:
           status: ${{ job.status }}
           notify_when: 'failure'
         env:
-          SLACK_WEBHOOK_URL: ${{ secrets.ACTION_MONITORING_SLACK }} 
+          SLACK_WEBHOOK_URL: ${{ env.ACTION_MONITORING_SLACK }}
           SLACK_MESSAGE: 'Build Docker failed'

.github/workflows/style-and-sp-check.yml

@@ -13,14 +13,33 @@ jobs:
   style-n-check:
     runs-on: ubuntu-latest
     container:
-      image: rocker/tidyverse:4.0.2
+      image: rocker/tidyverse:4.0.5
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      - uses: actions/checkout@v2
+      - name: Install curl
+        run: apt-get update && apt-get install -y --no-install-recommends curl
+
+      - name: Load 1Password secrets
+        uses: 1password/load-secrets-action@v1
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.TRAINING_OP_SERVICE_ACCOUNT_TOKEN }}
+          DOCS_BOT_GITHUB_TOKEN: ${{ secrets.OP_DOCS_BOT_GITHUB_TOKEN }}
+
+      - name: Checkout
+        uses: actions/checkout@v3
         # What branch to commit to: the one from the pull request
         with:
           ref: ${{ github.event.pull_request.head.ref }}
+          token: ${{ env.DOCS_BOT_GITHUB_TOKEN }}
+
+      - name: Configure git
+        run: |
+            git config --global --add safe.directory "$GITHUB_WORKSPACE"
+            git config --local user.email "actions@github.com"
+            git config --local user.name "GitHub Actions"
 
       - name: Install packages
         run: Rscript -e "install.packages(c('styler', 'spelling'))"
@@ -29,10 +48,11 @@ jobs:
         id: spell_check_run
         run: |
           results=$(Rscript "scripts/spell-check.R")
-          echo "::set-output name=sp_chk_results::$results"
+          echo "sp_chk_results=$results" >> "$GITHUB_OUTPUT"
           cat spell_check_results.tsv
+
       - name: Archive spelling errors
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: spell-check-results
           path: spell_check_results.tsv
@@ -47,8 +67,6 @@ jobs:
 
       - name: Commit
         run: |
-          git config --local user.email "actions@github.com"
-          git config --local user.name "GitHub Actions"
           git add \*.Rmd
           git commit -m 'Style Rmds' || echo "No changes to commit"
           git push origin || echo "No changes to commit"

04-advanced-topics/validate_differential_expression_adv_topics_01.Rmd

@@ -399,7 +399,6 @@ test.gene <- refine.bio.df %>%
 
 # Make a dataframe with the group information
 box.plot <- data.frame(test.gene, subgroup = metadata$subgroup) %>%
-
   # Use ggplot2 to make a boxplot from this info
   ggplot(., aes(x = subgroup, y = test.gene)) +
   geom_boxplot() +

docker/Dockerfile

@@ -25,7 +25,8 @@ RUN apt-get -y --no-install-recommends install \
 
 # Install pip3 and instalation tools
 RUN apt-get -y --no-install-recommends install \
-    python3-pip  python3-dev
+    python3-pip \
+    python3-dev
 
 RUN pip3 install \
     "setuptools==49.3.0" \