Suggested hardening for linkcheck.yml
This repo's .github/workflows/linkcheck.yml (download-latest-release-HTML + QuantEcon/action-link-checker) is now shared, near-verbatim, with lecture-python-intro. During the Copilot review of the intro migration PR (QuantEcon/lecture-python-intro#783) three robustness improvements were surfaced and applied there. Filing them here so both repos can stay in sync — none are urgent, and the current workflow works today.
The three improvements
| # |
Change |
Why |
| 1 |
Add contents: read to the job permissions |
The block only grants issues: write; because permissions: resets every unlisted scope to none, the gh api .../releases/latest call runs with contents: none and can fail under org policy / on private repos |
| 2 |
set -euo pipefail, select a single asset, error if none |
An empty or multi-line asset match currently flows silently into curl, producing a confusing downstream failure instead of a clear one |
| 3 |
curl -fsSL instead of curl -sL |
Without -f, an HTTP error page (404/permission) is piped into tar and fails as a cryptic extraction error rather than a clear download failure |
Concrete diff (the two steps + permissions)
permissions:
contents: read # read latest release assets via gh api
issues: write # required for QuantEcon link-checker
steps:
- name: Get latest release asset URL
id: release
env:
GH_TOKEN: ${{ github.token }}
run: |
set -euo pipefail
ASSET_URL=$(gh api repos/${{ github.repository }}/releases/latest \
--jq '[.assets[] | select(.name | endswith(".tar.gz")) | .browser_download_url] | first // ""')
if [ -z "$ASSET_URL" ]; then
echo "::error::No .tar.gz asset found on the latest release"
exit 1
fi
echo "asset-url=$ASSET_URL" >> "$GITHUB_OUTPUT"
- name: Download and extract release HTML
run: |
set -euo pipefail
mkdir -p _site
curl -fsSL "${{ steps.release.outputs.asset-url }}" | tar -xz -C _site
Not changing: the action pin
Copilot also suggested pinning QuantEcon/action-link-checker@main to a tag/SHA. We opted to keep @main — it is a first-party QuantEcon action and @main is the org convention used across the lecture repos. Noting here only so the decision is on record; if we ever decide to pin QuantEcon actions org-wide, both repos should change together.
Reference: applied in QuantEcon/lecture-python-intro#783.
🤖 Generated with Claude Code
Suggested hardening for
linkcheck.ymlThis repo's
.github/workflows/linkcheck.yml(download-latest-release-HTML +QuantEcon/action-link-checker) is now shared, near-verbatim, withlecture-python-intro. During the Copilot review of the intro migration PR (QuantEcon/lecture-python-intro#783) three robustness improvements were surfaced and applied there. Filing them here so both repos can stay in sync — none are urgent, and the current workflow works today.The three improvements
contents: readto the jobpermissionsissues: write; becausepermissions:resets every unlisted scope tonone, thegh api .../releases/latestcall runs withcontents: noneand can fail under org policy / on private reposset -euo pipefail, select a single asset, error if nonecurl, producing a confusing downstream failure instead of a clear onecurl -fsSLinstead ofcurl -sL-f, an HTTP error page (404/permission) is piped intotarand fails as a cryptic extraction error rather than a clear download failureConcrete diff (the two steps + permissions)
Not changing: the action pin
Copilot also suggested pinning
QuantEcon/action-link-checker@mainto a tag/SHA. We opted to keep@main— it is a first-party QuantEcon action and@mainis the org convention used across the lecture repos. Noting here only so the decision is on record; if we ever decide to pin QuantEcon actions org-wide, both repos should change together.Reference: applied in QuantEcon/lecture-python-intro#783.
🤖 Generated with Claude Code