cisagov · felddy · Feb 24, 2020 · Feb 10, 2020 · Feb 10, 2020 · Feb 11, 2020
@@ -10,20 +10,10 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
-
-      - name: Set up Python 3.7
-        uses: actions/setup-python@v1
-        with:
-          python-version: 3.7
-
-      - name: Cache pre-commit hooks
-        uses: actions/cache@v1
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v1
         with:
-          path: ~/.cache/pre-commit
-          key: "${{ runner.os }}-pre-commit-\
-            ${{ hashFiles('**/.pre-commit-config.yaml') }}"
-
+          python-version: 3.8
       - name: Cache pip test requirements
         uses: actions/cache@v1
         with:
@@ -33,11 +23,15 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-pip-test-
             ${{ runner.os }}-pip-
-
+      - name: Cache pre-commit hooks
+        uses: actions/cache@v1
+        with:
+          path: ~/.cache/pre-commit
+          key: "${{ runner.os }}-pre-commit-\
+            ${{ hashFiles('**/.pre-commit-config.yaml') }}"
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install --upgrade -r requirements-test.txt
-
+          pip install --upgrade --requirement requirements-test.txt
       - name: Run pre-commit on all files
         run: pre-commit run --all-files
@@ -2,4 +2,5 @@
 __pycache__
 .python-version
 .coverage
+.mypy_cache
 .pytest_cache
@@ -7,6 +7,6 @@ import_heading_thirdparty=Third-Party Libraries
 import_heading_firstparty=cisagov Libraries
 
 # Should be auto-populated by seed-isort-config hook
-known_third_party=docopt,github
+known_third_party=docopt,github,nacl,requests,setuptools,schema
 # These must be manually set to correctly separate them from third party libraries
 known_first_party=
@@ -5,7 +5,7 @@ default_language_version:
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.4.0
+    rev: v2.5.0
     hooks:
       - id: check-executables-have-shebangs
       - id: check-json
@@ -27,13 +27,13 @@ repos:
       - id: requirements-txt-fixer
       - id: trailing-whitespace
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.19.0
+    rev: v0.22.0
     hooks:
       - id: markdownlint
         args:
           - --config=.mdl_config.json
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.18.0
+    rev: v1.20.0
     hooks:
       - id: yamllint
   - repo: https://github.com/detailyang/pre-commit-shell
@@ -47,7 +47,7 @@ repos:
         additional_dependencies:
           - flake8-docstrings
   - repo: https://github.com/asottile/pyupgrade
-    rev: v1.25.1
+    rev: v2.0.0
     hooks:
       - id: pyupgrade
   - repo: https://github.com/PyCQA/bandit
@@ -62,31 +62,35 @@ repos:
       - id: black
   # Disabling seed-isort-config since it doesn't identifying docopt, et al.
   # as third-party libraries.
-  # - repo: https://github.com/asottile/seed-isort-config
-  #   rev: v1.9.3
-  #   hooks:
-  #     - id: seed-isort-config
+  #- repo: https://github.com/asottile/seed-isort-config
+  #  rev: v1.9.4
+  #  hooks:
+  #    - id: seed-isort-config
   - repo: https://github.com/pre-commit/mirrors-isort
     # pick the isort version you'd like to use from
     # https://github.com/pre-commit/mirrors-isort/releases
     rev: v4.3.21
     hooks:
       - id: isort
   - repo: https://github.com/ansible/ansible-lint.git
-    rev: v4.1.1a5
+    rev: v4.2.0
     hooks:
       - id: ansible-lint
-        # files: molecule/default/playbook.yml
+      # files: molecule/default/playbook.yml
   - repo: https://github.com/antonbabenko/pre-commit-terraform.git
     rev: v1.12.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate_no_variables
   - repo: https://github.com/IamTheFij/docker-pre-commit
-    rev: v1.0.0
+    rev: v1.0.1
     hooks:
       - id: docker-compose-check
   - repo: https://github.com/prettier/prettier
     rev: 1.19.1
     hooks:
       - id: prettier
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v0.761
+    hooks:
+      - id: mypy
@@ -102,7 +102,7 @@ commands:
 cd development-guide
 pyenv virtualenv <python_version_to_use> development-guide
 pyenv local development-guide
-pip install -r requirements-dev.txt
+pip install --requirement requirements-dev.txt
 ```
 
 #### Installing the pre-commit hook ####

@@ -110,50 +110,36 @@ usage of the tool is:
 This file will now contain definitions for all the Ansible roles.  Edit
 the file, and remove any role that will not be required for your project.
 
-## Terraform IAM Credentials to Travis Tool 🔑‍👉👷🏻 ##
+## Terraform IAM Credentials to GitHub Secrets 🔑‍👉🤫 ##
 
-When Travis-CI needs credentials to run we provide them in its `.travis.yml`
-file in an encrypted format.  Extracting fresh IAM credentials from a
-Terraform run,
-[encrypting them properly](https://docs.travis-ci.com/user/environment-variables/#defining-encrypted-variables-in-travisyml)
-, and then formatting them into well-formed `yml` that will make the linters
-happy is no small task.
+When GitHub Actions workflows require credentials to run we provide them via
+[secrets](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets).
+This usually involves extracting the secrets from the Terraform state
+json output.  Then some pointing, clicking, cutting and pasting on the
+repository's settings.
 
-To simplify this task use the [`iam-to-travis`](scripts/iam-to-travis) tool
-located in the [`scripts`](scripts) directory.  The tool will output `yml`
-that can be pasted directly into a `.travis.yml` file.  The tool has
-adjustable indentation and width with reasonable defaults.
+To simplify this task use the [`iam-to-github`](scripts/iam-to-github) tool
+located in the [`scripts`](scripts) directory.  The tool will create secrets
+using your
+[personal access token (PAT)](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line).
+Note: Your PAT needs to have the "repo" scope set.
 
 Execute the tool from your GitHub project's terraform directory:
 
 ```bash
-iam-to-travis
+iam-to-github 9f4ae878de917c7cf191b9861d3c1cf9224939f7
 ```
 
-```yml
-# AWS_ACCESS_KEY_ID
-- secure: "UZVXTpslA2qID+51nIlVOPaDZNdIuTuEw7AMG7045zEAuxtmViHBKL5z6fpwUnmV\
-  vqnjZksQGLuLnYFIX+E85ObwrFBjhnr0m5baARG3wdS3+KrQjruStetz8gpKeXLA+L81VfhxF\
-  Z3pCTATN86FSEcVFSgA8hGGr1nKqpVKFqxnKCXnBeQCgqD0MrQ1bfj7AvhY1s97pf6kXBwQ7/\
-  MoRhFgwcnituhhDpb6QZWFo6L6W/UUKL5sATA3H2tGSLtS8W8a0MMTKr6n8uSoiQwNO8+qGvm\
-  Iu10tl+XPzHzYGdpmBZignA63HFOcodtDy3PJJzICrEmkGZ9zvp0kgtHi7hBLXSLf82D28lMt\
-  r8QC+ZCnuaH+ar0SaSueDS7MkUVXl0DNIkqjQZP4/AwTuAomJ4i60cpPS3Xte8GO8dUqwkc+/\
-  2mg1cqeUQAVaIMsFzs3U11LfC5CMzHNe9qe8jRt6aVylxpdXEpxLeD3kNG3mBEGxOAQD0YkYw\
-  tp1paKJOt2CHEnTkDrs8hJ9bZzlwGrmu0vIfFoO0k1/rYbemNGZ+VCY1TWtxOdqxeJRLVYZBJ\
-  J0cTlYf5N3//RUZS6QZ85dJ/7zKn4SRjalLMAD/zjAte5EsRag34KWG6LurRojKqpPUfzaxRu\
-  IEYQ1+ATLZoEgMLYETiEWG6Il2QNv1c6uOM="
-
-# AWS_SECRET_ACCESS_KEY
-- secure: "PcuGEOpW7f448RSA6TB07EwI2IlcCoWkrjztO8zz34rKE2VYNTaNEseZizTg0B0p\
-  s80jvlJRfkuQi+h0nYsLCANjsX+o1HooXnNBFsREzuKhYu1qB80Tcpl3DY/uYXF0yLbe0Qk0s\
-  ZmDxK3Fe62bjLzlMTh2i5Aocf+e176zQ+VrJqHG4qSVrgRPXeRcKRrKFyOYA/HbmC7Wcno85d\
-  nsj0s3U4sDxrn6rWaHetHFxEml5kD86XhJ4xKXhZfwCR+aVgvKEdiY4ft6wmfbogVhAqfa5NG\
-  N4CrCs1ooKutB/95axlmuxEG73mnYdBaE2FphOvx+2lL8JOVjtUK5ENac1QumHngztAASTtVc\
-  RXpEaRH5OGEgWkmqptN3fJAqZyfLu74zOr61/thJuh6fkAciXDoKt8e2CyCxAqbAB+6SKwxG3\
-  +K6rEtms6c3dwtHrssoHOsozADxVeK/I2two1QzcVsw92hRfF9ecWyV+QUaJ6iZYEk2VqgsDi\
-  NuBbVa2SQT9mO3A4fcn23fRjHy/ac/Cmz9q3hGKnMWl27CSRaPq7PR4sNPr9ebabRRrjAZ0I2\
-  UaWaDqIOwz85EWTQ6Y/53dgr2Zgv8KpfzfdNWhKtKS4woJGYPoU1k17V2TGZhs2S85XfT2aB3\
-  injrwJ5qqmcUljFdByuA08WyX4UkBCWtkJE="
+```console
+2020-02-22 15:50:36,059 INFO Using GitHub repository name: cisagov/ansible-role-dev-ssh-access
+2020-02-22 15:50:36,060 INFO Searching Terraform state for IAM credentials.
+2020-02-22 15:50:40,643 INFO Found credentials for user: test-ansible-role-dev-ssh-access
+2020-02-22 15:50:40,643 INFO Creating GitHub API session using personal access token.
+2020-02-22 15:50:40,644 INFO Requesting public key for repository cisagov/ansible-role-dev-ssh-access
+2020-02-22 15:50:40,832 INFO Setting secrets for user: test-ansible-role-dev-ssh-access
+2020-02-22 15:50:40,832 INFO Creating secret AWS_ACCESS_KEY_ID
+2020-02-22 15:50:41,027 INFO Creating secret AWS_SECRET_ACCESS_KEY
+2020-02-22 15:50:41,036 INFO Success!
 ```
 
 ## Managing SSM Parameters from Files 🗂👉☁️ ##