From 57b4abe8fd21bfd03d1010f82ff20d33aea353c4 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Fri, 27 May 2022 18:04:15 -0400
Subject: [PATCH 001/383] Update actions/setup-go from v2 to v3 Additionally as of v3.1.0 of actions/setup-go there is a go-version output value to retrieve the version of Go installed by the Action. This allows us to remove the step to manually retrieve this information from the Go executable.
---
 .github/workflows/build.yml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 27b2dcf..3216eec 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -26,14 +26,10 @@ jobs:
 python-version: "3.10"
 # We need the Go version and Go cache location for the actions/cache step,
 # so the Go installation must happen before that.
- - uses: actions/setup-go@v2
+ - id: setup-go
+ uses: actions/setup-go@v3
 with:
 go-version: "1.16"
- - name: Store installed Go version
- id: go-version
- run: |
- echo "::set-output name=version::"\
- "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')"
 - name: Lookup Go cache directory
 id: go-cache
 run: |
@@ -42,7 +38,7 @@ jobs:
 env:
 BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
 py${{ steps.setup-python.outputs.python-version }}-\
- go${{ steps.go-version.outputs.version }}-\
+ go${{ steps.setup-go.outputs.go-version }}-\
 packer${{ steps.setup-env.outputs.packer-version }}-\
 tf${{ steps.setup-env.outputs.terraform-version }}-"
 with:
From 8f6849857bc2a66254cafa94db31526692fab209 Mon Sep 17 00:00:00 2001
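Review bot: `uses: actions/setup-go@v3` references a mutable major tag, so the action code that runs — and whether it is at least the v3.1.0 the description relies on for the `go-version` output — is decided by where the tag points at run time rather than by this commit. Pinning to a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: actions/setup-go@<full-commit-sha>  # v3.1.0`, makes the dependency reproducible and reviewable, and Dependabot can still bump SHA pins when that version comment is present. The same applies to the tag references in the later hunks of this series: `hashicorp/setup-terraform@v2`, `actions/setup-python@v4`, `actions/checkout@v3` and `crazy-max/ghaction-github-labeler@v4` in the new sync-labels workflow, and `actions/download-artifact@v3` in the new test-build job.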
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 27 May 2022 18:07:10 -0400 Subject: [PATCH 002/383] Update the version of Go used from 1.16 to 1.18 Go 1.16 is no longer supported as of the release of 1.18 so it makes sense to update to the latest version available. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3216eec..d4c50c5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -29,7 +29,7 @@ jobs: - id: setup-go uses: actions/setup-go@v3 with: - go-version: "1.16" + go-version: "1.18" - name: Lookup Go cache directory id: go-cache run: | From fc55e84feba28e9652e2a21b976e3f8225b708af Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 8 Nov 2022 13:27:47 -0500 Subject: [PATCH 003/383] Update the version of Go used from 1.18 to 1.19 Go 1.19 was released while this branch was in the wings and it makes sense to bump to the latest Go release. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d4c50c5..66e0c95 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -29,7 +29,7 @@ jobs: - id: setup-go uses: actions/setup-go@v3 with: - go-version: "1.18" + go-version: "1.19" - name: Lookup Go cache directory id: go-cache run: | From 2775dfa470b433cb9692b5b8c604ad55aa24ea2a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Nov 2022 20:00:23 +0000 Subject: [PATCH 004/383] Bump hashicorp/setup-terraform from 1 to 2 Bumps [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) from 1 to 2. - [Release notes](https://github.com/hashicorp/setup-terraform/releases) - [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/setup-terraform/compare/v1...v2) --- updated-dependencies: - dependency-name: hashicorp/setup-terraform dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 66e0c95..37df1a3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -74,7 +74,7 @@ jobs: ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" sudo mv /usr/local/bin/packer /usr/local/bin/packer-default sudo ln -s /opt/packer/packer /usr/local/bin/packer - - uses: hashicorp/setup-terraform@v1 + - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - name: Install shfmt From 1f7c62e5f21f1ee0a034122b1e96e2e035ae4a5b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Nov 2022 20:06:28 +0000 Subject: [PATCH 005/383] Bump actions/setup-python from 3 to 4 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3 to 4. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 37df1a3..a624fe2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,7 +21,7 @@ jobs: uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v3 - id: setup-python - uses: actions/setup-python@v3 + uses: actions/setup-python@v4 with: python-version: "3.10" # We need the Go version and Go cache location for the actions/cache step, From 6a9c630f869dbd96001d9a00ea300e3195f2c05d Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 27 May 2022 17:30:33 -0400 Subject: [PATCH 006/383] Add an ownership comment to the Dependabot configuration Add a comment that states that the commented out ignore directives are managed by cisagov/skeleton-generic. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 208659c..38ffdc0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,6 +12,7 @@ updates: schedule: interval: "weekly" # ignore: + # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache # - dependency-name: actions/checkout # - dependency-name: actions/setup-python From dfd54e9ad294cedce783c61071f5dab151cf79e5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 27 May 2022 17:38:06 -0400 Subject: [PATCH 007/383] Add additional Dependabot ignore directives This adds the other versioned Actions that should be managed by cisagov/skeleton-generic to the list of commented out dependencies to ignore. --- .github/dependabot.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 38ffdc0..fef57f5 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -15,7 +15,10 @@ updates:
 # # Managed by cisagov/skeleton-generic
 # - dependency-name: actions/cache
 # - dependency-name: actions/checkout
+ # - dependency-name: actions/setup-go
 # - dependency-name: actions/setup-python
+ # - dependency-name: hashicorp/setup-terraform
+ # - dependency-name: mxschmitt/action-tmate
 - package-ecosystem: "pip"
 directory: "/"
From 71a88a5694347f17115f90f69e8ab09108aae1ed Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 11 Oct 2022 10:57:16 -0400
Subject: [PATCH 008/383] Remove usage of set-output from our GitHub Actions workflow GitHub has deprecated the set-output command per: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ This updates the GitHub Actions workflow to use the newly preferred method to set the output for a job's step.
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a624fe2..8d17421 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -33,7 +33,7 @@ jobs:
 - name: Lookup Go cache directory
 id: go-cache
 run: |
- echo "::set-output name=dir::$(go env GOCACHE)"
+ echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
 - uses: actions/cache@v3
 env:
 BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
From 21a68f461cf04ee5009c22e6311afdfdeff6f0fe Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 7 Sep 2022 13:35:44 -0400
Subject: [PATCH 009/383] Enable the allow-non-breakable-inline-mappings rule for yamllint
---
 .yamllint | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.yamllint b/.yamllint
index 76a1cce..b5b302f 100644
--- a/.yamllint
+++ b/.yamllint
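Review bot: `echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT` in the set-output replacement leaves the redirect target unquoted; the runner supplies a whitespace-free path today, but `>> "$GITHUB_OUTPUT"` is the form used in GitHub's own documentation, keeps the `run` block shellcheck-clean and costs nothing. Suggest `echo "dir=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"`.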
@@ -8,6 +8,14 @@ rules: # this behavior. comments-indentation: disable + # yamllint does not allow inline mappings that exceed the line length by + # default. There are many scenarios where the inline mapping may be a key, + # hash, or other long value that would exceed the line length but cannot + # reasonably be broken across lines. + line-length: + # This rule implies the allow-non-breakable-words rule + allow-non-breakable-inline-mappings: true + # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable From 3547c4f28d98a0e08582f5cf02e53d102a9e5dac Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 7 Sep 2022 13:37:21 -0400 Subject: [PATCH 010/383] Increase the maximum line length in the yamllint configuration Increase the line length maximum from the default of 80 to 88. This 10% increase mirrors the line length allowed in other linter configurations such as black. --- .yamllint | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.yamllint b/.yamllint index b5b302f..8f4e6bf 100644 --- a/.yamllint +++ b/.yamllint @@ -15,7 +15,8 @@ rules: line-length: # This rule implies the allow-non-breakable-words rule allow-non-breakable-inline-mappings: true - + # Allows a 10% overage from the default limit of 80 + max: 88 # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable From b1ea3d4239179f9dc15a3509593f921c77dedc6b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 14 Oct 2022 09:48:04 -0400 Subject: [PATCH 011/383] Fix the repo of the flake8 pre-commit hook Per PyCQA/flake8#1290 this hook moved from GitLab to GitHub. The version we use is bumped to the latest tag on GitHub as well. --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5c2e10..804fa6c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -91,8 +91,8 @@ repos: rev: 22.3.0 hooks: - id: black - - repo: https://gitlab.com/pycqa/flake8 - rev: 3.9.2 + - repo: https://github.com/PyCQA/flake8 + rev: 5.0.4 hooks: - id: flake8 additional_dependencies: From fb8d13f5baff79b0f0e8a231cdf2c68817695d4e Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 27 May 2022 18:45:45 -0400 Subject: [PATCH 012/383] Update pre-commit hooks Update pre-commit hooks using `pre-commit autoupdate`. The `ansible-lint` hook is intentionally held back due to issues with upgrading to v6. --- .pre-commit-config.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 804fa6c..25f8d1d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,7 +5,7 @@ default_language_version: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.1.0 + rev: v4.3.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -31,17 +31,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.31.1 + rev: v0.32.2 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v2.6.1 + rev: v3.0.0-alpha.4 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.26.3 + rev: v1.28.0 hooks: - id: yamllint args: @@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.14.2 + rev: 0.18.4 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v2.17.0 + rev: v2.20.0 hooks: - id: validate_manifest 
@@ -88,7 +88,7 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 22.3.0 + rev: 22.10.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 @@ -102,11 +102,11 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v0.942 + rev: v0.990 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v2.31.1 + rev: v3.2.0 hooks: - id: pyupgrade @@ -119,14 +119,14 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.64.0 + rev: v1.76.0 hooks: - id: terraform_fmt - id: terraform_validate # Docker hooks - repo: https://github.com/IamTheFij/docker-pre-commit - rev: v2.1.0 + rev: v2.1.1 hooks: - id: docker-compose-check From e5fbd70b2035b6de74c5bcc804af929a19d9cb17 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 5 Oct 2022 04:44:13 -0400 Subject: [PATCH 013/383] Add a label configuration file This configuration file stores information about the labels expected in this repository. --- .github/labels.yml | 67 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/labels.yml diff --git a/.github/labels.yml b/.github/labels.yml new file mode 100644 index 0000000..7d7f7f3 --- /dev/null +++ b/.github/labels.yml 
@@ -0,0 +1,67 @@ +--- +# Rather than breaking up descriptions into multiline strings we disable that +# specific rule in yamllint for this file. +# yamllint disable rule:line-length +- color: "#eb6420" + description: This issue or pull request is awaiting the outcome of another issue or pull request + name: blocked +- color: "#000000" + description: This issue or pull request involves changes to existing functionality + name: breaking change +- color: "#d73a4a" + description: This issue or pull request addresses broken functionality + name: bug +- color: "#07648d" + description: This issue will be advertised on code.gov's Open Tasks page (https://code.gov/open-tasks) + name: code.gov +- color: "#0366d6" + description: Pull requests that update a dependency file + name: dependencies +- color: "#5319e7" + description: This issue or pull request improves or adds to documentation + name: documentation +- color: "#5319e7" + description: This issue or pull request improves or adds to documentation + name: documentation +- color: "#cfd3d7" + description: This issue or pull request already exists or is covered in another issue or pull request + name: duplicate +- color: "#b005bc" + description: A high-level objective issue encompassing multiple issues instead of a specific unit of work + name: epic +- color: "#000000" + description: Pull requests that update GitHub Actions code + name: github-actions +- color: "#0e8a16" + description: This issue or pull request is well-defined and good for newcomers + name: good first issue +- color: "#ff7518" + description: Pull request that should count toward Hacktoberfest participation + name: hacktoberfest-accepted +- color: "#a2eeef" + description: This issue or pull request will add or improve functionality, maintainability, or ease of use + name: improvement +- color: "#fef2c0" + description: This issue or pull request is not applicable, incorrect, or obsolete + name: invalid +- color: "#ce099a" + description: This pull request is 
ready to merge during the next Lineage Kraken release + name: kraken 🐙 +- color: "#a4fc5d" + description: This issue or pull request requires further information + name: need info +- color: "#fcdb45" + description: This pull request is awaiting an action or decision to move forward + name: on hold +- color: "#ef476c" + description: This issue is a request for information or needs discussion + name: question +- color: "#1d76db" + description: This issue or pull request pulls in upstream updates + name: upstream update +- color: "#d4c5f9" + description: This issue or pull request increments the version number + name: version bump +- color: "#ffffff" + description: This issue will not be incorporated + name: wontfix From b9792a8d18d3690b8497e0cfe31ce855c85a7c2b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 5 Oct 2022 04:57:03 -0400 Subject: [PATCH 014/383] Add a workflow to synchronize repository labels This adds a workflow to ensure that the repository labels are updated to reflect changes to the label configuration file .github/labels.yml. --- .github/workflows/sync-labels.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/sync-labels.yml diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml new file mode 100644 index 0000000..ae7c091 --- /dev/null +++ b/.github/workflows/sync-labels.yml 
@@ -0,0 +1,29 @@
+---
+name: sync-labels
+
+on:
+ push:
+ paths:
+ - '.github/labels.yml'
+ - '.github/workflows/sync-labels.yml'
+
+permissions:
+ contents: read
+
+jobs:
+ labeler:
+ permissions:
+ # actions/checkout needs this to fetch code
+ contents: read
+ # crazy-max/ghaction-github-labeler needs this to manage repository labels
+ issues: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Sync repository labels
+ if: success()
+ uses: crazy-max/ghaction-github-labeler@v4
+ with:
+ # This is a hideous ternary equivalent so we only do a dry run unless
+ # this workflow is triggered by the develop branch.
+ dry-run: ${{ github.ref_name == 'develop' && 'false' || 'true' }}
From 161c4aebba002d4073a634749f3ae67f649a8a2a Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 21 Oct 2022 15:56:30 -0400
Subject: [PATCH 015/383] Remove duplicate label
---
 .github/labels.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 7d7f7f3..24bd511 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -20,9 +20,6 @@
 - color: "#5319e7"
 description: This issue or pull request improves or adds to documentation
 name: documentation
-- color: "#5319e7"
- description: This issue or pull request improves or adds to documentation
- name: documentation
 - color: "#cfd3d7"
 description: This issue or pull request already exists or is covered in another issue or pull request
 name: duplicate
From 5993231c3a136c86fe2dad178ac47495771cccce Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 21 Oct 2022 15:56:49 -0400
Subject: [PATCH 016/383] Add a label for issues or PRs that involve test code
---
 .github/labels.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/labels.yml b/.github/labels.yml
index 24bd511..b108748 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
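Review bot: The `Sync repository labels` step hands the job's `issues: write` token to a third-party action that is referenced by a floating tag, so the code exercising that write permission can change without any commit to this repository; of all the steps in this series it is the one where a full-commit-SHA pin matters most. `if: success()` on the same step is the default condition and can be dropped. The split between the workflow-level `permissions: contents: read` and the job-level block is a good least-privilege shape, but the `dry-run` comment only says when changes are applied, not what they are; if the action's default is to remove repository labels absent from `.github/labels.yml` (its `skip-delete` input governs this, as far as I recall — worth confirming against the action's README), add `# When not a dry run, labels missing from .github/labels.yml are removed.` beside it so the first real run on develop is not a surprise.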
@@ -53,6 +53,9 @@ - color: "#ef476c" description: This issue is a request for information or needs discussion name: question +- color: "#00008b" + description: This issue or pull request adds or otherwise modifies test code + name: test - color: "#1d76db" description: This issue or pull request pulls in upstream updates name: upstream update From 6cc53dc1f0bf5123465082100c57bb6a325024cf Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 9 Nov 2022 11:23:04 -0500 Subject: [PATCH 017/383] Fix GitHub label color values Update the configuration for repository labels to remove the leading `#` from color values. With a `#` leading the values they are seen as invalid by the GitHub API. --- .github/labels.yml | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/.github/labels.yml b/.github/labels.yml index b108748..500b000 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
@@ -2,66 +2,66 @@ # Rather than breaking up descriptions into multiline strings we disable that # specific rule in yamllint for this file. # yamllint disable rule:line-length -- color: "#eb6420" +- color: "eb6420" description: This issue or pull request is awaiting the outcome of another issue or pull request name: blocked -- color: "#000000" +- color: "000000" description: This issue or pull request involves changes to existing functionality name: breaking change -- color: "#d73a4a" +- color: "d73a4a" description: This issue or pull request addresses broken functionality name: bug -- color: "#07648d" +- color: "07648d" description: This issue will be advertised on code.gov's Open Tasks page (https://code.gov/open-tasks) name: code.gov -- color: "#0366d6" +- color: "0366d6" description: Pull requests that update a dependency file name: dependencies -- color: "#5319e7" +- color: "5319e7" description: This issue or pull request improves or adds to documentation name: documentation -- color: "#cfd3d7" +- color: "cfd3d7" description: This issue or pull request already exists or is covered in another issue or pull request name: duplicate -- color: "#b005bc" +- color: "b005bc" description: A high-level objective issue encompassing multiple issues instead of a specific unit of work name: epic -- color: "#000000" +- color: "000000" description: Pull requests that update GitHub Actions code name: github-actions -- color: "#0e8a16" +- color: "0e8a16" description: This issue or pull request is well-defined and good for newcomers name: good first issue -- color: "#ff7518" +- color: "ff7518" description: Pull request that should count toward Hacktoberfest participation name: hacktoberfest-accepted -- color: "#a2eeef" +- color: "a2eeef" description: This issue or pull request will add or improve functionality, maintainability, or ease of use name: improvement -- color: "#fef2c0" +- color: "fef2c0" description: This issue or pull request is not applicable, incorrect, or obsolete 
name: invalid -- color: "#ce099a" +- color: "ce099a" description: This pull request is ready to merge during the next Lineage Kraken release name: kraken 🐙 -- color: "#a4fc5d" +- color: "a4fc5d" description: This issue or pull request requires further information name: need info -- color: "#fcdb45" +- color: "fcdb45" description: This pull request is awaiting an action or decision to move forward name: on hold -- color: "#ef476c" +- color: "ef476c" description: This issue is a request for information or needs discussion name: question -- color: "#00008b" +- color: "00008b" description: This issue or pull request adds or otherwise modifies test code name: test -- color: "#1d76db" +- color: "1d76db" description: This issue or pull request pulls in upstream updates name: upstream update -- color: "#d4c5f9" +- color: "d4c5f9" description: This issue or pull request increments the version number name: version bump -- color: "#ffffff" +- color: "ffffff" description: This issue will not be incorporated name: wontfix From 8f1263549992de1edd4d4e30afae3fd7c8a8c546 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 9 Nov 2022 11:24:25 -0500 Subject: [PATCH 018/383] Correct spacing in yamllint rules There was a missing empty line in the `.yamllint` file between two rule definitions. --- .yamllint | 1 + 1 file changed, 1 insertion(+) diff --git a/.yamllint b/.yamllint index 8f4e6bf..2a119a6 100644 --- a/.yamllint +++ b/.yamllint @@ -17,6 +17,7 @@ rules: allow-non-breakable-inline-mappings: true # Allows a 10% overage from the default limit of 80 max: 88 + # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable From d9a1c30d72c7847a3281dda9df731e964296f719 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 26 Nov 2022 04:57:17 -0500 Subject: [PATCH 019/383] Pin Python 3.6 testing to Ubuntu 20.04 There is no Python 3.6 on Ubuntu 22.04 release available from actions/python-versions. Since Ubuntu 22.04 is what is being used for the `ubuntu-latest` tag we need to pin Python 3.6 testing to use the old `ubuntu-20.04` tag. --- .github/workflows/build.yml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index db8491c..8e447cf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -107,16 +107,20 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test: - runs-on: ubuntu-latest + runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: + os: + - ubuntu-latest python-version: - - "3.6" - "3.7" - "3.8" - "3.9" - "3.10" + include: + - os: ubuntu-20.04 + python-version: "3.6" steps: - uses: actions/checkout@v3 - id: setup-python @@ -193,17 +197,21 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE build: - runs-on: ubuntu-latest - needs: [lint, test] + runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: + os: + - ubuntu-latest python-version: - - "3.6" - "3.7" - "3.8" - "3.9" - "3.10" + include: + - os: ubuntu-20.04 + python-version: "3.6" + needs: [lint, test] steps: - uses: actions/checkout@v3 - id: setup-python From b389d8a67b4aa5392deadfc8631b16483f43d26a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 7 Jan 2023 14:53:37 -0500 Subject: [PATCH 020/383] Add a `python` label Since this project is for a Python package it makes sense to include a `python` label. --- .github/labels.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/labels.yml b/.github/labels.yml index 500b000..7cdfd79 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
@@ -50,6 +50,9 @@ - color: "fcdb45" description: This pull request is awaiting an action or decision to move forward name: on hold +- color: "3772a4" + description: Pull requests that update Python code + name: python - color: "ef476c" description: This issue is a request for information or needs discussion name: question From 62c839435c5cab2661c17c97b3a62c8828923033 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 9 Nov 2022 16:21:04 -0500 Subject: [PATCH 021/383] Update the version of the second bandit hook The `bandit (everything else)` hook was not updated in sync with the `bandit (tests tree)` hook and is using an older version of bandit. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f346c22..4b816a8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -92,7 +92,7 @@ repos: - --config=.bandit.yml # Run bandit everything but tests directory - repo: https://github.com/PyCQA/bandit - rev: 1.7.0 + rev: 1.7.4 hooks: - id: bandit name: bandit (everything else) From 99ee709871deca8ffa403b4dc1d5e9b33584c581 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 9 Nov 2022 16:22:50 -0500 Subject: [PATCH 022/383] Correct poor English in comments for the bandit pre-commit hooks Co-authored-by: dav3r --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4b816a8..5f14849 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -81,7 +81,7 @@ repos: - id: shell-lint # Python hooks - # Run bandit on "tests" tree with a configuration + # Run bandit on the "tests" tree with a configuration - repo: https://github.com/PyCQA/bandit rev: 1.7.4 hooks: 
@@ -90,7 +90,7 @@ repos: files: tests args: - --config=.bandit.yml - # Run bandit everything but tests directory + # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit rev: 1.7.4 hooks: From f3f9d920c68e1f75c716c98071c64e13fc4352a4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 26 Nov 2022 04:42:37 -0500 Subject: [PATCH 023/383] Add a CodeQL status badge to the README --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7f20bda..f3438b3 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # skeleton-python-library # [![GitHub Build Status](https://github.com/cisagov/skeleton-python-library/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions) +[![CodeQL](https://github.com/cisagov/skeleton-python-library/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions/workflows/codeql-analysis.yml) [![Coverage Status](https://coveralls.io/repos/github/cisagov/skeleton-python-library/badge.svg?branch=develop)](https://coveralls.io/github/cisagov/skeleton-python-library?branch=develop) [![Total alerts](https://img.shields.io/lgtm/alerts/g/cisagov/skeleton-python-library.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/cisagov/skeleton-python-library/alerts/) [![Language grade: Python](https://img.shields.io/lgtm/grade/python/g/cisagov/skeleton-python-library.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/cisagov/skeleton-python-library/context:python) From fa30ebbe5dd1780ab2a2e4f109cd17e5826cb1b9 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 5 Jan 2023 02:27:06 -0500 Subject: [PATCH 024/383] Remove LGTM badges from the README Now that LGTM has been deprecated in favor of GitHub code scanning (CodeQL) we have removed the integration from the organization. As a result we need to remove these badges. --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index f3438b3..79390aa 100644 --- a/README.md +++ b/README.md @@ -3,8 +3,6 @@ [![GitHub Build Status](https://github.com/cisagov/skeleton-python-library/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions) [![CodeQL](https://github.com/cisagov/skeleton-python-library/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions/workflows/codeql-analysis.yml) [![Coverage Status](https://coveralls.io/repos/github/cisagov/skeleton-python-library/badge.svg?branch=develop)](https://coveralls.io/github/cisagov/skeleton-python-library?branch=develop) -[![Total alerts](https://img.shields.io/lgtm/alerts/g/cisagov/skeleton-python-library.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/cisagov/skeleton-python-library/alerts/) -[![Language grade: Python](https://img.shields.io/lgtm/grade/python/g/cisagov/skeleton-python-library.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/cisagov/skeleton-python-library/context:python) [![Known Vulnerabilities](https://snyk.io/test/github/cisagov/skeleton-python-library/develop/badge.svg)](https://snyk.io/test/github/cisagov/skeleton-python-library) This is a generic skeleton project that can be used to quickly get a From abb931136b0b8b285cb7be53d6191455a756229a Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 29 Oct 2022 06:56:26 -0400 Subject: [PATCH 025/383] Add additional PyPI trove classifiers Since we only support Python 3 and only test against CPython (the reference implementation) it would be helpful to indicate these facts with our trove classifiers. --- setup.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup.py b/setup.py index f123137..106a1fb 100644 --- a/setup.py +++ b/setup.py @@ -74,11 +74,13 @@ def get_version(version_file): # Specify the Python versions you support here. In particular, ensure # that you indicate whether you support Python 2, Python 3 or both. "Programming Language :: Python :: 3", + "Programming Language :: Python :: 3 :: Only", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", + "Programming Language :: Python :: Implementation :: CPython", ], python_requires=">=3.6", # What does your project relate to? From 56c90d6fd15ba20698b76724c74ef5936621bd72 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 13 Sep 2022 09:59:08 -0400 Subject: [PATCH 026/383] Fix overly match-happy sed commands We saw in cisagov/postfix-docker#47 that the sed commands in the bump_version.sh script could inadvertently match the CC0 version in the README.md file. This change escapes the periods in the version before passing it on to sed so that they only match periods and not just any character. --- bump_version.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/bump_version.sh b/bump_version.sh index e1324b8..bd520bd 100755 --- a/bump_version.sh +++ b/bump_version.sh 
@@ -11,6 +11,9 @@ VERSION_FILE=src/example/_version.py HELP_INFORMATION="bump_version.sh (show|major|minor|patch|prerelease|build|finalize)" old_version=$(sed -n "s/^__version__ = \"\(.*\)\"$/\1/p" $VERSION_FILE) +# Comment out periods so they are interpreted as periods and don't +# just match any character +old_version_regex=${old_version//\./\\\.} if [ $# -ne 1 ]; then echo "$HELP_INFORMATION" @@ -22,7 +25,7 @@ else # A temp file is used to provide compatability with macOS development # as a result of macOS using the BSD version of sed tmp_file=/tmp/version.$$ - sed "s/$old_version/$new_version/" $VERSION_FILE > $tmp_file + sed "s/$old_version_regex/$new_version/" $VERSION_FILE > $tmp_file mv $tmp_file $VERSION_FILE git add $VERSION_FILE git commit -m"Bump version from $old_version to $new_version" @@ -34,10 +37,10 @@ else # A temp file is used to provide compatability with macOS development # as a result of macOS using the BSD version of sed tmp_file=/tmp/version.$$ - sed "s/$old_version/$new_version/" $VERSION_FILE > $tmp_file + sed "s/$old_version_regex/$new_version/" $VERSION_FILE > $tmp_file mv $tmp_file $VERSION_FILE git add $VERSION_FILE - git commit -m"Bump version from $old_version to $new_version" + git commit -m"Finalize version from $old_version to $new_version" git push ;; show) From 034cef89078b397fad4b00c605999a413540c75e Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 5 Jan 2023 15:03:19 -0500 Subject: [PATCH 027/383] Add a GitHub Actions job to test wheels This job will test thw wheels created during the `build` job to ensure the distribution artifact also passes tests. --- .github/workflows/build.yml | 53 +++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4cabcb8..a1532c6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
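Review bot: The new comment above `old_version_regex` says the periods are "commented out", but `${old_version//\./\\\.}` escapes them so that sed matches a literal dot; `# Escape periods so sed matches them literally rather than as "any character"` describes what the line does. On the same line, the unchanged `tmp_file=/tmp/version.$$` in both sed hunks is a predictable name in a world-writable directory; `tmp_file=$(mktemp)` closes the symlink race while keeping the macOS/BSD-sed rationale given in the comment above it. The third hunk also rewords the finalize commit message from `Bump version` to `Finalize version`, an unrelated change bundled into a regex fix that the commit message does not mention. The `case` statement these hunks edit starts before the first hunk.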
@@ -242,3 +242,56 @@ jobs: - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE + test-build: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + os: + - ubuntu-latest + python-version: + - "3.7" + - "3.8" + - "3.9" + - "3.10" + include: + - os: ubuntu-20.04 + python-version: "3.6" + needs: [build] + steps: + - uses: actions/checkout@v3 + - id: setup-python + uses: actions/setup-python@v4 + with: + python-version: ${{ matrix.python-version }} + - uses: actions/cache@v3 + env: + BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ + py${{ steps.setup-python.outputs.python-version }}-" + with: + path: ${{ env.PIP_CACHE_DIR }} + # We do not use '**/setup.py' in the cache key so only the 'setup.py' + # file in the root of the repository is used. This is in case a Python + # package were to have a 'setup.py' as part of its internal codebase. + key: "${{ env.BASE_CACHE_KEY }}\ + ${{ hashFiles('**/requirements.txt') }}-\ + ${{ hashFiles('setup.py') }}" + restore-keys: | + ${{ env.BASE_CACHE_KEY }} + - name: Retrieve the built wheel + uses: actions/download-artifact@v3 + with: + name: dist-${{ matrix.python-version }} + - name: Install testing dependencies + run: | + python -m pip install --upgrade pip setuptools wheel + python -m pip install --upgrade pytest pytest-cov + - name: Install the built wheel (there should only be one) + run: python -m pip install *.whl + - name: Run tests + env: + RELEASE_TAG: ${{ github.event.release.tag_name }} + run: pytest + - name: Setup tmate debug session + uses: mxschmitt/action-tmate@v3 + if: env.RUN_TMATE From 63f4a731e8308dd582166d9bc92f96e5ee8e8228 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 5 Jan 2023 15:04:55 -0500 Subject: [PATCH 028/383] Prefer block-style to flow-style in GitHub Actions job needs --- .github/workflows/build.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
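Review bot: The new `test-build` job declares no `permissions:` block, so its `GITHUB_TOKEN` receives whatever the workflow or repository default grants, although the steps shown only check out the repo and download an artifact; adding `permissions:` with `contents: read` under the job keeps the token least-privilege (unless a workflow-level `permissions:` outside this hunk already does so). `run: python -m pip install *.whl` relies on the shell glob matching exactly one file: with no match pip is handed the literal `*.whl`, and with several matches all of them are installed, so the "(there should only be one)" in the step name is not enforced. The `Install testing dependencies` step installs only `pytest pytest-cov`, so any other test-time dependency the package declares would be missing when `pytest` runs against the wheel. The job is complete within this hunk; the preceding tmate step belongs to the `build` job, whose definition starts earlier.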
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a1532c6..94c9569 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -159,7 +159,8 @@ jobs: if: env.RUN_TMATE coveralls-finish: runs-on: ubuntu-latest - needs: test + needs: + - test steps: - uses: actions/checkout@v3 - id: setup-python @@ -194,6 +195,9 @@ jobs: if: env.RUN_TMATE build: runs-on: ${{ matrix.os }} + needs: + - lint + - test strategy: fail-fast: false matrix: @@ -207,7 +211,6 @@ jobs: include: - os: ubuntu-20.04 python-version: "3.6" - needs: [lint, test] steps: - uses: actions/checkout@v3 - id: setup-python @@ -244,6 +247,8 @@ jobs: if: env.RUN_TMATE test-build: runs-on: ${{ matrix.os }} + needs: + - build strategy: fail-fast: false matrix: @@ -257,7 +262,6 @@ jobs: include: - os: ubuntu-20.04 python-version: "3.6" - needs: [build] steps: - uses: actions/checkout@v3 - id: setup-python From 6a5c15687560619529743896b33ad2ee7e21ab50 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 29 Oct 2022 06:53:04 -0400 Subject: [PATCH 029/383] Add support for Python 3.11 With the release of Python 3.11 on 2022-10-24 we should add it to our supported Python versions. This includes an appropriate PyPI trove classifier and adding it to the Python versions that are tested in our GitHub Actions workflow. --- .github/workflows/build.yml | 3 +++ setup.py | 1 + 2 files changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 94c9569..2d91593 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -114,6 +114,7 @@ jobs: - "3.8" - "3.9" - "3.10" + - "3.11" include: - os: ubuntu-20.04 python-version: "3.6" @@ -208,6 +209,7 @@ jobs: - "3.8" - "3.9" - "3.10" + - "3.11" include: - os: ubuntu-20.04 python-version: "3.6" @@ -259,6 +261,7 @@ jobs: - "3.8" - "3.9" - "3.10" + - "3.11" include: - os: ubuntu-20.04 python-version: "3.6" 
diff --git a/setup.py b/setup.py index 106a1fb..f417c83 100644 --- a/setup.py +++ b/setup.py @@ -80,6 +80,7 @@ def get_version(version_file): "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", + "Programming Language :: Python :: 3.11", "Programming Language :: Python :: Implementation :: CPython", ], python_requires=">=3.6", From abd6218987345384203aae1207b8dfb2fdeae3d5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 7 Jan 2023 15:41:40 -0500 Subject: [PATCH 030/383] Bump version from 0.1.0 to 0.2.0 --- src/example/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/example/_version.py b/src/example/_version.py index 5eb9b0e..6baaa6f 100644 --- a/src/example/_version.py +++ b/src/example/_version.py @@ -1,2 +1,2 @@ """This file defines the version of this module.""" -__version__ = "0.1.0" +__version__ = "0.2.0" From c7c0ee9fe3a74819a49f9719997ecbcbdd667bb8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 7 Jan 2023 20:45:57 +0000 Subject: [PATCH 031/383] Bump actions/upload-artifact from 2 to 3 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2 to 3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2d91593..baa8c3b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -240,7 +240,7 @@ jobs: - name: Build artifacts run: python -m build - name: Upload artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v3 with: name: dist-${{ matrix.python-version }} path: dist From 4709716d332f060e68aa7248ecb955914d9acfff Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 7 Jan 2023 16:17:06 -0500 Subject: [PATCH 032/383] Add ignore directives to the dependabot configuration Add ignore directives and an attribution comment to the dependabot configurtation. These will be uncommented in descendants of this project (cisagov/skeleton-python-library) so that version changes to these Actions are controlled through this project. --- .github/dependabot.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5fe9a06..5bb8e67 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -19,6 +19,9 @@ updates: - dependency-name: actions/setup-python - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate + # # Managed by cisagov/skeleton-python-library + # - dependency-name: actions/download-artifact + # - dependency-name: actions/upload-artifact - package-ecosystem: "pip" directory: "/" From 0bb91c5654db04ad15182dc8c0e491ae0664394f Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 31 Jan 2023 13:06:42 -0500 Subject: [PATCH 033/383] Update pre-commit hooks Update pre-commit hooks using `pre-commit autoupdate`. The `ansible-lint` hook is intentionally held back to be updated independently to v6. --- .pre-commit-config.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 25f8d1d..2764bb4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -5,7 +5,7 @@ default_language_version: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.4.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -31,7 +31,7 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.32.2 + rev: v0.33.0 hooks: - id: markdownlint args: @@ -41,7 +41,7 @@ repos: hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.28.0 + rev: v1.29.0 hooks: - id: yamllint args: @@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.18.4 + rev: 0.21.0 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v2.20.0 + rev: v3.0.2 hooks: - id: validate_manifest @@ -88,25 +88,25 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 22.10.0 + rev: 22.12.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 5.0.4 + rev: 6.0.0 hooks: - id: flake8 additional_dependencies: - flake8-docstrings - repo: https://github.com/PyCQA/isort - rev: 5.10.1 + rev: 5.12.0 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v0.990 + rev: v0.991 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.2.0 + rev: v3.3.1 hooks: - id: pyupgrade @@ -119,7 +119,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.76.0 + rev: v1.77.0 hooks: - id: terraform_fmt - id: terraform_validate From 313e79263e8b6a1fbd311e5b9543a2b9a99ab93b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 2 Feb 2023 13:56:59 -0500 Subject: [PATCH 034/383] Add a security label --- .github/labels.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/labels.yml b/.github/labels.yml index 500b000..5b16492 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
@@ -53,6 +53,9 @@ - color: "ef476c" description: This issue is a request for information or needs discussion name: question +- color: "d73a4a" + description: This issue or pull request addresses a security issue + name: security - color: "00008b" description: This issue or pull request adds or otherwise modifies test code name: test From 0c52e4684d527fdcb991f49c2e0957d1b5fc087a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 11 Jan 2023 00:54:03 -0500 Subject: [PATCH 035/383] Update wheel installation in the `test-build` job Retrieve the wheel to a `dist/` sub-directory and get the name of the specific file (wheel) to be installed. Then update the installation step to use this found filename instead of a wildcard. --- .github/workflows/build.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index baa8c3b..bcacbea 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -289,12 +289,14 @@ jobs: uses: actions/download-artifact@v3 with: name: dist-${{ matrix.python-version }} - - name: Install testing dependencies - run: | - python -m pip install --upgrade pip setuptools wheel - python -m pip install --upgrade pytest pytest-cov - - name: Install the built wheel (there should only be one) - run: python -m pip install *.whl + path: dist + - id: find-wheel + name: Get the name of the retrieved wheel (there should only be one) + run: echo "wheel=$(ls dist/*whl)" >> $GITHUB_OUTPUT + - name: Update core Python packages + run: python -m pip install --upgrade pip setuptools wheel + - name: Install the built wheel + run: python -m pip install ${{ steps.find-wheel.outputs.wheel }} - name: Run tests env: RELEASE_TAG: ${{ github.event.release.tag_name }} From 22bce632cd5d850d5ec8e48ac3f5b8aee5fb24c4 Mon Sep 17 00:00:00 2001 
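Review bot: The new `find-wheel` step writes `$(ls dist/*whl)` to `$GITHUB_OUTPUT` and the following step splices that output directly into a `run:` script as `${{ steps.find-wheel.outputs.wheel }}`; the robust form passes it through the environment, `env: WHEEL: ${{ steps.find-wheel.outputs.wheel }}` with `run: python -m pip install "$WHEEL"`, so the value is never re-parsed by the shell (PATCH 036 on this page keeps the same pattern with `[test]` appended). The "there should only be one" assumption is still unchecked: with two wheels `ls` prints two lines and the second is not a valid `name=value` output entry, while with none pip receives the literal glob. A guard such as `set -- dist/*.whl; [ "$#" -eq 1 ] && [ -f "$1" ] || exit 1` before the `echo "wheel=$1"` makes the assumption fail loudly. `$GITHUB_OUTPUT` would also be better quoted. The `test-build` job this hunk edits begins outside the hunk.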
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 11 Jan 2023 00:56:10 -0500 Subject: [PATCH 036/383] Install the `test` dependencies of the built wheel When installing the wheel that was built in the `build` job we will also install the `test` optional dependencies. --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bcacbea..00b6dc7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -295,8 +295,8 @@ jobs: run: echo "wheel=$(ls dist/*whl)" >> $GITHUB_OUTPUT - name: Update core Python packages run: python -m pip install --upgrade pip setuptools wheel - - name: Install the built wheel - run: python -m pip install ${{ steps.find-wheel.outputs.wheel }} + - name: Install the built wheel (along with testing dependencies) + run: python -m pip install ${{ steps.find-wheel.outputs.wheel }}[test] - name: Run tests env: RELEASE_TAG: ${{ github.event.release.tag_name }} From 659a9eb05185633c4ee1cc5e88f0cdbc94f94cc2 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Feb 2023 14:04:21 -0500 Subject: [PATCH 037/383] Adjust key order in the build workflow Sort all pre-`steps` keys alphabetically descending. Sorting all keys alphabetically would be somewhat onerous because the `strategy` key would come after the `steps` key even though it's configuration information. We can at least sort everything but the `steps` key in alphabetically descending order and make the `steps` the last for a job. --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 00b6dc7..82f1382 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -195,10 +195,10 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE build: - runs-on: ${{ matrix.os }} needs: - lint - test + runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: @@ -248,9 +248,9 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test-build: - runs-on: ${{ matrix.os }} needs: - build + runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: From 0f3dd3911b05a9488cf13c34d46ca19d62a875ff Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Feb 2023 14:14:05 -0500 Subject: [PATCH 038/383] Make build workflow job names more descriptive Add `name` keys to the `test`, `build`, and `test-build` jobs that are both more descriptive and include the Python version from the job's matrix. This will produce consistent and more helpful job names in the GitHub Actions log in the GitHub web UI. --- .github/workflows/build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 82f1382..ab4a66f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -103,6 +103,7 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test: + name: test source - py${{ matrix.python-version }} runs-on: ${{ matrix.os }} strategy: fail-fast: false @@ -195,6 +196,7 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE build: + name: build wheel - py${{ matrix.python-version }} needs: - lint - test @@ -248,6 +250,7 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test-build: + name: test built wheel - py${{ matrix.python-version }} needs: - build runs-on: ${{ matrix.os }} From 744f07eb7497619ef4124bfe20ef8a6d2d071fb5 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 24 Mar 2023 11:06:27 -0400 Subject: [PATCH 039/383] Add @jasonodoom as a default codeowner --- .github/CODEOWNERS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 371258c..8f5c8c5 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -3,8 +3,8 @@ # These owners will be the default owners for everything in the # repo. Unless a later match takes precedence, these owners will be # requested for review when someone opens a pull request. -* @dav3r @felddy @jsf9k @mcdonnnj +* @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj # These folks own any files in the .github directory at the root of # the repository and any of its subdirectories. -/.github/ @dav3r @felddy @jsf9k @mcdonnnj +/.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj From 8d39c8b402fc24084d57a27f33dada98832cced6 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 19 Apr 2023 11:56:30 -0400 Subject: [PATCH 040/383] Use Python 3.11 for the `lint` job in the `build` workflow This is the latest minor release of Python so it makes sense to use it as the default for this job. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8d17421..dc14a7d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -23,7 +23,7 @@ jobs: - id: setup-python uses: actions/setup-python@v4 with: - python-version: "3.10" + python-version: "3.11" # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go From db5e7ffebaa44d240b1fb333bef5e34512115aa8 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 27 Mar 2023 08:37:24 -0400 Subject: [PATCH 041/383] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. However the `ansible-lint` hook is manually kept back as we have not tested functionality to confirm that our roles will generally pass with the new version. --- .pre-commit-config.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2764bb4..0dabeb6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,11 +37,11 @@ repos: args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.0.0-alpha.4 + rev: v3.0.0-alpha.6 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.29.0 + rev: v1.30.0 hooks: - id: yamllint args: @@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.21.0 + rev: 0.22.0 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.0.2 + rev: v3.2.1 hooks: - id: validate_manifest @@ -82,13 +82,13 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.4 + rev: 1.7.5 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 22.12.0 + rev: 23.1.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 @@ -102,7 +102,7 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v0.991 + rev: v1.1.1 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade @@ -119,7 +119,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.0 + rev: v1.77.1 hooks: - id: terraform_fmt - id: terraform_validate From 4c595e68e41d663fe934124fcbeb289747cb1d54 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Mar 2023 15:54:24 +0000 Subject: [PATCH 042/383] Bump actions/setup-go from 3 to 4 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index dc14a7d..269122b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,7 @@ jobs: # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: go-version: "1.19" - name: Lookup Go cache directory From 9984792a22f733d33421b7b6cc77f0fb44ca8d7c Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Fri, 24 Feb 2023 11:17:03 -0500 Subject: [PATCH 043/383] Install/upgrade setuptools and wheel when upgrading pip When wheel gets installed alongside other packages, it may not get used when those other packages are installed. When that happens I see warnings like this: DEPRECATION: ansible-core is being installed using the legacy 'setup.py install' method, because it does not have a 'pyproject.toml' and the 'wheel' package is not installed. pip 23.1 will enforce this behaviour change. A possible replacement is to enable the '--use-pep517' option. Discussion can be found at https://github.com/pypa/pip/issues/8559 This change should get rid of these warnings. Nota bene: This is the practice we follow in the Dockerfile in cisagov/skeleton-docker, but for some reason we never started using it in our workflows. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 269122b..bdd8c98 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -89,7 +89,7 @@ jobs: run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install dependencies run: | - python -m pip install --upgrade pip + python -m pip install --upgrade pip setuptools wheel pip install --upgrade --requirement requirements-test.txt - name: Set up pre-commit hook environments run: pre-commit install-hooks From a0bc20bb08292f0d532f52378b8af4f585c94427 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Fri, 5 May 2023 14:00:52 -0400 Subject: [PATCH 044/383] Add Go hooks to support go code for our projects --- .pre-commit-config.yaml | 56 +++++++++++++++++++++++++++++++++-------- 1 file changed, 45 insertions(+), 11 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0dabeb6..65c676b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -31,17 +31,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.33.0 + rev: v0.34.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.0.0-alpha.6 + rev: v3.0.0-alpha.9-for-vscode hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.30.0 + rev: v1.31.0 hooks: - id: yamllint args: @@ -49,17 +49,51 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.22.0 + rev: 0.23.0 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.2.1 + rev: v3.3.1 hooks: - id: validate_manifest + # Go hooks + - repo: https://github.com/TekWizely/pre-commit-golang + rev: v1.0.0-rc.1 + hooks: + # Style Checkers + - id: go-lint + - id: go-critic + # Go Build + - id: go-build-mod + - id: go-build-pkg + - id: go-build-repo-mod + - id: go-build-repo-pkg + + # Go Mod Tidy + - id: go-mod-tidy + - id: go-mod-tidy-repo + + # Go Test + - id: go-test-mod + - id: go-test-pkg + - id: go-test-repo-mod + - id: go-test-repo-pkg + + # Go Vet + - id: go-vet + - id: go-vet-mod + - id: go-vet-pkg + - id: go-vet-repo-mod + - id: go-vet-repo-pkg + # GoSec + - id: go-sec-mod + - id: go-sec-pkg + - id: go-sec-repo-mod + - id: go-sec-repo-pkg # Shell script hooks - repo: https://github.com/cisagov/pre-commit-shfmt rev: v0.0.2 @@ -88,7 +122,7 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 23.1.0 + rev: 23.3.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 
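Review bot: `rev: v1.0.0-rc.1` pins the newly added TekWizely/pre-commit-golang repo to a pre-release tag; pre-commit resolves `rev` when hook environments are installed, so a moved or re-cut release-candidate tag silently changes the hook code every contributor runs, whereas a full commit SHA (or the final release once available) makes the pin reproducible. The hunk also bumps the unrelated markdownlint, prettier, yamllint, check-jsonschema, pre-commit and black revs alongside the new hooks, and the commit's second hunk moves ansible-lint from `v5.4.0` to `v6.15.0` even though PATCH 041 on this page states that hook is deliberately held back pending testing; PATCH 052 later reverts all of these bumps, which is the cost of mixing concerns in one commit. Each Go check is additionally registered in four scope variants (`-mod`, `-pkg`, `-repo-mod`, `-repo-pkg`), so every tool runs up to four times per commit; one scope per tool is sufficient.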
@@ -102,31 +136,31 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.1.1 + rev: v1.2.0 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.3.1 + rev: v3.3.2 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible-community/ansible-lint - rev: v5.4.0 + rev: v6.15.0 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.1 + rev: v1.78.0 hooks: - id: terraform_fmt - id: terraform_validate # Docker hooks - repo: https://github.com/IamTheFij/docker-pre-commit - rev: v2.1.1 + rev: v3.0.1 hooks: - id: docker-compose-check From 3628e5fa20d334723ca4733a873110b52b07b406 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Fri, 5 May 2023 14:08:25 -0400 Subject: [PATCH 045/383] Add Staticcheck --- .pre-commit-config.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 65c676b..b04a130 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -67,6 +67,11 @@ repos: # Style Checkers - id: go-lint - id: go-critic + # StaticCheck + - id: go-staticcheck-mod + - id: go-staticcheck-pkg + - id: go-staticcheck-repo-mod + - id: go-staticcheck-repo-pkg # Go Build - id: go-build-mod - id: go-build-pkg From 668724f0a5fc2742a5fd9ce7de16753664876d02 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Fri, 5 May 2023 16:07:08 -0400 Subject: [PATCH 046/383] Fix indentation Co-authored-by: Shane Frasier --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b04a130..10d005e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -64,7 +64,7 @@ repos: - repo: https://github.com/TekWizely/pre-commit-golang rev: v1.0.0-rc.1 hooks: - # Style Checkers + # Style Checkers - id: go-lint - id: go-critic # StaticCheck 
From 3d422b8493f09867ce17b2254ba25678a9759d03 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Fri, 5 May 2023 16:07:17 -0400 Subject: [PATCH 047/383] Fix indentation Co-authored-by: Shane Frasier --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 10d005e..20e57fa 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -67,7 +67,7 @@ repos: # Style Checkers - id: go-lint - id: go-critic - # StaticCheck + # StaticCheck - id: go-staticcheck-mod - id: go-staticcheck-pkg - id: go-staticcheck-repo-mod From 5571f4756c1499d29da617b6f53afe8bfaebcf8d Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Fri, 5 May 2023 16:07:25 -0400 Subject: [PATCH 048/383] Fix indentation Co-authored-by: Shane Frasier --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 20e57fa..9d698a8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -72,7 +72,7 @@ repos: - id: go-staticcheck-pkg - id: go-staticcheck-repo-mod - id: go-staticcheck-repo-pkg - # Go Build + # Go Build - id: go-build-mod - id: go-build-pkg - id: go-build-repo-mod From 4fd9501f753e1789261307b9e3829dd19dd3d42f Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Fri, 5 May 2023 16:07:44 -0400 Subject: [PATCH 049/383] Fix formatting Co-authored-by: Shane Frasier --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9d698a8..4946d17 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -77,7 +77,6 @@ repos: - id: go-build-pkg - id: go-build-repo-mod - id: go-build-repo-pkg - # Go Mod Tidy - id: go-mod-tidy - id: go-mod-tidy-repo From 412101aff6363f06a9155fa21679637d5d5ca7dd Mon Sep 17 00:00:00 2001 
From: Jason Odoom Date: Fri, 5 May 2023 16:08:16 -0400 Subject: [PATCH 050/383] Fix formatting Co-authored-by: Shane Frasier --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4946d17..837d28b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -86,7 +86,6 @@ repos: - id: go-test-pkg - id: go-test-repo-mod - id: go-test-repo-pkg - # Go Vet - id: go-vet - id: go-vet-mod From a346fb5a789040104624eb0b193460463a8d811a Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Fri, 5 May 2023 16:10:19 -0400 Subject: [PATCH 051/383] Fix formatting Co-authored-by: Shane Frasier --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 837d28b..9ac7fd1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -80,7 +80,6 @@ repos: # Go Mod Tidy - id: go-mod-tidy - id: go-mod-tidy-repo - # Go Test - id: go-test-mod - id: go-test-pkg From c47038b51d4b537b9bd64b0299c1b99ca0b6e455 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Fri, 5 May 2023 16:19:50 -0400 Subject: [PATCH 052/383] Revert updated versions for existing hooks --- .pre-commit-config.yaml | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9ac7fd1..d14f75a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,17 +31,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.34.0 + rev: v0.33.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.0.0-alpha.9-for-vscode + rev: v3.0.0-alpha.6 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.31.0 + rev: v1.30.0 hooks: - id: yamllint args: 
@@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.23.0 + rev: 0.22.0 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.3.1 + rev: v3.2.1 hooks: - id: validate_manifest @@ -96,6 +96,7 @@ repos: - id: go-sec-pkg - id: go-sec-repo-mod - id: go-sec-repo-pkg + # Shell script hooks - repo: https://github.com/cisagov/pre-commit-shfmt rev: v0.0.2 @@ -124,7 +125,7 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 23.3.0 + rev: 23.1.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 @@ -138,31 +139,31 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.2.0 + rev: v1.1.1 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.3.2 + rev: v3.3.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible-community/ansible-lint - rev: v6.15.0 + rev: v5.4.0 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.78.0 + rev: v1.77.1 hooks: - id: terraform_fmt - id: terraform_validate # Docker hooks - repo: https://github.com/IamTheFij/docker-pre-commit - rev: v3.0.1 + rev: v2.1.1 hooks: - id: docker-compose-check @@ -171,4 +172,4 @@ repos: rev: v0.0.2 hooks: - id: packer_validate - - id: packer_fmt + - id: packer_fmt \ No newline at end of file From eb52678f773e6f05857b6880b34b9f8afdb71dc5 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Fri, 5 May 2023 16:30:11 -0400 Subject: [PATCH 053/383] Fix formatting --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d14f75a..6e8143b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -172,4 +172,4 @@ repos: rev: v0.0.2 hooks: - id: packer_validate - - id: packer_fmt \ No newline at end of file + - id: packer_fmt From f8179f1aa31be65b2c363fd86badd6bf7883a033 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Fri, 5 May 2023 17:16:19 -0400 Subject: [PATCH 054/383] Remove extra hook ids --- .pre-commit-config.yaml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6e8143b..0810309 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -69,33 +69,16 @@ repos: - id: go-critic # StaticCheck - id: go-staticcheck-mod - - id: go-staticcheck-pkg - - id: go-staticcheck-repo-mod - - id: go-staticcheck-repo-pkg # Go Build - id: go-build-mod - - id: go-build-pkg - - id: go-build-repo-mod - - id: go-build-repo-pkg # Go Mod Tidy - id: go-mod-tidy - - id: go-mod-tidy-repo # Go Test - id: go-test-mod - - id: go-test-pkg - - id: go-test-repo-mod - - id: go-test-repo-pkg # Go Vet - id: go-vet - - id: go-vet-mod - - id: go-vet-pkg - - id: go-vet-repo-mod - - id: go-vet-repo-pkg # GoSec - id: go-sec-mod - - id: go-sec-pkg - - id: go-sec-repo-mod - - id: go-sec-repo-pkg # Shell script hooks - repo: https://github.com/cisagov/pre-commit-shfmt From 42820e2e7d1fb492be77faa313de934f1c472cd2 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 8 May 2023 09:41:46 -0400 Subject: [PATCH 055/383] Replace hooks with repo based option when available --- .pre-commit-config.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0810309..3a798f0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -68,17 +68,17 @@ repos: - id: go-lint - id: go-critic # StaticCheck - - id: go-staticcheck-mod + - id: go-staticcheck-repo-mod # Go Build - - id: go-build-mod + - id: go-build-repo-mod # Go Mod Tidy - - id: go-mod-tidy + - id: go-mod-tidy-repo # Go Test - - id: go-test-mod + - id: go-test-repo-mod # Go Vet - - id: go-vet + - id: go-vet-repo-mod # GoSec - - id: go-sec-mod + - id: go-sec-repo-mod # Shell script hooks - repo: https://github.com/cisagov/pre-commit-shfmt From 7f372e63ac7875b3fb8d25dd094f7b9183e6e42e Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 7 Jun 2023 11:11:13 -0400 Subject: [PATCH 056/383] Remove the go-lint hook from the pre-commit configuration The golang/lint tool was archived on May 9th, 2021 and based on golang/go#38968 no future work is planned. Coupled with the fact that it is not available from brew we are removing this hook as local development may be hindered by trying to satisfy running this hook. Co-authored-by: Shane Frasier Co-authored-by: dav3r --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3a798f0..4f826b1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -65,7 +65,6 @@ repos: rev: v1.0.0-rc.1 hooks: # Style Checkers - - id: go-lint - id: go-critic # StaticCheck - id: go-staticcheck-repo-mod From b8231113bac671a5d9f026fc519e9d3088eda935 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 31 May 2023 12:45:10 -0400 Subject: [PATCH 057/383] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0dabeb6..724b3e6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -31,17 +31,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.33.0 + rev: v0.34.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.0.0-alpha.6 + rev: v3.0.0-alpha.9-for-vscode hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.30.0 + rev: v1.32.0 hooks: - id: yamllint args: @@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.22.0 + rev: 0.23.1 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.2.1 + rev: v3.3.2 hooks: - id: validate_manifest @@ -88,7 +88,7 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 23.1.0 + rev: 23.3.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 @@ -102,31 +102,31 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.1.1 + rev: v1.3.0 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.3.1 + rev: v3.4.0 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible-community/ansible-lint - rev: v5.4.0 + rev: v6.17.0 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.1 + rev: v1.80.0 hooks: - id: terraform_fmt - id: terraform_validate # Docker hooks - repo: https://github.com/IamTheFij/docker-pre-commit - rev: v2.1.1 + rev: v3.0.1 hooks: - id: docker-compose-check From b770fc687a7a954d5e0cc12ae264fcda62a3355a Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 31 May 2023 12:29:10 -0400 Subject: [PATCH 058/383] Add apostrophe to Qapla --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index f526cdb..436d163 100755 --- a/setup-env +++ b/setup-env 
@@ -186,5 +186,5 @@ else: END_OF_LINE )" -# Qapla +# Qapla' echo "Success!" From 24a0008be136a946c2d742542ddb78dceb128073 Mon Sep 17 00:00:00 2001 From: arcsector <26469747+arcsector@users.noreply.github.com> Date: Wed, 17 May 2023 16:01:54 -0700 Subject: [PATCH 059/383] detecting virtualenv installation successfully --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 436d163..129102f 100755 --- a/setup-env +++ b/setup-env @@ -65,7 +65,7 @@ done eval set -- "$PARAMS" # Check to see if pyenv is installed -if [ -z "$(command -v pyenv)" ] || [ -z "$(command -v pyenv-virtualenv)" ]; then +if [ -z "$(command -v pyenv)" ] || { [ -z "$(command -v pyenv-virtualenv)" ] && [ ! -f "$(pyenv root)/plugins/pyenv-virtualenv/bin/pyenv-virtualenv" ] ; }; then echo "pyenv and pyenv-virtualenv are required." if [[ "$OSTYPE" == "darwin"* ]]; then cat << 'END_OF_LINE' From f01965a1e56c2a6743eec95e9daa724037e7699d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 19 May 2023 11:46:28 -0400 Subject: [PATCH 060/383] Whitespace change to make shfmt linter happy --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 129102f..77926bf 100755 --- a/setup-env +++ b/setup-env @@ -65,7 +65,7 @@ done eval set -- "$PARAMS" # Check to see if pyenv is installed -if [ -z "$(command -v pyenv)" ] || { [ -z "$(command -v pyenv-virtualenv)" ] && [ ! -f "$(pyenv root)/plugins/pyenv-virtualenv/bin/pyenv-virtualenv" ] ; }; then +if [ -z "$(command -v pyenv)" ] || { [ -z "$(command -v pyenv-virtualenv)" ] && [ ! -f "$(pyenv root)/plugins/pyenv-virtualenv/bin/pyenv-virtualenv" ]; }; then echo "pyenv and pyenv-virtualenv are required." if [[ "$OSTYPE" == "darwin"* ]]; then cat << 'END_OF_LINE' From 43d588fe56c9522535bc341a4664569be798c6c4 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Tue, 25 Apr 2023 09:17:14 -0400 Subject: [PATCH 061/383] Fix two broken links Resolves cisagov/skeleton-generic#131. --- .ansible-lint | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 0e80b05..4ffc0ef 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,10 +1,9 @@ --- -# See https://ansible-lint.readthedocs.io/en/latest/configuring.html -# for a list of the configuration elements that can exist in this -# file. +# See https://ansible-lint.readthedocs.io/configuring/ for a list of +# the configuration elements that can exist in this file. enable_list: # Useful checks that one must opt-into. See here for more details: - # https://ansible-lint.readthedocs.io/en/latest/rules.html + # https://ansible-lint.readthedocs.io/rules/ - fcqn-builtins - no-log-password - no-same-owner From e0982552895542bd267696744548aeba18fee2d5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 31 May 2023 13:39:14 -0400 Subject: [PATCH 062/383] Disable caching for the setup-go Action The cache key used relies on the existence of a go.sum file. Since we have no expectation for Go source code, including that file, and since we already include the Go cache in our job caching, we can safely disable caching in the Action. --- .github/workflows/build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bdd8c98..4351bd2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -29,6 +29,9 @@ jobs: - id: setup-go uses: actions/setup-go@v4 with: + # There is no expectation for actual Go code so we disable caching as + # it relies on the existence of a go.sum file. + cache: false go-version: "1.19" - name: Lookup Go cache directory id: go-cache From edf133832040ef12c407b0772c40f18f64076eb8 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 31 May 2023 13:41:03 -0400 Subject: [PATCH 063/383] Bump Go from 1.19 to 1.20 Bump the version of Go used in our GitHub Actions configuration to the latest stable Go release. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4351bd2..c992e8e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -32,7 +32,7 @@ jobs: # There is no expectation for actual Go code so we disable caching as # it relies on the existence of a go.sum file. cache: false - go-version: "1.19" + go-version: "1.20" - name: Lookup Go cache directory id: go-cache run: | From 4cb9a4b5863abc317de4daa8fa72487ac930c3d0 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 10 Jul 2023 12:52:36 -0400 Subject: [PATCH 064/383] Add steps to setup go packages for pre-commit --- .github/workflows/build.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c992e8e..f07c640 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -33,6 +33,22 @@ jobs: # it relies on the existence of a go.sum file. cache: false go-version: "1.20" + - id: setup-go-critic + run: go install -v github.com/go-critic/go-critic/cmd/gocritic@latest + - id: setup staticheck + uses: actions/checkout@v2 + with: + fetch-depth: 1 + - name: Run staticcheck + uses: dominikh/staticcheck-action@v1.3.0 + with: + version: "2022.1.3" + - id: setup-go-sec + uses: actions/checkout@v3 + env: + GO111MODULE: on + - name: Run Gosec Security Scanner + uses: securego/gosec@master - name: Lookup Go cache directory id: go-cache run: | From 53f56b01103783ba2d71c7ad64dc5c4c390c8388 Mon Sep 17 00:00:00 2001 
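Review bot: `uses: securego/gosec@master` in the new "Run Gosec Security Scanner" step tracks a third-party default branch, so every run of this job executes whatever that branch currently holds, inside a workspace where `actions/checkout` has (by default) persisted the job's token; pin it to a release tag or, preferably, a full commit SHA, e.g. `uses: securego/gosec@<commit-sha> # <release tag>`. `go install ...gocritic@latest` floats in the same way and should name a version. Separately, `id: setup staticheck` contains a space, which the workflow parser rejects as a step identifier (ids may only contain alphanumerics, `_` and `-`), and the two added `actions/checkout` steps re-clone a repository the job already checks out earlier in `steps:` (the `GO111MODULE: on` env on a checkout step has no effect). The enclosing `steps:` list starts and ends outside the hunk.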
From: Jason Odoom Date: Mon, 10 Jul 2023 18:01:24 -0400 Subject: [PATCH 065/383] Update action/checkout to use same version --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f07c640..4731169 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -36,7 +36,7 @@ jobs: - id: setup-go-critic run: go install -v github.com/go-critic/go-critic/cmd/gocritic@latest - id: setup staticheck - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 1 - name: Run staticcheck From f2610994eacc942a8b4a3771c0c0d8d69fb286c1 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 10 Jul 2023 18:17:46 -0400 Subject: [PATCH 066/383] Set specific gocritic version --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4731169..cfbc847 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,7 +34,7 @@ jobs: cache: false go-version: "1.20" - id: setup-go-critic - run: go install -v github.com/go-critic/go-critic/cmd/gocritic@latest + run: go install -v github.com/go-critic/go-critic/cmd/gocritic@0.8.1 - id: setup staticheck uses: actions/checkout@v3 with: From 097b573a1eba564d2aeb260f676f01776ff10aba Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 10 Jul 2023 19:34:48 -0400 Subject: [PATCH 067/383] Update build workflow with package installtion --- .github/workflows/build.yml | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cfbc847..3cab3fb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -33,22 +33,6 @@ jobs: # it relies on the existence of a go.sum file. cache: false go-version: "1.20" - - id: setup-go-critic - run: go install -v github.com/go-critic/go-critic/cmd/gocritic@0.8.1 - - id: setup staticheck - uses: actions/checkout@v3 - with: - fetch-depth: 1 - - name: Run staticcheck - uses: dominikh/staticcheck-action@v1.3.0 - with: - version: "2022.1.3" - - id: setup-go-sec - uses: actions/checkout@v3 - env: - GO111MODULE: on - - name: Run Gosec Security Scanner - uses: securego/gosec@master - name: Lookup Go cache directory id: go-cache run: | @@ -80,6 +64,16 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} + - name: Install GoCritic + env: + PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install GoSec + env: + PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec + PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Packer env: PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} @@ -101,6 +95,11 @@ jobs: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install Staticcheck + env: + PACKAGE_URL: dominikh/staticcheck-action + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Terraform-docs env: PACKAGE_URL: github.com/terraform-docs/terraform-docs From 254282a5f9c5c55c2e95459f929e41a1d85e9ae2 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Tue, 11 Jul 2023 15:06:07 -0400 Subject: [PATCH 068/383] Group go tools together with comment --- .github/workflows/build.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
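Review bot: `PACKAGE_URL: dominikh/staticcheck-action` in the new "Install Staticcheck" step is the path of a GitHub Action repository, not a Go module, so `go install dominikh/staticcheck-action@…` fails with a malformed-module-path error (the first element of a module path must contain a dot) and the step can never succeed. staticcheck's command lives in the `honnef.co/go/tools` module, so the line should read `PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck`, matching the `go install` pattern the neighbouring shfmt and terraform-docs steps use. It is also worth confirming that `cisagov/setup-env-github-action` exposes an output named `go-staticcheck-version`; an unset output expands to an empty string and `go install …@` then fails at the tool rather than at the workflow. The `steps:` list continues on both sides of the hunk.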
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3cab3fb..a3c90ea 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -64,6 +64,7 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} + # Install GoCrtitic, GoSec and Staticcheck Go tools - name: Install GoCritic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic @@ -74,6 +75,11 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install Staticcheck + env: + PACKAGE_URL: dominikh/staticcheck-action + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Packer env: PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} @@ -95,11 +101,6 @@ jobs: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install Staticcheck - env: - PACKAGE_URL: dominikh/staticcheck-action - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Terraform-docs env: PACKAGE_URL: github.com/terraform-docs/terraform-docs From ecf329956ac7e2428e2226e2ac0c9c3c0cea94bf Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Tue, 11 Jul 2023 16:38:13 -0400 Subject: [PATCH 069/383] Update staticcheck id Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a3c90ea..f54946c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -78,7 +78,7 @@ jobs: - name: Install Staticcheck env: PACKAGE_URL: dominikh/staticcheck-action - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} + PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Packer env: From 1eaedf57d23227522f0f302e6055ded6eb888a7a Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Tue, 11 Jul 2023 16:40:06 -0400 Subject: [PATCH 070/383] Update tool names to match author stylization Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f54946c..db696ad 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -64,8 +64,8 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - # Install GoCrtitic, GoSec and Staticcheck Go tools - - name: Install GoCritic + # Install go-critic, GoSec and staticcheck Go tools + - name: Install go-critic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} From fd04757b3339ed91a085e3028b2b88f9bf60e080 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Tue, 11 Jul 2023 16:42:09 -0400 Subject: [PATCH 071/383] Update statcicheck stylization Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index db696ad..fee1ebe 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -75,7 +75,7 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install Staticcheck + - name: Install staticcheck env: PACKAGE_URL: dominikh/staticcheck-action PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} From ddbf6f7f6c7cb928ce9bc22f1ae3b1796f0602e7 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 12 Jul 2023 09:09:32 -0400 Subject: [PATCH 072/383] Temporarily use a different branch of cisagov/setup-env-github-action This is being done for testing purposes, and this commit can be reverted (or removed) once cisagov/setup-env-github-action#65 is merged. --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fee1ebe..b7c0910 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - id: setup-env - uses: cisagov/setup-env-github-action@develop + uses: cisagov/setup-env-github-action@add-go-actions-for-go-skeleton - uses: actions/checkout@v3 - id: setup-python uses: actions/setup-python@v4 
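Review bot: `uses: cisagov/setup-env-github-action@add-go-actions-for-go-skeleton` points the job's first step at a mutable feature branch, and because every later tool pin in this workflow is read from that step's outputs, the entire installed toolchain now follows whatever is pushed there. The commit message says this is temporary, so the practical ask is to make the revert hard to miss, e.g. `# TODO: revert to @develop once cisagov/setup-env-github-action#65 is merged` above the `uses:` line, and to keep the change off any release branch. Note that `@develop` is itself a moving reference; if reproducible runs ever matter here, a tag or commit SHA is the only stable choice. The `steps:` list starts and ends outside the hunk.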
@@ -64,18 +64,18 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - # Install go-critic, GoSec and staticcheck Go tools + # Install go-critic, GoSec and staticcheck Go tools - name: Install go-critic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install GoSec + - name: Install GoSec env: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install staticcheck + - name: Install staticcheck env: PACKAGE_URL: dominikh/staticcheck-action PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} From a8af336b975def35f947694d61828ab633d8bc6d Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 12 Jul 2023 10:11:28 -0400 Subject: [PATCH 073/383] Move go packages install to separate section --- .github/workflows/build.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b7c0910..4f0b8cd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -64,22 +64,6 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - # Install go-critic, GoSec and staticcheck Go tools - - name: Install go-critic - env: - PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install GoSec - env: - PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec - PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install staticcheck - env: - PACKAGE_URL: dominikh/staticcheck-action - PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Packer env: PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} @@ -96,6 +80,22 @@ jobs: - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} + # Begin Go packages install below + - name: Install GoCritic + env: + PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install GoSec + env: + PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec + PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install Staticcheck + env: + PACKAGE_URL: dominikh/staticcheck-action + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install shfmt env: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt From 1675b127e5ba645e36726d3f1858a974e7612998 Mon Sep 17 00:00:00 2001 
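Review bot: The relocated "Install Staticcheck" step in the second hunk is not a verbatim move of the lines the first hunk removes: it reverts `PACKAGE_VERSION` from `steps.setup-env.outputs.staticcheck-version` back to `go-staticcheck-version` and drops the `go-critic`/`staticcheck` step names the preceding commits introduced, which suggests the block was pasted from an earlier revision. Carry the removed lines across unchanged — `PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}` — or the earlier rename is silently undone. `PACKAGE_URL: dominikh/staticcheck-action` also survives the move; it is a GitHub Action repository path, not a Go module path, and `go install` rejects it as malformed, so that step cannot succeed regardless of the version output. Both hunks sit inside the `steps:` list, whose start and end are outside them.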
From: Jason Odoom Date: Wed, 12 Jul 2023 16:52:32 -0400 Subject: [PATCH 074/383] Update go-critic name Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4f0b8cd..faafd2f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -81,7 +81,7 @@ jobs: with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} # Begin Go packages install below - - name: Install GoCritic + - name: Install go-critic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} From c6ab22ea25d5608ab794542c96139bd5d65dac47 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 12 Jul 2023 16:52:50 -0400 Subject: [PATCH 075/383] Update staticcheck name Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index faafd2f..a799374 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -91,7 +91,7 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install Staticcheck + - name: Install staticcheck env: PACKAGE_URL: dominikh/staticcheck-action PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} From 29de03457f4ec4092d0dd98465d18a83a2193719 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Thu, 13 Jul 2023 10:05:20 -0400 Subject: [PATCH 076/383] Use the correct repo name for the ansible-lint pre-commit hook The repo name we were using redirects to the correct place, but we may as well cut out the middle man. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6b87032..9dc41ff 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -130,7 +130,7 @@ repos: - id: pyupgrade # Ansible hooks - - repo: https://github.com/ansible-community/ansible-lint + - repo: https://github.com/ansible/ansible-lint rev: v6.17.0 hooks: - id: ansible-lint From 1e7cb4f721542b260680ee51d4cd75126da0a979 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 12 Jul 2023 16:53:34 -0400 Subject: [PATCH 077/383] Correct staticcheck reference to setup-env, sort alphabetically and correct staticcheck package URL Co-Authored By: @mcdonnnj --- .github/workflows/build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a799374..7435881 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -91,16 +91,16 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install staticcheck - env: - PACKAGE_URL: dominikh/staticcheck-action - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install shfmt env: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install staticcheck + env: + PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck + PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Terraform-docs env: PACKAGE_URL: github.com/terraform-docs/terraform-docs From 5f3bc132490dcdfcc7431133ed38c293eeeffaf5 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Thu, 13 Jul 2023 11:03:03 -0400 Subject: [PATCH 078/383] Remove Go section coment Co-authored-by: Shane Frasier --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7435881..00c5cdf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -80,7 +80,6 @@ jobs: - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - # Begin Go packages install below - name: Install go-critic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic From d31182550a11db54cff212171bb9cc0dac8bb636 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 13 Jul 2023 22:30:33 -0400 Subject: [PATCH 079/383] Remove unnecessary quotes in the dependabot configuration We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. --- .github/dependabot.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fef57f5..60f04c0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,10 +7,10 @@ version: 2 updates: - - package-ecosystem: "github-actions" - directory: "/" + - package-ecosystem: github-actions + directory: / schedule: - interval: "weekly" + interval: weekly # ignore: # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache @@ -20,12 +20,12 @@ updates: # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate - - package-ecosystem: "pip" - directory: "/" + - package-ecosystem: pip + directory: / schedule: - interval: "weekly" + interval: weekly - - package-ecosystem: "terraform" - directory: "/" + - package-ecosystem: terraform + directory: / schedule: - interval: "weekly" + interval: weekly From 2294d4970596551c7c2c794b869d186dcda49921 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 13 Jul 2023 22:41:38 -0400 Subject: [PATCH 080/383] Sort the keys in the Dependabot configuration Our standard practice for YAML files is to sort keys alphabetically. --- .github/dependabot.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 60f04c0..da2c02c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -5,12 +5,8 @@ # these updates when the pull request(s) in the appropriate skeleton are merged # and Lineage processes these changes. -version: 2 updates: - - package-ecosystem: github-actions - directory: / - schedule: - interval: weekly + - directory: / # ignore: # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache @@ -19,13 +15,17 @@ updates: # - dependency-name: actions/setup-python # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate + package-ecosystem: github-actions + schedule: + interval: weekly - - package-ecosystem: pip - directory: / + - directory: / + package-ecosystem: pip schedule: interval: weekly - - package-ecosystem: terraform - directory: / + - directory: / + package-ecosystem: terraform schedule: interval: weekly +version: 2 From e678502adb77650dbd722134c469f20b5b46d32d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 18 Jul 2023 15:06:13 -0400 Subject: [PATCH 081/383] Delete duplicate word "are" Co-authored-by: David Harris --- .bandit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.bandit.yml b/.bandit.yml index 8ba42d1..ab3cb21 100644 --- a/.bandit.yml +++ b/.bandit.yml @@ -3,7 +3,7 @@ # https://bandit.readthedocs.io/en/latest/config.html # Tests are first included by `tests`, and then excluded by `skips`. -# If `tests` is empty, all tests are are considered included. +# If `tests` is empty, all tests are considered included. tests: # - B101 From 948ebdeee11f77759311f85d256f19b5c4d7204d Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 16 Aug 2023 10:20:21 -0400 Subject: [PATCH 082/383] Fix gosec stylization Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 00c5cdf..ec15b7d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -85,7 +85,7 @@ jobs: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install GoSec + - name: Install gosec env: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} From 98d3d3f6914b4601cf9d194ed7d750224a4fb401 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 22 Aug 2023 10:18:25 -0400 Subject: [PATCH 083/383] Revert "Temporarily use a different branch of cisagov/setup-env-github-action" This reverts commit ddbf6f7f6c7cb928ce9bc22f1ae3b1796f0602e7. This can be done now that cisagov/setup-env-github-action#65 has been merged. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ec15b7d..34c3c6c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - id: setup-env - uses: cisagov/setup-env-github-action@add-go-actions-for-go-skeleton + uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v3 - id: setup-python uses: actions/setup-python@v4 From 82db36a453deda26c99ee231879486b9e2d9ac1a Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 28 Aug 2023 11:06:36 -0400 Subject: [PATCH 084/383] Add nixfmt pre-commit hook --- .pre-commit-config.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6b87032..e7262f6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -79,6 +79,12 @@ repos: # GoSec - id: go-sec-repo-mod + # Nix hooks + - repo: https://github.com/nix-community/nixpkgs-fmt + rev: v1.3.0 + hooks: + - id: nixpkgs-fmt + # Shell script hooks - repo: https://github.com/cisagov/pre-commit-shfmt rev: v0.0.2 From c0b5d5bb6cb644bf85171a8f5c89dfc3c770662f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Sep 2023 18:19:17 +0000 Subject: [PATCH 085/383] Bump actions/checkout from 3 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c992e8e..3b38f76 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,7 +19,7 @@ jobs: steps: - id: setup-env uses: cisagov/setup-env-github-action@develop - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index ae7c091..b6f2024 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -19,7 +19,7 @@ jobs: issues: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Sync repository labels if: success() uses: crazy-max/ghaction-github-labeler@v4 From b04654e922ec4eef978022b67374a2ab3cffab4c Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 11 Sep 2023 01:57:49 -0400 Subject: [PATCH 086/383] Bump crazy-max/ghaction-github-labeler from 4 to 5 --- .github/workflows/sync-labels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index ae7c091..1c107e4 100644 
--- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -22,7 +22,7 @@ jobs: - uses: actions/checkout@v3 - name: Sync repository labels if: success() - uses: crazy-max/ghaction-github-labeler@v4 + uses: crazy-max/ghaction-github-labeler@v5 with: # This is a hideous ternary equivalent so we only do a dry run unless # this workflow is triggered by the develop branch. From 49ac8c505181e79caefc12cfc2f8e906c1e88ab2 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 11 Sep 2023 01:59:09 -0400 Subject: [PATCH 087/383] Update the dependabot ignore configuration Add crazy-max/ghaction-github-labeler as a commented out dependency to ignore in the dependabot configuration file. This should be enabled in downstream projects to consolidate updating this Action to the cisagov/skeleton-generic repository. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fef57f5..e1f2f34 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -17,6 +17,7 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate From 94d753d10d8106be1e4634bac6a27c0fbfb51c40 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 3 Aug 2023 19:10:29 -0400 Subject: [PATCH 088/383] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5b7035..dad86ae 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -31,13 +31,13 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.34.0 + rev: v0.36.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.0.0-alpha.9-for-vscode + rev: v3.0.3 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint @@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.23.1 + rev: 0.26.3 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.3.2 + rev: v3.4.0 hooks: - id: validate_manifest @@ -113,11 +113,11 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 23.3.0 + rev: 23.9.1 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 6.0.0 + rev: 6.1.0 hooks: - id: flake8 additional_dependencies: @@ -127,24 +127,24 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.3.0 + rev: v1.5.1 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.4.0 + rev: v3.10.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v6.17.0 + rev: v6.19.0 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.80.0 + rev: v1.83.2 hooks: - id: terraform_fmt - id: terraform_validate From 1bc2056836e544c813d944150932075bb7251e33 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 11 Sep 2023 17:50:36 -0400 Subject: [PATCH 089/383] Switch to the pre-commit mirror for black This mirror was created to leverage performance optimizations from mypyc wheels that are available if black is installed from PyPI. These wheels are not available if black is installed from source as it would be using the old URL. Please see psf/black#3828 and psf/black#3405 for more information. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index dad86ae..34f0253 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -112,7 +112,7 @@ repos: - id: bandit args: - --config=.bandit.yml - - repo: https://github.com/psf/black + - repo: https://github.com/psf/black-pre-commit-mirror rev: 23.9.1 hooks: - id: black From a62ebe79e749b4e66b1f2122b3f866fd6ab8c23e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 29 Aug 2023 17:10:03 -0400 Subject: [PATCH 090/383] Add the crazy-max/ghaction-github-status GitHub action This action is added in a separate "diagnostics" job. As configured it will never fail, but it will print out the status of the various GitHub components. This information will sometimes be useful when determining why builds fail after the fact. Co-authored-by: Mark Feldhousen Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9ab2270..2fdd39d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -14,6 +14,7 @@ updates: # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python # - dependency-name: crazy-max/ghaction-github-labeler + # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate package-ecosystem: github-actions diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c08880f..9382c48 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -14,6 +14,12 @@ env: RUN_TMATE: ${{ secrets.RUN_TMATE }} jobs: + diagnostics: + runs-on: ubuntu-latest + steps: + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v3 lint: runs-on: ubuntu-latest steps: From 3619c455e6bb559ed74f7f320026badcaa603ad9 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 09:48:01 -0400 Subject: [PATCH 091/383] Make the lint job depend on the diagnostics job Even though the diagnostics job is not currently configured to fail due to the GitHub status, it is still true that if the job is unable to run that does not bode well for the lint job's successful execution. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9382c48..1049da9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,6 +21,8 @@ jobs: name: Check GitHub status uses: crazy-max/ghaction-github-status@v3 lint: + needs: + - diagnostics runs-on: ubuntu-latest steps: - id: setup-env From f4370660795e7d97f3e5ef0d582ed5754b2c267f Mon Sep 17 00:00:00 2001 
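Review bot: The new `diagnostics` job in build.yml references `crazy-max/ghaction-github-status@v3` by a mutable major-version tag, so the code that runs on the runner can change without any change to this file; pinning to a full commit SHA with the tag kept as a trailing comment (`uses: crazy-max/ghaction-github-status@<full-commit-sha>  # v3`) would make the dependency reproducible and reviewable, and the same applies to the `dump-context`, `harden-runner` and `github-status` steps added in the later hunks on this page. The job also declares no `permissions:` block, so the token scope it receives depends on the workflow-level or repository default, which is outside this hunk; since the only step queries public GitHub status, `permissions: {}` on the job would document that it needs none. The enclosing `jobs:` mapping continues outside the hunk.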
From: Jeremy Frasier Date: Wed, 30 Aug 2023 10:35:45 -0400 Subject: [PATCH 092/383] Add a GH Action to dump the context This can be useful when debugging why a GH Action failed. Co-authored-by: felddy --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2fdd39d..dbb9b73 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,6 +13,7 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-terraform diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1049da9..346fd81 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -20,6 +20,9 @@ jobs: - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v3 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 lint: needs: - diagnostics From c5e56a21c70e033b2093355b630dd172f85614f2 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 10:36:31 -0400 Subject: [PATCH 093/383] Give the diagnostics job a descriptive name --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 346fd81..53c76f7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,6 +15,7 @@ env: jobs: diagnostics: + name: Run diagnostics runs-on: ubuntu-latest steps: - id: github-status From 9afb516c20153c850088cfcc8318d7df3e68da92 Mon Sep 17 00:00:00 2001 
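Review bot: The `Dump context` step added to the build.yml diagnostics job presumably prints the workflow contexts to the job log, and the `github` context carries `github.token`; the runner masks registered secrets, but structured or multi-line dumps are where masking is most often bypassed, so it is worth confirming that the action redacts the token before relying on it in a public repository. If the dump also includes the `env` context, the workflow-level `RUN_TMATE` value, which the earlier hunk shows is sourced from a secret, is another value to check for in the output. A comment on the step would record that review: `# Prints workflow contexts to the log; verified that no secret-derived values are emitted.`. The rest of the `diagnostics` job and the `jobs:` mapping continue outside the hunk.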
From: Jeremy Frasier Date: Wed, 30 Aug 2023 10:47:40 -0400 Subject: [PATCH 094/383] Add the step-security/harden-runner GH Action This GH Action is being configured to run in audit mode. It should warn us if an Action is reaching out to an unexpected web address, overwriting source code, etc. Co-authored-by: felddy --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index dbb9b73..17220c6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -18,6 +18,7 @@ updates: # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate + # - dependency-name: step-security/harden-runner package-ecosystem: github-actions schedule: interval: weekly diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 53c76f7..2fda8f7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,11 @@ jobs: name: Run diagnostics runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v3 From 9dc773cae76fcb144a8fde5b26118e915dea1a03 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 12:44:35 -0400 Subject: [PATCH 095/383] Add a harden-runner task to the lint job as well This task can only provide coverage for the job that contains it. --- .github/workflows/build.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2fda8f7..3fbeff2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
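Review bot: `egress-policy: audit` on the new `harden-runner` step only records outbound connections and file changes; it blocks nothing, so the protection the commit message describes is detective rather than preventive until the policy is switched to `block` with an `allowed-endpoints` list derived from the audit output. The same applies to every copy of this step added later on this page (the lint job in the next hunk, sync-labels.yml, the test/coveralls-finish/build/test-build jobs and codeql-analysis.yml). A comment above the policy line would keep that intent visible: `# audit only logs egress; switch to block with allowed-endpoints once the baseline is known`. Placing the step first in the job, as the hunk does, is what lets it observe the steps that follow.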
@@ -34,6 +34,11 @@ jobs: - diagnostics runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From bb81ec3a0418359c28fc495524959f9f897557b8 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 15:15:16 -0400 Subject: [PATCH 096/383] Add a reminder We need a reminder add the step-security/harden-runner action at the top of every job. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3fbeff2..e7b75a4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,8 @@ jobs: name: Run diagnostics runs-on: ubuntu-latest steps: + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 From b5e5c11bcd63fcf556d31e3753eb7b84e0a85e3e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Sep 2023 02:01:21 +0000 Subject: [PATCH 097/383] Bump crazy-max/ghaction-github-status from 3 to 4 Bumps [crazy-max/ghaction-github-status](https://github.com/crazy-max/ghaction-github-status) from 3 to 4. - [Release notes](https://github.com/crazy-max/ghaction-github-status/releases) - [Commits](https://github.com/crazy-max/ghaction-github-status/compare/v3...v4) --- updated-dependencies: - dependency-name: crazy-max/ghaction-github-status dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7b75a4..894bb58 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,7 @@ jobs: egress-policy: audit - id: github-status name: Check GitHub status - uses: crazy-max/ghaction-github-status@v3 + uses: crazy-max/ghaction-github-status@v4 - id: dump-context name: Dump context uses: crazy-max/ghaction-dump-context@v2 From 371179ef14354df4d00d7f961754ddb86c30929b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 13 Sep 2023 12:48:59 -0400 Subject: [PATCH 098/383] Add a diagnostics job for the label syncing workflow Also add a runner hardening task to the labeler job. --- .github/workflows/sync-labels.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 44e8e19..5a20438 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -11,7 +11,26 @@ permissions: contents: read jobs: + diagnostics: + name: Run diagnostics + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v3 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 labeler: + needs: + - diagnostics permissions: # actions/checkout needs this to fetch code contents: read @@ -19,6 +38,11 @@ jobs: issues: write runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - uses: actions/checkout@v4 - name: Sync repository labels if: success() From 8a9d14984a45e2e6e4b8abd841af7dc67a38e43d Mon Sep 17 00:00:00 2001 
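Review bot: The `diagnostics` job added to sync-labels.yml uses `crazy-max/ghaction-github-status@v3`, while the preceding commit bumps the same action to `@v4` in build.yml, so the two workflows now run different major versions of one dependency; the codeql-analysis.yml copy of this job added later on this page carries the same `@v3`. Because the next dependabot change moves `crazy-max/ghaction-github-status` onto the ignore list, Dependabot will not close that gap in this repository, so the line should read `uses: crazy-max/ghaction-github-status@v4` when it is added. The `labeler` job's remaining steps continue outside the hunk.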
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 15:07:29 -0400 Subject: [PATCH 099/383] Enable dependabot ignore directives Enable the new dependabot ignore directives that were added in cisagov/skeleton-generic. --- .github/dependabot.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 859c215..4ae51fc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,12 +13,12 @@ updates: - dependency-name: actions/checkout - dependency-name: actions/setup-go - dependency-name: actions/setup-python - # - dependency-name: crazy-max/ghaction-dump-context - # - dependency-name: crazy-max/ghaction-github-labeler - # - dependency-name: crazy-max/ghaction-github-status + - dependency-name: crazy-max/ghaction-dump-context + - dependency-name: crazy-max/ghaction-github-labeler + - dependency-name: crazy-max/ghaction-github-status - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate - # - dependency-name: step-security/harden-runner + - dependency-name: step-security/harden-runner # # Managed by cisagov/skeleton-python-library # - dependency-name: actions/download-artifact # - dependency-name: actions/upload-artifact From 7f3d8441ccfc791a782cba63ed0adb11a0e121f6 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 15:08:02 -0400 Subject: [PATCH 100/383] Bump actions/checkout from 3 to 4 This updates the remaining declarations to match what was pulled down from cisagov/skeleton-generic. --- .github/workflows/build.yml | 8 ++++---- .github/workflows/codeql-analysis.yml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b843fee..eb46061 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -162,7 +162,7 @@ jobs: - os: ubuntu-20.04 python-version: "3.6" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: @@ -206,7 +206,7 @@ jobs: needs: - test steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: @@ -258,7 +258,7 @@ jobs: - os: ubuntu-20.04 python-version: "3.6" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: @@ -311,7 +311,7 @@ jobs: - os: ubuntu-20.04 python-version: "3.6" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 5e344d1..cfcd518 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From 465a5a59a90f285ab593eb09949b25be2132ceca Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 15:09:30 -0400 Subject: [PATCH 101/383] Update job dependencies for the build.yml workflow Ensure the `diagnostics` job is a dependency for the other jobs. This aligns with what was done to the `lint` job in cisagov/skeleton-generic. --- .github/workflows/build.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index eb46061..f102b0b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -146,6 +146,8 @@ jobs: if: env.RUN_TMATE test: name: test source - py${{ matrix.python-version }} + needs: + - diagnostics runs-on: ${{ matrix.os }} strategy: fail-fast: false 
@@ -204,6 +206,7 @@ jobs: coveralls-finish: runs-on: ubuntu-latest needs: + - diagnostics - test steps: - uses: actions/checkout@v4 @@ -240,6 +243,7 @@ jobs: build: name: build wheel - py${{ matrix.python-version }} needs: + - diagnostics - lint - test runs-on: ${{ matrix.os }} @@ -294,6 +298,7 @@ jobs: test-build: name: test built wheel - py${{ matrix.python-version }} needs: + - diagnostics - build runs-on: ${{ matrix.os }} strategy: From 41cbf1ed8a5f53411d18f2379464c0d9636a29aa Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 15:12:14 -0400 Subject: [PATCH 102/383] Add runner hardening to all jobs in our workflows This aligns with what was done to the `lint` job of the build.yml workflow that was inherited from cisagov/skeleton-generic. --- .github/workflows/build.yml | 20 ++++++++++++++++++++ .github/workflows/codeql-analysis.yml | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f102b0b..de3ff16 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -164,6 +164,11 @@ jobs: - os: ubuntu-20.04 python-version: "3.6" steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 @@ -209,6 +214,11 @@ jobs: - diagnostics - test steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 @@ -262,6 +272,11 @@ jobs: - os: ubuntu-20.04 python-version: "3.6" steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 
@@ -316,6 +331,11 @@ jobs: - os: ubuntu-20.04 python-version: "3.6" steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index cfcd518..44de6a1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -37,6 +37,12 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@v4 From 12908198b5b9f637595479114d82d7711e0bccd2 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 15:13:00 -0400 Subject: [PATCH 103/383] Bump the bandit hook from 1.7.4 to 1.7.5 This bumps the second bandit hook that is used in this project lineage. Since this hook does not exist in the configuration from cisagov/skeleton-generic we must update it here. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 10b9ecf..1cb6150 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -117,7 +117,7 @@ repos: - --config=.bandit.yml # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit - rev: 1.7.4 + rev: 1.7.5 hooks: - id: bandit name: bandit (everything else) From aca5662780f00152a38d1818f55ae3fbc9f0d82f Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 16:37:30 -0400 Subject: [PATCH 104/383] Remove unnecessary quotes in the codeql-analysis.yml workflow We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic. --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 44de6a1..b62120a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -4,7 +4,7 @@ # # You may wish to alter this file to override the set of languages analyzed, # or to provide custom queries or build logic. -name: "CodeQL" +name: CodeQL on: push: From 1f611fc67710100e3e6efeb395d67b82e3f52eaa Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 14 Sep 2023 15:45:17 -0400 Subject: [PATCH 105/383] Make the dev team the owners of the linter configuration files Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/CODEOWNERS | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 8f5c8c5..a22502d 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -8,3 +8,12 @@ # These folks own any files in the .github directory at the root of # the repository and any of its subdirectories. /.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj + +# These folks own all linting configuration files. +/.*.cfg @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.*.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.*.yml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.ansible-lint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.flake8 @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.prettierignore @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.yamllint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj From c356768305b027d915db7ef7be1126ee687757ad Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 14 Sep 2023 15:59:22 -0400 Subject: [PATCH 106/383] Make dev team members the codeowners of the requirements*.txt and setup-env files Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/CODEOWNERS | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index a22502d..b4e689e 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -17,3 +17,5 @@ /.flake8 @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj /.prettierignore @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj /.yamllint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/requirements*.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/setup-env @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj From 0195005cccab3e087ec8353c5049ea633d252835 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Fri, 15 Sep 2023 10:26:45 -0400 Subject: [PATCH 107/383] Explicitly list the linter config files the dev team should own @mcdonnnj correctly pointed out that other projects add their own configuration files that match, e.g., the /.*.yaml pattern. We want to ensure that we only own the linter configuration files from the skeleton. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/CODEOWNERS | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index b4e689e..229920c 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -10,12 +10,15 @@ /.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj # These folks own all linting configuration files. -/.*.cfg @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.*.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.*.yml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj /.ansible-lint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.bandit.yml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj /.flake8 @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.isort.cfg @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.mdl_config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.pre-commit-config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj /.prettierignore @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj /.yamllint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/requirements*.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/requirements.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/requirements-dev.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/requirements-test.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj /setup-env @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj From 05412001d8ae6487b077adc804e28708ca5f6a1d Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Wed, 11 Oct 2023 16:24:42 -0400 Subject: [PATCH 108/383] Add a diagnostics job to the CodeQL workflow It's good to agree everywhere with the changes we made to the build.yml workflow in cisagov/skeleton-generic#144. --- .github/workflows/codeql-analysis.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 5e344d1..139f7c0 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,8 +20,27 @@ on: - cron: '0 14 * * 6' jobs: + diagnostics: + name: Run diagnostics + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v3 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 analyze: name: Analyze + needs: + - diagnostics runs-on: ubuntu-latest permissions: # required for all workflows @@ -37,6 +56,12 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@v3 From 29d7d1c3c9a264910fbd001dc2f7feaee90e3f1f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 25 Oct 2023 14:23:53 -0400 Subject: [PATCH 109/383] Add support for Python version 3.12 in build workflow Note that these instances _will not_ be updated via the upstream pull request cisagov/skeleton-generic#154. --- .github/workflows/build.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 49781ed..6087bcd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -119,6 +119,7 @@ jobs: - "3.9" - "3.10" - "3.11" + - "3.12" include: - os: ubuntu-20.04 python-version: "3.6" @@ -215,6 +216,7 @@ jobs: - "3.9" - "3.10" - "3.11" + - "3.12" include: - os: ubuntu-20.04 python-version: "3.6" @@ -268,6 +270,7 @@ jobs: - "3.9" - "3.10" - "3.11" + - "3.12" include: - os: ubuntu-20.04 python-version: "3.6" From b768a289e1702e9e46d81ad5a59f51abe666a976 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Oct 2023 18:41:36 +0000 Subject: [PATCH 110/383] Bump hashicorp/setup-terraform from 2 to 3 Bumps [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) from 2 to 3. - [Release notes](https://github.com/hashicorp/setup-terraform/releases) - [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/setup-terraform/compare/v2...v3) --- updated-dependencies: - dependency-name: hashicorp/setup-terraform dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7b75a4..1ff72a9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -101,7 +101,7 @@ jobs: ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" sudo mv /usr/local/bin/packer /usr/local/bin/packer-default sudo ln -s /opt/packer/packer /usr/local/bin/packer - - uses: hashicorp/setup-terraform@v2 + - uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - name: Install go-critic From 9f317002ac85066adc1efa05d9c2f55275ef7d9c Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 2 Nov 2023 15:49:06 -0400 Subject: [PATCH 111/383] Prefer block style to flow style We prefer block style to flow style for sequences and mappings in YAML. --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7b75a4..9332263 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,7 +5,8 @@ on: push: pull_request: repository_dispatch: - types: [apb] + types: + - apb env: CURL_CACHE_DIR: ~/.cache/curl From 696433ae2c3b3f9f2b3613562d3889c753c7bc34 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 2 Nov 2023 15:57:37 -0400 Subject: [PATCH 112/383] Alphabetize entries in the build workflow We prefer to alphabetize mapping keys in YAML documents whenever possible. --- .github/workflows/build.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9332263..2fef5d5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -2,8 +2,8 @@ name: build on: - push: pull_request: + push: repository_dispatch: types: - apb @@ -58,8 +58,8 @@ jobs: # it relies on the existence of a go.sum file. cache: false go-version: "1.20" - - name: Lookup Go cache directory - id: go-cache + - id: go-cache + name: Lookup Go cache directory run: | echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - uses: actions/cache@v3 
@@ -70,6 +70,10 @@ jobs: packer${{ steps.setup-env.outputs.packer-version }}-\ tf${{ steps.setup-env.outputs.terraform-version }}-" with: + key: "${{ env.BASE_CACHE_KEY }}\ + ${{ hashFiles('**/requirements-test.txt') }}-\ + ${{ hashFiles('**/requirements.txt') }}-\ + ${{ hashFiles('**/.pre-commit-config.yaml') }}" # Note that the .terraform directory IS NOT included in the # cache because if we were caching, then we would need to use # the `-upgrade=true` option. This option blindly pulls down the @@ -81,10 +85,6 @@ jobs: ${{ env.PRE_COMMIT_CACHE_DIR }} ${{ env.CURL_CACHE_DIR }} ${{ steps.go-cache.outputs.dir }} - key: "${{ env.BASE_CACHE_KEY }}\ - ${{ hashFiles('**/requirements-test.txt') }}-\ - ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('**/.pre-commit-config.yaml') }}" restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache From 6503a9e7f67d908833ff5aa178a2fd28faf5e803 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 2 Nov 2023 16:00:00 -0400 Subject: [PATCH 113/383] Add a `merge_group` trigger to the build workflow This should improve compatibility with merge queues. We configure it to only trigger on the `checks_requested` type which is currently the only supported type for this trigger. If additional types are added in the future they should be added if appropriate. --- .github/workflows/build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2fef5d5..1928cb0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -2,6 +2,9 @@ name: build on: + merge_group: + types: + - checks_requested pull_request: push: repository_dispatch: From 193e799a2601d030a0dd7bb6608752a076dc5981 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Dec 2023 18:59:21 +0000 Subject: [PATCH 114/383] Bump actions/setup-go from 4 to 5 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7b75a4..f208d82 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -51,7 +51,7 @@ jobs: # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: # There is no expectation for actual Go code so we disable caching as # it relies on the existence of a go.sum file. From 5c84295bb6811bc49d3ff29de067adb2d179f879 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Dec 2023 18:59:25 +0000 Subject: [PATCH 115/383] Bump actions/setup-python from 4 to 5 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4 to 5. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7b75a4..366a16b 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -45,7 +45,7 @@ jobs: uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 - id: setup-python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: "3.11" # We need the Go version and Go cache location for the actions/cache step, From 580429a55b2c16f4d19dd317b20dd8dd55982c2f Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 19 Dec 2023 16:16:32 -0500 Subject: [PATCH 116/383] Add support for Python 3.12 to the package --- setup.py | 1 + 1 file changed, 1 insertion(+) diff --git a/setup.py b/setup.py index f417c83..7aec68b 100644 --- a/setup.py +++ b/setup.py @@ -81,6 +81,7 @@ def get_version(version_file): "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", + "Programming Language :: Python :: 3.12", "Programming Language :: Python :: Implementation :: CPython", ], python_requires=">=3.6", From 63ce46247563d606d423025f14e20ac26cc9e4c7 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 18 Dec 2023 01:31:42 -0500 Subject: [PATCH 117/383] Add new, disabled dependabot ignore directives Add the Actions that are used in the CodeQL workflow as commented out dependencies to ignore in the dependabot configuration. These will be un-commented in downstream repositories so that only cisagov/skeleton-python-library will have dependabot PRs created for these dependencies. --- .github/dependabot.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4ae51fc..c295142 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -22,6 +22,9 @@ updates: # # Managed by cisagov/skeleton-python-library # - dependency-name: actions/download-artifact # - dependency-name: actions/upload-artifact + # - dependency-name: github/codeql-action/analyze + # - dependency-name: github/codeql-action/autobuild + # - dependency-name: github/codeql-action/init package-ecosystem: github-actions schedule: interval: weekly From b550ea841a5c97450e4543bb2e4aed6b221d898d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 21:20:55 +0000 Subject: [PATCH 118/383] Bump github/codeql-action from 2 to 3 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v2...v3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 14ec38e..d097360 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -67,7 +67,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} @@ -75,7 +75,7 @@ jobs: # Java). If this step fails, then you should remove it and run the build # manually (see below). - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl 
@@ -89,4 +89,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 From 4effa910f15e36e6df5457a277f1801602a266ea Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 22 Dec 2023 10:04:38 -0500 Subject: [PATCH 119/383] Fix the dependabot ignore directive for github/codeql-action This was erroneously configured with each of the sub-Actions in the github/codeql-action repository. They are versioned as one under the github/codeql-action namespace. --- .github/dependabot.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c295142..f699134 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -22,9 +22,7 @@ updates: # # Managed by cisagov/skeleton-python-library # - dependency-name: actions/download-artifact # - dependency-name: actions/upload-artifact - # - dependency-name: github/codeql-action/analyze - # - dependency-name: github/codeql-action/autobuild - # - dependency-name: github/codeql-action/init + # - dependency-name: github/codeql-action package-ecosystem: github-actions schedule: interval: weekly From 4a63dbe91c946d74d963c103b67d4f3c0746f35c Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 18 Jan 2024 16:25:35 -0500 Subject: [PATCH 120/383] Switch pre-commit hooks for running shfmt This hook bundles the binaries for shfmt with a Python package which removes the need to manually install the tool for the hook to function. --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 34f0253..ed254a0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -86,8 +86,8 @@ repos: - id: nixpkgs-fmt # Shell script hooks - - repo: https://github.com/cisagov/pre-commit-shfmt - rev: v0.0.2 + - repo: https://github.com/scop/pre-commit-shfmt + rev: v3.7.0-4 hooks: - id: shfmt args: From 3236b1ba94d1c833dc2f9508944c6bc6e6a49f48 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 18 Jan 2024 17:43:00 -0500 Subject: [PATCH 121/383] Remove installation of shfmt in the `build` workflow The new pre-commit hook provides `shfmt` binaries so we no longer need to ensure it is installed. --- .github/workflows/build.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7b75a4..b5d46cc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -114,11 +114,6 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install shfmt - env: - PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt - PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install staticcheck env: PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck From 5ddb14dab4e98019a6875278a1bc556c61e4bb69 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 18 Jan 2024 16:56:43 -0500 Subject: [PATCH 122/383] Use long options for shfmt arguments Since shfmt now supports long command line options we should use them as that is our preference. The single quotes for the number of spaces to indent is changed to double quotes to align with our usual quotation style. --- .pre-commit-config.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ed254a0..ca36e5d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
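Review bot: The hook source moves from an organization-owned repository (`cisagov/pre-commit-shfmt`) to a third-party one (`scop/pre-commit-shfmt`) at `rev: v3.7.0-4`, and per the commit message the hook now obtains prebuilt `shfmt` binaries through a Python package, so the trust boundary for a tool that rewrites files in the repository now includes an external maintainer and a package index. pre-commit accepts a full commit SHA in `rev`, which cannot be moved the way a tag can; if the tag is kept for readability, a comment above the entry naming the upstream shfmt release it is believed to wrap (`# wraps shfmt v3.7.0 — verify on bump`) would give reviewers something to check on future updates.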
@@ -92,14 +92,14 @@ repos: - id: shfmt args: # Indent by two spaces - - -i - - '2' + - --indent + - "2" # Binary operators may start a line - - -bn + - --binary-next-line # Switch cases are indented - - -ci + - --case-indent # Redirect operators are followed by a space - - -sr + - --space-redirects - repo: https://github.com/detailyang/pre-commit-shell rev: 1.0.5 hooks: From 8ecd95718a6d1b0db176cb85bf0790e4810364fb Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 18 Jan 2024 17:34:18 -0500 Subject: [PATCH 123/383] Add additional shfmt options These options are baked into the functionality of the old hook but must be explicitly declared for the new hook. --- .pre-commit-config.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ca36e5d..6b35e4a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -91,6 +91,10 @@ repos: hooks: - id: shfmt args: + # List files that will be formatted + - --list + # Write result to file instead of stdout + - --write # Indent by two spaces - --indent - "2" From 242921b9856e3ede0fa1a941324c1a3f0ba116f7 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 21 Sep 2023 17:49:55 -0400 Subject: [PATCH 124/383] Set the default shell for all run steps in the build workflow This sets the default shell for any run steps in the build workflow to mirror our standard shellscript writing practices. In addition to enabling our standard options it will also enable errtrace and print any commands that are run which should make debugging/troubleshooting more straightforward. --- .github/workflows/build.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7b75a4..7299f6b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -7,6 +7,14 @@ on: repository_dispatch: types: [apb] +# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace, +# nounset, errexit, and pipefail. The `-x` will print all commands as they are +# run. Please see the GitHub Actions documentation for more information: +# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs +defaults: + run: + shell: bash -Eueo pipefail -x {0} + env: CURL_CACHE_DIR: ~/.cache/curl PIP_CACHE_DIR: ~/.cache/pip From c7b18dc7e57c5261720324bd5b1425f6992e965e Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 12 Jan 2024 17:55:34 -0500 Subject: [PATCH 125/383] Add linting with goimports to the pre-commit configuration This will run the Go tool `goimports` against the repository if it contains any Go files. This tool bundles the functionality of `go fmt` with the additional benefit of sorting Go imports much like the isort tool we use for Python code. --- .github/workflows/build.yml | 5 +++++ .pre-commit-config.yaml | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7b75a4..8e14eab 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -109,6 +109,11 @@ jobs: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install goimports + env: + PACKAGE_URL: golang.org/x/tools/cmd/goimports + PACKAGE_VERSION: ${{ steps.setup-env.outputs.goimports-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install gosec env: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 34f0253..7bb1f8c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
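Review bot: The `-x` in `shell: bash -Eueo pipefail -x {0}` echoes every command after expansion into the job log for all run steps, including the values of any `env` entries the steps reference. GitHub masks exact secret values such as `RUN_TMATE` when they appear in output, but not values derived from them (substrings, encodings, URLs that embed them), so any future step that transforms a secret will leak it with this default in place. Worth adding to the new comment block: `# Note: -x prints expanded commands to the log; never derive a value from a secret inside a run step.` — or reserve `-x` for per-step use while debugging.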
@@ -78,7 +78,11 @@ repos: - id: go-vet-repo-mod # GoSec - id: go-sec-repo-mod - + # goimports + - id: go-imports-repo + args: + # Write changes to files + - -w # Nix hooks - repo: https://github.com/nix-community/nixpkgs-fmt rev: v1.3.0 From f6d9d6e29249c4b6246fca71c285d744c7409f38 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 22 Jan 2024 12:31:43 -0600 Subject: [PATCH 126/383] Add ATX Header Support for terraform-docs This is a temporary fix until @mcdonnnj has his PR approved and merged into the terraform-docs repo. This fix will perform a shallow clone of his forked branch, build the binary, and install it. --- .github/workflows/build.yml | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7b75a4..e86b966 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -8,9 +8,12 @@ on: types: [apb] env: + BRANCH_NAME: improvement/support_atx_closed_markdown_headers CURL_CACHE_DIR: ~/.cache/curl + DEPTH: 1 PIP_CACHE_DIR: ~/.cache/pip PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit + REPO_URL: https://github.com/mcdonnnj/terraform-docs.git RUN_TMATE: ${{ secrets.RUN_TMATE }} jobs: 
@@ -124,11 +127,20 @@ jobs: PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install Terraform-docs - env: - PACKAGE_URL: github.com/terraform-docs/terraform-docs - PACKAGE_VERSION: ${{ steps.setup-env.outputs.terraform-docs-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + # We are temporarily using @mcdonnnj's forked branch of terraform-docs + # until his PR: https://github.com/terraform-docs/terraform-docs/pull/745 + # is approved. This temporary fix will allow for ATX Header Support when + # terraform-docs is ran during lint. + - name: Clone ATX Headers branch from Terraform-docs Fork + run: | + git clone --branch $BRANCH_NAME --single-branch \ + --depth=$DEPTH $REPO_URL /tmp/terraform-docs + - name: Build and Install Terraform-docs Binary + run: | + cd /tmp/terraform-docs + GOBIN=$(go env GOPATH)/bin + go build -o $GOBIN/terraform-docs + echo "$GOBIN" >> $GITHUB_PATH - name: Install dependencies run: | python -m pip install --upgrade pip setuptools wheel From 544e4789e052978d00f982ef45d8d0de9f5e4748 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 22 Jan 2024 14:03:00 -0600 Subject: [PATCH 127/383] Add prepended names to variables to describe their function Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e86b966..99b42c1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
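Review bot: The new clone step checks out a mutable branch (`$BRANCH_NAME` on `$REPO_URL`, a personal fork) and the following step builds it and puts the binary on the job's PATH, so whoever can push to that branch controls code executed by this workflow; nothing ties the build to a reviewed commit, whereas the removed `go install` line was pinned through `steps.setup-env.outputs.terraform-docs-version`. Add a pinned commit (for example a `<pinned-commit-sha>` env value) and verify it after the shallow clone, e.g. `git -C /tmp/terraform-docs rev-parse --verify HEAD` compared against the pinned value, or clone and then `git checkout <pinned-commit-sha>`. The reworked clone steps in patches 127 and 132 keep the same unpinned branch reference.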
@@ -8,13 +8,13 @@ on: types: [apb] env: - BRANCH_NAME: improvement/support_atx_closed_markdown_headers CURL_CACHE_DIR: ~/.cache/curl - DEPTH: 1 PIP_CACHE_DIR: ~/.cache/pip PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit - REPO_URL: https://github.com/mcdonnnj/terraform-docs.git RUN_TMATE: ${{ secrets.RUN_TMATE }} + TERRAFORM_DOCS_REPO_BRANCH_NAME: improvement/support_atx_closed_markdown_headers + TERRAFORM_DOCS_REPO_DEPTH: 1 + TERRAFORM_DOCS_REPO_URL: https://github.com/mcdonnnj/terraform-docs.git jobs: diagnostics: @@ -133,8 +133,10 @@ jobs: # terraform-docs is ran during lint. - name: Clone ATX Headers branch from Terraform-docs Fork run: | - git clone --branch $BRANCH_NAME --single-branch \ - --depth=$DEPTH $REPO_URL /tmp/terraform-docs + git clone --single-branch \ + --branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \ + --depth $TERRAFORM_DOCS_REPO_DEPTH \ + $TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs - name: Build and Install Terraform-docs Binary run: | cd /tmp/terraform-docs From f5fa0ff4ec1ded10a2906ade6300bba05cc2e81c Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 22 Jan 2024 14:05:01 -0600 Subject: [PATCH 128/383] Remove unnecessary capitalizations and fix grammar Co-authored-by: Shane Frasier --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 99b42c1..ca719aa 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -129,15 +129,15 @@ jobs: run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} # We are temporarily using @mcdonnnj's forked branch of terraform-docs # until his PR: https://github.com/terraform-docs/terraform-docs/pull/745 - # is approved. This temporary fix will allow for ATX Header Support when - # terraform-docs is ran during lint. - - name: Clone ATX Headers branch from Terraform-docs Fork + # is approved. This temporary fix will allow for ATX header support when + # terraform-docs is run during linting. + - name: Clone ATX headers branch from terraform-docs fork run: | git clone --single-branch \ --branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \ --depth $TERRAFORM_DOCS_REPO_DEPTH \ $TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs - - name: Build and Install Terraform-docs Binary + - name: Build and install terraform-docs binary run: | cd /tmp/terraform-docs GOBIN=$(go env GOPATH)/bin From 36361dd1c74c9855b87f2b4aec5a9be1fa7c416e Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 22 Jan 2024 14:14:27 -0600 Subject: [PATCH 129/383] Simplify steps in the build/install portion of workflow PATH is handled by `setup-go` so we can refactor the code setting it. Also we are taking advantage of the -C switch to handle building from the cloned repository. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ca719aa..6ab90de 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -139,10 +139,9 @@ jobs: $TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs - name: Build and install terraform-docs binary run: | - cd /tmp/terraform-docs - GOBIN=$(go env GOPATH)/bin - go build -o $GOBIN/terraform-docs - echo "$GOBIN" >> $GITHUB_PATH + go build \ + -C /tmp/terraform-docs \ + -o $(go env GOPATH)/bin/terraform-docs - name: Install dependencies run: | python -m pip install --upgrade pip setuptools wheel From 3711ebe461d81987b4121903d2f3f1b290fccad3 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Tue, 23 Jan 2024 08:04:07 -0600 Subject: [PATCH 130/383] Add TODO label --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6ab90de..f5ba773 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -51,7 +51,7 @@ jobs: uses: actions/setup-python@v4 with: python-version: "3.11" - # We need the Go version and Go cache location for the actions/cache step, + # TODO: We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go uses: actions/setup-go@v4 From d114fb4233f22cb9edb3e1a6555ca0a677bcfc7e Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Tue, 23 Jan 2024 08:24:12 -0600 Subject: [PATCH 131/383] Move TODO and add link to the issue `TODO` was placed on the wrong comment block. Also I am adding a link to the issue for the TODO. --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f5ba773..0068f1f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
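Review bot: `-o $(go env GOPATH)/bin/terraform-docs` leaves the command substitution unquoted, so a GOPATH containing whitespace would be split into several arguments (shellcheck SC2046); `-o "$(go env GOPATH)/bin/terraform-docs"` avoids that. `go build -C` requires Go 1.20 or newer; the workflow appears to install 1.20 (see the `go-version: "1.20"` context in patch 112), so a one-line comment on the step such as `# go build -C requires Go >= 1.20` would prevent a confusing failure if the version is ever lowered.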
@@ -51,7 +51,7 @@ jobs: uses: actions/setup-python@v4 with: python-version: "3.11" - # TODO: We need the Go version and Go cache location for the actions/cache step, + # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go uses: actions/setup-go@v4 @@ -127,6 +127,7 @@ jobs: PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + # TODO: https://github.com/cisagov/skeleton-generic/issues/165 # We are temporarily using @mcdonnnj's forked branch of terraform-docs # until his PR: https://github.com/terraform-docs/terraform-docs/pull/745 # is approved. This temporary fix will allow for ATX header support when From c907cfc82a8f329fbd4ad0ee17f3500922c51711 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Tue, 23 Jan 2024 08:41:41 -0600 Subject: [PATCH 132/383] Alphabetize switches Co-authored-by: dav3r --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0068f1f..35391d5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -134,9 +134,10 @@ jobs: # terraform-docs is run during linting. - name: Clone ATX headers branch from terraform-docs fork run: | - git clone --single-branch \ + git clone \ --branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \ --depth $TERRAFORM_DOCS_REPO_DEPTH \ + --single-branch \ $TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs - name: Build and install terraform-docs binary run: | From 48db3e3381aa61bdbe67dab64454db3e7f332c75 Mon Sep 17 00:00:00 2001 
From: Michael Saki Date: Thu, 25 Jan 2024 12:19:41 -0600 Subject: [PATCH 133/383] Allow setup-env to specify Python version This commit is introducing 2 new flags into the setup-env script. -l or --list-versions will list available Python versions and allow the user to select a version interactively. The second flag -v or --version will allow a user to set the version if installed. (e.g. ./setup-env -v 3.9.6) --- setup-env | 42 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 39 insertions(+), 3 deletions(-) diff --git a/setup-env b/setup-env index 77926bf..b99ec5f 100755 --- a/setup-env +++ b/setup-env @@ -25,6 +25,8 @@ Options: -h --help Show this message. -i --install-hooks Install hook environments for all environments in the pre-commit config file. + -v --version Specify the Python version for the virtual environment. + -l --list-versions List available Python versions and select interactively. END_OF_LINE ) @@ -35,6 +37,13 @@ FORCE=0 # Positional parameters PARAMS="" +# Flags to allow a user to specify which version of Python they want to use +PYTHON_VERSION="" +LIST_VERSIONS=0 + +# Temp file that is used to search through available installed Python versions +TMPFILE=/tmp/versions.$$ + # Parse command line arguments while (("$#")); do case "$1" in @@ -50,6 +59,14 @@ while (("$#")); do INSTALL_HOOKS=1 shift ;; + -v | --version) + PYTHON_VERSION=$2 + shift 2 + ;; + -l | --list-versions) + LIST_VERSIONS=1 + shift + ;; -*) # unsupported flags echo "Error: Unsupported flag $1" >&2 exit 1 
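Review bot: The `-v | --version` branch assigns `PYTHON_VERSION=$2` and runs `shift 2` without checking that a value was supplied, so `./setup-env -v` with nothing after it sets an empty version and the `shift` fails; depending on whether errexit is enabled (not visible here) that either aborts the script without a usage message or leaves the positional parameters untouched so the `while (("$#"))` loop never terminates. Guard it first: `if [ -z "${2:-}" ]; then echo "Error: $1 requires an argument" >&2; exit 1; fi`. The enclosing `while` loop starts before this hunk.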
@@ -111,6 +128,25 @@ else fi set -o nounset +# List Python versions and select one interactively +if [ $LIST_VERSIONS -ne 0 ]; then + echo Available Python versions: + pyenv versions --bare --skip-aliases --skip-envs + read -p -r "Enter the desired Python version: " PYTHON_VERSION +fi + +# Check if PYTHON_VERSION isn't empty. If it is installed, set it locally. +pyenv versions --bare --skip-aliases --skip-envs > $TMPFILE +if [ -n "$PYTHON_VERSION" ]; then + if grep --fixed-strings --quiet "$PYTHON_VERSION" $TMPFILE; then + echo Using Python version "$PYTHON_VERSION" + pyenv local "$PYTHON_VERSION" + else + echo Error: Python version "$PYTHON_VERSION" is not installed. + fi + exit 1 +fi + # Remove any lingering local configuration. if [ $FORCE -ne 0 ]; then rm -f .python-version @@ -130,10 +166,10 @@ fi # Create a new virtual environment for this project if ! pyenv virtualenv "${env_name}"; then cat << END_OF_LINE - An existing virtual environment named $env_name was found. Either delete this - environment yourself or re-run with --force option to have it deleted. + An existing virtual environment named $env_name was found. Either delete this + environment yourself or re-run with --force option to have it deleted. - pyenv virtualenv-delete ${env_name} + pyenv virtualenv-delete ${env_name} END_OF_LINE exit 1 From c10929afae693990a3d4d034faa2c1ab1b2689ee Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Thu, 25 Jan 2024 14:15:40 -0600 Subject: [PATCH 134/383] Add /dev/null and remove TMPFILE This makes the code a bit cleaner and still accomplishes the same functionality Co-authored-by: Shane Frasier --- setup-env | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/setup-env b/setup-env index b99ec5f..769522a 100755 --- a/setup-env +++ b/setup-env 
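Review bot: The `exit 1` after the inner `if`/`else` sits inside the outer `if [ -n "$PYTHON_VERSION" ]` block, so a valid `--version` value runs `pyenv local` and then exits with failure before the virtual environment is ever created; only the `else` branch should exit, and the message belongs on stderr: `echo "Error: Python version $PYTHON_VERSION is not installed." >&2` followed by `exit 1` inside the `else`. The check is also a substring match — `grep --fixed-strings` with `3.1` matches `3.10.2` and `3.9` matches `3.9.6` — so `grep --fixed-strings --line-regexp --quiet` would require the typed version to be exactly one of the installed ones; patches 134 and 135 rework these lines but keep both issues. `pyenv local` writes `.python-version`, which the `--force` branch a few lines below deletes with `rm -f .python-version`, so `--force --version X` likely discards the selection; moving the version step after that cleanup would avoid it.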
@@ -41,9 +41,6 @@ PARAMS="" PYTHON_VERSION="" LIST_VERSIONS=0 -# Temp file that is used to search through available installed Python versions -TMPFILE=/tmp/versions.$$ - # Parse command line arguments while (("$#")); do case "$1" in @@ -136,9 +133,8 @@ if [ $LIST_VERSIONS -ne 0 ]; then fi # Check if PYTHON_VERSION isn't empty. If it is installed, set it locally. -pyenv versions --bare --skip-aliases --skip-envs > $TMPFILE if [ -n "$PYTHON_VERSION" ]; then - if grep --fixed-strings --quiet "$PYTHON_VERSION" $TMPFILE; then + if pyenv versions --bare --skip-aliases --skip-envs | grep --fixed-strings "$PYTHON_VERSION" >/dev/null; then echo Using Python version "$PYTHON_VERSION" pyenv local "$PYTHON_VERSION" else From adada40e6fa6aed6fa14f253a5b86f313b3dfa8f Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Thu, 25 Jan 2024 14:19:54 -0600 Subject: [PATCH 135/383] Place flags in the correct order for -r and -p --- setup-env | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup-env b/setup-env index 769522a..2adbd5a 100755 --- a/setup-env +++ b/setup-env @@ -129,12 +129,12 @@ set -o nounset if [ $LIST_VERSIONS -ne 0 ]; then echo Available Python versions: pyenv versions --bare --skip-aliases --skip-envs - read -p -r "Enter the desired Python version: " PYTHON_VERSION + read -r -p "Enter the desired Python version: " PYTHON_VERSION fi # Check if PYTHON_VERSION isn't empty. If it is installed, set it locally. if [ -n "$PYTHON_VERSION" ]; then - if pyenv versions --bare --skip-aliases --skip-envs | grep --fixed-strings "$PYTHON_VERSION" >/dev/null; then + if pyenv versions --bare --skip-aliases --skip-envs | grep --fixed-strings "$PYTHON_VERSION" > /dev/null; then echo Using Python version "$PYTHON_VERSION" pyenv local "$PYTHON_VERSION" else From 1861b9b86778613bdaeff804418f2d00706f4a08 Mon Sep 17 00:00:00 2001 
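Review bot: The rewritten test drops `--quiet` in favour of a `>/dev/null` redirect; `pyenv versions --bare --skip-aliases --skip-envs | grep --fixed-strings --quiet "$PYTHON_VERSION"` does the same with less noise and lets grep stop at the first match. The substring behaviour of this test (`3.9` accepted when only `3.9.6` is installed) is unchanged by the rewrite; adding `--line-regexp` fixes it. The surrounding if/else block ends outside this hunk.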
From: Michael Saki Date: Thu, 25 Jan 2024 14:21:49 -0600 Subject: [PATCH 136/383] Remove unneccessary spacing --- setup-env | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup-env b/setup-env index 2adbd5a..5abb624 100755 --- a/setup-env +++ b/setup-env @@ -162,10 +162,10 @@ fi # Create a new virtual environment for this project if ! pyenv virtualenv "${env_name}"; then cat << END_OF_LINE - An existing virtual environment named $env_name was found. Either delete this - environment yourself or re-run with --force option to have it deleted. + An existing virtual environment named $env_name was found. Either delete this + environment yourself or re-run with --force option to have it deleted. - pyenv virtualenv-delete ${env_name} + pyenv virtualenv-delete ${env_name} END_OF_LINE exit 1 From 3f623e493752c581829271a148cb9fff3ad4f4ab Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Thu, 25 Jan 2024 14:25:37 -0600 Subject: [PATCH 137/383] Alphabetize flags and descriptions Co-authored-by: Shane Frasier --- setup-env | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup-env b/setup-env index 5abb624..5282e49 100755 --- a/setup-env +++ b/setup-env @@ -25,8 +25,8 @@ Options: -h --help Show this message. -i --install-hooks Install hook environments for all environments in the pre-commit config file. - -v --version Specify the Python version for the virtual environment. -l --list-versions List available Python versions and select interactively. + -v --version Specify the Python version for the virtual environment. END_OF_LINE ) @@ -56,14 +56,14 @@ while (("$#")); do INSTALL_HOOKS=1 shift ;; - -v | --version) - PYTHON_VERSION=$2 - shift 2 - ;; -l | --list-versions) LIST_VERSIONS=1 shift ;; + -v | --version) + PYTHON_VERSION=$2 + shift 2 + ;; -*) # unsupported flags echo "Error: Unsupported flag $1" >&2 exit 1 From 9497dc276e9f148211e32cc800342846cfa25e33 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Fri, 26 Jan 2024 10:08:25 -0500 Subject: [PATCH 138/383] Move misplaced exit If the Python version exists then we want the script to continue execution. --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 5282e49..5d15679 100755 --- a/setup-env +++ b/setup-env @@ -139,8 +139,8 @@ if [ -n "$PYTHON_VERSION" ]; then pyenv local "$PYTHON_VERSION" else echo Error: Python version "$PYTHON_VERSION" is not installed. + exit 1 fi - exit 1 fi # Remove any lingering local configuration. From e1d0f28ba1d96b2da0af91e277648ca88d0c3f35 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 26 Jan 2024 10:10:23 -0500 Subject: [PATCH 139/383] Remove premature pyenv local command pyenv local is run below. --- setup-env | 1 - 1 file changed, 1 deletion(-) diff --git a/setup-env b/setup-env index 5d15679..a78f940 100755 --- a/setup-env +++ b/setup-env @@ -136,7 +136,6 @@ fi if [ -n "$PYTHON_VERSION" ]; then if pyenv versions --bare --skip-aliases --skip-envs | grep --fixed-strings "$PYTHON_VERSION" > /dev/null; then echo Using Python version "$PYTHON_VERSION" - pyenv local "$PYTHON_VERSION" else echo Error: Python version "$PYTHON_VERSION" is not installed. exit 1 From 517b336210269d890c28e5c05d1c13e866fb7b15 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 26 Jan 2024 10:11:50 -0500 Subject: [PATCH 140/383] Include PYTHON_VERSION when running pyenv virtualenv If PYTHON_VERSION is an empty string then the system Python will be used. --- setup-env | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/setup-env b/setup-env index a78f940..0aa173d 100755 --- a/setup-env +++ b/setup-env @@ -37,8 +37,8 @@ FORCE=0 # Positional parameters PARAMS="" -# Flags to allow a user to specify which version of Python they want to use -PYTHON_VERSION="" +# A flag to allow a user to specify which version of Python they want +# to use. LIST_VERSIONS=0 # Parse command line arguments 
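Review bot: The replacement comment `# A flag to allow a user to specify which version of Python they want to use.` now sits directly above `LIST_VERSIONS=0`, which is the list-and-select switch, so it describes the wrong variable; reword it to `# Flag to list the installed Python versions and pick one interactively.`. Dropping `PYTHON_VERSION=""` also means the variable is unset rather than empty when `-v` is not given, which only works because the later references use the `${PYTHON_VERSION+x}` and `${PYTHON_VERSION:=}` forms; that dependency deserves a one-line comment here, e.g. `# PYTHON_VERSION is deliberately left unset; later code tests for that.`.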
@@ -132,8 +132,9 @@ if [ $LIST_VERSIONS -ne 0 ]; then read -r -p "Enter the desired Python version: " PYTHON_VERSION fi -# Check if PYTHON_VERSION isn't empty. If it is installed, set it locally. -if [ -n "$PYTHON_VERSION" ]; then +# Check if PYTHON_VERSION is defined. If it is defined then check that +# it is a valid value. +if [ -n "${PYTHON_VERSION+x}" ]; then if pyenv versions --bare --skip-aliases --skip-envs | grep --fixed-strings "$PYTHON_VERSION" > /dev/null; then echo Using Python version "$PYTHON_VERSION" else @@ -159,7 +160,15 @@ END_OF_LINE fi # Create a new virtual environment for this project -if ! pyenv virtualenv "${env_name}"; then +# +# If $PYTHON_VERSION is undefined then the system Python will be used. +# +# We can't quote ${PYTHON_VERSION:=} below since if the variable is +# undefined then we want nothing to appear; this is the reason for the +# "shellcheck disable" line below. +# +# shellcheck disable=SC2086 +if ! pyenv virtualenv ${PYTHON_VERSION:=} "${env_name}"; then cat << END_OF_LINE An existing virtual environment named $env_name was found. Either delete this environment yourself or re-run with --force option to have it deleted. From 2e5794cb2aeaa76e8c94e3113f903954a9564eb4 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Tue, 30 Jan 2024 12:51:51 -0600 Subject: [PATCH 141/383] Add getopt variables and short flags --- setup-env | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/setup-env b/setup-env index 0aa173d..63cebd3 100755 --- a/setup-env +++ b/setup-env @@ -34,9 +34,21 @@ END_OF_LINE # Flag to force deletion and creation of virtual environment FORCE=0 +# Initialize the all other flags +INSTALL_HOOKS=0 +LIST_VERSIONS=0 +PYTHON_VERSION="" +VENV_NAME="" + # Positional parameters PARAMS="" +# Define short options for getopt +OPTS="fhilv:n:" + +# Parse options using BSD getopt +OPTIND=1 + # A flag to allow a user to specify which version of Python they want # to use. LIST_VERSIONS=0 
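Review bot: `[ -n "${PYTHON_VERSION+x}" ]` tests whether the variable is defined, not whether it holds a value, and after the interactive `read` a few lines above it is always defined; an empty answer therefore passes this guard, `grep --fixed-strings ""` matches every installed version, and the script prints `Using Python version` with nothing after it. `if [ -n "${PYTHON_VERSION:-}" ]; then` treats unset and empty the same way, which matches how `${PYTHON_VERSION:=}` is used when the virtualenv is created. The if block continues past the end of the hunk.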
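Review bot: The unquoted `${PYTHON_VERSION:=}` in `pyenv virtualenv ${PYTHON_VERSION:=} "${env_name}"` needs a shellcheck waiver and, as a side effect, assigns the variable; the alternate-value form `${PYTHON_VERSION:+"$PYTHON_VERSION"}` expands to nothing when the variable is unset or empty and to a single quoted word otherwise, so it is nounset-safe, immune to word splitting, and needs no `# shellcheck disable=SC2086` line. The explanatory comment above could then shrink to `# If $PYTHON_VERSION is unset or empty the system Python is used.`. The if body continues beyond this hunk.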
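Review bot: `LIST_VERSIONS=0` is now initialised twice — once in the new `# Initialize the all other flags` group and again under the old `# A flag to allow a user ...` comment at the bottom of the hunk; the second copy should go with this change rather than in a follow-up. `OPTS="fhilv:n:"` and `OPTIND=1` are introduced here but nothing in this commit reads them, so the `# Parse options using BSD getopt` comment describes parsing that does not exist yet, and the loop this series adds later uses `getopts`, which is the shell builtin rather than BSD getopt. The group comment also has a stray article: `# Initialize all other flags`.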
From 8a5003195b6cc3a069fb0c4ec678f20372c4e10d Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Tue, 30 Jan 2024 12:54:12 -0600 Subject: [PATCH 142/383] Remove redundant flag initialization --- setup-env | 4 ---- 1 file changed, 4 deletions(-) diff --git a/setup-env b/setup-env index 63cebd3..da640f0 100755 --- a/setup-env +++ b/setup-env @@ -49,10 +49,6 @@ OPTS="fhilv:n:" # Parse options using BSD getopt OPTIND=1 -# A flag to allow a user to specify which version of Python they want -# to use. -LIST_VERSIONS=0 - # Parse command line arguments while (("$#")); do case "$1" in From 0df0e6aca8252e6356762b9284f3165ee39e2017 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Tue, 30 Jan 2024 13:59:04 -0600 Subject: [PATCH 143/383] Add getopt functionality and -n flag This commit makes a couple changes. The first change is adding the BSD getopt tool to simplify the parsing of flags and arguments. Second, we are adding the -n flag so the user can specify the name of the virtual environment if they choose. --- setup-env | 57 +++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 36 insertions(+), 21 deletions(-) diff --git a/setup-env b/setup-env index da640f0..e097c82 100755 --- a/setup-env +++ b/setup-env 
@@ -49,40 +49,55 @@ OPTS="fhilv:n:" # Parse options using BSD getopt OPTIND=1 +# Display installed python versions +python_versions() { + pyenv versions --bare --skip-aliases --skip-envs +} + # Parse command line arguments -while (("$#")); do - case "$1" in - -f | --force) +while getopts :$OPTS opt; do + case $opt in + f) FORCE=1 - shift ;; - -h | --help) - echo "${USAGE}" + h) + echo "$USAGE" exit 0 ;; - -i | --install-hooks) + i) INSTALL_HOOKS=1 - shift ;; - -l | --list-versions) + l) LIST_VERSIONS=1 - shift ;; - -v | --version) - PYTHON_VERSION=$2 - shift 2 + n) + VENV_NAME="$OPTARG" + ;; + v) + PYTHON_VERSION="$OPTARG" + # Check if Python version is valid and installed + if ! python_versions | grep --fixed-strings "$PYTHON_VERSION" > /dev/null; then + echo "Error: Python version $PYTHON_VERSION is not installed. Versions available:" + python_versions + exit 1 + fi ;; - -*) # unsupported flags - echo "Error: Unsupported flag $1" >&2 + \:) + echo Error: Option -$OPTARG requires an argument. + echo "$USAGE" exit 1 ;; - *) # preserve positional arguments - PARAMS="$PARAMS $1" - shift + \?) + echo -e "Invalid option please look through usage: \n" + echo "$USAGE" + exit 1 ;; + esac done +shift $((OPTIND-1)) + # set positional arguments in their proper place eval set -- "$PARAMS" @@ -124,9 +139,9 @@ fi set +o nounset # Determine the virtual environment name -if [ "$1" ]; then +if [ -n "$VENV_NAME" ]; then # Use the user-provided environment name - env_name=$1 + env_name="$VENV_NAME" else # Set the environment name to the last part of the working directory. env_name=${PWD##*/} @@ -136,7 +151,7 @@ set -o nounset # List Python versions and select one interactively if [ $LIST_VERSIONS -ne 0 ]; then echo Available Python versions: - pyenv versions --bare --skip-aliases --skip-envs + python_versions read -r -p "Enter the desired Python version: " PYTHON_VERSION fi From 60cad12a2a64508c1e5c80092118747b64bb32e6 Mon Sep 17 00:00:00 2001 
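Review bot: `eval set -- "$PARAMS"` after the new `shift $((OPTIND-1))` is dead code: nothing in the `getopts` loop appends to PARAMS any more, and `shift` already leaves the non-option arguments in `$@`, so the `# set positional arguments in their proper place` comment and the `eval` line should be removed rather than kept as an eval of argument-derived text. In the `v)` branch, `grep --fixed-strings "$PYTHON_VERSION"` is still a substring test (`3.9` passes when only `3.9.6` is installed); `grep --fixed-strings --line-regexp --quiet` compares whole lines. The `# Parse options using BSD getopt` comment above the hunk now sits on a `getopts` loop, which is the shell builtin rather than BSD getopt.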
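Review bot: Switching the name lookup from `$1` to `$VENV_NAME` means a positional name (`setup-env myenv`) is now silently ignored rather than used or rejected, while the usage text at this commit still shows `[virt_env_name]`. After the `shift $((OPTIND-1))` in the previous hunk, a check such as `[ $# -eq 0 ] || { echo "Error: unexpected argument: $1" >&2; exit 1; }` would make the change visible to users of the old form. The if/else continues outside the hunk.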
From: Michael Saki Date: Tue, 30 Jan 2024 14:16:52 -0600 Subject: [PATCH 144/383] Update the usage and force documentation This commit will update the usage documentation so now it will display all the new flags, how to use them, and what they do. Since the long option isn't available for the BSD version of getopt we have to use short options only. The force documentation has been updated to reflect this change. Also removed some redundant code that wasn't necessary. --- setup-env | 47 +++++++++++++++++++---------------------------- 1 file changed, 19 insertions(+), 28 deletions(-) diff --git a/setup-env b/setup-env index e097c82..4ed12d9 100755 --- a/setup-env +++ b/setup-env @@ -17,16 +17,18 @@ It does the following: - Configures git upstream remote "lineage" repositories. Usage: - setup-env [options] [virt_env_name] - setup-env (-h | --help) + setup-env [-n] [virt_env_name] + setup-env [-v] [python_version] + setup-env (-h) Options: - -f --force Delete virtual enviroment if it already exists. - -h --help Show this message. - -i --install-hooks Install hook environments for all environments in the - pre-commit config file. - -l --list-versions List available Python versions and select interactively. - -v --version Specify the Python version for the virtual environment. + -f Delete virtual enviroment if it already exists. + -h Show this message. + -i Install hook environments for all environments in the + pre-commit config file. + -l List available Python versions and select interactively. + -n Choose the name of the virtual environment. + -v Specify the Python version for the virtual environment. END_OF_LINE ) @@ -49,9 +51,9 @@ OPTS="fhilv:n:" # Parse options using BSD getopt OPTIND=1 -# Display installed python versions +# Display installed python versions python_versions() { - pyenv versions --bare --skip-aliases --skip-envs + pyenv versions --bare --skip-aliases --skip-envs } # Parse command line arguments 
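Review bot: The new synopsis lines `setup-env [-n] [virt_env_name]` and `setup-env [-v] [python_version]` show the flags as optional switches separate from their arguments, but both are declared with `:` in `OPTS="fhilv:n:"` and take the value immediately; `setup-env [-n virt_env_name] [-v python_version]` is the form the parser accepts, and the two can share one line since neither excludes the other. The rewritten `-f` line also carries over the `enviroment` misspelling (`environment`). These lines live inside the USAGE heredoc, which starts before the hunk.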
@@ -82,21 +84,21 @@ while getopts :$OPTS opt; do exit 1 fi ;; - \:) - echo Error: Option -$OPTARG requires an argument. + :) + echo -e "Error: Option -$OPTARG requires an argument. \n" echo "$USAGE" exit 1 ;; \?) - echo -e "Invalid option please look through usage: \n" + echo -e "Invalid option please look through usage: \n" echo "$USAGE" exit 1 ;; - + esac done -shift $((OPTIND-1)) +shift $((OPTIND - 1)) # set positional arguments in their proper place eval set -- "$PARAMS" @@ -155,17 +157,6 @@ if [ $LIST_VERSIONS -ne 0 ]; then read -r -p "Enter the desired Python version: " PYTHON_VERSION fi -# Check if PYTHON_VERSION is defined. If it is defined then check that -# it is a valid value. -if [ -n "${PYTHON_VERSION+x}" ]; then - if pyenv versions --bare --skip-aliases --skip-envs | grep --fixed-strings "$PYTHON_VERSION" > /dev/null; then - echo Using Python version "$PYTHON_VERSION" - else - echo Error: Python version "$PYTHON_VERSION" is not installed. - exit 1 - fi -fi - # Remove any lingering local configuration. if [ $FORCE -ne 0 ]; then rm -f .python-version @@ -173,7 +164,7 @@ if [ $FORCE -ne 0 ]; then elif [[ -f .python-version ]]; then cat << 'END_OF_LINE' An existing .python-version file was found. Either remove this file yourself - or re-run with --force option to have it deleted along with the associated + or re-run with -f (force) option to have it deleted along with the associated virtual environment. rm .python-version @@ -194,7 +185,7 @@ fi if ! pyenv virtualenv ${PYTHON_VERSION:=} "${env_name}"; then cat << END_OF_LINE An existing virtual environment named $env_name was found. Either delete this - environment yourself or re-run with --force option to have it deleted. + environment yourself or re-run with -f (force) option to have it deleted. pyenv virtualenv-delete ${env_name} From b6ab6d82fb63bece7926b9a524bbb59a96c0cb06 Mon Sep 17 00:00:00 2001 
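Review bot: The rewritten `:)` and `\?)` error branches still print to stdout, whereas the `Unsupported flag` message this series replaced went to stderr; appending `>&2` to the two `echo -e` lines keeps errors out of any captured output, and `echo -e "... \n"` can be a plain `echo` followed by an empty `echo` if the blank line is wanted. The deletion hunk that follows in this same commit removes the only validation on the interactively entered version from the `-l` path, so a mistyped answer now reaches `pyenv virtualenv` unchecked — the check should move into a helper shared with the `v)` branch rather than be deleted. The `case` block starts before this hunk.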
From: Michael Saki Date: Tue, 6 Feb 2024 19:58:49 -0600 Subject: [PATCH 145/383] Update usage with long options --- setup-env | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/setup-env b/setup-env index 4ed12d9..898907b 100755 --- a/setup-env +++ b/setup-env @@ -9,6 +9,8 @@ USAGE=$( Configure a development environment for this repository. It does the following: + - Allows user to specify Python version. + - Allows user to choose name for their virtual environment. - Verifies pyenv and pyenv-virtualenv are installed. - Creates a Python virtual environment. - Configures the activation of the virtual enviroment for the repo directory. @@ -17,18 +19,18 @@ It does the following: - Configures git upstream remote "lineage" repositories. Usage: - setup-env [-n] [virt_env_name] - setup-env [-v] [python_version] - setup-env (-h) + setup-env (-n | --name) [virt_env_name] + setup-env (-v | --version) [python_version] + setup-env (-h | --help) Options: - -f Delete virtual enviroment if it already exists. - -h Show this message. - -i Install hook environments for all environments in the - pre-commit config file. - -l List available Python versions and select interactively. - -n Choose the name of the virtual environment. - -v Specify the Python version for the virtual environment. + -f | --force Delete virtual enviroment if it already exists. + -h | --help Show this message. + -i | --install-hooks Install hook environments for all environments in the + pre-commit config file. + -l | --list-versions List available Python versions and select interactively. + -n | --name Choose the name of the virtual environment. + -v | --version Specify the Python version for the virtual environment. END_OF_LINE ) From d362614a13731f3884856fa2ee37ade0089fda47 Mon Sep 17 00:00:00 2001 
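Review bot: The usage now documents `--force`, `--help`, `--install-hooks`, `--list-versions`, `--name` and `--version`, but the parser at this commit is the `getopts` loop with `OPTS="fhilv:n:"`, which understands only the single-letter forms; a user following this text will most likely hit the `Invalid option` branch until long-option parsing lands. Either squash this with the commit that adds long-option support or hold the text until then. The two new `- Allows user ...` bullets read better as `- Allows the user to specify the Python version.` and `- Allows the user to name the virtual environment.`; the heredoc they sit in starts before the hunk.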
From: Michael Saki Date: Tue, 6 Feb 2024 20:28:05 -0600 Subject: [PATCH 146/383] Add gnu-getopt functionality and error handling This commit will make it so long options are supported. It also includes some improved error handling. It will display a message if a Mac OS user doesn't have gnu-getopt installed on their system and suggest steps to take to get it installed via brew. --- setup-env | 107 ++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 68 insertions(+), 39 deletions(-) diff --git a/setup-env b/setup-env index 898907b..f4cdf75 100755 --- a/setup-env +++ b/setup-env @@ -35,6 +35,11 @@ Options: END_OF_LINE ) +# Display installed python versions +python_versions() { + pyenv versions --bare --skip-aliases --skip-envs +} + # Flag to force deletion and creation of virtual environment FORCE=0 
@@ -44,67 +49,82 @@ LIST_VERSIONS=0 PYTHON_VERSION="" VENV_NAME="" -# Positional parameters -PARAMS="" +# Define long options +LONGOPTS="force,help,install-hooks,list-versions,name:,version:" # Define short options for getopt -OPTS="fhilv:n:" +SHORTOPTS="fhiln:v:" -# Parse options using BSD getopt -OPTIND=1 +# Check if GNU getopt is available +if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then + cat << 'END_OF_LINE' -# Display installed python versions -python_versions() { - pyenv versions --bare --skip-aliases --skip-envs -} + Gnu-getopt is not detected and is a dependency to run this script. + On the Mac, we recommend installing brew, https://brew.sh/. Then installation + is as simple as `brew install gnu-getopt` and adding this to your + profile: + + export PATH="/usr/local/opt/gnu-getopt/bin:$PATH" + +END_OF_LINE + exit 1 +fi -# Parse command line arguments -while getopts :$OPTS opt; do - case $opt in - f) +# Use GNU getopt to parse options +if ! PARSED=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS --name "$0" -- "$@"); then + echo "Error parsing options" + exit 2 +fi +eval set -- "$PARSED" + +while true; do + case "$1" in + -f | --force) FORCE=1 + shift ;; - h) + -h | --help) echo "$USAGE" exit 0 ;; - i) + -i | --install-hooks) INSTALL_HOOKS=1 + shift ;; - l) + -l | --list-versions) LIST_VERSIONS=1 + shift ;; - n) - VENV_NAME="$OPTARG" + -n | --name) + VENV_NAME="$2" + shift 2 ;; - v) - PYTHON_VERSION="$OPTARG" - # Check if Python version is valid and installed - if ! python_versions | grep --fixed-strings "$PYTHON_VERSION" > /dev/null; then - echo "Error: Python version $PYTHON_VERSION is not installed. Versions available:" - python_versions - exit 1 + -v | --version) + PYTHON_VERSION="$2" + shift 2 + # Check the Python versions being passed in. 
+ if [ -n "${PYTHON_VERSION+x}" ]; then + if python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then + echo Using Python version "$PYTHON_VERSION" + else + echo Error: Python version "$PYTHON_VERSION" is not installed. + echo Installed Python versions are: + python_versions + exit 1 + fi fi ;; - :) - echo -e "Error: Option -$OPTARG requires an argument. \n" - echo "$USAGE" - exit 1 + --) + shift + break ;; - \?) - echo -e "Invalid option please look through usage: \n" - echo "$USAGE" - exit 1 + *) + echo "Programming error" + exit 3 ;; - esac done -shift $((OPTIND - 1)) - -# set positional arguments in their proper place -eval set -- "$PARAMS" - # Check to see if pyenv is installed if [ -z "$(command -v pyenv)" ] || { [ -z "$(command -v pyenv-virtualenv)" ] && [ ! -f "$(pyenv root)/plugins/pyenv-virtualenv/bin/pyenv-virtualenv" ]; }; then echo "pyenv and pyenv-virtualenv are required." @@ -157,6 +177,15 @@ if [ $LIST_VERSIONS -ne 0 ]; then echo Available Python versions: python_versions read -r -p "Enter the desired Python version: " PYTHON_VERSION + # Check the Python versions being passed in. + if [ -n "${PYTHON_VERSION+x}" ]; then + if python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then + echo Using Python version "$PYTHON_VERSION" + else + echo Error: Python version "$PYTHON_VERSION" is not installed. + exit 1 + fi + fi fi # Remove any lingering local configuration. From f92458454394db61e8080b72b42fd340b3b64aa1 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Tue, 6 Feb 2024 20:49:34 -0600 Subject: [PATCH 147/383] Add documentation in CONTRIBUTING.md for gnu-getopt --- CONTRIBUTING.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 27bb9e7..dbbe417 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
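Review bot: In the `-v | --version` branch the value taken from the command line is spliced into a regular expression, `grep -E "^${PYTHON_VERSION}$"`, so metacharacters in the argument change what matches or make grep error out, and the `[ -n "${PYTHON_VERSION+x}" ]` guard immediately after an unconditional assignment is always true; the same check is repeated almost verbatim in the `-l` block added by the following hunk (`@@ -157,6 +177,15 @@`). `grep --fixed-strings --line-regexp` compares the literal value against whole lines, and a small helper lets both paths share one check and one error message. The sketch below adds that helper next to `python_versions` and reduces the `-v` branch to a call; the `-l` block would call it the same way after its `read`. The `while true` loop and the `-l` block both run past the hunk boundaries.
```shell
# Exit unless the given version is exactly one that pyenv reports as installed.
require_installed_version() {
  if python_versions | grep --fixed-strings --line-regexp --quiet -- "$1"; then
    echo "Using Python version $1"
  else
    echo "Error: Python version $1 is not installed. Installed Python versions are:" >&2
    python_versions >&2
    exit 1
  fi
}

# … unchanged: GNU getopt detection and option parsing up to the -v case …
    -v | --version)
      # … unchanged: PYTHON_VERSION="$2"; shift 2 …
      require_installed_version "$PYTHON_VERSION"
      ;;
# … unchanged: remaining cases …
```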
@@ -46,9 +46,12 @@ There are a few ways to do this, but we prefer to use create and manage a Python virtual environment specific to this project. -If you already have `pyenv` and `pyenv-virtualenv` configured you can -take advantage of the `setup-env` tool in this repo to automate the -entire environment configuration process. +The `setup-env` tool in this repository is our recommended method +for automating the entire environment configuration process. The +dependencies required to run this tool are +[`gnu-getopt`](https://manned.org/getopt.1), `pyenv`, and +`pyenv-virtualenv`. If these tools are already configured on +your system, you can simply run the following command. ```console ./setup-env @@ -57,13 +60,14 @@ entire environment configuration process. Otherwise, follow the steps below to manually configure your environment. -#### Installing and using `pyenv` and `pyenv-virtualenv` #### +#### Installing and using `gnu-getopt`, `pyenv`, and `pyenv-virtualenv` #### On the Mac, we recommend installing [brew](https://brew.sh/). Then -installation is as simple as `brew install pyenv pyenv-virtualenv` and +installation is as simple as `brew install gnu-getopt pyenv pyenv-virtualenv` and adding this to your profile: ```bash +export PATH="/usr/local/opt/gnu-getopt/bin:$PATH" export PYENV_ROOT="$HOME/.pyenv" export PATH="$PYENV_ROOT/bin:$PATH" eval "$(pyenv init --path)" @@ -78,6 +82,8 @@ install the necessary tools. Before running this ensure that you have installed the prerequisites for your platform according to the [`pyenv` wiki page](https://github.com/pyenv/pyenv/wiki/common-build-problems). +`Gnu-getopt` is generally included in the core utilities of most +Linux distributions. On WSL you should treat your platform as whatever Linux distribution you've chosen to install. From ba86ead6c4f757f03610c6065df46e5ba4ad4dbd Mon Sep 17 00:00:00 2001 
From: Michael Saki Date: Wed, 7 Feb 2024 09:43:30 -0600 Subject: [PATCH 148/383] Fix grammar and capitalization errors Co-authored-by: Shane Frasier --- CONTRIBUTING.md | 2 +- setup-env | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index dbbe417..d96a0e3 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -82,7 +82,7 @@ install the necessary tools. Before running this ensure that you have installed the prerequisites for your platform according to the [`pyenv` wiki page](https://github.com/pyenv/pyenv/wiki/common-build-problems). -`Gnu-getopt` is generally included in the core utilities of most +`gnu-getopt` is generally included in the core utilities of most Linux distributions. On WSL you should treat your platform as whatever Linux distribution diff --git a/setup-env b/setup-env index f4cdf75..1054a64 100755 --- a/setup-env +++ b/setup-env @@ -9,10 +9,10 @@ USAGE=$( Configure a development environment for this repository. It does the following: - - Allows user to specify Python version. - - Allows user to choose name for their virtual environment. + - Allows the user to specify the Python version to use for the virtual environment. + - Allows the user to specify a name for the virtual environment. - Verifies pyenv and pyenv-virtualenv are installed. - - Creates a Python virtual environment. + - Creates the Python virtual environment. - Configures the activation of the virtual enviroment for the repo directory. - Installs the requirements needed for development. - Installs git pre-commit hooks. @@ -29,7 +29,7 @@ Options: -i | --install-hooks Install hook environments for all environments in the pre-commit config file. -l | --list-versions List available Python versions and select interactively. - -n | --name Choose the name of the virtual environment. + -n | --name Specify the name of the virtual environment. -v | --version Specify the Python version for the virtual environment. END_OF_LINE 
@@ -195,7 +195,7 @@ if [ $FORCE -ne 0 ]; then elif [[ -f .python-version ]]; then cat << 'END_OF_LINE' An existing .python-version file was found. Either remove this file yourself - or re-run with -f (force) option to have it deleted along with the associated + or re-run with the --force option to have it deleted along with the associated virtual environment. rm .python-version @@ -216,7 +216,7 @@ fi if ! pyenv virtualenv ${PYTHON_VERSION:=} "${env_name}"; then cat << END_OF_LINE An existing virtual environment named $env_name was found. Either delete this - environment yourself or re-run with -f (force) option to have it deleted. + environment yourself or re-run with the --force option to have it deleted. pyenv virtualenv-delete ${env_name} From ba0fc19811d2b9bcb2cc043660f6dcd9d6d9c64b Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 7 Feb 2024 09:48:01 -0600 Subject: [PATCH 149/383] Combine PATH exports to single line Co-authored-by: Shane Frasier --- CONTRIBUTING.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d96a0e3..1e6cc74 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -67,9 +67,8 @@ installation is as simple as `brew install gnu-getopt pyenv pyenv-virtualenv` an adding this to your profile: ```bash -export PATH="/usr/local/opt/gnu-getopt/bin:$PATH" export PYENV_ROOT="$HOME/.pyenv" -export PATH="$PYENV_ROOT/bin:$PATH" +export PATH="$PYENV_ROOT/bin:/usr/local/opt/gnu-getopt/bin:$PATH" eval "$(pyenv init --path)" eval "$(pyenv init -)" eval "$(pyenv virtualenv-init -)" From 1240bdd98fe3523dada222782a55df8c2b258e5c Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 7 Feb 2024 09:48:39 -0600 Subject: [PATCH 150/383] Improve usage instructions Co-authored-by: Shane Frasier --- setup-env | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/setup-env b/setup-env index 1054a64..a0230ed 100755 --- a/setup-env +++ b/setup-env 
@@ -19,8 +19,7 @@ It does the following: - Configures git upstream remote "lineage" repositories. Usage: - setup-env (-n | --name) [virt_env_name] - setup-env (-v | --version) [python_version] + setup-env (-n | --name) [virt_env_name] (-v | --version) [python_version] setup-env (-h | --help) Options: From 297b5bd850f716372eb385c25ef29936b4bd6d7c Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 7 Feb 2024 11:03:35 -0600 Subject: [PATCH 151/383] Add $(brew --prefix) to PATH for getopt Co-authored-by: dav3r --- CONTRIBUTING.md | 2 +- setup-env | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1e6cc74..899f4ff 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -68,7 +68,7 @@ adding this to your profile: ```bash export PYENV_ROOT="$HOME/.pyenv" -export PATH="$PYENV_ROOT/bin:/usr/local/opt/gnu-getopt/bin:$PATH" +export PATH="$PYENV_ROOT/bin:$(brew --prefix)/opt/gnu-getopt/bin:$PATH" eval "$(pyenv init --path)" eval "$(pyenv init -)" eval "$(pyenv virtualenv-init -)" diff --git a/setup-env b/setup-env index a0230ed..3ddc9c9 100755 --- a/setup-env +++ b/setup-env @@ -63,7 +63,7 @@ if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then is as simple as `brew install gnu-getopt` and adding this to your profile: - export PATH="/usr/local/opt/gnu-getopt/bin:$PATH" + export PATH="$(brew --prefix)/opt/gnu-getopt/bin:$PATH" END_OF_LINE exit 1 From 7af70f514fba159ed6e7c8ae85af7a0e14a667a1 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 7 Feb 2024 11:04:27 -0600 Subject: [PATCH 152/383] Fix confusing wording Co-authored-by: dav3r --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 3ddc9c9..1e2fd79 100755 --- a/setup-env +++ b/setup-env 
@@ -42,7 +42,7 @@ python_versions() { # Flag to force deletion and creation of virtual environment FORCE=0 -# Initialize the all other flags +# Initialize the other flags INSTALL_HOOKS=0 LIST_VERSIONS=0 PYTHON_VERSION="" From e5a2d14964a65c0f5b74e53e5f7e606778b5f003 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 7 Feb 2024 11:06:50 -0600 Subject: [PATCH 153/383] Replace virt_env_name w/ virtual_env_name for clarity Co-authored-by: dav3r --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 1e2fd79..ac20852 100755 --- a/setup-env +++ b/setup-env @@ -19,7 +19,7 @@ It does the following: - Configures git upstream remote "lineage" repositories. Usage: - setup-env (-n | --name) [virt_env_name] (-v | --version) [python_version] + setup-env (-n | --name) [virtual_env_name] (-v | --version) [python_version] setup-env (-h | --help) Options: From 82c70e089bfd43c84273a83228da38030d340c14 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Tue, 13 Feb 2024 14:31:35 -0600 Subject: [PATCH 154/383] Differentiate between GNU getopt and gnu-getopt brew formula This commit will clearly differentiate between GNU getopt the tool and gnu-getopt the Homebrew formula. Also updating the URL so that getopt points at the source repository and pyenv and pyenv-virtualenv point at their respective repositories. Updated the ending punctuation. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- CONTRIBUTING.md | 13 +++++++------ setup-env | 2 +- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 899f4ff..afb1ae8 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -49,9 +49,10 @@ project. The `setup-env` tool in this repository is our recommended method for automating the entire environment configuration process. The dependencies required to run this tool are -[`gnu-getopt`](https://manned.org/getopt.1), `pyenv`, and -`pyenv-virtualenv`. If these tools are already configured on -your system, you can simply run the following command. +[GNU `getopt`](https://github.com/util-linux/util-linux/blob/master/misc-utils/getopt.1.adoc), +[`pyenv`](https://github.com/pyenv/pyenv), and [`pyenv-virtualenv`](https://github.com/pyenv/pyenv-virtualenv). +If these tools are already configured on your system, you can simply run the +following command: ```console ./setup-env @@ -60,7 +61,7 @@ your system, you can simply run the following command. Otherwise, follow the steps below to manually configure your environment. -#### Installing and using `gnu-getopt`, `pyenv`, and `pyenv-virtualenv` #### +#### Installing and using GNU `getopt`, `pyenv`, and `pyenv-virtualenv` #### On the Mac, we recommend installing [brew](https://brew.sh/). Then installation is as simple as `brew install gnu-getopt pyenv pyenv-virtualenv` and @@ -81,8 +82,8 @@ install the necessary tools. Before running this ensure that you have installed the prerequisites for your platform according to the [`pyenv` wiki page](https://github.com/pyenv/pyenv/wiki/common-build-problems). -`gnu-getopt` is generally included in the core utilities of most -Linux distributions. +GNU `getopt` is included in most Linux distributions as part of the +[`util-linux`](https://github.com/util-linux/util-linux) package. On WSL you should treat your platform as whatever Linux distribution you've chosen to install. diff --git a/setup-env b/setup-env index ac20852..0e9598b 100755 --- a/setup-env +++ b/setup-env 
@@ -58,7 +58,7 @@ SHORTOPTS="fhiln:v:" if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then cat << 'END_OF_LINE' - Gnu-getopt is not detected and is a dependency to run this script. + GNU getopt is not detected and is a dependency to run this script. On the Mac, we recommend installing brew, https://brew.sh/. Then installation is as simple as `brew install gnu-getopt` and adding this to your profile: From 493a4a3e5dfe4c705998395797c75eda756c6dc4 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Tue, 13 Feb 2024 14:58:43 -0600 Subject: [PATCH 155/383] Add parenthesis over brew link Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 0e9598b..f0d4b36 100755 --- a/setup-env +++ b/setup-env @@ -59,7 +59,7 @@ if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then cat << 'END_OF_LINE' GNU getopt is not detected and is a dependency to run this script. - On the Mac, we recommend installing brew, https://brew.sh/. Then installation + On the Mac, we recommend installing brew (https://brew.sh/). Then installation is as simple as `brew install gnu-getopt` and adding this to your profile: From 3bc9aeb12fb7a270fa6bc54fcc4deceb897906bc Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 14 Feb 2024 07:37:24 -0600 Subject: [PATCH 156/383] Refactor flag names for clarity and accuracy This commit will remove the previous flags -v or --version for -p or --python-version. Also it will replace -n or --name for -v or --venv-name. The usage menu has been updated to reflect these changes as well. --- setup-env | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/setup-env b/setup-env index f0d4b36..b7b08e6 100755 --- a/setup-env +++ b/setup-env 
@@ -19,7 +19,7 @@ It does the following: - Configures git upstream remote "lineage" repositories. Usage: - setup-env (-n | --name) [virtual_env_name] (-v | --version) [python_version] + setup-env [--venv-name virtual_env_name] [--python-version python_version] setup-env (-h | --help) Options: @@ -28,8 +28,8 @@ Options: -i | --install-hooks Install hook environments for all environments in the pre-commit config file. -l | --list-versions List available Python versions and select interactively. - -n | --name Specify the name of the virtual environment. - -v | --version Specify the Python version for the virtual environment. + -v | --venv-name Specify the name of the virtual environment. + -p | --python-version Specify the Python version for the virtual environment. END_OF_LINE ) @@ -49,10 +49,10 @@ PYTHON_VERSION="" VENV_NAME="" # Define long options -LONGOPTS="force,help,install-hooks,list-versions,name:,version:" +LONGOPTS="force,help,install-hooks,list-versions,python-version:,venv-name:" # Define short options for getopt -SHORTOPTS="fhiln:v:" +SHORTOPTS="fhilp:v:" # Check if GNU getopt is available if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then @@ -94,11 +94,7 @@ while true; do LIST_VERSIONS=1 shift ;; - -n | --name) - VENV_NAME="$2" - shift 2 - ;; - -v | --version) + -p | --python-version) PYTHON_VERSION="$2" shift 2 # Check the Python versions being passed in. @@ -113,6 +109,10 @@ while true; do fi fi ;; + -v | --venv-name) + VENV_NAME="$2" + shift 2 + ;; --) shift break From 0be1f6376dc914be4eff9ce5fde7649d085a2582 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 14 Feb 2024 08:08:07 -0600 Subject: [PATCH 157/383] Elaborate on message when checking for GNU getopt --- setup-env | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/setup-env b/setup-env index b7b08e6..6649b4d 100755 --- a/setup-env +++ b/setup-env 
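Review bot: Repurposing `-v` from `--version` to `--venv-name` in the `SHORTOPTS` and `case` changes is a silent behavior change for any existing invocation such as `setup-env -v 3.10`, which previously selected a Python version and now creates a virtual environment named `3.10` without any error. Because getopt accepts the letter either way, nothing in the new code can detect the old meaning; consider retiring the short letter for the new option or at least noting the change in the usage text, for example `-v | --venv-name  Specify the name of the virtual environment (formerly -n).` The option loop these arms belong to starts before the hunk.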
@@ -58,7 +58,13 @@ SHORTOPTS="fhilp:v:" if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then cat << 'END_OF_LINE' - GNU getopt is not detected and is a dependency to run this script. + Please note, this script requires GNU getopt due to its enhanced + functionality and compatibility with certain script features that + are not supported by the POSIX getopt found in some systems, particularly + those with a non-GNU version of getopt. This distinction is crucial + as a system might have a non-GNU version of getopt installed by default, + which could lead to unexpected behavior or script failure. + On the Mac, we recommend installing brew (https://brew.sh/). Then installation is as simple as `brew install gnu-getopt` and adding this to your profile: From c8f0b1b996958a5fa965343fa7e6295b7160cbf4 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 14 Feb 2024 08:10:21 -0600 Subject: [PATCH 158/383] Remove unnecessary nounset flipping logic --- setup-env | 2 -- 1 file changed, 2 deletions(-) diff --git a/setup-env b/setup-env index 6649b4d..05b010b 100755 --- a/setup-env +++ b/setup-env @@ -166,7 +166,6 @@ END_OF_LINE exit 1 fi -set +o nounset # Determine the virtual environment name if [ -n "$VENV_NAME" ]; then # Use the user-provided environment name @@ -175,7 +174,6 @@ else # Set the environment name to the last part of the working directory. env_name=${PWD##*/} fi -set -o nounset # List Python versions and select one interactively if [ $LIST_VERSIONS -ne 0 ]; then From 495862aeaf3430b0a69f92cf54b6415818139db2 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 14 Feb 2024 08:20:56 -0600 Subject: [PATCH 159/383] Separate pyenv PATH from GNU getopt PATH --- CONTRIBUTING.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index afb1ae8..3a5e087 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -69,7 +69,8 @@ adding this to your profile: ```bash export PYENV_ROOT="$HOME/.pyenv" -export PATH="$PYENV_ROOT/bin:$(brew --prefix)/opt/gnu-getopt/bin:$PATH" +export PATH="$PYENV_ROOT/bin:$PATH" +export PATH="$(brew --prefix)/opt/gnu-getopt/bin:$PATH" eval "$(pyenv init --path)" eval "$(pyenv init -)" eval "$(pyenv virtualenv-init -)" From 33582a11f73d4e5c3dc588a040e59941c381d09a Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 14 Feb 2024 12:59:30 -0600 Subject: [PATCH 160/383] Add checks for semantic python versions --- setup-env | 39 +++++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/setup-env b/setup-env index 05b010b..44368b3 100755 --- a/setup-env +++ b/setup-env @@ -39,6 +39,14 @@ python_versions() { pyenv versions --bare --skip-aliases --skip-envs } +check_semantic_version() { + local version=$1 + local regex="^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\$" + + # Use Perl for regex matching and output true or false + echo "$version" | perl -ne "exit(!/$regex/)" +} + # Flag to force deletion and creation of virtual environment FORCE=0 
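Review bot: `check_semantic_version` enforces strict SemVer, but the values this script later compares against come from `pyenv versions --bare`, and pyenv's own version names do not all follow that grammar (pre-release names such as `3.13.0rc1`, or `-dev` builds, have no `-` before the pre-release part), so a version that is actually installed can be rejected before the installed check ever runs; the same regex is carried into the rewrite in PATCH 161. The function also introduces a hard dependency on `perl`, which the script never checks for, unlike `getopt` and `pyenv`. A native `[[ $version =~ $regex ]]` test, with `[0-9]` in place of `\d` and plain groups instead of `(?:...)`, would remove both the extra dependency and the need to splice a regex into a generated Perl program. Passing `$version` to Perl on stdin rather than inside the `-ne` program text is the right choice and should be preserved if Perl stays.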
@@ -103,16 +111,18 @@ while true; do -p | --python-version) PYTHON_VERSION="$2" shift 2 - # Check the Python versions being passed in. - if [ -n "${PYTHON_VERSION+x}" ]; then - if python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then - echo Using Python version "$PYTHON_VERSION" - else - echo Error: Python version "$PYTHON_VERSION" is not installed. - echo Installed Python versions are: - python_versions - exit 1 - fi + # Validate the semantic version format + if ! check_semantic_version "$PYTHON_VERSION"; then + echo "Error: The specified Python version $PYTHON_VERSION does not follow the semantic versioning standard." + echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" + exit 1 + elif ! python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then + echo "Error: Python version $PYTHON_VERSION is not installed." + echo "Installed Python versions are:" + python_versions + exit 1 + else + echo "Using Python version $PYTHON_VERSION" fi ;; -v | --venv-name) @@ -181,14 +191,7 @@ if [ $LIST_VERSIONS -ne 0 ]; then python_versions read -r -p "Enter the desired Python version: " PYTHON_VERSION # Check the Python versions being passed in. - if [ -n "${PYTHON_VERSION+x}" ]; then - if python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then - echo Using Python version "$PYTHON_VERSION" - else - echo Error: Python version "$PYTHON_VERSION" is not installed. - exit 1 - fi - fi + check_semantic_version "$PYTHON_VERSION" fi # Remove any lingering local configuration. From 94381940a9d28f87da2b85c5e1647a5a80d4a18d Mon Sep 17 00:00:00 2001 
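Review bot: In the `--list-versions` branch the replacement line `check_semantic_version "$PYTHON_VERSION"` discards the function's exit status and drops the installed-version check the removed block performed, so an interactively entered value that is malformed or not installed presumably falls through to the environment creation later in the script. The function itself only propagates Perl's exit status and prints nothing, so the user gets no diagnostic either; call it as `if ! check_semantic_version "$PYTHON_VERSION"; then … exit 1; fi` and keep the `python_versions | grep` test, or move both checks into the function so the two call sites cannot diverge. In the `-p` arm, `grep -E "^${PYTHON_VERSION}$"` treats the user-supplied version as an extended regular expression; `python_versions | grep -Fxq -- "$PYTHON_VERSION"` matches the literal string against a whole line, which also makes the `+` build-metadata form given as an example in the error message matchable.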
From: Michael Saki Date: Wed, 14 Feb 2024 14:29:13 -0600 Subject: [PATCH 161/383] Refactor code for the semantic check This commit will make a few changes. The original version of the semantic checking function was a bit more difficult to read. It is now somewhat easier to follow how the regex is structured. Also the function has been renamed to check_python_version since it has 2 functions, making sure that the version is semantically correct and the second is to make sure that it is installed on the user's machine. This makes it easier to follow the logic for the flags, -p or --python-version and -l or --list-versions --- setup-env | 54 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 18 deletions(-) diff --git a/setup-env b/setup-env index 44368b3..11ec170 100755 --- a/setup-env +++ b/setup-env 
@@ -39,12 +39,41 @@ python_versions() { pyenv versions --bare --skip-aliases --skip-envs } -check_semantic_version() { +check_python_version() { local version=$1 - local regex="^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\$" - # Use Perl for regex matching and output true or false - echo "$version" | perl -ne "exit(!/$regex/)" + # Break down the regex into readable parts major.minor.patch + local major="0|[1-9]\\d*" + local minor="0|[1-9]\\d*" + local patch="0|[1-9]\\d*" + + # Splitting the prerelease part for readability + # Start of prerelease + local prerelease="(?:-" + # Numeric or alphanumeric identifiers + local prerelease+="(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)" + # Additional dot-separated identifiers + local prerelease+="(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*" + # End of prerelease, making it optional + local prerelease+=")?" + # Optional build metadata + local build="(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?" + + # Final regex composed of parts + local regex="^($major)\\.($minor)\\.($patch)$prerelease$build\$" + + if ! echo "$version" | perl -ne "exit(!/$regex/)"; then + echo "Error: The specified Python version $version does not follow the semantic versioning standard." + echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" + exit 1 + elif ! python_versions | grep -E "^${version}$" > /dev/null; then + echo "Error: Python version $version is not installed." + echo "Installed Python versions are:" + python_versions + exit 1 + else + echo "Using Python version $version" + fi } # Flag to force deletion and creation of virtual environment 
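Review bot: `grep -E "^${version}$"` interprets the version as an extended regex, so `.` matches any character and the `+` in the `3.8.1+20130313144700` example from the error message just above becomes a quantifier, meaning that exact form can never match a `pyenv versions` line; `elif ! python_versions | grep -Fxq -- "$version"; then` compares the literal string against whole lines. The repeated `local prerelease+=` declarations are unusual style, since re-declaring with `local` on every append obscures that a single variable is being built up; declare `local prerelease` once and append with plain `prerelease+=`. The diagnostics are written with `echo` to stdout, but as errors that precede `exit 1` they belong on stderr (`>&2`) so callers capturing the script's output are not confused.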
@@ -111,19 +140,8 @@ while true; do -p | --python-version) PYTHON_VERSION="$2" shift 2 - # Validate the semantic version format - if ! check_semantic_version "$PYTHON_VERSION"; then - echo "Error: The specified Python version $PYTHON_VERSION does not follow the semantic versioning standard." - echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" - exit 1 - elif ! python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then - echo "Error: Python version $PYTHON_VERSION is not installed." - echo "Installed Python versions are:" - python_versions - exit 1 - else - echo "Using Python version $PYTHON_VERSION" - fi + # Check the Python version being passed in. + check_python_version "$PYTHON_VERSION" ;; -v | --venv-name) VENV_NAME="$2" @@ -191,7 +209,7 @@ if [ $LIST_VERSIONS -ne 0 ]; then python_versions read -r -p "Enter the desired Python version: " PYTHON_VERSION # Check the Python versions being passed in. - check_semantic_version "$PYTHON_VERSION" + check_python_version "$PYTHON_VERSION" fi # Remove any lingering local configuration. From 4752b37ec887a65e967f01a1f9b7633e02a02af8 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 21 Feb 2024 10:57:38 -0600 Subject: [PATCH 162/383] Improve verbiage in comments Co-authored-by: Shane Frasier --- CONTRIBUTING.md | 4 ++-- setup-env | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 3a5e087..9ff54e4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -46,8 +46,8 @@ There are a few ways to do this, but we prefer to use create and manage a Python virtual environment specific to this project. -The `setup-env` tool in this repository is our recommended method -for automating the entire environment configuration process. The +We recommend using the `setup-env` tool located in this repository, +as it automates the entire environment configuration process. The dependencies required to run this tool are [GNU `getopt`](https://github.com/util-linux/util-linux/blob/master/misc-utils/getopt.1.adoc), [`pyenv`](https://github.com/pyenv/pyenv), and [`pyenv-virtualenv`](https://github.com/pyenv/pyenv-virtualenv). diff --git a/setup-env b/setup-env index 05b010b..6d9fec0 100755 --- a/setup-env +++ b/setup-env @@ -27,7 +27,7 @@ Options: -h | --help Show this message. -i | --install-hooks Install hook environments for all environments in the pre-commit config file. - -l | --list-versions List available Python versions and select interactively. + -l | --list-versions List available Python versions and select one interactively. -v | --venv-name Specify the name of the virtual environment. -p | --python-version Specify the Python version for the virtual environment. @@ -63,7 +63,7 @@ if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then are not supported by the POSIX getopt found in some systems, particularly those with a non-GNU version of getopt. This distinction is crucial as a system might have a non-GNU version of getopt installed by default, - which could lead to unexpected behavior or script failure. + which could lead to unexpected behavior. On the Mac, we recommend installing brew (https://brew.sh/). Then installation is as simple as `brew install gnu-getopt` and adding this to your From 2e389979b0b0b34a6f32443d88f8ed0ba8c647cd Mon Sep 17 00:00:00 2001 
From: Michael Saki Date: Wed, 21 Feb 2024 11:22:53 -0600 Subject: [PATCH 163/383] Clarify between pyenv and GNU getopt setup Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- CONTRIBUTING.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9ff54e4..a844f86 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -68,9 +68,12 @@ installation is as simple as `brew install gnu-getopt pyenv pyenv-virtualenv` an adding this to your profile: ```bash +# Enable GNU getopt since it is keg-only +export PATH="$(brew --prefix)/opt/gnu-getopt/bin:$PATH" + +# Setup pyenv export PYENV_ROOT="$HOME/.pyenv" export PATH="$PYENV_ROOT/bin:$PATH" -export PATH="$(brew --prefix)/opt/gnu-getopt/bin:$PATH" eval "$(pyenv init --path)" eval "$(pyenv init -)" eval "$(pyenv virtualenv-init -)" From f8824c8aa157cbee0ec95367b1754eeac67934c9 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 21 Feb 2024 12:14:23 -0600 Subject: [PATCH 164/383] Improve comment on conditional check for regex --- setup-env | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 6d9fec0..6d16958 100755 --- a/setup-env +++ b/setup-env @@ -54,7 +54,9 @@ LONGOPTS="force,help,install-hooks,list-versions,python-version:,venv-name:" # Define short options for getopt SHORTOPTS="fhilp:v:" -# Check if GNU getopt is available +# Check for GNU getopt by matching a specific pattern ("getopt from util-linux") +# in its version output. This approach presumes the output format remains stable. +# Be aware that format changes could invalidate this check. if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then cat << 'END_OF_LINE' From 88724e70167a5864495eccff5532f4c59fbefc1c Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 21 Feb 2024 12:25:49 -0600 Subject: [PATCH 165/383] Add comment explaining that GNU getopt is keg-only --- setup-env | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/setup-env b/setup-env index 6d16958..84a8305 100755 --- a/setup-env +++ b/setup-env @@ -73,6 +73,8 @@ if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then export PATH="$(brew --prefix)/opt/gnu-getopt/bin:$PATH" + This will enable GNU getopt since it is keg-only. + END_OF_LINE exit 1 fi From c1870be7a16f5e88f6e6540c290f674da4861e07 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 21 Feb 2024 16:28:54 -0600 Subject: [PATCH 166/383] Improve comments to better describe `keg-only` terminology Co-authored-by: Shane Frasier --- CONTRIBUTING.md | 3 ++- setup-env | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index a844f86..7bb8881 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -68,7 +68,8 @@ installation is as simple as `brew install gnu-getopt pyenv pyenv-virtualenv` an adding this to your profile: ```bash -# Enable GNU getopt since it is keg-only +# GNU getopt must be explicitly added to the path since it is +# keg-only export PATH="$(brew --prefix)/opt/gnu-getopt/bin:$PATH" # Setup pyenv diff --git a/setup-env b/setup-env index 84a8305..3fa8c47 100755 --- a/setup-env +++ b/setup-env @@ -73,7 +73,8 @@ if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then export PATH="$(brew --prefix)/opt/gnu-getopt/bin:$PATH" - This will enable GNU getopt since it is keg-only. + GNU getopt must be explicitly added to the PATH since it + is keg-only. END_OF_LINE exit 1 From a3f69cd24e58077ee6f084bce900ed176c88cff7 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 26 Feb 2024 08:04:19 -0600 Subject: [PATCH 167/383] Change "'setup-env' tool" to "'setup-env' script" Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 7bb8881..fca0cf7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -46,7 +46,7 @@ There are a few ways to do this, but we prefer to use create and manage a Python virtual environment specific to this project. -We recommend using the `setup-env` tool located in this repository, +We recommend using the `setup-env` script located in this repository, as it automates the entire environment configuration process. The dependencies required to run this tool are [GNU `getopt`](https://github.com/util-linux/util-linux/blob/master/misc-utils/getopt.1.adoc), From 8ff51796ec530e68d35362fab761608e676dcd3a Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 26 Feb 2024 08:07:16 -0600 Subject: [PATCH 168/383] Remove build-in error exit for generic error exit Exit code 2 usually relates to build-ins which does not fit what is failing here. Not sure what alternative would be best so we can just use the generic failure code Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 3fa8c47..f7ce620 100755 --- a/setup-env +++ b/setup-env @@ -83,7 +83,7 @@ fi # Use GNU getopt to parse options if ! PARSED=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS --name "$0" -- "$@"); then echo "Error parsing options" - exit 2 + exit 1 fi eval set -- "$PARSED" From 1c21e2b9839980c75410584c69d0ac0a0651f097 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 26 Feb 2024 08:08:39 -0600 Subject: [PATCH 169/383] Change verbiage from 'tool' to 'script' for clarity Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index fca0cf7..cdab589 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
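Review bot: `echo "Error parsing options"` still goes to stdout, while GNU getopt has already written its own diagnostic to stderr immediately before it; redirect with `echo "Error parsing options" >&2` so the two messages land in the same stream. If the project intends to adopt sysexits codes, this branch is the textbook command-line-usage failure (`EX_USAGE`, 64) rather than the generic 1 chosen here.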
@@ -48,7 +48,7 @@ project. We recommend using the `setup-env` script located in this repository, as it automates the entire environment configuration process. The -dependencies required to run this tool are +dependencies required to run this script are [GNU `getopt`](https://github.com/util-linux/util-linux/blob/master/misc-utils/getopt.1.adoc), [`pyenv`](https://github.com/pyenv/pyenv), and [`pyenv-virtualenv`](https://github.com/pyenv/pyenv-virtualenv). If these tools are already configured on your system, you can simply run the From 3acc8d6a17360221d6c59c306db1a14a98b48b8b Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 26 Feb 2024 10:04:42 -0600 Subject: [PATCH 170/383] Check for pyenv earlier in the script Since the new function, python_versions expects pyenv to be installed it makes sense to have it checked earlier in the script. --- setup-env | 72 +++++++++++++++++++++++++++---------------------------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/setup-env b/setup-env index f7ce620..3898ca8 100755 --- a/setup-env +++ b/setup-env 
@@ -80,6 +80,42 @@ END_OF_LINE exit 1 fi +# Check to see if pyenv is installed +if [ -z "$(command -v pyenv)" ] || { [ -z "$(command -v pyenv-virtualenv)" ] && [ ! -f "$(pyenv root)/plugins/pyenv-virtualenv/bin/pyenv-virtualenv" ]; }; then + echo "pyenv and pyenv-virtualenv are required." + if [[ "$OSTYPE" == "darwin"* ]]; then + cat << 'END_OF_LINE' + + On the Mac, we recommend installing brew, https://brew.sh/. Then installation + is as simple as `brew install pyenv pyenv-virtualenv` and adding this to your + profile: + + eval "$(pyenv init -)" + eval "$(pyenv virtualenv-init -)" + +END_OF_LINE + + fi + cat << 'END_OF_LINE' + For Linux, Windows Subsystem for Linux (WSL), or on the Mac (if you don't want + to use "brew") you can use https://github.com/pyenv/pyenv-installer to install + the necessary tools. Before running this ensure that you have installed the + prerequisites for your platform according to the pyenv wiki page, + https://github.com/pyenv/pyenv/wiki/common-build-problems. + + On WSL you should treat your platform as whatever Linux distribution you've + chosen to install. + + Once you have installed "pyenv" you will need to add the following lines to + your ".bashrc": + + export PATH="$PATH:$HOME/.pyenv/bin" + eval "$(pyenv init -)" + eval "$(pyenv virtualenv-init -)" +END_OF_LINE + exit 1 +fi + # Use GNU getopt to parse options if ! PARSED=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS --name "$0" -- "$@"); then echo "Error parsing options" 
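Review bot: Moving the pyenv/pyenv-virtualenv check ahead of the `getopt` parse means the script now refuses to do anything, presumably including `setup-env --help` whose arm lives in the option loop below, unless both tools are installed. Checking before `python_versions` can be called is reasonable, but help and usage errors should not depend on pyenv; consider running the check just after `eval set -- "$PARSED"` once `-h`/`--help` has been answered, or performing it inside `python_versions` before the first `pyenv` call. The line `echo "pyenv and pyenv-virtualenv are required."` is an error that precedes `exit 1` and should go to stderr (`>&2`).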
@@ -135,42 +171,6 @@ while true; do esac done -# Check to see if pyenv is installed -if [ -z "$(command -v pyenv)" ] || { [ -z "$(command -v pyenv-virtualenv)" ] && [ ! -f "$(pyenv root)/plugins/pyenv-virtualenv/bin/pyenv-virtualenv" ]; }; then - echo "pyenv and pyenv-virtualenv are required." - if [[ "$OSTYPE" == "darwin"* ]]; then - cat << 'END_OF_LINE' - - On the Mac, we recommend installing brew, https://brew.sh/. Then installation - is as simple as `brew install pyenv pyenv-virtualenv` and adding this to your - profile: - - eval "$(pyenv init -)" - eval "$(pyenv virtualenv-init -)" - -END_OF_LINE - - fi - cat << 'END_OF_LINE' - For Linux, Windows Subsystem for Linux (WSL), or on the Mac (if you don't want - to use "brew") you can use https://github.com/pyenv/pyenv-installer to install - the necessary tools. Before running this ensure that you have installed the - prerequisites for your platform according to the pyenv wiki page, - https://github.com/pyenv/pyenv/wiki/common-build-problems. - - On WSL you should treat your platform as whatever Linux distribution you've - chosen to install. - - Once you have installed "pyenv" you will need to add the following lines to - your ".bashrc": - - export PATH="$PATH:$HOME/.pyenv/bin" - eval "$(pyenv init -)" - eval "$(pyenv virtualenv-init -)" -END_OF_LINE - exit 1 -fi - # Determine the virtual environment name if [ -n "$VENV_NAME" ]; then # Use the user-provided environment name From b377ce71fa3dd5f56697d415c5230f3fe18e8090 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 26 Feb 2024 11:02:39 -0600 Subject: [PATCH 171/383] Explain -r and -p in Python version prompt --- setup-env | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 3898ca8..5c2b580 100755 --- a/setup-env +++ b/setup-env 
@@ -180,10 +180,12 @@ else env_name=${PWD##*/} fi -# List Python versions and select one interactively +# List Python versions and select one interactively. if [ $LIST_VERSIONS -ne 0 ]; then echo Available Python versions: python_versions + # Read the user's desired Python version. + # -r: treat backslashes as literal, -p: display prompt before input. read -r -p "Enter the desired Python version: " PYTHON_VERSION # Check the Python versions being passed in. if [ -n "${PYTHON_VERSION+x}" ]; then From 74838a256e134e00208a23bb6dded7012cfb8534 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 26 Feb 2024 11:58:44 -0600 Subject: [PATCH 172/383] Refine exit code to 64 with gnu-getopt note - Set exit code to 64 per sysexits.h for clarity. - Added comment on gnu-getopt handling. Aligns with Unix standards and enhances readability. --- setup-env | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 5c2b580..549c079 100755 --- a/setup-env +++ b/setup-env @@ -165,8 +165,9 @@ while true; do break ;; *) + # Unreachable due to gnu-getopt handling all options echo "Programming error" - exit 3 + exit 64 ;; esac done From 487126e34bd85e231b7021b70d225154694ad24d Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 28 Feb 2024 06:32:35 -0600 Subject: [PATCH 173/383] Rename gnu-getopt tool to GNU getopt formula Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 549c079..d2db6e2 100755 --- a/setup-env +++ b/setup-env @@ -165,7 +165,7 @@ while true; do break ;; *) - # Unreachable due to gnu-getopt handling all options + # Unreachable due to GNU getopt handling all options echo "Programming error" exit 64 ;; From 6c82a8d1bb86a90f0e903dd2d90efdb6198fba33 Mon Sep 17 00:00:00 2001 
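Review bot: `exit 64` is `EX_USAGE` in sysexits.h, the code for a bad command line, but the arm it sits in is the `*)` default that the new comment itself declares unreachable, i.e. an internal error; the matching sysexits code is `EX_SOFTWARE` (70). If the intent is to follow sysexits as the commit message says, `exit 70` fits here and 64 belongs at the `getopt` failure earlier in the script. `echo "Programming error"` should also be sent to stderr (`>&2`). The `while`/`case` loop these lines close starts before the hunk.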
From: Michael Saki Date: Wed, 28 Feb 2024 07:49:16 -0600 Subject: [PATCH 174/383] Fix whitespace for usage menu Co-authored-by: Shane Frasier --- setup-env | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup-env b/setup-env index d2db6e2..c93eb25 100755 --- a/setup-env +++ b/setup-env @@ -28,8 +28,8 @@ Options: -i | --install-hooks Install hook environments for all environments in the pre-commit config file. -l | --list-versions List available Python versions and select one interactively. - -v | --venv-name Specify the name of the virtual environment. - -p | --python-version Specify the Python version for the virtual environment. + -v | --venv-name Specify the name of the virtual environment. + -p | --python-version Specify the Python version for the virtual environment. END_OF_LINE ) From 324f6d426a149cb2c7bfc30ffcf7c1810b8ae1fa Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 28 Feb 2024 11:26:24 -0600 Subject: [PATCH 175/383] Add link to brew terminology Co-authored-by: dav3r --- CONTRIBUTING.md | 2 +- setup-env | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index cdab589..bc32a55 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -69,7 +69,7 @@ adding this to your profile: ```bash # GNU getopt must be explicitly added to the path since it is -# keg-only +# keg-only (https://docs.brew.sh/FAQ#what-does-keg-only-mean) export PATH="$(brew --prefix)/opt/gnu-getopt/bin:$PATH" # Setup pyenv diff --git a/setup-env b/setup-env index c93eb25..bb689f3 100755 --- a/setup-env +++ b/setup-env @@ -74,7 +74,7 @@ if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then export PATH="$(brew --prefix)/opt/gnu-getopt/bin:$PATH" GNU getopt must be explicitly added to the PATH since it - is keg-only. + is keg-only (https://docs.brew.sh/FAQ#what-does-keg-only-mean). END_OF_LINE exit 1 From a26d0e36f0c33a7f472b91d66697e4cecb8f9557 Mon Sep 17 00:00:00 2001 
From: Michael Saki Date: Wed, 28 Feb 2024 15:52:20 -0600 Subject: [PATCH 176/383] Rephrase comment to improve clarity Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index bb689f3..3fddb36 100755 --- a/setup-env +++ b/setup-env @@ -16,7 +16,7 @@ It does the following: - Configures the activation of the virtual enviroment for the repo directory. - Installs the requirements needed for development. - Installs git pre-commit hooks. - - Configures git upstream remote "lineage" repositories. + - Configures git remotes for upstream "lineage" repositories. Usage: setup-env [--venv-name virtual_env_name] [--python-version python_version] From 05108705fa4120db51f261ad59347bb01134eafc Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 28 Feb 2024 15:58:43 -0600 Subject: [PATCH 177/383] Improve comment for clarity Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 3fddb36..c8680ea 100755 --- a/setup-env +++ b/setup-env @@ -34,7 +34,7 @@ Options: END_OF_LINE ) -# Display installed python versions +# Display pyenv's installed Python versions python_versions() { pyenv versions --bare --skip-aliases --skip-envs } From 01abde6f580cf549d77c81af9378d4a18812fa8f Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 28 Feb 2024 16:03:47 -0600 Subject: [PATCH 178/383] Improve verbiage in comment --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index c8680ea..534d47f 100755 --- a/setup-env +++ b/setup-env 
@@ -217,7 +217,7 @@ fi # Create a new virtual environment for this project # -# If $PYTHON_VERSION is undefined then the system Python will be used. +# If $PYTHON_VERSION is undefined then the global version of Python will be used. # # We can't quote ${PYTHON_VERSION:=} below since if the variable is # undefined then we want nothing to appear; this is the reason for the From 0989d17f49a089e03e23b72ab638595d538add3f Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 28 Feb 2024 16:09:15 -0600 Subject: [PATCH 179/383] Change comments for macOS and venv_name --- CONTRIBUTING.md | 4 ++-- setup-env | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index bc32a55..617db85 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -63,7 +63,7 @@ environment. #### Installing and using GNU `getopt`, `pyenv`, and `pyenv-virtualenv` #### -On the Mac, we recommend installing [brew](https://brew.sh/). Then +On macOS, we recommend installing [brew](https://brew.sh/). Then installation is as simple as `brew install gnu-getopt pyenv pyenv-virtualenv` and adding this to your profile: @@ -80,7 +80,7 @@ eval "$(pyenv init -)" eval "$(pyenv virtualenv-init -)" ``` -For Linux, Windows Subsystem for Linux (WSL), or on the Mac (if you +For Linux, Windows Subsystem for Linux (WSL), or on macOS (if you don't want to use `brew`) you can use [pyenv/pyenv-installer](https://github.com/pyenv/pyenv-installer) to install the necessary tools. Before running this ensure that you have diff --git a/setup-env b/setup-env index 534d47f..d2cd111 100755 --- a/setup-env +++ b/setup-env @@ -19,7 +19,7 @@ It does the following: - Configures git remotes for upstream "lineage" repositories. Usage: - setup-env [--venv-name virtual_env_name] [--python-version python_version] + setup-env [--venv-name venv_name] [--python-version python_version] setup-env (-h | --help) Options: 
@@ -67,7 +67,7 @@ if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then as a system might have a non-GNU version of getopt installed by default, which could lead to unexpected behavior. - On the Mac, we recommend installing brew (https://brew.sh/). Then installation + On macOS, we recommend installing brew (https://brew.sh/). Then installation is as simple as `brew install gnu-getopt` and adding this to your profile: @@ -86,7 +86,7 @@ if [ -z "$(command -v pyenv)" ] || { [ -z "$(command -v pyenv-virtualenv)" ] && if [[ "$OSTYPE" == "darwin"* ]]; then cat << 'END_OF_LINE' - On the Mac, we recommend installing brew, https://brew.sh/. Then installation + On macOS, we recommend installing brew, https://brew.sh/. Then installation is as simple as `brew install pyenv pyenv-virtualenv` and adding this to your profile: @@ -97,7 +97,7 @@ END_OF_LINE fi cat << 'END_OF_LINE' - For Linux, Windows Subsystem for Linux (WSL), or on the Mac (if you don't want + For Linux, Windows Subsystem for Linux (WSL), or on mac OS (if you don't want to use "brew") you can use https://github.com/pyenv/pyenv-installer to install the necessary tools. Before running this ensure that you have installed the prerequisites for your platform according to the pyenv wiki page, From a9c6ed88c3c993db890a09ece5433b33e5d5d206 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Thu, 29 Feb 2024 09:19:01 -0600 Subject: [PATCH 180/383] Improve comments for clarity Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- CONTRIBUTING.md | 2 +- setup-env | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 617db85..f9fa53a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -80,7 +80,7 @@ eval "$(pyenv init -)" eval "$(pyenv virtualenv-init -)" ``` -For Linux, Windows Subsystem for Linux (WSL), or on macOS (if you +For Linux, Windows Subsystem for Linux (WSL), or macOS (if you don't want to use `brew`) you can use [pyenv/pyenv-installer](https://github.com/pyenv/pyenv-installer) to install the necessary tools. Before running this ensure that you have diff --git a/setup-env b/setup-env index d2cd111..3a22d43 100755 --- a/setup-env +++ b/setup-env @@ -97,7 +97,7 @@ END_OF_LINE fi cat << 'END_OF_LINE' - For Linux, Windows Subsystem for Linux (WSL), or on mac OS (if you don't want + For Linux, Windows Subsystem for Linux (WSL), or macOS (if you don't want to use "brew") you can use https://github.com/pyenv/pyenv-installer to install the necessary tools. Before running this ensure that you have installed the prerequisites for your platform according to the pyenv wiki page, @@ -217,7 +217,7 @@ fi # Create a new virtual environment for this project # -# If $PYTHON_VERSION is undefined then the global version of Python will be used. +# If $PYTHON_VERSION is undefined then the current pyenv Python version will be used. # # We can't quote ${PYTHON_VERSION:=} below since if the variable is # undefined then we want nothing to appear; this is the reason for the From b9c729f6159defe55490d2198390ba2ceab5924f Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 4 Jan 2024 15:03:15 -0500 Subject: [PATCH 181/383] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. The pre-commit/mirrors-prettier was manually held back because the latest tags are for alpha releases of the next major version. --- .pre-commit-config.yaml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 34f0253..e7f5d0a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -5,7 +5,7 @@ default_language_version: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v4.5.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -31,7 +31,7 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.36.0 + rev: v0.39.0 hooks: - id: markdownlint args: @@ -41,7 +41,7 @@ repos: hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.32.0 + rev: v1.35.1 hooks: - id: yamllint args: @@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.26.3 + rev: 0.28.0 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.4.0 + rev: v3.6.2 hooks: - id: validate_manifest @@ -107,44 +107,44 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.5 + rev: 1.7.7 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 23.9.1 + rev: 24.2.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 6.1.0 + rev: 7.0.0 hooks: - id: flake8 additional_dependencies: - flake8-docstrings - repo: https://github.com/PyCQA/isort - rev: 5.12.0 + rev: 5.13.2 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.5.1 + rev: v1.8.0 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.10.1 + rev: v3.15.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v6.19.0 + rev: v24.2.0 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.83.2 + rev: v1.88.0 hooks: - id: terraform_fmt - id: terraform_validate From 4c933958bca75c291bcb3b28fa1ba821d1d1f6f5 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 4 Jan 2024 15:08:30 -0500 Subject: [PATCH 182/383] Manually update the prettier hook The hook is manually updated to the last v3 tag available from the pre-commit/mirrors-prettier repository. We then add the latest release of v3 available from NPM as an additional depdency. --- .pre-commit-config.yaml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e7f5d0a..8e3941d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,9 +37,16 @@ repos: args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.0.3 + # This is the last version of v3 available from the mirror. We should hold + # here until v4, which is currently in alpha, is more stable. + rev: v3.1.0 hooks: - id: prettier + # This is the latest version of v3 available from NPM. The pre-commit + # mirror does not pull tags for old major versions once a new major + # version tag is published. + additional_dependencies: + - prettier@3.2.5 - repo: https://github.com/adrienverge/yamllint rev: v1.35.1 hooks: From 7169dcf65670f1d42b9498b68624a1638de08531 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 11 Nov 2023 16:20:14 -0500 Subject: [PATCH 183/383] Use Python and Go versions provided by cisagov/setup-env-github-action --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4911745..de6937d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
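Review bot: `rev: v3.1.0` (like every other `rev:` in this file) is a mutable git tag, so the hook code can change upstream without any edit here; pre-commit accepts a full commit SHA in `rev`, and `pre-commit autoupdate --freeze` writes frozen SHAs while keeping the tag name as a trailing comment. The same applies to the tag-only bumps in the `@@ -5,7 +5,7 @@` hunk and its siblings earlier in this series, so one decision covers them all. The new comment's "v4, which is currently in alpha" will read as stale the moment v4 ships; consider anchoring it in time, e.g. `# As of 2024-01 the mirror's newest tags are v4 alphas; hold here until v4 is stable.`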
@@ -59,7 +59,7 @@ jobs: - id: setup-python uses: actions/setup-python@v5 with: - python-version: "3.11" + python-version: ${{ steps.setup-env.outputs.python-version }} # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go @@ -68,7 +68,7 @@ jobs: # There is no expectation for actual Go code so we disable caching as # it relies on the existence of a go.sum file. cache: false - go-version: "1.20" + go-version: ${{ steps.setup-env.outputs.go-version }} - id: go-cache name: Lookup Go cache directory run: | From 035cf86cf76f40ed8b4bf67ff1b14c420701e145 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 27 Feb 2024 17:17:39 -0500 Subject: [PATCH 184/383] Switch pre-commit hooks for running shellcheck This hook bundles the binaries for shellcheck with a Python package which removes the need to ensure the tool is installed for the hook to function. It also ties the version of shellcheck used to the hook which will help guarantee consistency. --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1d12a0d..2c5b3c8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -115,10 +115,10 @@ repos: - --case-indent # Redirect operators are followed by a space - --space-redirects - - repo: https://github.com/detailyang/pre-commit-shell - rev: 1.0.5 + - repo: https://github.com/shellcheck-py/shellcheck-py + rev: v0.9.0.6 hooks: - - id: shell-lint + - id: shellcheck # Python hooks - repo: https://github.com/PyCQA/bandit From 935237b9b66357c8b53467877fdd552ad3025f5d Mon Sep 17 00:00:00 2001 
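Review bot: `python-version: ${{ steps.setup-env.outputs.python-version }}` expands to an empty string if the `setup-env` step (not shown in this hunk) did not run, has a different `id`, or did not set that output, and an empty `python-version` makes actions/setup-python fall back to a default interpreter rather than fail, so a misconfiguration silently changes the toolchain. The same applies to `go-version` in the `@@ -68,7 +68,7 @@` hunk, where the surrounding comment says the value also feeds the cache key. A small guard step between `setup-env` and `setup-python` that fails when either output is empty would make the problem visible at the first run. I am going from memory on how setup-go treats an empty `go-version`, so confirm against both actions' current documentation.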
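Review bot: The reason for replacing detailyang/pre-commit-shell with shellcheck-py/shellcheck-py (a pip-installed package that bundles the shellcheck binary, so the tool version follows `rev` instead of whatever is on PATH) lives only in the commit message; a comment above `- repo: https://github.com/shellcheck-py/shellcheck-py` would keep the next person from "simplifying" it back, e.g. `# Bundles a pinned shellcheck binary so the hook does not depend on a system install.` As with the other hooks, `rev: v0.9.0.6` is a tag rather than a commit, so the pin is only as strong as the upstream tag.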
From: Jeremy Frasier Date: Wed, 6 Mar 2024 15:20:58 -0500 Subject: [PATCH 185/383] Add whitespace to placate Black linter/formatter --- src/example/__init__.py | 1 + src/example/_version.py | 1 + tests/conftest.py | 1 + 3 files changed, 3 insertions(+) diff --git a/src/example/__init__.py b/src/example/__init__.py index 98b5e04..556a7d2 100644 --- a/src/example/__init__.py +++ b/src/example/__init__.py @@ -1,4 +1,5 @@ """The example library.""" + # We disable a Flake8 check for "Module imported but unused (F401)" here because # although this import is not directly used, it populates the value # package_name.__version__, which is used to get version information about this diff --git a/src/example/_version.py b/src/example/_version.py index 6baaa6f..e038e39 100644 --- a/src/example/_version.py +++ b/src/example/_version.py @@ -1,2 +1,3 @@ """This file defines the version of this module.""" + __version__ = "0.2.0" diff --git a/tests/conftest.py b/tests/conftest.py index 39e2be2..ba89c85 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -2,6 +2,7 @@ https://docs.pytest.org/en/latest/writing_plugins.html#conftest-py-plugins """ + # Third-Party Libraries import pytest From cea8edc5bcdcec8a06b6b810514b0222fc03f42e Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 14 Feb 2024 12:59:30 -0600 Subject: [PATCH 186/383] Add checks for semantic python versions --- setup-env | 39 +++++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/setup-env b/setup-env index 3a22d43..5e537bc 100755 --- a/setup-env +++ b/setup-env 
@@ -39,6 +39,14 @@ python_versions() { pyenv versions --bare --skip-aliases --skip-envs } +check_semantic_version() { + local version=$1 + local regex="^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\$" + + # Use Perl for regex matching and output true or false + echo "$version" | perl -ne "exit(!/$regex/)" +} + # Flag to force deletion and creation of virtual environment FORCE=0 @@ -144,16 +152,18 @@ while true; do -p | --python-version) PYTHON_VERSION="$2" shift 2 - # Check the Python versions being passed in. - if [ -n "${PYTHON_VERSION+x}" ]; then - if python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then - echo Using Python version "$PYTHON_VERSION" - else - echo Error: Python version "$PYTHON_VERSION" is not installed. - echo Installed Python versions are: - python_versions - exit 1 - fi + # Validate the semantic version format + if ! check_semantic_version "$PYTHON_VERSION"; then + echo "Error: The specified Python version $PYTHON_VERSION does not follow the semantic versioning standard." + echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" + exit 1 + elif ! python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then + echo "Error: Python version $PYTHON_VERSION is not installed." + echo "Installed Python versions are:" + python_versions + exit 1 + else + echo "Using Python version $PYTHON_VERSION" fi ;; -v | --venv-name) 
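Review bot: `echo "$version" | perl -ne "exit(!/$regex/)"` reports success whenever perl sees no input line, because the `-n` loop body never runs and perl exits 0; a value that bash's builtin `echo` swallows as an option (`-n`) therefore passes the format check, and `-e`/`-E` can alter the text before it is matched. Passing the value as an argument removes the pipeline and the echo ambiguity in one line: `echo "$version" | perl -ne "exit(!/$regex/)"` becomes `perl -e "exit(!(\$ARGV[0] =~ /$regex/))" -- "$version"`. The same pipeline is carried into `check_python_version` by the `@@ -39,12 +39,41 @@` hunk in PATCH 187 and the `@@ -42,31 +42,38 @@` hunk in PATCH 192, so the change belongs there as well.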
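Review bot: `python_versions | grep -E "^${PYTHON_VERSION}$"` interpolates the user's string into an extended regex, so the `.` and `+` that the semver check has just accepted act as metacharacters (`3.8.1` also matches a hypothetical `3x8x1`, and a `+` in build metadata becomes a quantifier). A fixed-string whole-line match is what is meant: `elif ! python_versions | grep -Fxq -- "$PYTHON_VERSION"; then`, which also makes the `> /dev/null` unnecessary. The same line is moved into `check_python_version` by the `@@ -39,12 +39,41 @@` hunk in PATCH 187 and kept by the `@@ -42,31 +42,38 @@` hunk in PATCH 192, so fix it there too.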
@@ -189,14 +199,7 @@ if [ $LIST_VERSIONS -ne 0 ]; then # -r: treat backslashes as literal, -p: display prompt before input. read -r -p "Enter the desired Python version: " PYTHON_VERSION # Check the Python versions being passed in. - if [ -n "${PYTHON_VERSION+x}" ]; then - if python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then - echo Using Python version "$PYTHON_VERSION" - else - echo Error: Python version "$PYTHON_VERSION" is not installed. - exit 1 - fi - fi + check_semantic_version "$PYTHON_VERSION" fi # Remove any lingering local configuration. From d5c7c4a566f88f7575f06ff2e0829f257a00cb08 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 14 Feb 2024 14:29:13 -0600 Subject: [PATCH 187/383] Refactor code for the semantic check This commit will make a few changes. The orginal version of the semantic checking function was a bit more difficult to read. It is now somewhat easier to follow how the regex is structured. Also the function has been renamed to check_python_version since it has 2 functions, making sure that the version is semantically correct and the second is to make sure that it is installed on the user's machine. This makes it easier to follow the logic for the flags, -p or --python-version and -l or --list-versions --- setup-env | 54 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 18 deletions(-) diff --git a/setup-env b/setup-env index 5e537bc..92540d1 100755 --- a/setup-env +++ b/setup-env 
@@ -39,12 +39,41 @@ python_versions() { pyenv versions --bare --skip-aliases --skip-envs } -check_semantic_version() { +check_python_version() { local version=$1 - local regex="^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\$" - # Use Perl for regex matching and output true or false - echo "$version" | perl -ne "exit(!/$regex/)" + # Break down the regex into readable parts major.minor.patch + local major="0|[1-9]\\d*" + local minor="0|[1-9]\\d*" + local patch="0|[1-9]\\d*" + + # Splitting the prerelease part for readability + # Start of prerelease + local prerelease="(?:-" + # Numeric or alphanumeric identifiers + local prerelease+="(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)" + # Additional dot-separated identifiers + local prerelease+="(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*" + # End of prerelease, making it optional + local prerelease+=")?" + # Optional build metadata + local build="(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?" + + # Final regex composed of parts + local regex="^($major)\\.($minor)\\.($patch)$prerelease$build\$" + + if ! echo "$version" | perl -ne "exit(!/$regex/)"; then + echo "Error: The specified Python version $version does not follow the semantic versioning standard." + echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" + exit 1 + elif ! python_versions | grep -E "^${version}$" > /dev/null; then + echo "Error: Python version $version is not installed." + echo "Installed Python versions are:" + python_versions + exit 1 + else + echo "Using Python version $version" + fi } # Flag to force deletion and creation of virtual environment 
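Review bot: The three `local prerelease+="..."` lines re-declare `prerelease` on every append; bash accepts `+=` inside a `local` declaration, but only the first line needs `local` and the rest read more clearly as plain `prerelease+="..."`, which also makes it obvious that they extend rather than replace the value. Because `check_python_version` calls `exit 1` from inside the function, a caller can never recover from a bad value; that is acceptable for this script but deserves a header comment, e.g. `# Validate $1 as a semver string and check it is installed; exits the script on any failure instead of returning.`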
@@ -152,19 +181,8 @@ while true; do -p | --python-version) PYTHON_VERSION="$2" shift 2 - # Validate the semantic version format - if ! check_semantic_version "$PYTHON_VERSION"; then - echo "Error: The specified Python version $PYTHON_VERSION does not follow the semantic versioning standard." - echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" - exit 1 - elif ! python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then - echo "Error: Python version $PYTHON_VERSION is not installed." - echo "Installed Python versions are:" - python_versions - exit 1 - else - echo "Using Python version $PYTHON_VERSION" - fi + # Check the Python version being passed in. + check_python_version "$PYTHON_VERSION" ;; -v | --venv-name) VENV_NAME="$2" @@ -199,7 +217,7 @@ if [ $LIST_VERSIONS -ne 0 ]; then # -r: treat backslashes as literal, -p: display prompt before input. read -r -p "Enter the desired Python version: " PYTHON_VERSION # Check the Python versions being passed in. - check_semantic_version "$PYTHON_VERSION" + check_python_version "$PYTHON_VERSION" fi # Remove any lingering local configuration. From 327ab733aeaaad6a4916eb86b20d86618c9351e3 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 18 Mar 2024 12:36:02 -0500 Subject: [PATCH 188/383] Remove example of correct semantic version --- setup-env | 1 - 1 file changed, 1 deletion(-) diff --git a/setup-env b/setup-env index 92540d1..bacd2d5 100755 --- a/setup-env +++ b/setup-env @@ -64,7 +64,6 @@ check_python_version() { if ! echo "$version" | perl -ne "exit(!/$regex/)"; then echo "Error: The specified Python version $version does not follow the semantic versioning standard." - echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" exit 1 elif ! python_versions | grep -E "^${version}$" > /dev/null; then echo "Error: Python version $version is not installed." From 4dedf50886fd47c67895deb07367fca5c36ca33f Mon Sep 17 00:00:00 2001 
From: Michael Saki Date: Wed, 20 Mar 2024 12:58:03 -0500 Subject: [PATCH 189/383] Refactor the error message for the user --- setup-env | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup-env b/setup-env index bacd2d5..d7824cb 100755 --- a/setup-env +++ b/setup-env @@ -63,7 +63,9 @@ check_python_version() { local regex="^($major)\\.($minor)\\.($patch)$prerelease$build\$" if ! echo "$version" | perl -ne "exit(!/$regex/)"; then - echo "Error: The specified Python version $version does not follow the semantic versioning standard." + echo "Invalid version of Python: Python follows semantic versioning, " \ + "so any version string that is not a valid semantic version is an " \ + "invalid version of Python." exit 1 elif ! python_versions | grep -E "^${version}$" > /dev/null; then echo "Error: Python version $version is not installed." From e84deea5181f27471f01343113c91dc2b13e159e Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 20 Mar 2024 14:52:16 -0500 Subject: [PATCH 190/383] Improve the semantic error message --- setup-env | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup-env b/setup-env index d7824cb..bba5f9e 100755 --- a/setup-env +++ b/setup-env @@ -63,8 +63,8 @@ check_python_version() { local regex="^($major)\\.($minor)\\.($patch)$prerelease$build\$" if ! echo "$version" | perl -ne "exit(!/$regex/)"; then - echo "Invalid version of Python: Python follows semantic versioning, " \ - "so any version string that is not a valid semantic version is an " \ + echo "Invalid version of Python: Python follows semantic versioning," \ + "so any version string that is not a valid semantic version is an" \ "invalid version of Python." exit 1 elif ! python_versions | grep -E "^${version}$" > /dev/null; then From 5fdc7befc1d1d4811c4550ca1e4c65a711971c21 Mon Sep 17 00:00:00 2001 
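Review bot: The rewritten message no longer tells the user which value was rejected, and like the other failure messages in `check_python_version` it goes to stdout even though the function then runs `exit 1`; including the value and sending it to stderr keeps the diagnostic useful when the script's output is captured, e.g. `echo "Invalid version of Python \"$version\": Python follows semantic versioning," \` as the first line, with `>&2` appended after the final argument. The `@@ -63,8 +63,8 @@` hunk in PATCH 190 touches the same lines and would carry the change. `check_python_version` itself begins outside this hunk.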
From: Michael Saki Date: Wed, 20 Mar 2024 15:39:07 -0500 Subject: [PATCH 191/383] Fix grammar Co-authored-by: dav3r --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index bba5f9e..b93810c 100755 --- a/setup-env +++ b/setup-env @@ -217,7 +217,7 @@ if [ $LIST_VERSIONS -ne 0 ]; then # Read the user's desired Python version. # -r: treat backslashes as literal, -p: display prompt before input. read -r -p "Enter the desired Python version: " PYTHON_VERSION - # Check the Python versions being passed in. + # Check the Python version being passed in. check_python_version "$PYTHON_VERSION" fi From 42ef8c2d7b54cde82d4390a0050622cddfccf92a Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Thu, 21 Mar 2024 09:19:42 -0500 Subject: [PATCH 192/383] Refactor regex, add link, and improve comments --- setup-env | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/setup-env b/setup-env index b93810c..2f30021 100755 --- a/setup-env +++ b/setup-env 
@@ -42,31 +42,38 @@ python_versions() { check_python_version() { local version=$1 + # This is a valid regex for semantically correct Python version strings. + # For more information see here: https://regex101.com/r/vkijKf/1/. # Break down the regex into readable parts major.minor.patch - local major="0|[1-9]\\d*" - local minor="0|[1-9]\\d*" - local patch="0|[1-9]\\d*" + local major="0|[1-9]\d*" + local minor="0|[1-9]\d*" + local patch="0|[1-9]\d*" # Splitting the prerelease part for readability - # Start of prerelease + # Start of the prerelease local prerelease="(?:-" # Numeric or alphanumeric identifiers - local prerelease+="(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)" + local prerelease+="(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)" # Additional dot-separated identifiers - local prerelease+="(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*" - # End of prerelease, making it optional + local prerelease+="(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*" + # End of the prerelease, making it optional local prerelease+=")?" # Optional build metadata - local build="(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?" + local build="(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?" # Final regex composed of parts - local regex="^($major)\\.($minor)\\.($patch)$prerelease$build\$" + local regex="^($major)\.($minor)\.($patch)$prerelease$build$" + # This checks if the Python version does not match the regex pattern specified in $regex, + # using Perl for regex matching. If the pattern is not found, then prompt the user with + # the invalid version message. if ! echo "$version" | perl -ne "exit(!/$regex/)"; then echo "Invalid version of Python: Python follows semantic versioning," \ "so any version string that is not a valid semantic version is an" \ "invalid version of Python." exit 1 + # Else if the Python version isn't installed then notify the user. + # grep -E is used for searching through text lines that match the specific verison. elif ! 
python_versions | grep -E "^${version}$" > /dev/null; then echo "Error: Python version $version is not installed." echo "Installed Python versions are:" From a77e5e1c9a8752a2072a6a974d4164be116069e9 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Thu, 21 Mar 2024 10:13:11 -0500 Subject: [PATCH 193/383] Update link to use semver.org over regex101.com --- setup-env | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 2f30021..8d7b347 100755 --- a/setup-env +++ b/setup-env @@ -43,7 +43,8 @@ check_python_version() { local version=$1 # This is a valid regex for semantically correct Python version strings. - # For more information see here: https://regex101.com/r/vkijKf/1/. + # For more information see here: + # https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string. # Break down the regex into readable parts major.minor.patch local major="0|[1-9]\d*" local minor="0|[1-9]\d*" From 5fe14c7c6066d30381f6746eb313a56e4d447ac5 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Thu, 21 Mar 2024 10:29:58 -0500 Subject: [PATCH 194/383] Remove unnecessary period Co-authored-by: dav3r --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 8d7b347..059ccad 100755 --- a/setup-env +++ b/setup-env @@ -44,7 +44,7 @@ check_python_version() { # This is a valid regex for semantically correct Python version strings. # For more information see here: - # https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string. + # https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string # Break down the regex into readable parts major.minor.patch local major="0|[1-9]\d*" local minor="0|[1-9]\d*" From b7896a0a2790cc121842c6ac1602734bbd5dd726 Mon Sep 17 00:00:00 2001 
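Review bot: The new comment `# This is a valid regex for semantically correct Python version strings.` overstates what the pattern accepts: CPython uses PEP 440 identifiers, so pre-release builds carry suffixes like `3.13.0b1` with no `-` separator, and if pyenv lists such a build (or a non-CPython one such as a `pypy3.10-…` entry) under that name it is rejected here before the installed check ever runs. If only stable `major.minor.patch` releases are meant to be accepted, the comment and the "Python follows semantic versioning" error message should say that rather than claim semver; otherwise the pattern needs to admit the PEP 440 forms. I am going from memory on pyenv's naming, so check `pyenv versions --bare` on a machine with a pre-release installed. The function's remaining branches are outside this hunk.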
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 20 Apr 2024 04:11:57 -0400 Subject: [PATCH 195/383] Add a meta hook to the pre-commit configuration Add the `check-useless-excludes` meta hook to verify that any defined `exclude` directives apply to at least one file in the repository. --- .pre-commit-config.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2c5b3c8..de8c587 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -4,6 +4,11 @@ default_language_version: python: python3 repos: + # Check the pre-commit configuration + - repo: meta + hooks: + - id: check-useless-excludes + - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.5.0 hooks: From 260566f177520175530963c469e50d124e5bc0e4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 20 Apr 2024 04:15:52 -0400 Subject: [PATCH 196/383] Remove `exclude` directive that does not apply to any files --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index de8c587..5ec468e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -24,7 +24,6 @@ repos: - --allow-missing-credentials - id: detect-private-key - id: end-of-file-fixer - exclude: files/(issue|motd) - id: mixed-line-ending args: - --fix=lf From 898e9ef0a3373c942d0ca4b5cfbf83e52ad5eb17 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 6 Mar 2024 15:23:35 -0500 Subject: [PATCH 197/383] Use the Python version from setup-env This includes adding the necessary job step to use the cisagov/setup-env-github-action Action. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f709eb2..a7a5aa1 100644 
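Review bot: Alongside `check-useless-excludes`, the `meta` repo also provides `check-hooks-apply`, which fails when a configured hook matches no file in the repository; adding `- id: check-hooks-apply` under the same `hooks:` list would catch dead hook entries the same way this one catches dead `exclude` patterns. The added comment `# Check the pre-commit configuration` already reads correctly for both.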
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -248,10 +248,12 @@ jobs: with: egress-policy: audit - uses: actions/checkout@v4 + - id: setup-env + uses: cisagov/setup-env-github-action@develop - id: setup-python uses: actions/setup-python@v4 with: - python-version: "3.10" + python-version: ${{ steps.setup-env.outputs.python-version }} - uses: actions/cache@v3 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ From 07e2b60f912ada6de4de0dcf0573bbecc0f2037c Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 4 May 2024 10:09:12 -0400 Subject: [PATCH 198/383] Pin ansible-core when running the ansible-lint linter New versions of ansible-core (2.16.7 and 2.17.0) have been released that do not suffer from the bug discussed in ansible/ansible#82702. This bug broke any symlinked files in vars, tasks, etc. for any Ansible role installed via ansible-galaxy. All versions later than ansible-core 2.16.7 and 2.17.0 should function as expected. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2c5b3c8..895384c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -155,6 +155,17 @@ repos: rev: v24.2.0 hooks: - id: ansible-lint + additional_dependencies: + # ansible-core 2.16.3 through 2.16.6 suffer from the bug + # discussed in ansible/ansible#82702, which breaks any + # symlinked files in vars, tasks, etc. for any Ansible role + # installed via ansible-galaxy. Hence we never want to + # install those versions. + # + # Note that any changes made to this dependency must also be + # made in requirements.txt in cisagov/skeleton-packer and + # requirements-test.txt in cisagov/skeleton-ansible-role. + - ansible-core>=2.16.7 # files: molecule/default/playbook.yml # Terraform hooks From c74e5db75b7e3785a3f7196365b7ba99f9a004ea Mon Sep 17 00:00:00 2001 
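Review bot: `uses: cisagov/setup-env-github-action@develop` references a branch, not a release, so every push to that branch changes what this workflow executes and which `python-version` it hands to `setup-python` (and, through the cache key below, which cache entries are reused) without any change in this repository; pin the action to a release tag or, preferably, a full-length commit SHA with the tag in a trailing comment. The same action presumably backs the `steps.setup-env.outputs` references added to the other job in PATCH 183 (`@@ -59,7 +59,7 @@`), where the step itself is not shown, so the pin should be applied consistently. `actions/setup-python@v4` in this hunk is context rather than new code, but it is one major behind the `@v5` that the other job uses.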
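Review bot: `- ansible-core>=2.16.7` has no upper bound, so the linter environment picks up each new ansible-core minor (2.17, 2.18, …) whenever pre-commit rebuilds it, and different contributors can end up linting with different rule sets; the long comment only justifies the floor. If the intent is "the fixed 2.16 and 2.17 lines" as the commit message says, express that with a ceiling, e.g. `- ansible-core>=2.16.7,<2.18` (constructed example), and keep it in step with the `requirements.txt` / `requirements-test.txt` pins the comment points to. Note also that pre-commit installs `additional_dependencies` with pip without hash checking, so this is a version constraint, not an integrity pin.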
From: Jeremy Frasier Date: Sat, 4 May 2024 10:11:08 -0400 Subject: [PATCH 199/383] Remove unnecessary line The line is not only unnecessary, it was commented out to boot! --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 895384c..11772d9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -166,7 +166,6 @@ repos: # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. - ansible-core>=2.16.7 - # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform From 2e53e0de98caa5d5a42320618d8e604c770da7d9 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 7 May 2024 15:21:06 -0400 Subject: [PATCH 200/383] Explain why ansible may need to be added as a dependency for ansible-lint On its own ansible-lint does not pull in ansible, only ansible-core. Therefore, if an Ansible module lives in ansible instead of ansible-core, the linter will complain that the module is unknown. In these cases it is necessary to add the ansible package itself as an additional dependency, with the same pinning as is done in requirements-test.txt of cisagov/skeleton-ansible-role. --- .pre-commit-config.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 11772d9..a48e196 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -156,6 +156,14 @@ repos: hooks: - id: ansible-lint additional_dependencies: + # On its own ansible-lint does not pull in ansible, only + # ansible-core. Therefore, if an Ansible module lives in + # ansible instead of ansible-core, the linter will complain + # that the module is unknown. In these cases it is + # necessary to add the ansible package itself as an + # additional dependency, with the same pinning as is done in + # requirements-test.txt of cisagov/skeleton-ansible-role. + # - ansible>=8,<10 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any # symlinked files in vars, tasks, etc. for any Ansible role From f51fe623bb34e68bb874cd30756fee2692d34b5a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 11 May 2024 00:38:50 -0400 Subject: [PATCH 201/383] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. The pre-commit/mirrors-prettier was manually held back because the latest tags are for alpha releases of the next major version. --- .pre-commit-config.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2c5b3c8..d315345 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,7 +5,7 @@ default_language_version: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v4.6.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -31,7 +31,7 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.39.0 + rev: v0.41.0 hooks: - id: markdownlint args: 
@@ -56,14 +56,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.28.0 + rev: 0.28.4 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.6.2 + rev: v3.7.1 hooks: - id: validate_manifest @@ -98,7 +98,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.7.0-4 + rev: v3.8.0-1 hooks: - id: shfmt args: @@ -116,19 +116,19 @@ repos: # Redirect operators are followed by a space - --space-redirects - repo: https://github.com/shellcheck-py/shellcheck-py - rev: v0.9.0.6 + rev: v0.10.0.1 hooks: - id: shellcheck # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.7 + rev: 1.7.8 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.2.0 + rev: 24.4.2 hooks: - id: black - repo: https://github.com/PyCQA/flake8 @@ -142,24 +142,24 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.8.0 + rev: v1.10.0 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.15.1 + rev: v3.15.2 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.2.0 + rev: v24.6.0 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.88.0 + rev: v1.90.0 hooks: - id: terraform_fmt - id: terraform_validate From 8e55b8e24e047008b1fa80bc87a76163888e4e5e Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 6 Jun 2024 13:58:38 -0400 Subject: [PATCH 202/383] Manually update the prettier hook Use the latest v3 release available from NPM. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d315345..2ece2c0 100644 
--- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: # mirror does not pull tags for old major versions once a new major # version tag is published. additional_dependencies: - - prettier@3.2.5 + - prettier@3.3.1 - repo: https://github.com/adrienverge/yamllint rev: v1.35.1 hooks: From c617bb92af0bd01d0ef9bb7e51c007e34f91a915 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Thu, 6 Jun 2024 16:42:24 -0400 Subject: [PATCH 203/383] Correct commented-out ansible pin The pin now agrees with what is in cisagov/skeleton-ansible-role. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a48e196..3071c44 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -163,7 +163,7 @@ repos: # necessary to add the ansible package itself as an # additional dependency, with the same pinning as is done in # requirements-test.txt of cisagov/skeleton-ansible-role. - # - ansible>=8,<10 + # - ansible>=9,<10 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any # symlinked files in vars, tasks, etc. for any Ansible role From a68994d17dcc11e9b90132c50fe52732d5fda07b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 1 Jul 2024 16:19:46 -0400 Subject: [PATCH 204/383] Add a lower-bound pin for flake8-docstrings --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 386c83f..74c9c76 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -136,7 +136,7 @@ repos: hooks: - id: flake8 additional_dependencies: - - flake8-docstrings + - flake8-docstrings>=1.7.0 - repo: https://github.com/PyCQA/isort rev: 5.13.2 hooks: From 0905548fc55213de30476b5e6d4d04983af956d7 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 29 Jul 2024 16:54:35 -0400 Subject: [PATCH 205/383] Match bandit pre-commit hook versions The "bandit (tests tree)" hook configuration gets updated from upstream, but the "bandit (everything else)" hook configuration does not. It must be manually updated to ensure the same version of bandit is used for both hooks. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4918fd6..6a6dacb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -132,7 +132,7 @@ repos: - --config=.bandit.yml # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit - rev: 1.7.5 + rev: 1.7.8 hooks: - id: bandit name: bandit (everything else) From 2ea36cbb964f6e84c353943541825adde86dd884 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 21:24:36 +0000 Subject: [PATCH 206/383] Bump actions/upload-artifact from 3 to 4 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a7a5aa1..4d47d8e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -334,7 +334,7 @@ jobs: - name: Build artifacts run: python -m build - name: Upload artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: dist-${{ matrix.python-version }} path: dist 
From 3664329e3cb9876a09f0f82524138d87cd2d2332 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 21:25:37 +0000 Subject: [PATCH 207/383] Bump actions/download-artifact from 3 to 4 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3 to 4. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4d47d8e..fe8fa34 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -388,7 +388,7 @@ jobs: restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Retrieve the built wheel - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: dist-${{ matrix.python-version }} path: dist From 3c741d29b708d019839e2f37220f784c232be45f Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 11 Mar 2024 06:04:24 -0400 Subject: [PATCH 208/383] Drop support for Python 3.6 Python 3.6 reached end-of-life on 2021-12-23. Since the oldest version of Debian that we use (Debian Buster) provides Python 3.7 we can safely sunset support for this version of Python. --- .github/workflows/build.yml | 21 +++------------------ setup.py | 3 +-- 2 files changed, 4 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a7a5aa1..05f0aad 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -175,12 +175,10 @@ jobs: name: test source - py${{ matrix.python-version }} needs: - diagnostics - runs-on: ${{ matrix.os }} + runs-on: ubuntu-latest strategy: fail-fast: false matrix: - os: - - ubuntu-latest python-version: - "3.7" - "3.8" @@ -188,9 +186,6 @@ jobs: - "3.10" - "3.11" - "3.12" - include: - - os: ubuntu-20.04 - python-version: "3.6" steps: - id: harden-runner name: Harden the runner @@ -286,12 +281,10 @@ jobs: - diagnostics - lint - test - runs-on: ${{ matrix.os }} + runs-on: ubuntu-latest strategy: fail-fast: false matrix: - os: - - ubuntu-latest python-version: - "3.7" - "3.8" @@ -299,9 +292,6 @@ jobs: - "3.10" - "3.11" - "3.12" - include: - - os: ubuntu-20.04 - python-version: "3.6" steps: - id: harden-runner name: Harden the runner @@ -346,12 +336,10 @@ jobs: needs: - diagnostics - build - runs-on: ${{ matrix.os }} + runs-on: ubuntu-latest strategy: fail-fast: false matrix: - os: - - ubuntu-latest python-version: - "3.7" - "3.8" @@ -359,9 +347,6 @@ jobs: - "3.10" - "3.11" - "3.12" - include: - - os: ubuntu-20.04 - python-version: "3.6" steps: - id: harden-runner name: Harden the runner diff --git a/setup.py b/setup.py index 7aec68b..e4c19ba 100644 --- a/setup.py +++ b/setup.py @@ -75,7 +75,6 @@ def get_version(version_file): # that you indicate whether you support Python 2, Python 3 or both. "Programming Language :: Python :: 3", "Programming Language :: Python :: 3 :: Only", - "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", @@ -84,7 +83,7 @@ def get_version(version_file): "Programming Language :: Python :: 3.12", "Programming Language :: Python :: Implementation :: CPython", ], - python_requires=">=3.6", + python_requires=">=3.7", # What does your project relate to? keywords="skeleton", packages=find_packages(where="src"), From 111eac0fc6181851c2c4fb2048b591c8a98895d6 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 12 Mar 2024 01:48:57 -0400 Subject: [PATCH 209/383] Bump version from 0.2.0 to 0.2.1 --- src/example/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/example/_version.py b/src/example/_version.py index e038e39..3252c71 100644 --- a/src/example/_version.py +++ b/src/example/_version.py @@ -1,3 +1,3 @@ """This file defines the version of this module.""" -__version__ = "0.2.0" +__version__ = "0.2.1" From e7d0482acc943e1dfc415c94d617b87006d18444 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 30 Jul 2024 14:01:36 -0400 Subject: [PATCH 210/383] Bump actions/setup-python from v4 to v5 This covers all of the uses that are not automatically updated when pulling in upstream updates. --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5eb64d3..e429274 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -194,7 +194,7 @@ jobs: egress-policy: audit - uses: actions/checkout@v4 - id: setup-python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - uses: actions/cache@v3 @@ -246,7 +246,7 @@ jobs: - id: setup-env uses: cisagov/setup-env-github-action@develop - id: setup-python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ steps.setup-env.outputs.python-version }} - uses: actions/cache@v3 @@ -300,7 +300,7 @@ jobs: egress-policy: audit - uses: actions/checkout@v4 - id: setup-python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - uses: actions/cache@v3 
@@ -355,7 +355,7 @@ jobs: egress-policy: audit - uses: actions/checkout@v4 - id: setup-python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - uses: actions/cache@v3 From 8da701f3985efedc3d24f492defbc907bb2deb07 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 11 Aug 2024 07:05:00 -0400 Subject: [PATCH 211/383] Enable dependabot ignore directives These dependencies are managed by cisagov/skeleton-python-library, so we should ignore them in this repository. --- .github/dependabot.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f699134..e3d24b7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -19,10 +19,10 @@ updates: - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate - dependency-name: step-security/harden-runner - # # Managed by cisagov/skeleton-python-library - # - dependency-name: actions/download-artifact - # - dependency-name: actions/upload-artifact - # - dependency-name: github/codeql-action + # Managed by cisagov/skeleton-python-library + - dependency-name: actions/download-artifact + - dependency-name: actions/upload-artifact + - dependency-name: github/codeql-action package-ecosystem: github-actions schedule: interval: weekly From 0cce1404ef7b6a41d35c3b3e35188b986c623505 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 11 Aug 2024 07:06:56 -0400 Subject: [PATCH 212/383] Apply changes from the `black` pre-commit hook --- src/hash_http_content/__init__.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/hash_http_content/__init__.py b/src/hash_http_content/__init__.py index 9cb1be8..1d89731 100644 --- a/src/hash_http_content/__init__.py +++ b/src/hash_http_content/__init__.py 
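Review bot: The three newly enabled `ignore` entries also stop Dependabot from proposing security updates for `actions/download-artifact`, `actions/upload-artifact` and `github/codeql-action` in this repository, if I read the `ignore` semantics correctly, so a fix to the CodeQL action now arrives only when upstream skeleton changes are merged. The commit message explains this trade-off but the file only says "Managed by", which does not tell the next maintainer that a cadence dependency exists. I would extend the comment to `# Managed by cisagov/skeleton-python-library; updates (including security updates) for these arrive only via upstream merges, so pull the skeleton regularly.` The start of the `ignore` list is outside the hunk.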
@@ -1,4 +1,5 @@ """The hash-http-content library.""" + # Standard Python Libraries from typing import List From 43b91c74754e912172c702e20f12ba9f767ac202 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 12 Aug 2024 06:24:06 -0400 Subject: [PATCH 213/383] Use the hashicorp/setup-packer GitHub Action Instead of manually installing Packer we can instead leverage the hashicorp/setup-packer Action just as we do for Terraform. --- .github/workflows/build.yml | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9bb221a..e12b842 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -20,7 +20,6 @@ defaults: shell: bash -Eueo pipefail -x {0} env: - CURL_CACHE_DIR: ~/.cache/curl PIP_CACHE_DIR: ~/.cache/pip PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit RUN_TMATE: ${{ secrets.RUN_TMATE }} @@ -97,25 +96,12 @@ jobs: path: | ${{ env.PIP_CACHE_DIR }} ${{ env.PRE_COMMIT_CACHE_DIR }} - ${{ env.CURL_CACHE_DIR }} ${{ steps.go-cache.outputs.dir }} restore-keys: | ${{ env.BASE_CACHE_KEY }} - - name: Setup curl cache - run: mkdir -p ${{ env.CURL_CACHE_DIR }} - - name: Install Packer - env: - PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} - run: | - PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip" - curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \ - --time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \ - --location \ - "https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}" - sudo unzip -d /opt/packer \ - ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" - sudo mv /usr/local/bin/packer /usr/local/bin/packer-default - sudo ln -s /opt/packer/packer /usr/local/bin/packer + - uses: hashicorp/setup-packer@v3 + with: + version: ${{ steps.setup-env.outputs.packer-version }} - uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} 
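Review bot: The new `hashicorp/setup-packer@v3` step is referenced by a mutable major-version tag, so the code executed in the job can change under the same reference, and the job's `harden-runner` only audits egress (`egress-policy: audit` in the setup-python hunks above) rather than blocking it. The curl-based install it replaces did no checksum verification either, so this is not a regression, but introducing the step is the right moment to pin it to a full commit SHA with the version kept in a trailing comment, e.g. `- uses: hashicorp/setup-packer@<commit-sha> # v3.x.y` (placeholder), and the neighbouring `hashicorp/setup-terraform@v3` would benefit from the same treatment. The enclosing job's step list continues outside the hunk.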
From 8ada75d419c3ea546843fc0772d9d0b678beeea4 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 23 Aug 2024 00:54:54 -0400 Subject: [PATCH 214/383] Remove @jasonodoom as a codeowner He is no longer a member of @cisagov/vm-dev. --- .github/CODEOWNERS | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 229920c..3af99ba 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -3,22 +3,22 @@ # These owners will be the default owners for everything in the # repo. Unless a later match takes precedence, these owners will be # requested for review when someone opens a pull request. -* @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +* @dav3r @felddy @jsf9k @mcdonnnj # These folks own any files in the .github directory at the root of # the repository and any of its subdirectories. -/.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.github/ @dav3r @felddy @jsf9k @mcdonnnj # These folks own all linting configuration files. -/.ansible-lint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.bandit.yml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.flake8 @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.isort.cfg @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.mdl_config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.pre-commit-config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.prettierignore @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.yamllint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/requirements.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/requirements-dev.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/requirements-test.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/setup-env @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.ansible-lint @dav3r @felddy @jsf9k @mcdonnnj +/.bandit.yml @dav3r @felddy @jsf9k @mcdonnnj +/.flake8 @dav3r @felddy @jsf9k @mcdonnnj +/.isort.cfg @dav3r @felddy @jsf9k @mcdonnnj +/.mdl_config.yaml @dav3r @felddy @jsf9k @mcdonnnj +/.pre-commit-config.yaml @dav3r @felddy @jsf9k @mcdonnnj +/.prettierignore @dav3r @felddy @jsf9k @mcdonnnj +/.yamllint @dav3r @felddy @jsf9k @mcdonnnj +/requirements.txt @dav3r @felddy @jsf9k @mcdonnnj +/requirements-dev.txt @dav3r @felddy @jsf9k @mcdonnnj +/requirements-test.txt @dav3r @felddy @jsf9k @mcdonnnj +/setup-env @dav3r @felddy @jsf9k @mcdonnnj From 293020830fb6830a7324b5eacb8c3122979d9882 Mon Sep 17 00:00:00 2001 
From: Shane Frasier Date: Mon, 26 Aug 2024 09:27:58 -0400 Subject: [PATCH 215/383] Pin to a specific version Previously we only provided a lower bound for the version, but pinning to a specific version aligns with what has been done with the prettier hook and how pre-commit hooks are pinned in general. The flake8-docstrings package is rarely updated, so there is no real downside to pinning to a specific version. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 74c9c76..236eeda 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -136,7 +136,7 @@ repos: hooks: - id: flake8 additional_dependencies: - - flake8-docstrings>=1.7.0 + - flake8-docstrings==1.7.0 - repo: https://github.com/PyCQA/isort rev: 5.13.2 hooks: From d703a2054cbc15155a8bb6847c9a17ece3030ced Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 24 Sep 2024 13:39:36 -0400 Subject: [PATCH 216/383] Add the --non-interactive flag when installing type stubs via mypy This flag forces mypy to hide the errors about missing stubs and instead simply install stubs without asking for confirmation. It also does not return an error code, which it does without this flag even if you opt to let it install the missing type stubs. --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index ac7ecfc..b3554cb 100755 --- a/setup-env +++ b/setup-env @@ -251,7 +251,7 @@ for req_file in "requirements-dev.txt" "requirements-test.txt" "requirements.txt done # Install all necessary mypy type stubs -mypy --install-types src/ +mypy --install-types --non-interactive src/ # Install git pre-commit hooks now or later. pre-commit install ${INSTALL_HOOKS:+"--install-hooks"} From 46e055367c1e34711ed0980b2934b9df54bf33fe Mon Sep 17 00:00:00 2001 
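Review bot: `mypy --install-types --non-interactive src/` has mypy pip-install whatever `types-*` stub packages it decides are missing at setup time, unpinned and outside the requirements files the rest of this script installs from, so the contents of the dev environment are partly decided by mypy's run-time suggestion rather than by a reviewed file. The line deserves a comment saying so, e.g. `# Installs any missing types-* stub packages from PyPI, unpinned; prefer listing needed stubs explicitly in the dev requirements.` The surrounding script, and whatever error handling it relies on, is outside the hunk.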
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Sep 2024 18:23:01 +0000 Subject: [PATCH 217/383] Bump actions/cache from 3 to 4 Bumps [actions/cache](https://github.com/actions/cache) from 3 to 4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9bb221a..a403ea9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -76,7 +76,7 @@ jobs: name: Lookup Go cache directory run: | echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - - uses: actions/cache@v3 + - uses: actions/cache@v4 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-\ From 3167421109abf3fe94dc801203587e1bf3ce33a3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Sep 2024 18:23:14 +0000 Subject: [PATCH 218/383] Bump crazy-max/ghaction-github-status from 3 to 4 Bumps [crazy-max/ghaction-github-status](https://github.com/crazy-max/ghaction-github-status) from 3 to 4. - [Release notes](https://github.com/crazy-max/ghaction-github-status/releases) - [Commits](https://github.com/crazy-max/ghaction-github-status/compare/v3...v4) --- updated-dependencies: - dependency-name: crazy-max/ghaction-github-status dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/sync-labels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 5a20438..e83bd41 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -24,7 +24,7 @@ jobs: egress-policy: audit - id: github-status name: Check GitHub status - uses: crazy-max/ghaction-github-status@v3 + uses: crazy-max/ghaction-github-status@v4 - id: dump-context name: Dump context uses: crazy-max/ghaction-dump-context@v2 From 2d2feab1c4c3be70c7a8060236d31bdfa719866a Mon Sep 17 00:00:00 2001 From: dav3r Date: Tue, 24 Sep 2024 16:34:13 -0400 Subject: [PATCH 219/383] Improve pytest configuration * Use long flag names when possible * Enable debug logging * Add a helpful explanatory comment Co-authored-by: felddy --- pytest.ini | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pytest.ini b/pytest.ini index ed958e0..a1c266e 100644 --- a/pytest.ini +++ b/pytest.ini @@ -1,2 +1,4 @@ [pytest] -addopts = -v -ra --cov +# Increase verbosity, display extra test summary info for tests that did not pass, +# display code coverage results, and enable debug logging +addopts = --verbose -ra --cov --log-cli-level=DEBUG From 6a58c2c24ef1eb15c7a69a44f16c63964f1c7f82 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 12 Aug 2024 16:23:58 -0400 Subject: [PATCH 220/383] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. The pre-commit/mirrors-prettier hook was manually held back because the latest tags are for alpha releases of the next major version. --- .pre-commit-config.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 386c83f..81f3276 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
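Review bot: `--log-cli-level=DEBUG` in `addopts` applies to every pytest invocation, including CI, so anything the code logs at DEBUG level (request URLs, headers, fetched content) is written into the job log from now on; acceptable for a skeleton, but it should be stated next to the option rather than discovered later. I would add `# NOTE: DEBUG live logging lands in CI output; keep credentials and response bodies out of debug-level log calls.` and wrap the existing comment, which runs past 80 columns. Live logging also presumes a pytest release that supports `--log-cli-level`, which the unpinned `pytest` in setup.py presumably satisfies.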
@@ -31,7 +31,7 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.41.0 + rev: v0.42.0 hooks: - id: markdownlint args: @@ -56,14 +56,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.28.4 + rev: 0.29.2 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.7.1 + rev: v3.8.0 hooks: - id: validate_manifest @@ -98,7 +98,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.8.0-1 + rev: v3.9.0-1 hooks: - id: shfmt args: @@ -122,17 +122,17 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.8 + rev: 1.7.10 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.4.2 + rev: 24.8.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.0.0 + rev: 7.1.1 hooks: - id: flake8 additional_dependencies: @@ -142,17 +142,17 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.10.0 + rev: v1.11.2 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.15.2 + rev: v3.17.0 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.6.0 + rev: v24.9.2 hooks: - id: ansible-lint additional_dependencies: @@ -177,7 +177,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.90.0 + rev: v1.96.1 hooks: - id: terraform_fmt - id: terraform_validate @@ -190,7 +190,7 @@ repos: # Packer hooks - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.0.2 + rev: v0.1.0 hooks: - id: packer_validate - id: packer_fmt From 553efcb0d4e755ebd47abb49c865367ed6d0a236 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 12 Aug 2024 16:30:49 -0400 Subject: [PATCH 221/383] Manually update the prettier hook Use the latest v3 release available from NPM. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 81f3276..2104775 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: # mirror does not pull tags for old major versions once a new major # version tag is published. additional_dependencies: - - prettier@3.3.1 + - prettier@3.3.3 - repo: https://github.com/adrienverge/yamllint rev: v1.35.1 hooks: From 045a998dcf14dc7e3de9301ba7ee2103272b0ac4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 18 Jan 2024 16:11:15 -0500 Subject: [PATCH 222/383] Add a pre-commit hook to run pip-audit The pip-audit tool will audit any supplied pip requirements files for vulnerable packages. --- .pre-commit-config.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2c5b3c8..78140ff 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -145,6 +145,18 @@ repos: rev: v1.8.0 hooks: - id: mypy + - repo: https://github.com/pypa/pip-audit + rev: v2.7.3 + hooks: + - id: pip-audit + args: + # Add any pip requirements files to scan + - --requirement + - requirements-dev.txt + - --requirement + - requirements-test.txt + - --requirement + - requirements.txt - repo: https://github.com/asottile/pyupgrade rev: v3.15.1 hooks: From c502f1ab7cca8bd383a34360ce456b50fd6e8b21 Mon Sep 17 00:00:00 2001 
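Review bot: The pip-audit hook audits only the three listed requirements files, so the package's own runtime dependencies declared in `install_requires` in setup.py (`docopt`, `schema`, `setuptools`, visible in a later hunk of this series) are covered only if one of those files installs the package itself, which is not visible here and is worth confirming. `requirements-dev.txt` also pulls in `requirements-test.txt` via `--requirement` (visible later in the series), so that file is resolved twice, harmless but redundant. The hook additionally queries the vulnerability service over the network on each run, so the existing comment could read `# Add any pip requirements files to scan; pip-audit needs network access and only covers install_requires if a listed file installs this package.`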
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 12 Aug 2024 16:32:02 -0400 Subject: [PATCH 223/383] Use the rbubley/mirrors-prettier hook for prettier This replaces the now archived pre-commit/mirrors-prettier hook. --- .pre-commit-config.yaml | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ca59d6f..3cb1f85 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,17 +40,10 @@ repos: - id: markdownlint args: - --config=.mdl_config.yaml - - repo: https://github.com/pre-commit/mirrors-prettier - # This is the last version of v3 available from the mirror. We should hold - # here until v4, which is currently in alpha, is more stable. - rev: v3.1.0 + - repo: https://github.com/rbubley/mirrors-prettier + rev: v3.3.3 hooks: - id: prettier - # This is the latest version of v3 available from NPM. The pre-commit - # mirror does not pull tags for old major versions once a new major - # version tag is published. - additional_dependencies: - - prettier@3.3.3 - repo: https://github.com/adrienverge/yamllint rev: v1.35.1 hooks: From 4d765d02313412183554b3361dd5bf6c8dc27198 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 25 Sep 2024 14:50:45 -0400 Subject: [PATCH 224/383] Add types-docopt to mypy pre-commit hook additional dependencies This project uses the docopt library, so mypy needs this type information. --- .pre-commit-config.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6a6dacb..c5cc040 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -156,6 +156,7 @@ repos: hooks: - id: mypy additional_dependencies: + - types-docopt - types-setuptools - repo: https://github.com/asottile/pyupgrade rev: v3.15.2 From 6c2a022a0190fe587c466b0e0b8c848fcb6ac3fb Mon Sep 17 00:00:00 2001 
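Review bot: The hook source moves from the pre-commit organisation to a user-namespace mirror (`rbubley/mirrors-prettier`), and the removed comments were the only in-file explanation of why the prettier hook is handled specially, so the new block carries no rationale at all. Trust in a pre-commit repo is trust in whoever controls its tags, so the reason for choosing this source belongs in the file, not only in the commit message: `# The pre-commit/mirrors-prettier hook is archived; this mirror is its replacement.` above the `- repo:` line. The hook list continues outside the hunk.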
From: Jeremy Frasier Date: Wed, 25 Sep 2024 14:51:53 -0400 Subject: [PATCH 225/383] Add dev "extras" section with type stubs --- .pre-commit-config.yaml | 4 ++++ requirements-dev.txt | 1 + setup.py | 12 +++++++++++- 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5cc040..9b01733 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -155,6 +155,10 @@ repos: rev: v1.10.0 hooks: - id: mypy + # IMPORTANT: Keep type hinting-related dependencies of the + # mypy pre-commit hook additional_dependencies in sync with + # the dev section of setup.py to avoid discrepancies in type + # checking between environments. additional_dependencies: - types-docopt - types-setuptools diff --git a/requirements-dev.txt b/requirements-dev.txt index 1d7e302..6398c44 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,3 +1,4 @@ +--editable .[dev] --requirement requirements-test.txt ipython mypy diff --git a/setup.py b/setup.py index e4c19ba..76dd101 100644 --- a/setup.py +++ b/setup.py @@ -93,6 +93,16 @@ def get_version(version_file): include_package_data=True, install_requires=["docopt", "schema", "setuptools >= 24.2.0"], extras_require={ + # IMPORTANT: Keep type hinting-related dependencies of the dev section + # in sync with the mypy pre-commit hook configuration (see + # .pre-commit-config.yaml). Any changes to type hinting-related + # dependencies here should be reflected in the additional_dependencies + # field of the mypy pre-commit hook to avoid discrepancies in type + # checking between environments. + "dev": [ + "types-docopt", + "types-setuptools", + ], "test": [ "coverage", # coveralls 1.11.0 added a service number for calls from @@ -105,7 +115,7 @@ def get_version(version_file): "pre-commit", "pytest-cov", "pytest", - ] + ], }, # Conveniently allows one to run the CLI tool as `example` entry_points={"console_scripts": ["example = example.example:main"]}, 
From b03458d7a875d68b9a1b2c6d7b5de8db080fb933 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 25 Sep 2024 15:17:36 -0400 Subject: [PATCH 226/383] Add a type: ignore hint to the end of the schema import line No type stubs exist for the schema library. --- src/example/example.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/example/example.py b/src/example/example.py index d3eda19..54e8cc1 100644 --- a/src/example/example.py +++ b/src/example/example.py @@ -28,7 +28,10 @@ # Third-Party Libraries import docopt import pkg_resources -from schema import And, Schema, SchemaError, Use + +# There are no type stubs for the schema library, so mypy requires the type: +# ignore hint. +from schema import And, Schema, SchemaError, Use # type: ignore from ._version import __version__ From 942c0dc98f605282fdf3c0ac6b9a549647f89f41 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 13 Aug 2024 06:17:33 -0400 Subject: [PATCH 227/383] Add a new trigger for the sync-labels GitHub Actions workflow Add a `workflow_dispatch` trigger so we can manually run the workflow if needed. --- .github/workflows/sync-labels.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index e83bd41..59aefe4 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -6,6 +6,7 @@ on: paths: - '.github/labels.yml' - '.github/workflows/sync-labels.yml' + workflow_dispatch: permissions: contents: read From a267662455c30986086d4ca14173cc20af7161d4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 13 Aug 2024 06:19:38 -0400 Subject: [PATCH 228/383] Remove unnecessary quotes in the sync-labels workflow --- .github/workflows/sync-labels.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
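Review bot: The bare `# type: ignore` on the schema import suppresses every mypy error on that line, not only the missing-stubs one, so a later genuine problem there (a name that no longer exists in `schema`, say) would be hidden as well. With the mypy release this series pins in the hook config (v1.10.0), the specific error code is available: `from schema import And, Schema, SchemaError, Use  # type: ignore[import-untyped]`. The explanatory comment added above the import can stay as written.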
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 59aefe4..5d5ab41 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -4,8 +4,8 @@ name: sync-labels on: push: paths: - - '.github/labels.yml' - - '.github/workflows/sync-labels.yml' + - .github/labels.yml + - .github/workflows/sync-labels.yml workflow_dispatch: permissions: From dc7f09e29b8466af0fa2f788761e22dd2fcbd0ce Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 14 Sep 2024 18:44:01 -0400 Subject: [PATCH 229/383] Add four new hooks from pre-commit/pre-commit-hooks --- .pre-commit-config.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3cb1f85..c98ded8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -16,9 +16,13 @@ repos: - id: check-executables-have-shebangs - id: check-json - id: check-merge-conflict + - id: check-shebang-scripts-are-executable + - id: check-symlinks - id: check-toml + - id: check-vcs-permalinks - id: check-xml - id: debug-statements + - id: destroyed-symlinks - id: detect-aws-credentials args: - --allow-missing-credentials From 48d3b4f913657570e43dbaffbc80bbd604bfc5ad Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 11 Oct 2024 16:50:21 -0400 Subject: [PATCH 230/383] Move mypy command toward the end of the script This allows all the other good things to happen even if the mypy command fails. --- setup-env | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup-env b/setup-env index b3554cb..3d37812 100755 --- a/setup-env +++ b/setup-env @@ -250,9 +250,6 @@ for req_file in "requirements-dev.txt" "requirements-test.txt" "requirements.txt fi done -# Install all necessary mypy type stubs -mypy --install-types --non-interactive src/ - # Install git pre-commit hooks now or later. pre-commit install ${INSTALL_HOOKS:+"--install-hooks"} 
@@ -285,5 +282,8 @@ else: END_OF_LINE )" +# Install all necessary mypy type stubs +mypy --install-types --non-interactive src/ + # Qapla' echo "Success!" From a78f49a9b58bc6a09461829e1b368c5613e9cbb7 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 11 Oct 2024 16:57:39 -0400 Subject: [PATCH 231/383] Remove two unnecessary pins - The setuptools pin was enforcing a version newer than a version from 2016, which seems unnecessary since we are only supporting Python 3.7 and up. - The coveralls pin was enforcing that we not install a particular version from 2020. This again seems unnecessary as we are only supporting Python 3.7 and up. --- setup.py | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/setup.py b/setup.py index e4c19ba..bb2fb00 100644 --- a/setup.py +++ b/setup.py @@ -91,17 +91,11 @@ def get_version(version_file): package_data={"example": ["data/*.txt"]}, py_modules=[splitext(basename(path))[0] for path in glob("src/*.py")], include_package_data=True, - install_requires=["docopt", "schema", "setuptools >= 24.2.0"], + install_requires=["docopt", "schema", "setuptools"], extras_require={ "test": [ "coverage", - # coveralls 1.11.0 added a service number for calls from - # GitHub Actions. This caused a regression which resulted in a 422 - # response from the coveralls API with the message: - # Unprocessable Entity for url: https://coveralls.io/api/v1/jobs - # 1.11.1 fixed this issue, but to ensure expected behavior we'll pin - # to never grab the regression version. - "coveralls != 1.11.0", + "coveralls", "pre-commit", "pytest-cov", "pytest", From 34c6b7cffd7d2fed085dc0f8ead5cf5b60d9e52e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 11 Oct 2024 17:25:41 -0400 Subject: [PATCH 232/383] Support Python 13 --- .github/workflows/build.yml | 3 +++ setup.py | 1 + 2 files changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e429274..8a59d42 100644 
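Review bot: `mypy --install-types --non-interactive src/` installs whichever `types-*` stub packages mypy reports as missing, unpinned and straight from PyPI, whereas the mypy pre-commit hook elsewhere in this series lists its stubs explicitly; moving the command does not change that, and nothing here records what gets installed. Consider listing the needed stubs (for example `types-docopt`, `types-setuptools`) in requirements-dev.txt and dropping `--install-types`, or at least adding `# Installs unpinned types-* stubs from PyPI; keep in sync with the mypy hook's additional_dependencies` above the command. Note also that if setup-env runs under `set -e` (not visible in this hunk), a mypy failure still exits before `echo "Success!"`; the earlier steps have completed by then, which is the commit's intent, but the script's exit status remains non-zero.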
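Review bot: Dropping the `setuptools >= 24.2.0` bound leaves `setuptools` in `install_requires` with no constraint at all, and as far as this series shows the only reason it is a runtime dependency is the `import pkg_resources` in src/example/example.py (seen in an earlier patch), which current setuptools deprecates. Since python_requires is raised to >=3.9 later in this series, `importlib.metadata.version(...)` from the standard library could replace that use and setuptools could leave install_requires entirely. If it must stay, a one-line comment such as `# runtime dependency only because example.py uses pkg_resources` documents why a build tool is listed as a runtime requirement.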
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -186,6 +186,7 @@ jobs: - "3.10" - "3.11" - "3.12" + - "3.13" steps: - id: harden-runner name: Harden the runner @@ -292,6 +293,7 @@ jobs: - "3.10" - "3.11" - "3.12" + - "3.13" steps: - id: harden-runner name: Harden the runner @@ -347,6 +349,7 @@ jobs: - "3.10" - "3.11" - "3.12" + - "3.13" steps: - id: harden-runner name: Harden the runner diff --git a/setup.py b/setup.py index e4c19ba..2a390ef 100644 --- a/setup.py +++ b/setup.py @@ -81,6 +81,7 @@ def get_version(version_file): "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", "Programming Language :: Python :: 3.12", + "Programming Language :: Python :: 3.13", "Programming Language :: Python :: Implementation :: CPython", ], python_requires=">=3.7", From d50245a6b5ea7746a12aa99d8b6fa0e3a3175833 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 12 Oct 2024 11:27:20 -0400 Subject: [PATCH 233/383] Remove support for Python 3.7 Python 3.7 is no longer supported: https://www.python.org/downloads/release/python-370/ --- .github/workflows/build.yml | 3 --- setup.py | 1 - 2 files changed, 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e429274..84c98cc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -180,7 +180,6 @@ jobs: fail-fast: false matrix: python-version: - - "3.7" - "3.8" - "3.9" - "3.10" @@ -286,7 +285,6 @@ jobs: fail-fast: false matrix: python-version: - - "3.7" - "3.8" - "3.9" - "3.10" @@ -341,7 +339,6 @@ jobs: fail-fast: false matrix: python-version: - - "3.7" - "3.8" - "3.9" - "3.10" diff --git a/setup.py b/setup.py index e4c19ba..b4ab3ad 100644 --- a/setup.py +++ b/setup.py 
@@ -75,7 +75,6 @@ def get_version(version_file): # that you indicate whether you support Python 2, Python 3 or both. "Programming Language :: Python :: 3", "Programming Language :: Python :: 3 :: Only", - "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", From d84af0a5a69ec71be62ffabdfe2bc4280451cad0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 15 Oct 2024 10:34:13 -0400 Subject: [PATCH 234/383] Update python_requires to >=3.8 This is necessary since we have dropped support for Python 3.7. Co-authored-by: David Harris <123905168+dv4harr10@users.noreply.github.com> --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index b4ab3ad..9e9412b 100644 --- a/setup.py +++ b/setup.py @@ -82,7 +82,7 @@ def get_version(version_file): "Programming Language :: Python :: 3.12", "Programming Language :: Python :: Implementation :: CPython", ], - python_requires=">=3.7", + python_requires=">=3.8", # What does your project relate to? keywords="skeleton", packages=find_packages(where="src"), From 9ee2ce916440416a27690e7453971e267724d5d0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 15 Oct 2024 10:53:59 -0400 Subject: [PATCH 235/383] Remove support for Python 3.8 Python 3.8 is no longer supported: https://www.python.org/downloads/release/python-380/ Co-authored-by: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 3 --- setup.py | 3 +-- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 84c98cc..0606065 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -180,7 +180,6 @@ jobs: fail-fast: false matrix: python-version: - - "3.8" - "3.9" - "3.10" - "3.11" @@ -285,7 +284,6 @@ jobs: fail-fast: false matrix: python-version: - - "3.8" - "3.9" - "3.10" - "3.11" 
@@ -339,7 +337,6 @@ jobs: fail-fast: false matrix: python-version: - - "3.8" - "3.9" - "3.10" - "3.11" diff --git a/setup.py b/setup.py index 9e9412b..7bf5258 100644 --- a/setup.py +++ b/setup.py @@ -75,14 +75,13 @@ def get_version(version_file): # that you indicate whether you support Python 2, Python 3 or both. "Programming Language :: Python :: 3", "Programming Language :: Python :: 3 :: Only", - "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", "Programming Language :: Python :: 3.12", "Programming Language :: Python :: Implementation :: CPython", ], - python_requires=">=3.8", + python_requires=">=3.9", # What does your project relate to? keywords="skeleton", packages=find_packages(where="src"), From 343d2ccbd1cd983374235e5d3bfcecd3187c00d5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 28 Oct 2024 17:47:53 -0400 Subject: [PATCH 236/383] Add the GitHubSecurityLab/actions-permissions/monitor Action This Action will provide information about the usage of GITHUB_TOKEN in the workflow. It should be added to _every_ job in _any_ workflow to provide information for analysis. --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 10 ++++++++++ .github/workflows/sync-labels.yml | 10 ++++++++++ 3 files changed, 21 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 17220c6..4a6667f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -16,6 +16,7 @@ updates: # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status + # - dependency-name: GitHubSecurityLab/actions-permissions # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate # - dependency-name: step-security/harden-runner 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7a60b2..2cdd921 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,6 +34,12 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 @@ -50,6 +56,10 @@ jobs: - diagnostics runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index e83bd41..d2458d1 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -17,6 +17,12 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 @@ -38,6 +44,10 @@ jobs: issues: write runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 From 8a77a8b77a7d5e5247e8ff563d93a14510e09b9a Mon Sep 17 00:00:00 2001 
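Review bot: The new `GitHubSecurityLab/actions-permissions/monitor@v1` step is referenced by a floating major tag rather than a commit SHA, and the same commit adds it to the Dependabot ignore list (commented out here, enabled later in this series), so changes to an action that sits in the GITHUB_TOKEN path of every job will arrive without review. Pinning to a full commit SHA with a version comment, `uses: GitHubSecurityLab/actions-permissions/monitor@<full-sha> # v1.x`, is the usual mitigation and applies equally to `step-security/harden-runner@v2` in the context lines. The step is also placed ahead of `harden-runner`, so whatever it fetches or starts happens before any egress policy harden-runner applies; if both actions document themselves as needing to be first, record the chosen order and why in the comment above the step, e.g. `# monitor must run before harden-runner so its API proxy is in place; its own setup is therefore not covered by the egress policy`, rather than leaving only the duplicated "duplicate of this step" note.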
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 28 Oct 2024 17:09:15 -0400 Subject: [PATCH 237/383] Restrict permissions of GITHUB_TOKEN This changes the default permissions for the GITHUB_TOKEN used in our GitHub Actions configuration to the minimum required to successfully run. --- .github/workflows/build.yml | 5 +++++ .github/workflows/sync-labels.yml | 2 ++ 2 files changed, 7 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7a60b2..d4340af 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -30,6 +30,8 @@ env: jobs: diagnostics: name: Run diagnostics + # This job does not need any permissions + permissions: {} runs-on: ubuntu-latest steps: # Note that a duplicate of this step must be added at the top of @@ -48,6 +50,9 @@ jobs: lint: needs: - diagnostics + permissions: + # actions/checkout needs this to fetch code + contents: read runs-on: ubuntu-latest steps: - id: harden-runner diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index e83bd41..39e7379 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -13,6 +13,8 @@ permissions: jobs: diagnostics: name: Run diagnostics + # This job does not need any permissions + permissions: {} runs-on: ubuntu-latest steps: # Note that a duplicate of this step must be added at the top of From 3b1d4ef0fae08e6444e9b414ce1315841e681322 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 16 Oct 2024 12:53:42 -0400 Subject: [PATCH 238/383] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3cb1f85..26b399d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
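Review bot: The job-level `permissions:` blocks added here override the default only for `diagnostics` and `lint`; any job in build.yml without its own block (a later patch in this series adds blocks to `test`, `build` and `coveralls-finish` precisely because they lacked them) keeps whatever the repository's default GITHUB_TOKEN grant is, which can be read-write. A workflow-level `permissions: {}` next to `env:` would make least privilege the default and turn each job's block into an explicit opt-in; sync-labels.yml already has a top-level `permissions:` (visible in its hunk context), but the top of build.yml is outside this hunk so I cannot confirm it has one. Suggested lines for build.yml: `permissions: {}` preceded by the comment `# Least privilege by default; each job grants only what it needs`.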
@@ -10,7 +10,7 @@ repos: - id: check-useless-excludes - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -53,14 +53,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.2 + rev: 0.29.4 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.8.0 + rev: v4.0.1 hooks: - id: validate_manifest @@ -95,7 +95,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.9.0-1 + rev: v3.10.0-1 hooks: - id: shfmt args: @@ -125,7 +125,7 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.8.0 + rev: 24.10.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 @@ -139,7 +139,7 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.11.2 + rev: v1.13.0 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit @@ -155,7 +155,7 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.17.0 + rev: v3.19.0 hooks: - id: pyupgrade @@ -199,7 +199,7 @@ repos: # Packer hooks - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.1.0 + rev: v0.3.0 hooks: - id: packer_validate - id: packer_fmt From 1d285f2d851926effdbfbdcf58853ce70d1bf016 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 29 Oct 2024 16:36:27 -0400 Subject: [PATCH 239/383] Sort hook ids in each pre-commit hook entry Ensure that all hook ids are sorted alphabetically in each hook entry in our pre-commit configuration. --- .pre-commit-config.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3cb1f85..0fd3234 100644 --- a/.pre-commit-config.yaml 
+++ b/.pre-commit-config.yaml @@ -68,25 +68,25 @@ repos: - repo: https://github.com/TekWizely/pre-commit-golang rev: v1.0.0-rc.1 hooks: - # Style Checkers - - id: go-critic - # StaticCheck - - id: go-staticcheck-repo-mod # Go Build - id: go-build-repo-mod + # Style Checkers + - id: go-critic + # goimports + - id: go-imports-repo + args: + # Write changes to files + - -w # Go Mod Tidy - id: go-mod-tidy-repo + # GoSec + - id: go-sec-repo-mod + # StaticCheck + - id: go-staticcheck-repo-mod # Go Test - id: go-test-repo-mod # Go Vet - id: go-vet-repo-mod - # GoSec - - id: go-sec-repo-mod - # goimports - - id: go-imports-repo - args: - # Write changes to files - - -w # Nix hooks - repo: https://github.com/nix-community/nixpkgs-fmt rev: v1.3.0 @@ -201,5 +201,5 @@ repos: - repo: https://github.com/cisagov/pre-commit-packer rev: v0.1.0 hooks: - - id: packer_validate - id: packer_fmt + - id: packer_validate From fa665c8d25e8fe84af29cd55bde2c19a44cab7d3 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 31 Oct 2024 13:07:07 -0400 Subject: [PATCH 240/383] Upgrade bandit to 1.7.10 We should use the same version of bandit throughout the pre-commit configuration. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index bce9680..8dc060a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -133,7 +133,7 @@ repos: - --config=.bandit.yml # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit - rev: 1.7.8 + rev: 1.7.10 hooks: - id: bandit name: bandit (everything else) From ed10220013d4bf81f83a25c7b89292dcef0db1d9 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 31 Oct 2024 13:08:49 -0400 Subject: [PATCH 241/383] Add types-docopt dependency to mypy pre-commit hook This Python library is used in this project, so we should include it. --- .pre-commit-config.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8dc060a..360640d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -157,6 +157,7 @@ repos: hooks: - id: mypy additional_dependencies: + - types-docopt - types-setuptools - repo: https://github.com/pypa/pip-audit rev: v2.7.3 From 8b6267d2dc99f1456362441670124105b145ca24 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 31 Oct 2024 13:10:10 -0400 Subject: [PATCH 242/383] Uncomment Dependabot ignore directive from upstream --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 19f62df..b665db0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -16,7 +16,7 @@ updates: - dependency-name: crazy-max/ghaction-dump-context - dependency-name: crazy-max/ghaction-github-labeler - dependency-name: crazy-max/ghaction-github-status - # - dependency-name: GitHubSecurityLab/actions-permissions + - dependency-name: GitHubSecurityLab/actions-permissions - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate - dependency-name: step-security/harden-runner From 53a67a22a78dacdd7cd8fbc5c3ae013fd83fe1ba Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 31 Oct 2024 13:19:31 -0400 Subject: [PATCH 243/383] Add explicit permissions and GitHubSecurityLab/actions-permissions/monitor task for jobs that lack them --- .github/workflows/build.yml | 36 +++++++++++++++++++++++++++ .github/workflows/codeql-analysis.yml | 18 +++++++++++++- 2 files changed, 53 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f4bdd84..f328c33 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -176,6 +176,9 @@ jobs: name: test source - py${{ matrix.python-version }} needs: - diagnostics + permissions: + # actions/checkout needs this to fetch code + contents: read runs-on: ubuntu-latest strategy: fail-fast: false @@ -188,6 +191,12 @@ jobs: - "3.11" - "3.12" steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 @@ -233,11 +242,20 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE coveralls-finish: + permissions: + # actions/checkout needs this to fetch code + contents: read runs-on: ubuntu-latest needs: - diagnostics - test steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 @@ -282,6 +300,9 @@ jobs: - diagnostics - lint - test + permissions: + # actions/checkout needs this to fetch code + contents: read runs-on: ubuntu-latest strategy: fail-fast: false @@ -294,6 +315,12 @@ jobs: - "3.11" - "3.12" steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 @@ -337,6 +364,9 @@ jobs: needs: - diagnostics - build + permissions: + # actions/checkout needs this to fetch code + contents: read runs-on: ubuntu-latest strategy: fail-fast: false 
@@ -349,6 +379,12 @@ jobs: - "3.11" - "3.12" steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d097360..120e3c4 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -22,10 +22,18 @@ on: jobs: diagnostics: name: Run diagnostics + # This job does not need any permissions + permissions: {} runs-on: ubuntu-latest steps: # Note that a duplicate of this step must be added at the top of # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 @@ -41,10 +49,12 @@ jobs: name: Analyze needs: - diagnostics - runs-on: ubuntu-latest permissions: + # actions/checkout needs this to fetch code + contents: read # required for all workflows security-events: write + runs-on: ubuntu-latest strategy: fail-fast: false matrix: @@ -56,6 +66,12 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 
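Review bot: In the Analyze job the pre-existing `# required for all workflows` comment now sits between `contents: read` and `security-events: write` and reads as if it applied to the whole block; rewording it to `# codeql-action needs this to upload code-scanning results` keeps it accurate. GitHub's CodeQL starter workflow also grants `actions: read`, which the upload step needs in private repositories; since this is a skeleton that may be instantiated as a private repository, consider adding `actions: read  # needed by codeql-action in private repositories` (public repositories work without it).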
From 0777dc91989feae51ac46a165c782b68fcb01776 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 31 Oct 2024 13:22:43 -0400 Subject: [PATCH 244/383] Upgrade to actions/cache v4 --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f328c33..20c4bea 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -207,7 +207,7 @@ jobs: uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - - uses: actions/cache@v3 + - uses: actions/cache@v4 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-" @@ -268,7 +268,7 @@ jobs: uses: actions/setup-python@v5 with: python-version: ${{ steps.setup-env.outputs.python-version }} - - uses: actions/cache@v3 + - uses: actions/cache@v4 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-" @@ -331,7 +331,7 @@ jobs: uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - - uses: actions/cache@v3 + - uses: actions/cache@v4 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-" @@ -395,7 +395,7 @@ jobs: uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - - uses: actions/cache@v3 + - uses: actions/cache@v4 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-" From efb9279cf8da6415bd4e7c26342eeca05424574b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 31 Oct 2024 13:35:16 -0400 Subject: [PATCH 245/383] Remove needless shebang --- tests/test_example.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/test_example.py b/tests/test_example.py index f8dea67..96f4560 100644 --- a/tests/test_example.py +++ b/tests/test_example.py 
@@ -1,4 +1,3 @@ -#!/usr/bin/env pytest -vs """Tests for example.""" # Standard Python Libraries From 59756cc653826ca2f8f38e4d5ea712a8397c811b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 31 Oct 2024 14:24:59 -0400 Subject: [PATCH 246/383] Remove repeated comment --- .github/workflows/build.yml | 8 -------- .github/workflows/codeql-analysis.yml | 2 -- 2 files changed, 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 20c4bea..1b00efb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -191,8 +191,6 @@ jobs: - "3.11" - "3.12" steps: - # Note that a duplicate of this step must be added at the top of - # each job. - uses: GitHubSecurityLab/actions-permissions/monitor@v1 with: # Uses the organization variable unless overridden @@ -250,8 +248,6 @@ jobs: - diagnostics - test steps: - # Note that a duplicate of this step must be added at the top of - # each job. - uses: GitHubSecurityLab/actions-permissions/monitor@v1 with: # Uses the organization variable unless overridden @@ -315,8 +311,6 @@ jobs: - "3.11" - "3.12" steps: - # Note that a duplicate of this step must be added at the top of - # each job. - uses: GitHubSecurityLab/actions-permissions/monitor@v1 with: # Uses the organization variable unless overridden @@ -379,8 +373,6 @@ jobs: - "3.11" - "3.12" steps: - # Note that a duplicate of this step must be added at the top of - # each job. - uses: GitHubSecurityLab/actions-permissions/monitor@v1 with: # Uses the organization variable unless overridden diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 120e3c4..6f00a64 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -66,8 +66,6 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: - # Note that a duplicate of this step must be added at the top of - # each job. - uses: GitHubSecurityLab/actions-permissions/monitor@v1 with: # Uses the organization variable unless overridden From 8824475dfadd1a9cbc9ce9bd1c9f31e4a688994b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Nov 2024 12:25:35 -0400 Subject: [PATCH 247/383] Update the commented out dependabot ignore directives Add a directive for hashicorp/setup-packer that was missed when it was added to the `build` workflow. Add a directive for cisagov/setup-env-github-action that is not strictly necessary since we currently just pull from the `develop` branch, but is good to have in case we were to change that in the future. --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4a6667f..81cd6bd 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,10 +13,12 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: cisagov/setup-env-github-action # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: GitHubSecurityLab/actions-permissions + # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate # - dependency-name: step-security/harden-runner From 34b8efed29c51f0e1dcb1e877c81d498c61bfa35 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Wed, 6 Nov 2024 10:07:09 -0500 Subject: [PATCH 248/383] Resolve conflict from follow-on Lineage update --- .github/dependabot.yml | 20 ++------------------ 1 file changed, 2 insertions(+), 18 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 65e6858..0a3acd0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,17 +7,18 @@ updates: - directory: / -<<<<<<< HEAD ignore: # Managed by cisagov/skeleton-generic - dependency-name: actions/cache - dependency-name: actions/checkout - dependency-name: actions/setup-go - dependency-name: actions/setup-python + # - dependency-name: cisagov/setup-env-github-action - dependency-name: crazy-max/ghaction-dump-context - dependency-name: crazy-max/ghaction-github-labeler - dependency-name: crazy-max/ghaction-github-status - dependency-name: GitHubSecurityLab/actions-permissions + # - dependency-name: hashicorp/setup-packer - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate - dependency-name: step-security/harden-runner 
@@ -25,23 +26,6 @@ updates: # - dependency-name: actions/download-artifact # - dependency-name: actions/upload-artifact # - dependency-name: github/codeql-action -======= - # ignore: - # # Managed by cisagov/skeleton-generic - # - dependency-name: actions/cache - # - dependency-name: actions/checkout - # - dependency-name: actions/setup-go - # - dependency-name: actions/setup-python - # - dependency-name: cisagov/setup-env-github-action - # - dependency-name: crazy-max/ghaction-dump-context - # - dependency-name: crazy-max/ghaction-github-labeler - # - dependency-name: crazy-max/ghaction-github-status - # - dependency-name: GitHubSecurityLab/actions-permissions - # - dependency-name: hashicorp/setup-packer - # - dependency-name: hashicorp/setup-terraform - # - dependency-name: mxschmitt/action-tmate - # - dependency-name: step-security/harden-runner ->>>>>>> e6afb68083e4b6e1ec38f036dee2f5e294b5cc96 package-ecosystem: github-actions schedule: interval: weekly From 3ef4f2f84621b30a82d88601be4476d821a05f1b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 6 Nov 2024 10:08:04 -0500 Subject: [PATCH 249/383] Uncomment new Dependabot directives from upstream --- .github/dependabot.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0a3acd0..dc8d14f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -13,12 +13,12 @@ updates: - dependency-name: actions/checkout - dependency-name: actions/setup-go - dependency-name: actions/setup-python - # - dependency-name: cisagov/setup-env-github-action + - dependency-name: cisagov/setup-env-github-action - dependency-name: crazy-max/ghaction-dump-context - dependency-name: crazy-max/ghaction-github-labeler - dependency-name: crazy-max/ghaction-github-status - dependency-name: GitHubSecurityLab/actions-permissions - # - dependency-name: hashicorp/setup-packer + - dependency-name: hashicorp/setup-packer - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate - dependency-name: step-security/harden-runner From 12a91ad97e76cd2f221fffaef4f66956533f6540 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 8 Nov 2024 13:40:44 -0500 Subject: [PATCH 250/383] Bump up the lower bound on ansible-core This is being done because the pip-audit pre-commit hook identifies a vulnerability in ansible-core version 2.16.13. Note that this requires that we bump up ansible to version 10 since all versions of ansible 9 have a dependency on ~=2.16.X. --- .pre-commit-config.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5e1096..8b402fb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -176,17 +176,25 @@ repos: # necessary to add the ansible package itself as an # additional dependency, with the same pinning as is done in # requirements-test.txt of cisagov/skeleton-ansible-role. - # - ansible>=9,<10 + # + # Version 10 is required because the pip-audit pre-commit + # hook identifies a vulnerability in ansible-core 2.16.13, + # but all versions of ansible 9 have a dependency on + # ~=2.16.X. + # - ansible>=10,<11 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any # symlinked files in vars, tasks, etc. for any Ansible role # installed via ansible-galaxy. Hence we never want to # install those versions. # + # Note that the pip-audit pre-commit hook identifies a + # vulnerability in ansible-core 2.16.13. + # # Note that any changes made to this dependency must also be # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. - - ansible-core>=2.16.7 + - ansible-core>2.16.13 # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform From b9f798d03afb72f33ffa625982dd5b548dea5132 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 13 Nov 2024 10:29:42 -0500 Subject: [PATCH 251/383] Update the version of the ansible-lint pre-commit hook Version 24.10.0 is the first version that supports Fedora 41 as a valid platform. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5e1096..ebd6138 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -165,7 +165,7 @@ repos: # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.9.2 + rev: v24.10.0 hooks: - id: ansible-lint additional_dependencies: From cca133a2710c5ed99e4c0ce3d06a57ec118bcf13 Mon Sep 17 00:00:00 2001 
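Review bot: The new pin `- ansible-core>2.16.13` and the two comments that motivate it (the one in the ansible block and the one directly above the pin) both say pip-audit flagged ansible-core 2.16.13, but neither records which advisory was reported, so a later reader cannot verify that `>2.16.13` is really the fixed range or notice if the finding is withdrawn. Add the identifier from the hook output next to the pin, e.g. `# Excludes the version pip-audit flagged under <ADVISORY-ID>` (placeholder for the reported ID). The same sentence now appears twice in one hunk; the ansible comment could simply point at the ansible-core one instead of restating it.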
From: Jeremy Frasier Date: Wed, 13 Nov 2024 21:33:32 -0500 Subject: [PATCH 252/383] Adjust pin for ansible-core The pin of ansible-core was originally put in place because the pip-audit pre-commit hook identifies a vulnerability in ansible-core 2.16.13. Normally we would pin ansible-core to >2.16.13, but in the spirit of the earlier, optional pin of ansible>=10 we pin ansible-core to >=2.17. This effectively also pins ansible to >=10. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8b402fb..b61a8f5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -189,12 +189,14 @@ repos: # install those versions. # # Note that the pip-audit pre-commit hook identifies a - # vulnerability in ansible-core 2.16.13. + # vulnerability in ansible-core 2.16.13. The pin of + # ansible-core to >=2.17 effectively also pins ansible to + # >=10. # # Note that any changes made to this dependency must also be # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. - - ansible-core>2.16.13 + - ansible-core>=2.17 # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform From bd852610595fdd2eee77f489d4b184f88d90643b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 20 Nov 2024 12:21:14 -0500 Subject: [PATCH 253/383] Add comments about looming EOL issues for ansible and ansible-core This adds even more evidence for why it is a good idea to go ahead and upgrade ansible and ansible-core, in addition to the vulnerability that pip-audit turned up. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b61a8f5..97fbf1c 100644 --- a/.pre-commit-config.yaml 
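Review bot: With the pin now `- ansible-core>=2.17`, the paragraph ending at `# install those versions.` at the top of the hunk (about 2.16.3 through 2.16.6 and ansible/ansible#82702) describes a range the pin already excludes, yet it still reads as if a separate 2.16.x floor is in force. Add one line to tie the two together, e.g. `# (That range is already excluded by the >=2.17 pin below; kept for history.)`, so nobody relaxes the pin back into 2.16 believing only 2.16.7+ matters. The comment block continues above the hunk.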
+++ b/.pre-commit-config.yaml @@ -181,6 +181,10 @@ repos: # hook identifies a vulnerability in ansible-core 2.16.13, # but all versions of ansible 9 have a dependency on # ~=2.16.X. + # + # It is also a good idea to go ahead and upgrade to version + # 10 since version 9 is going EOL at the end of November: + # https://endoflife.date/ansible # - ansible>=10,<11 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any @@ -193,6 +197,11 @@ repos: # ansible-core to >=2.17 effectively also pins ansible to # >=10. # + # It is also a good idea to go ahead and upgrade to + # ansible-core 2.17 since security support for ansible-core + # 2.16 ends this month: + # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix + # # Note that any changes made to this dependency must also be # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. From 162e2c2459cbf565584686a04cc59fab81101843 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 20 Nov 2024 14:40:23 -0500 Subject: [PATCH 254/383] Fix spelling error in comment --- setup-env | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 059ccad..f3304d9 100755 --- a/setup-env +++ b/setup-env @@ -74,7 +74,8 @@ check_python_version() { "invalid version of Python." exit 1 # Else if the Python version isn't installed then notify the user. - # grep -E is used for searching through text lines that match the specific verison. + # grep -E is used for searching through text lines that match the + # specific version. elif ! python_versions | grep -E "^${version}$" > /dev/null; then echo "Error: Python version $version is not installed." echo "Installed Python versions are:" From 5a3ac91d11700566e7df2bb926a13301e5912096 Mon Sep 17 00:00:00 2001 
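Review bot: The added EOL notes are relative to the commit date: `# 10 since version 9 is going EOL at the end of November:` and, in the `@@ -193,6 +197,11 @@` hunk below, `# 2.16 ends this month:` give no year, so in a few months the comments no longer say when the deadline was. The commit is dated 20 Nov 2024; writing `end of November 2024` and `ends in November 2024` keeps the rationale readable without the git log. The two linked pages move, so the dated form also tells a reader whether the link is still worth following.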
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 15 Nov 2021 11:47:49 -0500 Subject: [PATCH 255/383] Adjust the indentation rule for yamllint Use a specific number of spaces instead of the default of only caring if the number of spaces used is consistent within a file. Ensure that block sequences inside of mappings are indented. --- .yamllint | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.yamllint b/.yamllint index 2a119a6..56e6d6e 100644 --- a/.yamllint +++ b/.yamllint @@ -8,6 +8,12 @@ rules: # this behavior. comments-indentation: disable + indentation: + # Ensure that block sequences inside of a mapping are indented + indent-sequences: true + # Enforce a specific number of spaces + spaces: 2 + # yamllint does not allow inline mappings that exceed the line length by # default. There are many scenarios where the inline mapping may be a key, # hash, or other long value that would exceed the line length but cannot From ac080edea412b521cc37c732e6817a0d6ed26694 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 15 Nov 2021 11:55:41 -0500 Subject: [PATCH 256/383] Update yamllint to disallow non-empty flow collection styles The use of flow sequences and mappings is not as readable as block collections and so should be discouraged. Since it is a cleaner representation for empty collections we will allow those, but if an application otherwise requires flow collections they can be explicitly enabled by disabling the checks per https://yamllint.readthedocs.io/en/stable/disable_with_comments.html --- .yamllint | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.yamllint b/.yamllint index 56e6d6e..59fd2e9 100644 --- a/.yamllint +++ b/.yamllint 
@@ -2,6 +2,14 @@ extends: default rules: + braces: + # Do not allow non-empty flow mappings + forbid: non-empty + + brackets: + # Do not allow non-empty flow sequences + forbid: non-empty + # yamllint does not like it when you comment out different parts of # dictionaries in a list. You can see # https://github.com/adrienverge/yamllint/issues/384 for some examples of From 66cdbf548778a40b321d8142ab481e8c43202995 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 4 Dec 2024 06:12:04 -0500 Subject: [PATCH 257/383] Add yamllint configuration settings to appease ansible-lint When running ansible-lint it will throw the following warning with our current configuration: WARNING Found incompatible custom yamllint configuration (.yamllint), please either remove the file or edit it to comply with: - comments.min-spaces-from-content must be 1 - braces.max-spaces-inside must be 1 - octal-values.forbid-implicit-octal must be true - octal-values.forbid-explicit-octal must be true. Thus we implement these configuration rules. --- .yamllint | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.yamllint b/.yamllint index 59fd2e9..0a2af51 100644 --- a/.yamllint +++ b/.yamllint @@ -5,11 +5,18 @@ rules: braces: # Do not allow non-empty flow mappings forbid: non-empty + # Allow up to one space inside braces. This is required for Ansible compatibility. + max-spaces-inside: 1 brackets: # Do not allow non-empty flow sequences forbid: non-empty + comments: + # Ensure that inline comments have at least one space before the preceding content. + # This is required for Ansible compatibility. + min-spaces-from-content: 1 + # yamllint does not like it when you comment out different parts of # dictionaries in a list. You can see # https://github.com/adrienverge/yamllint/issues/384 for some examples of 
@@ -32,6 +39,17 @@ rules: # Allows a 10% overage from the default limit of 80 max: 88 + # Using anything other than strings to express octal values can lead to unexpected + # and potentially unsafe behavior. Ansible strongly recommends against such practices + # and these rules are needed for Ansible compatibility. Please see the following for + # more information: + # https://ansible.readthedocs.io/projects/lint/rules/risky-octal/ + octal-values: + # Do not allow explicit octal values (those beginning with a leading 0o). + forbid-explicit-octal: true + # Do not allow implicit octal values (those beginning with a leading 0). + forbid-implicit-octal: true + # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable From dd102fe0adb490098968509c79530bd13af52a86 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 4 Dec 2024 06:28:15 -0500 Subject: [PATCH 258/383] Re-enable the yamllint truthy rule Previously we disabled the `truthy` rule due to Ansible's use of `yes`/`no` for boolean values. That is no longer the case and the default configuration used by ansible-lint now has this rule enabled. The use of `on` as a key in GitHub Actions workflow syntax means we needed to add disable-line comments for the truthy rule. --- .github/workflows/build.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- .yamllint | 4 ---- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 15a004c..082f150 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,7 +1,7 @@ --- name: build -on: +on: # yamllint disable-line rule:truthy merge_group: types: - checks_requested diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0005147..b8ecfa6 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
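Review bot: The comments above `forbid-explicit-octal: true` and `forbid-implicit-octal: true` explain what each option does but not why the stanza is needed at all: as far as I recall, `octal-values` is disabled in yamllint's `default` configuration and both options already default to true once the rule is active, so the effect of this block is to turn the rule on rather than to change the options. Say so explicitly, e.g. `# The octal-values rule is off in the default configuration; this stanza enables it.`, so nobody later "simplifies" the block by deleting the two true values and silently drops the check. Worth confirming against the yamllint version pinned in .pre-commit-config.yaml.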
@@ -1,7 +1,7 @@ --- name: sync-labels -on: +on: # yamllint disable-line rule:truthy push: paths: - .github/labels.yml diff --git a/.yamllint b/.yamllint index 0a2af51..de2e183 100644 --- a/.yamllint +++ b/.yamllint @@ -49,7 +49,3 @@ rules: forbid-explicit-octal: true # Do not allow implicit octal values (those beginning with a leading 0). forbid-implicit-octal: true - - # yamllint doesn't like when we use yes and no for true and false, - # but that's pretty standard in Ansible. - truthy: disable From dc891af40f7c0e8d69a8e57c6bc32f8c16c340e5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 4 Dec 2024 16:12:32 -0500 Subject: [PATCH 259/383] Configure quoted strings rule for yamllint Add a configuration for the `quoted-strings` rule that matches our best practices. Other files are updated to comply with these new settings. --- .github/labels.yml | 40 ++++++++++++++++++------------------- .github/workflows/build.yml | 8 ++++---- .mdl_config.yaml | 14 ++++++------- .yamllint | 11 ++++++++++ 4 files changed, 42 insertions(+), 31 deletions(-) diff --git a/.github/labels.yml b/.github/labels.yml index 5b16492..fe9a53e 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
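Review bot: Removing `truthy: disable` from .yamllint means every workflow's `on:` key now needs a `# yamllint disable-line rule:truthy` marker, as the two workflow hunks in this commit (this one and the build.yml hunk above) show, and each future workflow will need the same. The `truthy` rule has a `check-keys` option; setting `truthy:` / `  check-keys: false` in .yamllint keeps value checking (`yes`/`no`/`on` as values are still rejected) while dropping the per-file markers. Whether ansible-lint's compatibility check accepts that setting should be confirmed before switching, since the commit message says its default configuration was the reason for re-enabling the rule.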
@@ -2,69 +2,69 @@ # Rather than breaking up descriptions into multiline strings we disable that # specific rule in yamllint for this file. # yamllint disable rule:line-length -- color: "eb6420" +- color: eb6420 description: This issue or pull request is awaiting the outcome of another issue or pull request name: blocked - color: "000000" description: This issue or pull request involves changes to existing functionality name: breaking change -- color: "d73a4a" +- color: d73a4a description: This issue or pull request addresses broken functionality name: bug -- color: "07648d" +- color: 07648d description: This issue will be advertised on code.gov's Open Tasks page (https://code.gov/open-tasks) name: code.gov -- color: "0366d6" +- color: 0366d6 description: Pull requests that update a dependency file name: dependencies -- color: "5319e7" +- color: 5319e7 description: This issue or pull request improves or adds to documentation name: documentation -- color: "cfd3d7" +- color: cfd3d7 description: This issue or pull request already exists or is covered in another issue or pull request name: duplicate -- color: "b005bc" +- color: b005bc description: A high-level objective issue encompassing multiple issues instead of a specific unit of work name: epic - color: "000000" description: Pull requests that update GitHub Actions code name: github-actions -- color: "0e8a16" +- color: 0e8a16 description: This issue or pull request is well-defined and good for newcomers name: good first issue -- color: "ff7518" +- color: ff7518 description: Pull request that should count toward Hacktoberfest participation name: hacktoberfest-accepted -- color: "a2eeef" +- color: a2eeef description: This issue or pull request will add or improve functionality, maintainability, or ease of use name: improvement -- color: "fef2c0" +- color: fef2c0 description: This issue or pull request is not applicable, incorrect, or obsolete name: invalid -- color: "ce099a" +- color: ce099a description: This pull 
request is ready to merge during the next Lineage Kraken release name: kraken 🐙 -- color: "a4fc5d" +- color: a4fc5d description: This issue or pull request requires further information name: need info -- color: "fcdb45" +- color: fcdb45 description: This pull request is awaiting an action or decision to move forward name: on hold -- color: "ef476c" +- color: ef476c description: This issue is a request for information or needs discussion name: question -- color: "d73a4a" +- color: d73a4a description: This issue or pull request addresses a security issue name: security -- color: "00008b" +- color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test -- color: "1d76db" +- color: 1d76db description: This issue or pull request pulls in upstream updates name: upstream update -- color: "d4c5f9" +- color: d4c5f9 description: This issue or pull request increments the version number name: version bump -- color: "ffffff" +- color: ffffff description: This issue will not be incorporated name: wontfix diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 082f150..98a9ebc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
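Review bot: Unquoting the hex colours leaves an undocumented invariant in this file: the two `- color: "000000"` entries stay quoted because the bare value would load as an integer, and the same applies to any future colour whose digits happen to form a number or a float-like token. The `quoted-strings` rule with `required: only-when-needed` cannot catch a bare `color: 123456` for you, since yamllint would see an int rather than an unquoted string, so the labeler would receive a number. Add a line under the existing `# yamllint disable rule:line-length` header such as `# Colours that consist only of digits must stay quoted or YAML loads them as numbers.`. The file header is outside the hunk.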
@@ -92,16 +92,16 @@ jobs: echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - uses: actions/cache@v4 env: - BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ + BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-\ go${{ steps.setup-go.outputs.go-version }}-\ packer${{ steps.setup-env.outputs.packer-version }}-\ - tf${{ steps.setup-env.outputs.terraform-version }}-" + tf${{ steps.setup-env.outputs.terraform-version }}- with: - key: "${{ env.BASE_CACHE_KEY }}\ + key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('**/.pre-commit-config.yaml') }}" + ${{ hashFiles('**/.pre-commit-config.yaml') }} # Note that the .terraform directory IS NOT included in the # cache because if we were caching, then we would need to use # the `-upgrade=true` option. This option blindly pulls down the diff --git a/.mdl_config.yaml b/.mdl_config.yaml index 4a650c1..1b48994 100644 --- a/.mdl_config.yaml +++ b/.mdl_config.yaml @@ -6,12 +6,12 @@ default: true # MD003/heading-style/header-style - Heading style MD003: # Enforce the ATX-closed style of header - style: "atx_closed" + style: atx_closed # MD004/ul-style - Unordered list style MD004: # Enforce dashes for unordered lists - style: "dash" + style: dash # MD013/line-length - Line length MD013: @@ -30,7 +30,7 @@ MD024: # MD029/ol-prefix - Ordered list item prefix MD029: # Enforce the `1.` style for ordered lists - style: "one" + style: one # MD033/no-inline-html - Inline HTML MD033: 
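Review bot: Dropping the double quotes around `BASE_CACHE_KEY` and `key` changes their values, not just their style: a trailing `\` is an escaped line break only inside a double-quoted scalar, whereas in a plain multi-line scalar it is a literal backslash and each line break folds to a space, so the cache key becomes `<job>-<os>-\ py…-\ go…` with embedded backslashes and spaces instead of one concatenated token. The cache still "works" because the key is stable, but it no longer matches the format the comments describe and any other job or tooling that rebuilds the key will miss. Either restore the quotes and exempt both scalars with `# yamllint disable-line rule:quoted-strings` on the line before each, or join each key onto a single line with no continuation. The `with:` block continues outside the hunk.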
@@ -42,19 +42,19 @@ MD033: # MD035/hr-style - Horizontal rule style MD035: # Enforce dashes for horizontal rules - style: "---" + style: --- # MD046/code-block-style - Code block style MD046: # Enforce the fenced style for code blocks - style: "fenced" + style: fenced # MD049/emphasis-style - Emphasis style should be consistent MD049: # Enforce asterisks as the style to use for emphasis - style: "asterisk" + style: asterisk # MD050/strong-style - Strong style should be consistent MD050: # Enforce asterisks as the style to use for strong - style: "asterisk" + style: asterisk diff --git a/.yamllint b/.yamllint index de2e183..00e85a6 100644 --- a/.yamllint +++ b/.yamllint @@ -49,3 +49,14 @@ rules: forbid-explicit-octal: true # Do not allow implicit octal values (those beginning with a leading 0). forbid-implicit-octal: true + + quoted-strings: + # Allow disallowed quotes (single quotes) for strings that contain allowed quotes + # (double quotes). + allow-quoted-quotes: true + # Apply these rules to keys in mappings as well + check-keys: true + # We prefer double quotes for strings when they are needed + quote-type: double + # Only require quotes when they are necessary for proper processing + required: only-when-needed From 72532d1dd366a13a07586368b50c22728069a419 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 7 Feb 2025 10:52:42 -0500 Subject: [PATCH 260/383] Upgrade GH Action in CodeQL workflow We are using crazy-max/ghaction-github-status@v4 in our other workflows, so we should use it here too. --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6f00a64..bb8d9fa 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -41,7 +41,7 @@ jobs: egress-policy: audit - id: github-status name: Check GitHub status - uses: crazy-max/ghaction-github-status@v3 + uses: crazy-max/ghaction-github-status@v4 - id: dump-context name: Dump context uses: crazy-max/ghaction-dump-context@v2 From 03933fe233e5a6e41f8adf452e7e7b3e548236e4 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 10 Mar 2025 13:14:59 -0400 Subject: [PATCH 261/383] Add version file and bump_version script Also add semver as a dev requirement. I'd like to start versioning descendants of skeleton-ansible-role (in anticipation of pinning Ansible role versions at a future date), and I thought it would make sense to go ahead and implement this at the skeleton-generic level to force us to start versioning all repositories. Repositories that already version can ignore these changes when they flow down via Lineage, since they will already have their own version files and version-bumping script. --- bump-version | 172 +++++++++++++++++++++++++++++++++++++++++++ requirements-dev.txt | 2 + version.txt | 1 + 3 files changed, 175 insertions(+) create mode 100755 bump-version create mode 100644 version.txt diff --git a/bump-version b/bump-version new file mode 100755 index 0000000..15b4af1 --- /dev/null +++ b/bump-version 
@@ -0,0 +1,172 @@ +#!/usr/bin/env bash + +# bump-version [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show) +# bump-version --list-files + +set -o nounset +set -o errexit +set -o pipefail + +# Stores the canonical version for the project. +VERSION_FILE=version.txt +# Files that should be updated with the new version. +VERSION_FILES=("$VERSION_FILE") + +USAGE=$( + cat << END_OF_LINE +Update the version of the project. + +Usage: + ${0##*/} [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show) + ${0##*/} --list-files + ${0##*/} (-h | --help) + +Options: + -h | --help Show this message. + --push Perform a \`git push\` after updating the version. + --label LABEL Specify the label to use when updating the build or prerelease version. + --list-files List the files that will be updated when the version is bumped. +END_OF_LINE +) + +old_version=$(< "$VERSION_FILE") +# Comment out periods so they are interpreted as periods and don't +# just match any character +old_version_regex=${old_version//\./\\\.} +new_version="$old_version" + +bump_part="" +label="" +commit_prefix="Bump" +with_push=false +commands_with_label=("build" "prerelease") +commands_with_prerelease=("major" "minor" "patch") +with_prerelease=false + +####################################### +# Display an error message, the help information, and exit with a non-zero status. +# Arguments: +# Error message. +####################################### +function invalid_option() { + echo "$1" + echo "$USAGE" + exit 1 +} + +####################################### +# Bump the version using the provided command. +# Arguments: +# The version to bump. +# The command to bump the version. +# Returns: +# The new version. 
+####################################### +function bump_version() { + local temp_version + temp_version=$(python -c "import semver; print(semver.parse_version_info('$1').${2})") + echo "$temp_version" +} + +if [ $# -eq 0 ]; then + echo "$USAGE" + exit 1 +else + while [ $# -gt 0 ]; do + case $1 in + --push) + if [ "$with_push" = true ]; then + invalid_option "Push has already been set." + fi + + with_push=true + shift + ;; + --label) + if [ -n "$label" ]; then + invalid_option "Label has already been set." + fi + + label="$2" + shift 2 + ;; + build | finalize | major | minor | patch) + if [ -n "$bump_part" ]; then + invalid_option "Only one version part should be bumped at a time." + fi + + bump_part="$1" + shift + ;; + prerelease) + with_prerelease=true + shift + ;; + show) + echo "$old_version" + exit 0 + ;; + -h | --help) + echo "$USAGE" + exit 0 + ;; + --list-files) + printf '%s\n' "${VERSION_FILES[@]}" + exit 0 + ;; + *) + invalid_option "Invalid option: $1" + ;; + esac + done +fi + +if [ -n "$label" ] && [ "$with_prerelease" = false ] && [[ ! " ${commands_with_label[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then + invalid_option "Setting the label is only allowed for the following commands: ${commands_with_label[*]}" +fi + +if [ "$with_prerelease" = true ] && [ -n "$bump_part" ] && [[ ! 
" ${commands_with_prerelease[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then + invalid_option "Changing the prerelease is only allowed in conjunction with the following commands: ${commands_with_prerelease[*]}" +fi + +label_option="" +if [ -n "$label" ]; then + label_option="token='$label'" +fi + +if [ -n "$bump_part" ]; then + if [ "$bump_part" = "finalize" ]; then + commit_prefix="Finalize" + bump_command="finalize_version()" + elif [ "$bump_part" = "build" ]; then + bump_command="bump_${bump_part}($label_option)" + else + bump_command="bump_${bump_part}()" + fi + new_version=$(bump_version "$old_version" "$bump_command") + echo Changing version from "$old_version" to "$new_version" +fi + +if [ "$with_prerelease" = true ]; then + bump_command="bump_prerelease($label_option)" + temp_version=$(bump_version "$new_version" "$bump_command") + echo Changing version from "$new_version" to "$temp_version" + new_version="$temp_version" +fi + +tmp_file=/tmp/version.$$ +for version_file in "${VERSION_FILES[@]}"; do + if [ ! -f "$version_file" ]; then + echo Missing expected file: "$version_file" + exit 1 + fi + sed "s/$old_version_regex/$new_version/" "$version_file" > $tmp_file + mv $tmp_file "$version_file" +done + +git add "${VERSION_FILES[@]}" +git commit --message "$commit_prefix version from $old_version to $new_version" + +if [ "$with_push" = true ]; then + git push +fi diff --git a/requirements-dev.txt b/requirements-dev.txt index d84ee68..23d5741 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,2 +1,4 @@ --requirement requirements-test.txt ipython +# The bump-version script requires at least version 3 of semver. +semver>=3 diff --git a/version.txt b/version.txt new file mode 100644 index 0000000..8acdd82 --- /dev/null +++ b/version.txt @@ -0,0 +1 @@ +0.0.1 From 3401551afa5a894f9a0f82c86d3fd9e1b8cadf0f Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Mon, 10 Mar 2025 13:24:29 -0400 Subject: [PATCH 262/383] Bump version from 0.0.1 to 0.0.1-rc.1 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 8acdd82..871d40b 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.0.1 +0.0.1-rc.1 From 5b5a52684119ae107f2b1fedf9e4fb0b7757047a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:34:09 -0500 Subject: [PATCH 263/383] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 144df31..c165bde 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -39,17 +39,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.42.0 + rev: v0.44.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/rbubley/mirrors-prettier - rev: v3.3.3 + rev: v3.5.3 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.35.1 + rev: v1.37.0 hooks: - id: yamllint args: @@ -57,14 +57,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.4 + rev: 0.32.1 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.0.1 + rev: v4.2.0 hooks: - id: validate_manifest @@ -99,7 +99,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.10.0-1 + rev: v3.11.0-1 hooks: - id: shfmt args: 
@@ -123,31 +123,31 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.10 + rev: 1.8.3 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.10.0 + rev: 25.1.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.1.1 + rev: 7.1.2 hooks: - id: flake8 additional_dependencies: - flake8-docstrings==1.7.0 - repo: https://github.com/PyCQA/isort - rev: 5.13.2 + rev: 6.0.1 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.13.0 + rev: v1.15.0 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit - rev: v2.7.3 + rev: v2.8.0 hooks: - id: pip-audit args: @@ -159,13 +159,13 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.19.0 + rev: v3.19.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.10.0 + rev: v25.1.3 hooks: - id: ansible-lint additional_dependencies: @@ -209,7 +209,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.96.1 + rev: v1.98.0 hooks: - id: terraform_fmt - id: terraform_validate From da028eae03932a532ee61901b3dc8eea12f3728e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 15:16:38 -0500 Subject: [PATCH 264/383] Apply our standard job preamble via cisagov/action-job-preamble This new action simply applies our standard permissions monitoring and runner hardening. Using it allows us to DRY out the GH Actions workflows in our skeleton repositories a bit. --- .github/workflows/build.yml | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 98a9ebc..ac74007 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -36,17 +36,7 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + - uses: cisagov/action-job-preamble@first-commits - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 @@ -61,15 +51,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + - uses: cisagov/action-job-preamble@first-commits - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 0e93632ab21c50598e2cbf88ab5327705c1d8d7c Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 15:43:45 -0500 Subject: [PATCH 265/383] Set actions_permissions_config input --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ac74007..4d5f1cb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,6 +37,8 @@ jobs: # Note that a duplicate of this step must be added at the top of # each job. - uses: cisagov/action-job-preamble@first-commits + with: + actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 
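Review bot: `- uses: cisagov/action-job-preamble@first-commits` references a branch rather than a release tag or full commit SHA for the step that now carries the runner hardening and permissions monitoring of both jobs (this hunk and the `@@ -61,15 +51,7 @@` hunk below), so the security preamble changes whenever that branch moves and Dependabot has nothing to track. The branch name suggests the action is not yet released; until it is, mark the ref as temporary with `# TODO: pin to a release tag or SHA once cisagov/action-job-preamble is published` and switch to `uses: cisagov/action-job-preamble@<TAG-OR-SHA>` (placeholder) as soon as one exists. The "duplicate of this step" comment above the first change still applies and is worth keeping in sync across jobs.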
@@ -52,6 +54,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: cisagov/action-job-preamble@first-commits + with: + actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 8b2ac55da906e27c05fea416d06129c7f8b98324 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 15:58:45 -0500 Subject: [PATCH 266/383] Add a friendly name to the cisagov/action-job-preamble steps --- .github/workflows/build.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4d5f1cb..b37436d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -36,7 +36,8 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: cisagov/action-job-preamble@first-commits + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status @@ -53,7 +54,8 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: cisagov/action-job-preamble@first-commits + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env From 864b5af7d95f396956972948484eec0cdbd6647b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 22:26:44 -0500 Subject: [PATCH 267/383] Add a Dependabot ignore directive for cisagov/action-job-preamble Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 81cd6bd..3521754 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -13,6 +13,7 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: cisagov/action-job-preamble # - dependency-name: cisagov/setup-env-github-action # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler From 8cdce2a0185d082b3896eedae10d7cfb363df2e7 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 22 Feb 2025 21:39:04 -0500 Subject: [PATCH 268/383] Update input name for cisagov/action-job-preamble --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b37436d..21ee0f1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,7 +39,7 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@first-commits with: - actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 @@ -57,7 +57,7 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@first-commits with: - actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 17b93ec6464a2e44a950889fb9e5e5456819a77f Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Sat, 22 Feb 2025 21:45:41 -0500 Subject: [PATCH 269/383] Remove two Dependabot ignore directives GitHubSecurityLab/actions-permissions and step-security/harden-runner are no longer direct dependencies since we are now using cisagov/action-job-preamble. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3521754..3df3371 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -18,11 +18,9 @@ updates: # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status - # - dependency-name: GitHubSecurityLab/actions-permissions # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate - # - dependency-name: step-security/harden-runner package-ecosystem: github-actions schedule: interval: weekly From 6a9e3314d8aebe6a1be685d32b0af092d6dc8324 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 22 Feb 2025 21:50:22 -0500 Subject: [PATCH 270/383] Use cisagov/action-job-preamble in sync-labels.yml workflow Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/sync-labels.yml | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index b8ecfa6..0683eed 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -20,17 +20,10 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 @@ -47,15 +40,10 @@ jobs: issues: write runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: - egress-policy: audit + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels if: success() From b5b3b9d0dd04767342997795bc4a288b222762c8 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sun, 23 Feb 2025 08:35:09 -0500 Subject: [PATCH 271/383] Use v1 tag of cisagov/action-job-preamble --- .github/workflows/build.yml | 4 ++-- .github/workflows/sync-labels.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 21ee0f1..e0546d2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
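Review bot: The labeler job runs with `issues: write`, and the second hunk removes the only step in it that spelled out an egress policy (`egress-policy: audit`), leaving the composite to decide what outbound traffic is permitted from a job holding a write-scoped token. If the preamble exposes an egress-policy input, set it explicitly here, and for this job — which presumably only needs the GitHub API — consider a blocking policy with an allow-list rather than audit-only. The `Sync repository labels` step that actually uses the token starts in the hunk but continues past it.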
@@ -37,7 +37,7 @@ jobs: # Note that a duplicate of this step must be added at the top of # each job. - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status @@ -55,7 +55,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0683eed..9442a1c 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -21,7 +21,7 @@ jobs: # Note that a duplicate of this step must be added at the top of # each job. - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 From 3ec1b1f19ef6bbc7f698a36b40ec0bba7d7eb5bc Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 24 Feb 2025 13:28:48 -0500 Subject: [PATCH 272/383] Re-add comment explaining where the org var comes from Flesh out the comment a little so its meaning is clearer. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++++ .github/workflows/sync-labels.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e0546d2..fcd740b 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,6 +39,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status @@ -57,6 +59,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 9442a1c..0a27b59 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -23,6 +23,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status @@ -43,6 +45,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels From 764df0c1797700b585577850b96ca41f6ceb80d6 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Tue, 25 Feb 2025 14:43:59 -0500 Subject: [PATCH 273/383] Flesh out org var comment even more Make sure to mention that the permissions monitoring config can be changed by creating a repo-level variable; there is no need to modify the workflow. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 30 ++++++++++++++++++++++++++---- .github/workflows/sync-labels.yml | 30 ++++++++++++++++++++++++++---- 2 files changed, 52 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fcd740b..d9ca254 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,8 +39,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status 
@@ -59,8 +70,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0a27b59..351d33b 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -23,8 +23,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status @@ -45,8 +56,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels From c271b40846324b48f6c511209925f00a5a48264d Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Wed, 26 Mar 2025 11:34:33 -0400 Subject: [PATCH 274/383] Subsume GH status checks and context dumping into cisagov/action-job-preamble This action supports this functionality now, so we may as well take advantage of it. Also disable GH permissions monitoring, since that functionality is poorly implemented and has been causing a lot of problems due to the MITM implementation hogging or leaking memory. --- .github/dependabot.yml | 2 -- .github/workflows/build.yml | 16 ++++++++++------ .github/workflows/sync-labels.yml | 16 ++++++++++------ 3 files changed, 20 insertions(+), 14 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3df3371..7aa2f06 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -15,9 +15,7 @@ updates: # - dependency-name: actions/setup-python # - dependency-name: cisagov/action-job-preamble # - dependency-name: cisagov/setup-env-github-action - # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler - # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d9ca254..9ffe432 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,6 +39,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
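Review bot: `monitor_permissions: "false"` switches the permissions monitor off, yet the `permissions_monitoring_config` input and the twelve-line comment explaining how to override it stay in place, so the diagnostics-job hunk now documents a setting that has no effect. Either drop the input and its comment or add a one-line note such as `# Retained so monitoring can be re-enabled without editing this workflow.` so the next reader does not assume monitoring is active. The inline justification names the memory problem but gives no condition for turning the check back on; with it off, the static `permissions:` blocks on each job are the only least-privilege control, which is worth stating: `# With monitoring disabled, the job-level permissions: blocks are not verified at runtime.`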
@@ -53,12 +59,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 lint: needs: - diagnostics @@ -70,6 +70,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 351d33b..56859f2 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -23,6 +23,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level @@ -37,12 +43,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 labeler: needs: - diagnostics 
@@ -56,6 +56,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From c4b192b6b0465f460127884aeedc19727e0bf311 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 1 Mar 2025 23:06:00 -0500 Subject: [PATCH 275/383] Add a CodeQL workflow to this repository CodeQL now supports GitHub Actions as a language, so it makes sense to add such a workflow to this repository. See this link for more details: https://github.blog/changelog/2024-12-17-find-and-fix-actions-workflows-vulnerabilities-with-codeql-public-preview/ --- .github/workflows/codeql-analysis.yml | 112 ++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..0136466 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml 
@@ -0,0 +1,112 @@ +--- +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +name: CodeQL + +on: + merge_group: + types: + - checks_requested + push: + # Dependabot triggered push events have read-only access, but uploading code + # scanning requires write access. + branches-ignore: + - dependabot/** + pull_request: + # The branches below must be a subset of the branches above + branches: + - develop + schedule: + - cron: '0 2 * * 6' + +jobs: + diagnostics: + name: Run diagnostics + # This job does not need any permissions + permissions: {} + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v4 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 + analyze: + name: Analyze + needs: + - diagnostics + runs-on: ubuntu-latest + permissions: + # actions/checkout needs this to fetch code + contents: read + # required for all workflows + security-events: write + strategy: + fail-fast: false + matrix: + # Override automatic language detection by changing the below + # list + # + # Supported options are actions, c-cpp, csharp, go, + # java-kotlin, javascript-typescript, python, ruby, and swift. + language: + - actions + # Learn more... 
+ # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection + + steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + # Autobuild attempts to build any compiled languages (C/C++, C#, or + # Java). If this step fails, then you should remove it and run the build + # manually (see below). + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # âœī¸ If the Autobuild fails above, remove it and uncomment the following + # three lines and modify them (or add more) to build your code if your + # project uses a compiled language + + # - run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 From 0032cc2df6db1a1a472679933df3e95f8612a540 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Mon, 3 Mar 2025 15:19:29 -0500 Subject: [PATCH 276/383] Update comment to match what is in cisagov/skeleton-docker Also correctly sort YAML keys. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0136466..595f058 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
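Review bot: The `Autobuild` step in the analyze job is carried over from the compiled-language template; with `language: actions` as the only matrix entry there is nothing to compile, so it is at best a no-op and adds a third-party action invocation (plus the "If the Autobuild fails" boilerplate below it) to a job that holds a `security-events: write` token — drop it, or document why it is kept. The `pull_request` trigger only fires for PRs targeting `develop`, so PRs against any other long-lived branch are never scanned; confirm that matches the branching model and say so in the comment above `branches`. Every action here is referenced by a mutable tag (`@v1`, `@v2`, `@v3`, `@v4`); for a workflow that uploads security results, pinning to full commit SHAs with the tag in a trailing comment is the usual hardening.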
@@ -10,15 +10,15 @@ on: merge_group: types: - checks_requested + pull_request: + # The branches here must be a subset of the ones in the push key + branches: + - develop push: - # Dependabot triggered push events have read-only access, but uploading code + # Dependabot-triggered push events have read-only access, but uploading code # scanning requires write access. branches-ignore: - dependabot/** - pull_request: - # The branches below must be a subset of the branches above - branches: - - develop schedule: - cron: '0 2 * * 6' From 0534337d4724f53447f0c47c345ef4cb14c64d0d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 11:19:04 -0500 Subject: [PATCH 277/383] Use cisagov/action-job-preamble This aligns with the changes in cisagov/skeleton-generic#201. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 50 +++++++++++++++++---------- 1 file changed, 32 insertions(+), 18 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 595f058..152bac6 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -31,17 +31,23 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 
@@ -72,15 +78,23 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Checkout repository uses: actions/checkout@v4 From adea10cc6ecd71e2a71720e839510548b8c2a87b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 11:20:35 -0500 Subject: [PATCH 278/383] Add the CodeQL action to the Dependabot configuration Children of this skeleton repository will require this Dependabot ignore directive. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7aa2f06..899db5b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -16,6 +16,7 @@ updates: # - dependency-name: cisagov/action-job-preamble # - dependency-name: cisagov/setup-env-github-action # - dependency-name: crazy-max/ghaction-github-labeler + # - dependency-name: github/codeql-action # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate From 5dfe5dfd7d544deb9bc6934c70ba5269b1baf750 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Mar 2025 14:47:02 -0400 Subject: [PATCH 279/383] Use cisagov/action-job-preamble instead of separate actions Use cisagov/action-job-preamble instead of crazy-max/ghaction-github-status and crazy-max/ghaction-dump-context directly. --- .github/workflows/codeql-analysis.yml | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 152bac6..9329fdc 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -6,6 +6,8 @@ # or to provide custom queries or build logic. name: CodeQL +# The use of on here as a key is part of the GitHub actions syntax. +# yamllint disable-line rule:truthy on: merge_group: types: @@ -20,7 +22,7 @@ on: branches-ignore: - dependabot/** schedule: - - cron: '0 2 * * 6' + - cron: 0 2 * * 6 jobs: diagnostics: @@ -34,6 +36,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
@@ -48,12 +56,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 analyze: name: Analyze needs: @@ -81,6 +83,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From d740ee83c2eac243c3a53447316935766042b7cf Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 1 Mar 2025 23:52:48 -0500 Subject: [PATCH 280/383] Add a workflow to run actions/dependency-review-action This action reviews dependency changes for vulnerabilities and license changes. --- .github/workflows/dependency-review.yml | 67 +++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..90549f6 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
@@ -0,0 +1,67 @@
+---
+name: Dependency review
+
+on:
+ merge_group:
+ types:
+ - checks_requested
+ pull_request:
+
+# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
+# nounset, errexit, and pipefail. The `-x` will print all commands as they are
+# run. Please see the GitHub Actions documentation for more information:
+# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
+defaults:
+ run:
+ shell: bash -Eueo pipefail -x {0}
+
+jobs:
+ diagnostics:
+ name: Run diagnostics
+ # This job does not need any permissions
+ permissions: {}
+ runs-on: ubuntu-latest
+ steps:
+ # Note that a duplicate of this step must be added at the top of
+ # each job.
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ with:
+ # Uses the organization variable unless overridden
+ config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+ # Note that a duplicate of this step must be added at the top of
+ # each job.
+ - id: harden-runner
+ name: Harden the runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+ - id: github-status
+ name: Check GitHub status
+ uses: crazy-max/ghaction-github-status@v4
+ - id: dump-context
+ name: Dump context
+ uses: crazy-max/ghaction-dump-context@v2
+ dependency-review:
+ name: Dependency review
+ needs:
+ - diagnostics
+ permissions:
+ # actions/checkout needs this to fetch code
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ with:
+ # Uses the organization variable unless overridden
+ config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+ - id: harden-runner
+ name: Harden the runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+ - id: checkout-repo
+ name: Checkout the repository
+ uses: actions/checkout@v4
+ - id: dependency-review
+ name: Review dependency changes for vulnerabilities and license changes
+ uses: actions/dependency-review-action@v4
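Review bot: `egress-policy: audit` on both harden-runner steps only records outbound connections, so the new workflow has no preventive network control; once the audit output shows which hosts the dependency-review job actually needs, `egress-policy: block` with an `allowed-endpoints` list is the enforcing setting. Every `uses:` in the file (`@v1`, `@v2`, `@v4`) is a mutable major-version tag; for third-party actions, pinning to a full commit SHA with the tag kept in a trailing comment is the usual supply-chain hardening, and Dependabot can still keep such pins current. A `defaults.run` shell is declared but the file has no `run:` steps, which is harmless, though a short comment saying the default is there for future steps would stop readers from looking for where `-x` applies.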
From a446dde01d1aaef7db62f6a7c49a8bc9f54a1460 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 4 Mar 2025 10:52:34 -0500
Subject: [PATCH 281/383] Use cisagov/action-job-preamble
This aligns with the changes in cisagov/skeleton-generic#201.
Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com>
---
.github/workflows/dependency-review.yml | 50 ++++++++++++++++---------
1 file changed, 32 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 90549f6..848feb5 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -24,17 +24,23 @@ jobs:
 steps:
 # Note that a duplicate of this step must be added at the top of
 # each job.
- - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ - name: Apply standard cisagov job preamble
+ uses: cisagov/action-job-preamble@v1
 with:
- # Uses the organization variable unless overridden
- config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- # Note that a duplicate of this step must be added at the top of
- # each job.
- - id: harden-runner
- name: Harden the runner
- uses: step-security/harden-runner@v2
- with:
- egress-policy: audit
+ # Use a variable to specify the permissions monitoring
+ # configuration. By default this will yield the
+ # configuration stored in the cisagov organization-level
+ # variable, but if you want to use a different configuration
+ # then simply:
+ # 1. Create a repository-level variable with the name
+ # ACTIONS_PERMISSIONS_CONFIG.
+ # 2. Set this new variable's value to the configuration you
+ # want to use for this repository.
+ #
+ # Note in particular that changing the permissions
+ # monitoring configuration *does not* require you to modify
+ # this workflow.
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: github-status
 name: Check GitHub status
 uses: crazy-max/ghaction-github-status@v4
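Review bot: Replacing the `step-security/harden-runner@v2` step with `cisagov/action-job-preamble@v1` removes the only visible egress control (`egress-policy: audit`) from this job, and nothing in the hunk shows whether the composite action reinstates it; that should be confirmed against the action before merging, and the harden-runner step kept if it does not. The same substitution is made in the next hunk of this file (the `dependency-review` job) and in the four build.yml hunks of PATCH 288 further down the page, so one answer settles all of them.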
@@ -50,15 +56,23 @@ jobs:
 contents: read
 runs-on: ubuntu-latest
 steps:
- - uses: GitHubSecurityLab/actions-permissions/monitor@v1
- with:
- # Uses the organization variable unless overridden
- config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- - id: harden-runner
- name: Harden the runner
- uses: step-security/harden-runner@v2
+ - name: Apply standard cisagov job preamble
+ uses: cisagov/action-job-preamble@v1
 with:
- egress-policy: audit
+ # Use a variable to specify the permissions monitoring
+ # configuration. By default this will yield the
+ # configuration stored in the cisagov organization-level
+ # variable, but if you want to use a different configuration
+ # then simply:
+ # 1. Create a repository-level variable with the name
+ # ACTIONS_PERMISSIONS_CONFIG.
+ # 2. Set this new variable's value to the configuration you
+ # want to use for this repository.
+ #
+ # Note in particular that changing the permissions
+ # monitoring configuration *does not* require you to modify
+ # this workflow.
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: checkout-repo
 name: Checkout the repository
 uses: actions/checkout@v4
From 494e11663dd2fad7b19f2861de772d55ee8410bc Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 4 Mar 2025 11:00:43 -0500
Subject: [PATCH 282/383] Add the dependency review action to the Dependabot configuration
Children of this skeleton repository will require this Dependabot ignore directive.
---
.github/dependabot.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7aa2f06..6554d39 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,6 +11,7 @@ updates:
 # # Managed by cisagov/skeleton-generic
 # - dependency-name: actions/cache
 # - dependency-name: actions/checkout
+ # - dependency-name: actions/dependency-review-action
 # - dependency-name: actions/setup-go
 # - dependency-name: actions/setup-python
 # - dependency-name: cisagov/action-job-preamble
From 3679b7d004c0c16f09530e7ca38101d566b6ab2a Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 27 Mar 2025 15:06:36 -0400
Subject: [PATCH 283/383] Use cisagov/action-job-preamble instead of separate actions
Use cisagov/action-job-preamble instead of crazy-max/ghaction-github-status and crazy-max/ghaction-dump-context directly. Also disable permissions monitoring since it is poorly implemented and has been causing a lot of problems due to hogging or leaking memory.
---
.github/workflows/dependency-review.yml | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 848feb5..1b05dff 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,7 +1,7 @@
 ---
 name: Dependency review
-on:
+on: # yamllint disable-line rule:truthy
 merge_group:
 types:
 - checks_requested
@@ -27,6 +27,12 @@ jobs:
 - name: Apply standard cisagov job preamble
 uses: cisagov/action-job-preamble@v1
 with:
+ check_github_status: "true"
+ # This functionality is poorly implemented and has been
+ # causing a lot of problems due to the MITM implementation
+ # hogging or leaking memory, so we disable it for now.
+ monitor_permissions: "false"
+ output_workflow_context: "true"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
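Review bot: The `on: # yamllint disable-line rule:truthy` line silences the same rule as the two-line form added to codeql-analysis.yml in PATCH 279 (`# The use of on here as a key is part of the GitHub actions syntax.` followed by `# yamllint disable-line rule:truthy` on the line above `on:`), so the skeleton now carries two spellings of one directive. Either form works, but picking one and using it in every workflow keeps the files diffable against each other and makes the explanatory sentence available wherever the directive appears.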
@@ -41,12 +47,6 @@ jobs:
 # monitoring configuration *does not* require you to modify
 # this workflow.
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- - id: github-status
- name: Check GitHub status
- uses: crazy-max/ghaction-github-status@v4
- - id: dump-context
- name: Dump context
- uses: crazy-max/ghaction-dump-context@v2
 dependency-review:
 name: Dependency review
 needs:
@@ -59,6 +59,10 @@ jobs:
 - name: Apply standard cisagov job preamble
 uses: cisagov/action-job-preamble@v1
 with:
+ # This functionality is poorly implemented and has been
+ # causing a lot of problems due to the MITM implementation
+ # hogging or leaking memory, so we disable it for now.
+ monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
From 028f652f68762a12dc7465c881ce221d3031e8c1 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 27 Mar 2025 15:59:26 -0400
Subject: [PATCH 284/383] Do not disable GitHub permissions monitoring by default
But do leave a commented-out line that can be uncommented to do so. The idea is that we should only comment out this functionality where we really must.
Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com>
---
.github/workflows/build.yml | 14 ++++++++------
.github/workflows/codeql-analysis.yml | 14 ++++++++------
.github/workflows/dependency-review.yml | 14 ++++++++------
.github/workflows/sync-labels.yml | 14 ++++++++------
4 files changed, 32 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9ffe432..eeebb23 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -41,9 +41,10 @@ jobs:
 with:
 check_github_status: "true"
 # This functionality is poorly implemented and has been
- # causing a lot of problems due to the MITM implementation
- # hogging or leaking memory, so we disable it for now.
- monitor_permissions: "false"
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. If this happens to you just uncomment
+ # this line.
+ # monitor_permissions: "false"
 output_workflow_context: "true"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
@@ -71,9 +72,10 @@ jobs:
 uses: cisagov/action-job-preamble@v1
 with:
 # This functionality is poorly implemented and has been
- # causing a lot of problems due to the MITM implementation
- # hogging or leaking memory, so we disable it for now.
- monitor_permissions: "false"
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. If this happens to you just uncomment
+ # this line.
+ # monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9329fdc..d1590e9 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -38,9 +38,10 @@ jobs:
 with:
 check_github_status: "true"
 # This functionality is poorly implemented and has been
- # causing a lot of problems due to the MITM implementation
- # hogging or leaking memory, so we disable it for now.
- monitor_permissions: "false"
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. If this happens to you just uncomment
+ # this line.
+ # monitor_permissions: "false"
 output_workflow_context: "true"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
@@ -84,9 +85,10 @@ jobs:
 uses: cisagov/action-job-preamble@v1
 with:
 # This functionality is poorly implemented and has been
- # causing a lot of problems due to the MITM implementation
- # hogging or leaking memory, so we disable it for now.
- monitor_permissions: "false"
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. If this happens to you just uncomment
+ # this line.
+ # monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 1b05dff..9901352 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -29,9 +29,10 @@ jobs:
 with:
 check_github_status: "true"
 # This functionality is poorly implemented and has been
- # causing a lot of problems due to the MITM implementation
- # hogging or leaking memory, so we disable it for now.
- monitor_permissions: "false"
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. If this happens to you just uncomment
+ # this line.
+ # monitor_permissions: "false"
 output_workflow_context: "true"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
@@ -60,9 +61,10 @@ jobs:
 uses: cisagov/action-job-preamble@v1
 with:
 # This functionality is poorly implemented and has been
- # causing a lot of problems due to the MITM implementation
- # hogging or leaking memory, so we disable it for now.
- monitor_permissions: "false"
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. If this happens to you just uncomment
+ # this line.
+ # monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 56859f2..07c0acf 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -25,9 +25,10 @@ jobs:
 with:
 check_github_status: "true"
 # This functionality is poorly implemented and has been
- # causing a lot of problems due to the MITM implementation
- # hogging or leaking memory, so we disable it for now.
- monitor_permissions: "false"
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. If this happens to you just uncomment
+ # this line.
+ # monitor_permissions: "false"
 output_workflow_context: "true"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
@@ -57,9 +58,10 @@ jobs:
 uses: cisagov/action-job-preamble@v1
 with:
 # This functionality is poorly implemented and has been
- # causing a lot of problems due to the MITM implementation
- # hogging or leaking memory, so we disable it for now.
- monitor_permissions: "false"
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. If this happens to you just uncomment
+ # this line.
+ # monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
From 779ebd3ea88e22c2ec6c201fa79db6cee56fe380 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 28 Mar 2025 19:37:15 -0400
Subject: [PATCH 285/383] Remove redundant version file
This skeleton already supported versioning.
---
version.txt | 1 -
1 file changed, 1 deletion(-)
delete mode 100644 version.txt
diff --git a/version.txt b/version.txt
deleted file mode 100644
index 871d40b..0000000
--- a/version.txt
+++ /dev/null
@@ -1 +0,0 @@
-0.0.1-rc.1
From a7c04351d14240983bee3cee2198c2b506b04127 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 28 Mar 2025 19:39:27 -0400
Subject: [PATCH 286/383] Remove old bump_version.sh file
Also correct the version file in the new bump-version.sh.
---
bump-version | 2 +-
bump_version.sh | 53 -------------------------------------------------
2 files changed, 1 insertion(+), 54 deletions(-)
delete mode 100755 bump_version.sh
diff --git a/bump-version b/bump-version
index 15b4af1..3011d79 100755
--- a/bump-version
+++ b/bump-version
@@ -8,7 +8,7 @@ set -o errexit
 set -o pipefail
 # Stores the canonical version for the project.
-VERSION_FILE=version.txt
+VERSION_FILE=src/example/_version.py
 # Files that should be updated with the new version.
 VERSION_FILES=("$VERSION_FILE")
diff --git a/bump_version.sh b/bump_version.sh
deleted file mode 100755
index bd520bd..0000000
--- a/bump_version.sh
+++ /dev/null
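Review bot: `VERSION_FILE=src/example/_version.py` is only half the change: the script still reads `old_version=$(< "$VERSION_FILE")` later in its body (outside this hunk), so after this commit `old_version` holds the entire Python module rather than a version string and the substitution built from it cannot match. PATCH 291 below swaps that read for a `sed` extraction; squashing the two, or at least naming the dependency in this commit's message, would keep the intermediate commit from bisecting as broken.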
@@ -1,53 +0,0 @@
-#!/usr/bin/env bash
-
-# bump_version.sh (show|major|minor|patch|prerelease|build)
-
-set -o nounset
-set -o errexit
-set -o pipefail
-
-VERSION_FILE=src/example/_version.py
-
-HELP_INFORMATION="bump_version.sh (show|major|minor|patch|prerelease|build|finalize)"
-
-old_version=$(sed -n "s/^__version__ = \"\(.*\)\"$/\1/p" $VERSION_FILE)
-# Comment out periods so they are interpreted as periods and don't
-# just match any character
-old_version_regex=${old_version//\./\\\.}
-
-if [ $# -ne 1 ]; then
- echo "$HELP_INFORMATION"
-else
- case $1 in
- major | minor | patch | prerelease | build)
- new_version=$(python -c "import semver; print(semver.bump_$1('$old_version'))")
- echo Changing version from "$old_version" to "$new_version"
- # A temp file is used to provide compatability with macOS development
- # as a result of macOS using the BSD version of sed
- tmp_file=/tmp/version.$$
- sed "s/$old_version_regex/$new_version/" $VERSION_FILE > $tmp_file
- mv $tmp_file $VERSION_FILE
- git add $VERSION_FILE
- git commit -m"Bump version from $old_version to $new_version"
- git push
- ;;
- finalize)
- new_version=$(python -c "import semver; print(semver.finalize_version('$old_version'))")
- echo Changing version from "$old_version" to "$new_version"
- # A temp file is used to provide compatability with macOS development
- # as a result of macOS using the BSD version of sed
- tmp_file=/tmp/version.$$
- sed "s/$old_version_regex/$new_version/" $VERSION_FILE > $tmp_file
- mv $tmp_file $VERSION_FILE
- git add $VERSION_FILE
- git commit -m"Finalize version from $old_version to $new_version"
- git push
- ;;
- show)
- echo "$old_version"
- ;;
- *)
- echo "$HELP_INFORMATION"
- ;;
- esac
-fi
From 186c4956c70253197bd94500f78a2c3658714dd9 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 28 Mar 2025 19:58:12 -0400
Subject: [PATCH 287/383] Prefer double quotes to single quotes where possible
---
.github/lineage.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/lineage.yml b/.github/lineage.yml
index 49f9c4f..46d3224 100644
--- a/.github/lineage.yml
+++ b/.github/lineage.yml
@@ -2,4 +2,4 @@
 lineage:
 skeleton:
 remote-url: https://github.com/cisagov/skeleton-generic.git
-version: '1'
+version: "1"
From 86ea40cc6204539db0a8a8cf329a2f7c7083f3be Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 28 Mar 2025 21:36:21 -0400
Subject: [PATCH 288/383] Use the cisagov/action-job-preamble action wherever possible
---
.github/workflows/build.yml | 116 ++++++++++++++++++++++++++----------
1 file changed, 84 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c9b15ae..2beacc7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -210,15 +210,28 @@ jobs:
 - "3.12"
 - "3.13"
 steps:
- - uses: GitHubSecurityLab/actions-permissions/monitor@v1
- with:
- # Uses the organization variable unless overridden
- config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- - id: harden-runner
- name: Harden the runner
- uses: step-security/harden-runner@v2
+ - name: Apply standard cisagov job preamble
+ uses: cisagov/action-job-preamble@v1
 with:
- egress-policy: audit
+ # This functionality is poorly implemented and has been
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. If this happens to you just uncomment
+ # this line.
+ # monitor_permissions: "false"
+ # Use a variable to specify the permissions monitoring
+ # configuration. By default this will yield the
+ # configuration stored in the cisagov organization-level
+ # variable, but if you want to use a different configuration
+ # then simply:
+ # 1. Create a repository-level variable with the name
+ # ACTIONS_PERMISSIONS_CONFIG.
+ # 2. Set this new variable's value to the configuration you
+ # want to use for this repository.
+ #
+ # Note in particular that changing the permissions
+ # monitoring configuration *does not* require you to modify
+ # this workflow.
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - uses: actions/checkout@v4
 - id: setup-python
 uses: actions/setup-python@v5
@@ -267,15 +280,28 @@ jobs:
 - diagnostics
 - test
 steps:
- - uses: GitHubSecurityLab/actions-permissions/monitor@v1
- with:
- # Uses the organization variable unless overridden
- config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- - id: harden-runner
- name: Harden the runner
- uses: step-security/harden-runner@v2
+ - name: Apply standard cisagov job preamble
+ uses: cisagov/action-job-preamble@v1
 with:
- egress-policy: audit
+ # This functionality is poorly implemented and has been
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. If this happens to you just uncomment
+ # this line.
+ # monitor_permissions: "false"
+ # Use a variable to specify the permissions monitoring
+ # configuration. By default this will yield the
+ # configuration stored in the cisagov organization-level
+ # variable, but if you want to use a different configuration
+ # then simply:
+ # 1. Create a repository-level variable with the name
+ # ACTIONS_PERMISSIONS_CONFIG.
+ # 2. Set this new variable's value to the configuration you
+ # want to use for this repository.
+ #
+ # Note in particular that changing the permissions
+ # monitoring configuration *does not* require you to modify
+ # this workflow.
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - uses: actions/checkout@v4
 - id: setup-env
 uses: cisagov/setup-env-github-action@develop
@@ -329,15 +355,28 @@ jobs:
 - "3.12"
 - "3.13"
 steps:
- - uses: GitHubSecurityLab/actions-permissions/monitor@v1
- with:
- # Uses the organization variable unless overridden
- config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- - id: harden-runner
- name: Harden the runner
- uses: step-security/harden-runner@v2
+ - name: Apply standard cisagov job preamble
+ uses: cisagov/action-job-preamble@v1
 with:
- egress-policy: audit
+ # This functionality is poorly implemented and has been
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. If this happens to you just uncomment
+ # this line.
+ # monitor_permissions: "false"
+ # Use a variable to specify the permissions monitoring
+ # configuration. By default this will yield the
+ # configuration stored in the cisagov organization-level
+ # variable, but if you want to use a different configuration
+ # then simply:
+ # 1. Create a repository-level variable with the name
+ # ACTIONS_PERMISSIONS_CONFIG.
+ # 2. Set this new variable's value to the configuration you
+ # want to use for this repository.
+ #
+ # Note in particular that changing the permissions
+ # monitoring configuration *does not* require you to modify
+ # this workflow.
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - uses: actions/checkout@v4
 - id: setup-python
 uses: actions/setup-python@v5
@@ -390,15 +429,28 @@ jobs:
 - "3.12"
 - "3.13"
 steps:
- - uses: GitHubSecurityLab/actions-permissions/monitor@v1
- with:
- # Uses the organization variable unless overridden
- config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- - id: harden-runner
- name: Harden the runner
- uses: step-security/harden-runner@v2
+ - name: Apply standard cisagov job preamble
+ uses: cisagov/action-job-preamble@v1
 with:
- egress-policy: audit
+ # This functionality is poorly implemented and has been
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. If this happens to you just uncomment
+ # this line.
+ # monitor_permissions: "false"
+ # Use a variable to specify the permissions monitoring
+ # configuration. By default this will yield the
+ # configuration stored in the cisagov organization-level
+ # variable, but if you want to use a different configuration
+ # then simply:
+ # 1. Create a repository-level variable with the name
+ # ACTIONS_PERMISSIONS_CONFIG.
+ # 2. Set this new variable's value to the configuration you
+ # want to use for this repository.
+ #
+ # Note in particular that changing the permissions
+ # monitoring configuration *does not* require you to modify
+ # this workflow.
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - uses: actions/checkout@v4
 - id: setup-python
 uses: actions/setup-python@v5
From 9b8dd5863c6c9e0d004ba2a3d8a7375264d36ad0 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 28 Mar 2025 21:39:05 -0400
Subject: [PATCH 289/383] Remove unnecessary quotes
This gets rid of some errors from the yamllint pre-commit hook.
---
.github/workflows/build.yml | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2beacc7..802a32b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -239,17 +239,17 @@ jobs:
 python-version: ${{ matrix.python-version }}
 - uses: actions/cache@v4
 env:
- BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
- py${{ steps.setup-python.outputs.python-version }}-"
+ BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\
+ py${{ steps.setup-python.outputs.python-version }}-
 with:
 path: ${{ env.PIP_CACHE_DIR }}
 # We do not use '**/setup.py' in the cache key so only the 'setup.py'
 # file in the root of the repository is used. This is in case a Python
 # package were to have a 'setup.py' as part of its internal codebase.
- key: "${{ env.BASE_CACHE_KEY }}\
+ key: ${{ env.BASE_CACHE_KEY }}\
 ${{ hashFiles('**/requirements-test.txt') }}-\
 ${{ hashFiles('**/requirements.txt') }}-\
- ${{ hashFiles('setup.py') }}"
+ ${{ hashFiles('setup.py') }}
 restore-keys: |
 ${{ env.BASE_CACHE_KEY }}
 - name: Install dependencies
@@ -263,7 +263,7 @@ jobs:
 - name: Upload coverage report
 run: coveralls
 env:
- COVERALLS_FLAG_NAME: "py${{ matrix.python-version }}"
+ COVERALLS_FLAG_NAME: py${{ matrix.python-version }}
 COVERALLS_PARALLEL: true
 COVERALLS_SERVICE_NAME: github
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
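Review bot: Removing the double quotes changes the values of `BASE_CACHE_KEY` and `key`, not just their style: inside a double-quoted scalar the trailing `\` escaped the newline and joined the lines, whereas in a plain multi-line scalar `\` is an ordinary character and the line break folds to a space, so each expanded key now contains a literal backslash followed by a space (constructed example: `<job>-Linux-\ py3.12-<hashes>`). The cache still hits because every run computes the same string, but the key no longer has the shape the comment above it describes. Either keep the quotes and silence the linter on those lines, or build the key without a continuation, e.g. `BASE_CACHE_KEY: ${{ format('{0}-{1}-py{2}-', github.job, runner.os, steps.setup-python.outputs.python-version) }}`; the same applies to the `@@ -311`, `@@ -384` and `@@ -458` hunks of this commit on the following two lines. The `COVERALLS_FLAG_NAME` change in the second hunk is a genuine no-op and is fine.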
@@ -311,17 +311,17 @@ jobs:
 python-version: ${{ steps.setup-env.outputs.python-version }}
 - uses: actions/cache@v4
 env:
- BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
- py${{ steps.setup-python.outputs.python-version }}-"
+ BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\
+ py${{ steps.setup-python.outputs.python-version }}-
 with:
 path: ${{ env.PIP_CACHE_DIR }}
 # We do not use '**/setup.py' in the cache key so only the 'setup.py'
 # file in the root of the repository is used. This is in case a Python
 # package were to have a 'setup.py' as part of its internal codebase.
- key: "${{ env.BASE_CACHE_KEY }}\
+ key: ${{ env.BASE_CACHE_KEY }}\
 ${{ hashFiles('**/requirements-test.txt') }}-\
 ${{ hashFiles('**/requirements.txt') }}-\
- ${{ hashFiles('setup.py') }}"
+ ${{ hashFiles('setup.py') }}
 restore-keys: |
 ${{ env.BASE_CACHE_KEY }}
 - name: Install dependencies
@@ -384,16 +384,16 @@ jobs:
 python-version: ${{ matrix.python-version }}
 - uses: actions/cache@v4
 env:
- BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
- py${{ steps.setup-python.outputs.python-version }}-"
+ BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\
+ py${{ steps.setup-python.outputs.python-version }}-
 with:
 path: ${{ env.PIP_CACHE_DIR }}
 # We do not use '**/setup.py' in the cache key so only the 'setup.py'
 # file in the root of the repository is used. This is in case a Python
 # package were to have a 'setup.py' as part of its internal codebase.
- key: "${{ env.BASE_CACHE_KEY }}\
+ key: ${{ env.BASE_CACHE_KEY }}\
 ${{ hashFiles('**/requirements.txt') }}-\
- ${{ hashFiles('setup.py') }}"
+ ${{ hashFiles('setup.py') }}
 restore-keys: |
 ${{ env.BASE_CACHE_KEY }}
 - name: Install build dependencies
@@ -458,16 +458,16 @@ jobs:
 python-version: ${{ matrix.python-version }}
 - uses: actions/cache@v4
 env:
- BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
- py${{ steps.setup-python.outputs.python-version }}-"
+ BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\
+ py${{ steps.setup-python.outputs.python-version }}-
 with:
 path: ${{ env.PIP_CACHE_DIR }}
 # We do not use '**/setup.py' in the cache key so only the 'setup.py'
 # file in the root of the repository is used. This is in case a Python
 # package were to have a 'setup.py' as part of its internal codebase.
- key: "${{ env.BASE_CACHE_KEY }}\
+ key: ${{ env.BASE_CACHE_KEY }}\
 ${{ hashFiles('**/requirements.txt') }}-\
- ${{ hashFiles('setup.py') }}"
+ ${{ hashFiles('setup.py') }}
 restore-keys: |
 ${{ env.BASE_CACHE_KEY }}
 - name: Retrieve the built wheel
From 4e3fa5afc850c066f3d5b0afeaa989e92dd58014 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 28 Mar 2025 21:44:54 -0400
Subject: [PATCH 290/383] Use the same version of bandit everywhere
---
.pre-commit-config.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a90bea2..8312ba0 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -133,7 +133,7 @@ repos:
 - --config=.bandit.yml
 # Run bandit on everything except the "tests" tree
 - repo: https://github.com/PyCQA/bandit
- rev: 1.7.10
+ rev: 1.8.3
 hooks:
 - id: bandit
 name: bandit (everything else)
From 3b9b37added94feab534dc3f5c4b01dac183bd24 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 1 Apr 2025 11:19:08 -0400
Subject: [PATCH 291/383] Correct code that extracts the version from the version file
The version file is not a simple text file that only contains the version in this case.
---
bump-version | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bump-version b/bump-version
index 3011d79..4fc1452 100755
--- a/bump-version
+++ b/bump-version
@@ -29,7 +29,7 @@ Options:
 END_OF_LINE
 )
-old_version=$(< "$VERSION_FILE")
+old_version=$(sed -n "s/^__version__ = \"\(.*\)\"$/\1/p" $VERSION_FILE)
 # Comment out periods so they are interpreted as periods and don't
 # just match any character
 old_version_regex=${old_version//\./\\\.}
From 65f9c3012bed807253f1c91a9ee79234cdd517a Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 8 Apr 2025 11:39:47 -0400
Subject: [PATCH 292/383] Disable GH permissions monitoring everywhere
This functionality (https://github.com/GitHubSecurityLab/actions-permissions/tree/main/monitor) is poorly implemented and has been causing problems due to the MITM implementation hogging or leaking memory. This functionality should be re-enabled when practical. See cisagov/skeleton-generic#207 for more details.
---
.github/workflows/build.yml | 20 ++++++++++++++------
.github/workflows/codeql-analysis.yml | 20 ++++++++++++++------
.github/workflows/dependency-review.yml | 20 ++++++++++++++------
.github/workflows/sync-labels.yml | 20 ++++++++++++++------
4 files changed, 56 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index eeebb23..130ec8c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -42,9 +42,13 @@ jobs:
 check_github_status: "true"
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-anable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
 output_workflow_context: "true"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
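Review bot: The new `sed` line leaves `$VERSION_FILE` unquoted where the line it replaces wrote `"$VERSION_FILE"`; `old_version=$(sed -n "s/^__version__ = \"\(.*\)\"$/\1/p" "$VERSION_FILE")` keeps the quoting consistent with the rest of the script. More importantly, when the regex does not match, `sed -n … p` exits 0 and prints nothing, so `old_version` is silently empty and `set -o errexit` (visible in this file's earlier hunk on the page) does not stop the script; a guard right after the assignment such as `[[ -n "$old_version" ]] || { echo "Unable to read version from $VERSION_FILE" >&2; exit 1; }` fails fast instead of feeding an empty pattern into the later substitution. The remainder of the script lies outside this hunk.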
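Review bot: The added TODO comment misspells its own verb: `# TODO: Re-anable this functionality when practical. See` should read `# TODO: Re-enable this functionality when practical. See`, and the same line is repeated in the other seven hunks of this commit (the second build.yml hunk and the codeql-analysis, dependency-review and sync-labels hunks on the following lines). With `monitor_permissions: "false"` in force, the `permissions_monitoring_config` input that follows presumably has no effect until the monitor is turned back on; a one-line comment saying so would spare readers from wondering why it is still passed. Since this turns off a detective control in every job of the skeleton, the issue link is good, but an owner or a revisit date in the TODO would make it more likely to be acted on.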
@@ -73,9 +77,13 @@ jobs:
 with:
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-anable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d1590e9..382999a 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -39,9 +39,13 @@ jobs:
 check_github_status: "true"
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-anable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
 output_workflow_context: "true"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
@@ -86,9 +90,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 9901352..52a3ee9 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -30,9 +30,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
@@ -62,9 +66,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 07c0acf..04503e2 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -26,9 +26,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
@@ -59,9 +63,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From 2cfc534f2a4cb11d5bd310f6cfe5832565399885 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 8 Apr 2025 12:57:31 -0400 Subject: [PATCH 293/383] Fix typo that was copied and pasted all over the show Co-authored-by: David Harris <123905168+dv4harr10@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 4 ++-- .github/workflows/dependency-review.yml | 2 +- .github/workflows/sync-labels.yml | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 130ec8c..7fe4f16 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,7 +46,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" 
@@ -81,7 +81,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" # Use a variable to specify the permissions monitoring diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 382999a..dd59d04 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -43,7 +43,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" @@ -94,7 +94,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" # Use a variable to specify the permissions monitoring diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 52a3ee9..f98c687 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -70,7 +70,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" # Use a variable to specify the permissions monitoring diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 04503e2..fa6f772 100644 
--- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -30,7 +30,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" @@ -67,7 +67,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" # Use a variable to specify the permissions monitoring From ac2813c3ee5fa87f680cbab6c0e365d45f9c292b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 8 Apr 2025 15:23:07 -0400 Subject: [PATCH 294/383] Disable GH permissions monitoring in build.yml workflow This functionality is poorly implemented and has been causing problems due to the MITM implementation hogging or leaking memory. --- .github/workflows/build.yml | 40 ++++++++++++++++++++++++++----------- 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 107270c..eae23ec 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -223,9 +223,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-python-library#149 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level @@ -293,9 +297,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-python-library#149 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
@@ -368,9 +376,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-python-library#149 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level @@ -442,9 +454,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-python-library#149 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From e0bf15782d8220a1886693bef704489df1df17cb Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 9 Apr 2025 09:48:38 -0400 Subject: [PATCH 295/383] Fix typo --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index f98c687..ee87e04 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -34,7 +34,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 output_workflow_context: "true"
From ab359547e23707825e4c34fd1e9fd59b5766bcba Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 7 May 2025 14:10:21 -0400 Subject: [PATCH 296/383] Upgrade to the latest version of the ansible-lint pre-commit hook Version 25.4.0 is the first version to support Fedora 42 in the Ansible YAML metadata schema. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c165bde..0760b36 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -165,7 +165,7 @@ repos:
 # Ansible hooks
 - repo: https://github.com/ansible/ansible-lint
- rev: v25.1.3
+ rev: v25.4.0
 hooks:
 - id: ansible-lint
 additional_dependencies:
From 9c6e2636811dd5c592cafe3c86392643b1a57f82 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 14 May 2025 15:20:27 -0400 Subject: [PATCH 297/383] Remove now-duplicated GH action dependency Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 1 - 1 file changed, 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 10d9c81..d4822fe 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -24,7 +24,6 @@ updates:
 #
 # Managed by cisagov/skeleton-python-library
 # - dependency-name: actions/download-artifact
 # - dependency-name: actions/upload-artifact
- # - dependency-name: github/codeql-action
 package-ecosystem: github-actions
 schedule:
 interval: weekly
From b1f760e45dd783f02ea50d4004e8cdc8a537edf6 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Mon, 19 May 2025 15:30:16 -0400 Subject: [PATCH 298/383] Prefer importlib to pkg_resources The latter is deprecated and is not included in the most recent version of types-setuptools. This leads to an error from the mypy pre-commit hook. --- src/example/example.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/example/example.py b/src/example/example.py index 54e8cc1..7df5bac 100644 --- a/src/example/example.py +++ b/src/example/example.py @@ -20,6 +20,7 @@ """ # Standard Python Libraries +from importlib.resources import files import logging import os import sys @@ -27,7 +28,6 @@ # Third-Party Libraries import docopt -import pkg_resources # There are no type stubs for the schema library, so mypy requires the type: # ignore hint. @@ -96,9 +96,7 @@ def main() -> None: # Access some data from our package data (see the setup.py) secret_message: str = ( - pkg_resources.resource_string("example", "data/secret.txt") - .decode("utf-8") - .strip() + files(f"{__package__}.data").joinpath("secret.txt").read_text().strip() ) logging.info('Secret="%s"', secret_message) From 2b8de19f2710983d46b0c758f415e966e94ef3b5 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 20 May 2025 10:44:41 -0400 Subject: [PATCH 299/383] Add an __init__.py to the data subpackage This is necessary for the secret_message line using importlib to correctly work with Python 3.9. See here for more details: https://setuptools.pypa.io/en/latest/userguide/datafiles.html?utm_source=chatgpt.com#namespace-support Co-authored-by: felddy --- src/example/data/__init__.py | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 src/example/data/__init__.py diff --git a/src/example/data/__init__.py b/src/example/data/__init__.py new file mode 100644 index 0000000..7f11534 --- /dev/null +++ b/src/example/data/__init__.py 
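Review bot: The replacement drops the explicit UTF-8 decoding that the removed `resource_string(...).decode("utf-8")` performed: `read_text()` with no `encoding` falls back to the platform locale encoding, which makes the result host-dependent for any non-ASCII byte in `secret.txt`. Passing the encoding restores the old behaviour: `files(f"{__package__}.data").joinpath("secret.txt").read_text(encoding="utf-8").strip()`. Separately, `f"{__package__}.data"` turns into the string `"None.data"` if this module is ever executed as a script rather than imported through the package entry point (how it is launched is not visible here), so that path is worth a test. `main()` starts and ends outside this hunk.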
@@ -0,0 +1,5 @@ +"""The example.data package.""" + +# This is necessary for the secret_message line using importlib to correctly +# work with Python 3.9. See here for more details: +# https://setuptools.pypa.io/en/latest/userguide/datafiles.html?utm_source=chatgpt.com#namespace-support From b65198e6ae69dba0071a086233cfef48e307fbbe Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 26 Mar 2025 09:56:13 -0400 Subject: [PATCH 300/383] Use the coveralls/github-action action Instead of installing coveralls and running it we will use the Coveralls GitHub action to upload test coverage reports. --- .github/workflows/build.yml | 41 +++++++------------------------------ 1 file changed, 7 insertions(+), 34 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index eae23ec..ecf0742 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -273,12 +273,10 @@ jobs: RELEASE_TAG: ${{ github.event.release.tag_name }} run: pytest - name: Upload coverage report - run: coveralls - env: - COVERALLS_FLAG_NAME: py${{ matrix.python-version }} - COVERALLS_PARALLEL: true - COVERALLS_SERVICE_NAME: github - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + uses: coverallsapp/github-action@v2 + with: + flag-name: "py${{ matrix.python-version }}" + parallel: true if: success() - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 
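Review bot: The documentation URL in the new module carries a `?utm_source=chatgpt.com` tracking parameter that is unrelated to the reference; strip it so the comment points at the canonical page: `# https://setuptools.pypa.io/en/latest/userguide/datafiles.html#namespace-support`. The commit message carries the same suffix.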
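Review bot: The new upload step passes no token, so it silently relies on the action's default of `${{ github.token }}` where the removed step made the credential explicit; a one-line comment keeps that visible to the next reader: `# Authenticates with the job's GITHUB_TOKEN through the action's default github-token input.` The dependabot.yml in this repository keeps a commented list of actions managed by cisagov/skeleton-python-library so downstream repositories can ignore them (`actions/download-artifact` and `actions/upload-artifact` appear in it elsewhere in this series), and `coverallsapp/github-action` presumably belongs there as well. The `test` job's `permissions:` block is outside this hunk.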
@@ -319,35 +317,10 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - - id: setup-env - uses: cisagov/setup-env-github-action@develop - - id: setup-python - uses: actions/setup-python@v5 - with: - python-version: ${{ steps.setup-env.outputs.python-version }} - - uses: actions/cache@v4 - env: - BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ - py${{ steps.setup-python.outputs.python-version }}- - with: - path: ${{ env.PIP_CACHE_DIR }} - # We do not use '**/setup.py' in the cache key so only the 'setup.py' - # file in the root of the repository is used. This is in case a Python - # package were to have a 'setup.py' as part of its internal codebase. - key: ${{ env.BASE_CACHE_KEY }}\ - ${{ hashFiles('**/requirements-test.txt') }}-\ - ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('setup.py') }} - restore-keys: | - ${{ env.BASE_CACHE_KEY }} - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install --upgrade --requirement requirements-test.txt - name: Finished coveralls reports - run: coveralls --finish - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + uses: coverallsapp/github-action@v2 + with: + parallel-finished: true - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE From 02995095f02aed5a15a4673ae42beda2db450259 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 20 May 2025 13:02:57 -0400 Subject: [PATCH 301/383] Remove unnecessary quotes around YAML string --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ecf0742..f8c4c62 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
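Review bot: Now that checkout, setup-python, the cache and the dependency install are removed, nothing in the `coveralls` job reads the repository, so if its `permissions:` block (above this hunk) still grants `contents: read` for the deleted `actions/checkout` step it can be tightened to `permissions: {}`; as far as I know the Coveralls action only needs the default `github.token` for its API call. A short comment on the surviving step would also explain why a job with no checkout exists: `# Closes the parallel build opened by the per-matrix upload steps in the test job.`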
@@ -275,7 +275,7 @@ jobs: - name: Upload coverage report uses: coverallsapp/github-action@v2 with: - flag-name: "py${{ matrix.python-version }}" + flag-name: py${{ matrix.python-version }} parallel: true if: success() - name: Setup tmate debug session From 4d88c8b10852e057d0d95cf36f0ef74c1b509162 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 28 May 2025 11:15:29 -0400 Subject: [PATCH 302/383] Add a configuration block for pre-commit.ci This adds a `ci` block to the pre-commit configurations to control the behavior of the pre-commit.ci GitHub app. --- .pre-commit-config.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0760b36..9273b18 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,4 +1,10 @@ --- +ci: + # Do not commit changes from running pre-commit for pull requests. + autofix_prs: false + # Autoupdate hooks weekly (this is the default). + autoupdate_schedule: weekly + default_language_version: # force all unspecified python hooks to run python3 python: python3 From 3b584271602c8b0a39e83522119e728882f5b481 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 15 May 2025 14:57:11 -0400 Subject: [PATCH 303/383] Use a version tag for cisagov/setup-env-github-action We currently use the `develop` branch as our reference for the cisagov/setup-env-github-action action in the build workflow. We will instead use the major version tag which puts our usage of this action in line with how we use other actions in our workflows. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7fe4f16..2e5c1e2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -99,7 +99,7 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env - uses: cisagov/setup-env-github-action@develop + uses: cisagov/setup-env-github-action@v1 - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v5 From 4abc8aba31deb0cd334fb0df9887776174b43480 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 23 May 2025 10:28:05 -0400 Subject: [PATCH 304/383] Test across more platforms Update the two testing jobs in the build workflow to test across these additional platforms (we are currently limited to only free offerings): - Linux on ARM64 - macOS on ARM64 - Windows on AMD64 --- .github/workflows/build.yml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f8c4c62..5d2bd15 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -201,16 +201,21 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test: - name: test source - py${{ matrix.python-version }} + name: test source - py${{ matrix.python-version }} - ${{ matrix.platform }} needs: - diagnostics permissions: # actions/checkout needs this to fetch code contents: read - runs-on: ubuntu-latest + runs-on: ${{ matrix.platform }} strategy: fail-fast: false matrix: + platform: + - macos-latest + - ubuntu-24.04-arm + - ubuntu-latest + - windows-latest python-version: - "3.9" - "3.10" @@ -251,7 +256,8 @@ jobs: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 env: - BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ + BASE_CACHE_KEY: ${{ github.job }}-\ + ${{ runner.os }}-${{ runner.arch }}-\ py${{ steps.setup-python.outputs.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} 
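Review bot: `@v1` is an improvement over tracking the `develop` branch, but it is still a mutable ref that the upstream repository can re-point at any commit, so the job executes whatever the tag resolves to at run time. Pinning to the full commit SHA with a version comment, e.g. `uses: cisagov/setup-env-github-action@<full-sha>  # v1.0.0`, is the stronger supply-chain posture and Dependabot still bumps SHA pins. Every other action in this workflow uses a major tag too, so this is a repository-wide choice rather than a defect specific to this line.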
@@ -404,17 +410,22 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test-build: - name: test built wheel - py${{ matrix.python-version }} + name: test built wheel - py${{ matrix.python-version }} - ${{ matrix.platform }} needs: - diagnostics - build permissions: # actions/checkout needs this to fetch code contents: read - runs-on: ubuntu-latest + runs-on: ${{ matrix.platform }} strategy: fail-fast: false matrix: + platform: + - macos-latest + - ubuntu-24.04-arm + - ubuntu-latest + - windows-latest python-version: - "3.9" - "3.10" @@ -455,7 +466,8 @@ jobs: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 env: - BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ + BASE_CACHE_KEY: ${{ github.job }}-\ + ${{ runner.os }}-${{ runner.arch }}-\ py${{ steps.setup-python.outputs.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} From 7221c7f252d17e0c77a90293585b5653a9246d0e Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 13 Jun 2025 19:09:43 -0400 Subject: [PATCH 305/383] Explain platform selection in the `build` workflow Add a short comment that explains why we use the platforms we do in the `test` and `test-build` jobs in the `build` workflow. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5d2bd15..728a0d4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -211,6 +211,8 @@ jobs: strategy: fail-fast: false matrix: + # We test on all of the latest platforms available to use with GitHub- + # hosted runners for public repositories. platform: - macos-latest - ubuntu-24.04-arm 
@@ -421,6 +423,8 @@ jobs: strategy: fail-fast: false matrix: + # We test on all of the latest platforms available to use with GitHub- + # hosted runners for public repositories. platform: - macos-latest - ubuntu-24.04-arm From 7d338772b4bd86706c3bc5bb0e2f430ea5302a8e Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 23 May 2025 11:57:16 -0400 Subject: [PATCH 306/383] Adjust how package data is accessed Instead of creating a sub-package just to act as a file container we instead adjust the resource being accessed. This will prevent namespace cluttering while still providing access to the package data that is needed. This also follows logically with how the filesystem is organized where `data/secret.txt` is a resource of the `example` package. --- src/example/data/__init__.py | 5 ----- src/example/example.py | 2 +- 2 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 src/example/data/__init__.py diff --git a/src/example/data/__init__.py b/src/example/data/__init__.py deleted file mode 100644 index 7f11534..0000000 --- a/src/example/data/__init__.py +++ /dev/null @@ -1,5 +0,0 @@ -"""The example.data package.""" - -# This is necessary for the secret_message line using importlib to correctly -# work with Python 3.9. See here for more details: -# https://setuptools.pypa.io/en/latest/userguide/datafiles.html?utm_source=chatgpt.com#namespace-support diff --git a/src/example/example.py b/src/example/example.py index 7df5bac..d4d8af9 100644 --- a/src/example/example.py +++ b/src/example/example.py @@ -96,7 +96,7 @@ def main() -> None: # Access some data from our package data (see the setup.py) secret_message: str = ( - files(f"{__package__}.data").joinpath("secret.txt").read_text().strip() + files(__package__).joinpath("data/secret.txt").read_text().strip() ) logging.info('Secret="%s"', secret_message) From dc51c81c90e1db028c55abdb089e5036cbf88ddf Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 23 May 2025 12:11:13 -0400 Subject: [PATCH 307/383] Bump version from 0.2.1 to 0.2.2 --- src/example/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/example/_version.py b/src/example/_version.py
index 3252c71..a0fb112 100644
--- a/src/example/_version.py
+++ b/src/example/_version.py
@@ -1,3 +1,3 @@
 """This file defines the version of this module."""
-__version__ = "0.2.1"
+__version__ = "0.2.2"
From 9bdefe391c65f9ce94ecf8d6a783d0edb8816e99 Mon Sep 17 00:00:00 2001 From: Nick <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 23 May 2025 14:28:41 -0400 Subject: [PATCH 308/383] Separate the resource path argument to `joinpath` Breaking the resource path components into separate arguments will provide a cleaner approach to constructing the resource path. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/example/example.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/example/example.py b/src/example/example.py
index d4d8af9..b8edfd3 100644
--- a/src/example/example.py
+++ b/src/example/example.py
@@ -96,7 +96,7 @@ def main() -> None:
 # Access some data from our package data (see the setup.py)
 secret_message: str = (
- files(__package__).joinpath("data/secret.txt").read_text().strip()
+ files(__package__).joinpath("data", "secret.txt").read_text().strip()
 )
 logging.info('Secret="%s"', secret_message)
From 8ac7776f822692638fd421b936295fb0f7ce9467 Mon Sep 17 00:00:00 2001 
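Review bot: The two-argument `joinpath("data", "secret.txt")` works only because `files()` returns a `pathlib.Path` for an on-disk regular package; the `importlib.resources` `Traversable` protocol, and the `zipfile.Path`/`MultiplexedPath` implementations behind it, accepted a single child argument until (as far as I recall) Python 3.12, and this repository's matrix still tests 3.9. The protocol-safe spellings are the chained `joinpath("data").joinpath("secret.txt")` or the `/` operator: `(files(__package__) / "data" / "secret.txt").read_text().strip()`. `main()` starts and ends outside this hunk.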
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Aug 2025 23:47:33 +0000 Subject: [PATCH 309/383] Bump actions/download-artifact from 4 to 5 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 5. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 728a0d4..910e2d9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -484,7 +484,7 @@ jobs: restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Retrieve the built wheel - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v5 with: name: dist-${{ matrix.python-version }} path: dist From f89170422e22989a8314be4d6355b2919301d9b5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 28 Aug 2025 14:04:27 -0400 Subject: [PATCH 310/383] Add a configuration to automatically label pull requests This includes updating the dependabot configuration, adding a new `label-prs.yml` GitHub Actions workflow, and adding a suitable configuration file for the actions/labeler action used by the aforementioned workflow. --- .github/dependabot.yml | 1 + .github/labeler.yml | 63 ++++++++++++++++++++++ .github/workflows/label-prs.yml | 93 +++++++++++++++++++++++++++++++++ 3 files changed, 157 insertions(+) create mode 100644 .github/labeler.yml create mode 100644 .github/workflows/label-prs.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c17fa4c..6dc2a95 100644 --- a/.github/dependabot.yml 
+++ b/.github/dependabot.yml @@ -12,6 +12,7 @@ updates: # - dependency-name: actions/cache # - dependency-name: actions/checkout # - dependency-name: actions/dependency-review-action + # - dependency-name: actions/labeler # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python # - dependency-name: cisagov/action-job-preamble diff --git a/.github/labeler.yml b/.github/labeler.yml new file mode 100644 index 0000000..c7f044b --- /dev/null +++ b/.github/labeler.yml 
@@ -0,0 +1,63 @@ +--- +# Each entry in this file is a label that will be applied to pull requests +# if there is a match based on the matching rules for the entry. Please see +# the actions/labeler documentation for more information: +# https://github.com/actions/labeler#match-object +# +# Note: Verify that the label you want to use is defined in the +# crazy-max/ghaction-github-labeler configuration file located at +# .github/labels.yml. + +# Enable if Ansible playbooks are used in the repository. +# ansible: +# - changed-files: +# - any-glob-to-any-file: +# - "**/ansible/**" +dependencies: + - changed-files: + - any-glob-to-any-file: + # Add any dependency files used. + - .pre-commit-config.yaml + - requirements*.txt +documentation: + - changed-files: + - any-glob-to-any-file: + - "**/*.md" +github-actions: + - changed-files: + - any-glob-to-any-file: + - .github/workflows/** +# Enable if Packer is used in the repository. +# packer: +# - changed-files: +# - any-glob-to-any-file: +# - "**/*.pkr.hcl" +# Enable if Python is used in the repository. +# python: +# - changed-files: +# - any-glob-to-any-file: +# - "**/*.py" +# Enable if Terraform is used in the repository. +# terraform: +# - changed-files: +# - any-glob-to-any-file: +# - "**/*.tf" +test: + - changed-files: + - any-glob-to-any-file: + # Add any test-related files or paths. + - .ansible-lint + - .bandit.yml + - .flake8 + - .isort.cfg + - .mdl_config.yaml + - .yamllint +upstream update: + - head-branch: + # Any Lineage pull requests should use this branch. + - lineage/skeleton +version bump: + - changed-files: + - any-glob-to-any-file: + # Ensure this matches your version tracking file(s). + - version.txt diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml new file mode 100644 index 0000000..a107347 --- /dev/null +++ b/.github/workflows/label-prs.yml 
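Review bot: The `version bump` rule watches `version.txt`, but this repository tracks its version in `src/example/_version.py` (the `__version__` bump elsewhere in this series edits that file), so the label can never fire; the inline comment already asks for this to be adjusted, e.g. `- src/**/_version.py`. The `python` entry is left commented out although this is a Python library with sources under `src/`, and `dependencies` would presumably also want `setup.py`, which the build workflow already hashes for its cache key. A one-line header noting that this file was copied from the generic skeleton and must be tailored per repository would make those gaps obvious to the next downstream consumer.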
@@ -0,0 +1,93 @@
+---
+name: Label pull requests
+
+on: # yamllint disable-line rule:truthy
+ pull_request:
+ types:
+ - edited
+ - opened
+ - synchronize
+
+# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
+# nounset, errexit, and pipefail. The `-x` will print all commands as they are
+# run. Please see the GitHub Actions documentation for more information:
+# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
+defaults:
+ run:
+ shell: bash -Eueo pipefail -x {0}
+
+jobs:
+ diagnostics:
+ name: Run diagnostics
+ # This job does not need any permissions
+ permissions: {}
+ runs-on: ubuntu-latest
+ steps:
+ # Note that a duplicate of this step must be added at the top of
+ # each job.
+ - name: Apply standard cisagov job preamble
+ uses: cisagov/action-job-preamble@v1
+ with:
+ check_github_status: "true"
+ # This functionality is poorly implemented and has been
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-enable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
+ output_workflow_context: "true"
+ # Use a variable to specify the permissions monitoring
+ # configuration. By default this will yield the
+ # configuration stored in the cisagov organization-level
+ # variable, but if you want to use a different configuration
+ # then simply:
+ # 1. Create a repository-level variable with the name
+ # ACTIONS_PERMISSIONS_CONFIG.
+ # 2. Set this new variable's value to the configuration you
+ # want to use for this repository.
+ #
+ # Note in particular that changing the permissions
+ # monitoring configuration *does not* require you to modify
+ # this workflow.
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+ label:
+ needs:
+ - diagnostics
+ permissions:
+ # Permissions required by actions/labeler
+ contents: read
+ issues: write
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Apply standard cisagov job preamble
+ uses: cisagov/action-job-preamble@v1
+ with:
+ # This functionality is poorly implemented and has been
+ # causing problems due to the MITM implementation hogging or
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-enable this functionality when practical. See
+ # cisagov/skeleton-generic#207 for more details.
+ monitor_permissions: "false"
+ # Use a variable to specify the permissions monitoring
+ # configuration. By default this will yield the
+ # configuration stored in the cisagov organization-level
+ # variable, but if you want to use a different configuration
+ # then simply:
+ # 1. Create a repository-level variable with the name
+ # ACTIONS_PERMISSIONS_CONFIG.
+ # 2. Set this new variable's value to the configuration you
+ # want to use for this repository.
+ #
+ # Note in particular that changing the permissions
+ # monitoring configuration *does not* require you to modify
+ # this workflow.
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+ - name: Apply suitable labels to a pull request
+ uses: actions/labeler@v5
From 0aba2813c7f64b7ab1cb601544bf05064f9a71f2 Mon Sep 17 00:00:00 2001
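Review bot: The `label` job is triggered by `pull_request` yet relies on `pull-requests: write`; for a pull request opened from a fork the GITHUB_TOKEN is read-only regardless of the `permissions:` block, so if this repository accepts fork pull requests the `actions/labeler@v5` step will fail with a permission error rather than label them. The actions/labeler documentation addresses this with the `pull_request_target` event, which is acceptable here only because the workflow never checks out or executes code from the pull request; if you switch events, record that invariant in a comment, e.g. `# pull_request_target runs with a write token: never check out or run PR code in this job.`, so a later edit does not add an `actions/checkout` of the PR head. Separately, `cisagov/action-job-preamble@v1` and `actions/labeler@v5` are floating major tags; for steps granted write access to issues and pull requests, pinning to a full commit SHA with a `# vN` trailing comment (which dependabot still updates) limits exposure to a compromised or retargeted tag. This hunk is the whole new file, so nothing continues outside it.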
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 8 Sep 2025 12:44:47 -0400 Subject: [PATCH 311/383] Bump actions/labeler from 5 to 6 Bumps [actions/labeler](https://github.com/actions/labeler) from 5 to 6. - [Release notes](https://github.com/actions/labeler/releases) - [Commits](actions/labeler@v5...v6) --- updated-dependencies: - dependency-name: actions/labeler dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/label-prs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml index a107347..9d78e39 100644 --- a/.github/workflows/label-prs.yml +++ b/.github/workflows/label-prs.yml @@ -90,4 +90,4 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Apply suitable labels to a pull request - uses: actions/labeler@v5 + uses: actions/labeler@v6 From 507fe983481126be7e953ccb8e9476368b378c42 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 19:00:55 +0000 Subject: [PATCH 312/383] Bump actions/setup-python from 5 to 6 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7fe4f16..bcd9028 100644 --- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml @@ -102,7 +102,7 @@ jobs: uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ steps.setup-env.outputs.python-version }} # We need the Go version and Go cache location for the actions/cache step, From 428ab617f1162c6514ddd2efb575ba2f37ff4c1f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 19:00:58 +0000 Subject: [PATCH 313/383] Bump actions/setup-go from 5 to 6 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7fe4f16..d302901 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -108,7 +108,7 @@ jobs: # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: # There is no expectation for actual Go code so we disable caching as # it relies on the existence of a go.sum file. From 623a983457d949be691753782997c97f50ebe9c6 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:23:07 -0400 Subject: [PATCH 314/383] Adjust the labels dependabot uses Instead of using the default labels for the `github-actions` package ecosystem we specify the labels explicitly. This is done to ensure that dependabot uses our `github-actions` label instead of the default of `github_actions`. We must also explicitly specify the `dependencies` label since we are overriding the default label values. --- .github/dependabot.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c17fa4c..d3688af 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -21,6 +21,12 @@ updates: # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate + labels: + # dependabot default we need to replicate + - dependencies + # This matches our label definition in .github/labels.yml as opposed to + # dependabot's default of `github_actions`. + - github-actions package-ecosystem: github-actions schedule: interval: weekly From 03065cdc17b57141a9fc88b7c95cd76c9c2b93d5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 16 Sep 2025 10:14:00 -0400 Subject: [PATCH 315/383] Adjust GNU getopt check logic in the `setup-env` script Change the check from looking for specific text in the version output to using the `--test` option. This will provide a more robust implementation of this check that does not have to worry about output format stability. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- setup-env | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup-env b/setup-env index f3304d9..89c7603 100755 --- a/setup-env +++ b/setup-env 
@@ -101,10 +101,10 @@ LONGOPTS="force,help,install-hooks,list-versions,python-version:,venv-name:" # Define short options for getopt SHORTOPTS="fhilp:v:" -# Check for GNU getopt by matching a specific pattern ("getopt from util-linux") -# in its version output. This approach presumes the output format remains stable. -# Be aware that format changes could invalidate this check. -if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then +# Check for GNU getopt by testing for long option support. GNU getopt supports +# the "--test" option and will return exit code 4 while POSIX/BSD getopt does +# not and will return exit code 0. +if getopt --test > /dev/null 2>&1; then cat << 'END_OF_LINE' Please note, this script requires GNU getopt due to its enhanced From c7e1ce848099c84bf1124f66acc93de52021bb2b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Sep 2025 15:45:32 +0000 Subject: [PATCH 316/383] Bump actions/checkout from 4 to 5 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d62be35..c11089c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
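Review bot: The new condition no longer reports a missing getopt: when no `getopt` binary is on PATH the command exits with status 127, the `if` is false, and the script continues silently to its real `getopt` invocation, whereas the removed `$(getopt --version ...)` comparison treated empty output as "not GNU" and printed the explanatory message in that case too. Keep that behaviour by checking presence first, `if ! command -v getopt > /dev/null 2>&1 || getopt --test > /dev/null 2>&1; then`, and add a comment line such as `# A missing getopt is reported the same way as a non-GNU one.`. The exit-code reasoning in the new comment agrees with GNU getopt's documented `--test` behaviour (no output, status 4); the body of the `if` continues past the end of the hunk.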
@@ -100,7 +100,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@v1 - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python uses: actions/setup-python@v6 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index dd59d04..0722fa3 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -113,7 +113,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index ee87e04..bc859d1 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -89,7 +89,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: checkout-repo name: Checkout the repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - id: dependency-review name: Review dependency changes for vulnerabilities and license changes uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index fa6f772..19e0129 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -84,7 +84,7 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Sync repository labels if: success() uses: crazy-max/ghaction-github-labeler@v5 From d070095f0a23e31fec3eab43acf1d9bdc67797b3 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 4 May 2025 05:51:15 -0400 Subject: [PATCH 317/383] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9273b18..bc76d85 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -16,7 +16,7 @@ repos: - id: check-useless-excludes - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 + rev: v6.0.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -45,17 +45,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.44.0 + rev: v0.45.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/rbubley/mirrors-prettier - rev: v3.5.3 + rev: v3.6.2 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.37.0 + rev: v1.37.1 hooks: - id: yamllint args: @@ -63,20 +63,20 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.32.1 + rev: 0.33.3 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.2.0 + rev: v4.3.0 hooks: - id: validate_manifest # Go hooks - repo: https://github.com/TekWizely/pre-commit-golang - rev: v1.0.0-rc.1 + rev: v1.0.0-rc.2 hooks: # Go Build - id: go-build-repo-mod @@ -105,7 +105,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.11.0-1 + rev: v3.12.0-2 hooks: - id: shfmt args: 
@@ -123,13 +123,13 @@ repos: # Redirect operators are followed by a space - --space-redirects - repo: https://github.com/shellcheck-py/shellcheck-py - rev: v0.10.0.1 + rev: v0.11.0.1 hooks: - id: shellcheck # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.8.3 + rev: 1.8.6 hooks: - id: bandit args: @@ -139,7 +139,7 @@ repos: hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.1.2 + rev: 7.3.0 hooks: - id: flake8 additional_dependencies: @@ -149,11 +149,11 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.15.0 + rev: v1.18.1 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit - rev: v2.8.0 + rev: v2.9.0 hooks: - id: pip-audit args: @@ -165,13 +165,13 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.19.1 + rev: v3.20.0 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v25.4.0 + rev: v25.9.0 hooks: - id: ansible-lint additional_dependencies: @@ -215,7 +215,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.98.0 + rev: v1.100.0 hooks: - id: terraform_fmt - id: terraform_validate @@ -228,7 +228,7 @@ repos: # Packer hooks - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.3.0 + rev: v0.3.1 hooks: - id: packer_fmt - id: packer_validate From ee20b2a6866b77f826a93dad5eaa689e18377275 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 29 Aug 2025 17:19:53 -0400 Subject: [PATCH 318/383] Conform to new markdownlint rule A new rule, `MD059/descriptive-link-text`, was added in markdownlint's 0.38.0 release, which itself is used in v0.45.0 of markdownlint-cli. As such, we must update to conform to the new rule. --- CONTRIBUTING.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f9fa53a..a631733 100644 --- a/CONTRIBUTING.md 
+++ b/CONTRIBUTING.md @@ -132,11 +132,10 @@ you can begin to use `pyenv`. For a list of Python versions that are already installed and ready to use with `pyenv`, use the command `pyenv versions`. To see a list of the Python versions available to be installed and used with `pyenv` -use the command `pyenv install --list`. You can read more -[here](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md) about -the many things that `pyenv` can do. See -[here](https://github.com/pyenv/pyenv-virtualenv#usage) for the -additional capabilities that pyenv-virtualenv adds to the `pyenv` +use the command `pyenv install --list`. You can read more about +the [many things that `pyenv` can do](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md). +See the [usage information](https://github.com/pyenv/pyenv-virtualenv#usage) +for the additional capabilities that pyenv-virtualenv adds to the `pyenv` command. #### Creating the Python virtual environment #### From 5bde44c0ead00f5c2b6c421d25a109d4cc839601 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 17 Sep 2025 12:22:39 -0400 Subject: [PATCH 319/383] Bump version from 0.0.1-rc.1 to 1.0.0 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 871d40b..3eefcb9 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.0.1-rc.1 +1.0.0 From f23025ae9eb1b5b731517f1c046de7e2973d1e8e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 11:29:58 -0400 Subject: [PATCH 320/383] Update GitHub actions to versions used upstream --- .github/workflows/build.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c9f0820..3e1f069 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -251,9 +251,9 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 @@ -324,7 +324,7 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Finished coveralls reports uses: coverallsapp/github-action@v2 with: @@ -378,9 +378,9 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 @@ -463,9 +463,9 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 From f5eb17b2f9d4a32163d619d58f0f5b8295806db0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 11:30:41 -0400 Subject: [PATCH 321/383] Sync bandit versions used in pre-commit config --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a91ce0a..df67df9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -139,7 +139,7 @@ repos: - --config=.bandit.yml # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit - rev: 1.8.3 + rev: 1.8.6 hooks: - id: bandit name: bandit (everything else) From 187e76b1a72f5c27cdf6aa5d3bc6512687165f6f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 14:31:13 -0400 Subject: [PATCH 322/383] Add python configuration to labeler --- .github/labeler.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index c7f044b..224b713 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -33,10 +33,10 @@ github-actions: # - any-glob-to-any-file: # - "**/*.pkr.hcl" # Enable if Python is used in the repository. -# python: -# - changed-files: -# - any-glob-to-any-file: -# - "**/*.py" +python: + - changed-files: + - any-glob-to-any-file: + - "**/*.py" # Enable if Terraform is used in the repository. # terraform: # - changed-files: From 11b22549708520ebebdd4cd6a1dff193da23bc1e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 14:33:06 -0400 Subject: [PATCH 323/383] Add Python tests and pytest.ini to labeler test configuration --- .github/labeler.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index 224b713..33bfbaf 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -52,6 +52,8 @@ test: - .isort.cfg - .mdl_config.yaml - .yamllint + - pytest.ini + - tests/**/*.py upstream update: - head-branch: # Any Lineage pull requests should use this branch. From bc0278ba6298428e4828da87eeb6852e6540f3bf Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 14:34:35 -0400 Subject: [PATCH 324/383] Correct version file in labeler configuration --- .github/labeler.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 33bfbaf..5e6e91a 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -62,4 +62,4 @@ version bump: - changed-files: - any-glob-to-any-file: # Ensure this matches your version tracking file(s). - - version.txt + - src/**/_version.py From d18e90bfb8070d41dd539044a4e151486b627080 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 19 Sep 2025 16:03:28 -0400 Subject: [PATCH 325/383] Add additional repository labels This adds labels that are common in downstream repositories to the core configuration. This will help ensure consistent label availability. --- .github/labels.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/labels.yml b/.github/labels.yml index fe9a53e..b1311af 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -2,6 +2,9 @@ # Rather than breaking up descriptions into multiline strings we disable that # specific rule in yamllint for this file. # yamllint disable rule:line-length +- color: f15a53 + description: Pull requests that update Ansible code + name: ansible - color: eb6420 description: This issue or pull request is awaiting the outcome of another issue or pull request name: blocked @@ -17,6 +20,9 @@ - color: 0366d6 description: Pull requests that update a dependency file name: dependencies +- color: 2497ed + description: Pull requests that update Docker code + name: docker - color: 5319e7 description: This issue or pull request improves or adds to documentation name: documentation 
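Review bot: The added `color` values (`f15a53`, `2497ed` here, and `02a8ef`, `3772a4`, `7b42bc` in the next hunk of this file) are unquoted plain scalars, continuing the file's existing style. These particular values are safe because each contains a letter that no number pattern accepts, but the convention is fragile: an all-digit colour such as `000000` is parsed as the integer 0, and on YAML 1.2 parsers a value like `1e1000` is read as a float, so whether the action then receives a usable string depends on how it stringifies non-string values. Quoting new colours, `- color: "f15a53"`, removes the trap at no cost; the same applies to the `javascript` and `typescript` entries added in a later commit (`f1d642`, `2b6ebf`).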
@@ -50,12 +56,21 @@ - color: fcdb45 description: This pull request is awaiting an action or decision to move forward name: on hold +- color: 02a8ef + description: Pull requests that update Packer code + name: packer +- color: 3772a4 + description: Pull requests that update Python code + name: python - color: ef476c description: This issue is a request for information or needs discussion name: question - color: d73a4a description: This issue or pull request addresses a security issue name: security +- color: 7b42bc + description: Pull requests that update Terraform code + name: terraform - color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test From e875abf74fc8cd799c17430c74a1d95eddc63466 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 22 Sep 2025 01:13:44 -0400 Subject: [PATCH 326/383] Add auto-label configuration for the `docker` label Add a configuration to automatically apply the `docker` label to pull requests. --- .github/labeler.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index c7f044b..49b89ef 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -19,6 +19,13 @@ dependencies: # Add any dependency files used. - .pre-commit-config.yaml - requirements*.txt +# Enable if Docker is used in the repository. +# docker: +# - changed-files: +# - any-glob-to-any-file: +# - "**/compose*.yml" +# - "**/docker-compose*.yml" +# - "**/Dockerfile*" documentation: - changed-files: - any-glob-to-any-file: From b5e805ef4c441e8d5f9dfd49bbf69935de8820d4 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 22 Sep 2025 09:10:14 -0400 Subject: [PATCH 327/383] Add setup.py as a trigger for the dependencies label Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/labeler.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/labeler.yml b/.github/labeler.yml index 5e6e91a..945e498 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -19,6 +19,7 @@ dependencies: # Add any dependency files used. - .pre-commit-config.yaml - requirements*.txt + - setup.py documentation: - changed-files: - any-glob-to-any-file: From 4b040c118288daff49ffe4d20b62a9c528f14adb Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 8 Feb 2025 05:30:34 -0500 Subject: [PATCH 328/383] Remove the Snyk badge from the README We no longer use the Snyk service so it makes sense to remove the badge. --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 79390aa..67a35ac 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,6 @@ [![GitHub Build Status](https://github.com/cisagov/skeleton-python-library/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions) [![CodeQL](https://github.com/cisagov/skeleton-python-library/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions/workflows/codeql-analysis.yml) [![Coverage Status](https://coveralls.io/repos/github/cisagov/skeleton-python-library/badge.svg?branch=develop)](https://coveralls.io/github/cisagov/skeleton-python-library?branch=develop) -[![Known Vulnerabilities](https://snyk.io/test/github/cisagov/skeleton-python-library/develop/badge.svg)](https://snyk.io/test/github/cisagov/skeleton-python-library) This is a generic skeleton project that can be used to quickly get a new [cisagov](https://github.com/cisagov) Python library GitHub From f0638404e07e7aa02eafcc0505e413802f0c32af Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 22 Sep 2025 01:29:56 -0400 Subject: [PATCH 329/383] Separate Coveralls build results by platform Currently we only set the flag for build results to the Python version, but since we test across platforms now we should also separate by the platform as well. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8202dc8..4f0822d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -283,7 +283,7 @@ jobs: - name: Upload coverage report uses: coverallsapp/github-action@v2 with: - flag-name: py${{ matrix.python-version }} + flag-name: py${{ matrix.python-version }} - ${{ matrix.platform }} parallel: true if: success() - name: Setup tmate debug session From 65474e25bdeb697e85653f74e7587e7f6cd42ce5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Oct 2025 09:36:57 -0400 Subject: [PATCH 330/383] Enable all label configuration for actions/labeler We can enable all label configurations for actions/labeler by default now that all of these labels are defined in the configuration for crazy-max/ghaction-github-labeler. --- .github/labeler.yml | 49 ++++++++++++++++++++------------------------- 1 file changed, 22 insertions(+), 27 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 49b89ef..8100ae7 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -8,24 +8,22 @@
 # crazy-max/ghaction-github-labeler configuration file located at
 # .github/labels.yml.
-# Enable if Ansible playbooks are used in the repository.
-# ansible:
-# - changed-files:
-# - any-glob-to-any-file:
-# - "**/ansible/**"
+ansible:
+ - changed-files:
+ - any-glob-to-any-file:
+ - "**/ansible/**"
 dependencies:
 - changed-files:
 - any-glob-to-any-file:
 # Add any dependency files used.
 - .pre-commit-config.yaml
 - requirements*.txt
-# Enable if Docker is used in the repository.
-# docker:
-# - changed-files:
-# - any-glob-to-any-file:
-# - "**/compose*.yml"
-# - "**/docker-compose*.yml"
-# - "**/Dockerfile*"
+docker:
+ - changed-files:
+ - any-glob-to-any-file:
+ - "**/compose*.yml"
+ - "**/docker-compose*.yml"
+ - "**/Dockerfile*"
 documentation:
 - changed-files:
 - any-glob-to-any-file:
@@ -34,21 +32,18 @@ github-actions:
 - changed-files:
 - any-glob-to-any-file:
 - .github/workflows/**
-# Enable if Packer is used in the repository.
-# packer:
-# - changed-files:
-# - any-glob-to-any-file:
-# - "**/*.pkr.hcl"
-# Enable if Python is used in the repository.
-# python:
-# - changed-files:
-# - any-glob-to-any-file:
-# - "**/*.py"
-# Enable if Terraform is used in the repository.
-# terraform:
-# - changed-files:
-# - any-glob-to-any-file:
-# - "**/*.tf"
+packer:
+ - changed-files:
+ - any-glob-to-any-file:
+ - "**/*.pkr.hcl"
+python:
+ - changed-files:
+ - any-glob-to-any-file:
+ - "**/*.py"
+terraform:
+ - changed-files:
+ - any-glob-to-any-file:
+ - "**/*.tf"
 test:
 - changed-files:
 - any-glob-to-any-file:
From 3cf19cd3794f5d325ec0ba57ce5f8d7fe5dfdac9 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Fri, 3 Oct 2025 12:42:12 -0400
Subject: [PATCH 331/383] Add JavaScript-related labels
Add labels for JavaScript and TypeScript to the configuration for crazy-max/ghaction-github-labeler.
---
 .github/labels.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/labels.yml b/.github/labels.yml
index b1311af..650ed7c 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -47,6 +47,9 @@
 - color: fef2c0
 description: This issue or pull request is not applicable, incorrect, or obsolete
 name: invalid
+- color: f1d642
+ description: Pull requests that update JavaScript code
+ name: javascript
 - color: ce099a
 description: This pull request is ready to merge during the next Lineage Kraken release
 name: kraken 🐙
@@ -74,6 +77,9 @@
 - color: 00008b
 description: This issue or pull request adds or otherwise modifies test code
 name: test
+- color: 2b6ebf
+ description: Pull requests that update TypeScript code
+ name: typescript
 - color: 1d76db
 description: This issue or pull request pulls in upstream updates
 name: upstream update
From e38c7f0d43b84c8b5390773eb20d3d99ff643230 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Fri, 3 Oct 2025 12:54:50 -0400
Subject: [PATCH 332/383] Add JavaScript-related labels to the labeler configuration
Add the new `javascript` and `typescript` labels with appropriate matching rules to the actions/labeler configuration.
---
 .github/labeler.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index 8100ae7..a4e2186 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -32,6 +32,10 @@ github-actions:
 - changed-files:
 - any-glob-to-any-file:
 - .github/workflows/**
+javascript:
+ - changed-files:
+ - any-glob-to-any-file:
+ - "**/*.js"
 packer:
 - changed-files:
 - any-glob-to-any-file:
@@ -54,6 +58,10 @@ test:
 - .isort.cfg
 - .mdl_config.yaml
 - .yamllint
+typescript:
+ - changed-files:
+ - any-glob-to-any-file:
+ - "**/*.ts"
 upstream update:
 - head-branch:
 # Any Lineage pull requests should use this branch.
From f5bc4493caf13f6effddf84b6a58d97923c77254 Mon Sep 17 00:00:00 2001
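Review bot: The new `javascript` and `typescript` rules match only `**/*.js` and `**/*.ts`, so the JSX/TSX and module-suffix variants (`.jsx`, `.mjs`, `.cjs`, `.tsx`, `.mts`, `.cts`) never receive either label, which would be surprising for a skeleton meant to be inherited by many projects. If those are in scope, add them as further globs under the respective `any-glob-to-any-file` list, e.g. `- "**/*.jsx"` next to `- "**/*.js"` and `- "**/*.tsx"` next to `- "**/*.ts"`, keeping them quoted since a leading `*` would otherwise be read as a YAML alias. This applies to both hunks of PATCH 332 (`@@ -32,6 +32,10 @@` and `@@ -54,6 +58,10 @@`).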
From: Jeremy Frasier
Date: Thu, 9 Oct 2025 16:40:11 -0400
Subject: [PATCH 333/383] Allow any changes in tests dir to trigger test label
Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com>
---
 .github/labeler.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index cc5c3be..0826a4d 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -60,7 +60,7 @@ test:
 - .mdl_config.yaml
 - .yamllint
 - pytest.ini
- - tests/**/*.py
+ - tests/**
 typescript:
 - changed-files:
 - any-glob-to-any-file:
From 195fc251507c5f50777b7618b869247768811dda Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 10 Oct 2025 10:10:54 -0400
Subject: [PATCH 334/383] Add support for Python 3.14
---
 .github/workflows/build.yml | 3 +++
 setup.py | 1 +
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4f0822d..922d219 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -224,6 +224,7 @@ jobs:
 - "3.11"
 - "3.12"
 - "3.13"
+ - "3.14"
 steps:
 - name: Apply standard cisagov job preamble
 uses: cisagov/action-job-preamble@v1
@@ -351,6 +352,7 @@ jobs:
 - "3.11"
 - "3.12"
 - "3.13"
+ - "3.14"
 steps:
 - name: Apply standard cisagov job preamble
 uses: cisagov/action-job-preamble@v1
@@ -436,6 +438,7 @@ jobs:
 - "3.11"
 - "3.12"
 - "3.13"
+ - "3.14"
 steps:
 - name: Apply standard cisagov job preamble
 uses: cisagov/action-job-preamble@v1
diff --git a/setup.py b/setup.py
index 49cc92a..16fe44c 100644
--- a/setup.py
+++ b/setup.py
@@ -80,6 +80,7 @@ def get_version(version_file):
 "Programming Language :: Python :: 3.11",
 "Programming Language :: Python :: 3.12",
 "Programming Language :: Python :: 3.13",
+ "Programming Language :: Python :: 3.14",
 "Programming Language :: Python :: Implementation :: CPython",
 ],
 python_requires=">=3.9",
From 49a62ee01d1718b1cef2df793c2f04b86f5286da Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 10 Oct 2025 11:10:06 -0400
Subject: [PATCH 335/383] Bump version from 0.2.2 to 0.3.0
---
 src/example/_version.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/example/_version.py b/src/example/_version.py
index a0fb112..871cf76 100644
--- a/src/example/_version.py
+++ b/src/example/_version.py
@@ -1,3 +1,3 @@
 """This file defines the version of this module."""
-__version__ = "0.2.2"
+__version__ = "0.3.0"
From 59f893b034e472e35ae79f2503a6d0cf6a65c6e4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 Oct 2025 18:01:12 +0000
Subject: [PATCH 336/383] Bump github/codeql-action from 3 to 4
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3...v4)
---
updated-dependencies:
- dependency-name: github/codeql-action
 dependency-version: '4'
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/codeql-analysis.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 0722fa3..ac19c95 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -117,7 +117,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
 with:
 languages: ${{ matrix.language }}
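Review bot: `uses: github/codeql-action/init@v4` references a mutable major tag, so whatever commit that tag resolves to at run time executes with this workflow's token and permissions; pinning the full commit SHA with a trailing version comment, `uses: github/codeql-action/init@<commit-sha>  # v4`, gives an immutable reference while Dependabot still tracks new releases through the comment. The same applies to the `autobuild@v4` and `analyze@v4` lines in the next two hunks of this patch and to the `actions/download-artifact@v6` bump in PATCH 338. Whether the organisation already enforces an allow-list of actions is not visible here, so this may be an accepted trade-off.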
@@ -125,7 +125,7 @@ jobs:
 # Java). If this step fails, then you should remove it and run the build
 # manually (see below).
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@v4
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -139,4 +139,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
From a44c47daa5cc09ed51cfd9930efdb1c0d6e51f50 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 15 Oct 2025 12:26:46 -0400
Subject: [PATCH 337/383] Remove an unnecessary permission from the PR label workflow
There should be no reason for the actions/labeler action to create new labels so we can remove the permission that would allow this to occur.
---
 .github/workflows/label-prs.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml
index 9d78e39..412cc4a 100644
--- a/.github/workflows/label-prs.yml
+++ b/.github/workflows/label-prs.yml
@@ -59,7 +59,6 @@ jobs:
 permissions:
 # Permissions required by actions/labeler
 contents: read
- issues: write
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
From f5ede35548c3531b9478891358594169372a4673 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 27 Oct 2025 17:15:51 +0000
Subject: [PATCH 338/383] Bump actions/download-artifact from 5 to 6
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 5 to 6.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/v5...v6)
---
updated-dependencies:
- dependency-name: actions/download-artifact
 dependency-version: '6'
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 922d219..79dcaf3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -487,7 +487,7 @@ jobs:
 restore-keys: |
 ${{ env.BASE_CACHE_KEY }}
 - name: Retrieve the built wheel
- uses: actions/download-artifact@v5
+ uses: actions/download-artifact@v6
 with:
 name: dist-${{ matrix.python-version }}
 path: dist
From 336618a8848a51ce56322e045a3955a12ee13a13 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 28 Oct 2025 13:13:42 -0400
Subject: [PATCH 339/383] Add pyproject.toml and remove setup.py
---
 .github/labeler.yml | 2 +-
 pyproject.toml | 74 ++++++++++++++++++++++++++++
 setup.py | 116 --------------------------------------------
 3 files changed, 75 insertions(+), 117 deletions(-)
 create mode 100644 pyproject.toml
 delete mode 100644 setup.py
diff --git a/.github/labeler.yml b/.github/labeler.yml
index 0826a4d..bfce97d 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -18,7 +18,7 @@ dependencies:
 # Add any dependency files used.
 - .pre-commit-config.yaml
 - requirements*.txt
- - setup.py
+ - pyproject.toml
 docker:
 - changed-files:
 - any-glob-to-any-file:
diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 0000000..a9d5cf3
--- /dev/null
+++ b/pyproject.toml
@@ -0,0 +1,74 @@
+# For more information about configuring project metadata for the
+# hatch build backend, please see
+# https://hatch.pypa.io/latest/config/metadata/
+[build-system]
+build-backend = "hatchling.build"
+requires = ["hatchling"]
+
+[project]
+authors = [
+ { name = "Cybersecurity and Infrastructure Security Agency", email = "github@cisa.dhs.gov" }
+]
+classifiers = [
+ # How mature is this project? Common values are
+ # 3 - Alpha
+ # 4 - Beta
+ # 5 - Production/Stable
+ "Development Status :: 3 - Alpha",
+ # Indicate who your project is intended for
+ "Intended Audience :: Developers",
+ # Pick your license as you wish (should match "license" above)
+ "License :: CC0 1.0 Universal (CC0 1.0) Public Domain Dedication",
+ # Specify the Python versions you support here. In particular, ensure
+ # that you indicate whether you support Python 2, Python 3 or both.
+ "Programming Language :: Python :: 3",
+ "Programming Language :: Python :: 3 :: Only",
+ "Programming Language :: Python :: 3.9",
+ "Programming Language :: Python :: 3.10",
+ "Programming Language :: Python :: 3.11",
+ "Programming Language :: Python :: 3.12",
+ "Programming Language :: Python :: 3.13",
+ "Programming Language :: Python :: 3.14",
+ "Programming Language :: Python :: Implementation :: CPython",
+]
+dependencies = [
+ "docopt",
+ "schema",
+]
+description = "Example Python library"
+dynamic = ["version"]
+keywords = ["skeleton"]
+license = " CC-BY-1.0"
+name = "example"
+readme = "README.md"
+requires-python = ">=3.9"
+
+[project.optional-dependencies]
+# IMPORTANT: Keep type hinting-related dependencies of the dev section
+# in sync with the mypy pre-commit hook configuration (see
+# .pre-commit-config.yaml). Any changes to type hinting-related
+# dependencies here should be reflected in the additional_dependencies
+# field of the mypy pre-commit hook to avoid discrepancies in type
+# checking between environments.
+dev = [
+ "types-docopt",
+ "types-setuptools",
+]
+test = [
+ "coverage",
+ "coveralls",
+ "pre-commit",
+ "pytest-cov",
+ "pytest",
+]
+
+[project.scripts]
+example = "example.example:main"
+
+[project.urls]
+Mission = "https://www.cisa.gov/cybersecurity"
+Source = "https://github.com/cisagov/skeleton-python-library"
+Tracker = "https://github.com/cisagov/skeleton-python-library/issues"
+
+[tool.hatch.version]
+path = "src/example/_version.py"
diff --git a/setup.py b/setup.py
deleted file mode 100644
index 16fe44c..0000000
--- a/setup.py
+++ /dev/null
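Review bot: `license = " CC-BY-1.0"` in the new pyproject.toml has a leading space and names a different licence from both the `"License :: CC0 1.0 Universal (CC0 1.0) Public Domain Dedication"` classifier a few lines above it and the `license=` string being removed from setup.py; as a PEP 621 `license` string it must be a bare SPDX expression, so it should read `license = "CC0-1.0"`. `dependencies` also drops the `setuptools` entry that `install_requires` carried, which is only safe if nothing under `src/example` imports `pkg_resources` or `setuptools` at runtime (not visible here), and if that is the case the `types-setuptools` entry in the `dev` extra looks stale as well. The `@@ -0,0 +1,74 @@` hunk begins on the previous line.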
@@ -1,116 +0,0 @@
-"""
-This is the setup module for the example project.
-
-Based on:
-
-- https://packaging.python.org/distributing/
-- https://github.com/pypa/sampleproject/blob/master/setup.py
-- https://blog.ionelmc.ro/2014/05/25/python-packaging/#the-structure
-"""
-
-# Standard Python Libraries
-import codecs
-from glob import glob
-from os.path import abspath, basename, dirname, join, splitext
-
-# Third-Party Libraries
-from setuptools import find_packages, setup
-
-
-def readme():
- """Read in and return the contents of the project's README.md file."""
- with open("README.md", encoding="utf-8") as f:
- return f.read()
-
-
-# Below two methods were pulled from:
-# https://packaging.python.org/guides/single-sourcing-package-version/
-def read(rel_path):
- """Open a file for reading from a given relative path."""
- here = abspath(dirname(__file__))
- with codecs.open(join(here, rel_path), "r") as fp:
- return fp.read()
-
-
-def get_version(version_file):
- """Extract a version number from the given file path."""
- for line in read(version_file).splitlines():
- if line.startswith("__version__"):
- delim = '"' if '"' in line else "'"
- return line.split(delim)[1]
- raise RuntimeError("Unable to find version string.")
-
-
-setup(
- name="example",
- # Versions should comply with PEP440
- version=get_version("src/example/_version.py"),
- description="Example Python library",
- long_description=readme(),
- long_description_content_type="text/markdown",
- # Landing page for CISA's cybersecurity mission
- url="https://www.cisa.gov/cybersecurity",
- # Additional URLs for this project per
- # https://packaging.python.org/guides/distributing-packages-using-setuptools/#project-urls
- project_urls={
- "Source": "https://github.com/cisagov/skeleton-python-library",
- "Tracker": "https://github.com/cisagov/skeleton-python-library/issues",
- },
- # Author details
- author="Cybersecurity and Infrastructure Security Agency",
- author_email="github@cisa.dhs.gov",
- license="License :: CC0 1.0 Universal (CC0 1.0) Public Domain Dedication",
- # See https://pypi.python.org/pypi?%3Aaction=list_classifiers
- classifiers=[
- # How mature is this project? Common values are
- # 3 - Alpha
- # 4 - Beta
- # 5 - Production/Stable
- "Development Status :: 3 - Alpha",
- # Indicate who your project is intended for
- "Intended Audience :: Developers",
- # Pick your license as you wish (should match "license" above)
- "License :: CC0 1.0 Universal (CC0 1.0) Public Domain Dedication",
- # Specify the Python versions you support here. In particular, ensure
- # that you indicate whether you support Python 2, Python 3 or both.
- "Programming Language :: Python :: 3",
- "Programming Language :: Python :: 3 :: Only",
- "Programming Language :: Python :: 3.9",
- "Programming Language :: Python :: 3.10",
- "Programming Language :: Python :: 3.11",
- "Programming Language :: Python :: 3.12",
- "Programming Language :: Python :: 3.13",
- "Programming Language :: Python :: 3.14",
- "Programming Language :: Python :: Implementation :: CPython",
- ],
- python_requires=">=3.9",
- # What does your project relate to?
- keywords="skeleton",
- packages=find_packages(where="src"),
- package_dir={"": "src"},
- package_data={"example": ["data/*.txt"]},
- py_modules=[splitext(basename(path))[0] for path in glob("src/*.py")],
- include_package_data=True,
- install_requires=["docopt", "schema", "setuptools"],
- extras_require={
- # IMPORTANT: Keep type hinting-related dependencies of the dev section
- # in sync with the mypy pre-commit hook configuration (see
- # .pre-commit-config.yaml). Any changes to type hinting-related
- # dependencies here should be reflected in the additional_dependencies
- # field of the mypy pre-commit hook to avoid discrepancies in type
- # checking between environments.
- "dev": [
- "types-docopt",
- "types-setuptools",
- ],
- "test": [
- "coverage",
- "coveralls",
- "pre-commit",
- "pytest-cov",
- "pytest",
- ],
- },
- # Conveniently allows one to run the CLI tool as `example`
- entry_points={"console_scripts": ["example = example.example:main"]},
-)
From c02b9d2bc5f17757b0eda718b2f9a32800c06c5a Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 28 Oct 2025 13:35:17 -0400
Subject: [PATCH 340/383] Move pytest config to pyproject.toml
---
 pyproject.toml | 6 ++++++
 pytest.ini | 4 ----
 2 files changed, 6 insertions(+), 4 deletions(-)
 delete mode 100644 pytest.ini
diff --git a/pyproject.toml b/pyproject.toml
index a9d5cf3..e03e669 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -72,3 +72,9 @@ Tracker = "https://github.com/cisagov/skeleton-python-library/issues"
 [tool.hatch.version]
 path = "src/example/_version.py"
+
+[tool.pytest.ini_options]
+# Increase verbosity, display extra test summary info for tests that
+# did not pass, display code coverage results, and enable debug
+# logging.
+addopts = "--verbose -ra --cov --log-cli-level=DEBUG"
diff --git a/pytest.ini b/pytest.ini
deleted file mode 100644
index a1c266e..0000000
--- a/pytest.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-[pytest]
-# Increase verbosity, display extra test summary info for tests that did not pass,
-# display code coverage results, and enable debug logging
-addopts = --verbose -ra --cov --log-cli-level=DEBUG
From 629a0cc616bd06540bddc3ccd39de55bab61403a Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 28 Oct 2025 16:11:15 -0400
Subject: [PATCH 341/383] Add a license badge
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index cb6c85a..4034ce6 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,9 @@
 [![GitHub Build Status](https://github.com/cisagov/skeleton-generic/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-generic/actions)
+[![License](https://img.shields.io/github/license/cisagov/skeleton-generic
+)](https://spdx.org/licenses/)
+
 This is a generic skeleton project that can be used to quickly get a new [cisagov](https://github.com/cisagov) GitHub project started. This skeleton project contains [licensing information](LICENSE), as
From e1331191e7858857c72cac55107e37508e744b6a Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 28 Oct 2025 21:41:06 -0400
Subject: [PATCH 342/383] Update the color used for the `python` label
This updates the existing color, which was pulled from the Python logo, to the color used in the Python website's CSS for the "Python" item in the site's top menu.
---
 .github/labels.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 650ed7c..1a8399b 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -62,7 +62,7 @@
 - color: 02a8ef
 description: Pull requests that update Packer code
 name: packer
-- color: 3772a4
+- color: 3776ab
 description: Pull requests that update Python code
 name: python
 - color: ef476c
From 15771ca992f125f5e4c9516e7645b7b79908cad2 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 03:29:59 -0400
Subject: [PATCH 343/383] Update the color used for the `javascript` label
This reflects the value defined by JSConf and used in their unofficially official logo for JS.
---
 .github/labels.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 1a8399b..3801ada 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -47,7 +47,7 @@
 - color: fef2c0
 description: This issue or pull request is not applicable, incorrect, or obsolete
 name: invalid
-- color: f1d642
+- color: f0db4f
 description: Pull requests that update JavaScript code
 name: javascript
 - color: ce099a
From a7eeb15808fccae45d6010641192f341f7013f50 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 03:40:49 -0400
Subject: [PATCH 344/383] Update the color used for the `typescript` label
This reflects the color of the logo from the TypeScript branding page at https://www.typescriptlang.org/branding/.
---
 .github/labels.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 3801ada..6f63095 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -77,7 +77,7 @@
 - color: 00008b
 description: This issue or pull request adds or otherwise modifies test code
 name: test
-- color: 2b6ebf
+- color: 2678c5
 description: Pull requests that update TypeScript code
 name: typescript
 - color: 1d76db
From fb7a73609e7d45eae2d566a39368a5ad5ea3ddb4 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 03:51:12 -0400
Subject: [PATCH 345/383] Update the color used for the `ansible` label
This mirrors the value used as a background for the mango Ansible community mark logo found in the ansible/logos repository.
---
 .github/labels.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 6f63095..4862f3c 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -2,7 +2,7 @@
 # Rather than breaking up descriptions into multiline strings we disable that
 # specific rule in yamllint for this file.
 # yamllint disable rule:line-length
-- color: f15a53
+- color: ff5850
 description: Pull requests that update Ansible code
 name: ansible
 - color: eb6420
From 55031516e97274377694f2974d210054444c406b Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 03:59:50 -0400
Subject: [PATCH 346/383] Update the color used for the `docker` label
This is the "Moby Blue" primary color as defined in the Docker brand guidelines color section found at https://www.docker.com/company/newsroom/media-resources/.
---
 .github/labels.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 4862f3c..a539e6e 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -20,7 +20,7 @@
 - color: 0366d6
 description: Pull requests that update a dependency file
 name: dependencies
-- color: 2497ed
+- color: 1d63ed
 description: Pull requests that update Docker code
 name: docker
 - color: 5319e7
From dc0d9a0be70aab4c4f47f884ec649ac4fb086fff Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 05:21:25 -0400
Subject: [PATCH 347/383] Add a label and auto-label configuration for shell scripts
Since we use shell scripts throughout our projects it makes sense to have a dedicated label.
---
 .github/labeler.yml | 7 +++++++
 .github/labels.yml | 3 +++
 2 files changed, 10 insertions(+)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index a4e2186..5ccd8fe 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -44,6 +44,13 @@ python:
 - changed-files:
 - any-glob-to-any-file:
 - "**/*.py"
+shell script:
+ - changed-files:
+ - any-glob-to-any-file:
+ # Add any shell scripts that do not end in the ".sh" extension.
+ - "**/*.sh"
+ - bump-version
+ - setup-env
 terraform:
 - changed-files:
 - any-glob-to-any-file:
diff --git a/.github/labels.yml b/.github/labels.yml
index 650ed7c..aa77db7 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -71,6 +71,9 @@
 - color: d73a4a
 description: This issue or pull request addresses a security issue
 name: security
+- color: 4eaa25
+ description: Pull requests that update shell scripts
+ name: shell script
 - color: 7b42bc
 description: Pull requests that update Terraform code
 name: terraform
From 586af7c89d29858b80f9abc150204858e281b4b3 Mon Sep 17 00:00:00 2001
From: Shane Frasier
Date: Wed, 29 Oct 2025 08:52:57 -0400
Subject: [PATCH 348/383] Remove needless blank line
---
 README.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/README.md b/README.md
index 4034ce6..22134a3 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
 # skeleton-generic #
 [![GitHub Build Status](https://github.com/cisagov/skeleton-generic/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-generic/actions)
-
 [![License](https://img.shields.io/github/license/cisagov/skeleton-generic
 )](https://spdx.org/licenses/)
From 8b5f6d215931b0252a33f92899e75aea082b9f70 Mon Sep 17 00:00:00 2001
From: Nick <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 13:28:50 -0400
Subject: [PATCH 349/383] Improve a labeler configuration's explanatory comment
Co-authored-by: dav3r
---
 .github/labeler.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index 5ccd8fe..05478bd 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -47,7 +47,8 @@ python:
 shell script:
 - changed-files:
 - any-glob-to-any-file:
- # Add any shell scripts that do not end in the ".sh" extension.
+ # If this project has any shell scripts that do not end in the ".sh"
+ # extension, add them below.
 - "**/*.sh"
 - bump-version
 - setup-env
From 8a10d11f98e14fe99d27ef6b7f443247bd204203 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 28 Oct 2025 14:51:01 -0400
Subject: [PATCH 350/383] Add pyproject.toml as a trigger for the test label
This is because this file now contains configurations for test tools. Also remove test tool config files that no longer exist.
---
 .github/labeler.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index bfce97d..5ba6c2a 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -56,10 +56,9 @@ test:
 - .ansible-lint
 - .bandit.yml
 - .flake8
- - .isort.cfg
 - .mdl_config.yaml
 - .yamllint
- - pytest.ini
+ - pyproject.toml
 - tests/**
 typescript:
 - changed-files:
From 60d3f117203387b8cec2c470774f3180beec4585 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 28 Oct 2025 15:05:45 -0400
Subject: [PATCH 351/383] Add a few helpful comments
These may be of use to folks who are editing pyproject.toml for a descendant of this skeleton repository.
---
 pyproject.toml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pyproject.toml b/pyproject.toml
index e03e669..9c8d707 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -9,6 +9,7 @@ requires = ["hatchling"]
 authors = [
 { name = "Cybersecurity and Infrastructure Security Agency", email = "github@cisa.dhs.gov" }
 ]
+# See https://pypi.python.org/pypi?%3Aaction=list_classifiers
 classifiers = [
 # How mature is this project? Common values are
 # 3 - Alpha
@@ -66,11 +67,13 @@ test = [
 example = "example.example:main"
 [project.urls]
+# Landing page for CISA's cybersecurity mission
 Mission = "https://www.cisa.gov/cybersecurity"
 Source = "https://github.com/cisagov/skeleton-python-library"
 Tracker = "https://github.com/cisagov/skeleton-python-library/issues"
 [tool.hatch.version]
+# Versions should comply with PEP440
 path = "src/example/_version.py"
 [tool.pytest.ini_options]
From 3b8d5fcc036bfd470be60d46a51d17b20d6dbcd5 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 28 Oct 2025 15:37:47 -0400
Subject: [PATCH 352/383] Add a few more classifiers
---
 pyproject.toml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pyproject.toml b/pyproject.toml
index 9c8d707..c83342c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -16,10 +16,13 @@ classifiers = [
 # 4 - Beta
 # 5 - Production/Stable
 "Development Status :: 3 - Alpha",
+ "Environment :: Console",
 # Indicate who your project is intended for
 "Intended Audience :: Developers",
 # Pick your license as you wish (should match "license" above)
 "License :: CC0 1.0 Universal (CC0 1.0) Public Domain Dedication",
+ "Natural Language :: English",
+ "Operating System :: OS Independent",
 # Specify the Python versions you support here. In particular, ensure
 # that you indicate whether you support Python 2, Python 3 or both.
 "Programming Language :: Python :: 3",
From 8cb395a8ca4cc3ba96ecbd3c4f02c2f056281fe0 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 12:47:23 -0500
Subject: [PATCH 353/383] Correct license SPDX expression
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index c83342c..13a3955 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -42,7 +42,7 @@ dependencies = [
 description = "Example Python library"
 dynamic = ["version"]
 keywords = ["skeleton"]
-license = " CC-BY-1.0"
+license = "CC0-1.0"
 name = "example"
 readme = "README.md"
 requires-python = ">=3.9"
From ad708bd9fad93d23f837f71d975ddee4060a4aec Mon Sep 17 00:00:00 2001
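Review bot: With `license = "CC0-1.0"` now a valid SPDX expression, the `"License :: CC0 1.0 Universal (CC0 1.0) Public Domain Dedication"` classifier that remains earlier in the `classifiers` list (outside this hunk) duplicates it; PEP 639 deprecates `License ::` classifiers once a license expression is declared, and build backends that implement it may warn about, or reject, the combination. Consider dropping that classifier together with its `# Pick your license as you wish (should match "license" above)` comment so the metadata has a single source of truth for the licence.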
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:21:25 -0500
Subject: [PATCH 354/383] Rename .flake8 to pyproject.toml and update syntax
We can configure all our Python tooling in a single pyproject.toml file. Note that using pyproject.toml to configure flake8 requires the addition of the flake8-pyproject Python library.
---
 .flake8 => pyproject.toml | 6 +++---
 requirements-test.txt | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)
 rename .flake8 => pyproject.toml (92%)
diff --git a/.flake8 b/pyproject.toml
similarity index 92%
rename from .flake8
rename to pyproject.toml
index 92ff826..574223c 100644
--- a/.flake8
+++ b/pyproject.toml
@@ -1,4 +1,4 @@
-[flake8]
+[tool.flake8]
 max-line-length = 80
 # Select (turn on)
 # * Complexity violations reported by mccabe (C) -
@@ -13,7 +13,7 @@ max-line-length = 80
 # https://github.com/PyCQA/flake8-bugbear#list-of-warnings
 # * The B950 flake8-bugbear opinionated warning -
 # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings
-select = C,D,E,F,W,B,B950
+select = ["C", "D", "E", "F", "W", "B", "B950"]
 # Ignore flake8's default warning about maximum line length, which has
 # a hard stop at the configured value. Instead we use
 # flake8-bugbear's B950, which allows up to 10% overage.
@@ -22,4 +22,4 @@ select = C,D,E,F,W,B,B950
 # operators. It no longer agrees with PEP8. See, for example, here:
 # https://github.com/ambv/black/issues/21. Guido agrees here:
 # https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b.
-ignore = E501,W503
+extend-ignore = ["E501", "W503"]
diff --git a/requirements-test.txt b/requirements-test.txt
index 66f74db..3fd2ff1 100644
--- a/requirements-test.txt
+++ b/requirements-test.txt
@@ -1,2 +1,3 @@
 --requirement requirements.txt
+flake8-pyproject
 pre-commit
From 2a3bb8b44d9597078b1add4c6b649edf45955e91 Mon Sep 17 00:00:00 2001
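Review bot: `extend-ignore = ["E501", "W503"]` in the last hunk is not a syntax-only translation of the removed `ignore = E501,W503`: `ignore` replaces flake8's built-in default ignore list, whereas `extend-ignore` appends to it, so after this change the defaults (E121, E123, E126, E226, E24, E704, W504) are also silently suppressed, and the commit message does not mention that the lint surface shrinks. If the previous behaviour is intended, keep the replacing form, `ignore = ["E501", "W503"]`; if the wider default set is deliberate, state it in the `# Ignore flake8's default warning ...` comment so descendants of the skeleton do not re-tighten it by accident.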
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:25:57 -0500
Subject: [PATCH 355/383] Add flake8-p
yproject as an additional dependency of the flake8 pre-commit hook
This will ensure that, even when run as a pre-commit hook, flake8 reads its configuration from the pyproject.toml file.
---
 .pre-commit-config.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bc76d85..2193233 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -144,6 +144,9 @@ repos:
 - id: flake8
 additional_dependencies:
 - flake8-docstrings==1.7.0
+ # This is necessary to read the flake8 configuration from
+ # the pyproject.toml file.
+ - flake8-pyproject
 - repo: https://github.com/PyCQA/isort
 rev: 6.0.1
 hooks:
From a70cf3c5a12b8dcd116867484ca76eed3e2b1c7c Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:32:02 -0500
Subject: [PATCH 356/383] Move isort config to pyproject.toml file
---
 .isort.cfg | 10 ----------
 pyproject.toml | 12 ++++++++++++
 2 files changed, 12 insertions(+), 10 deletions(-)
 delete mode 100644 .isort.cfg
diff --git a/.isort.cfg b/.isort.cfg
deleted file mode 100644
index 46d45f3..0000000
--- a/.isort.cfg
+++ /dev/null
@@ -1,10 +0,0 @@
-[settings]
-combine_star=true
-force_sort_within_sections=true
-
-import_heading_stdlib=Standard Python Libraries
-import_heading_thirdparty=Third-Party Libraries
-import_heading_firstparty=cisagov Libraries
-
-# Run isort under the black profile to align with our other Python linting
-profile=black
diff --git a/pyproject.toml b/pyproject.toml
index 574223c..eec000b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
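Review bot: `- flake8-pyproject` is added to `additional_dependencies` without a version while the neighbouring `- flake8-docstrings==1.7.0` is pinned, so the hook environment is no longer reproducible and any newly published release of that package is installed on the next `pre-commit` run without review. Pin it the same way, `- flake8-pyproject==<pinned-version>`, and let the existing update tooling bump it. The unpinned `flake8-pyproject` line added to requirements-test.txt in PATCH 354 has the same issue.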
@@ -23,3 +23,15 @@ select = ["C", "D", "E", "F", "W", "B", "B950"] # https://github.com/ambv/black/issues/21. Guido agrees here: # https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b. extend-ignore = ["E501", "W503"] + +[tool.isort] +combine_star = true +force_sort_within_sections = true + +import_heading_stdlib = "Standard Python Libraries" +import_heading_thirdparty = "Third-Party Libraries" +import_heading_firstparty = "cisagov Libraries" + +# Run isort under the black profile to align with our other Python +# linting +profile = "black" From c1861e6027848854dc975180e1e44b18cee73367 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 6 Nov 2025 16:38:38 -0500 Subject: [PATCH 357/383] Add pyproject.toml as a trigger for the test label Also remove .flake8 and .isort.cfg as triggers for the same label. --- .github/labeler.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index a4e2186..d6c77d0 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -54,10 +54,9 @@ test: # Add any test-related files or paths. - .ansible-lint - .bandit.yml - - .flake8 - - .isort.cfg - .mdl_config.yaml - .yamllint + - pyproject.toml typescript: - changed-files: - any-glob-to-any-file: From da7213e4f1c25bedcd52ec4267a494e85102a106 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 6 Nov 2025 16:53:10 -0500 Subject: [PATCH 358/383] Move contents of .bandit.yml to CLI option in .pre-commit-config.yaml This gets rid of the .bandit.yml file that was being used only against the test code. --- .bandit.yml | 14 -------------- .github/labeler.yml | 1 - .pre-commit-config.yaml | 4 +++- 3 files changed, 3 insertions(+), 16 deletions(-) delete mode 100644 .bandit.yml diff --git a/.bandit.yml b/.bandit.yml deleted file mode 100644 index 3215b91..0000000 --- a/.bandit.yml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -# Configuration file for the Bandit python security scanner -# https://bandit.readthedocs.io/en/latest/config.html -# This config is applied to bandit when scanning the "tests" tree - -# Tests are first included by `tests`, and then excluded by `skips`. -# If `tests` is empty, all tests are considered included. - -tests: -# - B101 -# - B102 - -skips: - - B101 # skip "assert used" check since assertions are required in pytests diff --git a/.github/labeler.yml b/.github/labeler.yml index 5ba6c2a..e43a370 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -54,7 +54,6 @@ test: - any-glob-to-any-file: # Add any test-related files or paths. - .ansible-lint - - .bandit.yml - .flake8 - .mdl_config.yaml - .yamllint diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index df67df9..5972e8b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -136,7 +136,9 @@ repos: name: bandit (tests tree) files: tests args: - - --config=.bandit.yml + # Skip "assert used" check since assertions are used + # frequently in pytests. + - --skip=B101 # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit rev: 1.8.6 From 22c6f4019add36d3b9ff3e830f0f018be5aeedd2 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 6 Nov 2025 16:40:19 -0500 Subject: [PATCH 359/383] Remove the .bandit.yml file This file was doing nothing due to its contents. --- .bandit.yml | 13 ------------- .github/labeler.yml | 1 - .pre-commit-config.yaml | 2 -- 3 files changed, 16 deletions(-) delete mode 100644 .bandit.yml diff --git a/.bandit.yml b/.bandit.yml deleted file mode 100644 index ab3cb21..0000000 --- a/.bandit.yml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -# Configuration file for the Bandit python security scanner -# https://bandit.readthedocs.io/en/latest/config.html - -# Tests are first included by `tests`, and then excluded by `skips`. -# If `tests` is empty, all tests are considered included. - -tests: -# - B101 -# - B102 - -skips: -# - B101 # skip "assert used" check since assertions are required in pytests diff --git a/.github/labeler.yml b/.github/labeler.yml index d6c77d0..914ddd1 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -53,7 +53,6 @@ test: - any-glob-to-any-file: # Add any test-related files or paths. - .ansible-lint - - .bandit.yml - .mdl_config.yaml - .yamllint - pyproject.toml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2193233..e2e557e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -132,8 +132,6 @@ repos: rev: 1.8.6 hooks: - id: bandit - args: - - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror rev: 25.1.0 hooks: From 15cb60196e1a5d71c6039ec2081acbe80d4c37a0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 6 Nov 2025 16:48:16 -0500 Subject: [PATCH 360/383] Pin the flake8-pyproject dependency in the pre-commit configuration The flake8-docstrings dependency is pinned, so this one should be too. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e2e557e..a8c71b5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -144,7 +144,7 @@ repos: - flake8-docstrings==1.7.0 # This is necessary to read the flake8 configuration from # the pyproject.toml file. - - flake8-pyproject + - flake8-pyproject==1.2.3 - repo: https://github.com/PyCQA/isort rev: 6.0.1 hooks: From bc6bf8c2d3b47d56d189ece182cb0389e3b96358 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Fri, 7 Nov 2025 13:31:17 -0500 Subject: [PATCH 361/383] Remove flake8-pyproject dependency from requirements-test.txt flake8 itself isn't installed here, so this dependency shouldn't be either. This jibes with the fact that we don't install flake8-docstrings (another dependency of the flake8 pre-commit hook) into the virtual environment either. --- requirements-test.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/requirements-test.txt b/requirements-test.txt index 3fd2ff1..66f74db 100644 --- a/requirements-test.txt +++ b/requirements-test.txt @@ -1,3 +1,2 @@ --requirement requirements.txt -flake8-pyproject pre-commit From 7b9de90b118f108a896ff6840e72c4c00b2676f0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 10 Nov 2025 09:55:03 -0500 Subject: [PATCH 362/383] Remove deprecated license classifier See here for more details: https://packaging.python.org/en/latest/specifications/pyproject-toml/#classifiers --- pyproject.toml | 2 -- 1 file changed, 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 13a3955..eba5f59 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -19,8 +19,6 @@ classifiers = [ "Environment :: Console", # Indicate who your project is intended for "Intended Audience :: Developers", - # Pick your license as you wish (should match "license" above) - "License :: CC0 1.0 Universal (CC0 1.0) Public Domain Dedication", "Natural Language :: English", "Operating System :: OS Independent", # Specify the Python versions you support here. In particular, ensure From 13abf00d5970dd4ca175d31340ccade4ea55a58a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 10 Nov 2025 09:57:42 -0500 Subject: [PATCH 363/383] Use well-known labels for project URL keys See here for more details: https://packaging.python.org/en/latest/specifications/well-known-project-urls/#well-known-labels --- pyproject.toml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/pyproject.toml b/pyproject.toml index eba5f59..370ba01 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -68,10 +68,11 @@ test = [ example = "example.example:main" [project.urls] +homepage = "https://github.com/cisagov/skeleton-python-library" +issues = "https://github.com/cisagov/skeleton-python-library/issues" # Landing page for CISA's cybersecurity mission -Mission = "https://www.cisa.gov/cybersecurity" -Source = "https://github.com/cisagov/skeleton-python-library" -Tracker = "https://github.com/cisagov/skeleton-python-library/issues" +mission = "https://www.cisa.gov/cybersecurity" +source = "https://github.com/cisagov/skeleton-python-library" [tool.hatch.version] # Versions should comply with PEP440 From 461f87203d6c74da55f5fba2a4e876cb6cef93d2 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 10 Nov 2025 14:07:17 -0500 Subject: [PATCH 364/383] Switch to using the setuptools build backend The setuptools build backend: - Supports native extensions, in contrast with the hatchling build backend - Is the most commonly used build backend among projects on PyPI - Is an officially supported build backend from Python, in contrast with the hatchling build backend --- pyproject.toml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 370ba01..5f4e575 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,9 +1,9 @@ # For more information about configuring project metadata for the -# hatch build backend, please see -# https://hatch.pypa.io/latest/config/metadata/ +# setuptools build backend, please see +# https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html [build-system] -build-backend = "hatchling.build" -requires = ["hatchling"] +build-backend = "setuptools.build_meta" +requires = ["setuptools"] [project] authors = [ 
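Review bot: `requires = ["setuptools"]` in the `[build-system]` hunk carries no lower bound, yet the `[project]` table this backend now has to validate uses the string form `license = "CC0-1.0"` (visible as context in the next hunk), which is PEP 639 syntax that only recent setuptools releases understand (the 77.x series onward, if memory serves; older releases expect a `{file = ...}`/`{text = ...}` table and reject the string at metadata validation). An isolated build will normally resolve the newest setuptools, but a pinned, cached or distro-supplied build environment will fail with a validation error that does not point back to this line. Declaring the floor, `requires = ["setuptools>=77"]`, documents the requirement and turns that failure into a clear resolver error instead; hatchling needed no such note because it accepted the string form already.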
@@ -38,11 +38,10 @@ dependencies = [ "schema", ] description = "Example Python library" -dynamic = ["version"] +dynamic = ["readme", "version"] keywords = ["skeleton"] license = "CC0-1.0" name = "example" -readme = "README.md" requires-python = ">=3.9" [project.optional-dependencies] @@ -74,12 +73,12 @@ issues = "https://github.com/cisagov/skeleton-python-library/issues" mission = "https://www.cisa.gov/cybersecurity" source = "https://github.com/cisagov/skeleton-python-library" -[tool.hatch.version] -# Versions should comply with PEP440 -path = "src/example/_version.py" - [tool.pytest.ini_options] # Increase verbosity, display extra test summary info for tests that # did not pass, display code coverage results, and enable debug # logging. addopts = "--verbose -ra --cov --log-cli-level=DEBUG" + +[tool.setuptools.dynamic] +readme = {file = ["README.md"], content-type = "text/markdown"} +version = {attr = "example._version.__version__"} From da6d6a2c4fad5a3c75da626585fd654796991a0a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 10 Nov 2025 14:27:04 -0500 Subject: [PATCH 365/383] Add package-data This ensures that the data file(s) are incorporated into the wheels that are built. --- pyproject.toml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pyproject.toml b/pyproject.toml index 5f4e575..cadd7da 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -82,3 +82,6 @@ addopts = "--verbose -ra --cov --log-cli-level=DEBUG" [tool.setuptools.dynamic] readme = {file = ["README.md"], content-type = "text/markdown"} version = {attr = "example._version.__version__"} + +[tool.setuptools.package-data] +example = ["data/*.txt"] From a4a51676833ec0a19ea285a65396e62e3bb07e1f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 10 Nov 2025 14:29:57 -0500 Subject: [PATCH 366/383] Add build dir to .gitignore This directory can be created by `pip install .`. --- .gitignore | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.gitignore b/.gitignore index 242b4aa..579601b 100644 --- a/.gitignore +++ b/.gitignore @@ -9,4 +9,5 @@ __pycache__ .pytest_cache .python-version *.egg-info +build dist From c7c0c0ad2acaff7d34c19fe54929f0291fc226a6 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 17 Nov 2025 10:27:14 -0500 Subject: [PATCH 367/383] Upgrade pre-commit hooks via pre-commit autoupdate --- .pre-commit-config.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index bc76d85..316366f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -63,20 +63,20 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.33.3 + rev: 0.35.0 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.3.0 + rev: v4.4.0 hooks: - id: validate_manifest # Go hooks - repo: https://github.com/TekWizely/pre-commit-golang - rev: v1.0.0-rc.2 + rev: v1.0.0-rc.4 hooks: # Go Build - id: go-build-repo-mod @@ -129,13 +129,13 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.8.6 + rev: 1.9.0 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 25.1.0 + rev: 25.11.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 @@ -145,11 +145,11 @@ repos: additional_dependencies: - flake8-docstrings==1.7.0 - repo: https://github.com/PyCQA/isort - rev: 6.0.1 + rev: 7.0.0 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.18.1 + rev: v1.18.2 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit 
@@ -165,13 +165,13 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.20.0 + rev: v3.21.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v25.9.0 + rev: v25.11.0 hooks: - id: ansible-lint additional_dependencies: @@ -215,7 +215,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.100.0 + rev: v1.103.0 hooks: - id: terraform_fmt - id: terraform_validate From 2d88e72d0f403e64d43d8d1c240ad561475dce51 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 17 Jul 2025 12:50:32 -0400 Subject: [PATCH 368/383] Add a CodeQL badge to the README We added a CodeQL configuration in #202 but did not add a badge. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 22134a3..33fc585 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,7 @@ [![GitHub Build Status](https://github.com/cisagov/skeleton-generic/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-generic/actions) [![License](https://img.shields.io/github/license/cisagov/skeleton-generic )](https://spdx.org/licenses/) +[![CodeQL](https://github.com/cisagov/skeleton-generic/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-generic/actions/workflows/codeql-analysis.yml) This is a generic skeleton project that can be used to quickly get a new [cisagov](https://github.com/cisagov) GitHub project started. From 2759cc5e4110bb170f5a2661b93b7b634265bb89 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 17 Nov 2025 22:16:49 -0500 Subject: [PATCH 369/383] Update Bandit pre-commit hook The 1.9.0 release of Bandit was flawed due to a failure of the GHA workflows that publish to PyPI and Test PyPI. The 1.9.1 release resolved the issue. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f3570eb..93493c9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -129,7 +129,7 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.9.0 + rev: 1.9.1 hooks: - id: bandit - repo: https://github.com/psf/black-pre-commit-mirror From 12101f04dca8475fd566b6ba40322fec219d0e64 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Tue, 18 Nov 2025 14:35:18 -0500 Subject: [PATCH 370/383] Revert "Move all Python tool configs to `pyproject.toml`" --- .bandit.yml | 13 +++++++++++++ pyproject.toml => .flake8 | 18 +++--------------- .github/labeler.yml | 4 +++- .isort.cfg | 10 ++++++++++ .pre-commit-config.yaml | 5 ++--- 5 files changed, 31 insertions(+), 19 deletions(-) create mode 100644 .bandit.yml rename pyproject.toml => .flake8 (75%) create mode 100644 .isort.cfg diff --git a/.bandit.yml b/.bandit.yml new file mode 100644 index 0000000..ab3cb21 --- /dev/null +++ b/.bandit.yml @@ -0,0 +1,13 @@ +--- +# Configuration file for the Bandit python security scanner +# https://bandit.readthedocs.io/en/latest/config.html + +# Tests are first included by `tests`, and then excluded by `skips`. +# If `tests` is empty, all tests are considered included. + +tests: +# - B101 +# - B102 + +skips: +# - B101 # skip "assert used" check since assertions are required in pytests diff --git a/pyproject.toml b/.flake8 similarity index 75% rename from pyproject.toml rename to .flake8 index eec000b..92ff826 100644 --- a/pyproject.toml +++ b/.flake8 @@ -1,4 +1,4 @@ -[tool.flake8] +[flake8] max-line-length = 80 # Select (turn on) # * Complexity violations reported by mccabe (C) - 
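Review bot: The re-created `.bandit.yml` configures nothing as written: `tests:` and `skips:` are bare keys whose only children are comments, so both parse as YAML null and bandit falls back to its defaults, which is exactly what the reverted "Remove the .bandit.yml file" commit observed. The pre-commit hunk of this same revert puts `args: - --config=.bandit.yml` back on the bandit hook, so the config argument is restored without any effect. If the intent is to keep the B101 (assert-used) exception for pytest code, the `- B101` entry under `skips:` needs to be uncommented and the hook scoped to the tests tree, as PATCH 358's `bandit (tests tree)` hook with `--skip=B101` did; otherwise drop the file and the `--config` argument together rather than carry an empty config that readers will assume is doing something.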
@@ -13,7 +13,7 @@ max-line-length = 80 # https://github.com/PyCQA/flake8-bugbear#list-of-warnings # * The B950 flake8-bugbear opinionated warning - # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings -select = ["C", "D", "E", "F", "W", "B", "B950"] +select = C,D,E,F,W,B,B950 # Ignore flake8's default warning about maximum line length, which has # a hard stop at the configured value. Instead we use # flake8-bugbear's B950, which allows up to 10% overage. @@ -22,16 +22,4 @@ select = ["C", "D", "E", "F", "W", "B", "B950"] # operators. It no longer agrees with PEP8. See, for example, here: # https://github.com/ambv/black/issues/21. Guido agrees here: # https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b. -extend-ignore = ["E501", "W503"] - -[tool.isort] -combine_star = true -force_sort_within_sections = true - -import_heading_stdlib = "Standard Python Libraries" -import_heading_thirdparty = "Third-Party Libraries" -import_heading_firstparty = "cisagov Libraries" - -# Run isort under the black profile to align with our other Python -# linting -profile = "black" +ignore = E501,W503 diff --git a/.github/labeler.yml b/.github/labeler.yml index ff74248..05478bd 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -61,9 +61,11 @@ test: - any-glob-to-any-file: # Add any test-related files or paths. - .ansible-lint + - .bandit.yml + - .flake8 + - .isort.cfg - .mdl_config.yaml - .yamllint - - pyproject.toml typescript: - changed-files: - any-glob-to-any-file: diff --git a/.isort.cfg b/.isort.cfg new file mode 100644 index 0000000..46d45f3 --- /dev/null +++ b/.isort.cfg @@ -0,0 +1,10 @@ +[settings] +combine_star=true +force_sort_within_sections=true + +import_heading_stdlib=Standard Python Libraries +import_heading_thirdparty=Third-Party Libraries +import_heading_firstparty=cisagov Libraries + +# Run isort under the black profile to align with our other Python linting +profile=black 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 93493c9..471cdc3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -132,6 +132,8 @@ repos: rev: 1.9.1 hooks: - id: bandit + args: + - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror rev: 25.11.0 hooks: @@ -142,9 +144,6 @@ repos: - id: flake8 additional_dependencies: - flake8-docstrings==1.7.0 - # This is necessary to read the flake8 configuration from - # the pyproject.toml file. - - flake8-pyproject==1.2.3 - repo: https://github.com/PyCQA/isort rev: 7.0.0 hooks: From b598b704d44dee9045ca7ae8e3c83ff02c8f329a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 18 Nov 2025 14:45:57 -0500 Subject: [PATCH 371/383] Move flake8 configuration to pyproject.toml Note that using pyproject.toml to configure flake8 requires the addition of the flake8-pyproject Python library. --- .flake8 | 25 ------------------------- .pre-commit-config.yaml | 3 +++ pyproject.toml | 26 ++++++++++++++++++++++++++ 3 files changed, 29 insertions(+), 25 deletions(-) delete mode 100644 .flake8 diff --git a/.flake8 b/.flake8 deleted file mode 100644 index 92ff826..0000000 --- a/.flake8 +++ /dev/null 
@@ -1,25 +0,0 @@ -[flake8] -max-line-length = 80 -# Select (turn on) -# * Complexity violations reported by mccabe (C) - -# http://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes -# * Documentation conventions compliance reported by pydocstyle (D) - -# http://www.pydocstyle.org/en/stable/error_codes.html -# * Default errors and warnings reported by pycodestyle (E and W) - -# https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes -# * Default errors reported by pyflakes (F) - -# http://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes -# * Default warnings reported by flake8-bugbear (B) - -# https://github.com/PyCQA/flake8-bugbear#list-of-warnings -# * The B950 flake8-bugbear opinionated warning - -# https://github.com/PyCQA/flake8-bugbear#opinionated-warnings -select = C,D,E,F,W,B,B950 -# Ignore flake8's default warning about maximum line length, which has -# a hard stop at the configured value. Instead we use -# flake8-bugbear's B950, which allows up to 10% overage. -# -# Also ignore flake8's warning about line breaks before binary -# operators. It no longer agrees with PEP8. See, for example, here: -# https://github.com/ambv/black/issues/21. Guido agrees here: -# https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b. -ignore = E501,W503 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5972e8b..fe35bfb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -156,6 +156,9 @@ repos: - id: flake8 additional_dependencies: - flake8-docstrings==1.7.0 + # This is necessary to read the flake8 configuration from + # the pyproject.toml file. + - flake8-pyproject==1.2.3 - repo: https://github.com/PyCQA/isort rev: 6.0.1 hooks: diff --git a/pyproject.toml b/pyproject.toml index cadd7da..7d3880b 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -73,6 +73,32 @@ issues = "https://github.com/cisagov/skeleton-python-library/issues" mission = "https://www.cisa.gov/cybersecurity" source = "https://github.com/cisagov/skeleton-python-library" +[tool.flake8] +max-line-length = 80 +# Select (turn on) +# * Complexity violations reported by mccabe (C) - +# http://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes +# * Documentation conventions compliance reported by pydocstyle (D) - +# http://www.pydocstyle.org/en/stable/error_codes.html +# * Default errors and warnings reported by pycodestyle (E and W) - +# https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes +# * Default errors reported by pyflakes (F) - +# http://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes +# * Default warnings reported by flake8-bugbear (B) - +# https://github.com/PyCQA/flake8-bugbear#list-of-warnings +# * The B950 flake8-bugbear opinionated warning - +# https://github.com/PyCQA/flake8-bugbear#opinionated-warnings +select = ["C", "D", "E", "F", "W", "B", "B950"] +# Ignore flake8's default warning about maximum line length, which has +# a hard stop at the configured value. Instead we use +# flake8-bugbear's B950, which allows up to 10% overage. +# +# Also ignore flake8's warning about line breaks before binary +# operators. It no longer agrees with PEP8. See, for example, here: +# https://github.com/ambv/black/issues/21. Guido agrees here: +# https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b. +extend-ignore = ["E501", "W503"] + [tool.pytest.ini_options] # Increase verbosity, display extra test summary info for tests that # did not pass, display code coverage results, and enable debug From 077d3a241274f96ead02efe570735756d3a916ef Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Tue, 18 Nov 2025 14:55:25 -0500 Subject: [PATCH 372/383] Move isort config to pyproject.toml file --- .isort.cfg | 10 ---------- pyproject.toml | 12 ++++++++++++ 2 files changed, 12 insertions(+), 10 deletions(-) delete mode 100644 .isort.cfg diff --git a/.isort.cfg b/.isort.cfg deleted file mode 100644 index 46d45f3..0000000 --- a/.isort.cfg +++ /dev/null @@ -1,10 +0,0 @@ -[settings] -combine_star=true -force_sort_within_sections=true - -import_heading_stdlib=Standard Python Libraries -import_heading_thirdparty=Third-Party Libraries -import_heading_firstparty=cisagov Libraries - -# Run isort under the black profile to align with our other Python linting -profile=black diff --git a/pyproject.toml b/pyproject.toml index 7d3880b..bbd6892 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -99,6 +99,18 @@ select = ["C", "D", "E", "F", "W", "B", "B950"] # https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b. extend-ignore = ["E501", "W503"] +[tool.isort] +combine_star = true +force_sort_within_sections = true + +import_heading_stdlib = "Standard Python Libraries" +import_heading_thirdparty = "Third-Party Libraries" +import_heading_firstparty = "cisagov Libraries" + +# Run isort under the black profile to align with our other Python +# linting +profile = "black" + [tool.pytest.ini_options] # Increase verbosity, display extra test summary info for tests that # did not pass, display code coverage results, and enable debug From 447db4b76792f737d19398d87e1a099f5118d9d6 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 18 Nov 2025 15:27:53 -0500 Subject: [PATCH 373/383] Remove .flake8 as a trigger for the test label --- .github/labeler.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index e43a370..7ba9520 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -54,7 +54,6 @@ test: - any-glob-to-any-file: # Add any test-related files or paths. - .ansible-lint - - .flake8 - .mdl_config.yaml - .yamllint - pyproject.toml From 5090de1d6491650324ceefad06ffb06c0be89113 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 19 Nov 2025 11:11:27 -0500 Subject: [PATCH 374/383] Keep two Bandit blocks in sync wrt version --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 044047d..14d0e20 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -139,7 +139,7 @@ repos: - --config=.bandit.yml # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit - rev: 1.8.6 + rev: 1.9.1 hooks: - id: bandit name: bandit (everything else) From 0b0f62ff037e7ee3f0245a8ae5cceac85493ccd3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 20 Nov 2025 14:03:25 +0000 Subject: [PATCH 375/383] Bump actions/upload-artifact from 4 to 5 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 79dcaf3..315a73e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -406,7 +406,7 @@ jobs: - name: Build artifacts run: python -m build - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v5 with: name: dist-${{ matrix.python-version }} path: dist 
From 6ffe32396035dd7339e07e7dc2f2319c0d550f84 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 28 Oct 2025 16:05:18 -0400 Subject: [PATCH 376/383] Add a code style badge --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 67a35ac..6872211 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,9 @@ [![CodeQL](https://github.com/cisagov/skeleton-python-library/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions/workflows/codeql-analysis.yml) [![Coverage Status](https://coveralls.io/repos/github/cisagov/skeleton-python-library/badge.svg?branch=develop)](https://coveralls.io/github/cisagov/skeleton-python-library?branch=develop) +[![Code Style](https://img.shields.io/badge/Code%20Style-Black-black +)](https://github.com/psf/black) + This is a generic skeleton project that can be used to quickly get a new [cisagov](https://github.com/cisagov) Python library GitHub project started. This skeleton project contains [licensing From 702dab0cdf6e79e164c5b51373d85b0b4272512b Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Wed, 29 Oct 2025 08:49:33 -0400 Subject: [PATCH 377/383] Use lower case for the code style badge This agrees with what is done in the code style badge for the black project. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6872211..e58767c 100644 --- a/README.md +++ b/README.md 
@@ -4,7 +4,7 @@ [![CodeQL](https://github.com/cisagov/skeleton-python-library/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions/workflows/codeql-analysis.yml) [![Coverage Status](https://coveralls.io/repos/github/cisagov/skeleton-python-library/badge.svg?branch=develop)](https://coveralls.io/github/cisagov/skeleton-python-library?branch=develop) -[![Code Style](https://img.shields.io/badge/Code%20Style-Black-black +[![Code Style](https://img.shields.io/badge/Code%20Style-black-black )](https://github.com/psf/black) This is a generic skeleton project that can be used to quickly get a From fa5dec32964710716dff2f602770d38445274f0d Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Wed, 29 Oct 2025 08:55:31 -0400 Subject: [PATCH 378/383] Remove needless blank line --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index e58767c..94ccf63 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,6 @@ [![GitHub Build Status](https://github.com/cisagov/skeleton-python-library/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions) [![CodeQL](https://github.com/cisagov/skeleton-python-library/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions/workflows/codeql-analysis.yml) [![Coverage Status](https://coveralls.io/repos/github/cisagov/skeleton-python-library/badge.svg?branch=develop)](https://coveralls.io/github/cisagov/skeleton-python-library?branch=develop) - [![Code Style](https://img.shields.io/badge/Code%20Style-black-black )](https://github.com/psf/black) From b75e60bb65a60b5495338121102ca4f682f2c7a4 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 20 Nov 2025 09:40:55 -0500 Subject: [PATCH 379/383] Remove needless carriage return --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index df17f94..6ffe1c3 100644 --- a/README.md +++ b/README.md 
@@ -4,8 +4,7 @@ [![License](https://img.shields.io/github/license/cisagov/skeleton-python-library)](https://spdx.org/licenses/) [![CodeQL](https://github.com/cisagov/skeleton-python-library/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions/workflows/codeql-analysis.yml) [![Coverage Status](https://coveralls.io/repos/github/cisagov/skeleton-python-library/badge.svg?branch=develop)](https://coveralls.io/github/cisagov/skeleton-python-library?branch=develop) -[![Code Style](https://img.shields.io/badge/Code%20Style-black-black -)](https://github.com/psf/black) +[![Code Style](https://img.shields.io/badge/Code%20Style-black-black)](https://github.com/psf/black) This is a generic skeleton project that can be used to quickly get a new [cisagov](https://github.com/cisagov) Python library GitHub From 5b4e6e77648a3b3e0155f4be033cf022f3fa361b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 20 Nov 2025 10:50:06 -0500 Subject: [PATCH 380/383] Drop support for Python 3.9 Python 3.9 reached its EOL on October 31, 2025: https://devguide.python.org/versions/ --- .github/workflows/build.yml | 3 --- pyproject.toml | 3 +-- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 315a73e..5c4477b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -219,7 +219,6 @@ jobs: - ubuntu-latest - windows-latest python-version: - - "3.9" - "3.10" - "3.11" - "3.12" @@ -347,7 +346,6 @@ jobs: fail-fast: false matrix: python-version: - - "3.9" - "3.10" - "3.11" - "3.12" @@ -433,7 +431,6 @@ jobs: - ubuntu-latest - windows-latest python-version: - - "3.9" - "3.10" - "3.11" - "3.12" diff --git a/pyproject.toml b/pyproject.toml index bbd6892..0b89569 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -25,7 +25,6 @@ classifiers = [
 # that you indicate whether you support Python 2, Python 3 or both.
 "Programming Language :: Python :: 3",
 "Programming Language :: Python :: 3 :: Only",
-"Programming Language :: Python :: 3.9",
 "Programming Language :: Python :: 3.10",
 "Programming Language :: Python :: 3.11",
 "Programming Language :: Python :: 3.12",
@@ -42,7 +41,7 @@ dynamic = ["readme", "version"]
 keywords = ["skeleton"]
 license = "CC0-1.0"
 name = "example"
-requires-python = ">=3.9"
+requires-python = ">=3.10"
 [project.optional-dependencies]
 # IMPORTANT: Keep type hinting-related dependencies of the dev section
From a785305514c9867c381977e3aa9fa4c31a3cae7a Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 20 Nov 2025 11:19:56 -0500
Subject: [PATCH 381/383] Bump version from 0.3.0 to 1.0.0
---
 src/example/_version.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/example/_version.py b/src/example/_version.py
index 871cf76..f8d70f6 100644
--- a/src/example/_version.py
+++ b/src/example/_version.py
@@ -1,3 +1,3 @@
 """This file defines the version of this module."""
-__version__ = "0.3.0"
+__version__ = "1.0.0"
From 2d0498b0e7453a82dc5ac396bd1b13828a40ae0e Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 20 Nov 2025 11:23:16 -0500
Subject: [PATCH 382/383] Bump version from 1.0.0 to 1.0.0-rc.1
---
 src/example/_version.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/example/_version.py b/src/example/_version.py
index f8d70f6..f65a4df 100644
--- a/src/example/_version.py
+++ b/src/example/_version.py
@@ -1,3 +1,3 @@
 """This file defines the version of this module."""
-__version__ = "1.0.0"
+__version__ = "1.0.0-rc.1"
From 3d57f51af84993428d6d6246f7f4c690423d2bbe Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 20 Nov 2025 13:52:32 -0500
Subject: [PATCH 383/383] Finalize version from 1.0.0-rc.1 to 1.0.0
---
 src/example/_version.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
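Review bot: Raising `requires-python` to `">=3.10"` in the second hunk correctly makes pip refuse installation on the EOL interpreter, but nothing in this patch touches the tool-level version pins that usually mirror that floor. If the project has a `[tool.mypy] python_version`, a black `target-version`, or a pyupgrade `--py39-plus` pre-commit hook elsewhere in pyproject.toml or .pre-commit-config.yaml, those should move to 3.10 in the same change so type-checking and linting actually enforce the new minimum rather than silently accepting 3.9-only idioms. The classifier list in the first hunk is cut off after `"Programming Language :: Python :: 3.12"`, so I cannot confirm it matches the CI matrix; it is worth checking that every version tested in build.yml is also declared here so the PyPI metadata does not under- or over-state what is supported.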
diff --git a/src/example/_version.py b/src/example/_version.py
index f65a4df..f8d70f6 100644
--- a/src/example/_version.py
+++ b/src/example/_version.py
@@ -1,3 +1,3 @@
 """This file defines the version of this module."""
-__version__ = "1.0.0-rc.1"
+__version__ = "1.0.0"
