Merge pull request #55 from cisagov/lineage/skeleton

⚠️ CONFLICT! Lineage pull request for: skeleton

.bandit.yml

@@ -4,7 +4,7 @@
 # This config is applied to bandit when scanning the "tests" tree
 
 # Tests are first included by `tests`, and then excluded by `skips`.
-# If `tests` is empty, all tests are are considered included.
+# If `tests` is empty, all tests are considered included.
 
 tests:
 # - B101

.github/dependabot.yml

@@ -5,30 +5,37 @@
 # these updates when the pull request(s) in the appropriate skeleton are merged
 # and Lineage processes these changes.
 
-version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
+  - directory: /
     ignore:
       # Managed by cisagov/skeleton-generic
       - dependency-name: actions/cache
       - dependency-name: actions/checkout
       - dependency-name: actions/setup-go
       - dependency-name: actions/setup-python
+      - dependency-name: crazy-max/ghaction-dump-context
+      - dependency-name: crazy-max/ghaction-github-labeler
+      - dependency-name: crazy-max/ghaction-github-status
       - dependency-name: hashicorp/setup-terraform
       - dependency-name: mxschmitt/action-tmate
+      - dependency-name: step-security/harden-runner
       # Managed by cisagov/skeleton-python-library
       - dependency-name: actions/download-artifact
       - dependency-name: actions/upload-artifact
+      - dependency-name: github/codeql-action/analyze
+      - dependency-name: github/codeql-action/autobuild
+      - dependency-name: github/codeql-action/init
+    package-ecosystem: github-actions
+    schedule:
+      interval: weekly
 
-  - package-ecosystem: "pip"
-    directory: "/"
+  - directory: /
+    package-ecosystem: pip
     schedule:
-      interval: "weekly"
+      interval: weekly
 
-  - package-ecosystem: "terraform"
-    directory: "/"
+  - directory: /
+    package-ecosystem: terraform
     schedule:
-      interval: "weekly"
+      interval: weekly
+version: 2

.github/workflows/build.yml

@@ -14,12 +14,36 @@ env:
   RUN_TMATE: ${{ secrets.RUN_TMATE }}
 
 jobs:
+  diagnostics:
+    name: Run diagnostics
+    runs-on: ubuntu-latest
+    steps:
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - id: github-status
+        name: Check GitHub status
+        uses: crazy-max/ghaction-github-status@v3
+      - id: dump-context
+        name: Dump context
+        uses: crazy-max/ghaction-dump-context@v2
   lint:
+    needs:
+      - diagnostics
     runs-on: ubuntu-latest
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - id: setup-env
         uses: cisagov/setup-env-github-action@develop
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4
         with:
@@ -84,11 +108,26 @@ jobs:
       - uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
+      - name: Install go-critic
+        env:
+          PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
+          PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
+        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+      - name: Install gosec
+        env:
+          PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
+          PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
+        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       - name: Install shfmt
         env:
           PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
           PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
         run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+      - name: Install staticcheck
+        env:
+          PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
+          PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
+        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       - name: Install Terraform-docs
         env:
           PACKAGE_URL: github.com/terraform-docs/terraform-docs
@@ -107,23 +146,31 @@ jobs:
         if: env.RUN_TMATE
   test:
     name: test source - py${{ matrix.python-version }}
+    needs:
+      - diagnostics
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         os:
           - ubuntu-latest
         python-version:
-          - "3.7"
           - "3.8"
           - "3.9"
           - "3.10"
           - "3.11"
-        include:
-          - os: ubuntu-20.04
-            python-version: "3.6"
+          # gophish-tools cannot support Python 3.12 until the gophish
+          # Python package supports a newer version of the urllib3
+          # library.  The reason is identical to what is discussed
+          # here: https://bugzilla.mozilla.org/show_bug.cgi?id=1857492
+          # - "3.12"
     steps:
-      - uses: actions/checkout@v3
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4
         with:
@@ -165,9 +212,15 @@ jobs:
   coveralls-finish:
     runs-on: ubuntu-latest
     needs:
+      - diagnostics
       - test
     steps:
-      - uses: actions/checkout@v3
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4
         with:
@@ -201,6 +254,7 @@ jobs:
   build:
     name: build wheel - py${{ matrix.python-version }}
     needs:
+      - diagnostics
       - lint
       - test
     runs-on: ${{ matrix.os }}
@@ -210,16 +264,22 @@ jobs:
         os:
           - ubuntu-latest
         python-version:
-          - "3.7"
           - "3.8"
           - "3.9"
           - "3.10"
           - "3.11"
-        include:
-          - os: ubuntu-20.04
-            python-version: "3.6"
+          # gophish-tools cannot support Python 3.12 until the gophish
+          # Python package supports a newer version of the urllib3
+          # library.  The reason is identical to what is discussed
+          # here: https://bugzilla.mozilla.org/show_bug.cgi?id=1857492
+          # - "3.12"
     steps:
-      - uses: actions/checkout@v3
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4
         with:
@@ -255,6 +315,7 @@ jobs:
   test-build:
     name: test built wheel - py${{ matrix.python-version }}
     needs:
+      - diagnostics
       - build
     runs-on: ${{ matrix.os }}
     strategy:
@@ -263,16 +324,22 @@ jobs:
         os:
           - ubuntu-latest
         python-version:
-          - "3.7"
           - "3.8"
           - "3.9"
           - "3.10"
           - "3.11"
-        include:
-          - os: ubuntu-20.04
-            python-version: "3.6"
+          # gophish-tools cannot support Python 3.12 until the gophish
+          # Python package supports a newer version of the urllib3
+          # library.  The reason is identical to what is discussed
+          # here: https://bugzilla.mozilla.org/show_bug.cgi?id=1857492
+          # - "3.12"
     steps:
-      - uses: actions/checkout@v3
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4
         with:

.github/workflows/codeql-analysis.yml

@@ -4,7 +4,7 @@
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
-name: "CodeQL"
+name: CodeQL
 
 on:
   push:
@@ -20,8 +20,27 @@ on:
     - cron: '0 14 * * 6'
 
 jobs:
+  diagnostics:
+    name: Run diagnostics
+    runs-on: ubuntu-latest
+    steps:
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - id: github-status
+        name: Check GitHub status
+        uses: crazy-max/ghaction-github-status@v3
+      - id: dump-context
+        name: Dump context
+        uses: crazy-max/ghaction-dump-context@v2
   analyze:
     name: Analyze
+    needs:
+      - diagnostics
     runs-on: ubuntu-latest
     permissions:
       # required for all workflows
@@ -37,8 +56,14 @@ jobs:
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
 
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/sync-labels.yml

@@ -19,10 +19,10 @@ jobs:
       issues: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Sync repository labels
         if: success()
-        uses: crazy-max/ghaction-github-labeler@v4
+        uses: crazy-max/ghaction-github-labeler@v5
         with:
           # This is a hideous ternary equivalent so we only do a dry run unless
           # this workflow is triggered by the develop branch.