From 4d88c8b10852e057d0d95cf36f0ef74c1b509162 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 28 May 2025 11:15:29 -0400 Subject: [PATCH 01/31] Add a configuration block for pre-commit.ci This adds a `ci` block to the pre-commit configurations to control the behavior of the pre-commit.ci GitHub app. --- .pre-commit-config.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0760b36..9273b18 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,4 +1,10 @@ --- +ci: + # Do not commit changes from running pre-commit for pull requests. + autofix_prs: false + # Autoupdate hooks weekly (this is the default). + autoupdate_schedule: weekly + default_language_version: # force all unspecified python hooks to run python3 python: python3 From 3b584271602c8b0a39e83522119e728882f5b481 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 15 May 2025 14:57:11 -0400 Subject: [PATCH 02/31] Use a version tag for cisagov/setup-env-github-action We currently use the `develop` branch as our reference for the cisagov/setup-env-github-action action in the build workflow. We will instead use the major version tag which puts our usage of this action in line with how we use other actions in our workflows. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7fe4f16..2e5c1e2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -99,7 +99,7 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env - uses: cisagov/setup-env-github-action@develop + uses: cisagov/setup-env-github-action@v1 - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v5 
From f89170422e22989a8314be4d6355b2919301d9b5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 28 Aug 2025 14:04:27 -0400 Subject: [PATCH 03/31] Add a configuration to automatically label pull requests This includes updating the dependabot configuration, adding a new `label-prs.yml` GitHub Actions workflow, and adding a suitable configuration file for the actions/labeler action used by the aforementioned workflow. --- .github/dependabot.yml | 1 + .github/labeler.yml | 63 ++++++++++++++++++++++ .github/workflows/label-prs.yml | 93 +++++++++++++++++++++++++++++++++ 3 files changed, 157 insertions(+) create mode 100644 .github/labeler.yml create mode 100644 .github/workflows/label-prs.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c17fa4c..6dc2a95 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,6 +12,7 @@ updates: # - dependency-name: actions/cache # - dependency-name: actions/checkout # - dependency-name: actions/dependency-review-action + # - dependency-name: actions/labeler # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python # - dependency-name: cisagov/action-job-preamble diff --git a/.github/labeler.yml b/.github/labeler.yml new file mode 100644 index 0000000..c7f044b --- /dev/null +++ b/.github/labeler.yml 
@@ -0,0 +1,63 @@ +--- +# Each entry in this file is a label that will be applied to pull requests +# if there is a match based on the matching rules for the entry. Please see +# the actions/labeler documentation for more information: +# https://github.com/actions/labeler#match-object +# +# Note: Verify that the label you want to use is defined in the +# crazy-max/ghaction-github-labeler configuration file located at +# .github/labels.yml. + +# Enable if Ansible playbooks are used in the repository. +# ansible: +# - changed-files: +# - any-glob-to-any-file: +# - "**/ansible/**" +dependencies: + - changed-files: + - any-glob-to-any-file: + # Add any dependency files used. + - .pre-commit-config.yaml + - requirements*.txt +documentation: + - changed-files: + - any-glob-to-any-file: + - "**/*.md" +github-actions: + - changed-files: + - any-glob-to-any-file: + - .github/workflows/** +# Enable if Packer is used in the repository. +# packer: +# - changed-files: +# - any-glob-to-any-file: +# - "**/*.pkr.hcl" +# Enable if Python is used in the repository. +# python: +# - changed-files: +# - any-glob-to-any-file: +# - "**/*.py" +# Enable if Terraform is used in the repository. +# terraform: +# - changed-files: +# - any-glob-to-any-file: +# - "**/*.tf" +test: + - changed-files: + - any-glob-to-any-file: + # Add any test-related files or paths. + - .ansible-lint + - .bandit.yml + - .flake8 + - .isort.cfg + - .mdl_config.yaml + - .yamllint +upstream update: + - head-branch: + # Any Lineage pull requests should use this branch. + - lineage/skeleton +version bump: + - changed-files: + - any-glob-to-any-file: + # Ensure this matches your version tracking file(s). + - version.txt diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml new file mode 100644 index 0000000..a107347 --- /dev/null +++ b/.github/workflows/label-prs.yml 
@@ -0,0 +1,93 @@ +--- +name: Label pull requests + +on: # yamllint disable-line rule:truthy + pull_request: + types: + - edited + - opened + - synchronize + +# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace, +# nounset, errexit, and pipefail. The `-x` will print all commands as they are +# run. Please see the GitHub Actions documentation for more information: +# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs +defaults: + run: + shell: bash -Eueo pipefail -x {0} + +jobs: + diagnostics: + name: Run diagnostics + # This job does not need any permissions + permissions: {} + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 + with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + output_workflow_context: "true" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. 
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + label: + needs: + - diagnostics + permissions: + # Permissions required by actions/labeler + contents: read + issues: write + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 + with: + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + - name: Apply suitable labels to a pull request + uses: actions/labeler@v5 From b6c32f267bff759e883c3975aa451d080102d5ed Mon Sep 17 00:00:00 2001 
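Review bot: The `label` job requests `issues: write` and `pull-requests: write`, but on a `pull_request` event the GITHUB_TOKEN for a pull request opened from a fork is read-only regardless of the `permissions` block, so the `actions/labeler` step would fail to apply labels to fork PRs if this repository accepts them. As far as the hunk shows, the job never checks out or executes pull-request code (there is no `actions/checkout` step and labeler fetches its configuration through the API), which is the one situation where the `pull_request_target` trigger that the labeler project recommends does not hand the PR's code any of the token's write access; if only same-repository PRs are expected, the current trigger is the more conservative choice. Either way the decision is worth recording above the `on:` block, e.g. `# pull_request is used deliberately: this job never runs PR code, but the token cannot label PRs from forks; switch to pull_request_target only if that is required.` The `defaults.run.shell` block is also unused here because the workflow has no `run:` steps.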
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Sep 2025 21:55:52 +0000 Subject: [PATCH 04/31] Bump library/python from 3.13.5-alpine3.22 to 3.13.7-alpine3.22 Bumps library/python from 3.13.5-alpine3.22 to 3.13.7-alpine3.22. --- updated-dependencies: - dependency-name: library/python dependency-version: 3.13.7-alpine3.22 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 65b3964..34a6946 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # Official Docker images are in the form library/ while non-official # images are in the form /. -FROM docker.io/library/python:3.13.5-alpine3.22 AS compile-stage +FROM docker.io/library/python:3.13.7-alpine3.22 AS compile-stage ### # Unprivileged user variables @@ -51,7 +51,7 @@ RUN pipenv install --clear --deploy --extra-pip-args "--no-cache-dir" --verbose # Official Docker images are in the form library/ while non-official # images are in the form /. -FROM docker.io/library/python:3.13.5-alpine3.22 AS build-stage +FROM docker.io/library/python:3.13.7-alpine3.22 AS build-stage ### # For a list of pre-defined annotation keys and value types see: From 0aba2813c7f64b7ab1cb601544bf05064f9a71f2 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 8 Sep 2025 12:44:47 -0400 Subject: [PATCH 05/31] Bump actions/labeler from 5 to 6 Bumps [actions/labeler](https://github.com/actions/labeler) from 5 to 6. - [Release notes](https://github.com/actions/labeler/releases) - [Commits](actions/labeler@v5...v6) --- updated-dependencies: - dependency-name: actions/labeler dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/label-prs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml index a107347..9d78e39 100644 --- a/.github/workflows/label-prs.yml +++ b/.github/workflows/label-prs.yml @@ -90,4 +90,4 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Apply suitable labels to a pull request - uses: actions/labeler@v5 + uses: actions/labeler@v6 From 35bac1f90891a875ae5c9878568c10768a06103b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 17:14:24 +0000 Subject: [PATCH 06/31] Bump aquasecurity/trivy-action from 0.33.0 to 0.33.1 Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.33.0 to 0.33.1. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/0.33.0...0.33.1) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-version: 0.33.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 71b6924..88004fd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -407,7 +407,7 @@ jobs: - name: Load Docker image run: docker load < dist/image.tar.gz - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.33.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: ${{ needs.repo-metadata.outputs.image-name }}:latest test: From 507fe983481126be7e953ccb8e9476368b378c42 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 19:00:55 +0000 Subject: [PATCH 07/31] Bump actions/setup-python from 5 to 6 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7fe4f16..bcd9028 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -102,7 +102,7 @@ jobs: uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ steps.setup-env.outputs.python-version }} # We need the Go version and Go cache location for the actions/cache step, From 428ab617f1162c6514ddd2efb575ba2f37ff4c1f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 19:00:58 +0000 Subject: [PATCH 08/31] Bump actions/setup-go from 5 to 6 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7fe4f16..d302901 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -108,7 +108,7 @@ jobs: # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: # There is no expectation for actual Go code so we disable caching as # it relies on the existence of a go.sum file. From 623a983457d949be691753782997c97f50ebe9c6 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:23:07 -0400 Subject: [PATCH 09/31] Adjust the labels dependabot uses Instead of using the default labels for the `github-actions` package ecosystem we specify the labels explicitly. This is done to ensure that dependabot uses our `github-actions` label instead of the default of `github_actions`. We must also explicitly specify the `dependencies` label since we are overriding the default label values. --- .github/dependabot.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c17fa4c..d3688af 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -21,6 +21,12 @@ updates: # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate + labels: + # dependabot default we need to replicate + - dependencies + # This matches our label definition in .github/labels.yml as opposed to + # dependabot's default of `github_actions`. + - github-actions package-ecosystem: github-actions schedule: interval: weekly From 50c0ad88522d13439bcb60985504796e09b97d94 Mon Sep 17 00:00:00 2001 
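Review bot: The comment `# dependabot default we need to replicate` explains what is listed but not why, and the reason matters for the next person who edits this list: specifying `labels` replaces Dependabot's defaults wholesale rather than adding to them. Suggest `# Setting labels replaces Dependabot's defaults entirely, so the default "dependencies" label must be listed explicitly.` Both names also have to exist as repository labels; as far as I recall Dependabot skips a label it cannot find rather than creating it, so `github-actions` must stay defined in `.github/labels.yml` as the second comment says it is.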
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 11 Sep 2025 11:53:27 -0400 Subject: [PATCH 10/31] Add a dependabot configuration for Docker Compose This should produce dependabot PRs for Docker images defined in the Docker composition in this project. --- .github/dependabot.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index da91421..3bb033f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,6 +11,11 @@ updates: schedule: interval: weekly + - directory: / + package-ecosystem: docker-compose + schedule: + interval: weekly + - directory: / ignore: # Managed by cisagov/skeleton-generic From 03065cdc17b57141a9fc88b7c95cd76c9c2b93d5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 16 Sep 2025 10:14:00 -0400 Subject: [PATCH 11/31] Adjust GNU getopt check logic in the `setup-env` script Change the check from looking for specific text in the version output to using the `--test` option. This will provide a more robust implementation of this check that does not have to worry about output format stability. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- setup-env | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup-env b/setup-env index f3304d9..89c7603 100755 --- a/setup-env +++ b/setup-env 
@@ -101,10 +101,10 @@ LONGOPTS="force,help,install-hooks,list-versions,python-version:,venv-name:" # Define short options for getopt SHORTOPTS="fhilp:v:" -# Check for GNU getopt by matching a specific pattern ("getopt from util-linux") -# in its version output. This approach presumes the output format remains stable. -# Be aware that format changes could invalidate this check. -if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then +# Check for GNU getopt by testing for long option support. GNU getopt supports +# the "--test" option and will return exit code 4 while POSIX/BSD getopt does +# not and will return exit code 0. +if getopt --test > /dev/null 2>&1; then cat << 'END_OF_LINE' Please note, this script requires GNU getopt due to its enhanced From c7e1ce848099c84bf1124f66acc93de52021bb2b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Sep 2025 15:45:32 +0000 Subject: [PATCH 12/31] Bump actions/checkout from 4 to 5 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d62be35..c11089c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
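Review bot: The new `if getopt --test > /dev/null 2>&1; then` treats every non-zero exit as "GNU getopt present", so a system with no `getopt` on PATH at all (the shell returns 127) now passes the check and fails later with a less helpful error, whereas the old `--version` text match rejected that case too. Comparing against the documented exit status 4 closes the gap and matches the comment added above the check: `getopt_rc=0`, `getopt --test > /dev/null 2>&1 || getopt_rc=$?`, `if [[ $getopt_rc -ne 4 ]]; then` catches both the BSD (0) and missing (127) cases and stays safe if `errexit` is enabled elsewhere in the script. The `if` body that prints the GNU getopt notice continues past the end of the hunk.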
@@ -100,7 +100,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@v1 - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python uses: actions/setup-python@v6 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index dd59d04..0722fa3 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -113,7 +113,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index ee87e04..bc859d1 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -89,7 +89,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: checkout-repo name: Checkout the repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - id: dependency-review name: Review dependency changes for vulnerabilities and license changes uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index fa6f772..19e0129 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -84,7 +84,7 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Sync repository labels if: success() uses: crazy-max/ghaction-github-labeler@v5 From d070095f0a23e31fec3eab43acf1d9bdc67797b3 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 4 May 2025 05:51:15 -0400 Subject: [PATCH 13/31] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9273b18..bc76d85 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -16,7 +16,7 @@ repos: - id: check-useless-excludes - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 + rev: v6.0.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -45,17 +45,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.44.0 + rev: v0.45.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/rbubley/mirrors-prettier - rev: v3.5.3 + rev: v3.6.2 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.37.0 + rev: v1.37.1 hooks: - id: yamllint args: @@ -63,20 +63,20 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.32.1 + rev: 0.33.3 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.2.0 + rev: v4.3.0 hooks: - id: validate_manifest # Go hooks - repo: https://github.com/TekWizely/pre-commit-golang - rev: v1.0.0-rc.1 + rev: v1.0.0-rc.2 hooks: # Go Build - id: go-build-repo-mod @@ -105,7 +105,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.11.0-1 + rev: v3.12.0-2 hooks: - id: shfmt args: 
@@ -123,13 +123,13 @@ repos: # Redirect operators are followed by a space - --space-redirects - repo: https://github.com/shellcheck-py/shellcheck-py - rev: v0.10.0.1 + rev: v0.11.0.1 hooks: - id: shellcheck # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.8.3 + rev: 1.8.6 hooks: - id: bandit args: @@ -139,7 +139,7 @@ repos: hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.1.2 + rev: 7.3.0 hooks: - id: flake8 additional_dependencies: @@ -149,11 +149,11 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.15.0 + rev: v1.18.1 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit - rev: v2.8.0 + rev: v2.9.0 hooks: - id: pip-audit args: @@ -165,13 +165,13 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.19.1 + rev: v3.20.0 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v25.4.0 + rev: v25.9.0 hooks: - id: ansible-lint additional_dependencies: @@ -215,7 +215,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.98.0 + rev: v1.100.0 hooks: - id: terraform_fmt - id: terraform_validate @@ -228,7 +228,7 @@ repos: # Packer hooks - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.3.0 + rev: v0.3.1 hooks: - id: packer_fmt - id: packer_validate From ee20b2a6866b77f826a93dad5eaa689e18377275 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 29 Aug 2025 17:19:53 -0400 Subject: [PATCH 14/31] Conform to new markdownlint rule A new rule, `MD059/descriptive-link-text`, was added in markdownlint's 0.38.0 release, which itself is used in v0.45.0 of markdownlint-cli. As such, we must update to conform to the new rule. --- CONTRIBUTING.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f9fa53a..a631733 100644 --- a/CONTRIBUTING.md 
+++ b/CONTRIBUTING.md @@ -132,11 +132,10 @@ you can begin to use `pyenv`. For a list of Python versions that are already installed and ready to use with `pyenv`, use the command `pyenv versions`. To see a list of the Python versions available to be installed and used with `pyenv` -use the command `pyenv install --list`. You can read more -[here](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md) about -the many things that `pyenv` can do. See -[here](https://github.com/pyenv/pyenv-virtualenv#usage) for the -additional capabilities that pyenv-virtualenv adds to the `pyenv` +use the command `pyenv install --list`. You can read more about +the [many things that `pyenv` can do](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md). +See the [usage information](https://github.com/pyenv/pyenv-virtualenv#usage) +for the additional capabilities that pyenv-virtualenv adds to the `pyenv` command. #### Creating the Python virtual environment #### From 5bde44c0ead00f5c2b6c421d25a109d4cc839601 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 17 Sep 2025 12:22:39 -0400 Subject: [PATCH 15/31] Bump version from 0.0.1-rc.1 to 1.0.0 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 871d40b..3eefcb9 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.0.1-rc.1 +1.0.0 From ca3226e97c8ab8542a27c02218f6bc76eaa39211 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 13:49:03 -0400 Subject: [PATCH 16/31] Sync bandit versions used in pre-commit config --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 088560e..f766d69 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -139,7 +139,7 @@ repos: - --config=.bandit.yml # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit - rev: 1.8.3 + rev: 1.8.6 hooks: - id: bandit name: bandit (everything else) From d946283d297538fbf400b63c64284e8be7fe0052 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 13:51:29 -0400 Subject: [PATCH 17/31] Update GitHub actions to versions used upstream --- .github/workflows/build.yml | 8 ++++---- .github/workflows/update-dockerhub-description.yml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 064f165..23be262 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -264,7 +264,7 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: generate-metadata name: Generate Docker image metadata uses: docker/metadata-action@v5 @@ -448,10 +448,10 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env - uses: cisagov/setup-env-github-action@develop - - uses: actions/checkout@v4 + uses: cisagov/setup-env-github-action@v1 + - uses: actions/checkout@v5 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ steps.setup-env.outputs.python-version }} - name: Cache testing environments diff --git a/.github/workflows/update-dockerhub-description.yml b/.github/workflows/update-dockerhub-description.yml index bf120a8..e2feae0 100644 --- a/.github/workflows/update-dockerhub-description.yml +++ b/.github/workflows/update-dockerhub-description.yml 
@@ -92,7 +92,7 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Checkout the repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Update the Docker Hub description uses: peter-evans/dockerhub-description@v4 with: From f2a328078b9af4cb3a257f9027dac4f761e44603 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 14:40:43 -0400 Subject: [PATCH 18/31] Add python configuration to labeler --- .github/labeler.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index c7f044b..224b713 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -33,10 +33,10 @@ github-actions: # - any-glob-to-any-file: # - "**/*.pkr.hcl" # Enable if Python is used in the repository. -# python: -# - changed-files: -# - any-glob-to-any-file: -# - "**/*.py" +python: + - changed-files: + - any-glob-to-any-file: + - "**/*.py" # Enable if Terraform is used in the repository. # terraform: # - changed-files: From a197a7a6e78c8f8b8c61112ab673b63232e150c3 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 14:41:20 -0400 Subject: [PATCH 19/31] Add test code to labeler configuration --- .github/labeler.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index 224b713..0a0df0c 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -52,6 +52,7 @@ test: - .isort.cfg - .mdl_config.yaml - .yamllint + - tests/** upstream update: - head-branch: # Any Lineage pull requests should use this branch. From 0f356738fd5c658d5aa4fb63fd21c737c6aa6e65 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 14:42:01 -0400 Subject: [PATCH 20/31] Correct version file location in labeler configuration --- .github/labeler.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 0a0df0c..24d578b 100644 
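Review bot: The line `# Enable if Python is used in the repository.` is left in place above the `python:` stanza that this hunk enables, so the file now reads as if the rule were still an optional template. Drop that comment or replace it with `# Python is used in this repository.` so active rules and the commented-out templates stay distinguishable at a glance.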
--- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -61,4 +61,4 @@ version bump: - changed-files: - any-glob-to-any-file: # Ensure this matches your version tracking file(s). - - version.txt + - src/version.txt From d18e90bfb8070d41dd539044a4e151486b627080 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 19 Sep 2025 16:03:28 -0400 Subject: [PATCH 21/31] Add additional repository labels This adds labels that are common in downstream repositories to the core configuration. This will help ensure consistent label availability. --- .github/labels.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/labels.yml b/.github/labels.yml index fe9a53e..b1311af 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -2,6 +2,9 @@ # Rather than breaking up descriptions into multiline strings we disable that # specific rule in yamllint for this file. # yamllint disable rule:line-length +- color: f15a53 + description: Pull requests that update Ansible code + name: ansible - color: eb6420 description: This issue or pull request is awaiting the outcome of another issue or pull request name: blocked @@ -17,6 +20,9 @@ - color: 0366d6 description: Pull requests that update a dependency file name: dependencies +- color: 2497ed + description: Pull requests that update Docker code + name: docker - color: 5319e7 description: This issue or pull request improves or adds to documentation name: documentation 
@@ -50,12 +56,21 @@ - color: fcdb45 description: This pull request is awaiting an action or decision to move forward name: on hold +- color: 02a8ef + description: Pull requests that update Packer code + name: packer +- color: 3772a4 + description: Pull requests that update Python code + name: python - color: ef476c description: This issue is a request for information or needs discussion name: question - color: d73a4a description: This issue or pull request addresses a security issue name: security +- color: 7b42bc + description: Pull requests that update Terraform code + name: terraform - color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test From e875abf74fc8cd799c17430c74a1d95eddc63466 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 22 Sep 2025 01:13:44 -0400 Subject: [PATCH 22/31] Add auto-label configuration for the `docker` label Add a configuration to automatically apply the `docker` label to pull requests. --- .github/labeler.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index c7f044b..49b89ef 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -19,6 +19,13 @@ dependencies: # Add any dependency files used. - .pre-commit-config.yaml - requirements*.txt +# Enable if Docker is used in the repository. +# docker: +# - changed-files: +# - any-glob-to-any-file: +# - "**/compose*.yml" +# - "**/docker-compose*.yml" +# - "**/Dockerfile*" documentation: - changed-files: - any-glob-to-any-file: From bf938b8d735bc4a6b4757c56c49561ff2e1f71a7 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 24 Sep 2025 13:02:50 -0400 Subject: [PATCH 23/31] Use lowercase for the protocol in EXPOSE statement This gets rid of a warning from docker/build-push-action. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 65b3964..900a75f 100644 --- a/Dockerfile 
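Review bot: The `docker` globs in the commented block only match the `.yml` spelling, but Compose's default file name is `compose.yaml` (with `docker-compose.yaml` accepted for compatibility), so a pull request touching one of those files would not receive the label once the block is enabled. Adding `- "**/compose*.yaml"` and `- "**/docker-compose*.yaml"` alongside the existing patterns closes the gap. The same three-pattern list is carried unchanged into the `docker` hunks of PATCH 26, 27 and 28, and PATCH 25's `test` entry `- compose.yml` has the same single-spelling limitation, so whichever version survives the merge should get the fix.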
+++ b/Dockerfile @@ -103,7 +103,7 @@ ENV PATH="${VIRTUAL_ENV}/bin:$PATH" ENV ECHO_MESSAGE="Hello World from Dockerfile" WORKDIR ${CISA_HOME} USER ${CISA_USER}:${CISA_GROUP} -EXPOSE 8080/TCP +EXPOSE 8080/tcp VOLUME ["/var/log"] ENTRYPOINT ["example"] CMD ["--log-level", "DEBUG", "8", "2"] From bc0d88f53b064491a1e2a8285b97409c240e9e3c Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 24 Sep 2025 15:13:20 -0400 Subject: [PATCH 24/31] Add a section to trigger the "docker" label --- .github/labeler.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index 24d578b..922a04b 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -19,6 +19,10 @@ dependencies: # Add any dependency files used. - .pre-commit-config.yaml - requirements*.txt +docker: + - changed-files: + - any-glob-to-any-file: + - Dockerfile documentation: - changed-files: - any-glob-to-any-file: From ce6e5eb9f1ee5e9bfd3680bd5b174b923a43a786 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 24 Sep 2025 15:14:18 -0400 Subject: [PATCH 25/31] Allow the test composition and pytest config to trigger the test label --- .github/labeler.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index 922a04b..63e6ea2 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -56,6 +56,8 @@ test: - .isort.cfg - .mdl_config.yaml - .yamllint + - compose.yml + - pytest.ini - tests/** upstream update: - head-branch: From 0a33d376c958966097413a384f6ed5166d6a54f8 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 24 Sep 2025 17:12:26 -0400 Subject: [PATCH 26/31] Mirror the "docker" configuration in cisagov/skeleton-generic#222 Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/labeler.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 63e6ea2..08ad467 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -22,7 +22,9 @@ dependencies: docker: - changed-files: - any-glob-to-any-file: - - Dockerfile + - "**/compose*.yml" + - "**/docker-compose*.yml" + - "**/Dockerfile*" documentation: - changed-files: - any-glob-to-any-file: From ce7e5728d4cac869da50e639f4c7df0196b17906 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 24 Sep 2025 20:36:26 -0400 Subject: [PATCH 27/31] Include comment from cisagov/skeleton-generic#222 This also resolves a conflict from the follow-on merge of cisagov/skeleton-generic#222. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/labeler.yml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index d14be15..1d4be90 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -19,22 +19,13 @@ dependencies: # Add any dependency files used. - .pre-commit-config.yaml - requirements*.txt -<<<<<<< HEAD +# Enable if Docker is used in the repository. docker: - changed-files: - any-glob-to-any-file: - "**/compose*.yml" - "**/docker-compose*.yml" - "**/Dockerfile*" -======= -# Enable if Docker is used in the repository. -# docker: -# - changed-files: -# - any-glob-to-any-file: -# - "**/compose*.yml" -# - "**/docker-compose*.yml" -# - "**/Dockerfile*" ->>>>>>> e447508101ff8a9afeae0894a25d6adb6416c854 documentation: - changed-files: - any-glob-to-any-file: From 65474e25bdeb697e85653f74e7587e7f6cd42ce5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Oct 2025 09:36:57 -0400 Subject: [PATCH 28/31] Enable all label configuration for actions/labeler We can enable all label configurations for actions/labeler by default now that all of these labels are defined in the configuration for crazy-max/ghaction-github-labeler. --- .github/labeler.yml | 49 ++++++++++++++++++++------------------------- 1 file changed, 22 insertions(+), 27 deletions(-) 
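Review bot: The comment kept on the new side, `# Enable if Docker is used in the repository.`, now sits directly above an active `docker:` block, so it reads as an instruction to do something that has already been done. If it is retained for parity with cisagov/skeleton-generic#222 to ease future merges, rewording it to describe the state, e.g. `# Docker is used in this repository, so this block is enabled.`, keeps that intent without misleading a reader; otherwise drop the line. PATCH 28, which is based on the `49b89ef` version of this file, removes the corresponding `# Enable if …` comments for every block it enables, so the two histories appear to diverge here again and will need reconciling at merge time.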
diff --git a/.github/labeler.yml b/.github/labeler.yml index 49b89ef..8100ae7 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -8,24 +8,22 @@ # crazy-max/ghaction-github-labeler configuration file located at # .github/labels.yml. -# Enable if Ansible playbooks are used in the repository. -# ansible: -# - changed-files: -# - any-glob-to-any-file: -# - "**/ansible/**" +ansible: + - changed-files: + - any-glob-to-any-file: + - "**/ansible/**" dependencies: - changed-files: - any-glob-to-any-file: # Add any dependency files used. - .pre-commit-config.yaml - requirements*.txt -# Enable if Docker is used in the repository. -# docker: -# - changed-files: -# - any-glob-to-any-file: -# - "**/compose*.yml" -# - "**/docker-compose*.yml" -# - "**/Dockerfile*" +docker: + - changed-files: + - any-glob-to-any-file: + - "**/compose*.yml" + - "**/docker-compose*.yml" + - "**/Dockerfile*" documentation: - changed-files: - any-glob-to-any-file: @@ -34,21 +32,18 @@ github-actions: - changed-files: - any-glob-to-any-file: - .github/workflows/** -# Enable if Packer is used in the repository. -# packer: -# - changed-files: -# - any-glob-to-any-file: -# - "**/*.pkr.hcl" -# Enable if Python is used in the repository. -# python: -# - changed-files: -# - any-glob-to-any-file: -# - "**/*.py" -# Enable if Terraform is used in the repository. -# terraform: -# - changed-files: -# - any-glob-to-any-file: -# - "**/*.tf" +packer: + - changed-files: + - any-glob-to-any-file: + - "**/*.pkr.hcl" +python: + - changed-files: + - any-glob-to-any-file: + - "**/*.py" +terraform: + - changed-files: + - any-glob-to-any-file: + - "**/*.tf" test: - changed-files: - any-glob-to-any-file: From 2a7792e9712ced389541ae5452a01d5aa2b75cb9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Oct 2025 17:01:19 +0000 Subject: [PATCH 29/31] Bump peter-evans/dockerhub-description from 4 to 5 Bumps [peter-evans/dockerhub-description](https://github.com/peter-evans/dockerhub-description) from 4 to 5. - [Release notes](https://github.com/peter-evans/dockerhub-description/releases) - [Commits](https://github.com/peter-evans/dockerhub-description/compare/v4...v5) --- updated-dependencies: - dependency-name: peter-evans/dockerhub-description dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/update-dockerhub-description.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-dockerhub-description.yml b/.github/workflows/update-dockerhub-description.yml index e2feae0..ff72119 100644 --- a/.github/workflows/update-dockerhub-description.yml +++ b/.github/workflows/update-dockerhub-description.yml @@ -94,7 +94,7 @@ jobs: - name: Checkout the repository uses: actions/checkout@v5 - name: Update the Docker Hub description - uses: peter-evans/dockerhub-description@v4 + uses: peter-evans/dockerhub-description@v5 with: password: ${{ secrets.DOCKER_PASSWORD }} readme-filepath: README.md From 3cf19cd3794f5d325ec0ba57ce5f8d7fe5dfdac9 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Oct 2025 12:42:12 -0400 Subject: [PATCH 30/31] Add JavaScript-related labels Add labels for JavaScript and TypeScript to the configuration for crazy-max/ghaction-github-labeler. --- .github/labels.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/labels.yml b/.github/labels.yml index b1311af..650ed7c 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
@@ -47,6 +47,9 @@ - color: fef2c0 description: This issue or pull request is not applicable, incorrect, or obsolete name: invalid +- color: f1d642 + description: Pull requests that update JavaScript code + name: javascript - color: ce099a description: This pull request is ready to merge during the next Lineage Kraken release name: kraken 🐙 @@ -74,6 +77,9 @@ - color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test +- color: 2b6ebf + description: Pull requests that update TypeScript code + name: typescript - color: 1d76db description: This issue or pull request pulls in upstream updates name: upstream update From e38c7f0d43b84c8b5390773eb20d3d99ff643230 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Oct 2025 12:54:50 -0400 Subject: [PATCH 31/31] Add JavaScript-related labels to the labeler configuration Add the new `javascript` and `typescript` labels with appropriate matching rules to the actions/labeler configuration. --- .github/labeler.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index 8100ae7..a4e2186 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -32,6 +32,10 @@ github-actions: - changed-files: - any-glob-to-any-file: - .github/workflows/** +javascript: + - changed-files: + - any-glob-to-any-file: + - "**/*.js" packer: - changed-files: - any-glob-to-any-file: @@ -54,6 +58,10 @@ test: - .isort.cfg - .mdl_config.yaml - .yamllint +typescript: + - changed-files: + - any-glob-to-any-file: + - "**/*.ts" upstream update: - head-branch: # Any Lineage pull requests should use this branch.
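Review bot: The `javascript` pattern `"**/*.js"` and the `typescript` pattern `"**/*.ts"` (second hunk, `@@ -54,6 +58,10 @@`) each cover a single extension, so JSX/TSX files and the module variants Node and TypeScript produce (`.mjs`, `.cjs`, `.mts`, `.cts`) would not trigger the labels. As far as I know actions/labeler matches paths with minimatch, which expands brace sets, so one pattern per label is enough: `- "**/*.{js,jsx,mjs,cjs}"` and `- "**/*.{ts,tsx,mts,cts}"`; if brace expansion is not wanted, list one `- "**/*.ext"` line per extension instead. Either way the list of extensions is a project decision, so a short comment above each block naming what is deliberately excluded would help downstream repositories that copy this skeleton.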