From 33582a11f73d4e5c3dc588a040e59941c381d09a Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 14 Feb 2024 12:59:30 -0600 Subject: [PATCH 001/107] Add checks for semantic python versions --- setup-env | 39 +++++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/setup-env b/setup-env index 05b010b..44368b3 100755 --- a/setup-env +++ b/setup-env @@ -39,6 +39,14 @@ python_versions() { pyenv versions --bare --skip-aliases --skip-envs } +check_semantic_version() { + local version=$1 + local regex="^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\$" + + # Use Perl for regex matching and output true or false + echo "$version" | perl -ne "exit(!/$regex/)" +} + # Flag to force deletion and creation of virtual environment FORCE=0 @@ -103,16 +111,18 @@ while true; do -p | --python-version) PYTHON_VERSION="$2" shift 2 - # Check the Python versions being passed in. - if [ -n "${PYTHON_VERSION+x}" ]; then - if python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then - echo Using Python version "$PYTHON_VERSION" - else - echo Error: Python version "$PYTHON_VERSION" is not installed. - echo Installed Python versions are: - python_versions - exit 1 - fi + # Validate the semantic version format + if ! check_semantic_version "$PYTHON_VERSION"; then + echo "Error: The specified Python version $PYTHON_VERSION does not follow the semantic versioning standard." + echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" + exit 1 + elif ! python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then + echo "Error: Python version $PYTHON_VERSION is not installed." + echo "Installed Python versions are:" + python_versions + exit 1 + else + echo "Using Python version $PYTHON_VERSION" fi ;; -v | --venv-name) 
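Review bot: `echo "$version" | perl -ne "exit(!/$regex/)"` in check_semantic_version passes the user-supplied string through the bash builtin echo, which treats a leading `-n`, `-e` or `-E` as an option; for the value `-n` nothing is printed, Perl's `-n` loop runs zero iterations, and perl exits 0, so the function reports that string as a valid version. Feeding the value verbatim avoids that, `printf '%s\n' "$version" | perl -ne "exit(!/$regex/)"`, and since the regex is a fixed local the Perl program itself is not influenced by the input. A one-line header such as `# Exit status 0 iff $1 is a semver.org-conformant version string` would also document that the function only returns a status and prints nothing. The same function is added again unchanged in PATCH 003 (hunk at -39,6 of the later `setup-env` diff).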
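Review bot: `grep -E "^${PYTHON_VERSION}$"` in the -p branch still interpolates the version into an extended regex, so each `.` matches any character and a `+` from the build-metadata form the new semver check admits (e.g. `3.8.1+local`) becomes a quantifier, leaving the installed-version test both looser than intended and unable to match such a pyenv name literally. A fixed-string whole-line match, `python_versions | grep -Fxq -- "$PYTHON_VERSION"`, compares the name as typed and makes the `> /dev/null` unnecessary. The error lines go to stdout; appending `>&2` to each `echo` keeps them out of any captured output. The same `grep -E` construction reappears in check_python_version in PATCH 002 (hunk at -39,12) and in the duplicate PATCH 003 (-144,16) and PATCH 004 (-39,12) hunks.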
@@ -181,14 +191,7 @@ if [ $LIST_VERSIONS -ne 0 ]; then python_versions read -r -p "Enter the desired Python version: " PYTHON_VERSION # Check the Python versions being passed in. - if [ -n "${PYTHON_VERSION+x}" ]; then - if python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then - echo Using Python version "$PYTHON_VERSION" - else - echo Error: Python version "$PYTHON_VERSION" is not installed. - exit 1 - fi - fi + check_semantic_version "$PYTHON_VERSION" fi # Remove any lingering local configuration. From 94381940a9d28f87da2b85c5e1647a5a80d4a18d Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 14 Feb 2024 14:29:13 -0600 Subject: [PATCH 002/107] Refactor code for the semantic check This commit will make a few changes. The orginal version of the semantic checking function was a bit more difficult to read. It is now somewhat easier to follow how the regex is structured. Also the function has been renamed to check_python_version since it has 2 functions, making sure that the version is semantically correct and the second is to make sure that it is installed on the user's machine. This makes it easier to follow the logic for the flags, -p or --python-version and -l or --list-versions --- setup-env | 54 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 18 deletions(-) diff --git a/setup-env b/setup-env index 44368b3..11ec170 100755 --- a/setup-env +++ b/setup-env 
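Review bot: The replacement line `check_semantic_version "$PYTHON_VERSION"` in the --list-versions path discards the function's exit status, so an interactively entered string that fails the semver check is ignored and the script carries on with it; the branch it replaces also verified that the version was installed, and that check is dropped here entirely. At minimum the call needs a guard, `if ! check_semantic_version "$PYTHON_VERSION"; then exit 1; fi`, and the installed check should be restored to match the -p branch. The hunk at -189,14 in PATCH 003 carries the same gap; PATCH 002 and PATCH 004 later fold both checks into check_python_version. The enclosing `if [ $LIST_VERSIONS -ne 0 ]` block opens before this hunk.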
@@ -39,12 +39,41 @@ python_versions() { pyenv versions --bare --skip-aliases --skip-envs } -check_semantic_version() { +check_python_version() { local version=$1 - local regex="^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\$" - # Use Perl for regex matching and output true or false - echo "$version" | perl -ne "exit(!/$regex/)" + # Break down the regex into readable parts major.minor.patch + local major="0|[1-9]\\d*" + local minor="0|[1-9]\\d*" + local patch="0|[1-9]\\d*" + + # Splitting the prerelease part for readability + # Start of prerelease + local prerelease="(?:-" + # Numeric or alphanumeric identifiers + local prerelease+="(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)" + # Additional dot-separated identifiers + local prerelease+="(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*" + # End of prerelease, making it optional + local prerelease+=")?" + # Optional build metadata + local build="(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?" + + # Final regex composed of parts + local regex="^($major)\\.($minor)\\.($patch)$prerelease$build\$" + + if ! echo "$version" | perl -ne "exit(!/$regex/)"; then + echo "Error: The specified Python version $version does not follow the semantic versioning standard." + echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" + exit 1 + elif ! python_versions | grep -E "^${version}$" > /dev/null; then + echo "Error: Python version $version is not installed." + echo "Installed Python versions are:" + python_versions + exit 1 + else + echo "Using Python version $version" + fi } # Flag to force deletion and creation of virtual environment 
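Review bot: The three `local prerelease+="..."` lines redeclare a variable that is already local to the function; bash's `local` appears to honour `+=` so the appends work, but the text reads as four separate declarations rather than one value built in steps. Declaring once with `local prerelease="(?:-"` and appending with plain `prerelease+="..."` on the following lines says what is meant and avoids relying on that corner of `local`. The function also ends the whole script with `exit 1` from inside a helper, which suits the two call sites but deserves a header line such as `# Validate $1 as a semver string and confirm pyenv has it installed; exits the script otherwise.` PATCH 004 (hunk at -39,12) introduces the identical body again.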
@@ -111,19 +140,8 @@ while true; do -p | --python-version) PYTHON_VERSION="$2" shift 2 - # Validate the semantic version format - if ! check_semantic_version "$PYTHON_VERSION"; then - echo "Error: The specified Python version $PYTHON_VERSION does not follow the semantic versioning standard." - echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" - exit 1 - elif ! python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then - echo "Error: Python version $PYTHON_VERSION is not installed." - echo "Installed Python versions are:" - python_versions - exit 1 - else - echo "Using Python version $PYTHON_VERSION" - fi + # Check the Python version being passed in. + check_python_version "$PYTHON_VERSION" ;; -v | --venv-name) VENV_NAME="$2" @@ -191,7 +209,7 @@ if [ $LIST_VERSIONS -ne 0 ]; then python_versions read -r -p "Enter the desired Python version: " PYTHON_VERSION # Check the Python versions being passed in. - check_semantic_version "$PYTHON_VERSION" + check_python_version "$PYTHON_VERSION" fi # Remove any lingering local configuration. From cea8edc5bcdcec8a06b6b810514b0222fc03f42e Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 14 Feb 2024 12:59:30 -0600 Subject: [PATCH 003/107] Add checks for semantic python versions --- setup-env | 39 +++++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/setup-env b/setup-env index 3a22d43..5e537bc 100755 --- a/setup-env +++ b/setup-env 
@@ -39,6 +39,14 @@ python_versions() { pyenv versions --bare --skip-aliases --skip-envs } +check_semantic_version() { + local version=$1 + local regex="^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\$" + + # Use Perl for regex matching and output true or false + echo "$version" | perl -ne "exit(!/$regex/)" +} + # Flag to force deletion and creation of virtual environment FORCE=0 @@ -144,16 +152,18 @@ while true; do -p | --python-version) PYTHON_VERSION="$2" shift 2 - # Check the Python versions being passed in. - if [ -n "${PYTHON_VERSION+x}" ]; then - if python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then - echo Using Python version "$PYTHON_VERSION" - else - echo Error: Python version "$PYTHON_VERSION" is not installed. - echo Installed Python versions are: - python_versions - exit 1 - fi + # Validate the semantic version format + if ! check_semantic_version "$PYTHON_VERSION"; then + echo "Error: The specified Python version $PYTHON_VERSION does not follow the semantic versioning standard." + echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" + exit 1 + elif ! python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then + echo "Error: Python version $PYTHON_VERSION is not installed." + echo "Installed Python versions are:" + python_versions + exit 1 + else + echo "Using Python version $PYTHON_VERSION" fi ;; -v | --venv-name) 
@@ -189,14 +199,7 @@ if [ $LIST_VERSIONS -ne 0 ]; then # -r: treat backslashes as literal, -p: display prompt before input. read -r -p "Enter the desired Python version: " PYTHON_VERSION # Check the Python versions being passed in. - if [ -n "${PYTHON_VERSION+x}" ]; then - if python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then - echo Using Python version "$PYTHON_VERSION" - else - echo Error: Python version "$PYTHON_VERSION" is not installed. - exit 1 - fi - fi + check_semantic_version "$PYTHON_VERSION" fi # Remove any lingering local configuration. From d5c7c4a566f88f7575f06ff2e0829f257a00cb08 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 14 Feb 2024 14:29:13 -0600 Subject: [PATCH 004/107] Refactor code for the semantic check This commit will make a few changes. The orginal version of the semantic checking function was a bit more difficult to read. It is now somewhat easier to follow how the regex is structured. Also the function has been renamed to check_python_version since it has 2 functions, making sure that the version is semantically correct and the second is to make sure that it is installed on the user's machine. This makes it easier to follow the logic for the flags, -p or --python-version and -l or --list-versions --- setup-env | 54 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 18 deletions(-) diff --git a/setup-env b/setup-env index 5e537bc..92540d1 100755 --- a/setup-env +++ b/setup-env 
@@ -39,12 +39,41 @@ python_versions() { pyenv versions --bare --skip-aliases --skip-envs } -check_semantic_version() { +check_python_version() { local version=$1 - local regex="^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\$" - # Use Perl for regex matching and output true or false - echo "$version" | perl -ne "exit(!/$regex/)" + # Break down the regex into readable parts major.minor.patch + local major="0|[1-9]\\d*" + local minor="0|[1-9]\\d*" + local patch="0|[1-9]\\d*" + + # Splitting the prerelease part for readability + # Start of prerelease + local prerelease="(?:-" + # Numeric or alphanumeric identifiers + local prerelease+="(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)" + # Additional dot-separated identifiers + local prerelease+="(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*" + # End of prerelease, making it optional + local prerelease+=")?" + # Optional build metadata + local build="(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?" + + # Final regex composed of parts + local regex="^($major)\\.($minor)\\.($patch)$prerelease$build\$" + + if ! echo "$version" | perl -ne "exit(!/$regex/)"; then + echo "Error: The specified Python version $version does not follow the semantic versioning standard." + echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" + exit 1 + elif ! python_versions | grep -E "^${version}$" > /dev/null; then + echo "Error: Python version $version is not installed." + echo "Installed Python versions are:" + python_versions + exit 1 + else + echo "Using Python version $version" + fi } # Flag to force deletion and creation of virtual environment 
@@ -152,19 +181,8 @@ while true; do -p | --python-version) PYTHON_VERSION="$2" shift 2 - # Validate the semantic version format - if ! check_semantic_version "$PYTHON_VERSION"; then - echo "Error: The specified Python version $PYTHON_VERSION does not follow the semantic versioning standard." - echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" - exit 1 - elif ! python_versions | grep -E "^${PYTHON_VERSION}$" > /dev/null; then - echo "Error: Python version $PYTHON_VERSION is not installed." - echo "Installed Python versions are:" - python_versions - exit 1 - else - echo "Using Python version $PYTHON_VERSION" - fi + # Check the Python version being passed in. + check_python_version "$PYTHON_VERSION" ;; -v | --venv-name) VENV_NAME="$2" @@ -199,7 +217,7 @@ if [ $LIST_VERSIONS -ne 0 ]; then # -r: treat backslashes as literal, -p: display prompt before input. read -r -p "Enter the desired Python version: " PYTHON_VERSION # Check the Python versions being passed in. - check_semantic_version "$PYTHON_VERSION" + check_python_version "$PYTHON_VERSION" fi # Remove any lingering local configuration. From 327ab733aeaaad6a4916eb86b20d86618c9351e3 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 18 Mar 2024 12:36:02 -0500 Subject: [PATCH 005/107] Remove example of correct semantic version --- setup-env | 1 - 1 file changed, 1 deletion(-) diff --git a/setup-env b/setup-env index 92540d1..bacd2d5 100755 --- a/setup-env +++ b/setup-env @@ -64,7 +64,6 @@ check_python_version() { if ! echo "$version" | perl -ne "exit(!/$regex/)"; then echo "Error: The specified Python version $version does not follow the semantic versioning standard." - echo "Example of a valid version: 3.8.1, 3.8.1-alpha.1, or 3.8.1+20130313144700" exit 1 elif ! python_versions | grep -E "^${version}$" > /dev/null; then echo "Error: Python version $version is not installed." From 4dedf50886fd47c67895deb07367fca5c36ca33f Mon Sep 17 00:00:00 2001 
From: Michael Saki Date: Wed, 20 Mar 2024 12:58:03 -0500 Subject: [PATCH 006/107] Refactor the error message for the user --- setup-env | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup-env b/setup-env index bacd2d5..d7824cb 100755 --- a/setup-env +++ b/setup-env @@ -63,7 +63,9 @@ check_python_version() { local regex="^($major)\\.($minor)\\.($patch)$prerelease$build\$" if ! echo "$version" | perl -ne "exit(!/$regex/)"; then - echo "Error: The specified Python version $version does not follow the semantic versioning standard." + echo "Invalid version of Python: Python follows semantic versioning, " \ + "so any version string that is not a valid semantic version is an " \ + "invalid version of Python." exit 1 elif ! python_versions | grep -E "^${version}$" > /dev/null; then echo "Error: Python version $version is not installed." From e84deea5181f27471f01343113c91dc2b13e159e Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Wed, 20 Mar 2024 14:52:16 -0500 Subject: [PATCH 007/107] Improve the semantic error message --- setup-env | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup-env b/setup-env index d7824cb..bba5f9e 100755 --- a/setup-env +++ b/setup-env @@ -63,8 +63,8 @@ check_python_version() { local regex="^($major)\\.($minor)\\.($patch)$prerelease$build\$" if ! echo "$version" | perl -ne "exit(!/$regex/)"; then - echo "Invalid version of Python: Python follows semantic versioning, " \ - "so any version string that is not a valid semantic version is an " \ + echo "Invalid version of Python: Python follows semantic versioning," \ + "so any version string that is not a valid semantic version is an" \ "invalid version of Python." exit 1 elif ! python_versions | grep -E "^${version}$" > /dev/null; then From 5fdc7befc1d1d4811c4550ca1e4c65a711971c21 Mon Sep 17 00:00:00 2001 
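Review bot: The rewritten message no longer includes `$version`, so the user is told the string was rejected without being shown what the script actually received, which matters most when the value came from the interactive `read` prompt rather than the command line. Keeping the value in the text, e.g. `echo "Invalid version of Python: '$version' is not a valid semantic version." >&2`, restores that and sends the diagnostic to stderr where the `elif` branch's errors should also go. The multi-argument `echo` is fine for wrapping, but note that echo joins its arguments with a single space, so the individual strings must not end in one.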
From: Michael Saki Date: Wed, 20 Mar 2024 15:39:07 -0500 Subject: [PATCH 008/107] Fix grammar Co-authored-by: dav3r --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index bba5f9e..b93810c 100755 --- a/setup-env +++ b/setup-env @@ -217,7 +217,7 @@ if [ $LIST_VERSIONS -ne 0 ]; then # Read the user's desired Python version. # -r: treat backslashes as literal, -p: display prompt before input. read -r -p "Enter the desired Python version: " PYTHON_VERSION - # Check the Python versions being passed in. + # Check the Python version being passed in. check_python_version "$PYTHON_VERSION" fi From 42ef8c2d7b54cde82d4390a0050622cddfccf92a Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Thu, 21 Mar 2024 09:19:42 -0500 Subject: [PATCH 009/107] Refactor regex, add link, and improve comments --- setup-env | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/setup-env b/setup-env index b93810c..2f30021 100755 --- a/setup-env +++ b/setup-env 
@@ -42,31 +42,38 @@ python_versions() { check_python_version() { local version=$1 + # This is a valid regex for semantically correct Python version strings. + # For more information see here: https://regex101.com/r/vkijKf/1/. # Break down the regex into readable parts major.minor.patch - local major="0|[1-9]\\d*" - local minor="0|[1-9]\\d*" - local patch="0|[1-9]\\d*" + local major="0|[1-9]\d*" + local minor="0|[1-9]\d*" + local patch="0|[1-9]\d*" # Splitting the prerelease part for readability - # Start of prerelease + # Start of the prerelease local prerelease="(?:-" # Numeric or alphanumeric identifiers - local prerelease+="(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)" + local prerelease+="(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)" # Additional dot-separated identifiers - local prerelease+="(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*" - # End of prerelease, making it optional + local prerelease+="(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*" + # End of the prerelease, making it optional local prerelease+=")?" # Optional build metadata - local build="(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?" + local build="(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?" # Final regex composed of parts - local regex="^($major)\\.($minor)\\.($patch)$prerelease$build\$" + local regex="^($major)\.($minor)\.($patch)$prerelease$build$" + # This checks if the Python version does not match the regex pattern specified in $regex, + # using Perl for regex matching. If the pattern is not found, then prompt the user with + # the invalid version message. if ! echo "$version" | perl -ne "exit(!/$regex/)"; then echo "Invalid version of Python: Python follows semantic versioning," \ "so any version string that is not a valid semantic version is an" \ "invalid version of Python." exit 1 + # Else if the Python version isn't installed then notify the user. + # grep -E is used for searching through text lines that match the specific verison. elif ! 
python_versions | grep -E "^${version}$" > /dev/null; then echo "Error: Python version $version is not installed." echo "Installed Python versions are:" From a77e5e1c9a8752a2072a6a974d4164be116069e9 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Thu, 21 Mar 2024 10:13:11 -0500 Subject: [PATCH 010/107] Update link to use semver.org over regex101.com --- setup-env | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 2f30021..8d7b347 100755 --- a/setup-env +++ b/setup-env @@ -43,7 +43,8 @@ check_python_version() { local version=$1 # This is a valid regex for semantically correct Python version strings. - # For more information see here: https://regex101.com/r/vkijKf/1/. + # For more information see here: + # https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string. # Break down the regex into readable parts major.minor.patch local major="0|[1-9]\d*" local minor="0|[1-9]\d*" From 5fe14c7c6066d30381f6746eb313a56e4d447ac5 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Thu, 21 Mar 2024 10:29:58 -0500 Subject: [PATCH 011/107] Remove unnecessary period Co-authored-by: dav3r --- setup-env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 8d7b347..059ccad 100755 --- a/setup-env +++ b/setup-env @@ -44,7 +44,7 @@ check_python_version() { # This is a valid regex for semantically correct Python version strings. # For more information see here: - # https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string. + # https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string # Break down the regex into readable parts major.minor.patch local major="0|[1-9]\d*" local minor="0|[1-9]\d*" From b7896a0a2790cc121842c6ac1602734bbd5dd726 Mon Sep 17 00:00:00 2001 
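Review bot: The new comment and the error text present this regex as the definition of a valid Python version, but CPython pre-releases are named per PEP 440 (`3.13.0b1`, `3.12.0rc1`) and pyenv lists other non-semver names such as PyPy builds (`pypy3.10-…`), so a version that `python_versions` itself reports as installed can be rejected here before the installed check ever runs. The comment should state the contract that is actually enforced, e.g. `# Accepts only MAJOR.MINOR.PATCH[-prerelease][+build] per semver.org; PEP 440 pre-release forms such as 3.13.0b1 are rejected.`, or the pattern should be widened to the pyenv names the script intends to support. The comment above the `elif` also misspells `version` as `verison`. The function's `else` branch and closing brace lie beyond the end of this hunk.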
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 20 Apr 2024 04:11:57 -0400 Subject: [PATCH 012/107] Add a meta hook to the pre-commit configuration Add the `check-useless-excludes` meta hook to verify that any defined `exclude` directives apply to at least one file in the repository. --- .pre-commit-config.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2c5b3c8..de8c587 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -4,6 +4,11 @@ default_language_version: python: python3 repos: + # Check the pre-commit configuration + - repo: meta + hooks: + - id: check-useless-excludes + - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.5.0 hooks: From 260566f177520175530963c469e50d124e5bc0e4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 20 Apr 2024 04:15:52 -0400 Subject: [PATCH 013/107] Remove `exclude` directive that does not apply to any files --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index de8c587..5ec468e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -24,7 +24,6 @@ repos: - --allow-missing-credentials - id: detect-private-key - id: end-of-file-fixer - exclude: files/(issue|motd) - id: mixed-line-ending args: - --fix=lf From 07e2b60f912ada6de4de0dcf0573bbecc0f2037c Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Sat, 4 May 2024 10:09:12 -0400 Subject: [PATCH 014/107] Pin ansible-core when running the ansible-lint linter New versions of ansible-core (2.16.7 and 2.17.0) have been released that do not suffer from the bug discussed in ansible/ansible#82702. This bug broke any symlinked files in vars, tasks, etc. for any Ansible role installed via ansible-galaxy. All versions later than ansible-core 2.16.7 and 2.17.0 should function as expected. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2c5b3c8..895384c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -155,6 +155,17 @@ repos: rev: v24.2.0 hooks: - id: ansible-lint + additional_dependencies: + # ansible-core 2.16.3 through 2.16.6 suffer from the bug + # discussed in ansible/ansible#82702, which breaks any + # symlinked files in vars, tasks, etc. for any Ansible role + # installed via ansible-galaxy. Hence we never want to + # install those versions. + # + # Note that any changes made to this dependency must also be + # made in requirements.txt in cisagov/skeleton-packer and + # requirements-test.txt in cisagov/skeleton-ansible-role. + - ansible-core>=2.16.7 # files: molecule/default/playbook.yml # Terraform hooks From c74e5db75b7e3785a3f7196365b7ba99f9a004ea Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 4 May 2024 10:11:08 -0400 Subject: [PATCH 015/107] Remove unnecessary line The line is not only unnecessary, it was commented out to boot! --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 895384c..11772d9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
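Review bot: `- ansible-core>=2.16.7` excludes the broken 2.16.3–2.16.6 releases but is open-ended above, so two developers on the same pinned `ansible-lint` rev can resolve different ansible-core minors depending on when their hook environment was built, and a future release can change lint results with no change to this file. Since the comment's stated goal is only to avoid specific versions, an upper bound alongside it, `- ansible-core>=2.16.7,<2.18`, keeps the environment reproducible and is revisited when the hook rev is bumped; whether the sibling repositories named in the comment need the same bound should be confirmed. A short note on the chosen ceiling would help the next maintainer.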
@@ -166,7 +166,6 @@ repos: # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. - ansible-core>=2.16.7 - # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform From 2e53e0de98caa5d5a42320618d8e604c770da7d9 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 7 May 2024 15:21:06 -0400 Subject: [PATCH 016/107] Explain why ansible may need to be added as a dependency for ansible-lint On its own ansible-lint does not pull in ansible, only ansible-core. Therefore, if an Ansible module lives in ansible instead of ansible-core, the linter will complain that the module is unknown. In these cases it is necessary to add the ansible package itself as an additional dependency, with the same pinning as is done in requirements-test.txt of cisagov/skeleton-ansible-role. --- .pre-commit-config.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 11772d9..a48e196 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -156,6 +156,14 @@ repos: hooks: - id: ansible-lint additional_dependencies: + # On its own ansible-lint does not pull in ansible, only + # ansible-core. Therefore, if an Ansible module lives in + # ansible instead of ansible-core, the linter will complain + # that the module is unknown. In these cases it is + # necessary to add the ansible package itself as an + # additional dependency, with the same pinning as is done in + # requirements-test.txt of cisagov/skeleton-ansible-role. + # - ansible>=8,<10 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any # symlinked files in vars, tasks, etc. for any Ansible role From f51fe623bb34e68bb874cd30756fee2692d34b5a Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 11 May 2024 00:38:50 -0400 Subject: [PATCH 017/107] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. The pre-commit/mirrors-prettier was manually held back because the latest tags are for alpha releases of the next major version. --- .pre-commit-config.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2c5b3c8..d315345 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,7 +5,7 @@ default_language_version: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v4.6.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -31,7 +31,7 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.39.0 + rev: v0.41.0 hooks: - id: markdownlint args: @@ -56,14 +56,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.28.0 + rev: 0.28.4 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.6.2 + rev: v3.7.1 hooks: - id: validate_manifest @@ -98,7 +98,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.7.0-4 + rev: v3.8.0-1 hooks: - id: shfmt args: @@ -116,19 +116,19 @@ repos: # Redirect operators are followed by a space - --space-redirects - repo: https://github.com/shellcheck-py/shellcheck-py - rev: v0.9.0.6 + rev: v0.10.0.1 hooks: - id: shellcheck # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.7 + rev: 1.7.8 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.2.0 + rev: 24.4.2 hooks: - id: black - repo: https://github.com/PyCQA/flake8 
@@ -142,24 +142,24 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.8.0 + rev: v1.10.0 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.15.1 + rev: v3.15.2 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.2.0 + rev: v24.6.0 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.88.0 + rev: v1.90.0 hooks: - id: terraform_fmt - id: terraform_validate From 8e55b8e24e047008b1fa80bc87a76163888e4e5e Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 6 Jun 2024 13:58:38 -0400 Subject: [PATCH 018/107] Manually update the prettier hook Use the latest v3 release available from NPM. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d315345..2ece2c0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: # mirror does not pull tags for old major versions once a new major # version tag is published. additional_dependencies: - - prettier@3.2.5 + - prettier@3.3.1 - repo: https://github.com/adrienverge/yamllint rev: v1.35.1 hooks: From c617bb92af0bd01d0ef9bb7e51c007e34f91a915 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Thu, 6 Jun 2024 16:42:24 -0400 Subject: [PATCH 019/107] Correct commented-out ansible pin The pin now agrees with what is in cisagov/skeleton-ansible-role. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a48e196..3071c44 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -163,7 +163,7 @@ repos: # necessary to add the ansible package itself as an # additional dependency, with the same pinning as is done in # requirements-test.txt of cisagov/skeleton-ansible-role. - # - ansible>=8,<10 + # - ansible>=9,<10 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any # symlinked files in vars, tasks, etc. for any Ansible role From a68994d17dcc11e9b90132c50fe52732d5fda07b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 1 Jul 2024 16:19:46 -0400 Subject: [PATCH 020/107] Add a lower-bound pin for flake8-docstrings --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 386c83f..74c9c76 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -136,7 +136,7 @@ repos: hooks: - id: flake8 additional_dependencies: - - flake8-docstrings + - flake8-docstrings>=1.7.0 - repo: https://github.com/PyCQA/isort rev: 5.13.2 hooks: From 43b91c74754e912172c702e20f12ba9f767ac202 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 12 Aug 2024 06:24:06 -0400 Subject: [PATCH 021/107] Use the hashicorp/setup-packer GitHub Action Instead of manually installing Packer we can instead leverage the hashicorp/setup-packer Action just as we do for Terraform. --- .github/workflows/build.yml | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9bb221a..e12b842 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -20,7 +20,6 @@ defaults: shell: bash -Eueo pipefail -x {0} env: - CURL_CACHE_DIR: ~/.cache/curl PIP_CACHE_DIR: ~/.cache/pip PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit RUN_TMATE: ${{ secrets.RUN_TMATE }} 
@@ -97,25 +96,12 @@ jobs: path: | ${{ env.PIP_CACHE_DIR }} ${{ env.PRE_COMMIT_CACHE_DIR }} - ${{ env.CURL_CACHE_DIR }} ${{ steps.go-cache.outputs.dir }} restore-keys: | ${{ env.BASE_CACHE_KEY }} - - name: Setup curl cache - run: mkdir -p ${{ env.CURL_CACHE_DIR }} - - name: Install Packer - env: - PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} - run: | - PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip" - curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \ - --time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \ - --location \ - "https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}" - sudo unzip -d /opt/packer \ - ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" - sudo mv /usr/local/bin/packer /usr/local/bin/packer-default - sudo ln -s /opt/packer/packer /usr/local/bin/packer + - uses: hashicorp/setup-packer@v3 + with: + version: ${{ steps.setup-env.outputs.packer-version }} - uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} From 8ada75d419c3ea546843fc0772d9d0b678beeea4 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 23 Aug 2024 00:54:54 -0400 Subject: [PATCH 022/107] Remove @jasonodoom as a codeowner He is no longer a member of @cisagov/vm-dev. --- .github/CODEOWNERS | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 229920c..3af99ba 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
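Review bot: `- uses: hashicorp/setup-packer@v3` references a mutable major tag, so the code this job runs can change whenever that tag is moved, whereas the removed step fetched a zip from a fixed `releases.hashicorp.com` URL (though it verified no checksum either). The existing `hashicorp/setup-terraform@v3` context line follows the same convention, so this is consistent with the file; if the repository wants to harden both, pin to a full commit SHA with the version in a trailing comment, `- uses: hashicorp/setup-packer@<commit-sha-placeholder> # v3.x`. Whether the action's packer shadows the runner's preinstalled binary the way the removed `mv`/`ln -s` pair did is not visible here and is worth a comment once confirmed. The `CURL_CACHE_DIR` removal in the earlier hunk at -20,7 follows from dropping this step.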
@@ -3,22 +3,22 @@ # These owners will be the default owners for everything in the # repo. Unless a later match takes precedence, these owners will be # requested for review when someone opens a pull request. -* @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +* @dav3r @felddy @jsf9k @mcdonnnj # These folks own any files in the .github directory at the root of # the repository and any of its subdirectories. -/.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.github/ @dav3r @felddy @jsf9k @mcdonnnj # These folks own all linting configuration files. -/.ansible-lint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.bandit.yml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.flake8 @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.isort.cfg @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.mdl_config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.pre-commit-config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.prettierignore @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/.yamllint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/requirements.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/requirements-dev.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/requirements-test.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj -/setup-env @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj +/.ansible-lint @dav3r @felddy @jsf9k @mcdonnnj +/.bandit.yml @dav3r @felddy @jsf9k @mcdonnnj +/.flake8 @dav3r @felddy @jsf9k @mcdonnnj +/.isort.cfg @dav3r @felddy @jsf9k @mcdonnnj +/.mdl_config.yaml @dav3r @felddy @jsf9k @mcdonnnj +/.pre-commit-config.yaml @dav3r @felddy @jsf9k @mcdonnnj +/.prettierignore @dav3r @felddy @jsf9k @mcdonnnj +/.yamllint @dav3r @felddy @jsf9k @mcdonnnj +/requirements.txt @dav3r @felddy @jsf9k @mcdonnnj +/requirements-dev.txt @dav3r @felddy @jsf9k @mcdonnnj +/requirements-test.txt @dav3r @felddy @jsf9k @mcdonnnj +/setup-env @dav3r @felddy @jsf9k @mcdonnnj From 293020830fb6830a7324b5eacb8c3122979d9882 Mon Sep 17 00:00:00 2001 
From: Shane Frasier Date: Mon, 26 Aug 2024 09:27:58 -0400 Subject: [PATCH 023/107] Pin to a specific version Previously we only provided a lower bound for the version, but pinning to a specific version aligns with what has been done with the prettier hook and how pre-commit hooks are pinned in general. The flake8-docstrings package is rarely updated, so there is no real downside to pinning to a specific version. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 74c9c76..236eeda 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -136,7 +136,7 @@ repos: hooks: - id: flake8 additional_dependencies: - - flake8-docstrings>=1.7.0 + - flake8-docstrings==1.7.0 - repo: https://github.com/PyCQA/isort rev: 5.13.2 hooks: From 46e055367c1e34711ed0980b2934b9df54bf33fe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Sep 2024 18:23:01 +0000 Subject: [PATCH 024/107] Bump actions/cache from 3 to 4 Bumps [actions/cache](https://github.com/actions/cache) from 3 to 4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9bb221a..a403ea9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -76,7 +76,7 @@ jobs: name: Lookup Go cache directory run: | echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - - uses: actions/cache@v3 + - uses: actions/cache@v4 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-\ From 3167421109abf3fe94dc801203587e1bf3ce33a3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Sep 2024 18:23:14 +0000 Subject: [PATCH 025/107] Bump crazy-max/ghaction-github-status from 3 to 4 Bumps [crazy-max/ghaction-github-status](https://github.com/crazy-max/ghaction-github-status) from 3 to 4. - [Release notes](https://github.com/crazy-max/ghaction-github-status/releases) - [Commits](https://github.com/crazy-max/ghaction-github-status/compare/v3...v4) --- updated-dependencies: - dependency-name: crazy-max/ghaction-github-status dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/sync-labels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 5a20438..e83bd41 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -24,7 +24,7 @@ jobs: egress-policy: audit - id: github-status name: Check GitHub status - uses: crazy-max/ghaction-github-status@v3 + uses: crazy-max/ghaction-github-status@v4 - id: dump-context name: Dump context uses: crazy-max/ghaction-dump-context@v2 From 6a58c2c24ef1eb15c7a69a44f16c63964f1c7f82 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 12 Aug 2024 16:23:58 -0400 Subject: [PATCH 026/107] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. The pre-commit/mirrors-prettier hook was manually held back because the latest tags are for alpha releases of the next major version. --- .pre-commit-config.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 386c83f..81f3276 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,7 +31,7 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.41.0 + rev: v0.42.0 hooks: - id: markdownlint args: @@ -56,14 +56,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.28.4 + rev: 0.29.2 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.7.1 + rev: v3.8.0 hooks: - id: validate_manifest @@ -98,7 +98,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.8.0-1 + rev: v3.9.0-1 hooks: - id: shfmt args: @@ -122,17 +122,17 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.8 + rev: 1.7.10 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.4.2 + rev: 24.8.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.0.0 + rev: 7.1.1 hooks: - id: flake8 additional_dependencies: 
@@ -142,17 +142,17 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.10.0 + rev: v1.11.2 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.15.2 + rev: v3.17.0 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.6.0 + rev: v24.9.2 hooks: - id: ansible-lint additional_dependencies: @@ -177,7 +177,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.90.0 + rev: v1.96.1 hooks: - id: terraform_fmt - id: terraform_validate @@ -190,7 +190,7 @@ repos: # Packer hooks - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.0.2 + rev: v0.1.0 hooks: - id: packer_validate - id: packer_fmt From 553efcb0d4e755ebd47abb49c865367ed6d0a236 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 12 Aug 2024 16:30:49 -0400 Subject: [PATCH 027/107] Manually update the prettier hook Use the latest v3 release available from NPM. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 81f3276..2104775 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: # mirror does not pull tags for old major versions once a new major # version tag is published. additional_dependencies: - - prettier@3.3.1 + - prettier@3.3.3 - repo: https://github.com/adrienverge/yamllint rev: v1.35.1 hooks: From 045a998dcf14dc7e3de9301ba7ee2103272b0ac4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 18 Jan 2024 16:11:15 -0500 Subject: [PATCH 028/107] Add a pre-commit hook to run pip-audit The pip-audit tool will audit any supplied pip requirements files for vulnerable packages. --- .pre-commit-config.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2c5b3c8..78140ff 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -145,6 +145,18 @@ repos: rev: v1.8.0 hooks: - id: mypy + - repo: https://github.com/pypa/pip-audit + rev: v2.7.3 + hooks: + - id: pip-audit + args: + # Add any pip requirements files to scan + - --requirement + - requirements-dev.txt + - --requirement + - requirements-test.txt + - --requirement + - requirements.txt - repo: https://github.com/asottile/pyupgrade rev: v3.15.1 hooks: From c502f1ab7cca8bd383a34360ce456b50fd6e8b21 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 12 Aug 2024 16:32:02 -0400 Subject: [PATCH 029/107] Use the rbubley/mirrors-prettier hook for prettier This replaces the now archived pre-commit/mirrors-prettier hook. --- .pre-commit-config.yaml | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ca59d6f..3cb1f85 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,17 +40,10 @@ repos: - id: markdownlint args: - --config=.mdl_config.yaml - - repo: https://github.com/pre-commit/mirrors-prettier - # This is the last version of v3 available from the mirror. We should hold - # here until v4, which is currently in alpha, is more stable. - rev: v3.1.0 + - repo: https://github.com/rbubley/mirrors-prettier + rev: v3.3.3 hooks: - id: prettier - # This is the latest version of v3 available from NPM. The pre-commit - # mirror does not pull tags for old major versions once a new major - # version tag is published. - additional_dependencies: - - prettier@3.3.3 - repo: https://github.com/adrienverge/yamllint rev: v1.35.1 hooks: From 942c0dc98f605282fdf3c0ac6b9a549647f89f41 Mon Sep 17 00:00:00 2001 
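Review bot: The pip-audit hook audits whatever versions pip-audit resolves for the three requirement files at hook run time, which for unpinned (`>=`) requirements is the newest release on the day the hook runs rather than what a developer actually has installed, and the comment `# Add any pip requirements files to scan` does not say so. Suggest extending it to something like `# pip-audit resolves these files against PyPI at run time, so unpinned requirements are audited at their latest release`. By default pip-audit also only reports, rather than fails on, dependencies it could not audit; adding `- --strict` to `args` turns a skipped dependency into a failure instead of a silent pass. Both points should be confirmed against the behavior of the pinned `v2.7.3`.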
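Review bot: Switching the prettier hook to `rbubley/mirrors-prettier` moves the trust boundary from the pre-commit organization to an individual maintainer's mirror, and the hook is still pinned by the mutable tag `rev: v3.3.3`; pre-commit's `rev` accepts a full commit SHA, which would pin exactly what is fetched from the new mirror. The explanatory comment removed in this hunk is not replaced, so the config no longer records why this repository was chosen; suggest adding `# pre-commit/mirrors-prettier is archived; this community mirror tracks current prettier releases` above the `repo:` line, since that reasoning currently lives only in the commit message.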
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 13 Aug 2024 06:17:33 -0400 Subject: [PATCH 030/107] Add a new trigger for the sync-labels GitHub Actions workflow Add a `workflow_dispatch` trigger so we can manually run the workflow if needed. --- .github/workflows/sync-labels.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index e83bd41..59aefe4 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -6,6 +6,7 @@ on: paths: - '.github/labels.yml' - '.github/workflows/sync-labels.yml' + workflow_dispatch: permissions: contents: read From a267662455c30986086d4ca14173cc20af7161d4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 13 Aug 2024 06:19:38 -0400 Subject: [PATCH 031/107] Remove unnecessary quotes in the sync-labels workflow --- .github/workflows/sync-labels.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 59aefe4..5d5ab41 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -4,8 +4,8 @@ name: sync-labels on: push: paths: - - '.github/labels.yml' - - '.github/workflows/sync-labels.yml' + - .github/labels.yml + - .github/workflows/sync-labels.yml workflow_dispatch: permissions: From dc7f09e29b8466af0fa2f788761e22dd2fcbd0ce Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 14 Sep 2024 18:44:01 -0400 Subject: [PATCH 032/107] Add four new hooks from pre-commit/pre-commit-hooks --- .pre-commit-config.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3cb1f85..c98ded8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -16,9 +16,13 @@ repos: - id: check-executables-have-shebangs - id: check-json - id: check-merge-conflict + - id: check-shebang-scripts-are-executable + - id: check-symlinks - id: check-toml + - id: check-vcs-permalinks - id: check-xml - id: debug-statements + - id: destroyed-symlinks - id: detect-aws-credentials args: - --allow-missing-credentials From 343d2ccbd1cd983374235e5d3bfcecd3187c00d5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 28 Oct 2024 17:47:53 -0400 Subject: [PATCH 033/107] Add the GitHubSecurityLab/actions-permissions/monitor Action This Action will provide information about the usage of GITHUB_TOKEN in the workflow. It should be added to _every_ job in _any_ workflow to provide information for analysis. --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 10 ++++++++++ .github/workflows/sync-labels.yml | 10 ++++++++++ 3 files changed, 21 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 17220c6..4a6667f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -16,6 +16,7 @@ updates: # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status + # - dependency-name: GitHubSecurityLab/actions-permissions # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate # - dependency-name: step-security/harden-runner diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7a60b2..2cdd921 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -34,6 +34,12 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 @@ -50,6 +56,10 @@ jobs: - diagnostics runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index e83bd41..d2458d1 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -17,6 +17,12 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 @@ -38,6 +44,10 @@ jobs: issues: write runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 From 8a77a8b77a7d5e5247e8ff563d93a14510e09b9a Mon Sep 17 00:00:00 2001 
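Review bot: The `GitHubSecurityLab/actions-permissions/monitor@v1` step is inserted above `step-security/harden-runner`, so the monitor's own setup and network traffic run before the egress policy is in place. As far as I can tell both actions document themselves as needing to be the first step in a job, so the chosen order is a trade-off that deserves a comment next to the new step, e.g. `# The permissions monitor runs first so it can observe every GITHUB_TOKEN use; harden-runner therefore does not see the monitor's own traffic`. Separately, `config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}` expands to an empty string when the organization variable is unset; whether the action tolerates an empty `config` input is not visible here and is worth confirming before relying on the "unless overridden" comment.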
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 28 Oct 2024 17:09:15 -0400 Subject: [PATCH 034/107] Restrict permissions of GITHUB_TOKEN This changes the default permissions for the GITHUB_TOKEN used in our GitHub Actions configuration to the minimum required to successfully run. --- .github/workflows/build.yml | 5 +++++ .github/workflows/sync-labels.yml | 2 ++ 2 files changed, 7 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7a60b2..d4340af 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -30,6 +30,8 @@ env: jobs: diagnostics: name: Run diagnostics + # This job does not need any permissions + permissions: {} runs-on: ubuntu-latest steps: # Note that a duplicate of this step must be added at the top of @@ -48,6 +50,9 @@ jobs: lint: needs: - diagnostics + permissions: + # actions/checkout needs this to fetch code + contents: read runs-on: ubuntu-latest steps: - id: harden-runner diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index e83bd41..39e7379 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -13,6 +13,8 @@ permissions: jobs: diagnostics: name: Run diagnostics + # This job does not need any permissions + permissions: {} runs-on: ubuntu-latest steps: # Note that a duplicate of this step must be added at the top of From 3b1d4ef0fae08e6444e9b414ce1315841e681322 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 16 Oct 2024 12:53:42 -0400 Subject: [PATCH 035/107] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3cb1f85..26b399d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
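Review bot: The job-level `permissions:` blocks added to build.yml are the right direction, but no workflow-level `permissions:` is visible in this hunk, so any job added later without its own block would still get the repository default token scope (sync-labels.yml already carries `permissions: contents: read` at the top level). If build.yml has no top-level block above this hunk, adding `permissions: contents: read` at workflow level alongside these job-level entries makes read-only the default for future jobs; if one already exists there, the `# This job does not need any permissions` comment is sufficient as written.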
@@ -10,7 +10,7 @@ repos: - id: check-useless-excludes - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -53,14 +53,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.2 + rev: 0.29.4 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.8.0 + rev: v4.0.1 hooks: - id: validate_manifest @@ -95,7 +95,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.9.0-1 + rev: v3.10.0-1 hooks: - id: shfmt args: @@ -125,7 +125,7 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.8.0 + rev: 24.10.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 @@ -139,7 +139,7 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.11.2 + rev: v1.13.0 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit @@ -155,7 +155,7 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.17.0 + rev: v3.19.0 hooks: - id: pyupgrade @@ -199,7 +199,7 @@ repos: # Packer hooks - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.1.0 + rev: v0.3.0 hooks: - id: packer_validate - id: packer_fmt From 1d285f2d851926effdbfbdcf58853ce70d1bf016 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 29 Oct 2024 16:36:27 -0400 Subject: [PATCH 036/107] Sort hook ids in each pre-commit hook entry Ensure that all hook ids are sorted alphabetically in each hook entry in our pre-commit configuration. --- .pre-commit-config.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3cb1f85..0fd3234 100644 --- a/.pre-commit-config.yaml 
+++ b/.pre-commit-config.yaml @@ -68,25 +68,25 @@ repos: - repo: https://github.com/TekWizely/pre-commit-golang rev: v1.0.0-rc.1 hooks: - # Style Checkers - - id: go-critic - # StaticCheck - - id: go-staticcheck-repo-mod # Go Build - id: go-build-repo-mod + # Style Checkers + - id: go-critic + # goimports + - id: go-imports-repo + args: + # Write changes to files + - -w # Go Mod Tidy - id: go-mod-tidy-repo + # GoSec + - id: go-sec-repo-mod + # StaticCheck + - id: go-staticcheck-repo-mod # Go Test - id: go-test-repo-mod # Go Vet - id: go-vet-repo-mod - # GoSec - - id: go-sec-repo-mod - # goimports - - id: go-imports-repo - args: - # Write changes to files - - -w # Nix hooks - repo: https://github.com/nix-community/nixpkgs-fmt rev: v1.3.0 @@ -201,5 +201,5 @@ repos: - repo: https://github.com/cisagov/pre-commit-packer rev: v0.1.0 hooks: - - id: packer_validate - id: packer_fmt + - id: packer_validate From 8824475dfadd1a9cbc9ce9bd1c9f31e4a688994b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Nov 2024 12:25:35 -0400 Subject: [PATCH 037/107] Update the commented out dependabot ignore directives Add a directive for hashicorp/setup-packer that was missed when it was added to the `build` workflow. Add a directive for cisagov/setup-env-github-action that is not strictly necessary since we currently just pull from the `develop` branch, but is good to have in case we were to change that in the future. --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4a6667f..81cd6bd 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -13,10 +13,12 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: cisagov/setup-env-github-action # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: GitHubSecurityLab/actions-permissions + # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate # - dependency-name: step-security/harden-runner From 12a91ad97e76cd2f221fffaef4f66956533f6540 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 8 Nov 2024 13:40:44 -0500 Subject: [PATCH 038/107] Bump up the lower bound on ansible-core This is being done because the pip-audit pre-commit hook identifies a vulnerability in ansible-core version 2.16.13. Note that this requires that we bump up ansible to version 10 since all versions of ansible 9 have a dependency on ~=2.16.X. --- .pre-commit-config.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5e1096..8b402fb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -176,17 +176,25 @@ repos: # necessary to add the ansible package itself as an # additional dependency, with the same pinning as is done in # requirements-test.txt of cisagov/skeleton-ansible-role. - # - ansible>=9,<10 + # + # Version 10 is required because the pip-audit pre-commit + # hook identifies a vulnerability in ansible-core 2.16.13, + # but all versions of ansible 9 have a dependency on + # ~=2.16.X. + # - ansible>=10,<11 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any # symlinked files in vars, tasks, etc. for any Ansible role # installed via ansible-galaxy. Hence we never want to # install those versions. # + # Note that the pip-audit pre-commit hook identifies a + # vulnerability in ansible-core 2.16.13. + # # Note that any changes made to this dependency must also be # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. - - ansible-core>=2.16.7 + - ansible-core>2.16.13 # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform From b9f798d03afb72f33ffa625982dd5b548dea5132 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 13 Nov 2024 10:29:42 -0500 Subject: [PATCH 039/107] Update the version of the ansible-lint pre-commit hook Version 24.10.0 is the first version that supports Fedora 41 as a valid platform. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5e1096..ebd6138 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -165,7 +165,7 @@ repos: # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.9.2 + rev: v24.10.0 hooks: - id: ansible-lint additional_dependencies: From cca133a2710c5ed99e4c0ce3d06a57ec118bcf13 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Wed, 13 Nov 2024 21:33:32 -0500 Subject: [PATCH 040/107] Adjust pin for ansible-core The pin of ansible-core was originally put in place because the pip-audit pre-commit hook identifies a vulnerability in ansible-core 2.16.13. Normally we would pin ansible-core to >2.16.13, but in the spirit of the earlier, optional pin of ansible>=10 we pin ansible-core to >=2.17. This effectively also pins ansible to >=10. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8b402fb..b61a8f5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -189,12 +189,14 @@ repos: # install those versions. # # Note that the pip-audit pre-commit hook identifies a - # vulnerability in ansible-core 2.16.13. + # vulnerability in ansible-core 2.16.13. The pin of + # ansible-core to >=2.17 effectively also pins ansible to + # >=10. # # Note that any changes made to this dependency must also be # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. - - ansible-core>2.16.13 + - ansible-core>=2.17 # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform From bd852610595fdd2eee77f489d4b184f88d90643b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 20 Nov 2024 12:21:14 -0500 Subject: [PATCH 041/107] Add comments about looming EOL issues for ansible and ansible-core This adds even more evidence for why it is a good idea to go ahead and upgrade ansible and ansible-core, in addition to the vulnerability that pip-audit turned up. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b61a8f5..97fbf1c 100644 --- a/.pre-commit-config.yaml 
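Review bot: The comment justifying `ansible-core>=2.17` says only that pip-audit "identifies a vulnerability in ansible-core 2.16.13" without naming the advisory, so a future maintainer cannot tell which fix the bound depends on or whether a later 2.16.x patch release would also satisfy it. Record the identifier that pip-audit printed (its GHSA, CVE or PYSEC id) next to the pin, e.g. `# pip-audit flags ansible-core 2.16.13 (<advisory id>); 2.17 is the first branch pinned here with the fix`, filling in the actual id from the hook output. The same note says this pin is mirrored in requirements.txt of cisagov/skeleton-packer and requirements-test.txt of cisagov/skeleton-ansible-role, so the identifier should be carried to those files too.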
+++ b/.pre-commit-config.yaml @@ -181,6 +181,10 @@ repos: # hook identifies a vulnerability in ansible-core 2.16.13, # but all versions of ansible 9 have a dependency on # ~=2.16.X. + # + # It is also a good idea to go ahead and upgrade to version + # 10 since version 9 is going EOL at the end of November: + # https://endoflife.date/ansible # - ansible>=10,<11 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any @@ -193,6 +197,11 @@ repos: # ansible-core to >=2.17 effectively also pins ansible to # >=10. # + # It is also a good idea to go ahead and upgrade to + # ansible-core 2.17 since security support for ansible-core + # 2.16 ends this month: + # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix + # # Note that any changes made to this dependency must also be # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. From 162e2c2459cbf565584686a04cc59fab81101843 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 20 Nov 2024 14:40:23 -0500 Subject: [PATCH 042/107] Fix spelling error in comment --- setup-env | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 059ccad..f3304d9 100755 --- a/setup-env +++ b/setup-env @@ -74,7 +74,8 @@ check_python_version() { "invalid version of Python." exit 1 # Else if the Python version isn't installed then notify the user. - # grep -E is used for searching through text lines that match the specific verison. + # grep -E is used for searching through text lines that match the + # specific version. elif ! python_versions | grep -E "^${version}$" > /dev/null; then echo "Error: Python version $version is not installed." echo "Installed Python versions are:" From 5a3ac91d11700566e7df2bb926a13301e5912096 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 15 Nov 2021 11:47:49 -0500 Subject: [PATCH 043/107] Adjust the indentation rule for yamllint Use a specific number of spaces instead of the default of only caring if the number of spaces used is consistent within a file. Ensure that block sequences inside of mappings are indented. --- .yamllint | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.yamllint b/.yamllint index 2a119a6..56e6d6e 100644 --- a/.yamllint +++ b/.yamllint @@ -8,6 +8,12 @@ rules: # this behavior. comments-indentation: disable + indentation: + # Ensure that block sequences inside of a mapping are indented + indent-sequences: true + # Enforce a specific number of spaces + spaces: 2 + # yamllint does not allow inline mappings that exceed the line length by # default. There are many scenarios where the inline mapping may be a key, # hash, or other long value that would exceed the line length but cannot From ac080edea412b521cc37c732e6817a0d6ed26694 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 15 Nov 2021 11:55:41 -0500 Subject: [PATCH 044/107] Update yamllint to disallow non-empty flow collection styles The use of flow sequences and mappings is not as readable as block collections and so should be discouraged. Since it is a cleaner representation for empty collections we will allow those, but if an application otherwise requires flow collections they can be explicitly enabled by disabling the checks per https://yamllint.readthedocs.io/en/stable/disable_with_comments.html --- .yamllint | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.yamllint b/.yamllint index 56e6d6e..59fd2e9 100644 --- a/.yamllint +++ b/.yamllint 
@@ -2,6 +2,14 @@ extends: default rules: + braces: + # Do not allow non-empty flow mappings + forbid: non-empty + + brackets: + # Do not allow non-empty flow sequences + forbid: non-empty + # yamllint does not like it when you comment out different parts of # dictionaries in a list. You can see # https://github.com/adrienverge/yamllint/issues/384 for some examples of From 66cdbf548778a40b321d8142ab481e8c43202995 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 4 Dec 2024 06:12:04 -0500 Subject: [PATCH 045/107] Add yamllint configuration settings to appease ansible-lint When running ansible-lint it will throw the following warning with our current configuration: WARNING Found incompatible custom yamllint configuration (.yamllint), please either remove the file or edit it to comply with: - comments.min-spaces-from-content must be 1 - braces.max-spaces-inside must be 1 - octal-values.forbid-implicit-octal must be true - octal-values.forbid-explicit-octal must be true. Thus we implement these configuration rules. --- .yamllint | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.yamllint b/.yamllint index 59fd2e9..0a2af51 100644 --- a/.yamllint +++ b/.yamllint @@ -5,11 +5,18 @@ rules: braces: # Do not allow non-empty flow mappings forbid: non-empty + # Allow up to one space inside braces. This is required for Ansible compatibility. + max-spaces-inside: 1 brackets: # Do not allow non-empty flow sequences forbid: non-empty + comments: + # Ensure that inline comments have at least one space before the preceding content. + # This is required for Ansible compatibility. + min-spaces-from-content: 1 + # yamllint does not like it when you comment out different parts of # dictionaries in a list. You can see # https://github.com/adrienverge/yamllint/issues/384 for some examples of 
@@ -32,6 +39,17 @@ rules: # Allows a 10% overage from the default limit of 80 max: 88 + # Using anything other than strings to express octal values can lead to unexpected + # and potentially unsafe behavior. Ansible strongly recommends against such practices + # and these rules are needed for Ansible compatibility. Please see the following for + # more information: + # https://ansible.readthedocs.io/projects/lint/rules/risky-octal/ + octal-values: + # Do not allow explicit octal values (those beginning with a leading 0o). + forbid-explicit-octal: true + # Do not allow implicit octal values (those beginning with a leading 0). + forbid-implicit-octal: true + # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable From dd102fe0adb490098968509c79530bd13af52a86 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 4 Dec 2024 06:28:15 -0500 Subject: [PATCH 046/107] Re-enable the yamllint truthy rule Previously we disabled the `truthy` rule due to Ansible's use of `yes`/`no` for boolean values. That is no longer the case and the default configuration used by ansible-lint now has this rule enabled. The use of `on` as a key in GitHub Actions workflow syntax means we needed to add disable-line comments for the truthy rule. --- .github/workflows/build.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- .yamllint | 4 ---- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 15a004c..082f150 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,7 +1,7 @@ --- name: build -on: +on: # yamllint disable-line rule:truthy merge_group: types: - checks_requested diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0005147..b8ecfa6 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -1,7 +1,7 @@ --- name: sync-labels -on: +on: # yamllint disable-line rule:truthy push: paths: - .github/labels.yml diff --git a/.yamllint b/.yamllint index 0a2af51..de2e183 100644 --- a/.yamllint +++ b/.yamllint @@ -49,7 +49,3 @@ rules: forbid-explicit-octal: true # Do not allow implicit octal values (those beginning with a leading 0). forbid-implicit-octal: true - - # yamllint doesn't like when we use yes and no for true and false, - # but that's pretty standard in Ansible. - truthy: disable From dc891af40f7c0e8d69a8e57c6bc32f8c16c340e5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 4 Dec 2024 16:12:32 -0500 Subject: [PATCH 047/107] Configure quoted strings rule for yamllint Add a configuration for the `quoted-strings` rule that matches our best practices. Other files are updated to comply with these new settings. --- .github/labels.yml | 40 ++++++++++++++++++------------------- .github/workflows/build.yml | 8 ++++---- .mdl_config.yaml | 14 ++++++------- .yamllint | 11 ++++++++++ 4 files changed, 42 insertions(+), 31 deletions(-) diff --git a/.github/labels.yml b/.github/labels.yml index 5b16492..fe9a53e 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
@@ -2,69 +2,69 @@ # Rather than breaking up descriptions into multiline strings we disable that # specific rule in yamllint for this file. # yamllint disable rule:line-length -- color: "eb6420" +- color: eb6420 description: This issue or pull request is awaiting the outcome of another issue or pull request name: blocked - color: "000000" description: This issue or pull request involves changes to existing functionality name: breaking change -- color: "d73a4a" +- color: d73a4a description: This issue or pull request addresses broken functionality name: bug -- color: "07648d" +- color: 07648d description: This issue will be advertised on code.gov's Open Tasks page (https://code.gov/open-tasks) name: code.gov -- color: "0366d6" +- color: 0366d6 description: Pull requests that update a dependency file name: dependencies -- color: "5319e7" +- color: 5319e7 description: This issue or pull request improves or adds to documentation name: documentation -- color: "cfd3d7" +- color: cfd3d7 description: This issue or pull request already exists or is covered in another issue or pull request name: duplicate -- color: "b005bc" +- color: b005bc description: A high-level objective issue encompassing multiple issues instead of a specific unit of work name: epic - color: "000000" description: Pull requests that update GitHub Actions code name: github-actions -- color: "0e8a16" +- color: 0e8a16 description: This issue or pull request is well-defined and good for newcomers name: good first issue -- color: "ff7518" +- color: ff7518 description: Pull request that should count toward Hacktoberfest participation name: hacktoberfest-accepted -- color: "a2eeef" +- color: a2eeef description: This issue or pull request will add or improve functionality, maintainability, or ease of use name: improvement -- color: "fef2c0" +- color: fef2c0 description: This issue or pull request is not applicable, incorrect, or obsolete name: invalid -- color: "ce099a" +- color: ce099a description: This pull 
request is ready to merge during the next Lineage Kraken release name: kraken 🐙 -- color: "a4fc5d" +- color: a4fc5d description: This issue or pull request requires further information name: need info -- color: "fcdb45" +- color: fcdb45 description: This pull request is awaiting an action or decision to move forward name: on hold -- color: "ef476c" +- color: ef476c description: This issue is a request for information or needs discussion name: question -- color: "d73a4a" +- color: d73a4a description: This issue or pull request addresses a security issue name: security -- color: "00008b" +- color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test -- color: "1d76db" +- color: 1d76db description: This issue or pull request pulls in upstream updates name: upstream update -- color: "d4c5f9" +- color: d4c5f9 description: This issue or pull request increments the version number name: version bump -- color: "ffffff" +- color: ffffff description: This issue will not be incorporated name: wontfix diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 082f150..98a9ebc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -92,16 +92,16 @@ jobs: echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - uses: actions/cache@v4 env: - BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ + BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-\ go${{ steps.setup-go.outputs.go-version }}-\ packer${{ steps.setup-env.outputs.packer-version }}-\ - tf${{ steps.setup-env.outputs.terraform-version }}-" + tf${{ steps.setup-env.outputs.terraform-version }}- with: - key: "${{ env.BASE_CACHE_KEY }}\ + key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('**/.pre-commit-config.yaml') }}" + ${{ hashFiles('**/.pre-commit-config.yaml') }} # Note that the .terraform directory IS NOT included in the # cache because if we were caching, then we would need to use # the `-upgrade=true` option. This option blindly pulls down the diff --git a/.mdl_config.yaml b/.mdl_config.yaml index 4a650c1..1b48994 100644 --- a/.mdl_config.yaml +++ b/.mdl_config.yaml @@ -6,12 +6,12 @@ default: true # MD003/heading-style/header-style - Heading style MD003: # Enforce the ATX-closed style of header - style: "atx_closed" + style: atx_closed # MD004/ul-style - Unordered list style MD004: # Enforce dashes for unordered lists - style: "dash" + style: dash # MD013/line-length - Line length MD013: @@ -30,7 +30,7 @@ MD024: # MD029/ol-prefix - Ordered list item prefix MD029: # Enforce the `1.` style for ordered lists - style: "one" + style: one # MD033/no-inline-html - Inline HTML MD033: 
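Review bot: Dropping the double quotes around the multi-line `BASE_CACHE_KEY` and `key` values changes what they evaluate to: in a plain scalar the trailing `\` is a literal character rather than a line continuation, and YAML folds each line break into a space, so the cache key now contains `-\ py…-\ go…` instead of the seamless `-py…-go…` the quoted form produced. The step will presumably still save and restore under the odd key, but every existing cache entry is orphaned and the key no longer reads as intended. yamllint's `only-when-needed` check compares against the already-unescaped scalar value, which is why it reported the quotes as unnecessary here. Restore the quotes and put `# yamllint disable-line rule:quoted-strings` on the line above each of the two values, or collapse each value onto a single line so no continuation is needed.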
@@ -42,19 +42,19 @@ MD033: # MD035/hr-style - Horizontal rule style MD035: # Enforce dashes for horizontal rules - style: "---" + style: --- # MD046/code-block-style - Code block style MD046: # Enforce the fenced style for code blocks - style: "fenced" + style: fenced # MD049/emphasis-style - Emphasis style should be consistent MD049: # Enforce asterisks as the style to use for emphasis - style: "asterisk" + style: asterisk # MD050/strong-style - Strong style should be consistent MD050: # Enforce asterisks as the style to use for strong - style: "asterisk" + style: asterisk diff --git a/.yamllint b/.yamllint index de2e183..00e85a6 100644 --- a/.yamllint +++ b/.yamllint @@ -49,3 +49,14 @@ rules: forbid-explicit-octal: true # Do not allow implicit octal values (those beginning with a leading 0). forbid-implicit-octal: true + + quoted-strings: + # Allow disallowed quotes (single quotes) for strings that contain allowed quotes + # (double quotes). + allow-quoted-quotes: true + # Apply these rules to keys in mappings as well + check-keys: true + # We prefer double quotes for strings when they are needed + quote-type: double + # Only require quotes when they are necessary for proper processing + required: only-when-needed From 03933fe233e5a6e41f8adf452e7e7b3e548236e4 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Mon, 10 Mar 2025 13:14:59 -0400 Subject: [PATCH 048/107] Add version file and bump_version script Also add semver as a dev requirement. I'd like to start versioning descendants of skeleton-ansible-role (in anticipation of pinning Ansible role versions at a future date), and I thought it would make sense to go ahead and implement this at the skeleton-generic level to force us to start versioning all repositories. Repositories that already version can ignore these changes when they flow down via Lineage, since they will already have their own version files and version-bumping script. --- bump-version | 172 +++++++++++++++++++++++++++++++++++++++++++ requirements-dev.txt | 2 + version.txt | 1 + 3 files changed, 175 insertions(+) create mode 100755 bump-version create mode 100644 version.txt diff --git a/bump-version b/bump-version new file mode 100755 index 0000000..15b4af1 --- /dev/null +++ b/bump-version 
@@ -0,0 +1,172 @@ +#!/usr/bin/env bash + +# bump-version [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show) +# bump-version --list-files + +set -o nounset +set -o errexit +set -o pipefail + +# Stores the canonical version for the project. +VERSION_FILE=version.txt +# Files that should be updated with the new version. +VERSION_FILES=("$VERSION_FILE") + +USAGE=$( + cat << END_OF_LINE +Update the version of the project. + +Usage: + ${0##*/} [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show) + ${0##*/} --list-files + ${0##*/} (-h | --help) + +Options: + -h | --help Show this message. + --push Perform a \`git push\` after updating the version. + --label LABEL Specify the label to use when updating the build or prerelease version. + --list-files List the files that will be updated when the version is bumped. +END_OF_LINE +) + +old_version=$(< "$VERSION_FILE") +# Comment out periods so they are interpreted as periods and don't +# just match any character +old_version_regex=${old_version//\./\\\.} +new_version="$old_version" + +bump_part="" +label="" +commit_prefix="Bump" +with_push=false +commands_with_label=("build" "prerelease") +commands_with_prerelease=("major" "minor" "patch") +with_prerelease=false + +####################################### +# Display an error message, the help information, and exit with a non-zero status. +# Arguments: +# Error message. +####################################### +function invalid_option() { + echo "$1" + echo "$USAGE" + exit 1 +} + +####################################### +# Bump the version using the provided command. +# Arguments: +# The version to bump. +# The command to bump the version. +# Returns: +# The new version. 
+####################################### +function bump_version() { + local temp_version + temp_version=$(python -c "import semver; print(semver.parse_version_info('$1').${2})") + echo "$temp_version" +} + +if [ $# -eq 0 ]; then + echo "$USAGE" + exit 1 +else + while [ $# -gt 0 ]; do + case $1 in + --push) + if [ "$with_push" = true ]; then + invalid_option "Push has already been set." + fi + + with_push=true + shift + ;; + --label) + if [ -n "$label" ]; then + invalid_option "Label has already been set." + fi + + label="$2" + shift 2 + ;; + build | finalize | major | minor | patch) + if [ -n "$bump_part" ]; then + invalid_option "Only one version part should be bumped at a time." + fi + + bump_part="$1" + shift + ;; + prerelease) + with_prerelease=true + shift + ;; + show) + echo "$old_version" + exit 0 + ;; + -h | --help) + echo "$USAGE" + exit 0 + ;; + --list-files) + printf '%s\n' "${VERSION_FILES[@]}" + exit 0 + ;; + *) + invalid_option "Invalid option: $1" + ;; + esac + done +fi + +if [ -n "$label" ] && [ "$with_prerelease" = false ] && [[ ! " ${commands_with_label[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then + invalid_option "Setting the label is only allowed for the following commands: ${commands_with_label[*]}" +fi + +if [ "$with_prerelease" = true ] && [ -n "$bump_part" ] && [[ ! 
" ${commands_with_prerelease[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then + invalid_option "Changing the prerelease is only allowed in conjunction with the following commands: ${commands_with_prerelease[*]}" +fi + +label_option="" +if [ -n "$label" ]; then + label_option="token='$label'" +fi + +if [ -n "$bump_part" ]; then + if [ "$bump_part" = "finalize" ]; then + commit_prefix="Finalize" + bump_command="finalize_version()" + elif [ "$bump_part" = "build" ]; then + bump_command="bump_${bump_part}($label_option)" + else + bump_command="bump_${bump_part}()" + fi + new_version=$(bump_version "$old_version" "$bump_command") + echo Changing version from "$old_version" to "$new_version" +fi + +if [ "$with_prerelease" = true ]; then + bump_command="bump_prerelease($label_option)" + temp_version=$(bump_version "$new_version" "$bump_command") + echo Changing version from "$new_version" to "$temp_version" + new_version="$temp_version" +fi + +tmp_file=/tmp/version.$$ +for version_file in "${VERSION_FILES[@]}"; do + if [ ! -f "$version_file" ]; then + echo Missing expected file: "$version_file" + exit 1 + fi + sed "s/$old_version_regex/$new_version/" "$version_file" > $tmp_file + mv $tmp_file "$version_file" +done + +git add "${VERSION_FILES[@]}" +git commit --message "$commit_prefix version from $old_version to $new_version" + +if [ "$with_push" = true ]; then + git push +fi diff --git a/requirements-dev.txt b/requirements-dev.txt index d84ee68..23d5741 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,2 +1,4 @@ --requirement requirements-test.txt ipython +# The bump-version script requires at least version 3 of semver. +semver>=3 diff --git a/version.txt b/version.txt new file mode 100644 index 0000000..8acdd82 --- /dev/null +++ b/version.txt @@ -0,0 +1 @@ +0.0.1 From 3401551afa5a894f9a0f82c86d3fd9e1b8cadf0f Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Mon, 10 Mar 2025 13:24:29 -0400 Subject: [PATCH 049/107] Bump version from 0.0.1 to 0.0.1-rc.1 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 8acdd82..871d40b 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.0.1 +0.0.1-rc.1 From 5b5a52684119ae107f2b1fedf9e4fb0b7757047a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:34:09 -0500 Subject: [PATCH 050/107] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 144df31..c165bde 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -39,17 +39,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.42.0 + rev: v0.44.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/rbubley/mirrors-prettier - rev: v3.3.3 + rev: v3.5.3 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.35.1 + rev: v1.37.0 hooks: - id: yamllint args: @@ -57,14 +57,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.4 + rev: 0.32.1 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.0.1 + rev: v4.2.0 hooks: - id: validate_manifest @@ -99,7 +99,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.10.0-1 + rev: v3.11.0-1 hooks: - id: shfmt args: 
@@ -123,31 +123,31 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.10 + rev: 1.8.3 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.10.0 + rev: 25.1.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.1.1 + rev: 7.1.2 hooks: - id: flake8 additional_dependencies: - flake8-docstrings==1.7.0 - repo: https://github.com/PyCQA/isort - rev: 5.13.2 + rev: 6.0.1 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.13.0 + rev: v1.15.0 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit - rev: v2.7.3 + rev: v2.8.0 hooks: - id: pip-audit args: @@ -159,13 +159,13 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.19.0 + rev: v3.19.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.10.0 + rev: v25.1.3 hooks: - id: ansible-lint additional_dependencies: @@ -209,7 +209,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.96.1 + rev: v1.98.0 hooks: - id: terraform_fmt - id: terraform_validate From da028eae03932a532ee61901b3dc8eea12f3728e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 15:16:38 -0500 Subject: [PATCH 051/107] Apply our standard job preamble via cisagov/action-job-preamble This new action simply applies our standard permissions monitoring and runner hardening. Using it allows us to DRY out the GH Actions workflows in our skeleton repositories a bit. --- .github/workflows/build.yml | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 98a9ebc..ac74007 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -36,17 +36,7 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + - uses: cisagov/action-job-preamble@first-commits - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 @@ -61,15 +51,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + - uses: cisagov/action-job-preamble@first-commits - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 0e93632ab21c50598e2cbf88ab5327705c1d8d7c Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 15:43:45 -0500 Subject: [PATCH 052/107] Set actions_permissions_config input --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ac74007..4d5f1cb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,6 +37,8 @@ jobs: # Note that a duplicate of this step must be added at the top of # each job. - uses: cisagov/action-job-preamble@first-commits + with: + actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 
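Review bot: `cisagov/action-job-preamble@first-commits` pins the step that now supplies every job's permissions monitoring and runner hardening to a mutable branch, so its behaviour can change under this workflow without any diff here; a release tag or, better, a full commit SHA with a `# vX` comment keeps that security step reviewable. The removed steps also made the egress policy explicit (`egress-policy: audit`), whereas the preamble exposes only a permissions-config input, so a reader of this workflow can no longer tell whether egress is audited or blocked. A short comment on the step, such as `# Applies org permissions monitoring and runner hardening; see cisagov/action-job-preamble for the egress policy it enforces`, would preserve that information. The `github-status` step and the rest of the job lie outside the hunk.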
@@ -52,6 +54,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: cisagov/action-job-preamble@first-commits + with: + actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 8b2ac55da906e27c05fea416d06129c7f8b98324 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 15:58:45 -0500 Subject: [PATCH 053/107] Add a friendly name to the cisagov/action-job-preamble steps --- .github/workflows/build.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4d5f1cb..b37436d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -36,7 +36,8 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: cisagov/action-job-preamble@first-commits + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status @@ -53,7 +54,8 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: cisagov/action-job-preamble@first-commits + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env From 864b5af7d95f396956972948484eec0cdbd6647b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 22:26:44 -0500 Subject: [PATCH 054/107] Add a Dependabot ignore directive for cisagov/action-job-preamble Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 81cd6bd..3521754 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -13,6 +13,7 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: cisagov/action-job-preamble # - dependency-name: cisagov/setup-env-github-action # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler From 8cdce2a0185d082b3896eedae10d7cfb363df2e7 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 22 Feb 2025 21:39:04 -0500 Subject: [PATCH 055/107] Update input name for cisagov/action-job-preamble --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b37436d..21ee0f1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,7 +39,7 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@first-commits with: - actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 @@ -57,7 +57,7 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@first-commits with: - actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 17b93ec6464a2e44a950889fb9e5e5456819a77f Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Sat, 22 Feb 2025 21:45:41 -0500 Subject: [PATCH 056/107] Remove two Dependabot ignore directives GitHubSecurityLab/actions-permissions and step-security/harden-runner are no longer direct dependencies since we are now using cisagov/action-job-preamble. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3521754..3df3371 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -18,11 +18,9 @@ updates: # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status - # - dependency-name: GitHubSecurityLab/actions-permissions # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate - # - dependency-name: step-security/harden-runner package-ecosystem: github-actions schedule: interval: weekly From 6a9e3314d8aebe6a1be685d32b0af092d6dc8324 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 22 Feb 2025 21:50:22 -0500 Subject: [PATCH 057/107] Use cisagov/action-job-preamble in sync-labels.yml workflow Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/sync-labels.yml | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index b8ecfa6..0683eed 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -20,17 +20,10 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 @@ -47,15 +40,10 @@ jobs: issues: write runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: - egress-policy: audit + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels if: success() From b5b3b9d0dd04767342997795bc4a288b222762c8 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sun, 23 Feb 2025 08:35:09 -0500 Subject: [PATCH 058/107] Use v1 tag of cisagov/action-job-preamble --- .github/workflows/build.yml | 4 ++-- .github/workflows/sync-labels.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 21ee0f1..e0546d2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -37,7 +37,7 @@ jobs: # Note that a duplicate of this step must be added at the top of # each job. - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status @@ -55,7 +55,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0683eed..9442a1c 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -21,7 +21,7 @@ jobs: # Note that a duplicate of this step must be added at the top of # each job. - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 From 3ec1b1f19ef6bbc7f698a36b40ec0bba7d7eb5bc Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 24 Feb 2025 13:28:48 -0500 Subject: [PATCH 059/107] Re-add comment explaining where the org var comes from Flesh out the comment a little so its meaning is clearer. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++++ .github/workflows/sync-labels.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e0546d2..fcd740b 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,6 +39,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status @@ -57,6 +59,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 9442a1c..0a27b59 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -23,6 +23,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status @@ -43,6 +45,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels From 764df0c1797700b585577850b96ca41f6ceb80d6 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Tue, 25 Feb 2025 14:43:59 -0500 Subject: [PATCH 060/107] Flesh out org var comment even more Make sure to mention that the permissions monitoring config can be changed by creating a repo-level variable; there is no need to modify the workflow. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 30 ++++++++++++++++++++++++++---- .github/workflows/sync-labels.yml | 30 ++++++++++++++++++++++++++---- 2 files changed, 52 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fcd740b..d9ca254 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,8 +39,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status 
@@ -59,8 +70,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0a27b59..351d33b 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -23,8 +23,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status @@ -45,8 +56,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels From c271b40846324b48f6c511209925f00a5a48264d Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Wed, 26 Mar 2025 11:34:33 -0400 Subject: [PATCH 061/107] Subsume GH status checks and context dumping into cisagov/action-job-preamble This action supports this functionality now, so we may as well take advantage of it. Also disable GH permissions monitoring, since that functionality is poorly implemented and has been causing a lot of problems due to the MITM implementation hogging or leaking memory. --- .github/dependabot.yml | 2 -- .github/workflows/build.yml | 16 ++++++++++------ .github/workflows/sync-labels.yml | 16 ++++++++++------ 3 files changed, 20 insertions(+), 14 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3df3371..7aa2f06 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -15,9 +15,7 @@ updates: # - dependency-name: actions/setup-python # - dependency-name: cisagov/action-job-preamble # - dependency-name: cisagov/setup-env-github-action - # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler - # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d9ca254..9ffe432 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,6 +39,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
@@ -53,12 +59,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 lint: needs: - diagnostics @@ -70,6 +70,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 351d33b..56859f2 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -23,6 +23,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level @@ -37,12 +43,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 labeler: needs: - diagnostics 
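Review bot: `monitor_permissions: "false"` turns the permissions-monitoring control off for this job while the `permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}` input a few lines below stays set and becomes inert, so a reader sees a configured detective control that never runs. The new comment explains why it is disabled but not when it may come back; I would extend it with `# Re-enable once <tracking issue placeholder> is resolved; permissions_monitoring_config below is ignored while this is "false".` so the regression in coverage has an owner. The same addition appears in the lint-job hunk (`@@ -70,6 +70,10 @@`) and in both sync-labels.yml hunks of this commit, and again in the codeql-analysis.yml and dependency-review.yml changes later in this series.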
@@ -56,6 +56,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From c4b192b6b0465f460127884aeedc19727e0bf311 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 1 Mar 2025 23:06:00 -0500 Subject: [PATCH 062/107] Add a CodeQL workflow to this repository CodeQL now supports GitHub Actions as a language, so it makes sense to add such a workflow to this repository. See this link for more details: https://github.blog/changelog/2024-12-17-find-and-fix-actions-workflows-vulnerabilities-with-codeql-public-preview/ --- .github/workflows/codeql-analysis.yml | 112 ++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..0136466 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml 
@@ -0,0 +1,112 @@ +--- +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +name: CodeQL + +on: + merge_group: + types: + - checks_requested + push: + # Dependabot triggered push events have read-only access, but uploading code + # scanning requires write access. + branches-ignore: + - dependabot/** + pull_request: + # The branches below must be a subset of the branches above + branches: + - develop + schedule: + - cron: '0 2 * * 6' + +jobs: + diagnostics: + name: Run diagnostics + # This job does not need any permissions + permissions: {} + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v4 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 + analyze: + name: Analyze + needs: + - diagnostics + runs-on: ubuntu-latest + permissions: + # actions/checkout needs this to fetch code + contents: read + # required for all workflows + security-events: write + strategy: + fail-fast: false + matrix: + # Override automatic language detection by changing the below + # list + # + # Supported options are actions, c-cpp, csharp, go, + # java-kotlin, javascript-typescript, python, ruby, and swift. + language: + - actions + # Learn more... 
+ # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection + + steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + # Autobuild attempts to build any compiled languages (C/C++, C#, or + # Java). If this step fails, then you should remove it and run the build + # manually (see below). + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + # ℹ️ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏️ If the Autobuild fails above, remove it and uncomment the following + # three lines and modify them (or add more) to build your code if your + # project uses a compiled language + + # - run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 From 0032cc2df6db1a1a472679933df3e95f8612a540 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Mon, 3 Mar 2025 15:19:29 -0500 Subject: [PATCH 063/107] Update comment to match what is in cisagov/skeleton-docker Also correctly sort YAML keys. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0136466..595f058 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
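Review bot: Every third-party step in the new workflow is referenced by a mutable tag (`step-security/harden-runner@v2`, `GitHubSecurityLab/actions-permissions/monitor@v1`, `crazy-max/ghaction-github-status@v4`, `github/codeql-action/init@v3` and the others), so a moved tag changes what executes in a job that holds `security-events: write`; pinning each `uses:` to a full commit SHA with the version in a trailing comment is the usual hardening, and Dependabot, which this repository already configures, keeps SHA pins current too. Separately, the `Autobuild` step is a no-op for the only matrix entry, `actions`, and its own comment about compiled languages is misleading here; I would drop the step and the commented-out `make` block until another language is added. The `https://git.io/JvXDl` shortlink in the comments may no longer resolve since GitHub retired git.io, so replacing it with the full docs URL is safer.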
@@ -10,15 +10,15 @@ on: merge_group: types: - checks_requested + pull_request: + # The branches here must be a subset of the ones in the push key + branches: + - develop push: - # Dependabot triggered push events have read-only access, but uploading code + # Dependabot-triggered push events have read-only access, but uploading code # scanning requires write access. branches-ignore: - dependabot/** - pull_request: - # The branches below must be a subset of the branches above - branches: - - develop schedule: - cron: '0 2 * * 6' From 0534337d4724f53447f0c47c345ef4cb14c64d0d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 11:19:04 -0500 Subject: [PATCH 064/107] Use cisagov/action-job-preamble This aligns with the changes in cisagov/skeleton-generic#201. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 50 +++++++++++++++++---------- 1 file changed, 32 insertions(+), 18 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 595f058..152bac6 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
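Review bot: The rewritten comment says the `pull_request` branches "must be a subset of the ones in the push key", but the `push` key below filters with `branches-ignore` rather than `branches`, so there is no branch list for them to be a subset of. I would state the actual constraint instead: `# The branches here must not be excluded by the branches-ignore filter under the push key`, since, as I understand the CodeQL requirement, a push analysis must exist for each PR base branch for results to be compared. The rest of the `on:` block lies outside this hunk.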
@@ -31,17 +31,23 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 
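Review bot: The removed `step-security/harden-runner@v2` step with `egress-policy: audit` has no visible replacement: the new `cisagov/action-job-preamble@v1` call passes only `permissions_monitoring_config`, and nothing on the page shows whether the preamble performs its own runner hardening or egress auditing. If it does not, this hunk silently drops that control, and neither the comment nor the commit message says so. I would either keep the harden-runner step after the preamble or document what the preamble covers, e.g. `# The preamble applies the permissions monitor and <other controls it provides — confirm against its README>`. The analyze-job hunk below and both hunks of the dependency-review.yml change later in this series make the same replacement.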
@@ -72,15 +78,23 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Checkout repository uses: actions/checkout@v4 From adea10cc6ecd71e2a71720e839510548b8c2a87b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 11:20:35 -0500 Subject: [PATCH 065/107] Add the CodeQL action to the Dependabot configuration Children of this skeleton repository will require this Dependabot ignore directive. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7aa2f06..899db5b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -16,6 +16,7 @@ updates: # - dependency-name: cisagov/action-job-preamble # - dependency-name: cisagov/setup-env-github-action # - dependency-name: crazy-max/ghaction-github-labeler + # - dependency-name: github/codeql-action # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate From 5dfe5dfd7d544deb9bc6934c70ba5269b1baf750 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Mar 2025 14:47:02 -0400 Subject: [PATCH 066/107] Use cisagov/action-job-preamble instead of separate actions Use cisagov/action-job-preamble instead of crazy-max/ghaction-github-status and crazy-max/ghaction-dump-context directly. --- .github/workflows/codeql-analysis.yml | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 152bac6..9329fdc 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -6,6 +6,8 @@ # or to provide custom queries or build logic. name: CodeQL +# The use of on here as a key is part of the GitHub actions syntax. +# yamllint disable-line rule:truthy on: merge_group: types: @@ -20,7 +22,7 @@ on: branches-ignore: - dependabot/** schedule: - - cron: '0 2 * * 6' + - cron: 0 2 * * 6 jobs: diagnostics: @@ -34,6 +36,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
@@ -48,12 +56,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 analyze: name: Analyze needs: @@ -81,6 +83,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From d740ee83c2eac243c3a53447316935766042b7cf Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 1 Mar 2025 23:52:48 -0500 Subject: [PATCH 067/107] Add a workflow to run actions/dependency-review-action This action reviews dependency changes for vulnerabilities and license changes. --- .github/workflows/dependency-review.yml | 67 +++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..90549f6 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
@@ -0,0 +1,67 @@ +--- +name: Dependency review + +on: + merge_group: + types: + - checks_requested + pull_request: + +# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace, +# nounset, errexit, and pipefail. The `-x` will print all commands as they are +# run. Please see the GitHub Actions documentation for more information: +# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs +defaults: + run: + shell: bash -Eueo pipefail -x {0} + +jobs: + diagnostics: + name: Run diagnostics + # This job does not need any permissions + permissions: {} + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v4 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 + dependency-review: + name: Dependency review + needs: + - diagnostics + permissions: + # actions/checkout needs this to fetch code + contents: read + runs-on: ubuntu-latest + steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: checkout-repo + name: Checkout the repository + uses: actions/checkout@v4 + - id: dependency-review + name: Review dependency changes for vulnerabilities and license changes + uses: actions/dependency-review-action@v4 
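Review bot: The `defaults.run.shell` block with `bash -Eueo pipefail -x {0}` is dead configuration in this workflow, since no step uses `run:`, and if a `run` step is added later `-x` echoes every expanded command to the job log; GitHub masks registered secrets but not values derived from them, so anything token-derived interpolated into a command would be printed. I would drop the block, or at least drop `-x` and leave `# -x omitted: command tracing would echo expanded secrets into the log`. The `actions/dependency-review-action@v4` step is also given no inputs; as far as I know, license checking only happens when `allow-licenses`/`deny-licenses` (or a `config-file`) is supplied, so the "license changes" mentioned in the commit message are not enforced by this configuration as written, and either a policy should be configured or the description adjusted.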
From a446dde01d1aaef7db62f6a7c49a8bc9f54a1460 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 10:52:34 -0500 Subject: [PATCH 068/107] Use cisagov/action-job-preamble This aligns with the changes in cisagov/skeleton-generic#201. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/dependency-review.yml | 50 ++++++++++++++++--------- 1 file changed, 32 insertions(+), 18 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 90549f6..848feb5 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -24,17 +24,23 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 
@@ -50,15 +56,23 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: checkout-repo name: Checkout the repository uses: actions/checkout@v4 From 494e11663dd2fad7b19f2861de772d55ee8410bc Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 11:00:43 -0500 Subject: [PATCH 069/107] Add the dependency review action to the Dependabot configuration Children of this skeleton repository will require this Dependabot ignore directive. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7aa2f06..6554d39 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -11,6 +11,7 @@ updates: # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache # - dependency-name: actions/checkout + # - dependency-name: actions/dependency-review-action # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python # - dependency-name: cisagov/action-job-preamble From 3679b7d004c0c16f09530e7ca38101d566b6ab2a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Mar 2025 15:06:36 -0400 Subject: [PATCH 070/107] Use cisagov/action-job-preamble instead of separate actions Use cisagov/action-job-preamble instead of crazy-max/ghaction-github-status and crazy-max/ghaction-dump-context directly. Also disable permissions monitoring since it is poorly implemented and has been causing a lot of problems due to hogging or leaking memory. --- .github/workflows/dependency-review.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 848feb5..1b05dff 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -1,7 +1,7 @@ --- name: Dependency review -on: +on: # yamllint disable-line rule:truthy merge_group: types: - checks_requested @@ -27,6 +27,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
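Review bot: The yamllint directive is placed inline here, `on: # yamllint disable-line rule:truthy`, whereas the codeql-analysis.yml change earlier in this series puts it on its own line preceded by an explanatory comment; two skeleton workflows touched by the same series should use one form. I would match the codeql-analysis.yml form, with `# The use of on here as a key is part of the GitHub actions syntax.` on the line above the directive, so the reason survives in every file.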
@@ -41,12 +47,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 dependency-review: name: Dependency review needs: @@ -59,6 +59,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From 028f652f68762a12dc7465c881ce221d3031e8c1 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Mar 2025 15:59:26 -0400 Subject: [PATCH 071/107] Do not disable GitHub permissions monitoring by default But do leave a commented-out line that can be uncommented to do so. The idea is that we should only comment out this functionality where we really must. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 14 ++++++++------ .github/workflows/codeql-analysis.yml | 14 ++++++++------ .github/workflows/dependency-review.yml | 14 ++++++++------ .github/workflows/sync-labels.yml | 14 ++++++++------ 4 files changed, 32 insertions(+), 24 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9ffe432..eeebb23 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -41,9 +41,10 @@ jobs: with: check_github_status: "true" # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -71,9 +72,10 @@ jobs: uses: cisagov/action-job-preamble@v1 with: # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 9329fdc..d1590e9 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -38,9 +38,10 @@ jobs: with: check_github_status: "true" # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
@@ -84,9 +85,10 @@ jobs: uses: cisagov/action-job-preamble@v1 with: # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 1b05dff..9901352 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -29,9 +29,10 @@ jobs: with: check_github_status: "true" # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -60,9 +61,10 @@ jobs: uses: cisagov/action-job-preamble@v1 with: # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 56859f2..07c0acf 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -25,9 +25,10 @@ jobs: with: check_github_status: "true" # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -57,9 +58,10 @@ jobs: uses: cisagov/action-job-preamble@v1 with: # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From 65f9c3012bed807253f1c91aa9ee79234cdd517a Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Tue, 8 Apr 2025 11:39:47 -0400 Subject: [PATCH 072/107] Disable GH permissions monitoring everywhere This functionality (https://github.com/GitHubSecurityLab/actions-permissions/tree/main/monitor) is poorly implemented and has been causing problems due to the MITM implementation hogging or leaking memory. This functionality should be re-enabled when practical. See cisagov/skeleton-generic#207 for more details. --- .github/workflows/build.yml | 20 ++++++++++++++------ .github/workflows/codeql-analysis.yml | 20 ++++++++++++++------ .github/workflows/dependency-review.yml | 20 ++++++++++++++------ .github/workflows/sync-labels.yml | 20 ++++++++++++++------ 4 files changed, 56 insertions(+), 24 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index eeebb23..130ec8c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -42,9 +42,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
@@ -73,9 +77,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d1590e9..382999a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,9 +39,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
@@ -86,9 +90,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 9901352..52a3ee9 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -30,9 +30,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
@@ -62,9 +66,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 07c0acf..04503e2 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -26,9 +26,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
@@ -59,9 +63,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From 2cfc534f2a4cb11d5bd310f6cfe5832565399885 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 8 Apr 2025 12:57:31 -0400 Subject: [PATCH 073/107] Fix typo that was copied and pasted all over the show Co-authored-by: David Harris <123905168+dv4harr10@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 4 ++-- .github/workflows/dependency-review.yml | 2 +- .github/workflows/sync-labels.yml | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 130ec8c..7fe4f16 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,7 +46,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" 
@@ -81,7 +81,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" # Use a variable to specify the permissions monitoring diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 382999a..dd59d04 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -43,7 +43,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" @@ -94,7 +94,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" # Use a variable to specify the permissions monitoring diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 52a3ee9..f98c687 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -70,7 +70,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" # Use a variable to specify the permissions monitoring diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 04503e2..fa6f772 100644 
--- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -30,7 +30,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" @@ -67,7 +67,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" # Use a variable to specify the permissions monitoring From e0bf15782d8220a1886693bef704489df1df17cb Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 9 Apr 2025 09:48:38 -0400 Subject: [PATCH 074/107] Fix typo --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index f98c687..ee87e04 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -34,7 +34,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" From ab359547e23707825e4c34fd1e9fd59b5766bcba Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 7 May 2025 14:10:21 -0400 Subject: [PATCH 075/107] Upgrade to the latest version of the ansible-lint pre-commit hook Version 25.4.0 is the first version to support Fedora 42 in the Ansible YAML metadata schema. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c165bde..0760b36 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -165,7 +165,7 @@ repos: # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v25.1.3 + rev: v25.4.0 hooks: - id: ansible-lint additional_dependencies: From 4d88c8b10852e057d0d95cf36f0ef74c1b509162 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 28 May 2025 11:15:29 -0400 Subject: [PATCH 076/107] Add a configuration block for pre-commit.ci This adds a `ci` block to the pre-commit configurations to control the behavior of the pre-commit.ci GitHub app. --- .pre-commit-config.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0760b36..9273b18 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,4 +1,10 @@ --- +ci: + # Do not commit changes from running pre-commit for pull requests. + autofix_prs: false + # Autoupdate hooks weekly (this is the default). + autoupdate_schedule: weekly + default_language_version: # force all unspecified python hooks to run python3 python: python3 From 3b584271602c8b0a39e83522119e728882f5b481 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 15 May 2025 14:57:11 -0400 Subject: [PATCH 077/107] Use a version tag for cisagov/setup-env-github-action We currently use the `develop` branch as our reference for the cisagov/setup-env-github-action action in the build workflow. We will instead use the major version tag which puts our usage of this action in line with how we use other actions in our workflows. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7fe4f16..2e5c1e2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -99,7 +99,7 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env - uses: cisagov/setup-env-github-action@develop + uses: cisagov/setup-env-github-action@v1 - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v5 From f89170422e22989a8314be4d6355b2919301d9b5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 28 Aug 2025 14:04:27 -0400 Subject: [PATCH 078/107] Add a configuration to automatically label pull requests This includes updating the dependabot configuration, adding a new `label-prs.yml` GitHub Actions workflow, and adding a suitable configuration file for the actions/labeler action used by the aforementioned workflow. --- .github/dependabot.yml | 1 + .github/labeler.yml | 63 ++++++++++++++++++++++ .github/workflows/label-prs.yml | 93 +++++++++++++++++++++++++++++++++ 3 files changed, 157 insertions(+) create mode 100644 .github/labeler.yml create mode 100644 .github/workflows/label-prs.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c17fa4c..6dc2a95 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,6 +12,7 @@ updates: # - dependency-name: actions/cache # - dependency-name: actions/checkout # - dependency-name: actions/dependency-review-action + # - dependency-name: actions/labeler # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python # - dependency-name: cisagov/action-job-preamble diff --git a/.github/labeler.yml b/.github/labeler.yml new file mode 100644 index 0000000..c7f044b --- /dev/null +++ b/.github/labeler.yml 
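Review bot: `@v1` is still a mutable reference — a major-version tag can be moved to any commit by whoever controls the cisagov/setup-env-github-action repository, so this change removes the branch-tracking drift but not the supply-chain exposure. GitHub's hardening guidance for actions is to pin to a full commit SHA with the version kept in a trailing comment, e.g. `uses: cisagov/setup-env-github-action@<commit-sha> # v1`, and the dependabot `github-actions` ecosystem this repository already configures keeps SHA pins updated. The same applies to `actions/labeler@v5` in the new label-prs.yml workflow and to the `actions/setup-python`, `actions/setup-go` and `actions/checkout` bumps later in this series; since the `cisagov/*` actions are first-party the risk is lower there than for the `crazy-max/*` and `actions/*` references.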
@@ -0,0 +1,63 @@ +--- +# Each entry in this file is a label that will be applied to pull requests +# if there is a match based on the matching rules for the entry. Please see +# the actions/labeler documentation for more information: +# https://github.com/actions/labeler#match-object +# +# Note: Verify that the label you want to use is defined in the +# crazy-max/ghaction-github-labeler configuration file located at +# .github/labels.yml. + +# Enable if Ansible playbooks are used in the repository. +# ansible: +# - changed-files: +# - any-glob-to-any-file: +# - "**/ansible/**" +dependencies: + - changed-files: + - any-glob-to-any-file: + # Add any dependency files used. + - .pre-commit-config.yaml + - requirements*.txt +documentation: + - changed-files: + - any-glob-to-any-file: + - "**/*.md" +github-actions: + - changed-files: + - any-glob-to-any-file: + - .github/workflows/** +# Enable if Packer is used in the repository. +# packer: +# - changed-files: +# - any-glob-to-any-file: +# - "**/*.pkr.hcl" +# Enable if Python is used in the repository. +# python: +# - changed-files: +# - any-glob-to-any-file: +# - "**/*.py" +# Enable if Terraform is used in the repository. +# terraform: +# - changed-files: +# - any-glob-to-any-file: +# - "**/*.tf" +test: + - changed-files: + - any-glob-to-any-file: + # Add any test-related files or paths. + - .ansible-lint + - .bandit.yml + - .flake8 + - .isort.cfg + - .mdl_config.yaml + - .yamllint +upstream update: + - head-branch: + # Any Lineage pull requests should use this branch. + - lineage/skeleton +version bump: + - changed-files: + - any-glob-to-any-file: + # Ensure this matches your version tracking file(s). + - version.txt diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml new file mode 100644 index 0000000..a107347 --- /dev/null +++ b/.github/workflows/label-prs.yml 
@@ -0,0 +1,93 @@ +--- +name: Label pull requests + +on: # yamllint disable-line rule:truthy + pull_request: + types: + - edited + - opened + - synchronize + +# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace, +# nounset, errexit, and pipefail. The `-x` will print all commands as they are +# run. Please see the GitHub Actions documentation for more information: +# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs +defaults: + run: + shell: bash -Eueo pipefail -x {0} + +jobs: + diagnostics: + name: Run diagnostics + # This job does not need any permissions + permissions: {} + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 + with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + output_workflow_context: "true" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. 
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + label: + needs: + - diagnostics + permissions: + # Permissions required by actions/labeler + contents: read + issues: write + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 + with: + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + - name: Apply suitable labels to a pull request + uses: actions/labeler@v5 From 0aba2813c7f64b7ab1cb601544bf05064f9a71f2 Mon Sep 17 00:00:00 2001 
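Review bot: The `label` job requests `issues: write` and `pull-requests: write`, but the workflow runs on `pull_request`, and for a pull request opened from a fork the GITHUB_TOKEN is read-only regardless of the `permissions` block, so `actions/labeler` will presumably fail to apply labels on fork PRs. Keeping `pull_request` rather than `pull_request_target` is the safer choice, since the base repository's write-capable token is then never handed to a run triggered by untrusted PR content; that tradeoff is worth recording in a comment above `on:`, e.g. `# pull_request is used deliberately: fork PRs are not labeled, but no write token is exposed to untrusted triggers.` If labeling fork PRs becomes a requirement, `pull_request_target` is only acceptable because this job checks out nothing and executes no code from the PR, and that invariant should be stated next to the trigger so a later edit does not silently break it.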
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 8 Sep 2025 12:44:47 -0400 Subject: [PATCH 079/107] Bump actions/labeler from 5 to 6 Bumps [actions/labeler](https://github.com/actions/labeler) from 5 to 6. - [Release notes](https://github.com/actions/labeler/releases) - [Commits](actions/labeler@v5...v6) --- updated-dependencies: - dependency-name: actions/labeler dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/label-prs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml index a107347..9d78e39 100644 --- a/.github/workflows/label-prs.yml +++ b/.github/workflows/label-prs.yml @@ -90,4 +90,4 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Apply suitable labels to a pull request - uses: actions/labeler@v5 + uses: actions/labeler@v6 From 507fe983481126be7e953ccb8e9476368b378c42 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 19:00:55 +0000 Subject: [PATCH 080/107] Bump actions/setup-python from 5 to 6 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7fe4f16..bcd9028 100644 --- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml @@ -102,7 +102,7 @@ jobs: uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ steps.setup-env.outputs.python-version }} # We need the Go version and Go cache location for the actions/cache step, From 428ab617f1162c6514ddd2efb575ba2f37ff4c1f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 19:00:58 +0000 Subject: [PATCH 081/107] Bump actions/setup-go from 5 to 6 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7fe4f16..d302901 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -108,7 +108,7 @@ jobs: # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: # There is no expectation for actual Go code so we disable caching as # it relies on the existence of a go.sum file. From 623a983457d949be691753782997c97f50ebe9c6 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:23:07 -0400 Subject: [PATCH 082/107] Adjust the labels dependabot uses Instead of using the default labels for the `github-actions` package ecosystem we specify the labels explicitly. This is done to ensure that dependabot uses our `github-actions` label instead of the default of `github_actions`. We must also explicitly specify the `dependencies` label since we are overriding the default label values. --- .github/dependabot.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c17fa4c..d3688af 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -21,6 +21,12 @@ updates: # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate + labels: + # dependabot default we need to replicate + - dependencies + # This matches our label definition in .github/labels.yml as opposed to + # dependabot's default of `github_actions`. + - github-actions package-ecosystem: github-actions schedule: interval: weekly From 03065cdc17b57141a9fc88b7c95cd76c9c2b93d5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 16 Sep 2025 10:14:00 -0400 Subject: [PATCH 083/107] Adjust GNU getopt check logic in the `setup-env` script Change the check from looking for specific text in the version output to using the `--test` option. This will provide a more robust implementation of this check that does not have to worry about output format stability. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- setup-env | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup-env b/setup-env index f3304d9..89c7603 100755 --- a/setup-env +++ b/setup-env 
@@ -101,10 +101,10 @@ LONGOPTS="force,help,install-hooks,list-versions,python-version:,venv-name:" # Define short options for getopt SHORTOPTS="fhilp:v:" -# Check for GNU getopt by matching a specific pattern ("getopt from util-linux") -# in its version output. This approach presumes the output format remains stable. -# Be aware that format changes could invalidate this check. -if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then +# Check for GNU getopt by testing for long option support. GNU getopt supports +# the "--test" option and will return exit code 4 while POSIX/BSD getopt does +# not and will return exit code 0. +if getopt --test > /dev/null 2>&1; then cat << 'END_OF_LINE' Please note, this script requires GNU getopt due to its enhanced From c7e1ce848099c84bf1124f66acc93de52021bb2b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Sep 2025 15:45:32 +0000 Subject: [PATCH 084/107] Bump actions/checkout from 4 to 5 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d62be35..c11089c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
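Review bot: `if getopt --test > /dev/null 2>&1; then` enters the "GNU getopt required" branch only on exit status 0, so every other non-4 status — including 127 when no `getopt` binary is on PATH, or whatever a getopt that rejects the unknown option may return — is silently accepted as GNU and the script fails later with a less useful error; the string match it replaces at least caught the missing-binary case because the version output was empty. The comment documents the exit-code-4 contract, so test for exactly that: `if [[ $(getopt --test > /dev/null 2>&1; echo $?) -ne 4 ]]; then`, which also stays correct if the script runs under `set -e`. The `if` body (the `cat << 'END_OF_LINE'` message) continues past the end of this hunk.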
@@ -100,7 +100,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@v1 - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python uses: actions/setup-python@v6 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index dd59d04..0722fa3 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -113,7 +113,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index ee87e04..bc859d1 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -89,7 +89,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: checkout-repo name: Checkout the repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - id: dependency-review name: Review dependency changes for vulnerabilities and license changes uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index fa6f772..19e0129 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -84,7 +84,7 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Sync repository labels if: success() uses: crazy-max/ghaction-github-labeler@v5 From d070095f0a23e31fec3eab43acf1d9bdc67797b3 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 4 May 2025 05:51:15 -0400 Subject: [PATCH 085/107] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9273b18..bc76d85 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -16,7 +16,7 @@ repos: - id: check-useless-excludes - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 + rev: v6.0.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -45,17 +45,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.44.0 + rev: v0.45.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/rbubley/mirrors-prettier - rev: v3.5.3 + rev: v3.6.2 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.37.0 + rev: v1.37.1 hooks: - id: yamllint args: @@ -63,20 +63,20 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.32.1 + rev: 0.33.3 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.2.0 + rev: v4.3.0 hooks: - id: validate_manifest # Go hooks - repo: https://github.com/TekWizely/pre-commit-golang - rev: v1.0.0-rc.1 + rev: v1.0.0-rc.2 hooks: # Go Build - id: go-build-repo-mod @@ -105,7 +105,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.11.0-1 + rev: v3.12.0-2 hooks: - id: shfmt args: 
@@ -123,13 +123,13 @@ repos: # Redirect operators are followed by a space - --space-redirects - repo: https://github.com/shellcheck-py/shellcheck-py - rev: v0.10.0.1 + rev: v0.11.0.1 hooks: - id: shellcheck # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.8.3 + rev: 1.8.6 hooks: - id: bandit args: @@ -139,7 +139,7 @@ repos: hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.1.2 + rev: 7.3.0 hooks: - id: flake8 additional_dependencies: @@ -149,11 +149,11 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.15.0 + rev: v1.18.1 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit - rev: v2.8.0 + rev: v2.9.0 hooks: - id: pip-audit args: @@ -165,13 +165,13 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.19.1 + rev: v3.20.0 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v25.4.0 + rev: v25.9.0 hooks: - id: ansible-lint additional_dependencies: @@ -215,7 +215,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.98.0 + rev: v1.100.0 hooks: - id: terraform_fmt - id: terraform_validate @@ -228,7 +228,7 @@ repos: # Packer hooks - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.3.0 + rev: v0.3.1 hooks: - id: packer_fmt - id: packer_validate From ee20b2a6866b77f826a93dad5eaa689e18377275 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 29 Aug 2025 17:19:53 -0400 Subject: [PATCH 086/107] Conform to new markdownlint rule A new rule, `MD059/descriptive-link-text`, was added in markdownlint's 0.38.0 release, which itself is used in v0.45.0 of markdownlint-cli. As such, we must update to conform to the new rule. --- CONTRIBUTING.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f9fa53a..a631733 100644 --- a/CONTRIBUTING.md 
+++ b/CONTRIBUTING.md @@ -132,11 +132,10 @@ you can begin to use `pyenv`. For a list of Python versions that are already installed and ready to use with `pyenv`, use the command `pyenv versions`. To see a list of the Python versions available to be installed and used with `pyenv` -use the command `pyenv install --list`. You can read more -[here](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md) about -the many things that `pyenv` can do. See -[here](https://github.com/pyenv/pyenv-virtualenv#usage) for the -additional capabilities that pyenv-virtualenv adds to the `pyenv` +use the command `pyenv install --list`. You can read more about +the [many things that `pyenv` can do](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md). +See the [usage information](https://github.com/pyenv/pyenv-virtualenv#usage) +for the additional capabilities that pyenv-virtualenv adds to the `pyenv` command. #### Creating the Python virtual environment #### From 5bde44c0ead00f5c2b6c421d25a109d4cc839601 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 17 Sep 2025 12:22:39 -0400 Subject: [PATCH 087/107] Bump version from 0.0.1-rc.1 to 1.0.0 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 871d40b..3eefcb9 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.0.1-rc.1 +1.0.0 From d18e90bfb8070d41dd539044a4e151486b627080 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 19 Sep 2025 16:03:28 -0400 Subject: [PATCH 088/107] Add additional repository labels This adds labels that are common in downstream repositories to the core configuration. This will help ensure consistent label availability. --- .github/labels.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/labels.yml b/.github/labels.yml index fe9a53e..b1311af 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
@@ -2,6 +2,9 @@ # Rather than breaking up descriptions into multiline strings we disable that # specific rule in yamllint for this file. # yamllint disable rule:line-length +- color: f15a53 + description: Pull requests that update Ansible code + name: ansible - color: eb6420 description: This issue or pull request is awaiting the outcome of another issue or pull request name: blocked @@ -17,6 +20,9 @@ - color: 0366d6 description: Pull requests that update a dependency file name: dependencies +- color: 2497ed + description: Pull requests that update Docker code + name: docker - color: 5319e7 description: This issue or pull request improves or adds to documentation name: documentation @@ -50,12 +56,21 @@ - color: fcdb45 description: This pull request is awaiting an action or decision to move forward name: on hold +- color: 02a8ef + description: Pull requests that update Packer code + name: packer +- color: 3772a4 + description: Pull requests that update Python code + name: python - color: ef476c description: This issue is a request for information or needs discussion name: question - color: d73a4a description: This issue or pull request addresses a security issue name: security +- color: 7b42bc + description: Pull requests that update Terraform code + name: terraform - color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test From e875abf74fc8cd799c17430c74a1d95eddc63466 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 22 Sep 2025 01:13:44 -0400 Subject: [PATCH 089/107] Add auto-label configuration for the `docker` label Add a configuration to automatically apply the `docker` label to pull requests. --- .github/labeler.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index c7f044b..49b89ef 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -19,6 +19,13 @@ dependencies: # Add any dependency files used. - .pre-commit-config.yaml - requirements*.txt +# Enable if Docker is used in the repository. +# docker: +# - changed-files: +# - any-glob-to-any-file: +# - "**/compose*.yml" +# - "**/docker-compose*.yml" +# - "**/Dockerfile*" documentation: - changed-files: - any-glob-to-any-file: From 65474e25bdeb697e85653f74e7587e7f6cd42ce5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Oct 2025 09:36:57 -0400 Subject: [PATCH 090/107] Enable all label configuration for actions/labeler We can enable all label configurations for actions/labeler by default now that all of these labels are defined in the configuration for crazy-max/ghaction-github-labeler. --- .github/labeler.yml | 49 ++++++++++++++++++++------------------------- 1 file changed, 22 insertions(+), 27 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 49b89ef..8100ae7 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -8,24 +8,22 @@ # crazy-max/ghaction-github-labeler configuration file located at # .github/labels.yml. -# Enable if Ansible playbooks are used in the repository. -# ansible: -# - changed-files: -# - any-glob-to-any-file: -# - "**/ansible/**" +ansible: + - changed-files: + - any-glob-to-any-file: + - "**/ansible/**" dependencies: - changed-files: - any-glob-to-any-file: # Add any dependency files used. - .pre-commit-config.yaml - requirements*.txt -# Enable if Docker is used in the repository. -# docker: -# - changed-files: -# - any-glob-to-any-file: -# - "**/compose*.yml" -# - "**/docker-compose*.yml" -# - "**/Dockerfile*" +docker: + - changed-files: + - any-glob-to-any-file: + - "**/compose*.yml" + - "**/docker-compose*.yml" + - "**/Dockerfile*" documentation: - changed-files: - any-glob-to-any-file: 
@@ -34,21 +32,18 @@ github-actions: - changed-files: - any-glob-to-any-file: - .github/workflows/** -# Enable if Packer is used in the repository. -# packer: -# - changed-files: -# - any-glob-to-any-file: -# - "**/*.pkr.hcl" -# Enable if Python is used in the repository. -# python: -# - changed-files: -# - any-glob-to-any-file: -# - "**/*.py" -# Enable if Terraform is used in the repository. -# terraform: -# - changed-files: -# - any-glob-to-any-file: -# - "**/*.tf" +packer: + - changed-files: + - any-glob-to-any-file: + - "**/*.pkr.hcl" +python: + - changed-files: + - any-glob-to-any-file: + - "**/*.py" +terraform: + - changed-files: + - any-glob-to-any-file: + - "**/*.tf" test: - changed-files: - any-glob-to-any-file: From 3cf19cd3794f5d325ec0ba57ce5f8d7fe5dfdac9 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Oct 2025 12:42:12 -0400 Subject: [PATCH 091/107] Add JavaScript-related labels Add labels for JavaScript and TypeScript to the configuration for crazy-max/ghaction-github-labeler. --- .github/labels.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/labels.yml b/.github/labels.yml index b1311af..650ed7c 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -47,6 +47,9 @@ - color: fef2c0 description: This issue or pull request is not applicable, incorrect, or obsolete name: invalid +- color: f1d642 + description: Pull requests that update JavaScript code + name: javascript - color: ce099a description: This pull request is ready to merge during the next Lineage Kraken release name: kraken 🐙 @@ -74,6 +77,9 @@ - color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test +- color: 2b6ebf + description: Pull requests that update TypeScript code + name: typescript - color: 1d76db description: This issue or pull request pulls in upstream updates name: upstream update From e38c7f0d43b84c8b5390773eb20d3d99ff643230 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Oct 2025 12:54:50 -0400 Subject: [PATCH 092/107] Add JavaScript-related labels to the labeler configuration Add the new `javascript` and `typescript` labels with appropriate matching rules to the actions/labeler configuration. --- .github/labeler.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index 8100ae7..a4e2186 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -32,6 +32,10 @@ github-actions: - changed-files: - any-glob-to-any-file: - .github/workflows/** +javascript: + - changed-files: + - any-glob-to-any-file: + - "**/*.js" packer: - changed-files: - any-glob-to-any-file: @@ -54,6 +58,10 @@ test: - .isort.cfg - .mdl_config.yaml - .yamllint +typescript: + - changed-files: + - any-glob-to-any-file: + - "**/*.ts" upstream update: - head-branch: # Any Lineage pull requests should use this branch. From 01af46d286566e88795bf078f60a110488efb073 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 7 Oct 2025 11:46:24 -0400 Subject: [PATCH 093/107] Remove redundant quotes This gets rid of an error from our yamllint pre-commit linter. --- .github/workflows/build.yml | 2 +- docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 136084f..c109e2d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -274,7 +274,7 @@ jobs: name: "${{ github.event.repository.name }}-\ py${{ matrix.python-version }}-\ ${{ env.GH_SHORT_SHA }}" - path: "${{ env.DEFAULT_ARTIFACT_NAME }}" + path: ${{ env.DEFAULT_ARTIFACT_NAME }} - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE diff --git a/docker-compose.yml b/docker-compose.yml index 6e46434..2dab8dc 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -21,4 +21,4 @@ services:
 # the invoking environment but falls back to a default value.
 image: cisagov/example_lambda:${LAMBDA_TAG:-latest}
 ports:
- - "9000:8080"
+ - 9000:8080
From 8d47a6401fa98ce338d45f6e0a8f166bffd9765a Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 7 Oct 2025 11:49:09 -0400
Subject: [PATCH 094/107] Prefer double quotes
This gets rid of an error from our yamllint pre-commit linter.
---
 .github/lineage.yml | 2 +-
 docker-compose.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/lineage.yml b/.github/lineage.yml
index 49f9c4f..46d3224 100644
--- a/.github/lineage.yml
+++ b/.github/lineage.yml
@@ -2,4 +2,4 @@
 lineage:
 skeleton:
 remote-url: https://github.com/cisagov/skeleton-generic.git
-version: '1'
+version: "1"
diff --git a/docker-compose.yml b/docker-compose.yml
index 2dab8dc..0f91d02 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,5 @@
 ---
-version: '3.2'
+version: "3.2"
 services:
 build_deployment_package:
From f231ef7fad54bab6d80db7b279c1ace0fb5429b0 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 7 Oct 2025 11:53:07 -0400
Subject: [PATCH 095/107] Remove shebang from pytest file
This gets rid of an error from our pre-commit linters.
---
 tests/test_version.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/test_version.py b/tests/test_version.py
index b9f8251..65fe5db 100644
--- a/tests/test_version.py
+++ b/tests/test_version.py
@@ -1,4 +1,3 @@
-#!/usr/bin/env pytest -vs
 """Version tests for AWS Lambda Python skeleton project."""
 # Standard Python Libraries
From 53ca45483ee1da8eea4720a4d1f3a36ccf58d723 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 7 Oct 2025 11:56:16 -0400
Subject: [PATCH 096/107] Make Markdown lint more descriptive
This gets rid of an error from our markdownlint pre-commit linter.
---
 README.md | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 02ae4a4..94b279b 100644
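Review bot: The quotes around the port mapping were not only cosmetic: a YAML 1.1 parser reads an unquoted `host:container` pair as a base-60 integer when the container part is in the range 0–59, which is why the Compose documentation recommends quoting port mappings (`22:22` silently becomes `1342`). `9000:8080` is safe because 8080 is outside that range, but the linter-driven removal leaves no trace of the pitfall for the next person who edits the mapping. A comment on the line, `# Unquoted host:container pairs parse as base-60 integers when the container port is < 60; quote the mapping if that ever applies`, would preserve the knowledge the quotes carried.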
--- a/README.md +++ b/README.md @@ -59,13 +59,15 @@ docker compose down ## How to update Python dependencies ## -The Python dependencies are maintained using a [Pipenv](https://github.com/pypa/pipenv) -configuration for each supported Python version. Changes to requirements -should be made to the respective `src/py/Pipfile`. More -information about the `Pipfile` format can be found [here](https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock). -The accompanying `Pipfile.lock` files contain the specific dependency versions -that will be installed. These files can be updated like so (using the Python -3.9 configuration as an example): +The Python dependencies are maintained using a +[Pipenv](https://github.com/pypa/pipenv) configuration for each +supported Python version. Changes to requirements should be made to +the respective `src/py/Pipfile`. More information +about the `Pipfile` format can be found in the [`pipenv` +documentation](https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock). +The accompanying `Pipfile.lock` files contain the specific dependency +versions that will be installed. These files can be updated like so +(using the Python 3.9 configuration as an example): ```console cd src/py3.9 From 221f099fa0eae0726df17027aad25cd69fc88abe Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 7 Oct 2025 12:00:10 -0400 Subject: [PATCH 097/107] Use the same version of bandit throughout the pre-commit config --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ed74df3..630f743 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -139,7 +139,7 @@ repos: - --config=.bandit.yml # Run bandit on everything but the tests directory - repo: https://github.com/PyCQA/bandit - rev: 1.7.4 + rev: 1.8.6 hooks: - id: bandit name: bandit (everything but the tests directory) 
From 8ec4b3aa1351c9990a1c7e6862930841159fba59 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 7 Oct 2025 13:18:42 -0400 Subject: [PATCH 098/107] Update the bump-version script to point to src/version.txt Also modify src/version.txt to simply contain the version. --- bump-version | 2 +- src/version.txt | 2 +- version.txt | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) delete mode 100644 version.txt diff --git a/bump-version b/bump-version index 15b4af1..e6e6fa7 100755 --- a/bump-version +++ b/bump-version @@ -8,7 +8,7 @@ set -o errexit set -o pipefail # Stores the canonical version for the project. -VERSION_FILE=version.txt +VERSION_FILE=src/version.txt # Files that should be updated with the new version. VERSION_FILES=("$VERSION_FILE") diff --git a/src/version.txt b/src/version.txt index 3b93d0b..4e379d2 100644 --- a/src/version.txt +++ b/src/version.txt @@ -1 +1 @@ -__version__ = "0.0.2" +0.0.2 diff --git a/version.txt b/version.txt deleted file mode 100644 index 3eefcb9..0000000 --- a/version.txt +++ /dev/null @@ -1 +0,0 @@ -1.0.0 From 35152ec13a03738676dfc73840b873a5d5959962 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 7 Oct 2025 13:25:02 -0400 Subject: [PATCH 099/107] Consistently use cisagov/action-job-preamble Update the `test` and `build` jobs to also use the cisagov/action-job-preamble action. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 58 ++++++++++++++++++++++++++++++++----- 1 file changed, 50 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c109e2d..3c6eaea 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
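Review bot: After this commit `src/version.txt` holds the bare string `0.0.2`, but `tests/test_version.py` at this point in the series still reads the file with `exec()` and expects an `__version__` assignment (the removed lines in the later "Adjust version test for new format in version file" commit show this), so the release-tag test raises SyntaxError for the two intervening commits. Squashing the test adjustment into this commit, or ordering it first, would keep every commit in the series green and bisectable. Whether `bump-version` itself still rewrites an `__version__ = ...` pattern cannot be seen from this hunk and is worth checking against the new file format.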
@@ -203,11 +203,32 @@ jobs: - diagnostics - lint steps: - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 
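Review bot: Swapping the step-security/harden-runner step for cisagov/action-job-preamble drops the explicit `egress-policy: audit` setting, and nothing in the hunk shows whether the preamble action re-applies runner hardening or egress monitoring. If it does, a one-line comment above the step stating that (for example `# Runner hardening and egress policy are applied inside cisagov/action-job-preamble`) would keep the job's security posture visible to reviewers; if it does not, the harden-runner step should stay alongside the preamble. The replacement step also has no `id:` where the old one had `id: harden-runner`, so any `steps.harden-runner` reference elsewhere in the workflow would no longer resolve (none is visible in this hunk). The same applies to the `build` job hunk that follows.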
@@ -252,11 +273,32 @@ jobs: - "3.8" - "3.9" steps: - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Get the short SHA for the commit being used run: | From bdc7373e54fb0c810f446eacaade83069a0e4ef4 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 7 Oct 2025 13:27:48 -0400 Subject: [PATCH 100/107] Adjust artifact name in build workflow This is necessary to have a valid artifact name for upload. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3c6eaea..6bd30f2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -313,9 +313,8 @@ jobs: - name: Upload the generated Lambda deployment package as an artifact uses: actions/upload-artifact@v4 with: - name: "${{ github.event.repository.name }}-\ - py${{ matrix.python-version }}-\ - ${{ env.GH_SHORT_SHA }}" + name: ${{ github.event.repository.name }}-py${{ + matrix.python-version }}-${{ env.GH_SHORT_SHA }} path: ${{ env.DEFAULT_ARTIFACT_NAME }} - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 From d71e39e7e85f89d3e87c7d4df5641164506499f9 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 7 Oct 2025 13:31:04 -0400 Subject: [PATCH 101/107] Update GH actions versions to match upstream In particular, update - cisagov/setup-env-github-action to v1 - actions/checkout to v5 - actions/setup-python to v6 --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6bd30f2..1dbf140 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -230,10 +230,10 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env - uses: cisagov/setup-env-github-action@develop - - uses: actions/checkout@v4 + uses: cisagov/setup-env-github-action@v1 + - uses: actions/checkout@v5 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ steps.setup-env.outputs.python-version }} - uses: actions/cache@v3 @@ -299,7 +299,7 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Get the short SHA for the commit being used run: | echo "GH_SHORT_SHA=${GITHUB_SHA::7}" >> $GITHUB_ENV From 72b45aba6a56c5b9c1b3baee7b1c143e34402a0f Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Tue, 7 Oct 2025 13:49:12 -0400 Subject: [PATCH 102/107] Update labeler.yml to point to the correct version file --- .github/labeler.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index a4e2186..82d2a3a 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -70,4 +70,4 @@ version bump: - changed-files: - any-glob-to-any-file: # Ensure this matches your version tracking file(s). - - version.txt + - src/version.txt From 2e8c107ce3486d19ec1c43508f94fe9c23aa5a6a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 7 Oct 2025 13:50:53 -0400 Subject: [PATCH 103/107] Allow changes to pytest code to trigger "test" label --- .github/labeler.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index 82d2a3a..bd953ae 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -58,6 +58,7 @@ test: - .isort.cfg - .mdl_config.yaml - .yamllint + - tests/*.py typescript: - changed-files: - any-glob-to-any-file: From fc6f92aeacde59450f3d3de01686afbbb355ba27 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 7 Oct 2025 13:53:28 -0400 Subject: [PATCH 104/107] Allow changes to pytest config to trigger "test" label --- .github/labeler.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index bd953ae..62a5f37 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -58,6 +58,7 @@ test: - .isort.cfg - .mdl_config.yaml - .yamllint + - pytest.ini - tests/*.py typescript: - changed-files: From 6b79073654a1dd2ad0c3c95d09401d5ba29dd4d5 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Wed, 8 Oct 2025 10:37:00 -0400 Subject: [PATCH 105/107] Allow any files changed in the tests dir to trigger the test label Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/labeler.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/labeler.yml b/.github/labeler.yml index 62a5f37..b67a39d 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -59,7 +59,7 @@ test: - .mdl_config.yaml - .yamllint - pytest.ini - - tests/*.py + - tests/** typescript: - changed-files: - any-glob-to-any-file: From fead28fac09e4aeb7745ea4bbb25cbc49bcf621d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 8 Oct 2025 12:32:45 -0400 Subject: [PATCH 106/107] Adjust version test for new format in version file The new code matches what is done in cisagov/skeleton-docker: - https://github.com/cisagov/skeleton-docker/blob/722507bd51e06538f1f85b659df616ca7ca7fcbd/tests/conftest.py#L41-L46 - https://github.com/cisagov/skeleton-docker/blob/722507bd51e06538f1f85b659df616ca7ca7fcbd/tests/container_test.py#L61-L68 Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- tests/test_version.py | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/tests/test_version.py b/tests/test_version.py index 65fe5db..77a2533 100644 --- a/tests/test_version.py +++ b/tests/test_version.py @@ -10,16 +10,20 @@ VERSION_FILE = "src/version.txt" +@pytest.fixture(scope="session") +def project_version(): + """Return the version of the project.""" + with open(VERSION_FILE) as f: + project_version = f.read().strip() + return project_version + + @pytest.mark.skipif( GITHUB_RELEASE_TAG in [None, ""], reason="this is not a release (GITHUB_RELEASE_TAG not set)", ) -def test_release_version(): +def test_release_version(project_version): """Verify that release tag version agrees with the module version.""" - pkg_vars = {} - with open(VERSION_FILE) as f: - exec(f.read(), pkg_vars) # nosec - project_version = pkg_vars["__version__"] assert ( GITHUB_RELEASE_TAG == f"v{project_version}" ), "GITHUB_RELEASE_TAG does not match the project version" From b1b34956bfcc6304f65007ebd28018f3b715d20a Mon Sep 17 00:00:00 2001 
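Review bot: The new `project_version` fixture opens `VERSION_FILE` relative to the current working directory and without an explicit encoding, so the test depends on pytest being launched from the repository root and on the locale's default codec; `with open(VERSION_FILE, encoding="utf-8") as f:` fixes the latter, and resolving the path from `__file__` (the tests directory's parent) would fix the former. The same applies to the copy of the fixture moved into `tests/conftest.py` by the following commit. Replacing the `exec()` of the version file with a plain read removes code execution from file content, which is the right direction for this test.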
From: Jeremy Frasier Date: Thu, 9 Oct 2025 08:58:11 -0400 Subject: [PATCH 107/107] Move test fixture to conftest.py This fixture has session scope, so this is a better home for it. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- tests/conftest.py | 10 ++++++++++ tests/test_version.py | 9 --------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/tests/conftest.py b/tests/conftest.py index cb1cac7..428b0d4 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -6,6 +6,16 @@ # Third-Party Libraries import pytest +VERSION_FILE = "src/version.txt" + + +@pytest.fixture(scope="session") +def project_version(): + """Return the version of the project.""" + with open(VERSION_FILE) as f: + project_version = f.read().strip() + return project_version + def pytest_addoption(parser): """Add new commandline options to pytest.""" diff --git a/tests/test_version.py b/tests/test_version.py index 77a2533..bed07f6 100644 --- a/tests/test_version.py +++ b/tests/test_version.py @@ -7,15 +7,6 @@ import pytest GITHUB_RELEASE_TAG = os.getenv("GITHUB_RELEASE_TAG") -VERSION_FILE = "src/version.txt" - - -@pytest.fixture(scope="session") -def project_version(): - """Return the version of the project.""" - with open(VERSION_FILE) as f: - project_version = f.read().strip() - return project_version @pytest.mark.skipif(