From 59f893b034e472e35ae79f2503a6d0cf6a65c6e4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 Oct 2025 18:01:12 +0000
Subject: [PATCH 01/32] Bump github/codeql-action from 3 to 4 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v3...v4)
--- updated-dependencies: - dependency-name: github/codeql-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot]
---
 .github/workflows/codeql-analysis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 0722fa3..ac19c95 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -117,7 +117,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
 with:
 languages: ${{ matrix.language }}
@@ -125,7 +125,7 @@ jobs:
 # Java). If this step fails, then you should remove it and run the build
 # manually (see below).
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@v4
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -139,4 +139,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
From a44c47daa5cc09ed51cfd9930efdb1c0d6e51f50 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 15 Oct 2025 12:26:46 -0400
Subject: [PATCH 02/32] Remove an unnecessary permission from the PR label workflow There should be no reason for the actions/labeler action to create new labels so we can remove the permission that would allow this to occur.
---
 .github/workflows/label-prs.yml | 1 - 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml
index 9d78e39..412cc4a 100644
--- a/.github/workflows/label-prs.yml
+++ b/.github/workflows/label-prs.yml
@@ -59,7 +59,6 @@ jobs:
 permissions:
 # Permissions required by actions/labeler
 contents: read
- issues: write
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
From 629a0cc616bd06540bddc3ccd39de55bab61403a Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 28 Oct 2025 16:11:15 -0400
Subject: [PATCH 03/32] Add a license badge
---
 README.md | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index cb6c85a..4034ce6 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,9 @@
 [![GitHub Build Status](https://github.com/cisagov/skeleton-generic/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-generic/actions)
+[![License](https://img.shields.io/github/license/cisagov/skeleton-generic
+)](https://spdx.org/licenses/)
+
 This is a generic skeleton project that can be used to quickly get a new [cisagov](https://github.com/cisagov) GitHub project started. This skeleton project contains [licensing information](LICENSE), as
From e1331191e7858857c72cac55107e37508e744b6a Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 28 Oct 2025 21:41:06 -0400
Subject: [PATCH 04/32] Update the color used for the `python` label This updates the existing color, which was pulled from the Python logo, to the color used in the Python website's CSS for the "Python" item in the site's top menu.
---
 .github/labels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 650ed7c..1a8399b 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -62,7 +62,7 @@
 - color: 02a8ef
 description: Pull requests that update Packer code
 name: packer
-- color: 3772a4
+- color: 3776ab
 description: Pull requests that update Python code
 name: python
 - color: ef476c
From 15771ca992f125f5e4c9516e7645b7b79908cad2 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 03:29:59 -0400
Subject: [PATCH 05/32] Update the color used for the `javascript` label This reflects the value defined by JSConf and used in their unofficially official logo for JS.
---
 .github/labels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 1a8399b..3801ada 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -47,7 +47,7 @@
 - color: fef2c0
 description: This issue or pull request is not applicable, incorrect, or obsolete
 name: invalid
-- color: f1d642
+- color: f0db4f
 description: Pull requests that update JavaScript code
 name: javascript
 - color: ce099a
From a7eeb15808fccae45d6010641192f341f7013f50 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 03:40:49 -0400
Subject: [PATCH 06/32] Update the color used for the `typescript` label This reflects the color of the logo from the TypeScript branding page at https://www.typescriptlang.org/branding/.
---
 .github/labels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 3801ada..6f63095 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -77,7 +77,7 @@
 - color: 00008b
 description: This issue or pull request adds or otherwise modifies test code
 name: test
-- color: 2b6ebf
+- color: 2678c5
 description: Pull requests that update TypeScript code
 name: typescript
 - color: 1d76db
From fb7a73609e7d45eae2d566a39368a5ad5ea3ddb4 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 03:51:12 -0400
Subject: [PATCH 07/32] Update the color used for the `ansible` label This mirrors the value used as a background for the mango Ansible community mark logo found in the ansible/logos repository.
---
 .github/labels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 6f63095..4862f3c 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -2,7 +2,7 @@
 # Rather than breaking up descriptions into multiline strings we disable that
 # specific rule in yamllint for this file.
 # yamllint disable rule:line-length
-- color: f15a53
+- color: ff5850
 description: Pull requests that update Ansible code
 name: ansible
 - color: eb6420
From 55031516e97274377694f2974d210054444c406b Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 03:59:50 -0400
Subject: [PATCH 08/32] Update the color used for the `docker` label This is the "Moby Blue" primary color as defined in the Docker brand guidelines color section found at https://www.docker.com/company/newsroom/media-resources/.
---
 .github/labels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 4862f3c..a539e6e 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -20,7 +20,7 @@
 - color: 0366d6
 description: Pull requests that update a dependency file
 name: dependencies
-- color: 2497ed
+- color: 1d63ed
 description: Pull requests that update Docker code
 name: docker
 - color: 5319e7
From dc0d9a0be70aab4c4f47f884ec649ac4fb086fff Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 05:21:25 -0400
Subject: [PATCH 09/32] Add a label and auto-label configuration for shell scripts Since we use shell scripts throughout our projects it makes sense to have a dedicated label.
---
 .github/labeler.yml | 7 +++++++ .github/labels.yml | 3 +++ 2 files changed, 10 insertions(+)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index a4e2186..5ccd8fe 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -44,6 +44,13 @@ python:
 - changed-files:
 - any-glob-to-any-file:
 - "**/*.py"
+shell script:
+ - changed-files:
+ - any-glob-to-any-file:
+ # Add any shell scripts that do not end in the ".sh" extension.
+ - "**/*.sh"
+ - bump-version
+ - setup-env
 terraform:
 - changed-files:
 - any-glob-to-any-file:
diff --git a/.github/labels.yml b/.github/labels.yml
index 650ed7c..aa77db7 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -71,6 +71,9 @@
 - color: d73a4a
 description: This issue or pull request addresses a security issue
 name: security
+- color: 4eaa25
+ description: Pull requests that update shell scripts
+ name: shell script
 - color: 7b42bc
 description: Pull requests that update Terraform code
 name: terraform
From 586af7c89d29858b80f9abc150204858e281b4b3 Mon Sep 17 00:00:00 2001
From: Shane Frasier
Date: Wed, 29 Oct 2025 08:52:57 -0400
Subject: [PATCH 10/32] Remove needless blank line
---
 README.md | 1 - 1 file changed, 1 deletion(-)
diff --git a/README.md b/README.md
index 4034ce6..22134a3 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
 # skeleton-generic #
 [![GitHub Build Status](https://github.com/cisagov/skeleton-generic/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-generic/actions)
-
 [![License](https://img.shields.io/github/license/cisagov/skeleton-generic
 )](https://spdx.org/licenses/)
From 8b5f6d215931b0252a33f92899e75aea082b9f70 Mon Sep 17 00:00:00 2001
From: Nick <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 13:28:50 -0400
Subject: [PATCH 11/32] Improve a labeler configuration's explanatory comment Co-authored-by: dav3r
---
 .github/labeler.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index 5ccd8fe..05478bd 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -47,7 +47,8 @@ python:
 shell script:
 - changed-files:
 - any-glob-to-any-file:
- # Add any shell scripts that do not end in the ".sh" extension.
+ # If this project has any shell scripts that do not end in the ".sh"
+ # extension, add them below.
 - "**/*.sh"
 - bump-version
 - setup-env
From ad708bd9fad93d23f837f71d975ddee4060a4aec Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:21:25 -0500
Subject: [PATCH 12/32] Rename .flake8 to pyproject.toml and update syntax We can configure all our Python tooling in a single pyproject.toml file. Note that using pyproject.toml to configure flake8 requires the addition of the flake8-pyproject Python library.
---
 .flake8 => pyproject.toml | 6 +++--- requirements-test.txt | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) rename .flake8 => pyproject.toml (92%)
diff --git a/.flake8 b/pyproject.toml
similarity index 92%
rename from .flake8
rename to pyproject.toml
index 92ff826..574223c 100644
--- a/.flake8
+++ b/pyproject.toml
@@ -1,4 +1,4 @@
-[flake8]
+[tool.flake8]
 max-line-length = 80
 # Select (turn on)
 # * Complexity violations reported by mccabe (C) -
@@ -13,7 +13,7 @@ max-line-length = 80
 # https://github.com/PyCQA/flake8-bugbear#list-of-warnings
 # * The B950 flake8-bugbear opinionated warning -
 # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings
-select = C,D,E,F,W,B,B950
+select = ["C", "D", "E", "F", "W", "B", "B950"]
 # Ignore flake8's default warning about maximum line length, which has
 # a hard stop at the configured value. Instead we use
 # flake8-bugbear's B950, which allows up to 10% overage.
@@ -22,4 +22,4 @@ select = C,D,E,F,W,B,B950
 # operators. It no longer agrees with PEP8. See, for example, here:
 # https://github.com/ambv/black/issues/21. Guido agrees here:
 # https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b.
-ignore = E501,W503
+extend-ignore = ["E501", "W503"]
diff --git a/requirements-test.txt b/requirements-test.txt
index 66f74db..3fd2ff1 100644
--- a/requirements-test.txt
+++ b/requirements-test.txt
@@ -1,2 +1,3 @@
 --requirement requirements.txt
+flake8-pyproject
 pre-commit
From 2a3bb8b44d9597078b1add4c6b649edf45955e91 Mon Sep 17 00:00:00 2001
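Review bot: Renaming `ignore` to `extend-ignore` in the last hunk of the `.flake8` to `pyproject.toml` rename is a behavior change rather than a syntax update: `ignore` replaces flake8's built-in default ignore list, while `extend-ignore` appends to it, so the codes in that default list (E121, E123, E126, E226, E24, E704, W504 in current flake8 releases) go from being reported under the old file to being silently ignored under the new one. If the previous rule set is meant to be preserved, the equivalent key is `ignore = ["E501", "W503"]`; if the looser set is intended, a one-line comment such as `# extend-ignore keeps flake8's default ignore list in force` would make that explicit for the next reader. The `select` list is not affected, since it already spells out the full set of enabled prefixes.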
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:25:57 -0500
Subject: [PATCH 13/32] Add flake8-pyproject as an additional dependency of the flake8 pre-commit hook This will ensure that, even when run as a pre-commit hook, flake8 reads its configuration from the pyproject.toml file.
---
 .pre-commit-config.yaml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bc76d85..2193233 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -144,6 +144,9 @@ repos:
 - id: flake8
 additional_dependencies:
 - flake8-docstrings==1.7.0
+ # This is necessary to read the flake8 configuration from
+ # the pyproject.toml file.
+ - flake8-pyproject
 - repo: https://github.com/PyCQA/isort
 rev: 6.0.1
 hooks:
From a70cf3c5a12b8dcd116867484ca76eed3e2b1c7c Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:32:02 -0500
Subject: [PATCH 14/32] Move isort config to pyproject.toml file
---
 .isort.cfg | 10 ---------- pyproject.toml | 12 ++++++++++++ 2 files changed, 12 insertions(+), 10 deletions(-) delete mode 100644 .isort.cfg
diff --git a/.isort.cfg b/.isort.cfg
deleted file mode 100644
index 46d45f3..0000000
--- a/.isort.cfg
+++ /dev/null
@@ -1,10 +0,0 @@
-[settings]
-combine_star=true
-force_sort_within_sections=true
-
-import_heading_stdlib=Standard Python Libraries
-import_heading_thirdparty=Third-Party Libraries
-import_heading_firstparty=cisagov Libraries
-
-# Run isort under the black profile to align with our other Python linting
-profile=black
diff --git a/pyproject.toml b/pyproject.toml
index 574223c..eec000b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -23,3 +23,15 @@ select = ["C", "D", "E", "F", "W", "B", "B950"]
 # https://github.com/ambv/black/issues/21. Guido agrees here:
 # https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b.
 extend-ignore = ["E501", "W503"]
+
+[tool.isort]
+combine_star = true
+force_sort_within_sections = true
+
+import_heading_stdlib = "Standard Python Libraries"
+import_heading_thirdparty = "Third-Party Libraries"
+import_heading_firstparty = "cisagov Libraries"
+
+# Run isort under the black profile to align with our other Python
+# linting
+profile = "black"
From c1861e6027848854dc975180e1e44b18cee73367 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:38:38 -0500
Subject: [PATCH 15/32] Add pyproject.toml as a trigger for the test label Also remove .flake8 and .isort.cfg as triggers for the same label.
---
 .github/labeler.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index a4e2186..d6c77d0 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -54,10 +54,9 @@ test:
 # Add any test-related files or paths.
 - .ansible-lint
 - .bandit.yml
- - .flake8
- - .isort.cfg
 - .mdl_config.yaml
 - .yamllint
+ - pyproject.toml
 typescript:
 - changed-files:
 - any-glob-to-any-file:
From 22c6f4019add36d3b9ff3e830f0f018be5aeedd2 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:40:19 -0500
Subject: [PATCH 16/32] Remove the .bandit.yml file This file was doing nothing due to its contents.
---
 .bandit.yml | 13 ------------- .github/labeler.yml | 1 - .pre-commit-config.yaml | 2 -- 3 files changed, 16 deletions(-) delete mode 100644 .bandit.yml
diff --git a/.bandit.yml b/.bandit.yml
deleted file mode 100644
index ab3cb21..0000000
--- a/.bandit.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-# Configuration file for the Bandit python security scanner
-# https://bandit.readthedocs.io/en/latest/config.html
-
-# Tests are first included by `tests`, and then excluded by `skips`.
-# If `tests` is empty, all tests are considered included.
-
-tests:
-# - B101
-# - B102
-
-skips:
-# - B101 # skip "assert used" check since assertions are required in pytests
diff --git a/.github/labeler.yml b/.github/labeler.yml
index d6c77d0..914ddd1 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -53,7 +53,6 @@ test:
 - any-glob-to-any-file:
 # Add any test-related files or paths.
 - .ansible-lint
- - .bandit.yml
 - .mdl_config.yaml
 - .yamllint
 - pyproject.toml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2193233..e2e557e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -132,8 +132,6 @@ repos:
 rev: 1.8.6
 hooks:
 - id: bandit
- args:
- - --config=.bandit.yml
 - repo: https://github.com/psf/black-pre-commit-mirror
 rev: 25.1.0
 hooks:
From 15cb60196e1a5d71c6039ec2081acbe80d4c37a0 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:48:16 -0500
Subject: [PATCH 17/32] Pin the flake8-pyproject dependency in the pre-commit configuration The flake8-docstrings dependency is pinned, so this one should be too.
---
 .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e2e557e..a8c71b5 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -144,7 +144,7 @@ repos:
 - flake8-docstrings==1.7.0
 # This is necessary to read the flake8 configuration from
 # the pyproject.toml file.
- - flake8-pyproject
+ - flake8-pyproject==1.2.3
 - repo: https://github.com/PyCQA/isort
 rev: 6.0.1
 hooks:
From bc6bf8c2d3b47d56d189ece182cb0389e3b96358 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 7 Nov 2025 13:31:17 -0500
Subject: [PATCH 18/32] Remove flake8-pyproject dependency from requirements-test.txt flake8 itself isn't installed here, so this dependency shouldn't be either. This jibes with the fact that we don't install flake8-docstrings (another dependency of the flake8 pre-commit hook) into the virtual environment either.
---
 requirements-test.txt | 1 - 1 file changed, 1 deletion(-)
diff --git a/requirements-test.txt b/requirements-test.txt
index 3fd2ff1..66f74db 100644
--- a/requirements-test.txt
+++ b/requirements-test.txt
@@ -1,3 +1,2 @@
 --requirement requirements.txt
-flake8-pyproject
 pre-commit
From c7c0c0ad2acaff7d34c19fe54929f0291fc226a6 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Mon, 17 Nov 2025 10:27:14 -0500
Subject: [PATCH 19/32] Upgrade pre-commit hooks via pre-commit autoupdate
---
 .pre-commit-config.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bc76d85..316366f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -63,20 +63,20 @@ repos:
 # GitHub Actions hooks
 - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.33.3
+ rev: 0.35.0
 hooks:
 - id: check-github-actions
 - id: check-github-workflows
 # pre-commit hooks
 - repo: https://github.com/pre-commit/pre-commit
- rev: v4.3.0
+ rev: v4.4.0
 hooks:
 - id: validate_manifest
 # Go hooks
 - repo: https://github.com/TekWizely/pre-commit-golang
- rev: v1.0.0-rc.2
+ rev: v1.0.0-rc.4
 hooks:
 # Go Build
 - id: go-build-repo-mod
@@ -129,13 +129,13 @@ repos:
 # Python hooks
 - repo: https://github.com/PyCQA/bandit
- rev: 1.8.6
+ rev: 1.9.0
 hooks:
 - id: bandit
 args:
 - --config=.bandit.yml
 - repo: https://github.com/psf/black-pre-commit-mirror
- rev: 25.1.0
+ rev: 25.11.0
 hooks:
 - id: black
 - repo: https://github.com/PyCQA/flake8
@@ -145,11 +145,11 @@ repos:
 additional_dependencies:
 - flake8-docstrings==1.7.0
 - repo: https://github.com/PyCQA/isort
- rev: 6.0.1
+ rev: 7.0.0
 hooks:
 - id: isort
 - repo: https://github.com/pre-commit/mirrors-mypy
- rev: v1.18.1
+ rev: v1.18.2
 hooks:
 - id: mypy
 - repo: https://github.com/pypa/pip-audit
@@ -165,13 +165,13 @@ repos:
 - --requirement
 - requirements.txt
 - repo: https://github.com/asottile/pyupgrade
- rev: v3.20.0
+ rev: v3.21.1
 hooks:
 - id: pyupgrade
 # Ansible hooks
 - repo: https://github.com/ansible/ansible-lint
- rev: v25.9.0
+ rev: v25.11.0
 hooks:
 - id: ansible-lint
 additional_dependencies:
@@ -215,7 +215,7 @@ repos:
 # Terraform hooks
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.100.0
+ rev: v1.103.0
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
From 2d88e72d0f403e64d43d8d1c240ad561475dce51 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Thu, 17 Jul 2025 12:50:32 -0400
Subject: [PATCH 20/32] Add a CodeQL badge to the README We added a CodeQL configuration in #202 but did not add a badge.
---
 README.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 22134a3..33fc585 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,7 @@
 [![GitHub Build Status](https://github.com/cisagov/skeleton-generic/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-generic/actions)
 [![License](https://img.shields.io/github/license/cisagov/skeleton-generic
 )](https://spdx.org/licenses/)
+[![CodeQL](https://github.com/cisagov/skeleton-generic/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-generic/actions/workflows/codeql-analysis.yml)
 This is a generic skeleton project that can be used to quickly get a new [cisagov](https://github.com/cisagov) GitHub project started.
From 2759cc5e4110bb170f5a2661b93b7b634265bb89 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Mon, 17 Nov 2025 22:16:49 -0500
Subject: [PATCH 21/32] Update Bandit pre-commit hook The 1.9.0 release of Bandit was flawed due to a failure of the GHA workflows that publish to PyPI and Test PyPI. The 1.9.1 release resolved the issue.
---
 .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f3570eb..93493c9 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -129,7 +129,7 @@ repos:
 # Python hooks
 - repo: https://github.com/PyCQA/bandit
- rev: 1.9.0
+ rev: 1.9.1
 hooks:
 - id: bandit
 - repo: https://github.com/psf/black-pre-commit-mirror
From 12101f04dca8475fd566b6ba40322fec219d0e64 Mon Sep 17 00:00:00 2001
From: Shane Frasier
Date: Tue, 18 Nov 2025 14:35:18 -0500
Subject: [PATCH 22/32] Revert "Move all Python tool configs to `pyproject.toml`"
---
 .bandit.yml | 13 +++++++++++++ pyproject.toml => .flake8 | 18 +++--------------- .github/labeler.yml | 4 +++- .isort.cfg | 10 ++++++++++ .pre-commit-config.yaml | 5 ++--- 5 files changed, 31 insertions(+), 19 deletions(-) create mode 100644 .bandit.yml rename pyproject.toml => .flake8 (75%) create mode 100644 .isort.cfg
diff --git a/.bandit.yml b/.bandit.yml
new file mode 100644
index 0000000..ab3cb21
--- /dev/null
+++ b/.bandit.yml
@@ -0,0 +1,13 @@
+---
+# Configuration file for the Bandit python security scanner
+# https://bandit.readthedocs.io/en/latest/config.html
+
+# Tests are first included by `tests`, and then excluded by `skips`.
+# If `tests` is empty, all tests are considered included.
+
+tests:
+# - B101
+# - B102
+
+skips:
+# - B101 # skip "assert used" check since assertions are required in pytests
diff --git a/pyproject.toml b/.flake8
similarity index 75%
rename from pyproject.toml
rename to .flake8
index eec000b..92ff826 100644
--- a/pyproject.toml
+++ b/.flake8
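Review bot: The restored `.bandit.yml` leaves `tests:` and `skips:` as bare keys, which YAML parses as null rather than as an empty list, and that is presumably what the earlier commit in this series meant by the file "doing nothing". If the file is being kept as a documented placeholder for the security scanner's include/skip lists, make the shape explicit with `tests: []` and `skips: []` so a reader (and yamllint's `empty-values` rule) can tell an intentional empty list from a missing value, and keep the commented `# - B101` examples beneath each key as they are.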
@@ -1,4 +1,4 @@
-[tool.flake8]
+[flake8]
 max-line-length = 80
 # Select (turn on)
 # * Complexity violations reported by mccabe (C) -
@@ -13,7 +13,7 @@ max-line-length = 80
 # https://github.com/PyCQA/flake8-bugbear#list-of-warnings
 # * The B950 flake8-bugbear opinionated warning -
 # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings
-select = ["C", "D", "E", "F", "W", "B", "B950"]
+select = C,D,E,F,W,B,B950
 # Ignore flake8's default warning about maximum line length, which has
 # a hard stop at the configured value. Instead we use
 # flake8-bugbear's B950, which allows up to 10% overage.
@@ -22,16 +22,4 @@ select = ["C", "D", "E", "F", "W", "B", "B950"]
 # operators. It no longer agrees with PEP8. See, for example, here:
 # https://github.com/ambv/black/issues/21. Guido agrees here:
 # https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b.
-extend-ignore = ["E501", "W503"]
-
-[tool.isort]
-combine_star = true
-force_sort_within_sections = true
-
-import_heading_stdlib = "Standard Python Libraries"
-import_heading_thirdparty = "Third-Party Libraries"
-import_heading_firstparty = "cisagov Libraries"
-
-# Run isort under the black profile to align with our other Python
-# linting
-profile = "black"
+ignore = E501,W503
diff --git a/.github/labeler.yml b/.github/labeler.yml
index ff74248..05478bd 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -61,9 +61,11 @@ test:
 - any-glob-to-any-file:
 # Add any test-related files or paths.
 - .ansible-lint
+ - .bandit.yml
+ - .flake8
+ - .isort.cfg
 - .mdl_config.yaml
 - .yamllint
- - pyproject.toml
 typescript:
 - changed-files:
 - any-glob-to-any-file:
diff --git a/.isort.cfg b/.isort.cfg
new file mode 100644
index 0000000..46d45f3
--- /dev/null
+++ b/.isort.cfg
@@ -0,0 +1,10 @@
+[settings]
+combine_star=true
+force_sort_within_sections=true
+
+import_heading_stdlib=Standard Python Libraries
+import_heading_thirdparty=Third-Party Libraries
+import_heading_firstparty=cisagov Libraries
+
+# Run isort under the black profile to align with our other Python linting
+profile=black
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 93493c9..471cdc3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -132,6 +132,8 @@ repos:
 rev: 1.9.1
 hooks:
 - id: bandit
+ args:
+ - --config=.bandit.yml
 - repo: https://github.com/psf/black-pre-commit-mirror
 rev: 25.11.0
 hooks:
@@ -142,9 +144,6 @@ repos:
 - id: flake8
 additional_dependencies:
 - flake8-docstrings==1.7.0
- # This is necessary to read the flake8 configuration from
- # the pyproject.toml file.
- - flake8-pyproject==1.2.3
 - repo: https://github.com/PyCQA/isort
 rev: 7.0.0
 hooks:
From ffab6a2c8ffa266da93bf7712448282f9c237617 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Wed, 19 Nov 2025 13:26:31 -0500
Subject: [PATCH 23/32] Keep two Bandit blocks in sync wrt version
---
 .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9416616..76d5cb3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -139,7 +139,7 @@ repos:
 - --config=.bandit.yml
 # Run bandit on everything but the tests directory
 - repo: https://github.com/PyCQA/bandit
- rev: 1.8.6
+ rev: 1.9.1
 hooks:
 - id: bandit
 name: bandit (everything but the tests directory)
From 03c018974b04540e7af2c300d15ea13e0f3f0a6a Mon Sep 17 00:00:00 2001
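Review bot: The second `- repo: https://github.com/PyCQA/bandit` block in the "Keep two Bandit blocks in sync" hunk carries its own `rev`, which is what let it sit at 1.8.6 while the first block moved on to 1.9.1, and the same drift will recur after every autoupdate as long as the two entries are separate. Since both entries point at the same repository they can share one `rev`: keep a single repo block and list `- id: bandit` twice under its `hooks:`, each with its own `name:` and `args:`, so that `pre-commit autoupdate` moves both together and the security scanner's two passes can never run different versions. The first bandit block's header lies outside this hunk, so this is inferred from the `# Run bandit on everything but the tests directory` comment and the duplicated repo URL.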
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Nov 2025 18:37:26 +0000
Subject: [PATCH 24/32] Bump actions/checkout from 5 to 6 Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v5...v6)
--- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot]
---
 .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c11089c..471a494 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -100,7 +100,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: setup-env
 uses: cisagov/setup-env-github-action@v1
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - id: setup-python
 uses: actions/setup-python@v6
 with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ac19c95..5458e86 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -113,7 +113,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index bc859d1..580fa9c 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -89,7 +89,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: checkout-repo
 name: Checkout the repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - id: dependency-review
 name: Review dependency changes for vulnerabilities and license changes
 uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 19e0129..f60bc84 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -84,7 +84,7 @@ jobs:
 # monitoring configuration *does not* require you to modify
 # this workflow.
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - name: Sync repository labels
 if: success()
 uses: crazy-max/ghaction-github-labeler@v5
From 504da27763e85e4cb0c5fb67452036736c330619 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Mon, 24 Nov 2025 21:55:42 -0500
Subject: [PATCH 25/32] Upgrade the ansible-line pre-commit hook This is necessary for cisagov/skeleton-ansible-role#243 (Fedora 43 support). See here for more details about this release: https://github.com/ansible/ansible-lint/releases/tag/v25.11.1
---
 .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 471cdc3..af07afc 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -171,7 +171,7 @@ repos:
 # Ansible hooks
 - repo: https://github.com/ansible/ansible-lint
- rev: v25.11.0
+ rev: v25.11.1
 hooks:
 - id: ansible-lint
 additional_dependencies:
From 951238c7eda7eb3bbef82290b5202841b54d881f Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Wed, 26 Nov 2025 09:30:21 -0500
Subject: [PATCH 26/32] Add --py310-plus argument to pyupgrade Python 3.10 is currently the oldest non-EOL version of Python, so we want to apply all rules that apply to this version or later. See here for more details: https://www.gyford.com/phil/writing/2025/08/26/how-to-use-pyupgrade/
---
 .pre-commit-config.yaml | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 471cdc3..c43ef99 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -168,6 +168,12 @@ repos:
 rev: v3.21.1
 hooks:
 - id: pyupgrade
+ args:
+ # Python 3.10 is currently the oldest non-EOL version of
+ # Python, so we want to apply all rules that apply to this
+ # version or later. See here for more details:
+ # https://www.gyford.com/phil/writing/2025/08/26/how-to-use-pyupgrade/
+ - --py310-plus
 # Ansible hooks
 - repo: https://github.com/ansible/ansible-lint
From d2fb5c3d3261468cbc3a9619b1d476dfffcabf65 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 5 Dec 2025 12:19:20 -0500
Subject: [PATCH 27/32] Remove comments that are no longer relevant
---
 .pre-commit-config.yaml | 15 --------------- 1 file changed, 15 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 471cdc3..5eff6a8 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
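Review bot: `--py310-plus` hard-codes a Python floor that will go stale (3.10 reaches end of life in October 2026) and its justification is a link to a third-party blog post rather than a rule the next maintainer can apply. A shorter comment stating the maintenance rule would age better, e.g. `# Match the oldest Python version this project still supports; bump this flag when that version reaches EOL.`, and if the project declares a minimum Python elsewhere (not visible in this hunk) the two should be kept in step so pyupgrade does not rewrite code into syntax the declared floor cannot run.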
@@ -187,22 +187,7 @@ repos:
 # hook identifies a vulnerability in ansible-core 2.16.13,
 # but all versions of ansible 9 have a dependency on
 # ~=2.16.X.
- #
- # It is also a good idea to go ahead and upgrade to version
- # 10 since version 9 is going EOL at the end of November:
- # https://endoflife.date/ansible
 # - ansible>=10,<11
- # ansible-core 2.16.3 through 2.16.6 suffer from the bug
- # discussed in ansible/ansible#82702, which breaks any
- # symlinked files in vars, tasks, etc. for any Ansible role
- # installed via ansible-galaxy. Hence we never want to
- # install those versions.
- #
- # Note that the pip-audit pre-commit hook identifies a
- # vulnerability in ansible-core 2.16.13. The pin of
- # ansible-core to >=2.17 effectively also pins ansible to
- # >=10.
- #
 # It is also a good idea to go ahead and upgrade to
 # ansible-core 2.17 since security support for ansible-core
 # 2.16 ends this month:
From 538a953fec49769c2cc51b84d0bef2cdc1635400 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 5 Dec 2025 12:20:29 -0500
Subject: [PATCH 28/32] Pin ansible-core to 2.17.7 or later ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.
---
 .pre-commit-config.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5eff6a8..71e816f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -188,15 +188,12 @@ repos: # but all versions of ansible 9 have a dependency on # ~=2.16.X. # - ansible>=10,<11 - # It is also a good idea to go ahead and upgrade to - # ansible-core 2.17 since security support for ansible-core - # 2.16 ends this month: - # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix + # ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78. # # Note that any changes made to this dependency must also be # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. - - ansible-core>=2.17 + - ansible-core>=2.17.7 # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform From 4a19d04d26ce0d7f9673e57855407e91bd41285a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 16 Jan 2026 14:54:55 -0500 Subject: [PATCH 29/32] Update actions/checkout to v6 in two more places --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 56cc72f..fbef599 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -231,7 +231,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@v1 - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - id: setup-python uses: actions/setup-python@v6 with: @@ -292,7 +292,7 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Get the short SHA for the commit being used run: | echo "GH_SHORT_SHA=${GITHUB_SHA::7}" >> $GITHUB_ENV From 3abb5efd54aee43faf0f136bb6b987449ebab84b Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Fri, 16 Jan 2026 14:57:21 -0500 Subject: [PATCH 30/32] Update type hints This gets rid of some errors from our pyupgrade pre-commit hook. --- src/lambda_handler.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/lambda_handler.py b/src/lambda_handler.py index 74ca692..6975086 100644 --- a/src/lambda_handler.py +++ b/src/lambda_handler.py @@ -4,7 +4,7 @@ from datetime import datetime, timezone import logging import os -from typing import Any, Optional, Union +from typing import Any # Third-Party Libraries import cowsay @@ -36,9 +36,9 @@ def task_default(event): return result -def task_cowsay(event) -> dict[str, Union[Optional[str], bool]]: +def task_cowsay(event) -> dict[str, str | None | bool]: """Generate an output message using the provided information.""" - result: dict[str, Union[Optional[str], bool]] = {"message": None, "success": True} + result: dict[str, str | None | bool] = {"message": None, "success": True} character: str = event.get("character", "tux") if character not in cowsay.characters.CHARS.keys(): @@ -55,9 +55,9 @@ def task_cowsay(event) -> dict[str, Union[Optional[str], bool]]: return result -def task_divide(event) -> dict[str, Union[Optional[float], bool]]: +def task_divide(event) -> dict[str, float | None | bool]: """Divide one number by another and provide the result.""" - result: dict[str, Union[Optional[float], bool]] = {"result": None, "success": True} + result: dict[str, float | None | bool] = {"result": None, "success": True} numerator: str = event.get("numerator", None) denominator: str = event.get("denominator", None) @@ -83,7 +83,7 @@ def task_divide(event) -> dict[str, Union[Optional[float], bool]]: return result -def handler(event, context) -> dict[str, Optional[str]]: +def handler(event, context) -> dict[str, str | None]: """Process the event and generate a response. The event should have a task member that is one of the supported tasks. 
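Review bot: The rewritten return annotations such as `def task_cowsay(event) -> dict[str, str | None | bool]:` (and the same on `task_divide` and `handler`) are evaluated at import time, and `str | None` is only valid at runtime from Python 3.10 (PEP 604); on the `aws-lambda-python:3.9` image this series still builds in the Dockerfile, importing `lambda_handler` would raise `TypeError: unsupported operand type(s) for |` before any handler runs. The local `result:` annotations inside the function bodies are not evaluated by CPython and are not the problem. Unless a `from __future__ import annotations` already sits in lines 1–3 (outside the hunk), add it as the first statement after the module docstring, or bump the Lambda runtime to 3.10+ so it matches the pyupgrade floor. The bodies of these functions continue outside the hunks.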
@@ -94,7 +94,7 @@ def handler(event, context) -> dict[str, Optional[str]]: :return: The result of the action. """ old_log_level = None - response: dict[str, Optional[str]] = {"timestamp": str(datetime.now(timezone.utc))} + response: dict[str, str | None] = {"timestamp": str(datetime.now(timezone.utc))} # Update the logging level if necessary new_log_level = os.environ.get("log_level", default_log_level).upper() From 5474af864db3221997c36c36f15c71bd4982e3e0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 16 Jan 2026 15:16:02 -0500 Subject: [PATCH 31/32] Rename Docker composition config compose.yml is now preferred over docker-compose.yml. --- docker-compose.yml => compose.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docker-compose.yml => compose.yml (100%) diff --git a/docker-compose.yml b/compose.yml similarity index 100% rename from docker-compose.yml rename to compose.yml From 5edcf53d65333fc7550c120edaf721235860d5eb Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 16 Jan 2026 15:21:53 -0500 Subject: [PATCH 32/32] Fully specify the base Docker images being used This aligns with what is being done in cisagov/skeleton-docker. --- Dockerfile | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 505b296..3ec57d7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,9 @@ -# The runtime tag must match the version of Python specified in the Pipfile. -FROM amazon/aws-lambda-python:3.9 AS install-stage +# The runtime tag must match the version of Python specified in the +# Pipfile. +# +# Official Docker images are in the form library/ while +# non-official images are in the form /. +FROM docker.io/amazon/aws-lambda-python:3.9 AS install-stage # Install the Python packages necessary to install the Lambda dependencies. RUN python3 -m pip install --no-cache-dir \ 
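Review bot: The new `FROM docker.io/amazon/aws-lambda-python:3.9 AS install-stage` line qualifies the registry but still references a mutable tag, so each build silently picks up whatever that tag points to; if the goal is a fully specified base image, also pin the digest, `FROM docker.io/amazon/aws-lambda-python:3.9@sha256:<digest> AS install-stage`, and let the dependency bot refresh it. Separately, the pyupgrade comment earlier in this series states that Python 3.10 is the oldest non-EOL version, so this stage is knowingly building on an end-of-life interpreter; the comment should say so and name the planned upgrade, or the tag should move to 3.10+ together with the Pipfile. The placeholders in `library/ ... /` look stripped (possibly by rendering); if the file really reads that way, restore `library/<image>` and `<namespace>/<image>`.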
@@ -21,8 +25,12 @@ COPY build/Pipfile build/Pipfile.lock ./ # underlying pip calls. RUN pipenv sync --system --extra-pip-args="--no-cache-dir --target ${LAMBDA_TASK_ROOT}" -# The runtime tag must match the version of Python specified in the Pipfile. -FROM amazon/aws-lambda-python:3.9 AS build-stage +# The runtime tag must match the version of Python specified in the +# Pipfile. +# +# Official Docker images are in the form library/ while +# non-official images are in the form /. +FROM docker.io/amazon/aws-lambda-python:3.9 AS build-stage ### # For a list of pre-defined annotation keys and value types see:
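Review bot: This `FROM docker.io/amazon/aws-lambda-python:3.9 AS build-stage` repeats the base-image reference already used by `install-stage`, so any future digest pin or version bump must be made in two places and the stages can drift apart; the comment about matching the Pipfile is likewise duplicated. Hoisting the reference into one build argument keeps both stages on the same image, e.g. `ARG BASE_IMAGE=docker.io/amazon/aws-lambda-python:3.9` before the first stage and `FROM ${BASE_IMAGE} AS build-stage` here (with the same substitution in `install-stage`). The rest of the build stage lies outside the hunk.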