diff --git a/.flake8 b/.flake8
index 92ff826..e9271ff 100644
--- a/.flake8
+++ b/.flake8
@@ -1,25 +1,40 @@ [flake8] max-line-length = 80 + # Select (turn on) -# * Complexity violations reported by mccabe (C) - -# http://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes -# * Documentation conventions compliance reported by pydocstyle (D) - -# http://www.pydocstyle.org/en/stable/error_codes.html -# * Default errors and warnings reported by pycodestyle (E and W) - +# * C: Complexity violations reported by mccabe - +# https://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes +# * C4: Default errors and warnings reported by flake8-comprehensions - +# https://github.com/adamchainz/flake8-comprehensions#rules +# * D: Documentation conventions compliance reported by pydocstyle - +# https://github.com/PyCQA/pydocstyle/blob/master/docs/error_codes.rst +# * DUO: Default errors and warnings reported by dlint - +# https://github.com/dlint-py/dlint/tree/master/docs +# * E: Default errors reported by pycodestyle - # https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes -# * Default errors reported by pyflakes (F) - -# http://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes -# * Default warnings reported by flake8-bugbear (B) - +# * F: Default errors reported by pyflakes - +# https://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes +# * N: Default errors and warnings reported by pep8-naming - +# https://github.com/PyCQA/pep8-naming#error-codes +# * NQA: Default errors and warnings reported by flake8-noqa - +# https://github.com/plinss/flake8-noqa#error-codes +# * W: Default warnings reported by pycodestyle - +# https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes +# * B: Default warnings reported by flake8-bugbear - # https://github.com/PyCQA/flake8-bugbear#list-of-warnings -# * The B950 flake8-bugbear opinionated warning - +# * B950: Bugbear opinionated warning for line too long - # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings -select = C,D,E,F,W,B,B950 -# Ignore 
flake8's default warning about maximum line length, which has -# a hard stop at the configured value. Instead we use -# flake8-bugbear's B950, which allows up to 10% overage. -# -# Also ignore flake8's warning about line breaks before binary -# operators. It no longer agrees with PEP8. See, for example, here: -# https://github.com/ambv/black/issues/21. Guido agrees here: -# https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b. -ignore = E501,W503 +select = C,C4,D,DUO,E,F,N,NQA,W,B,B950 + +# Ignore +# * E203: pycodestyle's default warning about whitespace before ':' because Black enforces +# an equal amount of whitespace around slice operators (':'). +# * E501: pycodestyle's default warning about maximum line length, which has a hard stop +# at the configured value. Instead we use flake8-bugbear's B950, which +# allows up to 10% overage. +# * W503: pycodestyle's warning about line breaks before binary operators. It no longer +# agrees with PEP8. See, for example, here: +# https://github.com/ambv/black/issues/21 +# Guido agrees here: +# https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b +ignore = E203,E501,W503 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fbef599..b1a30b8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,8 @@ on: # yamllint disable-line rule:truthy merge_group: types: - checks_requested + # We use the default activity types for the pull_request event as specified here: + # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request pull_request: push: repository_dispatch: 
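Review bot: On the new `select = C,C4,D,DUO,E,F,N,NQA,W,B,B950` line, flake8 matches select entries by prefix, so `C` already enables every C4xx code from flake8-comprehensions as well as mccabe's C901; the separate `C4` entry is redundant and the comment `# * C: Complexity violations reported by mccabe` understates what `C` turns on. Using mccabe's own prefix, `select = C4,C90,D,DUO,E,F,N,NQA,W,B,B950`, makes each entry correspond to exactly one of the plugins the comment block lists. Separately, mccabe only reports C901 when `max-complexity` is set, and no such key appears in this file (the hunk covers all 40 lines), so unless it is passed on the command line the complexity check described in the comment is not actually running. A `max-complexity = <chosen limit>` entry, or a comment saying the check is intentionally dormant, would close that gap.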
@@ -24,7 +26,7 @@ env: PIP_CACHE_DIR: ~/.cache/pip PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit RUN_TMATE: ${{ secrets.RUN_TMATE }} - TERRAFORM_DOCS_REPO_BRANCH_NAME: improvement/support_atx_closed_markdown_headers + TERRAFORM_DOCS_REPO_BRANCH_NAME: cisagov TERRAFORM_DOCS_REPO_DEPTH: 1 TERRAFORM_DOCS_REPO_URL: https://github.com/mcdonnnj/terraform-docs.git @@ -119,18 +121,20 @@ jobs: name: Lookup Go cache directory run: | echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - - uses: actions/cache@v4 + - uses: actions/cache@v5 env: - BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ - py${{ steps.setup-python.outputs.python-version }}-\ - go${{ steps.setup-go.outputs.go-version }}-\ - packer${{ steps.setup-env.outputs.packer-version }}-\ - tf${{ steps.setup-env.outputs.terraform-version }}- + BASE_CACHE_KEY: >- + ${{ github.job }}-${{ runner.os + }}-py${{ steps.setup-python.outputs.python-version + }}-go${{ steps.setup-go.outputs.go-version + }}-packer${{ steps.setup-env.outputs.packer-version + }}-tf${{ steps.setup-env.outputs.terraform-version }}- with: - key: ${{ env.BASE_CACHE_KEY }}\ - ${{ hashFiles('**/requirements-test.txt') }}-\ - ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('**/.pre-commit-config.yaml') }} + key: >- + ${{ env.BASE_CACHE_KEY }}${{ + hashFiles('**/requirements-test.txt') }}-${{ + hashFiles('**/requirements.txt') }}-${{ + hashFiles('**/.pre-commit-config.yaml') }} # Note that the .terraform directory IS NOT included in the # cache because if we were caching, then we would need to use # the `-upgrade=true` option. This option blindly pulls down the 
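Review bot: The rewritten `BASE_CACHE_KEY` and `key` values in the `@@ -119,18 +121,20 @@` hunk work only because of a non-obvious trick: `>-` joins each line break with a space, and every break has been placed inside a `${{ … }}` expression so the inserted space lands in expression whitespace rather than in the cache key itself. That deserves a comment, e.g. `# Line breaks sit inside ${{ }} so the spaces that >- inserts never reach the cache key.`, because the next person who wraps a line at a `-` boundary will silently change the key and miss the cache with no error. The other job's `BASE_CACHE_KEY`, visible as context in the `@@ -236,7 +243,7 @@` hunk below, still uses the double-quoted backslash-continuation form, so the file now carries two different continuation styles for the same construct; I would pick one. The enclosing job definition starts and ends outside this hunk.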
@@ -146,12 +150,12 @@ jobs: - uses: hashicorp/setup-packer@v3 with: version: ${{ steps.setup-env.outputs.packer-version }} - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - name: Install go-critic env: - PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic + PACKAGE_URL: github.com/go-critic/go-critic/cmd/go-critic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install goimports @@ -170,10 +174,13 @@ jobs: PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} # TODO: https://github.com/cisagov/skeleton-generic/issues/165 - # We are temporarily using @mcdonnnj's forked branch of terraform-docs - # until his PR: https://github.com/terraform-docs/terraform-docs/pull/745 - # is approved. This temporary fix will allow for ATX header support when - # terraform-docs is run during linting. + # We are temporarily using a branch of @mcdonnnj's fork of terraform-docs that + # groups changes from his PRs until they are approved and merged: + # https://github.com/terraform-docs/terraform-docs/pull/745 + # https://github.com/terraform-docs/terraform-docs/pull/901 + # This temporary fix will allow for ATX header support when terraform-docs is run + # during linting and output delimiter rows with cell spacing that passes + # Markdownlint's MD060/table-column-style rule. - name: Clone ATX headers branch from terraform-docs fork run: | git clone \ @@ -188,7 +195,7 @@ jobs: -o $(go env GOPATH)/bin/terraform-docs - name: Install dependencies run: | - python -m pip install --upgrade pip setuptools wheel + python -m pip install --upgrade pip setuptools pip install --upgrade --requirement requirements-test.txt - name: Set up pre-commit hook environments run: pre-commit install-hooks 
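Review bot: The new `PACKAGE_URL: github.com/go-critic/go-critic/cmd/go-critic` only installs if the version resolved from `steps.setup-env.outputs.go-critic-version` (set in a step outside this hunk) ships a `cmd/go-critic` package; the removed line shows earlier versions used `cmd/gocritic`, so the path and the pinned version have to move together or `go install ${PACKAGE_URL}@${PACKAGE_VERSION}` fails at this step. A one-line comment above the env block would make that coupling visible, e.g. `# The command path moved from cmd/gocritic to cmd/go-critic; keep go-critic-version in setup-env in step with it.`. The enclosing job continues outside this hunk.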
@@ -236,7 +243,7 @@ jobs: uses: actions/setup-python@v6 with: python-version: ${{ steps.setup-env.outputs.python-version }} - - uses: actions/cache@v3 + - uses: actions/cache@v5 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 91c62d7..05ae48b 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -12,6 +12,8 @@ on: merge_group: types: - checks_requested + # We use the default activity types for the pull_request event as specified here: + # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request pull_request: # The branches here must be a subset of the ones in the push key branches: diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 580fa9c..2b71638 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -5,6 +5,8 @@ on: # yamllint disable-line rule:truthy merge_group: types: - checks_requested + # We use the default activity types for the pull_request event as specified here: + # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request pull_request: # Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace, diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml index 412cc4a..45d317b 100644 --- a/.github/workflows/label-prs.yml +++ b/.github/workflows/label-prs.yml 
@@ -2,11 +2,9 @@ name: Label pull requests on: # yamllint disable-line rule:truthy + # We use the default activity types for the pull_request event as specified here: + # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request pull_request: - types: - - edited - - opened - - synchronize # Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace, # nounset, errexit, and pipefail. The `-x` will print all commands as they are diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index f60bc84..a8d01be 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -87,7 +87,7 @@ jobs: - uses: actions/checkout@v6 - name: Sync repository labels if: success() - uses: crazy-max/ghaction-github-labeler@v5 + uses: crazy-max/ghaction-github-labeler@v6 with: # This is a hideous ternary equivalent so we only do a dry run unless # this workflow is triggered by the develop branch. diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1c8d0e3..f8a83de 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -45,17 +45,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.45.0 + rev: v0.48.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/rbubley/mirrors-prettier - rev: v3.6.2 + rev: v3.8.1 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.37.1 + rev: v1.38.0 hooks: - id: yamllint args: @@ -63,14 +63,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.35.0 + rev: 0.37.0 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.4.0 + rev: v4.5.1 hooks: - id: validate_manifest 
@@ -105,7 +105,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.12.0-2 + rev: v3.13.0-1 hooks: - id: shfmt args: @@ -130,7 +130,7 @@ repos: # Python hooks # Run bandit on the tests directory with a custom configuration - repo: https://github.com/PyCQA/bandit - rev: 1.9.1 + rev: 1.9.4 hooks: - id: bandit name: bandit (tests directory) @@ -139,13 +139,13 @@ repos: - --config=.bandit.yml # Run bandit on everything but the tests directory - repo: https://github.com/PyCQA/bandit - rev: 1.9.1 + rev: 1.9.4 hooks: - id: bandit name: bandit (everything but the tests directory) exclude: tests - repo: https://github.com/psf/black-pre-commit-mirror - rev: 25.11.0 + rev: 26.3.1 hooks: - id: black - repo: https://github.com/PyCQA/flake8 @@ -153,20 +153,41 @@ repos: hooks: - id: flake8 additional_dependencies: + - dlint==0.16.0 + - flake8-bugbear==25.11.29 + - flake8-comprehensions==3.17.0 - flake8-docstrings==1.7.0 + - flake8-noqa==1.5.0 + - pep8-naming==0.15.1 - repo: https://github.com/PyCQA/isort - rev: 7.0.0 + rev: 8.0.1 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.18.2 + rev: v1.19.1 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit - rev: v2.9.0 + rev: v2.10.0 hooks: - id: pip-audit args: + # We have to ignore this vulnerability for now since an + # update for pygments has not yet been released. + # + # In any event, this vulnerability is unlikely to cause us + # any problems since we don't feed any regexes to pygments + # directly. pygments is pulled in as a dependency of + # pytest. + # + # See also: + # - https://nvd.nist.gov/vuln/detail/CVE-2026-4539 + # - https://github.com/pygments/pygments/issues/3058 + # + # TODO: Remove this when it becomes possible. See + # cisagov/skeleton-generic#257 for more details. + - --ignore-vuln + - CVE-2026-4539 # Add any pip requirements files to scan - --requirement - requirements-dev.txt 
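Review bot: The `--ignore-vuln CVE-2026-4539` suppression added to the pip-audit args in the `@@ -153,20 +153,41 @@` hunk has no expiry and pip-audit provides none, so the TODO pointing at cisagov/skeleton-generic#257 is the only thing that will ever revisit it; the comment should also state the concrete condition that lifts it, e.g. `# Drop this ignore once a pygments release that fixes CVE-2026-4539 is available and pulled in by pytest.`. It is also worth stating in the comment that the ignore applies to every `--requirement` file this hook scans, not only to the pytest dependency chain the justification describes, since that is what a reader of `--ignore-vuln` would otherwise have to work out from the hook's arguments. The justification itself (no regexes handed to pygments directly) is reasonable for a test-only dependency, but recording where pygments enters the tree keeps it checkable when the pins change.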
@@ -175,7 +196,7 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.21.1 + rev: v3.21.2 hooks: - id: pyupgrade args: @@ -187,7 +208,10 @@ repos: # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v25.11.1 + # We need to stay on this version because we are still using Python 3.13 in + # our GitHub Actions configuration. Later versions require Python 3.14 for + # the hook to run. + rev: v26.1.1 hooks: - id: ansible-lint additional_dependencies: @@ -213,10 +237,19 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.103.0 + rev: v1.105.0 hooks: - id: terraform_fmt - id: terraform_validate + # This needs to run after the terraform_validate hook so that any Terraform + # configurations are initialized. + - id: terraform_providers_lock + args: + - --args=-platform=darwin_amd64 + - --args=-platform=darwin_arm64 + - --args=-platform=linux_amd64 + - --args=-platform=linux_arm64 + - --hook-config=--mode=always-regenerate-lockfile # Docker hooks - repo: https://github.com/IamTheFij/docker-pre-commit diff --git a/Dockerfile b/Dockerfile index 3ec57d7..bc8ff4d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,7 +9,6 @@ FROM docker.io/amazon/aws-lambda-python:3.9 AS install-stage RUN python3 -m pip install --no-cache-dir \ pip \ setuptools \ - wheel \ # This version of pipenv is the minimum version to allow passing arguments # to pip with the --extra-pip-args option. && python3 -m pip install --no-cache-dir "pipenv>=2022.9.8" diff --git a/requirements.txt b/requirements.txt index 0a8547b..68cbeeb 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1 @@ -setuptools -wheel +setuptools>=70.1 diff --git a/setup-env b/setup-env index 89c7603..d3d003c 100755 --- a/setup-env +++ b/setup-env 
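Review bot: `--hook-config=--mode=always-regenerate-lockfile` on the new `terraform_providers_lock` hook in the `@@ -213,10 +237,19 @@` hunk means `.terraform.lock.hcl` is rewritten from freshly downloaded provider packages on every run; as far as the mode name and the pre-commit-terraform docs I recall indicate, that is a regeneration rather than a verification of the committed hashes, so the pinning the lock file exists for reduces to a reviewer noticing a changed hash line in the resulting diff. Whether a previously committed hash that no longer matches is reported as an error or silently replaced is something I would confirm against terraform's `providers lock` documentation before treating this hook as a supply-chain check; if only the four platform entries need to be kept present, the hook's default check-oriented mode would fail the commit instead of editing the file. Either way the comment above the hook should say what it does to the lock file, e.g. `# NOTE: this regenerates .terraform.lock.hcl from the registry on each run; review any changed hash lines rather than assuming they were verified.`.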
@@ -271,7 +271,7 @@ fi pyenv local "${env_name}" # Upgrade pip and friends -python3 -m pip install --upgrade pip setuptools wheel +python3 -m pip install --upgrade pip setuptools # Find a requirements file (if possible) and install for req_file in "requirements-dev.txt" "requirements-test.txt" "requirements.txt"; do