Lineage pull request for: skeleton

.flake8

@@ -1,25 +1,40 @@
 [flake8]
 max-line-length = 80
+
 # Select (turn on)
-# * Complexity violations reported by mccabe (C) -
-#   http://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes
-# * Documentation conventions compliance reported by pydocstyle (D) -
-#   http://www.pydocstyle.org/en/stable/error_codes.html
-# * Default errors and warnings reported by pycodestyle (E and W) -
+# * C: Complexity violations reported by mccabe -
+#   https://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes
+# * C4: Default errors and warnings reported by flake8-comprehensions -
+#   https://github.com/adamchainz/flake8-comprehensions#rules
+# * D: Documentation conventions compliance reported by pydocstyle -
+#   https://github.com/PyCQA/pydocstyle/blob/master/docs/error_codes.rst
+# * DUO: Default errors and warnings reported by dlint -
+#   https://github.com/dlint-py/dlint/tree/master/docs
+# * E: Default errors reported by pycodestyle -
 #   https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes
-# * Default errors reported by pyflakes (F) -
-#   http://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes
-# * Default warnings reported by flake8-bugbear (B) -
+# * F: Default errors reported by pyflakes -
+#   https://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes
+# * N: Default errors and warnings reported by pep8-naming -
+#   https://github.com/PyCQA/pep8-naming#error-codes
+# * NQA: Default errors and warnings reported by flake8-noqa -
+#   https://github.com/plinss/flake8-noqa#error-codes
+# * W: Default warnings reported by pycodestyle -
+#   https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes
+# * B: Default warnings reported by flake8-bugbear -
 #   https://github.com/PyCQA/flake8-bugbear#list-of-warnings
-# * The B950 flake8-bugbear opinionated warning -
+# * B950: Bugbear opinionated warning for line too long -
 #   https://github.com/PyCQA/flake8-bugbear#opinionated-warnings
-select = C,D,E,F,W,B,B950
-# Ignore flake8's default warning about maximum line length, which has
-# a hard stop at the configured value.  Instead we use
-# flake8-bugbear's B950, which allows up to 10% overage.
-#
-# Also ignore flake8's warning about line breaks before binary
-# operators.  It no longer agrees with PEP8.  See, for example, here:
-# https://github.com/ambv/black/issues/21. Guido agrees here:
-# https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b.
-ignore = E501,W503
+select = C,C4,D,DUO,E,F,N,NQA,W,B,B950
+
+# Ignore
+# * E203: pycodestyle's default warning about whitespace before ':' because Black enforces
+#   an equal amount of whitespace around slice operators (':').
+# * E501: pycodestyle's default warning about maximum line length, which has a hard stop
+#   at the configured value.  Instead we use flake8-bugbear's B950, which
+#   allows up to 10% overage.
+# * W503: pycodestyle's warning about line breaks before binary operators.  It no longer
+#   agrees with PEP8.  See, for example, here:
+#   https://github.com/ambv/black/issues/21
+#   Guido agrees here:
+#   https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b
+ignore = E203,E501,W503

.github/workflows/build.yml

@@ -5,6 +5,8 @@ on:  # yamllint disable-line rule:truthy
   merge_group:
     types:
       - checks_requested
+  # We use the default activity types for the pull_request event as specified here:
+  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
   pull_request:
   push:
   repository_dispatch:
@@ -24,7 +26,7 @@ env:
   PIP_CACHE_DIR: ~/.cache/pip
   PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
   RUN_TMATE: ${{ secrets.RUN_TMATE }}
-  TERRAFORM_DOCS_REPO_BRANCH_NAME: improvement/support_atx_closed_markdown_headers
+  TERRAFORM_DOCS_REPO_BRANCH_NAME: cisagov
   TERRAFORM_DOCS_REPO_DEPTH: 1
   TERRAFORM_DOCS_REPO_URL: https://github.com/mcdonnnj/terraform-docs.git
 
@@ -119,18 +121,20 @@ jobs:
         name: Lookup Go cache directory
         run: |
           echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
-      - uses: actions/cache@v4
+      - uses: actions/cache@v5
         env:
-          BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\
-            py${{ steps.setup-python.outputs.python-version }}-\
-            go${{ steps.setup-go.outputs.go-version }}-\
-            packer${{ steps.setup-env.outputs.packer-version }}-\
-            tf${{ steps.setup-env.outputs.terraform-version }}-
+          BASE_CACHE_KEY: >-
+            ${{ github.job }}-${{ runner.os
+            }}-py${{ steps.setup-python.outputs.python-version
+            }}-go${{ steps.setup-go.outputs.go-version
+            }}-packer${{ steps.setup-env.outputs.packer-version
+            }}-tf${{ steps.setup-env.outputs.terraform-version }}-
         with:
-          key: ${{ env.BASE_CACHE_KEY }}\
-            ${{ hashFiles('**/requirements-test.txt') }}-\
-            ${{ hashFiles('**/requirements.txt') }}-\
-            ${{ hashFiles('**/.pre-commit-config.yaml') }}
+          key: >-
+            ${{ env.BASE_CACHE_KEY }}${{
+            hashFiles('**/requirements-test.txt') }}-${{
+            hashFiles('**/requirements.txt') }}-${{
+            hashFiles('**/.pre-commit-config.yaml') }}
           # Note that the .terraform directory IS NOT included in the
           # cache because if we were caching, then we would need to use
           # the `-upgrade=true` option. This option blindly pulls down the
@@ -146,12 +150,12 @@ jobs:
       - uses: hashicorp/setup-packer@v3
         with:
           version: ${{ steps.setup-env.outputs.packer-version }}
-      - uses: hashicorp/setup-terraform@v3
+      - uses: hashicorp/setup-terraform@v4
         with:
           terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
       - name: Install go-critic
         env:
-          PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
+          PACKAGE_URL: github.com/go-critic/go-critic/cmd/go-critic
           PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
         run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       - name: Install goimports
@@ -170,10 +174,13 @@ jobs:
           PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
         run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       # TODO: https://github.com/cisagov/skeleton-generic/issues/165
-      # We are temporarily using @mcdonnnj's forked branch of terraform-docs
-      # until his PR: https://github.com/terraform-docs/terraform-docs/pull/745
-      # is approved. This temporary fix will allow for ATX header support when
-      # terraform-docs is run during linting.
+      # We are temporarily using a branch of @mcdonnnj's fork of terraform-docs that
+      # groups changes from his PRs until they are approved and merged:
+      # https://github.com/terraform-docs/terraform-docs/pull/745
+      # https://github.com/terraform-docs/terraform-docs/pull/901
+      # This temporary fix will allow for ATX header support when terraform-docs is run
+      # during linting and output delimiter rows with cell spacing that passes
+      # Markdownlint's MD060/table-column-style rule.
       - name: Clone ATX headers branch from terraform-docs fork
         run: |
           git clone \
@@ -188,7 +195,7 @@ jobs:
           -o $(go env GOPATH)/bin/terraform-docs
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip setuptools wheel
+          python -m pip install --upgrade pip setuptools
           pip install --upgrade --requirement requirements-test.txt
       - name: Set up pre-commit hook environments
         run: pre-commit install-hooks
@@ -236,7 +243,7 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ steps.setup-env.outputs.python-version }}
-      - uses: actions/cache@v3
+      - uses: actions/cache@v5
         env:
           BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
             py${{ steps.setup-python.outputs.python-version }}-"

.github/workflows/codeql-analysis.yml

@@ -12,6 +12,8 @@ on:
   merge_group:
     types:
       - checks_requested
+  # We use the default activity types for the pull_request event as specified here:
+  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
   pull_request:
     # The branches here must be a subset of the ones in the push key
     branches:

.github/workflows/dependency-review.yml

@@ -5,6 +5,8 @@ on:  # yamllint disable-line rule:truthy
   merge_group:
     types:
       - checks_requested
+  # We use the default activity types for the pull_request event as specified here:
+  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
   pull_request:
 
 # Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,

.github/workflows/label-prs.yml

@@ -2,11 +2,9 @@
 name: Label pull requests
 
 on:  # yamllint disable-line rule:truthy
+  # We use the default activity types for the pull_request event as specified here:
+  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
   pull_request:
-    types:
-      - edited
-      - opened
-      - synchronize
 
 # Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
 # nounset, errexit, and pipefail. The `-x` will print all commands as they are

.github/workflows/sync-labels.yml

@@ -87,7 +87,7 @@ jobs:
       - uses: actions/checkout@v6
       - name: Sync repository labels
         if: success()
-        uses: crazy-max/ghaction-github-labeler@v5
+        uses: crazy-max/ghaction-github-labeler@v6
         with:
           # This is a hideous ternary equivalent so we only do a dry run unless
           # this workflow is triggered by the develop branch.

.pre-commit-config.yaml

@@ -45,32 +45,32 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.45.0
+    rev: v0.48.0
     hooks:
       - id: markdownlint
         args:
           - --config=.mdl_config.yaml
   - repo: https://github.com/rbubley/mirrors-prettier
-    rev: v3.6.2
+    rev: v3.8.1
     hooks:
       - id: prettier
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.37.1
+    rev: v1.38.0
     hooks:
       - id: yamllint
         args:
           - --strict
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.35.0
+    rev: 0.37.0
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v4.4.0
+    rev: v4.5.1
     hooks:
       - id: validate_manifest
 
@@ -105,7 +105,7 @@ repos:
 
   # Shell script hooks
   - repo: https://github.com/scop/pre-commit-shfmt
-    rev: v3.12.0-2
+    rev: v3.13.0-1
     hooks:
       - id: shfmt
         args:
@@ -130,7 +130,7 @@ repos:
   # Python hooks
   # Run bandit on the tests directory with a custom configuration
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.9.1
+    rev: 1.9.4
     hooks:
       - id: bandit
         name: bandit (tests directory)
@@ -139,34 +139,55 @@ repos:
           - --config=.bandit.yml
   # Run bandit on everything but the tests directory
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.9.1
+    rev: 1.9.4
     hooks:
       - id: bandit
         name: bandit (everything but the tests directory)
         exclude: tests
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 25.11.0
+    rev: 26.3.1
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
     rev: 7.3.0
     hooks:
       - id: flake8
         additional_dependencies:
+          - dlint==0.16.0
+          - flake8-bugbear==25.11.29
+          - flake8-comprehensions==3.17.0
           - flake8-docstrings==1.7.0
+          - flake8-noqa==1.5.0
+          - pep8-naming==0.15.1
   - repo: https://github.com/PyCQA/isort
-    rev: 7.0.0
+    rev: 8.0.1
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.18.2
+    rev: v1.19.1
     hooks:
       - id: mypy
   - repo: https://github.com/pypa/pip-audit
-    rev: v2.9.0
+    rev: v2.10.0
     hooks:
       - id: pip-audit
         args:
+          # We have to ignore this vulnerability for now since an
+          # update for pygments has not yet been released.
+          #
+          # In any event, this vulnerability is unlikely to cause us
+          # any problems since we don't feed any regexes to pygments
+          # directly.  pygments is pulled in as a dependency of
+          # pytest.
+          #
+          # See also:
+          # - https://nvd.nist.gov/vuln/detail/CVE-2026-4539
+          # - https://github.com/pygments/pygments/issues/3058
+          #
+          # TODO: Remove this when it becomes possible.  See
+          # cisagov/skeleton-generic#257 for more details.
+          - --ignore-vuln
+          - CVE-2026-4539
           # Add any pip requirements files to scan
           - --requirement
           - requirements-dev.txt
@@ -175,7 +196,7 @@ repos:
           - --requirement
           - requirements.txt
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.21.1
+    rev: v3.21.2
     hooks:
       - id: pyupgrade
         args:
@@ -187,7 +208,10 @@ repos:
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v25.11.1
+    # We need to stay on this version because we are still using Python 3.13 in
+    # our GitHub Actions configuration. Later versions require Python 3.14 for
+    # the hook to run.
+    rev: v26.1.1
     hooks:
       - id: ansible-lint
         additional_dependencies:
@@ -213,10 +237,19 @@ repos:
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.103.0
+    rev: v1.105.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
+      # This needs to run after the terraform_validate hook so that any Terraform
+      # configurations are initialized.
+      - id: terraform_providers_lock
+        args:
+          - --args=-platform=darwin_amd64
+          - --args=-platform=darwin_arm64
+          - --args=-platform=linux_amd64
+          - --args=-platform=linux_arm64
+          - --hook-config=--mode=always-regenerate-lockfile
 
   # Docker hooks
   - repo: https://github.com/IamTheFij/docker-pre-commit

Dockerfile

@@ -9,7 +9,6 @@ FROM docker.io/amazon/aws-lambda-python:3.9 AS install-stage
 RUN python3 -m pip install --no-cache-dir \
     pip \
     setuptools \
-    wheel \
   # This version of pipenv is the minimum version to allow passing arguments
   # to pip with the --extra-pip-args option.
   && python3 -m pip install --no-cache-dir "pipenv>=2022.9.8"

requirements.txt

@@ -1,2 +1 @@
-setuptools
-wheel
+setuptools>=70.1

setup-env

@@ -271,7 +271,7 @@ fi
 pyenv local "${env_name}"
 
 # Upgrade pip and friends
-python3 -m pip install --upgrade pip setuptools wheel
+python3 -m pip install --upgrade pip setuptools
 
 # Find a requirements file (if possible) and install
 for req_file in "requirements-dev.txt" "requirements-test.txt" "requirements.txt"; do