⚠️ CONFLICT! Lineage pull request for: skeleton #6

Additionally as of v3.1.0 of actions/setup-go there is a go-version output value to retrieve the version of Go installed by the Action. This allows us to remove the step to manually retrieve this information from the Go executable.

Go 1.16 is no longer supported as of the release of 1.18 so it makes sense to update to the latest version available.

Go 1.19 was released while this branch was in the wings and it makes sense to bump to the latest Go release.

Update Go installation in the `build.yml` workflow

Bumps [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) from 1 to 2. - [Release notes](https://github.com/hashicorp/setup-terraform/releases) - [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md) - [Commits](hashicorp/setup-terraform@v1...v2) --- updated-dependencies: - dependency-name: hashicorp/setup-terraform dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

…orp/setup-terraform-2 Bump hashicorp/setup-terraform from 1 to 2

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3 to 4. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@v3...v4) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

…s/setup-python-4 Bump actions/setup-python from 3 to 4

Add a comment that states that the commented out ignore directives are managed by cisagov/skeleton-generic.

This adds the other versioned Actions that should be managed by cisagov/skeleton-generic to the list of commented out dependencies to ignore.

…nores Update Dependabot ignore directives

GitHub has deprecated the set-output command per: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ This updates the GitHub Actions workflow to use the newly preferred method to set the output for a job's step.

Remove usage of `set-output` from our GitHub Actions workflow

Increase the line length maximum from the default of 80 to 88. This 10% increase mirrors the line length allowed in other linter configurations such as black.

…-length_rules Update the `line-length` configuration for `yamllint`

Per PyCQA/flake8#1290 this hook moved from GitLab to GitHub. The version we use is bumped to the latest tag on GitHub as well.

Update the `flake8` pre-commit hook configuration

Update pre-commit hooks using `pre-commit autoupdate`. The `ansible-lint` hook is intentionally held back due to issues with upgrading to v6.

Update pre-commit hooks

This configuration file stores information about the labels expected in this repository.

This adds a workflow to ensure that the repository labels are updated to reflect changes to the label configuration file .github/labels.yml.

Add workflow to manage repository labels

Update the configuration for repository labels to remove the leading `#` from color values. With a `#` leading the values they are seen as invalid by the GitHub API.

There was a missing empty line in the `.yamllint` file between two rule definitions.

Update two configuration files

…skeleton

Bump actions/setup-python from v3 to v4 and use Python 3.10 to mirror the `lint` job.

Remove the remaining uses of the `set-output` command since it has been deprecated per: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

⚠️ CONFLICT! Lineage pull request for: skeleton

The `bandit (everything else)` hook was not updated in sync with the `bandit (tests tree)` hook and is using an older version of bandit.

Co-authored-by: dav3r <[email protected]>

…configuration Update the version of the second `bandit` hook

Pull in the CodeQL workflow from cisagov/skeleton-python-library to update the CodeQL configuration for this repository. We also add github/codeql-action to the dependencies managed by this repository in the dependabot configuration.

Update the CodeQL configuration

This argument references a file that is no longer found in the repository. The configuration also no longer uses any such files so it is safe to remove this as opposed to updating it instead.

Add all requirements*.txt files in the configuration to this file. This ensures that all requirements in use are being used for scanning.

Until we completely remove LGTM from our repositories we should keep at least the minimum badging. This project does not directly use any Python, JavaScript, etc. so I am enabling the "Total alerts" badge. Other possibilities are commented out to make it easier for downstream repositories to enable what suits their configurations.

…rations Update some outdated items in the project

Bumps [actions/github-script](https://github.com/actions/github-script) from 5 to 6. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@v5...v6) --- updated-dependencies: - dependency-name: actions/github-script dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

…/github-script-6 Bump actions/github-script from 5 to 6

We saw in cisagov/postfix-docker#47 that the sed commands in the bump_version.sh script could inadvertently match the CC0 version in the README.md file. This change escapes the periods in the version before passing it on to sed so that they only match periods and not just any character.

…script Fix overly eager sed commands

Also add a section to update pip and setuptools via pip.

Improve Dockerfile

LGTM.com is shutting down 2022-12-16 so we should remove all LGTM-related items to prepare for disabling the LGTM.com integration in the organization.

Remove LGTM from the repository

I accidentally clobbered these changes when I was updating cisagov/skeleton-docker#135 for merge. This restores the changes made during review as well as fixing a missed reference to the CISA_USER argument. Co-authored-by: Shane Frasier <[email protected]>

Restore Dockerfile changes from review

Update pre-commit hooks using `pre-commit autoupdate`. The `ansible-lint` hook is intentionally held back to be updated independently to v6.

Update `pre-commit` hooks

Add a security label

Lineage pull request for: skeleton

When Dependabot creates a PR it requires this permission in order to push Docker images to ghcr.io.

Add package write permission to workflow

Co-authored-by: Nick <[email protected]>

Update wheel along with pip and setuptools

In this case it doesn't matter because we are starting from a Python3-specific base container, but other projects that use this skeleton may not be. Specifying pip3 ensures that the Python 2 version of pip is not called by mistake.

Specify pip3

Specify the default group to run under in the Dockerfile

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3 to 4. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@v3...v4) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

…/build-push-action-4 Bump docker/build-push-action from 3 to 4

Specify pip3 in the file where it got blown away by a rebase

@jasonodoom

Add @jasonodoom as a default codeowner

This is the latest minor release of Python so it makes sense to use it as the default for this job.

…n_for_lint_job Use Python 3.11 for the `lint` job in the `build` workflow

This is done automatically with the `pre-commit autoupdate` command. However the `ansible-lint` hook is manually kept back as we have not tested functionality to confirm that our roles will generally pass with the new version.

Update `pre-commit` hooks

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v3...v4) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

…s/setup-go-4 Bump actions/setup-go from 3 to 4

When wheel gets installed alongside other packages, it may not get used when those other packages are installed. When that happens I see warnings like this: DEPRECATION: ansible-core is being installed using the legacy 'setup.py install' method, because it does not have a 'pyproject.toml' and the 'wheel' package is not installed. pip 23.1 will enforce this behaviour change. A possible replacement is to enable the '--use-pep517' option. Discussion can be found at pypa/pip#8559 This change should get rid of these warnings. Nota bene: This is the practice we follow in the Dockerfile in cisagov/skeleton-docker, but for some reason we never started using it in our workflows.

…nd-wheel-with-pip Install/upgrade setuptools and wheel when upgrading pip

Co-authored-by: Shane Frasier <[email protected]>

The golang/lint tool was archived on May 9th, 2021 and based on golang/go#38968 no future work is planned. Coupled with the fact that it is not available from brew we are removing this hook as local development may be hindered by trying to satisfy running this hook. Co-authored-by: Shane Frasier <[email protected]> Co-authored-by: dav3r <[email protected]>

This is done automatically with the `pre-commit autoupdate` command.

Resolves cisagov/skeleton-generic#131.

The cache key used relies on the existence of a go.sum file. Since we have no expectation for Go source code, including that file, and since we already include the Go cache in our job caching, we can safely disable caching in the Action.

Bump the version of Go used in our GitHub Actions configuration to the latest stable Go release.

Add Go hooks

Co-authored-by: Nick <[email protected]>

This is being done for testing purposes, and this commit can be reverted (or removed) once cisagov/setup-env-github-action#65 is merged.

Co-authored-by: Nick <[email protected]>

The repo name we were using redirects to the correct place, but we may as well cut out the middle man.

@mcdonnnj

…orrect staticcheck package URL Co-Authored By: @mcdonnnj <[email protected]>

Co-authored-by: Shane Frasier <[email protected]>

We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value.

Our standard practice for YAML files is to sort keys alphabetically.

This is the latest minor release of Python so it makes sense to use it as the default for this job.

This is done automatically with the `pre-commit autoupdate` command. However the `ansible-lint` hook is manually kept back as we have not tested functionality to confirm that our roles will generally pass with the new version.

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v3...v4) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

When wheel gets installed alongside other packages, it may not get used when those other packages are installed. When that happens I see warnings like this: DEPRECATION: ansible-core is being installed using the legacy 'setup.py install' method, because it does not have a 'pyproject.toml' and the 'wheel' package is not installed. pip 23.1 will enforce this behaviour change. A possible replacement is to enable the '--use-pep517' option. Discussion can be found at pypa/pip#8559 This change should get rid of these warnings. Nota bene: This is the practice we follow in the Dockerfile in cisagov/skeleton-docker, but for some reason we never started using it in our workflows.

Co-authored-by: Shane Frasier <[email protected]>

The golang/lint tool was archived on May 9th, 2021 and based on golang/go#38968 no future work is planned. Coupled with the fact that it is not available from brew we are removing this hook as local development may be hindered by trying to satisfy running this hook. Co-authored-by: Shane Frasier <[email protected]> Co-authored-by: dav3r <[email protected]>

This is done automatically with the `pre-commit autoupdate` command.

Resolves cisagov/skeleton-generic#131.

The cache key used relies on the existence of a go.sum file. Since we have no expectation for Go source code, including that file, and since we already include the Go cache in our job caching, we can safely disable caching in the Action.

Bump the version of Go used in our GitHub Actions configuration to the latest stable Go release.

The version of Python used in the `lint` job of the build workflow for GitHub Actions was updated to 3.11 so we should update the `test` job to match.

The `setuptools` and `wheel` packages were added to the `lint` job in GitHub Actions and it should be duplicated for the `test` job.

Bumps python from 3.10.1-alpine to 3.11.4-alpine. --- updated-dependencies: - dependency-name: python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Lineage pull request for: skeleton

Co-authored-by: David Harris <[email protected]>

The pytest-dockerc plug is unmaintained and there is now a dependency issues with PyYAML because of the release of Cython v3 (which is itself a build dependency for PyYAML). After some research this seemed like the most similar package in terms of functionality to the package we are replacing. Although it is not a pytest plugin it still provides similar access and uses the Docker composition defined in the repository.

Switch packages used to test the configuration

The "stopped" parameter is no longer present now that we are using python-on-whales. Co-authored-by: dav3r <[email protected]>

The token is optionally used for the build and prerelease actions to override the default values used by the semver Python package.

Since the replacement and commit of version change information is almost identical across the different logic flows it makes sense to DRY out the code.

Only retrieve the existing version information if the input to the bump_version.sh script isn't immediately invalid (if the script does not get 1-2 arguments).

The team has come to the consensus that the `git push` should be at the discretion of the user. This both prevents needless GitHub Actions runs and ensures that the repository is updated when the user feels it is in an appropriate state. Co-authored-by: Shane Frasier <[email protected]>

Co-authored-by: Nick <[email protected]>

…b-action" This reverts commit ddbf6f7. This can be done now that cisagov/setup-env-github-action#65 has been merged.

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Add crazy-max/ghaction-github-labeler as a commented out dependency to ignore in the dependabot configuration file. This should be enabled in downstream projects to consolidate updating this Action to the cisagov/skeleton-generic repository.

Add go packages for pre-commit

Use the correct repo name for the ansible-lint pre-commit hook

…nfiguration Update the Dependabot configuration

Delete duplicate word "are"

Add nixfmt pre-commit hook

…s/checkout-4 Bump actions/checkout from 3 to 4

Update the version of the `crazy-max/ghaction-github-labeler` Action and add a dependabot ignore directive

This is done automatically with the `pre-commit autoupdate` command.

This mirror was created to leverage performance optimizations from mypyc wheels that are available if black is installed from PyPI. These wheels are not available if black is installed from source as it would be using the old URL. Please see psf/black#3828 and psf/black#3405 for more information.

This action is added in a separate "diagnostics" job. As configured it will never fail, but it will print out the status of the various GitHub components. This information will sometimes be useful when determining why builds fail after the fact. Co-authored-by: Mark Feldhousen <[email protected]> Co-authored-by: Nick <[email protected]>

Even though the diagnostics job is not currently configured to fail due to the GitHub status, it is still true that if the job is unable to run that does not bode well for the lint job's successful execution. Co-authored-by: Nick <[email protected]>

This can be useful when debugging why a GH Action failed. Co-authored-by: felddy <[email protected]>

This GH Action is being configured to run in audit mode. It should warn us if an Action is reaching out to an unexpected web address, overwriting source code, etc. Co-authored-by: felddy <[email protected]>

This task can only provide coverage for the job that contains it.

We need a reminder add the step-security/harden-runner action at the top of every job. Co-authored-by: Nick <[email protected]>

Update `pre-commit` hooks

Change the source repository for the `black` hook

Add a job that runs diagnostics

Enable the new dependabot ignore directives that were added in cisagov/skeleton-generic.

We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic.

Our standard practice for YAML files is to sort keys alphabetically. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic.

This updates the remaining declarations to match what was pulled down from cisagov/skeleton-generic.

Add the `diagnostics` job as a dependency for the other jobs. Reformat the dependencies for those jobs to match the formatting of the `lint` job. This aligns with what was pulled down from cisagov/skeleton-generic.

Ensure that top-level keys except for `steps` are alphabetically sorted.

We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic.

This aligns with what was done to the `lint` job of the build.yml workflow that was inherited from cisagov/skeleton-generic.

We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic.

Bumps [docker/login-action](https://github.com/docker/login-action) from 2 to 3. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@v2...v3) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2 to 3. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@v2...v3) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 2 to 3. - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](docker/setup-qemu-action@v2...v3) --- updated-dependencies: - dependency-name: docker/setup-qemu-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps python from 3.11.4-alpine to 3.12.0-alpine. --- updated-dependencies: - dependency-name: python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

It's good to agree everywhere with the changes we made to the build.yml workflow in cisagov/skeleton-generic#144.

⚠️ CONFLICT! Lineage pull request for: skeleton

…alpine Bump python from 3.11.4-alpine to 3.12.0-alpine

…for-codeql-workflow Add a diagnostics job to the CodeQL workflow

Modify comment referencing "stopped" parameter

…_script Enhance the functionality of the `bump_version.sh` script

…/login-action-3 Bump docker/login-action from 2 to 3

…/setup-buildx-action-3 Bump docker/setup-buildx-action from 2 to 3

…/setup-qemu-action-3 Bump docker/setup-qemu-action from 2 to 3

# Conflicts: # .github/dependabot.yml

Bumps [actions/github-script](https://github.com/actions/github-script) from 6 to 7. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@v6...v7) --- updated-dependencies: - dependency-name: actions/github-script dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 4 to 5. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@v4...v5) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

There is currently a potential incompatibility with the default behavior of the version of buildx being used. A default image generated is built with provenance, which is something we would like to have, but these default images can run on neither Google Cloud Run nor AWS Lambda. Please see docker/buildx#1533 for mroe information. Since we want to retain support for creating AWS Lambda images we add a commented out disabling of this functionality that can be enabled in a downstream repository if needed.

…s/github-script-7 Bump actions/github-script from 6 to 7

…/build-push-action-5 Bump docker/build-push-action from 4 to 5

Commits on Mar 24, 2023

Add @jasonodoom as a default codeowner

jsf9k committed Mar 24, 2023

Configuration menu

View commit details

Copy full SHA for 744f07e

Browse repository at this point

Copy the full SHA

744f07e View commit details

Browse the repository at this point in the history

Commits on Aug 28, 2023

Add nixfmt pre-commit hook

jasonodoom committed Aug 28, 2023

Configuration menu

View commit details

Copy full SHA for 82db36a

Browse repository at this point

Copy the full SHA

82db36a View commit details

Browse the repository at this point in the history

⚠️ CONFLICT! Lineage pull request for: skeleton #6

Are you sure you want to change the base?

⚠️ CONFLICT! Lineage pull request for: skeleton #6

Commits on May 27, 2022

Commits on Nov 8, 2022

Commits on Nov 9, 2022

Commits on Nov 14, 2022

Commits on Nov 15, 2022

Commits on Nov 21, 2022

Commits on Nov 22, 2022

Commits on Jan 31, 2023

Commits on Feb 2, 2023

Commits on Feb 10, 2023

Commits on Feb 11, 2023

Commits on Mar 2, 2023

Commits on Mar 24, 2023

Commits on Mar 26, 2023

Commits on Apr 19, 2023

Commits on Apr 20, 2023

Commits on May 5, 2023

Commits on May 8, 2023

Commits on Jun 7, 2023

Commits on Jun 8, 2023

Commits on Jul 10, 2023

Commits on Jul 11, 2023

Commits on Jul 12, 2023

Commits on Jul 13, 2023

Commits on Jul 14, 2023

Commits on Jul 18, 2023

Commits on Jul 20, 2023

Commits on Jul 28, 2023

Commits on Aug 9, 2023

Commits on Aug 15, 2023

Commits on Aug 16, 2023

Commits on Aug 22, 2023

Commits on Aug 28, 2023

Commits on Sep 4, 2023

Commits on Sep 11, 2023

Commits on Sep 13, 2023

Commits on Sep 18, 2023

Commits on Oct 9, 2023

Commits on Oct 11, 2023

Commits on Dec 6, 2023

Commits on Dec 7, 2023