Merge pull request #838 from cisagov/lineage/skeleton

⚠️ CONFLICT! Lineage pull request for: skeleton

.github/dependabot.yml

@@ -13,9 +13,12 @@ updates:
       - dependency-name: actions/checkout
       - dependency-name: actions/setup-go
       - dependency-name: actions/setup-python
+      - dependency-name: cisagov/setup-env-github-action
       - dependency-name: crazy-max/ghaction-dump-context
       - dependency-name: crazy-max/ghaction-github-labeler
       - dependency-name: crazy-max/ghaction-github-status
+      - dependency-name: GitHubSecurityLab/actions-permissions
+      - dependency-name: hashicorp/setup-packer
       - dependency-name: hashicorp/setup-terraform
       - dependency-name: mxschmitt/action-tmate
       - dependency-name: step-security/harden-runner

.github/workflows/build.yml

@@ -30,10 +30,18 @@ env:
 jobs:
   diagnostics:
     name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       # Note that a duplicate of this step must be added at the top of
       # each job.
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -48,8 +56,15 @@ jobs:
   lint:
     needs:
       - diagnostics
+    permissions:
+      # actions/checkout needs this to fetch code
+      contents: read
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2

.github/workflows/codeql-analysis.yml

@@ -26,14 +26,20 @@ jobs:
     steps:
       # Note that a duplicate of this step must be added at the top of
       # each job.
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
         with:
           egress-policy: audit
       - id: github-status
         name: Check GitHub status
-        uses: crazy-max/ghaction-github-status@v3
+        uses: crazy-max/ghaction-github-status@v4
       - id: dump-context
         name: Dump context
         uses: crazy-max/ghaction-dump-context@v2
@@ -56,6 +62,10 @@ jobs:
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
 
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2

.github/workflows/sync-labels.yml

@@ -4,19 +4,28 @@ name: sync-labels
 on:
   push:
     paths:
-      - '.github/labels.yml'
-      - '.github/workflows/sync-labels.yml'
+      - .github/labels.yml
+      - .github/workflows/sync-labels.yml
+  workflow_dispatch:
 
 permissions:
   contents: read
 
 jobs:
   diagnostics:
     name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       # Note that a duplicate of this step must be added at the top of
       # each job.
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -38,6 +47,10 @@ jobs:
       issues: write
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2

.pre-commit-config.yaml

@@ -10,15 +10,19 @@ repos:
       - id: check-useless-excludes
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
     hooks:
       - id: check-case-conflict
       - id: check-executables-have-shebangs
       - id: check-json
       - id: check-merge-conflict
+      - id: check-shebang-scripts-are-executable
+      - id: check-symlinks
       - id: check-toml
+      - id: check-vcs-permalinks
       - id: check-xml
       - id: debug-statements
+      - id: destroyed-symlinks
       - id: detect-aws-credentials
         args:
           - --allow-missing-credentials
@@ -53,40 +57,40 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.29.2
+    rev: 0.29.4
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.8.0
+    rev: v4.0.1
     hooks:
       - id: validate_manifest
 
   # Go hooks
   - repo: https://github.com/TekWizely/pre-commit-golang
     rev: v1.0.0-rc.1
     hooks:
-      # Style Checkers
-      - id: go-critic
-      # StaticCheck
-      - id: go-staticcheck-repo-mod
       # Go Build
       - id: go-build-repo-mod
+      # Style Checkers
+      - id: go-critic
+      # goimports
+      - id: go-imports-repo
+        args:
+          # Write changes to files
+          - -w
       # Go Mod Tidy
       - id: go-mod-tidy-repo
+      # GoSec
+      - id: go-sec-repo-mod
+      # StaticCheck
+      - id: go-staticcheck-repo-mod
       # Go Test
       - id: go-test-repo-mod
       # Go Vet
       - id: go-vet-repo-mod
-      # GoSec
-      - id: go-sec-repo-mod
-      # goimports
-      - id: go-imports-repo
-        args:
-          # Write changes to files
-          - -w
   # Nix hooks
   - repo: https://github.com/nix-community/nixpkgs-fmt
     rev: v1.3.0
@@ -95,7 +99,7 @@ repos:
 
   # Shell script hooks
   - repo: https://github.com/scop/pre-commit-shfmt
-    rev: v3.9.0-1
+    rev: v3.10.0-1
     hooks:
       - id: shfmt
         args:
@@ -127,7 +131,7 @@ repos:
         args:
           - --config=.bandit.yml
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.8.0
+    rev: 24.10.0
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -141,7 +145,7 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.11.2
+    rev: v1.13.0
     hooks:
       - id: mypy
         additional_dependencies:
@@ -152,6 +156,11 @@ repos:
     hooks:
       - id: pip-audit
         args:
+          # We have to ignore this particular vulnerability in
+          # ansible-core>=2.11 as there is currently no fix.  See
+          # cisagov/cyhy_amis#842 for more details.
+          - --ignore-vuln
+          - GHSA-99w6-3xph-cx78
           # Add any pip requirements files to scan
           - --requirement
           - requirements-dev.txt
@@ -160,13 +169,13 @@ repos:
           - --requirement
           - requirements.txt
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.17.0
+    rev: v3.19.0
     hooks:
       - id: pyupgrade
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v24.9.2
+    rev: v24.10.0
     hooks:
       - id: ansible-lint
         additional_dependencies:
@@ -177,17 +186,36 @@ repos:
           # necessary to add the ansible package itself as an
           # additional dependency, with the same pinning as is done in
           # requirements-test.txt of cisagov/skeleton-ansible-role.
-          # - ansible>=9,<10
+          #
+          # Version 10 is required because the pip-audit pre-commit
+          # hook identifies a vulnerability in ansible-core 2.16.13,
+          # but all versions of ansible 9 have a dependency on
+          # ~=2.16.X.
+          #
+          # It is also a good idea to go ahead and upgrade to version
+          # 10 since version 9 is going EOL at the end of November:
+          # https://endoflife.date/ansible
+          # - ansible>=10,<11
           # ansible-core 2.16.3 through 2.16.6 suffer from the bug
           # discussed in ansible/ansible#82702, which breaks any
           # symlinked files in vars, tasks, etc. for any Ansible role
           # installed via ansible-galaxy.  Hence we never want to
           # install those versions.
           #
+          # Note that the pip-audit pre-commit hook identifies a
+          # vulnerability in ansible-core 2.16.13.  The pin of
+          # ansible-core to >=2.17 effectively also pins ansible to
+          # >=10.
+          #
+          # It is also a good idea to go ahead and upgrade to
+          # ansible-core 2.17 since security support for ansible-core
+          # 2.16 ends this month:
+          # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+          #
           # Note that any changes made to this dependency must also be
           # made in requirements.txt in cisagov/skeleton-packer and
           # requirements-test.txt in cisagov/skeleton-ansible-role.
-          - ansible-core>=2.16.7
+          - ansible-core>=2.17
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
@@ -204,7 +232,7 @@ repos:
 
   # Packer hooks
   - repo: https://github.com/cisagov/pre-commit-packer
-    rev: v0.1.0
+    rev: v0.3.0
     hooks:
-      - id: packer_validate
       - id: packer_fmt
+      - id: packer_validate

requirements.txt

@@ -8,24 +8,29 @@
 # as using the dnf package manager, and version 8 is currently the
 # oldest supported version.
 #
-# We have tested against version 9.  We want to avoid automatically
+# Version 10 is required because the pip-audit pre-commit hook
+# identifies a vulnerability in ansible-core 2.16.13, but all versions
+# of ansible 9 have a dependency on ~=2.16.X.
+#
+# We have tested against version 10.  We want to avoid automatically
 # jumping to another major version without testing, since there are
 # often breaking changes across major versions.  This is the reason
 # for the upper bound.
-#
-# Note that this dependency should be kept in sync with the version
-# pin found in the requirements-test.txt file in
-# cisagov/skeleton-ansible-role.
-ansible>=9,<10
+ansible>=10,<11
 # ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in
 # ansible/ansible#82702, which breaks any symlinked files in vars,
 # tasks, etc. for any Ansible role installed via ansible-galaxy.
 # Hence we never want to install those versions.
 #
-# Note that this dependency should be kept in sync with the version
-# pin found in the requirements-test.txt file in
-# cisagov/skeleton-ansible-role.
-ansible-core>=2.16.7
+# Note that the pip-audit pre-commit hook identifies a vulnerability
+# in ansible-core 2.16.13.  Normally we would pin ansible-core
+# accordingly (>2.16.13), but the above pin of ansible>=10 effectively
+# pins ansible-core to >=2.17 so that's what we do here.
+#
+# Note that any changes made to this dependency must also be made in
+# requirements.txt in cisagov/skeleton-packer and
+# .pre-commit-config.yaml in cisagov/skeleton-generic.
+ansible-core>=2.17
 boto3
 setuptools
 wheel