⚠️ CONFLICT! Lineage pull request for: skeleton

.github/CODEOWNERS

@@ -3,11 +3,11 @@
 # These owners will be the default owners for everything in the
 # repo. Unless a later match takes precedence, these owners will be
 # requested for review when someone opens a pull request.
-* @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
+* @dav3r @felddy @jsf9k @mcdonnnj
 
 # These folks own any files in the .github directory at the root of
 # the repository and any of its subdirectories.
-/.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
+/.github/ @dav3r @felddy @jsf9k @mcdonnnj
 
 # Let jsf9k own the sometimes-touchy AWS and Python playbooks, as well
 # as the packer.pkr.hcl file.
@@ -16,15 +16,15 @@
 /src/python.yml @jsf9k
 
 # These folks own all linting configuration files.
-/.ansible-lint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
-/.bandit.yml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
-/.flake8 @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
-/.isort.cfg @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
-/.mdl_config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
-/.pre-commit-config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
-/.prettierignore @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
-/.yamllint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
-/requirements.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
-/requirements-dev.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
-/requirements-test.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
-/setup-env @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
+/.ansible-lint @dav3r @felddy @jsf9k @mcdonnnj
+/.bandit.yml @dav3r @felddy @jsf9k @mcdonnnj
+/.flake8 @dav3r @felddy @jsf9k @mcdonnnj
+/.isort.cfg @dav3r @felddy @jsf9k @mcdonnnj
+/.mdl_config.yaml @dav3r @felddy @jsf9k @mcdonnnj
+/.pre-commit-config.yaml @dav3r @felddy @jsf9k @mcdonnnj
+/.prettierignore @dav3r @felddy @jsf9k @mcdonnnj
+/.yamllint @dav3r @felddy @jsf9k @mcdonnnj
+/requirements.txt @dav3r @felddy @jsf9k @mcdonnnj
+/requirements-dev.txt @dav3r @felddy @jsf9k @mcdonnnj
+/requirements-test.txt @dav3r @felddy @jsf9k @mcdonnnj
+/setup-env @dav3r @felddy @jsf9k @mcdonnnj

.github/dependabot.yml

@@ -13,9 +13,12 @@ updates:
       - dependency-name: actions/checkout
       - dependency-name: actions/setup-go
       - dependency-name: actions/setup-python
+      - dependency-name: cisagov/setup-env-github-action
       - dependency-name: crazy-max/ghaction-dump-context
       - dependency-name: crazy-max/ghaction-github-labeler
       - dependency-name: crazy-max/ghaction-github-status
+      - dependency-name: GitHubSecurityLab/actions-permissions
+      - dependency-name: hashicorp/setup-packer
       - dependency-name: hashicorp/setup-terraform
       - dependency-name: mxschmitt/action-tmate
       - dependency-name: step-security/harden-runner

.github/workflows/build.yml

@@ -21,7 +21,6 @@ defaults:
 
 env:
   AWS_DEFAULT_REGION: us-east-1
-  CURL_CACHE_DIR: ~/.cache/curl
   PIP_CACHE_DIR: ~/.cache/pip
   PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
   RUN_TMATE: ${{ secrets.RUN_TMATE }}
@@ -32,10 +31,18 @@ env:
 jobs:
   diagnostics:
     name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       # Note that a duplicate of this step must be added at the top of
       # each job.
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -50,8 +57,15 @@ jobs:
   lint:
     needs:
       - diagnostics
+    permissions:
+      # actions/checkout needs this to fetch code
+      contents: read
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -77,7 +91,7 @@ jobs:
         name: Lookup Go cache directory
         run: |
           echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         env:
           BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
             py${{ steps.setup-python.outputs.python-version }}-\
@@ -98,25 +112,12 @@ jobs:
           path: |
             ${{ env.PIP_CACHE_DIR }}
             ${{ env.PRE_COMMIT_CACHE_DIR }}
-            ${{ env.CURL_CACHE_DIR }}
             ${{ steps.go-cache.outputs.dir }}
           restore-keys: |
             ${{ env.BASE_CACHE_KEY }}
-      - name: Setup curl cache
-        run: mkdir -p ${{ env.CURL_CACHE_DIR }}
-      - name: Install Packer
-        env:
-          PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
-        run: |
-          PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
-          curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
-            --time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
-            --location \
-            "https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}"
-          sudo unzip -d /opt/packer \
-            ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}"
-          sudo mv /usr/local/bin/packer /usr/local/bin/packer-default
-          sudo ln -s /opt/packer/packer /usr/local/bin/packer
+      - uses: hashicorp/setup-packer@v3
+        with:
+          version: ${{ steps.setup-env.outputs.packer-version }}
       - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
@@ -177,8 +178,15 @@ jobs:
   test:
     needs:
       - diagnostics
+    permissions:
+      # actions/checkout needs this to fetch code
+      contents: read
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -191,35 +199,22 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ steps.setup-env.outputs.python-version }}
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         env:
           BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
             py${{ steps.setup-python.outputs.python-version }}-\
             packer${{ steps.setup-env.outputs.packer-version }}-"
         with:
           path: |
             ${{ env.PIP_CACHE_DIR }}
-            ${{ env.CURL_CACHE_DIR }}
           key: "${{ env.BASE_CACHE_KEY }}\
             ${{ hashFiles('**/requirements-test.txt') }}-\
             ${{ hashFiles('**/requirements.txt') }}"
           restore-keys: |
             ${{ env.BASE_CACHE_KEY }}
-      - name: Setup curl cache
-        run: mkdir -p ${{ env.CURL_CACHE_DIR }}
-      - name: Install Packer
-        env:
-          PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
-        run: |
-          PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
-          curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
-            --time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
-            --location \
-            "https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}"
-          sudo unzip -d /opt/packer \
-            ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}"
-          sudo mv /usr/local/bin/packer /usr/local/bin/packer-default
-          sudo ln -s /opt/packer/packer /usr/local/bin/packer
+      - uses: hashicorp/setup-packer@v3
+        with:
+          version: ${{ steps.setup-env.outputs.packer-version }}
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
@@ -237,6 +232,9 @@ jobs:
     needs:
       - lint
       - test
+    permissions:
+      # actions/checkout needs this to fetch code
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -245,6 +243,10 @@ jobs:
           - arm64
           - x86_64
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -257,7 +259,7 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ steps.setup-env.outputs.python-version }}
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         env:
           BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
             py${{ steps.setup-python.outputs.python-version }}-\
@@ -266,26 +268,13 @@ jobs:
         with:
           path: |
             ${{ env.PIP_CACHE_DIR }}
-            ${{ env.CURL_CACHE_DIR }}
           key: "${{ env.BASE_CACHE_KEY }}\
             ${{ hashFiles('**/requirements.txt') }}"
           restore-keys: |
             ${{ env.BASE_CACHE_KEY }}
-      - name: Setup curl cache
-        run: mkdir -p ${{ env.CURL_CACHE_DIR }}
-      - name: Install Packer
-        env:
-          PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
-        run: |
-          PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
-          curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
-            --time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
-            --location \
-            "https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}"
-          sudo unzip -d /opt/packer \
-            ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}"
-          sudo mv /usr/local/bin/packer /usr/local/bin/packer-default
-          sudo ln -s /opt/packer/packer /usr/local/bin/packer
+      - uses: hashicorp/setup-packer@v3
+        with:
+          version: ${{ steps.setup-env.outputs.packer-version }}
       - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: ${{ steps.setup-env.outputs.terraform-version }}

.github/workflows/prerelease.yml

@@ -7,17 +7,24 @@ on:
 
 env:
   AWS_DEFAULT_REGION: us-east-1
-  CURL_CACHE_DIR: ~/.cache/curl
   PIP_CACHE_DIR: ~/.cache/pip
   RUN_TMATE: ${{ secrets.RUN_TMATE }}
 
 jobs:
   diagnostics:
     name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       # Note that a duplicate of this step must be added at the top of
       # each job.
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -32,6 +39,9 @@ jobs:
   prerelease:
     needs:
       - diagnostics
+    permissions:
+      # actions/checkout needs this to fetch code
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -40,6 +50,10 @@ jobs:
           - arm64
           - x86_64
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -52,7 +66,7 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ steps.setup-env.outputs.python-version }}
-      - uses: actions/cache@v3
+      - uses: actions/cache@v4
         env:
           BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
             py${{ steps.setup-python.outputs.python-version }}-\
@@ -61,26 +75,13 @@ jobs:
         with:
           path: |
             ${{ env.PIP_CACHE_DIR }}
-            ${{ env.CURL_CACHE_DIR }}
           key: "${{ env.BASE_CACHE_KEY }}\
             ${{ hashFiles('**/requirements.txt') }}"
           restore-keys: |
             ${{ env.BASE_CACHE_KEY }}
-      - name: Setup curl cache
-        run: mkdir -p ${{ env.CURL_CACHE_DIR }}
-      - name: Install Packer
-        env:
-          PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
-        run: |
-          PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
-          curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
-            --time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
-            --location \
-            "https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}"
-          sudo unzip -d /opt/packer \
-            ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}"
-          sudo mv /usr/local/bin/packer /usr/local/bin/packer-default
-          sudo ln -s /opt/packer/packer /usr/local/bin/packer
+      - uses: hashicorp/setup-packer@v3
+        with:
+          version: ${{ steps.setup-env.outputs.packer-version }}
       - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: ${{ steps.setup-env.outputs.terraform-version }}