From 4cb9a4b5863abc317de4daa8fa72487ac930c3d0 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 10 Jul 2023 12:52:36 -0400 Subject: [PATCH 01/42] Add steps to setup go packages for pre-commit --- .github/workflows/build.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c992e8e..f07c640 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -33,6 +33,22 @@ jobs: # it relies on the existence of a go.sum file. cache: false go-version: "1.20" + - id: setup-go-critic + run: go install -v github.com/go-critic/go-critic/cmd/gocritic@latest + - id: setup staticheck + uses: actions/checkout@v2 + with: + fetch-depth: 1 + - name: Run staticcheck + uses: dominikh/staticcheck-action@v1.3.0 + with: + version: "2022.1.3" + - id: setup-go-sec + uses: actions/checkout@v3 + env: + GO111MODULE: on + - name: Run Gosec Security Scanner + uses: securego/gosec@master - name: Lookup Go cache directory id: go-cache run: | From 53f56b01103783ba2d71c7ad64dc5c4c390c8388 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 10 Jul 2023 18:01:24 -0400 Subject: [PATCH 02/42] Update action/checkout to use same version --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f07c640..4731169 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -36,7 +36,7 @@ jobs: - id: setup-go-critic run: go install -v github.com/go-critic/go-critic/cmd/gocritic@latest - id: setup staticheck - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 1 - name: Run staticcheck From f2610994eacc942a8b4a3771c0c0d8d69fb286c1 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 10 Jul 2023 18:17:46 -0400 Subject: [PATCH 03/42] Set specific gocritic version --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4731169..cfbc847 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,7 +34,7 @@ jobs: cache: false go-version: "1.20" - id: setup-go-critic - run: go install -v github.com/go-critic/go-critic/cmd/gocritic@latest + run: go install -v github.com/go-critic/go-critic/cmd/gocritic@0.8.1 - id: setup staticheck uses: actions/checkout@v3 with: From 097b573a1eba564d2aeb260f676f01776ff10aba Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 10 Jul 2023 19:34:48 -0400 Subject: [PATCH 04/42] Update build workflow with package installtion --- .github/workflows/build.yml | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cfbc847..3cab3fb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -33,22 +33,6 @@ jobs: # it relies on the existence of a go.sum file. cache: false go-version: "1.20" - - id: setup-go-critic - run: go install -v github.com/go-critic/go-critic/cmd/gocritic@0.8.1 - - id: setup staticheck - uses: actions/checkout@v3 - with: - fetch-depth: 1 - - name: Run staticcheck - uses: dominikh/staticcheck-action@v1.3.0 - with: - version: "2022.1.3" - - id: setup-go-sec - uses: actions/checkout@v3 - env: - GO111MODULE: on - - name: Run Gosec Security Scanner - uses: securego/gosec@master - name: Lookup Go cache directory id: go-cache run: | @@ -80,6 +64,16 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} + - name: Install GoCritic + env: + PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install GoSec + env: + PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec + PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Packer env: PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} @@ -101,6 +95,11 @@ jobs: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install Staticcheck + env: + PACKAGE_URL: dominikh/staticcheck-action + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Terraform-docs env: PACKAGE_URL: github.com/terraform-docs/terraform-docs From 254282a5f9c5c55c2e95459f929e41a1d85e9ae2 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Tue, 11 Jul 2023 15:06:07 -0400 Subject: [PATCH 05/42] Group go tools together with comment --- .github/workflows/build.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3cab3fb..a3c90ea 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -64,6 +64,7 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} + # Install GoCrtitic, GoSec and Staticcheck Go tools - name: Install GoCritic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic @@ -74,6 +75,11 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install Staticcheck + env: + PACKAGE_URL: dominikh/staticcheck-action + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Packer env: PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} @@ -95,11 +101,6 @@ jobs: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install Staticcheck - env: - PACKAGE_URL: dominikh/staticcheck-action - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Terraform-docs env: PACKAGE_URL: github.com/terraform-docs/terraform-docs From ecf329956ac7e2428e2226e2ac0c9c3c0cea94bf Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Tue, 11 Jul 2023 16:38:13 -0400 Subject: [PATCH 06/42] Update staticcheck id Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a3c90ea..f54946c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -78,7 +78,7 @@ jobs: - name: Install Staticcheck env: PACKAGE_URL: dominikh/staticcheck-action - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} + PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Packer env: From 1eaedf57d23227522f0f302e6055ded6eb888a7a Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Tue, 11 Jul 2023 16:40:06 -0400 Subject: [PATCH 07/42] Update tool names to match author stylization Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f54946c..db696ad 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -64,8 +64,8 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - # Install GoCrtitic, GoSec and Staticcheck Go tools - - name: Install GoCritic + # Install go-critic, GoSec and staticcheck Go tools + - name: Install go-critic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} From fd04757b3339ed91a085e3028b2b88f9bf60e080 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Tue, 11 Jul 2023 16:42:09 -0400 Subject: [PATCH 08/42] Update statcicheck stylization Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index db696ad..fee1ebe 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -75,7 +75,7 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install Staticcheck + - name: Install staticcheck env: PACKAGE_URL: dominikh/staticcheck-action PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} From ddbf6f7f6c7cb928ce9bc22f1ae3b1796f0602e7 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 12 Jul 2023 09:09:32 -0400 Subject: [PATCH 09/42] Temporarily use a different branch of cisagov/setup-env-github-action This is being done for testing purposes, and this commit can be reverted (or removed) once cisagov/setup-env-github-action#65 is merged. --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fee1ebe..b7c0910 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - id: setup-env - uses: cisagov/setup-env-github-action@develop + uses: cisagov/setup-env-github-action@add-go-actions-for-go-skeleton - uses: actions/checkout@v3 - id: setup-python uses: actions/setup-python@v4 @@ -64,18 +64,18 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - # Install go-critic, GoSec and staticcheck Go tools + # Install go-critic, GoSec and staticcheck Go tools - name: Install go-critic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install GoSec + - name: Install GoSec env: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install staticcheck + - name: Install staticcheck env: PACKAGE_URL: dominikh/staticcheck-action PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} From a8af336b975def35f947694d61828ab633d8bc6d Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 12 Jul 2023 10:11:28 -0400 Subject: [PATCH 10/42] Move go packages install to separate section --- .github/workflows/build.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b7c0910..4f0b8cd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -64,22 +64,6 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - # Install go-critic, GoSec and staticcheck Go tools - - name: Install go-critic - env: - PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install GoSec - env: - PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec - PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install staticcheck - env: - PACKAGE_URL: dominikh/staticcheck-action - PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Packer env: PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} @@ -96,6 +80,22 @@ jobs: - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} + # Begin Go packages install below + - name: Install GoCritic + env: + PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install GoSec + env: + PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec + PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install Staticcheck + env: + PACKAGE_URL: dominikh/staticcheck-action + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install shfmt env: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt From 1675b127e5ba645e36726d3f1858a974e7612998 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 12 Jul 2023 16:52:32 -0400 Subject: [PATCH 11/42] Update go-critic name Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4f0b8cd..faafd2f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -81,7 +81,7 @@ jobs: with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} # Begin Go packages install below - - name: Install GoCritic + - name: Install go-critic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} From c6ab22ea25d5608ab794542c96139bd5d65dac47 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 12 Jul 2023 16:52:50 -0400 Subject: [PATCH 12/42] Update staticcheck name Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index faafd2f..a799374 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -91,7 +91,7 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install Staticcheck + - name: Install staticcheck env: PACKAGE_URL: dominikh/staticcheck-action PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} From 29de03457f4ec4092d0dd98465d18a83a2193719 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 13 Jul 2023 10:05:20 -0400 Subject: [PATCH 13/42] Use the correct repo name for the ansible-lint pre-commit hook The repo name we were using redirects to the correct place, but we may as well cut out the middle man. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6b87032..9dc41ff 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -130,7 +130,7 @@ repos: - id: pyupgrade # Ansible hooks - - repo: https://github.com/ansible-community/ansible-lint + - repo: https://github.com/ansible/ansible-lint rev: v6.17.0 hooks: - id: ansible-lint From 1e7cb4f721542b260680ee51d4cd75126da0a979 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 12 Jul 2023 16:53:34 -0400 Subject: [PATCH 14/42] Correct staticcheck reference to setup-env, sort alphabetically and correct staticcheck package URL Co-Authored By: @mcdonnnj --- .github/workflows/build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a799374..7435881 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -91,16 +91,16 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install staticcheck - env: - PACKAGE_URL: dominikh/staticcheck-action - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install shfmt env: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install staticcheck + env: + PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck + PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Terraform-docs env: PACKAGE_URL: github.com/terraform-docs/terraform-docs From 5f3bc132490dcdfcc7431133ed38c293eeeffaf5 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Thu, 13 Jul 2023 11:03:03 -0400 Subject: [PATCH 15/42] Remove Go section coment Co-authored-by: Shane Frasier --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7435881..00c5cdf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -80,7 +80,6 @@ jobs: - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - # Begin Go packages install below - name: Install go-critic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic From d31182550a11db54cff212171bb9cc0dac8bb636 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 13 Jul 2023 22:30:33 -0400 Subject: [PATCH 16/42] Remove unnecessary quotes in the dependabot configuration We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. --- .github/dependabot.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fef57f5..60f04c0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,10 +7,10 @@ version: 2 updates: - - package-ecosystem: "github-actions" - directory: "/" + - package-ecosystem: github-actions + directory: / schedule: - interval: "weekly" + interval: weekly # ignore: # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache @@ -20,12 +20,12 @@ updates: # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate - - package-ecosystem: "pip" - directory: "/" + - package-ecosystem: pip + directory: / schedule: - interval: "weekly" + interval: weekly - - package-ecosystem: "terraform" - directory: "/" + - package-ecosystem: terraform + directory: / schedule: - interval: "weekly" + interval: weekly From 2294d4970596551c7c2c794b869d186dcda49921 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 13 Jul 2023 22:41:38 -0400 Subject: [PATCH 17/42] Sort the keys in the Dependabot configuration Our standard practice for YAML files is to sort keys alphabetically. --- .github/dependabot.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 60f04c0..da2c02c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,12 +5,8 @@ # these updates when the pull request(s) in the appropriate skeleton are merged # and Lineage processes these changes. -version: 2 updates: - - package-ecosystem: github-actions - directory: / - schedule: - interval: weekly + - directory: / # ignore: # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache @@ -19,13 +15,17 @@ updates: # - dependency-name: actions/setup-python # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate + package-ecosystem: github-actions + schedule: + interval: weekly - - package-ecosystem: pip - directory: / + - directory: / + package-ecosystem: pip schedule: interval: weekly - - package-ecosystem: terraform - directory: / + - directory: / + package-ecosystem: terraform schedule: interval: weekly +version: 2 From e678502adb77650dbd722134c469f20b5b46d32d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 18 Jul 2023 15:06:13 -0400 Subject: [PATCH 18/42] Delete duplicate word "are" Co-authored-by: David Harris --- .bandit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.bandit.yml b/.bandit.yml index 8ba42d1..ab3cb21 100644 --- a/.bandit.yml +++ b/.bandit.yml @@ -3,7 +3,7 @@ # https://bandit.readthedocs.io/en/latest/config.html # Tests are first included by `tests`, and then excluded by `skips`. -# If `tests` is empty, all tests are are considered included. +# If `tests` is empty, all tests are considered included. tests: # - B101 From 948ebdeee11f77759311f85d256f19b5c4d7204d Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 16 Aug 2023 10:20:21 -0400 Subject: [PATCH 19/42] Fix gosec stylization Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 00c5cdf..ec15b7d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -85,7 +85,7 @@ jobs: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install GoSec + - name: Install gosec env: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} From 98d3d3f6914b4601cf9d194ed7d750224a4fb401 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 22 Aug 2023 10:18:25 -0400 Subject: [PATCH 20/42] Revert "Temporarily use a different branch of cisagov/setup-env-github-action" This reverts commit ddbf6f7f6c7cb928ce9bc22f1ae3b1796f0602e7. This can be done now that cisagov/setup-env-github-action#65 has been merged. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ec15b7d..34c3c6c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - id: setup-env - uses: cisagov/setup-env-github-action@add-go-actions-for-go-skeleton + uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v3 - id: setup-python uses: actions/setup-python@v4 From 82db36a453deda26c99ee231879486b9e2d9ac1a Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 28 Aug 2023 11:06:36 -0400 Subject: [PATCH 21/42] Add nixfmt pre-commit hook --- .pre-commit-config.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6b87032..e7262f6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -79,6 +79,12 @@ repos: # GoSec - id: go-sec-repo-mod + # Nix hooks + - repo: https://github.com/nix-community/nixpkgs-fmt + rev: v1.3.0 + hooks: + - id: nixpkgs-fmt + # Shell script hooks - repo: https://github.com/cisagov/pre-commit-shfmt rev: v0.0.2 From c0b5d5bb6cb644bf85171a8f5c89dfc3c770662f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Sep 2023 18:19:17 +0000 Subject: [PATCH 22/42] Bump actions/checkout from 3 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c992e8e..3b38f76 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,7 +19,7 @@ jobs: steps: - id: setup-env uses: cisagov/setup-env-github-action@develop - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index ae7c091..b6f2024 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -19,7 +19,7 @@ jobs: issues: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Sync repository labels if: success() uses: crazy-max/ghaction-github-labeler@v4 From b04654e922ec4eef978022b67374a2ab3cffab4c Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 11 Sep 2023 01:57:49 -0400 Subject: [PATCH 23/42] Bump crazy-max/ghaction-github-labeler from 4 to 5 --- .github/workflows/sync-labels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index ae7c091..1c107e4 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -22,7 +22,7 @@ jobs: - uses: actions/checkout@v3 - name: Sync repository labels if: success() - uses: crazy-max/ghaction-github-labeler@v4 + uses: crazy-max/ghaction-github-labeler@v5 with: # This is a hideous ternary equivalent so we only do a dry run unless # this workflow is triggered by the develop branch. From 49ac8c505181e79caefc12cfc2f8e906c1e88ab2 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 11 Sep 2023 01:59:09 -0400 Subject: [PATCH 24/42] Update the dependabot ignore configuration Add crazy-max/ghaction-github-labeler as a commented out dependency to ignore in the dependabot configuration file. This should be enabled in downstream projects to consolidate updating this Action to the cisagov/skeleton-generic repository. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fef57f5..e1f2f34 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -17,6 +17,7 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate From 94d753d10d8106be1e4634bac6a27c0fbfb51c40 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 3 Aug 2023 19:10:29 -0400 Subject: [PATCH 25/42] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5b7035..dad86ae 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,13 +31,13 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.34.0 + rev: v0.36.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.0.0-alpha.9-for-vscode + rev: v3.0.3 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint @@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.23.1 + rev: 0.26.3 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.3.2 + rev: v3.4.0 hooks: - id: validate_manifest @@ -113,11 +113,11 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 23.3.0 + rev: 23.9.1 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 6.0.0 + rev: 6.1.0 hooks: - id: flake8 additional_dependencies: @@ -127,24 +127,24 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.3.0 + rev: v1.5.1 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.4.0 + rev: v3.10.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v6.17.0 + rev: v6.19.0 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.80.0 + rev: v1.83.2 hooks: - id: terraform_fmt - id: terraform_validate From 1bc2056836e544c813d944150932075bb7251e33 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 11 Sep 2023 17:50:36 -0400 Subject: [PATCH 26/42] Switch to the pre-commit mirror for black This mirror was created to leverage performance optimizations from mypyc wheels that are available if black is installed from PyPI. These wheels are not available if black is installed from source as it would be using the old URL. Please see psf/black#3828 and psf/black#3405 for more information. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index dad86ae..34f0253 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -112,7 +112,7 @@ repos: - id: bandit args: - --config=.bandit.yml - - repo: https://github.com/psf/black + - repo: https://github.com/psf/black-pre-commit-mirror rev: 23.9.1 hooks: - id: black From a62ebe79e749b4e66b1f2122b3f866fd6ab8c23e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 29 Aug 2023 17:10:03 -0400 Subject: [PATCH 27/42] Add the crazy-max/ghaction-github-status GitHub action This action is added in a separate "diagnostics" job. As configured it will never fail, but it will print out the status of the various GitHub components. This information will sometimes be useful when determining why builds fail after the fact. Co-authored-by: Mark Feldhousen Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9ab2270..2fdd39d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -14,6 +14,7 @@ updates: # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python # - dependency-name: crazy-max/ghaction-github-labeler + # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate package-ecosystem: github-actions diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c08880f..9382c48 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -14,6 +14,12 @@ env: RUN_TMATE: ${{ secrets.RUN_TMATE }} jobs: + diagnostics: + runs-on: ubuntu-latest + steps: + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v3 lint: runs-on: ubuntu-latest steps: From 3619c455e6bb559ed74f7f320026badcaa603ad9 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 09:48:01 -0400 Subject: [PATCH 28/42] Make the lint job depend on the diagnostics job Even though the diagnostics job is not currently configured to fail due to the GitHub status, it is still true that if the job is unable to run that does not bode well for the lint job's successful execution. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9382c48..1049da9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,6 +21,8 @@ jobs: name: Check GitHub status uses: crazy-max/ghaction-github-status@v3 lint: + needs: + - diagnostics runs-on: ubuntu-latest steps: - id: setup-env From f4370660795e7d97f3e5ef0d582ed5754b2c267f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 10:35:45 -0400 Subject: [PATCH 29/42] Add a GH Action to dump the context This can be useful when debugging why a GH Action failed. Co-authored-by: felddy --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2fdd39d..dbb9b73 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,6 +13,7 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-terraform diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1049da9..346fd81 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -20,6 +20,9 @@ jobs: - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v3 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 lint: needs: - diagnostics From c5e56a21c70e033b2093355b630dd172f85614f2 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 10:36:31 -0400 Subject: [PATCH 30/42] Give the diagnostics job a descriptive name --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 346fd81..53c76f7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,6 +15,7 @@ env: jobs: diagnostics: + name: Run diagnostics runs-on: ubuntu-latest steps: - id: github-status From 9afb516c20153c850088cfcc8318d7df3e68da92 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 10:47:40 -0400 Subject: [PATCH 31/42] Add the step-security/harden-runner GH Action This GH Action is being configured to run in audit mode. It should warn us if an Action is reaching out to an unexpected web address, overwriting source code, etc. Co-authored-by: felddy --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index dbb9b73..17220c6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -18,6 +18,7 @@ updates: # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate + # - dependency-name: step-security/harden-runner package-ecosystem: github-actions schedule: interval: weekly diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 53c76f7..2fda8f7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,11 @@ jobs: name: Run diagnostics runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v3 From 9dc773cae76fcb144a8fde5b26118e915dea1a03 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 12:44:35 -0400 Subject: [PATCH 32/42] Add a harden-runner task to the lint job as well This task can only provide coverage for the job that contains it. --- .github/workflows/build.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2fda8f7..3fbeff2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,6 +34,11 @@ jobs: - diagnostics runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From bb81ec3a0418359c28fc495524959f9f897557b8 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 15:15:16 -0400 Subject: [PATCH 33/42] Add a reminder We need a reminder add the step-security/harden-runner action at the top of every job. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3fbeff2..e7b75a4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,8 @@ jobs: name: Run diagnostics runs-on: ubuntu-latest steps: + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 From 730485747b7df3f325b8949ffeeac1a4493d3607 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 15:47:26 -0400 Subject: [PATCH 34/42] Enable dependabot ignore directives Enable the new dependabot ignore directives that were added in cisagov/skeleton-generic. --- .github/dependabot.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 633713c..ac4c7a2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -18,12 +18,12 @@ updates: - dependency-name: actions/checkout - dependency-name: actions/setup-go - dependency-name: actions/setup-python - # - dependency-name: crazy-max/ghaction-dump-context - # - dependency-name: crazy-max/ghaction-github-labeler - # - dependency-name: crazy-max/ghaction-github-status + - dependency-name: crazy-max/ghaction-dump-context + - dependency-name: crazy-max/ghaction-github-labeler + - dependency-name: crazy-max/ghaction-github-status - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate - # - dependency-name: step-security/harden-runner + - dependency-name: step-security/harden-runner # Managed by cisagov/skeleton-docker # - dependency-name: actions/download-artifact # - dependency-name: actions/github-script From d86ac5b31a735d399dda9f5d1bf665d4995a7408 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 15:47:55 -0400 Subject: [PATCH 35/42] Remove unnecessary quotes in the dependabot configuration We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic. --- .github/dependabot.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ac4c7a2..6594ea3 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,10 +6,10 @@ # and Lineage processes these changes. updates: - - package-ecosystem: "docker" - directory: "/" + - package-ecosystem: docker + directory: / schedule: - interval: "weekly" + interval: weekly - directory: / ignore: From 4186c1a39deae02ee9a6a2f5a016d9d81094cb77 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 15:48:33 -0400 Subject: [PATCH 36/42] Sort the keys in the Dependabot configuration Our standard practice for YAML files is to sort keys alphabetically. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic. --- .github/dependabot.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6594ea3..336eaec 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,8 +6,8 @@ # and Lineage processes these changes. updates: - - package-ecosystem: docker - directory: / + - directory: / + package-ecosystem: docker schedule: interval: weekly From 95cb00540a72411011b593dde0d0142f7af38cfb Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 15:49:56 -0400 Subject: [PATCH 37/42] Bump actions/checkout from 3 to 4 This updates the remaining declarations to match what was pulled down from cisagov/skeleton-generic. --- .github/workflows/build.yml | 8 ++++---- .github/workflows/codeql-analysis.yml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1f16c18..2a11aed 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -213,7 +213,7 @@ jobs: source_version: ${{ steps.prep.outputs.source_version }} tags: ${{ steps.prep.outputs.tags }} steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Gather repository metadata id: repo uses: actions/github-script@v6 @@ -272,7 +272,7 @@ jobs: needs: [prepare] steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx @@ -341,7 +341,7 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: @@ -404,7 +404,7 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index bf0d148..05364ee 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From c9f43e4a04c102eb4eace787579a3e628ccbc2fb Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 15:54:02 -0400 Subject: [PATCH 38/42] Update job dependencies for the build.yml workflow Add the `diagnostics` job as a dependency for the other jobs. Reformat the dependencies for those jobs to match the formatting of the `lint` job. This aligns with what was pulled down from cisagov/skeleton-generic. --- .github/workflows/build.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2a11aed..dd6674b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -206,6 +206,8 @@ jobs: # # Scheduled builds are tagged with `:nightly`. name: "Prepare build variables" + needs: + - diagnostics runs-on: ubuntu-latest outputs: created: ${{ steps.prep.outputs.created }} @@ -269,7 +271,9 @@ jobs: # as an artifact and loaded by the test job. name: "Build test image" runs-on: ubuntu-latest - needs: [prepare] + needs: + - diagnostics + - prepare steps: - name: Checkout uses: actions/checkout@v4 @@ -339,7 +343,9 @@ jobs: # Executes tests on the single-platform image created in the "build" job. name: "Test image" runs-on: ubuntu-latest - needs: [build] + needs: + - diagnostics + - build steps: - uses: actions/checkout@v4 - id: setup-python @@ -385,7 +391,11 @@ jobs: # triggering event is a pull request. name: "Build and push all platforms" runs-on: ubuntu-latest - needs: [lint, prepare, test] + needs: + - diagnostics + - lint + - prepare + - test if: github.event_name != 'pull_request' # When Dependabot creates a PR it requires this permission in # order to push Docker images to ghcr.io. From 138fc0f77abde1ae3d012a3d4f974ab5fce134c4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 15:56:49 -0400 Subject: [PATCH 39/42] Adjust key ordering for jobs in the build.yml workflow Ensure that top-level keys except for `steps` are alphabetically sorted. --- .github/workflows/build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index dd6674b..843798c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -208,12 +208,12 @@ jobs: name: "Prepare build variables" needs: - diagnostics - runs-on: ubuntu-latest outputs: created: ${{ steps.prep.outputs.created }} repometa: ${{ steps.repo.outputs.result }} source_version: ${{ steps.prep.outputs.source_version }} tags: ${{ steps.prep.outputs.tags }} + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Gather repository metadata @@ -270,10 +270,10 @@ jobs: # Builds a single test image for the native platform. This image is saved # as an artifact and loaded by the test job. name: "Build test image" - runs-on: ubuntu-latest needs: - diagnostics - prepare + runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 @@ -342,10 +342,10 @@ jobs: test: # Executes tests on the single-platform image created in the "build" job. name: "Test image" - runs-on: ubuntu-latest needs: - diagnostics - build + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - id: setup-python @@ -389,18 +389,18 @@ jobs: # GitHub Container Registry. The contents of README.md are pushed as the # image's description to Docker Hub. This job is skipped when the # triggering event is a pull request. + if: github.event_name != 'pull_request' name: "Build and push all platforms" - runs-on: ubuntu-latest needs: - diagnostics - lint - prepare - test - if: github.event_name != 'pull_request' # When Dependabot creates a PR it requires this permission in # order to push Docker images to ghcr.io. permissions: packages: write + runs-on: ubuntu-latest steps: - name: Login to Docker Hub uses: docker/login-action@v2 From 7eefae068b22a3c0ee2ea116073f5a60dc8c7f93 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 15:58:11 -0400 Subject: [PATCH 40/42] Remove unnecessary quotes in the build.yml workflow We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic. --- .github/workflows/build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 843798c..91ab0d4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -55,7 +55,7 @@ jobs: lint: # Checks out the source and runs pre-commit hooks. Detects coding errors # and style deviations. - name: "Lint sources" + name: Lint sources needs: - diagnostics runs-on: ubuntu-latest @@ -205,7 +205,7 @@ jobs: # with the value specified by the user. # # Scheduled builds are tagged with `:nightly`. - name: "Prepare build variables" + name: Prepare build variables needs: - diagnostics outputs: @@ -269,7 +269,7 @@ jobs: build: # Builds a single test image for the native platform. This image is saved # as an artifact and loaded by the test job. - name: "Build test image" + name: Build test image needs: - diagnostics - prepare @@ -341,7 +341,7 @@ jobs: if: env.RUN_TMATE test: # Executes tests on the single-platform image created in the "build" job. - name: "Test image" + name: Test image needs: - diagnostics - build @@ -390,7 +390,7 @@ jobs: # image's description to Docker Hub. This job is skipped when the # triggering event is a pull request. if: github.event_name != 'pull_request' - name: "Build and push all platforms" + name: Build and push all platforms needs: - diagnostics - lint From 4380bec4127a2bcec24a4da54c8d595afb62b4ad Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 16:31:44 -0400 Subject: [PATCH 41/42] Add runner hardening to all jobs in our workflows This aligns with what was done to the `lint` job of the build.yml workflow that was inherited from cisagov/skeleton-generic. --- .github/workflows/build.yml | 20 ++++++++++++++++++++ .github/workflows/codeql-analysis.yml | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 91ab0d4..fd30a13 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -215,6 +215,11 @@ jobs: tags: ${{ steps.prep.outputs.tags }} runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - uses: actions/checkout@v4 - name: Gather repository metadata id: repo @@ -275,6 +280,11 @@ jobs: - prepare runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checkout uses: actions/checkout@v4 - name: Set up QEMU @@ -347,6 +357,11 @@ jobs: - build runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 @@ -402,6 +417,11 @@ jobs: packages: write runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Login to Docker Hub uses: docker/login-action@v2 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 05364ee..ef6bfb7 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -37,6 +37,12 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@v4 From f0f3e1105babf9b6595b3b54a899e6b545315e92 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 16:35:34 -0400 Subject: [PATCH 42/42] Remove unnecessary quotes in the codeql-analysis.yml workflow We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic. --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ef6bfb7..41309ce 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -4,7 +4,7 @@ # # You may wish to alter this file to override the set of languages analyzed, # or to provide custom queries or build logic. -name: "CodeQL" +name: CodeQL on: push: