⚠️ CONFLICT! Lineage pull request for: skeleton

.github/CODEOWNERS

@@ -3,8 +3,8 @@
 # These owners will be the default owners for everything in the
 # repo. Unless a later match takes precedence, these owners will be
 # requested for review when someone opens a pull request.
-* @dav3r @felddy @hillaryj @jsf9k @mcdonnnj
+* @dav3r @felddy @jsf9k @mcdonnnj
 
 # These folks own any files in the .github directory at the root of
 # the repository and any of its subdirectories.
-/.github/ @dav3r @felddy @hillaryj @jsf9k @mcdonnnj
+/.github/ @dav3r @felddy @jsf9k @mcdonnnj

.github/lineage.yml

@@ -1,6 +1,5 @@
 ---
-version: "1"
-
 lineage:
   skeleton:
     remote-url: https://github.com/cisagov/skeleton-docker.git
+version: '1'

.github/workflows/build.yml

@@ -26,11 +26,13 @@ on:
 
 env:
   BUILDX_CACHE_DIR: ~/.cache/buildx
+  CURL_CACHE_DIR: ~/.cache/curl
   IMAGE_NAME: cisagov/certboto
   PIP_CACHE_DIR: ~/.cache/pip
   PLATFORMS: "linux/amd64,linux/arm/v6,linux/arm/v7,\
   linux/arm64,linux/ppc64le,linux/s390x"
   PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
+  RUN_TMATE: ${{ secrets.RUN_TMATE }}
 
 jobs:
   lint:
@@ -39,25 +41,88 @@ jobs:
     name: "Lint sources"
     runs-on: ubuntu-latest
     steps:
+      - uses: cisagov/setup-env-github-action@develop
       - uses: actions/checkout@v2
       - id: setup-python
         uses: actions/setup-python@v2
         with:
           python-version: 3.9
+      # GO_VERSION and GOCACHE are used by the cache task, so the Go
+      # installation must happen before that.
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '1.16'
+      - name: Store installed Go version
+        run: |
+          echo "GO_VERSION="\
+          "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" \
+          >> $GITHUB_ENV
+      - name: Lookup Go cache directory
+        id: go-cache
+        run: |
+          echo "::set-output name=dir::$(go env GOCACHE)"
       - uses: actions/cache@v2
         env:
           BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
-            py${{ steps.setup-python.outputs.python-version }}-"
+            py${{ steps.setup-python.outputs.python-version }}-\
+            go${{ env.GO_VERSION }}-\
+            packer${{ env.PACKER_VERSION }}-\
+            tf${{ env.TERRAFORM_VERSION }}-"
         with:
+          # Note that the .terraform directory IS NOT included in the
+          # cache because if we were caching, then we would need to use
+          # the `-upgrade=true` option. This option blindly pulls down the
+          # latest modules and providers instead of checking to see if an
+          # update is required. That behavior defeats the benefits of caching.
+          # so there is no point in doing it for the .terraform directory.
           path: |
             ${{ env.PIP_CACHE_DIR }}
             ${{ env.PRE_COMMIT_CACHE_DIR }}
+            ${{ env.CURL_CACHE_DIR }}
+            ${{ steps.go-cache.outputs.dir }}
           key: "${{ env.BASE_CACHE_KEY }}\
             ${{ hashFiles('**/requirements-test.txt') }}-\
             ${{ hashFiles('**/requirements.txt') }}-\
             ${{ hashFiles('**/.pre-commit-config.yaml') }}"
           restore-keys: |
             ${{ env.BASE_CACHE_KEY }}
+      - name: Setup curl cache
+        run: mkdir -p ${{ env.CURL_CACHE_DIR }}
+      - name: Install Packer
+        run: |
+          PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
+          curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
+            --time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
+            --location \
+            "https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}"
+          sudo unzip -d /opt/packer \
+            ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}"
+          sudo mv /usr/local/bin/packer /usr/local/bin/packer-default
+          sudo ln -s /opt/packer/packer /usr/local/bin/packer
+      - name: Install Terraform
+        run: |
+          TERRAFORM_ZIP="terraform_${TERRAFORM_VERSION}_linux_amd64.zip"
+          curl --output ${{ env.CURL_CACHE_DIR }}/"${TERRAFORM_ZIP}" \
+            --time-cond ${{ env.CURL_CACHE_DIR }}/"${TERRAFORM_ZIP}" \
+            --location \
+            "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/${TERRAFORM_ZIP}"
+          sudo unzip -d /opt/terraform \
+            ${{ env.CURL_CACHE_DIR }}/"${TERRAFORM_ZIP}"
+          sudo mv /usr/local/bin/terraform /usr/local/bin/terraform-default
+          sudo ln -s /opt/terraform/terraform /usr/local/bin/terraform
+      - name: Install shfmt
+        run: go install mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION}
+      - name: Install Terraform-docs
+        run: |
+          go install \
+            github.com/terraform-docs/terraform-docs@${TERRAFORM_DOCS_VERSION}
+      - name: Find and initialize Terraform directories
+        run: |
+          for path in $(find . -not \( -type d -name ".terraform" -prune \) \
+            -type f -iname "*.tf" -exec dirname "{}" \; | sort -u); do \
+            echo "Initializing '$path'..."; \
+            terraform init -input=false -backend=false "$path"; \
+            done
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
@@ -66,7 +131,9 @@ jobs:
         run: pre-commit install-hooks
       - name: Run pre-commit on all files
         run: pre-commit run --all-files
-
+      - name: Setup tmate debug session
+        uses: mxschmitt/action-tmate@v3
+        if: env.RUN_TMATE
   prepare:
     # Calculates and publishes outputs that are used by other jobs.
     #
@@ -79,13 +146,13 @@ jobs:
     #     The source version as reported by the `bump_version.sh show` command.
     #   tags:
     #     A comma separated list of Docker tags to be applied to the images on
-    #     DockerHub.  The tags will vary depending on:
+    #     Docker Hub.  The tags will vary depending on:
     #     - The event that triggered the build.
     #     - The branch the build is based upon.
     #     - The git tag the build is based upon.
     #
     #     When a build is based on a git tag of the form `v*.*.*` the image will
-    #     be tagged on DockerHub with multiple levels of version specificity.
+    #     be tagged on Docker Hub with multiple levels of version specificity.
     #     For example, a git tag of `v1.2.3+a` will generate Docker tags of
     #     `:1.2.3_a`, `:1.2.3`, `:1.2`, `:1`, and `:latest`.
     #
@@ -119,7 +186,7 @@ jobs:
       - uses: actions/checkout@v2
       - name: Gather repository metadata
         id: repo
-        uses: actions/github-script@v3
+        uses: actions/github-script@v4
         with:
           script: |
             const repo = await github.repos.get(context.repo)
@@ -164,10 +231,9 @@ jobs:
           echo ::set-output name=source_version::$(./bump_version.sh show)
           echo ::set-output name=tags::${TAGS}
           echo tags=${TAGS}
-      - name: Setup debug session remote shell
+      - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
-        if: github.event.inputs.remote-shell == 'true'
-
+        if: github.event.inputs.remote-shell == 'true' || env.RUN_TMATE
   build:
     # Builds a single test image for the native platform.  This image is saved
     # as an artifact and loaded by the test job.
@@ -236,7 +302,9 @@ jobs:
         with:
           name: dist
           path: dist
-
+      - name: Setup tmate debug session
+        uses: mxschmitt/action-tmate@v3
+        if: env.RUN_TMATE
   test:
     # Executes tests on the single-platform image created in the "build" job.
     name: "Test image"
@@ -275,20 +343,22 @@ jobs:
         env:
           RELEASE_TAG: ${{ github.event.release.tag_name }}
         run: pytest --runslow
-
+      - name: Setup tmate debug session
+        uses: mxschmitt/action-tmate@v3
+        if: env.RUN_TMATE
   build-push-all:
     # Builds the final set of images for each of the platforms listed in
     # PLATFORMS environment variable.  These images are tagged with the Docker
-    # tags calculated in the "prepare" job and pushed to DockerHub and the
+    # tags calculated in the "prepare" job and pushed to Docker Hub and the
     # GitHub Container Registry.  The contents of README.md are pushed as the
-    # image's description to DockerHub.  This job is skipped when the triggering
-    # event is a pull request.
+    # image's description to Docker Hub.  This job is skipped when the
+    # triggering event is a pull request.
     name: "Build and push all platforms"
     runs-on: ubuntu-latest
     needs: [lint, prepare, test]
     if: github.event_name != 'pull_request'
     steps:
-      - name: Login to DockerHub
+      - name: Login to Docker Hub
         uses: docker/login-action@v1
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
@@ -359,3 +429,6 @@ jobs:
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         run: ./push_readme.sh
+      - name: Setup tmate debug session
+        uses: mxschmitt/action-tmate@v3
+        if: env.RUN_TMATE

.github/workflows/codeql-analysis.yml

@@ -9,6 +9,9 @@ name: "CodeQL"
 
 on:
   push:
+    # Dependabot triggered push events have read-only access, but uploading code
+    # scanning requires write access.
+    branches-ignore: [dependabot/**]
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [develop]

.gitignore

@@ -1,5 +1,12 @@
+# This file specifies intentionally untracked files that Git should ignore.
+# Files already tracked by Git are not affected.
+# See: https://git-scm.com/docs/gitignore
+
+## Docker ##
+Dockerfile-x
+
+## Python ##
 __pycache__
 .mypy_cache
 .pytest_cache
 .python-version
-Dockerfile-x

.mdl_config.yaml

@@ -0,0 +1,40 @@
+---
+
+# Default state for all rules
+default: true
+
+# MD003/heading-style/header-style - Heading style
+MD003:
+  # Enforce the ATX-closed style of header
+  style: "atx_closed"
+
+# MD004/ul-style - Unordered list style
+MD004:
+  # Enforce dashes for unordered lists
+  style: "dash"
+
+# MD013/line-length - Line length
+MD013:
+  # Do not enforce for code blocks
+  code_blocks: false
+  # Do not enforce for tables
+  tables: false
+
+# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the
+# same content
+MD024:
+  # Allow headers with the same content as long as they are not in the same
+  # parent heading
+  allow_different_nesting: true
+
+# MD029/ol-prefix - Ordered list item prefix
+MD029:
+  # Enforce the `1.` style for ordered lists
+  style: "one"
+
+# MD033/no-inline-html - Inline HTML
+MD033:
+  # The h1 and img elements are allowed to permit header images
+  allowed_elements:
+    - h1
+    - img