Skip to content

Commit

Permalink
Merge pull request #103 from cisagov/lineage/skeleton
Browse files Browse the repository at this point in the history 
⚠️ CONFLICT! Lineage pull request for: skeleton
  • Loading branch information
@jsf9k
jsf9k authored Nov 13, 2024
2 parents a0c6683 + 66f8478 commit 3eae1af
Show file tree
Hide file tree
Showing 15 changed files with 203 additions and 106 deletions.
28 changes: 14 additions & 14 deletions .github/CODEOWNERS
View file
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
Expand Up @@ -3,22 +3,22 @@
# These owners will be the default owners for everything in the
# repo. Unless a later match takes precedence, these owners will be
# requested for review when someone opens a pull request.
* @dav3r @jasonodoom @jsf9k @mcdonnnj
* @dav3r @jsf9k @mcdonnnj

# These folks own any files in the .github directory at the root of
# the repository and any of its subdirectories.
/.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.github/ @dav3r @felddy @jsf9k @mcdonnnj

# These folks own all linting configuration files.
/.ansible-lint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.bandit.yml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.flake8 @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.isort.cfg @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.mdl_config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.pre-commit-config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.prettierignore @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.yamllint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/requirements.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/requirements-dev.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/requirements-test.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/setup-env @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.ansible-lint @dav3r @felddy @jsf9k @mcdonnnj
/.bandit.yml @dav3r @felddy @jsf9k @mcdonnnj
/.flake8 @dav3r @felddy @jsf9k @mcdonnnj
/.isort.cfg @dav3r @felddy @jsf9k @mcdonnnj
/.mdl_config.yaml @dav3r @felddy @jsf9k @mcdonnnj
/.pre-commit-config.yaml @dav3r @felddy @jsf9k @mcdonnnj
/.prettierignore @dav3r @felddy @jsf9k @mcdonnnj
/.yamllint @dav3r @felddy @jsf9k @mcdonnnj
/requirements.txt @dav3r @felddy @jsf9k @mcdonnnj
/requirements-dev.txt @dav3r @felddy @jsf9k @mcdonnnj
/requirements-test.txt @dav3r @felddy @jsf9k @mcdonnnj
/setup-env @dav3r @felddy @jsf9k @mcdonnnj
3 changes: 3 additions & 0 deletions .github/dependabot.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,12 @@ updates:
- dependency-name: actions/checkout
- dependency-name: actions/setup-go
- dependency-name: actions/setup-python
- dependency-name: cisagov/setup-env-github-action
- dependency-name: crazy-max/ghaction-dump-context
- dependency-name: crazy-max/ghaction-github-labeler
- dependency-name: crazy-max/ghaction-github-status
- dependency-name: GitHubSecurityLab/actions-permissions
- dependency-name: hashicorp/setup-packer
- dependency-name: hashicorp/setup-terraform
- dependency-name: mxschmitt/action-tmate
- dependency-name: step-security/harden-runner
Expand Down
37 changes: 19 additions & 18 deletions .github/workflows/build.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@ defaults:
shell: bash -Eueo pipefail -x {0}

env:
CURL_CACHE_DIR: ~/.cache/curl
PIP_CACHE_DIR: ~/.cache/pip
PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
RUN_TMATE: ${{ secrets.RUN_TMATE }}
Expand All @@ -31,10 +30,18 @@ env:
jobs:
diagnostics:
name: Run diagnostics
# This job does not need any permissions
permissions: {}
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
Expand All @@ -49,8 +56,15 @@ jobs:
lint:
needs:
- diagnostics
permissions:
# actions/checkout needs this to fetch code
contents: read
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
Expand All @@ -76,7 +90,7 @@ jobs:
name: Lookup Go cache directory
run: |
echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
- uses: actions/cache@v3
- uses: actions/cache@v4
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
py${{ steps.setup-python.outputs.python-version }}-\
Expand All @@ -97,25 +111,12 @@ jobs:
path: |
${{ env.PIP_CACHE_DIR }}
${{ env.PRE_COMMIT_CACHE_DIR }}
${{ env.CURL_CACHE_DIR }}
${{ steps.go-cache.outputs.dir }}
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Setup curl cache
run: mkdir -p ${{ env.CURL_CACHE_DIR }}
- name: Install Packer
env:
PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
run: |
PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip"
curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
--time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \
--location \
"https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}"
sudo unzip -d /opt/packer \
${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}"
sudo mv /usr/local/bin/packer /usr/local/bin/packer-default
sudo ln -s /opt/packer/packer /usr/local/bin/packer
- uses: hashicorp/setup-packer@v3
with:
version: ${{ steps.setup-env.outputs.packer-version }}
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
Expand Down
19 changes: 16 additions & 3 deletions .github/workflows/sync-labels.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,27 +4,36 @@ name: sync-labels
on:
push:
paths:
- '.github/labels.yml'
- '.github/workflows/sync-labels.yml'
- .github/labels.yml
- .github/workflows/sync-labels.yml
workflow_dispatch:

permissions:
contents: read

jobs:
diagnostics:
name: Run diagnostics
# This job does not need any permissions
permissions: {}
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v3
uses: crazy-max/ghaction-github-status@v4
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
Expand All @@ -38,6 +47,10 @@ jobs:
issues: write
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
Expand Down
85 changes: 49 additions & 36 deletions .pre-commit-config.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,22 +4,30 @@ default_language_version:
python: python3

repos:
# Check the pre-commit configuration
- repo: meta
hooks:
- id: check-useless-excludes

- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
rev: v5.0.0
hooks:
- id: check-case-conflict
- id: check-executables-have-shebangs
- id: check-json
- id: check-merge-conflict
- id: check-shebang-scripts-are-executable
- id: check-symlinks
- id: check-toml
- id: check-vcs-permalinks
- id: check-xml
- id: debug-statements
- id: destroyed-symlinks
- id: detect-aws-credentials
args:
- --allow-missing-credentials
- id: detect-private-key
- id: end-of-file-fixer
exclude: files/(issue|motd)
- id: mixed-line-ending
args:
- --fix=lf
Expand All @@ -31,22 +39,15 @@ repos:

# Text file hooks
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.41.0
rev: v0.42.0
hooks:
- id: markdownlint
args:
- --config=.mdl_config.yaml
- repo: https://github.com/pre-commit/mirrors-prettier
# This is the last version of v3 available from the mirror. We should hold
# here until v4, which is currently in alpha, is more stable.
rev: v3.1.0
- repo: https://github.com/rbubley/mirrors-prettier
rev: v3.3.3
hooks:
- id: prettier
# This is the latest version of v3 available from NPM. The pre-commit
# mirror does not pull tags for old major versions once a new major
# version tag is published.
additional_dependencies:
- prettier@3.3.1
- repo: https://github.com/adrienverge/yamllint
rev: v1.35.1
hooks:
Expand All @@ -56,40 +57,40 @@ repos:

# GitHub Actions hooks
- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.28.4
rev: 0.29.4
hooks:
- id: check-github-actions
- id: check-github-workflows

# pre-commit hooks
- repo: https://github.com/pre-commit/pre-commit
rev: v3.7.1
rev: v4.0.1
hooks:
- id: validate_manifest

# Go hooks
- repo: https://github.com/TekWizely/pre-commit-golang
rev: v1.0.0-rc.1
hooks:
# Style Checkers
- id: go-critic
# StaticCheck
- id: go-staticcheck-repo-mod
# Go Build
- id: go-build-repo-mod
# Style Checkers
- id: go-critic
# goimports
- id: go-imports-repo
args:
# Write changes to files
- -w
# Go Mod Tidy
- id: go-mod-tidy-repo
# GoSec
- id: go-sec-repo-mod
# StaticCheck
- id: go-staticcheck-repo-mod
# Go Test
- id: go-test-repo-mod
# Go Vet
- id: go-vet-repo-mod
# GoSec
- id: go-sec-repo-mod
# goimports
- id: go-imports-repo
args:
# Write changes to files
- -w
# Nix hooks
- repo: https://github.com/nix-community/nixpkgs-fmt
rev: v1.3.0
Expand All @@ -98,7 +99,7 @@ repos:

# Shell script hooks
- repo: https://github.com/scop/pre-commit-shfmt
rev: v3.8.0-1
rev: v3.10.0-1
hooks:
- id: shfmt
args:
Expand All @@ -122,39 +123,51 @@ repos:

# Python hooks
- repo: https://github.com/PyCQA/bandit
rev: 1.7.8
rev: 1.7.10
hooks:
- id: bandit
args:
- --config=.bandit.yml
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 24.4.2
rev: 24.10.0
hooks:
- id: black
- repo: https://github.com/PyCQA/flake8
rev: 7.0.0
rev: 7.1.1
hooks:
- id: flake8
additional_dependencies:
- flake8-docstrings
- flake8-docstrings==1.7.0
- repo: https://github.com/PyCQA/isort
rev: 5.13.2
hooks:
- id: isort
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.10.0
rev: v1.13.0
hooks:
- id: mypy
additional_dependencies:
- types-pyyaml
- repo: https://github.com/pypa/pip-audit
rev: v2.7.3
hooks:
- id: pip-audit
args:
# Add any pip requirements files to scan
- --requirement
- requirements-dev.txt
- --requirement
- requirements-test.txt
- --requirement
- requirements.txt
- repo: https://github.com/asottile/pyupgrade
rev: v3.15.2
rev: v3.19.0
hooks:
- id: pyupgrade

# Ansible hooks
- repo: https://github.com/ansible/ansible-lint
rev: v24.6.0
rev: v24.9.2
hooks:
- id: ansible-lint
additional_dependencies:
Expand All @@ -179,7 +192,7 @@ repos:

# Terraform hooks
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.90.0
rev: v1.96.1
hooks:
- id: terraform_fmt
- id: terraform_validate
Expand All @@ -192,7 +205,7 @@ repos:

# Packer hooks
- repo: https://github.com/cisagov/pre-commit-packer
rev: v0.0.2
rev: v0.3.0
hooks:
- id: packer_validate
- id: packer_fmt
- id: packer_validate
Loading

0 comments on commit 3eae1af

Please sign in to comment.