From 162e2c2459cbf565584686a04cc59fab81101843 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 20 Nov 2024 14:40:23 -0500 Subject: [PATCH 01/49] Fix spelling error in comment --- setup-env | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 059ccad..f3304d9 100755 --- a/setup-env +++ b/setup-env @@ -74,7 +74,8 @@ check_python_version() { "invalid version of Python." exit 1 # Else if the Python version isn't installed then notify the user. - # grep -E is used for searching through text lines that match the specific verison. + # grep -E is used for searching through text lines that match the + # specific version. elif ! python_versions | grep -E "^${version}$" > /dev/null; then echo "Error: Python version $version is not installed." echo "Installed Python versions are:" From 5a3ac91d11700566e7df2bb926a13301e5912096 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 15 Nov 2021 11:47:49 -0500 Subject: [PATCH 02/49] Adjust the indentation rule for yamllint Use a specific number of spaces instead of the default of only caring if the number of spaces used is consistent within a file. Ensure that block sequences inside of mappings are indented. --- .yamllint | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.yamllint b/.yamllint index 2a119a6..56e6d6e 100644 --- a/.yamllint +++ b/.yamllint @@ -8,6 +8,12 @@ rules: # this behavior. comments-indentation: disable + indentation: + # Ensure that block sequences inside of a mapping are indented + indent-sequences: true + # Enforce a specific number of spaces + spaces: 2 + # yamllint does not allow inline mappings that exceed the line length by # default. There are many scenarios where the inline mapping may be a key, # hash, or other long value that would exceed the line length but cannot From ac080edea412b521cc37c732e6817a0d6ed26694 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 15 Nov 2021 11:55:41 -0500 Subject: [PATCH 03/49] Update yamllint to disallow non-empty flow collection styles The use of flow sequences and mappings is not as readable as block collections and so should be discouraged. Since it is a cleaner representation for empty collections we will allow those, but if an application otherwise requires flow collections they can be explicitly enabled by disabling the checks per https://yamllint.readthedocs.io/en/stable/disable_with_comments.html --- .yamllint | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.yamllint b/.yamllint index 56e6d6e..59fd2e9 100644 --- a/.yamllint +++ b/.yamllint @@ -2,6 +2,14 @@ extends: default rules: + braces: + # Do not allow non-empty flow mappings + forbid: non-empty + + brackets: + # Do not allow non-empty flow sequences + forbid: non-empty + # yamllint does not like it when you comment out different parts of # dictionaries in a list. You can see # https://github.com/adrienverge/yamllint/issues/384 for some examples of From 66cdbf548778a40b321d8142ab481e8c43202995 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 4 Dec 2024 06:12:04 -0500 Subject: [PATCH 04/49] Add yamllint configuration settings to appease ansible-lint When running ansible-lint it will throw the following warning with our current configuration: WARNING Found incompatible custom yamllint configuration (.yamllint), please either remove the file or edit it to comply with: - comments.min-spaces-from-content must be 1 - braces.max-spaces-inside must be 1 - octal-values.forbid-implicit-octal must be true - octal-values.forbid-explicit-octal must be true. Thus we implement these configuration rules. --- .yamllint | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.yamllint b/.yamllint index 59fd2e9..0a2af51 100644 --- a/.yamllint +++ b/.yamllint 
@@ -5,11 +5,18 @@ rules: braces: # Do not allow non-empty flow mappings forbid: non-empty + # Allow up to one space inside braces. This is required for Ansible compatibility. + max-spaces-inside: 1 brackets: # Do not allow non-empty flow sequences forbid: non-empty + comments: + # Ensure that inline comments have at least one space before the preceding content. + # This is required for Ansible compatibility. + min-spaces-from-content: 1 + # yamllint does not like it when you comment out different parts of # dictionaries in a list. You can see # https://github.com/adrienverge/yamllint/issues/384 for some examples of @@ -32,6 +39,17 @@ rules: # Allows a 10% overage from the default limit of 80 max: 88 + # Using anything other than strings to express octal values can lead to unexpected + # and potentially unsafe behavior. Ansible strongly recommends against such practices + # and these rules are needed for Ansible compatibility. Please see the following for + # more information: + # https://ansible.readthedocs.io/projects/lint/rules/risky-octal/ + octal-values: + # Do not allow explicit octal values (those beginning with a leading 0o). + forbid-explicit-octal: true + # Do not allow implicit octal values (those beginning with a leading 0). + forbid-implicit-octal: true + # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable From dd102fe0adb490098968509c79530bd13af52a86 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 4 Dec 2024 06:28:15 -0500 Subject: [PATCH 05/49] Re-enable the yamllint truthy rule Previously we disabled the `truthy` rule due to Ansible's use of `yes`/`no` for boolean values. That is no longer the case and the default configuration used by ansible-lint now has this rule enabled. The use of `on` as a key in GitHub Actions workflow syntax means we needed to add disable-line comments for the truthy rule. --- .github/workflows/build.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- .yamllint | 4 ---- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 15a004c..082f150 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,7 +1,7 @@ --- name: build -on: +on: # yamllint disable-line rule:truthy merge_group: types: - checks_requested diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0005147..b8ecfa6 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -1,7 +1,7 @@ --- name: sync-labels -on: +on: # yamllint disable-line rule:truthy push: paths: - .github/labels.yml diff --git a/.yamllint b/.yamllint index 0a2af51..de2e183 100644 --- a/.yamllint +++ b/.yamllint @@ -49,7 +49,3 @@ rules: forbid-explicit-octal: true # Do not allow implicit octal values (those beginning with a leading 0). forbid-implicit-octal: true - - # yamllint doesn't like when we use yes and no for true and false, - # but that's pretty standard in Ansible. - truthy: disable From dc891af40f7c0e8d69a8e57c6bc32f8c16c340e5 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 4 Dec 2024 16:12:32 -0500 Subject: [PATCH 06/49] Configure quoted strings rule for yamllint Add a configuration for the `quoted-strings` rule that matches our best practices. Other files are updated to comply with these new settings. --- .github/labels.yml | 40 ++++++++++++++++++------------------- .github/workflows/build.yml | 8 ++++---- .mdl_config.yaml | 14 ++++++------- .yamllint | 11 ++++++++++ 4 files changed, 42 insertions(+), 31 deletions(-) diff --git a/.github/labels.yml b/.github/labels.yml index 5b16492..fe9a53e 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
@@ -2,69 +2,69 @@ # Rather than breaking up descriptions into multiline strings we disable that # specific rule in yamllint for this file. # yamllint disable rule:line-length -- color: "eb6420" +- color: eb6420 description: This issue or pull request is awaiting the outcome of another issue or pull request name: blocked - color: "000000" description: This issue or pull request involves changes to existing functionality name: breaking change -- color: "d73a4a" +- color: d73a4a description: This issue or pull request addresses broken functionality name: bug -- color: "07648d" +- color: 07648d description: This issue will be advertised on code.gov's Open Tasks page (https://code.gov/open-tasks) name: code.gov -- color: "0366d6" +- color: 0366d6 description: Pull requests that update a dependency file name: dependencies -- color: "5319e7" +- color: 5319e7 description: This issue or pull request improves or adds to documentation name: documentation -- color: "cfd3d7" +- color: cfd3d7 description: This issue or pull request already exists or is covered in another issue or pull request name: duplicate -- color: "b005bc" +- color: b005bc description: A high-level objective issue encompassing multiple issues instead of a specific unit of work name: epic - color: "000000" description: Pull requests that update GitHub Actions code name: github-actions -- color: "0e8a16" +- color: 0e8a16 description: This issue or pull request is well-defined and good for newcomers name: good first issue -- color: "ff7518" +- color: ff7518 description: Pull request that should count toward Hacktoberfest participation name: hacktoberfest-accepted -- color: "a2eeef" +- color: a2eeef description: This issue or pull request will add or improve functionality, maintainability, or ease of use name: improvement -- color: "fef2c0" +- color: fef2c0 description: This issue or pull request is not applicable, incorrect, or obsolete name: invalid -- color: "ce099a" +- color: ce099a description: This pull 
request is ready to merge during the next Lineage Kraken release name: kraken 🐙 -- color: "a4fc5d" +- color: a4fc5d description: This issue or pull request requires further information name: need info -- color: "fcdb45" +- color: fcdb45 description: This pull request is awaiting an action or decision to move forward name: on hold -- color: "ef476c" +- color: ef476c description: This issue is a request for information or needs discussion name: question -- color: "d73a4a" +- color: d73a4a description: This issue or pull request addresses a security issue name: security -- color: "00008b" +- color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test -- color: "1d76db" +- color: 1d76db description: This issue or pull request pulls in upstream updates name: upstream update -- color: "d4c5f9" +- color: d4c5f9 description: This issue or pull request increments the version number name: version bump -- color: "ffffff" +- color: ffffff description: This issue will not be incorporated name: wontfix diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 082f150..98a9ebc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
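Review bot: Unquoting the `color` values makes them subject to implicit typing by whichever YAML parser reads this file, and that decision is now made by yamllint's PyYAML-based (YAML 1.1) resolver rather than by the consumer: `"000000"` correctly stays quoted because it resolves to an integer, but a value such as `123e45` is a string under YAML 1.1 and a float under the YAML 1.2 core schema that a JavaScript-based labeler action would likely use, so yamllint would not require quotes there while the consumer could still mangle it. Since the consuming parser is not visible in this diff, I would at least record the rule for future entries with a comment near the top of the file, e.g. `# Quote any color that would read as a number (all digits, or digits-e-digits) in a YAML 1.2 parser, and add a yamllint disable-line comment for it.`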
@@ -92,16 +92,16 @@ jobs: echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - uses: actions/cache@v4 env: - BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ + BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-\ go${{ steps.setup-go.outputs.go-version }}-\ packer${{ steps.setup-env.outputs.packer-version }}-\ - tf${{ steps.setup-env.outputs.terraform-version }}-" + tf${{ steps.setup-env.outputs.terraform-version }}- with: - key: "${{ env.BASE_CACHE_KEY }}\ + key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('**/.pre-commit-config.yaml') }}" + ${{ hashFiles('**/.pre-commit-config.yaml') }} # Note that the .terraform directory IS NOT included in the # cache because if we were caching, then we would need to use # the `-upgrade=true` option. This option blindly pulls down the diff --git a/.mdl_config.yaml b/.mdl_config.yaml index 4a650c1..1b48994 100644 --- a/.mdl_config.yaml +++ b/.mdl_config.yaml @@ -6,12 +6,12 @@ default: true # MD003/heading-style/header-style - Heading style MD003: # Enforce the ATX-closed style of header - style: "atx_closed" + style: atx_closed # MD004/ul-style - Unordered list style MD004: # Enforce dashes for unordered lists - style: "dash" + style: dash # MD013/line-length - Line length MD013: @@ -30,7 +30,7 @@ MD024: # MD029/ol-prefix - Ordered list item prefix MD029: # Enforce the `1.` style for ordered lists - style: "one" + style: one # MD033/no-inline-html - Inline HTML MD033: 
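Review bot: Removing the double quotes from `BASE_CACHE_KEY` and `key` changes their values, because a trailing `\` escapes the line break only inside a double-quoted scalar; in the plain multi-line scalars left here the backslash is literal and each folded line break becomes a space, so the cache key becomes something like `build-Linux-\ py3.12-\ go...` instead of the joined `build-Linux-py3.12-go...` the quoted form produced (easy to confirm from the cache step's logged key). yamllint's `quoted-strings` check compares the already-unescaped scalar value, which is why it reported these quotes as unnecessary. I would keep the double quotes on both scalars and suppress the rule with a `# yamllint disable-line rule:quoted-strings` comment on the line immediately before each of `BASE_CACHE_KEY:` and `key:`, or collapse each key onto a single line so no continuation is needed.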
@@ -42,19 +42,19 @@ MD033: # MD035/hr-style - Horizontal rule style MD035: # Enforce dashes for horizontal rules - style: "---" + style: --- # MD046/code-block-style - Code block style MD046: # Enforce the fenced style for code blocks - style: "fenced" + style: fenced # MD049/emphasis-style - Emphasis style should be consistent MD049: # Enforce asterisks as the style to use for emphasis - style: "asterisk" + style: asterisk # MD050/strong-style - Strong style should be consistent MD050: # Enforce asterisks as the style to use for strong - style: "asterisk" + style: asterisk diff --git a/.yamllint b/.yamllint index de2e183..00e85a6 100644 --- a/.yamllint +++ b/.yamllint @@ -49,3 +49,14 @@ rules: forbid-explicit-octal: true # Do not allow implicit octal values (those beginning with a leading 0). forbid-implicit-octal: true + + quoted-strings: + # Allow disallowed quotes (single quotes) for strings that contain allowed quotes + # (double quotes). + allow-quoted-quotes: true + # Apply these rules to keys in mappings as well + check-keys: true + # We prefer double quotes for strings when they are needed + quote-type: double + # Only require quotes when they are necessary for proper processing + required: only-when-needed From 03933fe233e5a6e41f8adf452e7e7b3e548236e4 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Mon, 10 Mar 2025 13:14:59 -0400 Subject: [PATCH 07/49] Add version file and bump_version script Also add semver as a dev requirement. I'd like to start versioning descendants of skeleton-ansible-role (in anticipation of pinning Ansible role versions at a future date), and I thought it would make sense to go ahead and implement this at the skeleton-generic level to force us to start versioning all repositories. Repositories that already version can ignore these changes when they flow down via Lineage, since they will already have their own version files and version-bumping script. --- bump-version | 172 +++++++++++++++++++++++++++++++++++++++++++ requirements-dev.txt | 2 + version.txt | 1 + 3 files changed, 175 insertions(+) create mode 100755 bump-version create mode 100644 version.txt diff --git a/bump-version b/bump-version new file mode 100755 index 0000000..15b4af1 --- /dev/null +++ b/bump-version 
@@ -0,0 +1,172 @@ +#!/usr/bin/env bash + +# bump-version [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show) +# bump-version --list-files + +set -o nounset +set -o errexit +set -o pipefail + +# Stores the canonical version for the project. +VERSION_FILE=version.txt +# Files that should be updated with the new version. +VERSION_FILES=("$VERSION_FILE") + +USAGE=$( + cat << END_OF_LINE +Update the version of the project. + +Usage: + ${0##*/} [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show) + ${0##*/} --list-files + ${0##*/} (-h | --help) + +Options: + -h | --help Show this message. + --push Perform a \`git push\` after updating the version. + --label LABEL Specify the label to use when updating the build or prerelease version. + --list-files List the files that will be updated when the version is bumped. +END_OF_LINE +) + +old_version=$(< "$VERSION_FILE") +# Comment out periods so they are interpreted as periods and don't +# just match any character +old_version_regex=${old_version//\./\\\.} +new_version="$old_version" + +bump_part="" +label="" +commit_prefix="Bump" +with_push=false +commands_with_label=("build" "prerelease") +commands_with_prerelease=("major" "minor" "patch") +with_prerelease=false + +####################################### +# Display an error message, the help information, and exit with a non-zero status. +# Arguments: +# Error message. +####################################### +function invalid_option() { + echo "$1" + echo "$USAGE" + exit 1 +} + +####################################### +# Bump the version using the provided command. +# Arguments: +# The version to bump. +# The command to bump the version. +# Returns: +# The new version. 
+####################################### +function bump_version() { + local temp_version + temp_version=$(python -c "import semver; print(semver.parse_version_info('$1').${2})") + echo "$temp_version" +} + +if [ $# -eq 0 ]; then + echo "$USAGE" + exit 1 +else + while [ $# -gt 0 ]; do + case $1 in + --push) + if [ "$with_push" = true ]; then + invalid_option "Push has already been set." + fi + + with_push=true + shift + ;; + --label) + if [ -n "$label" ]; then + invalid_option "Label has already been set." + fi + + label="$2" + shift 2 + ;; + build | finalize | major | minor | patch) + if [ -n "$bump_part" ]; then + invalid_option "Only one version part should be bumped at a time." + fi + + bump_part="$1" + shift + ;; + prerelease) + with_prerelease=true + shift + ;; + show) + echo "$old_version" + exit 0 + ;; + -h | --help) + echo "$USAGE" + exit 0 + ;; + --list-files) + printf '%s\n' "${VERSION_FILES[@]}" + exit 0 + ;; + *) + invalid_option "Invalid option: $1" + ;; + esac + done +fi + +if [ -n "$label" ] && [ "$with_prerelease" = false ] && [[ ! " ${commands_with_label[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then + invalid_option "Setting the label is only allowed for the following commands: ${commands_with_label[*]}" +fi + +if [ "$with_prerelease" = true ] && [ -n "$bump_part" ] && [[ ! 
" ${commands_with_prerelease[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then + invalid_option "Changing the prerelease is only allowed in conjunction with the following commands: ${commands_with_prerelease[*]}" +fi + +label_option="" +if [ -n "$label" ]; then + label_option="token='$label'" +fi + +if [ -n "$bump_part" ]; then + if [ "$bump_part" = "finalize" ]; then + commit_prefix="Finalize" + bump_command="finalize_version()" + elif [ "$bump_part" = "build" ]; then + bump_command="bump_${bump_part}($label_option)" + else + bump_command="bump_${bump_part}()" + fi + new_version=$(bump_version "$old_version" "$bump_command") + echo Changing version from "$old_version" to "$new_version" +fi + +if [ "$with_prerelease" = true ]; then + bump_command="bump_prerelease($label_option)" + temp_version=$(bump_version "$new_version" "$bump_command") + echo Changing version from "$new_version" to "$temp_version" + new_version="$temp_version" +fi + +tmp_file=/tmp/version.$$ +for version_file in "${VERSION_FILES[@]}"; do + if [ ! -f "$version_file" ]; then + echo Missing expected file: "$version_file" + exit 1 + fi + sed "s/$old_version_regex/$new_version/" "$version_file" > $tmp_file + mv $tmp_file "$version_file" +done + +git add "${VERSION_FILES[@]}" +git commit --message "$commit_prefix version from $old_version to $new_version" + +if [ "$with_push" = true ]; then + git push +fi diff --git a/requirements-dev.txt b/requirements-dev.txt index d84ee68..23d5741 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,2 +1,4 @@ --requirement requirements-test.txt ipython +# The bump-version script requires at least version 3 of semver. +semver>=3 diff --git a/version.txt b/version.txt new file mode 100644 index 0000000..8acdd82 --- /dev/null +++ b/version.txt @@ -0,0 +1 @@ +0.0.1 From 3401551afa5a894f9a0f82c86d3fd9e1b8cadf0f Mon Sep 17 00:00:00 2001 
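Review bot: `tmp_file=/tmp/version.$$` near the end of the script is a predictable path in a world-writable directory and is then used through unquoted `> $tmp_file` and `mv $tmp_file` redirections, so another local user who pre-creates or symlinks `/tmp/version.<pid>` can redirect the write or supply the content that `mv` installs over `version.txt`; use `tmp_file=$(mktemp)` with `trap 'rm -f "$tmp_file"' EXIT`, and quote it in `sed "s/$old_version_regex/$new_version/" "$version_file" > "$tmp_file"` and `mv "$tmp_file" "$version_file"`. Separately, `$label` from the command line and the contents of `version.txt` are spliced unescaped into the `python -c "...parse_version_info('$1').${2}"` source and into the `sed` replacement, so a value containing `'`, `/` or `&` will break or alter those commands; this is a local developer tool, so it is a robustness issue more than an exploit path, but validating `$label` against semver's identifier charset (`^[0-9A-Za-z.-]+$`) before use would close it.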
From: Jeremy Frasier Date: Mon, 10 Mar 2025 13:24:29 -0400 Subject: [PATCH 08/49] Bump version from 0.0.1 to 0.0.1-rc.1 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 8acdd82..871d40b 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.0.1 +0.0.1-rc.1 From 5b5a52684119ae107f2b1fedf9e4fb0b7757047a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:34:09 -0500 Subject: [PATCH 09/49] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 144df31..c165bde 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -39,17 +39,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.42.0 + rev: v0.44.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/rbubley/mirrors-prettier - rev: v3.3.3 + rev: v3.5.3 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.35.1 + rev: v1.37.0 hooks: - id: yamllint args: @@ -57,14 +57,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.4 + rev: 0.32.1 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.0.1 + rev: v4.2.0 hooks: - id: validate_manifest @@ -99,7 +99,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.10.0-1 + rev: v3.11.0-1 hooks: - id: shfmt args: 
@@ -123,31 +123,31 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.10 + rev: 1.8.3 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.10.0 + rev: 25.1.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.1.1 + rev: 7.1.2 hooks: - id: flake8 additional_dependencies: - flake8-docstrings==1.7.0 - repo: https://github.com/PyCQA/isort - rev: 5.13.2 + rev: 6.0.1 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.13.0 + rev: v1.15.0 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit - rev: v2.7.3 + rev: v2.8.0 hooks: - id: pip-audit args: @@ -159,13 +159,13 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.19.0 + rev: v3.19.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.10.0 + rev: v25.1.3 hooks: - id: ansible-lint additional_dependencies: @@ -209,7 +209,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.96.1 + rev: v1.98.0 hooks: - id: terraform_fmt - id: terraform_validate From da028eae03932a532ee61901b3dc8eea12f3728e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 15:16:38 -0500 Subject: [PATCH 10/49] Apply our standard job preamble via cisagov/action-job-preamble This new action simply applies our standard permissions monitoring and runner hardening. Using it allows us to DRY out the GH Actions workflows in our skeleton repositories a bit. --- .github/workflows/build.yml | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 98a9ebc..ac74007 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -36,17 +36,7 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + - uses: cisagov/action-job-preamble@first-commits - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 @@ -61,15 +51,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + - uses: cisagov/action-job-preamble@first-commits - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 0e93632ab21c50598e2cbf88ab5327705c1d8d7c Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 15:43:45 -0500 Subject: [PATCH 11/49] Set actions_permissions_config input --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ac74007..4d5f1cb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,6 +37,8 @@ jobs: # Note that a duplicate of this step must be added at the top of # each job. - uses: cisagov/action-job-preamble@first-commits + with: + actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 
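Review bot: Replacing the explicit `step-security/harden-runner@v2` step with `cisagov/action-job-preamble@first-commits` removes the only place this workflow declared its egress policy (`egress-policy: audit`), and `first-commits` is a branch name, so each run executes whatever that branch currently holds rather than a reviewed revision. Whether the preamble applies `audit` or `block`, and whether it exposes the policy as an input, is not visible here; I would record it on the `uses:` line, e.g. `# Applies harden-runner (egress-policy: audit) and actions-permissions monitoring` , and reference a tag or, better, a full commit SHA instead of a branch. The same change is made in both jobs of this file.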
@@ -52,6 +54,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: cisagov/action-job-preamble@first-commits + with: + actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 8b2ac55da906e27c05fea416d06129c7f8b98324 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 15:58:45 -0500 Subject: [PATCH 12/49] Add a friendly name to the cisagov/action-job-preamble steps --- .github/workflows/build.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4d5f1cb..b37436d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -36,7 +36,8 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: cisagov/action-job-preamble@first-commits + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status @@ -53,7 +54,8 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: cisagov/action-job-preamble@first-commits + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env From 864b5af7d95f396956972948484eec0cdbd6647b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 22:26:44 -0500 Subject: [PATCH 13/49] Add a Dependabot ignore directive for cisagov/action-job-preamble Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 81cd6bd..3521754 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -13,6 +13,7 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: cisagov/action-job-preamble # - dependency-name: cisagov/setup-env-github-action # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler From 8cdce2a0185d082b3896eedae10d7cfb363df2e7 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 22 Feb 2025 21:39:04 -0500 Subject: [PATCH 14/49] Update input name for cisagov/action-job-preamble --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b37436d..21ee0f1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,7 +39,7 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@first-commits with: - actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 @@ -57,7 +57,7 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@first-commits with: - actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 17b93ec6464a2e44a950889fb9e5e5456819a77f Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Sat, 22 Feb 2025 21:45:41 -0500 Subject: [PATCH 15/49] Remove two Dependabot ignore directives GitHubSecurityLab/actions-permissions and step-security/harden-runner are no longer direct dependencies since we are now using cisagov/action-job-preamble. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3521754..3df3371 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -18,11 +18,9 @@ updates: # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status - # - dependency-name: GitHubSecurityLab/actions-permissions # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate - # - dependency-name: step-security/harden-runner package-ecosystem: github-actions schedule: interval: weekly From 6a9e3314d8aebe6a1be685d32b0af092d6dc8324 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 22 Feb 2025 21:50:22 -0500 Subject: [PATCH 16/49] Use cisagov/action-job-preamble in sync-labels.yml workflow Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/sync-labels.yml | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index b8ecfa6..0683eed 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -20,17 +20,10 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 @@ -47,15 +40,10 @@ jobs: issues: write runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: - egress-policy: audit + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels if: success() From b5b3b9d0dd04767342997795bc4a288b222762c8 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sun, 23 Feb 2025 08:35:09 -0500 Subject: [PATCH 17/49] Use v1 tag of cisagov/action-job-preamble --- .github/workflows/build.yml | 4 ++-- .github/workflows/sync-labels.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 21ee0f1..e0546d2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -37,7 +37,7 @@ jobs: # Note that a duplicate of this step must be added at the top of # each job. - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status @@ -55,7 +55,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0683eed..9442a1c 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -21,7 +21,7 @@ jobs: # Note that a duplicate of this step must be added at the top of # each job. - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 From 3ec1b1f19ef6bbc7f698a36b40ec0bba7d7eb5bc Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 24 Feb 2025 13:28:48 -0500 Subject: [PATCH 18/49] Re-add comment explaining where the org var comes from Flesh out the comment a little so its meaning is clearer. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++++ .github/workflows/sync-labels.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e0546d2..fcd740b 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,6 +39,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status @@ -57,6 +59,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 9442a1c..0a27b59 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -23,6 +23,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status @@ -43,6 +45,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels From 764df0c1797700b585577850b96ca41f6ceb80d6 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Tue, 25 Feb 2025 14:43:59 -0500 Subject: [PATCH 19/49] Flesh out org var comment even more Make sure to mention that the permissions monitoring config can be changed by creating a repo-level variable; there is no need to modify the workflow. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 30 ++++++++++++++++++++++++++---- .github/workflows/sync-labels.yml | 30 ++++++++++++++++++++++++++---- 2 files changed, 52 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fcd740b..d9ca254 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,8 +39,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status 
@@ -59,8 +70,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0a27b59..351d33b 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -23,8 +23,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status @@ -45,8 +56,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels From c271b40846324b48f6c511209925f00a5a48264d Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Wed, 26 Mar 2025 11:34:33 -0400 Subject: [PATCH 20/49] Subsume GH status checks and context dumping into cisagov/action-job-preamble This action supports this functionality now, so we may as well take advantage of it. Also disable GH permissions monitoring, since that functionality is poorly implemented and has been causing a lot of problems due to the MITM implementation hogging or leaking memory. --- .github/dependabot.yml | 2 -- .github/workflows/build.yml | 16 ++++++++++------ .github/workflows/sync-labels.yml | 16 ++++++++++------ 3 files changed, 20 insertions(+), 14 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3df3371..7aa2f06 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -15,9 +15,7 @@ updates: # - dependency-name: actions/setup-python # - dependency-name: cisagov/action-job-preamble # - dependency-name: cisagov/setup-env-github-action - # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler - # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d9ca254..9ffe432 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,6 +39,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
@@ -53,12 +59,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 lint: needs: - diagnostics @@ -70,6 +70,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 351d33b..56859f2 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -23,6 +23,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level @@ -37,12 +43,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 labeler: needs: - diagnostics 
@@ -56,6 +56,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From c4b192b6b0465f460127884aeedc19727e0bf311 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 1 Mar 2025 23:06:00 -0500 Subject: [PATCH 21/49] Add a CodeQL workflow to this repository CodeQL now supports GitHub Actions as a language, so it makes sense to add such a workflow to this repository. See this link for more details: https://github.blog/changelog/2024-12-17-find-and-fix-actions-workflows-vulnerabilities-with-codeql-public-preview/ --- .github/workflows/codeql-analysis.yml | 112 ++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..0136466 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml 
@@ -0,0 +1,112 @@ +--- +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +name: CodeQL + +on: + merge_group: + types: + - checks_requested + push: + # Dependabot triggered push events have read-only access, but uploading code + # scanning requires write access. + branches-ignore: + - dependabot/** + pull_request: + # The branches below must be a subset of the branches above + branches: + - develop + schedule: + - cron: '0 2 * * 6' + +jobs: + diagnostics: + name: Run diagnostics + # This job does not need any permissions + permissions: {} + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v4 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 + analyze: + name: Analyze + needs: + - diagnostics + runs-on: ubuntu-latest + permissions: + # actions/checkout needs this to fetch code + contents: read + # required for all workflows + security-events: write + strategy: + fail-fast: false + matrix: + # Override automatic language detection by changing the below + # list + # + # Supported options are actions, c-cpp, csharp, go, + # java-kotlin, javascript-typescript, python, ruby, and swift. + language: + - actions + # Learn more... 
+ # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection + + steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + # Autobuild attempts to build any compiled languages (C/C++, C#, or + # Java). If this step fails, then you should remove it and run the build + # manually (see below). + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # âœī¸ If the Autobuild fails above, remove it and uncomment the following + # three lines and modify them (or add more) to build your code if your + # project uses a compiled language + + # - run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 From 0032cc2df6db1a1a472679933df3e95f8612a540 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Mon, 3 Mar 2025 15:19:29 -0500 Subject: [PATCH 22/49] Update comment to match what is in cisagov/skeleton-docker Also correctly sort YAML keys. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0136466..595f058 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
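Review bot: The `analyze` job's `permissions` block grants only `contents: read` and `security-events: write`; GitHub's CodeQL template also lists `actions: read`, which it documents as required for private repositories, so a private child of this skeleton would need that line added (`actions: read`) for result upload to work. The second half of the file is the upstream template's compiled-language boilerplate: with the matrix fixed to `actions`, the `Autobuild` step does nothing useful, and the comment lines above the commented-out `make` block contain mis-encoded characters (`â„šī¸`, `âœī¸`) where the template had emoji — either drop that section down to the analysis step or re-encode the comments. The `diagnostics` job correctly declares `permissions: {}`; a one-line comment on `security-events: write` saying it is needed for uploading SARIF results would make the only write grant in the file self-explanatory.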
@@ -10,15 +10,15 @@ on: merge_group: types: - checks_requested + pull_request: + # The branches here must be a subset of the ones in the push key + branches: + - develop push: - # Dependabot triggered push events have read-only access, but uploading code + # Dependabot-triggered push events have read-only access, but uploading code # scanning requires write access. branches-ignore: - dependabot/** - pull_request: - # The branches below must be a subset of the branches above - branches: - - develop schedule: - cron: '0 2 * * 6' From 0534337d4724f53447f0c47c345ef4cb14c64d0d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 11:19:04 -0500 Subject: [PATCH 23/49] Use cisagov/action-job-preamble This aligns with the changes in cisagov/skeleton-generic#201. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 50 +++++++++++++++++---------- 1 file changed, 32 insertions(+), 18 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 595f058..152bac6 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -31,17 +31,23 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 
@@ -72,15 +78,23 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Checkout repository uses: actions/checkout@v4 From adea10cc6ecd71e2a71720e839510548b8c2a87b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 11:20:35 -0500 Subject: [PATCH 24/49] Add the CodeQL action to the Dependabot configuration Children of this skeleton repository will require this Dependabot ignore directive. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7aa2f06..899db5b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -16,6 +16,7 @@ updates: # - dependency-name: cisagov/action-job-preamble # - dependency-name: cisagov/setup-env-github-action # - dependency-name: crazy-max/ghaction-github-labeler + # - dependency-name: github/codeql-action # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate From 5dfe5dfd7d544deb9bc6934c70ba5269b1baf750 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Mar 2025 14:47:02 -0400 Subject: [PATCH 25/49] Use cisagov/action-job-preamble instead of separate actions Use cisagov/action-job-preamble instead of crazy-max/ghaction-github-status and crazy-max/ghaction-dump-context directly. --- .github/workflows/codeql-analysis.yml | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 152bac6..9329fdc 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -6,6 +6,8 @@ # or to provide custom queries or build logic. name: CodeQL +# The use of on here as a key is part of the GitHub actions syntax. +# yamllint disable-line rule:truthy on: merge_group: types: @@ -20,7 +22,7 @@ on: branches-ignore: - dependabot/** schedule: - - cron: '0 2 * * 6' + - cron: 0 2 * * 6 jobs: diagnostics: @@ -34,6 +36,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
@@ -48,12 +56,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 analyze: name: Analyze needs: @@ -81,6 +83,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From d740ee83c2eac243c3a53447316935766042b7cf Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 1 Mar 2025 23:52:48 -0500 Subject: [PATCH 26/49] Add a workflow to run actions/dependency-review-action This action reviews dependency changes for vulnerabilities and license changes. --- .github/workflows/dependency-review.yml | 67 +++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..90549f6 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
@@ -0,0 +1,67 @@ +--- +name: Dependency review + +on: + merge_group: + types: + - checks_requested + pull_request: + +# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace, +# nounset, errexit, and pipefail. The `-x` will print all commands as they are +# run. Please see the GitHub Actions documentation for more information: +# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs +defaults: + run: + shell: bash -Eueo pipefail -x {0} + +jobs: + diagnostics: + name: Run diagnostics + # This job does not need any permissions + permissions: {} + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v4 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 + dependency-review: + name: Dependency review + needs: + - diagnostics + permissions: + # actions/checkout needs this to fetch code + contents: read + runs-on: ubuntu-latest + steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: checkout-repo + name: Checkout the repository + uses: actions/checkout@v4 + - id: dependency-review + name: Review dependency changes for vulnerabilities and license changes + uses: actions/dependency-review-action@v4 
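Review bot: `actions/dependency-review-action@v4` is invoked with no `with:` block, so it runs on defaults, and as far as I know the license check the commit message promises is only performed when an `allow-licenses:` or `deny-licenses:` list is supplied; if license review is intended, add one of those inputs (e.g. `deny-licenses: <list-of-spdx-ids>`) and consider stating `fail-on-severity:` explicitly rather than relying on the default threshold. The workflow-level `shell: bash -Eueo pipefail -x {0}` is harmless today because there are no `run` steps, but `-x` echoes every expanded command line and GitHub masks only values registered as secrets, so a future `run` step that transforms a secret (decodes, concatenates) would print the derived value; the comment above `defaults:` could carry that caveat, e.g. `# Note that -x echoes expanded commands, so do not derive values from secrets in a run step here.`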
From a446dde01d1aaef7db62f6a7c49a8bc9f54a1460 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 10:52:34 -0500 Subject: [PATCH 27/49] Use cisagov/action-job-preamble This aligns with the changes in cisagov/skeleton-generic#201. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/dependency-review.yml | 50 ++++++++++++++++--------- 1 file changed, 32 insertions(+), 18 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 90549f6..848feb5 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -24,17 +24,23 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 
@@ -50,15 +56,23 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: checkout-repo name: Checkout the repository uses: actions/checkout@v4 From 494e11663dd2fad7b19f2861de772d55ee8410bc Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 11:00:43 -0500 Subject: [PATCH 28/49] Add the dependency review action to the Dependabot configuration Children of this skeleton repository will require this Dependabot ignore directive. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7aa2f06..6554d39 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,6 +11,7 @@ updates: # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache # - dependency-name: actions/checkout + # - dependency-name: actions/dependency-review-action # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python # - dependency-name: cisagov/action-job-preamble 
From 3679b7d004c0c16f09530e7ca38101d566b6ab2a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Mar 2025 15:06:36 -0400 Subject: [PATCH 29/49] Use cisagov/action-job-preamble instead of separate actions Use cisagov/action-job-preamble instead of crazy-max/ghaction-github-status and crazy-max/ghaction-dump-context directly. Also disable permissions monitoring since it is poorly implemented and has been causing a lot of problems due to hogging or leaking memory. --- .github/workflows/dependency-review.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 848feb5..1b05dff 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -1,7 +1,7 @@ --- name: Dependency review -on: +on: # yamllint disable-line rule:truthy merge_group: types: - checks_requested @@ -27,6 +27,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level @@ -41,12 +47,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 dependency-review: name: Dependency review needs: 
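Review bot: The inline `on: # yamllint disable-line rule:truthy` in the first hunk uses a different form from the one patch 25 introduced in codeql-analysis.yml, where the directive sits on its own line under an explanatory comment (`# The use of on here as a key is part of the GitHub actions syntax.`); since both files are skeleton templates that child repositories copy, pick one form and use it in every workflow. The explanatory form is the more useful of the two, because the bare directive gives a reader no reason why a truthy-looking key is acceptable here.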
@@ -59,6 +59,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From 028f652f68762a12dc7465c881ce221d3031e8c1 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Mar 2025 15:59:26 -0400 Subject: [PATCH 30/49] Do not disable GitHub permissions monitoring by default But do leave a commented-out line that can be uncommented to do so. The idea is that we should only comment out this functionality where we really must. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 14 ++++++++------ .github/workflows/codeql-analysis.yml | 14 ++++++++------ .github/workflows/dependency-review.yml | 14 ++++++++------ .github/workflows/sync-labels.yml | 14 ++++++++------ 4 files changed, 32 insertions(+), 24 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9ffe432..eeebb23 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -41,9 +41,10 @@ jobs: with: check_github_status: "true" # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
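Review bot: Commenting out `monitor_permissions: "false"` makes the effective setting depend on the preamble action's default, which this hunk does not show, so the monitoring the commit intends to keep on is enabled only implicitly and would change silently if that default ever changes. For a security control the value is better stated explicitly, `monitor_permissions: "true"`, with the existing comment kept to tell the reader when to flip it to `"false"`. The same pattern is repeated in the other `build.yml` hunk and in the three other workflow files touched by this patch.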
@@ -71,9 +72,10 @@ jobs: uses: cisagov/action-job-preamble@v1 with: # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 9329fdc..d1590e9 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -38,9 +38,10 @@ jobs: with: check_github_status: "true" # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -84,9 +85,10 @@ jobs: uses: cisagov/action-job-preamble@v1 with: # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 1b05dff..9901352 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -29,9 +29,10 @@ jobs: with: check_github_status: "true" # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -60,9 +61,10 @@ jobs: uses: cisagov/action-job-preamble@v1 with: # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 56859f2..07c0acf 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -25,9 +25,10 @@ jobs: with: check_github_status: "true" # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -57,9 +58,10 @@ jobs: uses: cisagov/action-job-preamble@v1 with: # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From 779ebd3ea88e22c2ec6c201fa79db6cee56fe380 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 28 Mar 2025 19:37:15 -0400 Subject: [PATCH 31/49] Remove redundant version file This skeleton already supported versioning. --- version.txt | 1 - 1 file changed, 1 deletion(-) delete mode 100644 version.txt diff --git a/version.txt b/version.txt deleted file mode 100644 index 871d40b..0000000 --- a/version.txt +++ /dev/null @@ -1 +0,0 @@ -0.0.1-rc.1 From a7c04351d14240983bee3cee2198c2b506b04127 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Fri, 28 Mar 2025 19:39:27 -0400 Subject: [PATCH 32/49] Remove old bump_version.sh file Also correct the version file in the new bump-version.sh. --- bump-version | 2 +- bump_version.sh | 53 ------------------------------------------------- 2 files changed, 1 insertion(+), 54 deletions(-) delete mode 100755 bump_version.sh diff --git a/bump-version b/bump-version index 15b4af1..3011d79 100755 --- a/bump-version +++ b/bump-version @@ -8,7 +8,7 @@ set -o errexit set -o pipefail # Stores the canonical version for the project. -VERSION_FILE=version.txt +VERSION_FILE=src/example/_version.py # Files that should be updated with the new version. VERSION_FILES=("$VERSION_FILE") diff --git a/bump_version.sh b/bump_version.sh deleted file mode 100755 index bd520bd..0000000 --- a/bump_version.sh +++ /dev/null 
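Review bot: Pointing `VERSION_FILE` at `src/example/_version.py` without changing how the version is read leaves `bump-version` treating the whole Python module as the version string, since the read line further down the file (`old_version=$(< "$VERSION_FILE")`, shown as the removed line in the patch 37 hunk later on this page) slurps the file verbatim; the `bump_version.sh` deleted here used a `sed -n "s/^__version__ = \"\(.*\)\"$/\1/p"` extraction for exactly this reason. The series corrects this in patch 37, but the intermediate commit leaves the script unusable, so the two changes would be better squashed or the extraction moved into this hunk. The read line and the rest of the script lie outside this hunk.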
@@ -1,53 +0,0 @@ -#!/usr/bin/env bash - -# bump_version.sh (show|major|minor|patch|prerelease|build) - -set -o nounset -set -o errexit -set -o pipefail - -VERSION_FILE=src/example/_version.py - -HELP_INFORMATION="bump_version.sh (show|major|minor|patch|prerelease|build|finalize)" - -old_version=$(sed -n "s/^__version__ = \"\(.*\)\"$/\1/p" $VERSION_FILE) -# Comment out periods so they are interpreted as periods and don't -# just match any character -old_version_regex=${old_version//\./\\\.} - -if [ $# -ne 1 ]; then - echo "$HELP_INFORMATION" -else - case $1 in - major | minor | patch | prerelease | build) - new_version=$(python -c "import semver; print(semver.bump_$1('$old_version'))") - echo Changing version from "$old_version" to "$new_version" - # A temp file is used to provide compatability with macOS development - # as a result of macOS using the BSD version of sed - tmp_file=/tmp/version.$$ - sed "s/$old_version_regex/$new_version/" $VERSION_FILE > $tmp_file - mv $tmp_file $VERSION_FILE - git add $VERSION_FILE - git commit -m"Bump version from $old_version to $new_version" - git push - ;; - finalize) - new_version=$(python -c "import semver; print(semver.finalize_version('$old_version'))") - echo Changing version from "$old_version" to "$new_version" - # A temp file is used to provide compatability with macOS development - # as a result of macOS using the BSD version of sed - tmp_file=/tmp/version.$$ - sed "s/$old_version_regex/$new_version/" $VERSION_FILE > $tmp_file - mv $tmp_file $VERSION_FILE - git add $VERSION_FILE - git commit -m"Finalize version from $old_version to $new_version" - git push - ;; - show) - echo "$old_version" - ;; - *) - echo "$HELP_INFORMATION" - ;; - esac -fi From 186c4956c70253197bd94500f78a2c3658714dd9 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Fri, 28 Mar 2025 19:58:12 -0400 Subject: [PATCH 33/49] Prefer double quotes to single quotes where possible --- .github/lineage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/lineage.yml b/.github/lineage.yml index 49f9c4f..46d3224 100644 --- a/.github/lineage.yml +++ b/.github/lineage.yml @@ -2,4 +2,4 @@ lineage: skeleton: remote-url: https://github.com/cisagov/skeleton-generic.git -version: '1' +version: "1" From 86ea40cc6204539db0a8a8cf329a2f7c7083f3be Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 28 Mar 2025 21:36:21 -0400 Subject: [PATCH 34/49] Use the cisagov/action-job-preamble action wherever possible --- .github/workflows/build.yml | 116 ++++++++++++++++++++++++++---------- 1 file changed, 84 insertions(+), 32 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c9b15ae..2beacc7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -210,15 +210,28 @@ jobs: - "3.12" - "3.13" steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v5 
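Review bot: Alongside the permissions monitor, this hunk drops the `step-security/harden-runner` step and its `egress-policy: audit` setting and replaces both with `cisagov/action-job-preamble@v1`; nothing in the hunk shows the preamble restoring egress auditing, so the job may have lost its outbound-network visibility. If the preamble does not wrap harden-runner, keep it as its own step immediately after the preamble, `- uses: step-security/harden-runner@v2` with `egress-policy: audit`; if it does, a one-line comment such as `# The preamble also applies step-security/harden-runner` would save the next reader the lookup. The same replacement is repeated in the three following hunks of this file.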
@@ -267,15 +280,28 @@ jobs: - diagnostics - test steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - id: setup-env uses: cisagov/setup-env-github-action@develop 
@@ -329,15 +355,28 @@ jobs: - "3.12" - "3.13" steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v5 
@@ -390,15 +429,28 @@ jobs: - "3.12" - "3.13" steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v5 From 9b8dd5863c6c9e0d004ba2a3d8a7375264d36ad0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 28 Mar 2025 21:39:05 -0400 Subject: [PATCH 35/49] Remove unnecessary quotes This gets rid of some errors from the yamllint pre-commit hook. --- .github/workflows/build.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2beacc7..802a32b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -239,17 +239,17 @@ jobs: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 env: - BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ - py${{ steps.setup-python.outputs.python-version }}-" + BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ + py${{ steps.setup-python.outputs.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} # We do not use '**/setup.py' in the cache key so only the 'setup.py' # file in the root of the repository is used. This is in case a Python # package were to have a 'setup.py' as part of its internal codebase. - key: "${{ env.BASE_CACHE_KEY }}\ + key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('setup.py') }}" + ${{ hashFiles('setup.py') }} restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Install dependencies @@ -263,7 +263,7 @@ jobs: - name: Upload coverage report run: coveralls env: - COVERALLS_FLAG_NAME: "py${{ matrix.python-version }}" + COVERALLS_FLAG_NAME: py${{ matrix.python-version }} COVERALLS_PARALLEL: true COVERALLS_SERVICE_NAME: github GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
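Review bot: Removing the double quotes changes what these multi-line scalars mean: inside `"…"` a trailing `\` escapes the newline so the two lines join with nothing between them, but in a plain scalar `\` is an ordinary character and the line fold inserts a space, so `BASE_CACHE_KEY` now expands to something like `<job>-<os>-\ py3.12-` and `key` gains a literal `\ ` before each `hashFiles` term. Caching will likely keep working because every key and `restore-keys` prefix is mangled the same way, but the keys are no longer the ones the author intended. Either write each value on a single line, or keep the quoted form and silence the linter per line with `# yamllint disable-line rule:quoted-strings`, assuming that is the rule that complained, which this page does not show. The same edit is repeated in the three later hunks of this file.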
@@ -311,17 +311,17 @@ jobs: python-version: ${{ steps.setup-env.outputs.python-version }} - uses: actions/cache@v4 env: - BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ - py${{ steps.setup-python.outputs.python-version }}-" + BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ + py${{ steps.setup-python.outputs.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} # We do not use '**/setup.py' in the cache key so only the 'setup.py' # file in the root of the repository is used. This is in case a Python # package were to have a 'setup.py' as part of its internal codebase. - key: "${{ env.BASE_CACHE_KEY }}\ + key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('setup.py') }}" + ${{ hashFiles('setup.py') }} restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Install dependencies @@ -384,16 +384,16 @@ jobs: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 env: - BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ - py${{ steps.setup-python.outputs.python-version }}-" + BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ + py${{ steps.setup-python.outputs.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} # We do not use '**/setup.py' in the cache key so only the 'setup.py' # file in the root of the repository is used. This is in case a Python # package were to have a 'setup.py' as part of its internal codebase. - key: "${{ env.BASE_CACHE_KEY }}\ + key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('setup.py') }}" + ${{ hashFiles('setup.py') }} restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Install build dependencies 
@@ -458,16 +458,16 @@ jobs: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 env: - BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ - py${{ steps.setup-python.outputs.python-version }}-" + BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ + py${{ steps.setup-python.outputs.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} # We do not use '**/setup.py' in the cache key so only the 'setup.py' # file in the root of the repository is used. This is in case a Python # package were to have a 'setup.py' as part of its internal codebase. - key: "${{ env.BASE_CACHE_KEY }}\ + key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('setup.py') }}" + ${{ hashFiles('setup.py') }} restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Retrieve the built wheel From 4e3fa5afc850c066f3d5b0afeaa989e92dd58014 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 28 Mar 2025 21:44:54 -0400 Subject: [PATCH 36/49] Use the same version of bandit everywhere --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a90bea2..8312ba0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -133,7 +133,7 @@ repos: - --config=.bandit.yml # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit - rev: 1.7.10 + rev: 1.8.3 hooks: - id: bandit name: bandit (everything else) From 3b9b37added94feab534dc3f5c4b01dac183bd24 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 1 Apr 2025 11:19:08 -0400 Subject: [PATCH 37/49] Correct code that extracts the version from the version file The version file is not a simple text file that only contains the version in this case. --- bump-version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bump-version b/bump-version index 3011d79..4fc1452 100755 --- a/bump-version +++ b/bump-version 
@@ -29,7 +29,7 @@ Options: END_OF_LINE ) -old_version=$(< "$VERSION_FILE") +old_version=$(sed -n "s/^__version__ = \"\(.*\)\"$/\1/p" $VERSION_FILE) # Comment out periods so they are interpreted as periods and don't # just match any character old_version_regex=${old_version//\./\\\.} From 65f9c3012bed807253f1c91aa9ee79234cdd517a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 8 Apr 2025 11:39:47 -0400 Subject: [PATCH 38/49] Disable GH permissions monitoring everywhere This functionality (https://github.com/GitHubSecurityLab/actions-permissions/tree/main/monitor) is poorly implemented and has been causing problems due to the MITM implementation hogging or leaking memory. This functionality should be re-enabled when practical. See cisagov/skeleton-generic#207 for more details. --- .github/workflows/build.yml | 20 ++++++++++++++------ .github/workflows/codeql-analysis.yml | 20 ++++++++++++++------ .github/workflows/dependency-review.yml | 20 ++++++++++++++------ .github/workflows/sync-labels.yml | 20 ++++++++++++++------ 4 files changed, 56 insertions(+), 24 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index eeebb23..130ec8c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -42,9 +42,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
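Review bot: The new extraction can silently yield an empty `old_version`: `sed -n … p` prints nothing if `_version.py` uses single quotes, different spacing, or another assignment form, and `set -o nounset` does not catch an empty (as opposed to unset) variable, so the substitution later in the script would run with an empty `old_version_regex`. Add a guard directly after it, `[[ -n "$old_version" ]] || { echo "Unable to read version from $VERSION_FILE" >&2; exit 1; }`, and quote the path as `"$VERSION_FILE"` for consistency with the removed line. Where `old_version_regex` is consumed lies outside this hunk.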
@@ -73,9 +77,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d1590e9..382999a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,9 +39,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
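Review bot: With `monitor_permissions: "false"` the job loses the only runtime check that its GITHUB_TOKEN grants are the minimum it actually uses, and nothing in the hunk points the reader at the compensating control; presumably the job-level `permissions:` block, which is outside this hunk, is now the sole least-privilege boundary. Suggest extending the comment above the setting with `# While monitoring is off, this job's permissions: block is the only least-privilege control; keep it minimal.` so that reviewers of later changes to the block know why it matters. The same wording is repeated in every other hunk of this patch.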
@@ -86,9 +90,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 9901352..52a3ee9 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -30,9 +30,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
@@ -62,9 +66,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 07c0acf..04503e2 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -26,9 +26,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
@@ -59,9 +63,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From 2cfc534f2a4cb11d5bd310f6cfe5832565399885 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 8 Apr 2025 12:57:31 -0400 Subject: [PATCH 39/49] Fix typo that was copied and pasted all over the show Co-authored-by: David Harris <123905168+dv4harr10@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 4 ++-- .github/workflows/dependency-review.yml | 2 +- .github/workflows/sync-labels.yml | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 130ec8c..7fe4f16 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,7 +46,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" 
@@ -81,7 +81,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 382999a..dd59d04 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -43,7 +43,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 output_workflow_context: "true"
@@ -94,7 +94,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 52a3ee9..f98c687 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -70,7 +70,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 04503e2..fa6f772 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -30,7 +30,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 output_workflow_context: "true"
@@ -67,7 +67,7 @@ jobs:
 # you want to temporarily enable it, simply set
 # monitor_permissions equal to "true".
 #
- # TODO: Re-anable this functionality when practical. See
+ # TODO: Re-enable this functionality when practical. See
 # cisagov/skeleton-generic#207 for more details.
 monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
From ac2813c3ee5fa87f680cbab6c0e365d45f9c292b Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 8 Apr 2025 15:23:07 -0400
Subject: [PATCH 40/49] Disable GH permissions monitoring in build.yml workflow
This functionality is poorly implemented and has been causing problems due to the MITM implementation hogging or leaking memory.
---
 .github/workflows/build.yml | 40 ++++++++++++++++++++++++++-----------
 1 file changed, 28 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 107270c..eae23ec 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -223,9 +223,13 @@ jobs:
 with:
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-enable this functionality when practical. See
+ # cisagov/skeleton-python-library#149 for more details.
+ monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
@@ -293,9 +297,13 @@ jobs:
 with:
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-enable this functionality when practical. See
+ # cisagov/skeleton-python-library#149 for more details.
+ monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
@@ -368,9 +376,13 @@ jobs:
 with:
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-enable this functionality when practical. See
+ # cisagov/skeleton-python-library#149 for more details.
+ monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
@@ -442,9 +454,13 @@ jobs:
 with:
 # This functionality is poorly implemented and has been
 # causing problems due to the MITM implementation hogging or
- # leaking memory. If this happens to you just uncomment
- # this line.
- # monitor_permissions: "false"
+ # leaking memory. As a result we disable it by default. If
+ # you want to temporarily enable it, simply set
+ # monitor_permissions equal to "true".
+ #
+ # TODO: Re-enable this functionality when practical. See
+ # cisagov/skeleton-python-library#149 for more details.
+ monitor_permissions: "false"
 # Use a variable to specify the permissions monitoring
 # configuration. By default this will yield the
 # configuration stored in the cisagov organization-level
From e0bf15782d8220a1886693bef704489df1df17cb Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Wed, 9 Apr 2025 09:48:38 -0400
Subject: [PATCH 41/49] Fix typo
---
 .github/workflows/dependency-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index f98c687..ee87e04 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -34,7 +34,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" From 9c6e2636811dd5c592cafe3c86392643b1a57f82 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 14 May 2025 15:20:27 -0400 Subject: [PATCH 42/49] Remove now-duplicated GH action dependency Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 10d9c81..d4822fe 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -24,7 +24,6 @@ updates: # # Managed by cisagov/skeleton-python-library # - dependency-name: actions/download-artifact # - dependency-name: actions/upload-artifact - # - dependency-name: github/codeql-action package-ecosystem: github-actions schedule: interval: weekly From b1f760e45dd783f02ea50d4004e8cdc8a537edf6 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 19 May 2025 15:30:16 -0400 Subject: [PATCH 43/49] Prefer importlib to pkg_resources The latter is deprecated and is not included in the most recent version of types-setuptools. This leads to an error from the mypy pre-commit hook. --- src/example/example.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/example/example.py b/src/example/example.py index 54e8cc1..7df5bac 100644 --- a/src/example/example.py +++ b/src/example/example.py @@ -20,6 +20,7 @@ """ # Standard Python Libraries +from importlib.resources import files import logging import os import sys @@ -27,7 +28,6 @@ # Third-Party Libraries import docopt -import pkg_resources # There are no type stubs for the schema library, so mypy requires the type: # ignore hint. 
@@ -96,9 +96,7 @@ def main() -> None:
 # Access some data from our package data (see the setup.py)
 secret_message: str = (
- pkg_resources.resource_string("example", "data/secret.txt")
- .decode("utf-8")
- .strip()
+ files(f"{__package__}.data").joinpath("secret.txt").read_text().strip()
 )
 logging.info('Secret="%s"', secret_message)
From 2b8de19f2710983d46b0c758f415e966e94ef3b5 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 20 May 2025 10:44:41 -0400
Subject: [PATCH 44/49] Add an __init__.py to the data subpackage
This is necessary for the secret_message line using importlib to correctly work with Python 3.9. See here for more details: https://setuptools.pypa.io/en/latest/userguide/datafiles.html?utm_source=chatgpt.com#namespace-support
Co-authored-by: felddy
---
 src/example/data/__init__.py | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 src/example/data/__init__.py
diff --git a/src/example/data/__init__.py b/src/example/data/__init__.py
new file mode 100644
index 0000000..7f11534
--- /dev/null
+++ b/src/example/data/__init__.py
@@ -0,0 +1,5 @@
+"""The example.data package."""
+
+# This is necessary for the secret_message line using importlib to correctly
+# work with Python 3.9. See here for more details:
+# https://setuptools.pypa.io/en/latest/userguide/datafiles.html?utm_source=chatgpt.com#namespace-support
From b65198e6ae69dba0071a086233cfef48e307fbbe Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 26 Mar 2025 09:56:13 -0400
Subject: [PATCH 45/49] Use the coveralls/github-action action
Instead of installing coveralls and running it we will use the Coveralls GitHub action to upload test coverage reports.
---
 .github/workflows/build.yml | 41 +++++++------------------------------
 1 file changed, 7 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index eae23ec..ecf0742 100644
--- a/.github/workflows/build.yml
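Review bot: The new `read_text()` call on the added line specifies no encoding, whereas the removed code decoded the resource explicitly as UTF-8; when the package lives on the file system, `files()` yields a `pathlib.Path`, so the text is read with the locale encoding and may differ on a non-UTF-8 system. Keep the old contract by passing it explicitly: `files(f"{__package__}.data").joinpath("secret.txt").read_text(encoding="utf-8").strip()`. `__package__` is also empty when the module is executed directly as a script, which would turn the package name into an invalid resource path; if that entry point matters, the removed `pkg_resources` call's literal package name was the safer choice. The enclosing `main()` starts and ends outside the hunk.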
+++ b/.github/workflows/build.yml @@ -273,12 +273,10 @@ jobs: RELEASE_TAG: ${{ github.event.release.tag_name }} run: pytest - name: Upload coverage report - run: coveralls - env: - COVERALLS_FLAG_NAME: py${{ matrix.python-version }} - COVERALLS_PARALLEL: true - COVERALLS_SERVICE_NAME: github - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + uses: coverallsapp/github-action@v2 + with: + flag-name: "py${{ matrix.python-version }}" + parallel: true if: success() - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 @@ -319,35 +317,10 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - - id: setup-env - uses: cisagov/setup-env-github-action@develop - - id: setup-python - uses: actions/setup-python@v5 - with: - python-version: ${{ steps.setup-env.outputs.python-version }} - - uses: actions/cache@v4 - env: - BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ - py${{ steps.setup-python.outputs.python-version }}- - with: - path: ${{ env.PIP_CACHE_DIR }} - # We do not use '**/setup.py' in the cache key so only the 'setup.py' - # file in the root of the repository is used. This is in case a Python - # package were to have a 'setup.py' as part of its internal codebase. - key: ${{ env.BASE_CACHE_KEY }}\ - ${{ hashFiles('**/requirements-test.txt') }}-\ - ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('setup.py') }} - restore-keys: | - ${{ env.BASE_CACHE_KEY }} - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install --upgrade --requirement requirements-test.txt - name: Finished coveralls reports - run: coveralls --finish - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + uses: coverallsapp/github-action@v2 + with: + parallel-finished: true - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE From 02995095f02aed5a15a4673ae42beda2db450259 Mon Sep 17 00:00:00 2001 
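Review bot: Both new `uses: coverallsapp/github-action@v2` lines reference a mutable major-version tag, so the code that receives the coverage data and the job's token is whatever the tag resolves to at run time; pinning to a full commit SHA with the version in a trailing comment, `uses: coverallsapp/github-action@<commit-sha> # v2`, would fix the supply chain, though the neighbouring steps (`actions/checkout@v4`, `mxschmitt/action-tmate@v3`) follow the same tag convention, so this is probably a repository-wide decision. The removed steps passed `GITHUB_TOKEN` explicitly while the replacement relies on the action's default token input, so it is worth confirming that any `permissions:` block on these jobs grants no more than the action needs.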
From: Jeremy Frasier
Date: Tue, 20 May 2025 13:02:57 -0400
Subject: [PATCH 46/49] Remove unnecessary quotes around YAML string
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ecf0742..f8c4c62 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -275,7 +275,7 @@ jobs:
 - name: Upload coverage report
 uses: coverallsapp/github-action@v2
 with:
- flag-name: "py${{ matrix.python-version }}"
+ flag-name: py${{ matrix.python-version }}
 parallel: true
 if: success()
 - name: Setup tmate debug session
From ae1a8e1e6c6ba02beee4050d0f18b67743d62202 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 22 May 2025 15:03:34 -0400
Subject: [PATCH 47/49] Remove unnecessary upstream file
---
 src/example/data/__init__.py | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 src/example/data/__init__.py
diff --git a/src/example/data/__init__.py b/src/example/data/__init__.py
deleted file mode 100644
index 7f11534..0000000
--- a/src/example/data/__init__.py
+++ /dev/null
@@ -1,5 +0,0 @@
-"""The example.data package."""
-
-# This is necessary for the secret_message line using importlib to correctly
-# work with Python 3.9. See here for more details:
-# https://setuptools.pypa.io/en/latest/userguide/datafiles.html?utm_source=chatgpt.com#namespace-support
From 0f29d1ead965fbd1e578f446090fddab7d8522c4 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 22 May 2025 15:04:27 -0400
Subject: [PATCH 48/49] Correct location of version file
---
 bump-version | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bump-version b/bump-version
index 4fc1452..64cad44 100755
--- a/bump-version
+++ b/bump-version
@@ -8,7 +8,7 @@ set -o errexit
 set -o pipefail
 # Stores the canonical version for the project.
-VERSION_FILE=src/example/_version.py
+VERSION_FILE=src/apb_dashboard/_version.py
 # Files that should be updated with the new version.
 VERSION_FILES=("$VERSION_FILE")
From dd998c06caafc25d29f182440ecdb473ec4fafb7 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 22 May 2025 15:05:51 -0400
Subject: [PATCH 49/49] Remove unnecessary quotes around YAML strings
---
 action.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/action.yml b/action.yml
index 71344e7..5fe9316 100644
--- a/action.yml
+++ b/action.yml
@@ -1,24 +1,24 @@
 ---
-author: "Cyber and Infrastructure Security Agency"
+author: Cyber and Infrastructure Security Agency
 branding:
- icon: "list"
- color: "purple"
-description: "Render the json output of apb into markdown."
-name: "All Projects Builder Dashboard"
+ icon: list
+ color: purple
+description: Render the json output of apb into markdown.
+name: All Projects Builder Dashboard
 inputs:
 read-filename:
- description: "The input file to read the apb json."
+ description: The input file to read the apb json.
 required: false
- default: "apb.json"
+ default: apb.json
 write-filename:
- description: "The output file in which to write dashboard markdown."
+ description: The output file in which to write dashboard markdown.
 required: false
- default: "apb.md"
+ default: apb.md
 template_filename:
- description: "The template to render."
+ description: The template to render.
 required: false
 runs:
- using: "docker"
- image: "Dockerfile"
+ using: docker
+ image: Dockerfile
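Review bot: In the action.yml hunk the input key `template_filename:` is snake_case while its siblings `read-filename:` and `write-filename:` are kebab-case; this is pre-existing context rather than part of this change, but one naming convention for the three inputs would be clearer, bearing in mind that renaming a published input is a breaking change for callers and would need a deprecation path. The unquoting itself is safe: none of the new plain scalars (`list`, `purple`, `apb.json`, `apb.md`, `docker`, `Dockerfile`, the sentences) look like booleans, numbers, nulls or timestamps, and none contain `: ` or ` #`.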