cisagov · cisagovbot · Dec 6, 2024 · Dec 6, 2024 · Dec 6, 2024 · Dec 6, 2024
@@ -3,8 +3,22 @@
 # These owners will be the default owners for everything in the
 # repo. Unless a later match takes precedence, these owners will be
 # requested for review when someone opens a pull request.
-* @dav3r @jasonodoom @jsf9k @mcdonnnj
+* @dav3r @jsf9k @mcdonnnj
 
 # These folks own any files in the .github directory at the root of
 # the repository and any of its subdirectories.
-/.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
+/.github/ @dav3r @felddy @jsf9k @mcdonnnj
+
+# These folks own all linting configuration files.
+/.ansible-lint @dav3r @felddy @jsf9k @mcdonnnj
+/.bandit.yml @dav3r @felddy @jsf9k @mcdonnnj
+/.flake8 @dav3r @felddy @jsf9k @mcdonnnj
+/.isort.cfg @dav3r @felddy @jsf9k @mcdonnnj
+/.mdl_config.yaml @dav3r @felddy @jsf9k @mcdonnnj
+/.pre-commit-config.yaml @dav3r @felddy @jsf9k @mcdonnnj
+/.prettierignore @dav3r @felddy @jsf9k @mcdonnnj
+/.yamllint @dav3r @felddy @jsf9k @mcdonnnj
+/requirements.txt @dav3r @felddy @jsf9k @mcdonnnj
+/requirements-dev.txt @dav3r @felddy @jsf9k @mcdonnnj
+/requirements-test.txt @dav3r @felddy @jsf9k @mcdonnnj
+/setup-env @dav3r @felddy @jsf9k @mcdonnnj
@@ -11,28 +11,43 @@ updates:
     schedule:
       interval: weekly
 
+  - directory: /
+    package-ecosystem: docker-compose
+    schedule:
+      interval: weekly
+
   - directory: /
     ignore:
       # Managed by cisagov/skeleton-generic
       - dependency-name: actions/cache
       - dependency-name: actions/checkout
+      - dependency-name: actions/dependency-review-action
+      - dependency-name: actions/labeler
       - dependency-name: actions/setup-go
       - dependency-name: actions/setup-python
-      - dependency-name: crazy-max/ghaction-dump-context
+      - dependency-name: cisagov/action-job-preamble
+      - dependency-name: cisagov/setup-env-github-action
       - dependency-name: crazy-max/ghaction-github-labeler
-      - dependency-name: crazy-max/ghaction-github-status
+      - dependency-name: github/codeql-action
+      - dependency-name: hashicorp/setup-packer
       - dependency-name: hashicorp/setup-terraform
       - dependency-name: mxschmitt/action-tmate
-      - dependency-name: step-security/harden-runner
       # Managed by cisagov/skeleton-docker
       - dependency-name: actions/download-artifact
-      - dependency-name: actions/github-script
       - dependency-name: actions/upload-artifact
+      - dependency-name: aquasecurity/trivy-action
       - dependency-name: docker/build-push-action
       - dependency-name: docker/login-action
+      - dependency-name: docker/metadata-action
       - dependency-name: docker/setup-buildx-action
       - dependency-name: docker/setup-qemu-action
-      - dependency-name: github/codeql-action
+      - dependency-name: peter-evans/dockerhub-description
+    labels:
+      # dependabot default we need to replicate
+      - dependencies
+      # This matches our label definition in .github/labels.yml as opposed to
+      # dependabot's default of `github_actions`.
+      - github-actions
     package-ecosystem: github-actions
     schedule:
       interval: weekly

@@ -0,0 +1,76 @@
+---
+# Each entry in this file is a label that will be applied to pull requests
+# if there is a match based on the matching rules for the entry. Please see
+# the actions/labeler documentation for more information:
+# https://github.com/actions/labeler#match-object
+#
+# Note: Verify that the label you want to use is defined in the
+# crazy-max/ghaction-github-labeler configuration file located at
+# .github/labels.yml.
+
+ansible:
+  - changed-files:
+      - any-glob-to-any-file:
+          - "**/ansible/**"
+dependencies:
+  - changed-files:
+      - any-glob-to-any-file:
+          # Add any dependency files used.
+          - .pre-commit-config.yaml
+          - requirements*.txt
+docker:
+  - changed-files:
+      - any-glob-to-any-file:
+          - "**/compose*.yml"
+          - "**/docker-compose*.yml"
+          - "**/Dockerfile*"
+documentation:
+  - changed-files:
+      - any-glob-to-any-file:
+          - "**/*.md"
+github-actions:
+  - changed-files:
+      - any-glob-to-any-file:
+          - .github/workflows/**
+javascript:
+  - changed-files:
+      - any-glob-to-any-file:
+          - "**/*.js"
+packer:
+  - changed-files:
+      - any-glob-to-any-file:
+          - "**/*.pkr.hcl"
+python:
+  - changed-files:
+      - any-glob-to-any-file:
+          - "**/*.py"
+terraform:
+  - changed-files:
+      - any-glob-to-any-file:
+          - "**/*.tf"
+test:
+  - changed-files:
+      - any-glob-to-any-file:
+          # Add any test-related files or paths.
+          - .ansible-lint
+          - .bandit.yml
+          - .flake8
+          - .isort.cfg
+          - .mdl_config.yaml
+          - .yamllint
+          - compose.yml
+          - pytest.ini
+          - tests/**
+typescript:
+  - changed-files:
+      - any-glob-to-any-file:
+          - "**/*.ts"
+upstream update:
+  - head-branch:
+      # Any Lineage pull requests should use this branch.
+      - lineage/skeleton
+version bump:
+  - changed-files:
+      - any-glob-to-any-file:
+          # Ensure this matches your version tracking file(s).
+          - src/version.txt
@@ -2,75 +2,90 @@
 # Rather than breaking up descriptions into multiline strings we disable that
 # specific rule in yamllint for this file.
 # yamllint disable rule:line-length
-- color: "eb6420"
+- color: f15a53
+  description: Pull requests that update Ansible code
+  name: ansible
+- color: eb6420
   description: This issue or pull request is awaiting the outcome of another issue or pull request
   name: blocked
 - color: "000000"
   description: This issue or pull request involves changes to existing functionality
   name: breaking change
-- color: "d73a4a"
+- color: d73a4a
   description: This issue or pull request addresses broken functionality
   name: bug
-- color: "07648d"
+- color: 07648d
   description: This issue will be advertised on code.gov's Open Tasks page (https://code.gov/open-tasks)
   name: code.gov
-- color: "0366d6"
+- color: 0366d6
   description: Pull requests that update a dependency file
   name: dependencies
-- color: "2497ed"
+- color: 2497ed
   description: Pull requests that update Docker code
   name: docker
-- color: "5319e7"
+- color: 5319e7
   description: This issue or pull request improves or adds to documentation
   name: documentation
-- color: "cfd3d7"
+- color: cfd3d7
   description: This issue or pull request already exists or is covered in another issue or pull request
   name: duplicate
-- color: "b005bc"
+- color: b005bc
   description: A high-level objective issue encompassing multiple issues instead of a specific unit of work
   name: epic
 - color: "000000"
   description: Pull requests that update GitHub Actions code
   name: github-actions
-- color: "0e8a16"
+- color: 0e8a16
   description: This issue or pull request is well-defined and good for newcomers
   name: good first issue
-- color: "ff7518"
+- color: ff7518
   description: Pull request that should count toward Hacktoberfest participation
   name: hacktoberfest-accepted
-- color: "a2eeef"
+- color: a2eeef
   description: This issue or pull request will add or improve functionality, maintainability, or ease of use
   name: improvement
-- color: "fef2c0"
+- color: fef2c0
   description: This issue or pull request is not applicable, incorrect, or obsolete
   name: invalid
-- color: "ce099a"
+- color: f1d642
+  description: Pull requests that update JavaScript code
+  name: javascript
+- color: ce099a
   description: This pull request is ready to merge during the next Lineage Kraken release
   name: kraken 🐙
-- color: "a4fc5d"
+- color: a4fc5d
   description: This issue or pull request requires further information
   name: need info
-- color: "fcdb45"
+- color: fcdb45
   description: This pull request is awaiting an action or decision to move forward
   name: on hold
-- color: "3772a4"
+- color: 02a8ef
+  description: Pull requests that update Packer code
+  name: packer
+- color: 3772a4
   description: Pull requests that update Python code
   name: python
-- color: "ef476c"
+- color: ef476c
   description: This issue is a request for information or needs discussion
   name: question
-- color: "d73a4a"
+- color: d73a4a
   description: This issue or pull request addresses a security issue
   name: security
-- color: "00008b"
+- color: 7b42bc
+  description: Pull requests that update Terraform code
+  name: terraform
+- color: 00008b
   description: This issue or pull request adds or otherwise modifies test code
   name: test
-- color: "1d76db"
+- color: 2b6ebf
+  description: Pull requests that update TypeScript code
+  name: typescript
+- color: 1d76db
   description: This issue or pull request pulls in upstream updates
   name: upstream update
-- color: "d4c5f9"
+- color: d4c5f9
   description: This issue or pull request increments the version number
   name: version bump
-- color: "ffffff"
+- color: ffffff
   description: This issue will not be incorporated
   name: wontfix
@@ -2,4 +2,4 @@
 lineage:
   skeleton:
     remote-url: https://github.com/cisagov/skeleton-docker.git
-version: '1'
+version: "1"
@@ -0,0 +1,81 @@
+---
+name: Provide repository metadata
+
+on:  # yamllint disable-line rule:truthy
+  workflow_call:
+    outputs:
+      image-name:
+        description: The name of the Docker image.
+        value: ${{ jobs.output-repo-metadata.outputs.image-name }}
+      image-platforms:
+        description: The supported platforms for the Docker image.
+        value: ${{ jobs.output-repo-metadata.outputs.image-platforms }}
+
+jobs:
+  output-repo-metadata:
+    name: Generate outputs for repository metadata
+    outputs:
+      image-name: ${{ steps.set-outputs.outputs.image-name }}
+      image-platforms: ${{ steps.set-outputs.outputs.image-platforms }}
+    permissions: {}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set outputs for repository metadata
+        id: set-outputs
+        run: |
+          # Standard Python Libraries
+          import json
+          import os
+          import sys
+          from typing import Any, TypedDict
+
+
+          class GhaOutput(TypedDict):
+
+              description: str
+              name: str
+              value: Any
+
+
+          # Every output in this list must be configured as an output for the workflow.
+          gha_outputs: list[GhaOutput] = [
+              {
+                  "description": "The name of the Docker image.",
+                  "name": "image-name",
+                  "value": "cisagov/pshtt_reporter",
+              },
+              {
+                  "description": "The supported platforms for the Docker image.",
+                  "name": "image-platforms",
+                  "value": [
+                      # The GitHub runners take forever when building
+                      # wheels for all these platforms, so we comment
+                      # out the less common ones: 386, arm/v6, arm/v7,
+                      # ppc64le, and s390x.
+                      # "linux/386",
+                      "linux/amd64",
+                      # "linux/arm/v6",
+                      # "linux/arm/v7",
+                      "linux/arm64",
+                      # "linux/ppc64le",
+                      # The base Docker image does not support the
+                      # riscv64 hardware platform.
+                      # "linux/riscv64",
+                      # "linux/s390x",
+                  ],
+              },
+          ]
+
+          if os.getenv("GITHUB_OUTPUT") is None:
+              print(
+                  "GITHUB_OUTPUT is not set. "
+                  "This script is intended to be run in a GitHub Actions environment."
+              )
+              sys.exit(1)
+
+          with open(os.environ["GITHUB_OUTPUT"], "a") as gh_output:
+              for output in gha_outputs:
+                  if any(isinstance(output["value"], t) for t in [list, dict]):
+                      output["value"] = json.dumps(output["value"])
+                  gh_output.write(f"{output['name']}={output['value']}\n")
+        shell: python3 {0}