diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c1a3da6..d936eef 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,6 +12,7 @@ updates: - dependency-name: actions/cache - dependency-name: actions/checkout - dependency-name: actions/dependency-review-action + - dependency-name: actions/labeler - dependency-name: actions/setup-go - dependency-name: actions/setup-python - dependency-name: cisagov/action-job-preamble @@ -21,9 +22,21 @@ updates: - dependency-name: hashicorp/setup-packer - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate +<<<<<<< HEAD # Managed by cisagov/skeleton-python-library - dependency-name: actions/download-artifact - dependency-name: actions/upload-artifact +======= + # # Managed by cisagov/skeleton-python-library + # - dependency-name: actions/download-artifact + # - dependency-name: actions/upload-artifact + labels: + # dependabot default we need to replicate + - dependencies + # This matches our label definition in .github/labels.yml as opposed to + # dependabot's default of `github_actions`. + - github-actions +>>>>>>> cf0d937626ca5213720b7dd074735bc960d174b0 package-ecosystem: github-actions schedule: interval: weekly diff --git a/.github/labeler.yml b/.github/labeler.yml new file mode 100644 index 0000000..cc5c3be --- /dev/null +++ b/.github/labeler.yml 
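Review bot: The second hunk of .github/dependabot.yml commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> cf0d937626ca5213720b7dd074735bc960d174b0`) inside the `github-actions` update block, which will stop the file parsing and silently disable Dependabot for that ecosystem; the README.md hunk later in this diff carries the same markers around the badge block and needs the same cleanup. The two sides also differ in substance, not just markers: HEAD keeps `actions/download-artifact` and `actions/upload-artifact` in the ignore list, while the incoming side comments them out and adds the `labels` mapping that the new labeler.yml/labels.yml entries depend on. If this repository is downstream of cisagov/skeleton-python-library (the trustymail badges on the HEAD side of README.md suggest it is), keeping both ignore entries and appending the `labels` block is the resolution that matches the "Managed by" comment; confirm which side the upstream intends before dropping either.
```yaml
      - dependency-name: mxschmitt/action-tmate
      # Managed by cisagov/skeleton-python-library
      - dependency-name: actions/download-artifact
      - dependency-name: actions/upload-artifact
    labels:
      # dependabot default we need to replicate
      - dependencies
      # This matches our label definition in .github/labels.yml as opposed to
      # dependabot's default of `github_actions`.
      - github-actions
    package-ecosystem: github-actions
    # … unchanged: schedule …
```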
@@ -0,0 +1,76 @@ +--- +# Each entry in this file is a label that will be applied to pull requests +# if there is a match based on the matching rules for the entry. Please see +# the actions/labeler documentation for more information: +# https://github.com/actions/labeler#match-object +# +# Note: Verify that the label you want to use is defined in the +# crazy-max/ghaction-github-labeler configuration file located at +# .github/labels.yml. + +ansible: + - changed-files: + - any-glob-to-any-file: + - "**/ansible/**" +dependencies: + - changed-files: + - any-glob-to-any-file: + # Add any dependency files used. + - .pre-commit-config.yaml + - requirements*.txt + - setup.py +docker: + - changed-files: + - any-glob-to-any-file: + - "**/compose*.yml" + - "**/docker-compose*.yml" + - "**/Dockerfile*" +documentation: + - changed-files: + - any-glob-to-any-file: + - "**/*.md" +github-actions: + - changed-files: + - any-glob-to-any-file: + - .github/workflows/** +javascript: + - changed-files: + - any-glob-to-any-file: + - "**/*.js" +packer: + - changed-files: + - any-glob-to-any-file: + - "**/*.pkr.hcl" +python: + - changed-files: + - any-glob-to-any-file: + - "**/*.py" +terraform: + - changed-files: + - any-glob-to-any-file: + - "**/*.tf" +test: + - changed-files: + - any-glob-to-any-file: + # Add any test-related files or paths. + - .ansible-lint + - .bandit.yml + - .flake8 + - .isort.cfg + - .mdl_config.yaml + - .yamllint + - pytest.ini + - tests/**/*.py +typescript: + - changed-files: + - any-glob-to-any-file: + - "**/*.ts" +upstream update: + - head-branch: + # Any Lineage pull requests should use this branch. + - lineage/skeleton +version bump: + - changed-files: + - any-glob-to-any-file: + # Ensure this matches your version tracking file(s). + - src/**/_version.py diff --git a/.github/labels.yml b/.github/labels.yml index d2142ac..650ed7c 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
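Review bot: The `github-actions` rule matches only `.github/workflows/**`, so pull requests that touch `.github/dependabot.yml`, `.github/labeler.yml` or `.github/labels.yml` — every one of which this commit changes — receive no label from this rule, and no other rule covers them either. If the intent is for any change under `.github/` to carry the label, widening the glob to `- .github/**` does it; if the narrower scope is deliberate, a one-line comment such as `# Only workflow definitions; other .github files are unlabeled on purpose.` above the glob would save the next maintainer the question. The `dependencies` rule is likewise limited to `.pre-commit-config.yaml`, `requirements*.txt` and `setup.py`, so it will not fire for the workflow-version bumps that Dependabot itself labels `dependencies` via the new dependabot.yml `labels` block — presumably acceptable, but worth a comment.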
@@ -2,6 +2,9 @@ # Rather than breaking up descriptions into multiline strings we disable that # specific rule in yamllint for this file. # yamllint disable rule:line-length +- color: f15a53 + description: Pull requests that update Ansible code + name: ansible - color: eb6420 description: This issue or pull request is awaiting the outcome of another issue or pull request name: blocked @@ -17,6 +20,9 @@ - color: 0366d6 description: Pull requests that update a dependency file name: dependencies +- color: 2497ed + description: Pull requests that update Docker code + name: docker - color: 5319e7 description: This issue or pull request improves or adds to documentation name: documentation @@ -41,6 +47,9 @@ - color: fef2c0 description: This issue or pull request is not applicable, incorrect, or obsolete name: invalid +- color: f1d642 + description: Pull requests that update JavaScript code + name: javascript - color: ce099a description: This pull request is ready to merge during the next Lineage Kraken release name: kraken 🐙 @@ -50,6 +59,9 @@ - color: fcdb45 description: This pull request is awaiting an action or decision to move forward name: on hold +- color: 02a8ef + description: Pull requests that update Packer code + name: packer - color: 3772a4 description: Pull requests that update Python code name: python @@ -59,9 +71,15 @@ - color: d73a4a description: This issue or pull request addresses a security issue name: security +- color: 7b42bc + description: Pull requests that update Terraform code + name: terraform - color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test +- color: 2b6ebf + description: Pull requests that update TypeScript code + name: typescript - color: 1d76db description: This issue or pull request pulls in upstream updates name: upstream update diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c1097a1..0970689 100644 --- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml @@ -99,16 +99,16 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env - uses: cisagov/setup-env-github-action@develop - - uses: actions/checkout@v4 + uses: cisagov/setup-env-github-action@v1 + - uses: actions/checkout@v5 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ steps.setup-env.outputs.python-version }} # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: # There is no expectation for actual Go code so we disable caching as # it relies on the existence of a go.sum file. @@ -255,9 +255,9 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 @@ -287,7 +287,7 @@ jobs: - name: Upload coverage report uses: coverallsapp/github-action@v2 with: - flag-name: py${{ matrix.python-version }} + flag-name: py${{ matrix.python-version }} - ${{ matrix.platform }} parallel: true if: success() - name: Setup tmate debug session @@ -328,7 +328,7 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Finished coveralls reports uses: coverallsapp/github-action@v2 with: 
@@ -388,9 +388,9 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 @@ -477,9 +477,9 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 @@ -498,7 +498,7 @@ jobs: restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Retrieve the built wheel - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v5 with: name: dist-${{ matrix.python-version }} path: dist diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2c5845b..79b3045 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -114,7 +114,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index ee87e04..bc859d1 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -89,7 +89,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: checkout-repo name: Checkout the repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - id: dependency-review name: Review dependency changes for vulnerabilities and license changes uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml new file mode 100644 index 0000000..9d78e39 --- /dev/null +++ b/.github/workflows/label-prs.yml 
@@ -0,0 +1,93 @@ +--- +name: Label pull requests + +on: # yamllint disable-line rule:truthy + pull_request: + types: + - edited + - opened + - synchronize + +# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace, +# nounset, errexit, and pipefail. The `-x` will print all commands as they are +# run. Please see the GitHub Actions documentation for more information: +# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs +defaults: + run: + shell: bash -Eueo pipefail -x {0} + +jobs: + diagnostics: + name: Run diagnostics + # This job does not need any permissions + permissions: {} + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 + with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + output_workflow_context: "true" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. 
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + label: + needs: + - diagnostics + permissions: + # Permissions required by actions/labeler + contents: read + issues: write + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 + with: + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + - name: Apply suitable labels to a pull request + uses: actions/labeler@v6 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index fa6f772..19e0129 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -84,7 +84,7 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Sync repository labels if: success() uses: crazy-max/ghaction-github-labeler@v5 
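Review bot: The `label` job requests `pull-requests: write`, but the workflow is triggered by `pull_request`, under which the GITHUB_TOKEN handed to runs for pull requests from forks is read-only, so `actions/labeler@v6` will fail to apply labels on fork contributions (the `jobs:` mapping this job belongs to begins on the previous physical line). The labeler README documents `pull_request_target` for exactly this case; it runs against the base branch with a write-capable token, which is acceptable here only because the job never checks out or executes code from the PR head — keep it that way if the trigger is changed: `on: # yamllint disable-line rule:truthy` / `  pull_request_target:`. Separately, `issues: write` is not among the permissions the labeler README lists (`contents: read` and `pull-requests: write`), so it can likely be dropped to keep the job at least privilege — confirm against the action's current documentation before removing it.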
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ed7ec9d..49e87b9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,4 +1,10 @@ --- +ci: + # Do not commit changes from running pre-commit for pull requests. + autofix_prs: false + # Autoupdate hooks weekly (this is the default). + autoupdate_schedule: weekly + default_language_version: # force all unspecified python hooks to run python3 python: python3 @@ -10,7 +16,7 @@ repos: - id: check-useless-excludes - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 + rev: v6.0.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -39,17 +45,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.44.0 + rev: v0.45.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/rbubley/mirrors-prettier - rev: v3.5.3 + rev: v3.6.2 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.37.0 + rev: v1.37.1 hooks: - id: yamllint args: @@ -57,20 +63,20 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.32.1 + rev: 0.33.3 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.2.0 + rev: v4.3.0 hooks: - id: validate_manifest # Go hooks - repo: https://github.com/TekWizely/pre-commit-golang - rev: v1.0.0-rc.1 + rev: v1.0.0-rc.2 hooks: # Go Build - id: go-build-repo-mod @@ -99,7 +105,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.11.0-1 + rev: v3.12.0-2 hooks: - id: shfmt args: 
@@ -117,14 +123,14 @@ repos: # Redirect operators are followed by a space - --space-redirects - repo: https://github.com/shellcheck-py/shellcheck-py - rev: v0.10.0.1 + rev: v0.11.0.1 hooks: - id: shellcheck # Python hooks # Run bandit on the "tests" tree with a configuration - repo: https://github.com/PyCQA/bandit - rev: 1.8.3 + rev: 1.8.6 hooks: - id: bandit name: bandit (tests tree) @@ -133,7 +139,7 @@ repos: - --config=.bandit.yml # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit - rev: 1.8.3 + rev: 1.8.6 hooks: - id: bandit name: bandit (everything else) @@ -143,7 +149,7 @@ repos: hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.1.2 + rev: 7.3.0 hooks: - id: flake8 additional_dependencies: @@ -153,7 +159,7 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.15.0 + rev: v1.18.1 hooks: - id: mypy # IMPORTANT: Keep type hinting-related dependencies of the @@ -165,7 +171,7 @@ repos: - types-requests - types-setuptools - repo: https://github.com/pypa/pip-audit - rev: v2.8.0 + rev: v2.9.0 hooks: - id: pip-audit args: @@ -177,13 +183,13 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.19.1 + rev: v3.20.0 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v25.4.0 + rev: v25.9.0 hooks: - id: ansible-lint additional_dependencies: @@ -227,7 +233,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.98.0 + rev: v1.100.0 hooks: - id: terraform_fmt - id: terraform_validate @@ -240,7 +246,7 @@ repos: # Packer hooks - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.3.0 + rev: v0.3.1 hooks: - id: packer_fmt - id: packer_validate diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 87f045a..ada4543 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -132,11 +132,10 @@ you can begin to use `pyenv`. For a list of Python versions that are already installed and ready to use with `pyenv`, use the command `pyenv versions`. To see a list of the Python versions available to be installed and used with `pyenv` -use the command `pyenv install --list`. You can read more -[here](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md) about -the many things that `pyenv` can do. See -[here](https://github.com/pyenv/pyenv-virtualenv#usage) for the -additional capabilities that pyenv-virtualenv adds to the `pyenv` +use the command `pyenv install --list`. You can read more about +the [many things that `pyenv` can do](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md). +See the [usage information](https://github.com/pyenv/pyenv-virtualenv#usage) +for the additional capabilities that pyenv-virtualenv adds to the `pyenv` command. #### Creating the Python virtual environment #### diff --git a/README.md b/README.md index 809d362..57820ab 100644 --- a/README.md +++ b/README.md 
@@ -1,10 +1,16 @@ # Trustworthy Mail # +<<<<<<< HEAD [![Latest Version](https://img.shields.io/pypi/v/trustymail.svg)](https://pypi.org/project/trustymail/) [![GitHub Build Status](https://github.com/cisagov/trustymail/workflows/build/badge.svg)](https://github.com/cisagov/trustymail/actions) [![CodeQL](https://github.com/cisagov/trustymail/workflows/CodeQL/badge.svg)](https://github.com/cisagov/trustymail/actions/workflows/codeql-analysis.yml) [![Coverage Status](https://coveralls.io/repos/github/cisagov/trustymail/badge.svg?branch=develop)](https://coveralls.io/github/cisagov/trustymail?branch=develop) [![Known Vulnerabilities](https://snyk.io/test/github/cisagov/trustymail/develop/badge.svg)](https://snyk.io/test/github/cisagov/trustymail) +======= +[![GitHub Build Status](https://github.com/cisagov/skeleton-python-library/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions) +[![CodeQL](https://github.com/cisagov/skeleton-python-library/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions/workflows/codeql-analysis.yml) +[![Coverage Status](https://coveralls.io/repos/github/cisagov/skeleton-python-library/badge.svg?branch=develop)](https://coveralls.io/github/cisagov/skeleton-python-library?branch=develop) +>>>>>>> cf0d937626ca5213720b7dd074735bc960d174b0 `trustymail` is a tool that evaluates SPF/DMARC records set in a domain's DNS. It also checks the mail servers listed in a domain's MX diff --git a/setup-env b/setup-env index fb9e2cf..cf9d787 100755 --- a/setup-env +++ b/setup-env 
@@ -101,10 +101,10 @@ LONGOPTS="force,help,install-hooks,list-versions,python-version:,venv-name:" # Define short options for getopt SHORTOPTS="fhilp:v:" -# Check for GNU getopt by matching a specific pattern ("getopt from util-linux") -# in its version output. This approach presumes the output format remains stable. -# Be aware that format changes could invalidate this check. -if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then +# Check for GNU getopt by testing for long option support. GNU getopt supports +# the "--test" option and will return exit code 4 while POSIX/BSD getopt does +# not and will return exit code 0. +if getopt --test > /dev/null 2>&1; then cat << 'END_OF_LINE' Please note, this script requires GNU getopt due to its enhanced
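Review bot: The new `if getopt --test > /dev/null 2>&1; then` treats only exit status 0 as "not GNU getopt", so a missing `getopt` binary (status 127) or any other failure is now read as GNU getopt and the script proceeds to its later `getopt` call, whereas the removed version-string check at least rejected an empty `getopt --version` output. Since the comment itself states that GNU getopt returns 4, testing for that exact status is more faithful and also catches the absent-binary case; capturing the status through `||` keeps it safe if the script runs under errexit, which is not visible in this hunk: `rc=0; getopt --test > /dev/null 2>&1 || rc=$?` followed by `if [[ $rc -ne 4 ]]; then`. The `cat << 'END_OF_LINE'` heredoc that follows continues past the end of the hunk.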