From 4d88c8b10852e057d0d95cf36f0ef74c1b509162 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 28 May 2025 11:15:29 -0400 Subject: [PATCH 01/26] Add a configuration block for pre-commit.ci This adds a `ci` block to the pre-commit configurations to control the behavior of the pre-commit.ci GitHub app. --- .pre-commit-config.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0760b36..9273b18 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,4 +1,10 @@ --- +ci: + # Do not commit changes from running pre-commit for pull requests. + autofix_prs: false + # Autoupdate hooks weekly (this is the default). + autoupdate_schedule: weekly + default_language_version: # force all unspecified python hooks to run python3 python: python3 From 3b584271602c8b0a39e83522119e728882f5b481 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 15 May 2025 14:57:11 -0400 Subject: [PATCH 02/26] Use a version tag for cisagov/setup-env-github-action We currently use the `develop` branch as our reference for the cisagov/setup-env-github-action action in the build workflow. We will instead use the major version tag which puts our usage of this action in line with how we use other actions in our workflows. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7fe4f16..2e5c1e2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -99,7 +99,7 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env - uses: cisagov/setup-env-github-action@develop + uses: cisagov/setup-env-github-action@v1 - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v5 
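Review bot: The new `ci:` block sets `autofix_prs` and `autoupdate_schedule` but no `skip:` list, and pre-commit.ci runs hooks without network access, so a hook that has to reach the network — the `pip-audit` hook configured further down this same file is the obvious one — will most likely fail on every pre-commit.ci run instead of producing a result. If the app is actually enabled on this repository, consider adding `skip: [pip-audit]` under `ci:` with a comment such as `# pre-commit.ci runs hooks without network access; pip-audit runs in the build workflow instead.` Keeping `autofix_prs: false` is the right default for a shared skeleton, since it stops the app from pushing commits onto contributor branches; a short comment saying that is the reason would make the setting self-explanatory.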
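Review bot: `cisagov/setup-env-github-action@v1` swaps a mutable branch for a mutable major tag, which is an improvement but still means whoever can move the `v1` tag controls what runs in this job; the stronger supply-chain control is to pin a full commit SHA and keep the tag as a trailing comment, e.g. `uses: cisagov/setup-env-github-action@<full-commit-sha> # v1`, which Dependabot keeps in sync. The same applies to every `uses:` bumped by the Dependabot commits later in this series (actions/download-artifact, actions/labeler, actions/setup-python, actions/setup-go, actions/checkout). If the project deliberately standardises on major tags for readability, a one-line comment above the first `uses:` in this workflow stating that policy would stop it being re-raised in review. The enclosing `steps:` list starts and ends outside the hunk.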
From 8ac7776f822692638fd421b936295fb0f7ce9467 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Aug 2025 23:47:33 +0000 Subject: [PATCH 03/26] Bump actions/download-artifact from 4 to 5 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 5. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 728a0d4..910e2d9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -484,7 +484,7 @@ jobs: restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Retrieve the built wheel - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v5 with: name: dist-${{ matrix.python-version }} path: dist From f89170422e22989a8314be4d6355b2919301d9b5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 28 Aug 2025 14:04:27 -0400 Subject: [PATCH 04/26] Add a configuration to automatically label pull requests This includes updating the dependabot configuration, adding a new `label-prs.yml` GitHub Actions workflow, and adding a suitable configuration file for the actions/labeler action used by the aforementioned workflow. --- .github/dependabot.yml | 1 + .github/labeler.yml | 63 ++++++++++++++++++++++ .github/workflows/label-prs.yml | 93 +++++++++++++++++++++++++++++++++ 3 files changed, 157 insertions(+) create mode 100644 .github/labeler.yml create mode 100644 .github/workflows/label-prs.yml 
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c17fa4c..6dc2a95 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,6 +12,7 @@ updates:
 # - dependency-name: actions/cache
 # - dependency-name: actions/checkout
 # - dependency-name: actions/dependency-review-action
+ # - dependency-name: actions/labeler
 # - dependency-name: actions/setup-go
 # - dependency-name: actions/setup-python
 # - dependency-name: cisagov/action-job-preamble
diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 0000000..c7f044b
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,63 @@ +--- +# Each entry in this file is a label that will be applied to pull requests +# if there is a match based on the matching rules for the entry. Please see +# the actions/labeler documentation for more information: +# https://github.com/actions/labeler#match-object +# +# Note: Verify that the label you want to use is defined in the +# crazy-max/ghaction-github-labeler configuration file located at +# .github/labels.yml. + +# Enable if Ansible playbooks are used in the repository. +# ansible: +# - changed-files: +# - any-glob-to-any-file: +# - "**/ansible/**" +dependencies: + - changed-files: + - any-glob-to-any-file: + # Add any dependency files used. + - .pre-commit-config.yaml + - requirements*.txt +documentation: + - changed-files: + - any-glob-to-any-file: + - "**/*.md" +github-actions: + - changed-files: + - any-glob-to-any-file: + - .github/workflows/** +# Enable if Packer is used in the repository. +# packer: +# - changed-files: +# - any-glob-to-any-file: +# - "**/*.pkr.hcl" +# Enable if Python is used in the repository. +# python: +# - changed-files: +# - any-glob-to-any-file: +# - "**/*.py" +# Enable if Terraform is used in the repository. +# terraform: +# - changed-files: +# - any-glob-to-any-file: +# - "**/*.tf" +test: + - changed-files: + - any-glob-to-any-file: + # Add any test-related files or paths. + - .ansible-lint + - .bandit.yml + - .flake8 + - .isort.cfg + - .mdl_config.yaml + - .yamllint +upstream update: + - head-branch: + # Any Lineage pull requests should use this branch. + - lineage/skeleton +version bump: + - changed-files: + - any-glob-to-any-file: + # Ensure this matches your version tracking file(s). + - version.txt diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml new file mode 100644 index 0000000..a107347 --- /dev/null +++ b/.github/workflows/label-prs.yml 
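Review bot: The `upstream update` rule's `head-branch: lineage/skeleton` is, as far as I can tell, evaluated by actions/labeler v5 as a regular expression, so it is unanchored and would also label a pull request coming from `lineage/skeleton-old` or `feature/lineage/skeleton`; anchoring it as `- ^lineage/skeleton$` makes the rule mean what its comment says. Separately, the glob entries are quoted in some rules (`"**/*.md"`) and plain in others (`.github/workflows/**`, `requirements*.txt`); quoting every pattern consistently avoids the YAML alias trap the moment someone adds a pattern that starts with `*`.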
@@ -0,0 +1,93 @@ +--- +name: Label pull requests + +on: # yamllint disable-line rule:truthy + pull_request: + types: + - edited + - opened + - synchronize + +# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace, +# nounset, errexit, and pipefail. The `-x` will print all commands as they are +# run. Please see the GitHub Actions documentation for more information: +# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs +defaults: + run: + shell: bash -Eueo pipefail -x {0} + +jobs: + diagnostics: + name: Run diagnostics + # This job does not need any permissions + permissions: {} + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 + with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + output_workflow_context: "true" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. 
+ permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + label: + needs: + - diagnostics + permissions: + # Permissions required by actions/labeler + contents: read + issues: write + pull-requests: write + runs-on: ubuntu-latest + steps: + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 + with: + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + - name: Apply suitable labels to a pull request + uses: actions/labeler@v5 From 0aba2813c7f64b7ab1cb601544bf05064f9a71f2 Mon Sep 17 00:00:00 2001 
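Review bot: The `label` job requests `pull-requests: write` and `issues: write`, but the workflow triggers on `pull_request`, where the GITHUB_TOKEN for a pull request opened from a fork is read-only, so labeling will fail for fork contributions; either that trade-off is accepted — the safer choice, since no write-capable token is ever exposed while PR-head code is present — and should be stated in a comment above `on:`, or the trigger becomes `pull_request_target`, which is defensible here only because this job never checks out or executes PR-head code, and a comment should record that constraint so a future step does not quietly break it. `issues: write` also looks broader than needed: the actions/labeler README lists only `contents: read` and `pull-requests: write`, so unless cisagov/action-job-preamble requires it, drop it and reword `# Permissions required by actions/labeler` to match. The `diagnostics` job's `permissions: {}` is the right least-privilege default and is worth keeping as the template for other jobs.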
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 8 Sep 2025 12:44:47 -0400 Subject: [PATCH 05/26] Bump actions/labeler from 5 to 6 Bumps [actions/labeler](https://github.com/actions/labeler) from 5 to 6. - [Release notes](https://github.com/actions/labeler/releases) - [Commits](actions/labeler@v5...v6) --- updated-dependencies: - dependency-name: actions/labeler dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/label-prs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml index a107347..9d78e39 100644 --- a/.github/workflows/label-prs.yml +++ b/.github/workflows/label-prs.yml @@ -90,4 +90,4 @@ jobs: # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Apply suitable labels to a pull request - uses: actions/labeler@v5 + uses: actions/labeler@v6 From 507fe983481126be7e953ccb8e9476368b378c42 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 19:00:55 +0000 Subject: [PATCH 06/26] Bump actions/setup-python from 5 to 6 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7fe4f16..bcd9028 100644 --- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml @@ -102,7 +102,7 @@ jobs: uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ steps.setup-env.outputs.python-version }} # We need the Go version and Go cache location for the actions/cache step, From 428ab617f1162c6514ddd2efb575ba2f37ff4c1f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Sep 2025 19:00:58 +0000 Subject: [PATCH 07/26] Bump actions/setup-go from 5 to 6 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7fe4f16..d302901 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -108,7 +108,7 @@ jobs: # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - id: setup-go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: # There is no expectation for actual Go code so we disable caching as # it relies on the existence of a go.sum file. From 623a983457d949be691753782997c97f50ebe9c6 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:23:07 -0400 Subject: [PATCH 08/26] Adjust the labels dependabot uses Instead of using the default labels for the `github-actions` package ecosystem we specify the labels explicitly. This is done to ensure that dependabot uses our `github-actions` label instead of the default of `github_actions`. We must also explicitly specify the `dependencies` label since we are overriding the default label values. --- .github/dependabot.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c17fa4c..d3688af 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -21,6 +21,12 @@ updates: # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate + labels: + # dependabot default we need to replicate + - dependencies + # This matches our label definition in .github/labels.yml as opposed to + # dependabot's default of `github_actions`. + - github-actions package-ecosystem: github-actions schedule: interval: weekly From 03065cdc17b57141a9fc88b7c95cd76c9c2b93d5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 16 Sep 2025 10:14:00 -0400 Subject: [PATCH 09/26] Adjust GNU getopt check logic in the `setup-env` script Change the check from looking for specific text in the version output to using the `--test` option. This will provide a more robust implementation of this check that does not have to worry about output format stability. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- setup-env | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup-env b/setup-env index f3304d9..89c7603 100755 --- a/setup-env +++ b/setup-env 
@@ -101,10 +101,10 @@ LONGOPTS="force,help,install-hooks,list-versions,python-version:,venv-name:" # Define short options for getopt SHORTOPTS="fhilp:v:" -# Check for GNU getopt by matching a specific pattern ("getopt from util-linux") -# in its version output. This approach presumes the output format remains stable. -# Be aware that format changes could invalidate this check. -if [[ $(getopt --version 2> /dev/null) != *"getopt from util-linux"* ]]; then +# Check for GNU getopt by testing for long option support. GNU getopt supports +# the "--test" option and will return exit code 4 while POSIX/BSD getopt does +# not and will return exit code 0. +if getopt --test > /dev/null 2>&1; then cat << 'END_OF_LINE' Please note, this script requires GNU getopt due to its enhanced From c7e1ce848099c84bf1124f66acc93de52021bb2b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Sep 2025 15:45:32 +0000 Subject: [PATCH 10/26] Bump actions/checkout from 4 to 5 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d62be35..c11089c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
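Review bot: The new check treats any non-zero exit from `getopt --test` as GNU getopt, while the comment (and util-linux's own documentation) say GNU getopt returns exactly 4; a BSD/POSIX getopt that exits 1 or 2 on the unrecognised `--test` argument would therefore pass as GNU and the script would continue to the long-option parsing that `LONGOPTS` is defined for. Test for the documented status rather than for zero: `getopt --test > /dev/null 2>&1 && getopt_status=0 || getopt_status=$?` followed by `if [[ $getopt_status -ne 4 ]]; then`, which also stays safe if the script runs under `set -e`. The body of the `if` (the heredoc) continues outside the hunk.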
@@ -100,7 +100,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@v1 - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python uses: actions/setup-python@v6 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index dd59d04..0722fa3 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -113,7 +113,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index ee87e04..bc859d1 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -89,7 +89,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: checkout-repo name: Checkout the repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - id: dependency-review name: Review dependency changes for vulnerabilities and license changes uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index fa6f772..19e0129 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -84,7 +84,7 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Sync repository labels if: success() uses: crazy-max/ghaction-github-labeler@v5 From d070095f0a23e31fec3eab43acf1d9bdc67797b3 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 4 May 2025 05:51:15 -0400 Subject: [PATCH 11/26] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9273b18..bc76d85 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -16,7 +16,7 @@ repos: - id: check-useless-excludes - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 + rev: v6.0.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -45,17 +45,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.44.0 + rev: v0.45.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/rbubley/mirrors-prettier - rev: v3.5.3 + rev: v3.6.2 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.37.0 + rev: v1.37.1 hooks: - id: yamllint args: @@ -63,20 +63,20 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.32.1 + rev: 0.33.3 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.2.0 + rev: v4.3.0 hooks: - id: validate_manifest # Go hooks - repo: https://github.com/TekWizely/pre-commit-golang - rev: v1.0.0-rc.1 + rev: v1.0.0-rc.2 hooks: # Go Build - id: go-build-repo-mod @@ -105,7 +105,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.11.0-1 + rev: v3.12.0-2 hooks: - id: shfmt args: 
@@ -123,13 +123,13 @@ repos: # Redirect operators are followed by a space - --space-redirects - repo: https://github.com/shellcheck-py/shellcheck-py - rev: v0.10.0.1 + rev: v0.11.0.1 hooks: - id: shellcheck # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.8.3 + rev: 1.8.6 hooks: - id: bandit args: @@ -139,7 +139,7 @@ repos: hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.1.2 + rev: 7.3.0 hooks: - id: flake8 additional_dependencies: @@ -149,11 +149,11 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.15.0 + rev: v1.18.1 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit - rev: v2.8.0 + rev: v2.9.0 hooks: - id: pip-audit args: @@ -165,13 +165,13 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.19.1 + rev: v3.20.0 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v25.4.0 + rev: v25.9.0 hooks: - id: ansible-lint additional_dependencies: @@ -215,7 +215,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.98.0 + rev: v1.100.0 hooks: - id: terraform_fmt - id: terraform_validate @@ -228,7 +228,7 @@ repos: # Packer hooks - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.3.0 + rev: v0.3.1 hooks: - id: packer_fmt - id: packer_validate From ee20b2a6866b77f826a93dad5eaa689e18377275 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 29 Aug 2025 17:19:53 -0400 Subject: [PATCH 12/26] Conform to new markdownlint rule A new rule, `MD059/descriptive-link-text`, was added in markdownlint's 0.38.0 release, which itself is used in v0.45.0 of markdownlint-cli. As such, we must update to conform to the new rule. --- CONTRIBUTING.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f9fa53a..a631733 100644 --- a/CONTRIBUTING.md 
+++ b/CONTRIBUTING.md @@ -132,11 +132,10 @@ you can begin to use `pyenv`. For a list of Python versions that are already installed and ready to use with `pyenv`, use the command `pyenv versions`. To see a list of the Python versions available to be installed and used with `pyenv` -use the command `pyenv install --list`. You can read more -[here](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md) about -the many things that `pyenv` can do. See -[here](https://github.com/pyenv/pyenv-virtualenv#usage) for the -additional capabilities that pyenv-virtualenv adds to the `pyenv` +use the command `pyenv install --list`. You can read more about +the [many things that `pyenv` can do](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md). +See the [usage information](https://github.com/pyenv/pyenv-virtualenv#usage) +for the additional capabilities that pyenv-virtualenv adds to the `pyenv` command. #### Creating the Python virtual environment #### From 5bde44c0ead00f5c2b6c421d25a109d4cc839601 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 17 Sep 2025 12:22:39 -0400 Subject: [PATCH 13/26] Bump version from 0.0.1-rc.1 to 1.0.0 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 871d40b..3eefcb9 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.0.1-rc.1 +1.0.0 From f23025ae9eb1b5b731517f1c046de7e2973d1e8e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 11:29:58 -0400 Subject: [PATCH 14/26] Update GitHub actions to versions used upstream --- .github/workflows/build.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c9f0820..3e1f069 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -251,9 +251,9 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 @@ -324,7 +324,7 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Finished coveralls reports uses: coverallsapp/github-action@v2 with: @@ -378,9 +378,9 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 @@ -463,9 +463,9 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 From f5eb17b2f9d4a32163d619d58f0f5b8295806db0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 11:30:41 -0400 Subject: [PATCH 15/26] Sync bandit versions used in pre-commit config --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a91ce0a..df67df9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -139,7 +139,7 @@ repos: - --config=.bandit.yml # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit - rev: 1.8.3 + rev: 1.8.6 hooks: - id: bandit name: bandit (everything else) From 187e76b1a72f5c27cdf6aa5d3bc6512687165f6f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 14:31:13 -0400 Subject: [PATCH 16/26] Add python configuration to labeler --- .github/labeler.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index c7f044b..224b713 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -33,10 +33,10 @@ github-actions: # - any-glob-to-any-file: # - "**/*.pkr.hcl" # Enable if Python is used in the repository. -# python: -# - changed-files: -# - any-glob-to-any-file: -# - "**/*.py" +python: + - changed-files: + - any-glob-to-any-file: + - "**/*.py" # Enable if Terraform is used in the repository. # terraform: # - changed-files: From 11b22549708520ebebdd4cd6a1dff193da23bc1e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 14:33:06 -0400 Subject: [PATCH 17/26] Add Python tests and pytest.ini to labeler test configuration --- .github/labeler.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index 224b713..33bfbaf 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -52,6 +52,8 @@ test: - .isort.cfg - .mdl_config.yaml - .yamllint + - pytest.ini + - tests/**/*.py upstream update: - head-branch: # Any Lineage pull requests should use this branch. From bc0278ba6298428e4828da87eeb6852e6540f3bf Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 18 Sep 2025 14:34:35 -0400 Subject: [PATCH 18/26] Correct version file in labeler configuration --- .github/labeler.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 33bfbaf..5e6e91a 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -62,4 +62,4 @@ version bump: - changed-files: - any-glob-to-any-file: # Ensure this matches your version tracking file(s). - - version.txt + - src/**/_version.py From d18e90bfb8070d41dd539044a4e151486b627080 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 19 Sep 2025 16:03:28 -0400 Subject: [PATCH 19/26] Add additional repository labels This adds labels that are common in downstream repositories to the core configuration. This will help ensure consistent label availability. --- .github/labels.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/labels.yml b/.github/labels.yml index fe9a53e..b1311af 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -2,6 +2,9 @@ # Rather than breaking up descriptions into multiline strings we disable that # specific rule in yamllint for this file. # yamllint disable rule:line-length +- color: f15a53 + description: Pull requests that update Ansible code + name: ansible - color: eb6420 description: This issue or pull request is awaiting the outcome of another issue or pull request name: blocked @@ -17,6 +20,9 @@ - color: 0366d6 description: Pull requests that update a dependency file name: dependencies +- color: 2497ed + description: Pull requests that update Docker code + name: docker - color: 5319e7 description: This issue or pull request improves or adds to documentation name: documentation 
@@ -50,12 +56,21 @@ - color: fcdb45 description: This pull request is awaiting an action or decision to move forward name: on hold +- color: 02a8ef + description: Pull requests that update Packer code + name: packer +- color: 3772a4 + description: Pull requests that update Python code + name: python - color: ef476c description: This issue is a request for information or needs discussion name: question - color: d73a4a description: This issue or pull request addresses a security issue name: security +- color: 7b42bc + description: Pull requests that update Terraform code + name: terraform - color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test From e875abf74fc8cd799c17430c74a1d95eddc63466 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 22 Sep 2025 01:13:44 -0400 Subject: [PATCH 20/26] Add auto-label configuration for the `docker` label Add a configuration to automatically apply the `docker` label to pull requests. --- .github/labeler.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index c7f044b..49b89ef 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -19,6 +19,13 @@ dependencies: # Add any dependency files used. - .pre-commit-config.yaml - requirements*.txt +# Enable if Docker is used in the repository. +# docker: +# - changed-files: +# - any-glob-to-any-file: +# - "**/compose*.yml" +# - "**/docker-compose*.yml" +# - "**/Dockerfile*" documentation: - changed-files: - any-glob-to-any-file: From b5e805ef4c441e8d5f9dfd49bbf69935de8820d4 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 22 Sep 2025 09:10:14 -0400 Subject: [PATCH 21/26] Add setup.py as a trigger for the dependencies label Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/labeler.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/labeler.yml b/.github/labeler.yml index 5e6e91a..945e498 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -19,6 +19,7 @@ dependencies: # Add any dependency files used. - .pre-commit-config.yaml - requirements*.txt + - setup.py documentation: - changed-files: - any-glob-to-any-file: From 4b040c118288daff49ffe4d20b62a9c528f14adb Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 8 Feb 2025 05:30:34 -0500 Subject: [PATCH 22/26] Remove the Snyk badge from the README We no longer use the Snyk service so it makes sense to remove the badge. --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 79390aa..67a35ac 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,6 @@ [![GitHub Build Status](https://github.com/cisagov/skeleton-python-library/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions) [![CodeQL](https://github.com/cisagov/skeleton-python-library/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-python-library/actions/workflows/codeql-analysis.yml) [![Coverage Status](https://coveralls.io/repos/github/cisagov/skeleton-python-library/badge.svg?branch=develop)](https://coveralls.io/github/cisagov/skeleton-python-library?branch=develop) -[![Known Vulnerabilities](https://snyk.io/test/github/cisagov/skeleton-python-library/develop/badge.svg)](https://snyk.io/test/github/cisagov/skeleton-python-library) This is a generic skeleton project that can be used to quickly get a new [cisagov](https://github.com/cisagov) Python library GitHub From f0638404e07e7aa02eafcc0505e413802f0c32af Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 22 Sep 2025 01:29:56 -0400 Subject: [PATCH 23/26] Separate Coveralls build results by platform Currently we only set the flag for build results to the Python version, but since we test across platforms now we should also separate by the platform as well. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8202dc8..4f0822d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -283,7 +283,7 @@ jobs: - name: Upload coverage report uses: coverallsapp/github-action@v2 with: - flag-name: py${{ matrix.python-version }} + flag-name: py${{ matrix.python-version }} - ${{ matrix.platform }} parallel: true if: success() - name: Setup tmate debug session From 65474e25bdeb697e85653f74e7587e7f6cd42ce5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Oct 2025 09:36:57 -0400 Subject: [PATCH 24/26] Enable all label configuration for actions/labeler We can enable all label configurations for actions/labeler by default now that all of these labels are defined in the configuration for crazy-max/ghaction-github-labeler. --- .github/labeler.yml | 49 ++++++++++++++++++++------------------------- 1 file changed, 22 insertions(+), 27 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 49b89ef..8100ae7 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -8,24 +8,22 @@ # crazy-max/ghaction-github-labeler configuration file located at # .github/labels.yml. -# Enable if Ansible playbooks are used in the repository. -# ansible: -# - changed-files: -# - any-glob-to-any-file: -# - "**/ansible/**" +ansible: + - changed-files: + - any-glob-to-any-file: + - "**/ansible/**" dependencies: - changed-files: - any-glob-to-any-file: # Add any dependency files used. - .pre-commit-config.yaml - requirements*.txt -# Enable if Docker is used in the repository. -# docker: -# - changed-files: -# - any-glob-to-any-file: -# - "**/compose*.yml" -# - "**/docker-compose*.yml" -# - "**/Dockerfile*" +docker: + - changed-files: + - any-glob-to-any-file: + - "**/compose*.yml" + - "**/docker-compose*.yml" + - "**/Dockerfile*" documentation: - changed-files: - any-glob-to-any-file: @@ -34,21 +32,18 @@ github-actions: - changed-files: - any-glob-to-any-file: - .github/workflows/** -# Enable if Packer is used in the repository. -# packer: -# - changed-files: -# - any-glob-to-any-file: -# - "**/*.pkr.hcl" -# Enable if Python is used in the repository. -# python: -# - changed-files: -# - any-glob-to-any-file: -# - "**/*.py" -# Enable if Terraform is used in the repository. -# terraform: -# - changed-files: -# - any-glob-to-any-file: -# - "**/*.tf" +packer: + - changed-files: + - any-glob-to-any-file: + - "**/*.pkr.hcl" +python: + - changed-files: + - any-glob-to-any-file: + - "**/*.py" +terraform: + - changed-files: + - any-glob-to-any-file: + - "**/*.tf" test: - changed-files: - any-glob-to-any-file: From 3cf19cd3794f5d325ec0ba57ce5f8d7fe5dfdac9 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Oct 2025 12:42:12 -0400 Subject: [PATCH 25/26] Add JavaScript-related labels Add labels for JavaScript and TypeScript to the configuration for crazy-max/ghaction-github-labeler. --- .github/labels.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
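Review bot: The newly enabled `terraform` and `packer` rules in the second hunk match only `**/*.tf` and `**/*.pkr.hcl`, so pull requests that change only variable files go unlabelled; adding `- "**/*.tfvars"` under `terraform` and `- "**/*.pkrvars.hcl"` under `packer` closes that gap. The `python` rule could likewise include `- "**/*.pyi"` if the repository ships stub files. Separately, the `dependencies` context in the first hunk lists only `.pre-commit-config.yaml` and `requirements*.txt`, without the `setup.py` entry that an earlier patch in this series adds, so either that patch is based on a different tree or this hunk will need a rebase before it applies cleanly.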
diff --git a/.github/labels.yml b/.github/labels.yml index b1311af..650ed7c 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -47,6 +47,9 @@ - color: fef2c0 description: This issue or pull request is not applicable, incorrect, or obsolete name: invalid +- color: f1d642 + description: Pull requests that update JavaScript code + name: javascript - color: ce099a description: This pull request is ready to merge during the next Lineage Kraken release name: kraken 🐙 @@ -74,6 +77,9 @@ - color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test +- color: 2b6ebf + description: Pull requests that update TypeScript code + name: typescript - color: 1d76db description: This issue or pull request pulls in upstream updates name: upstream update From e38c7f0d43b84c8b5390773eb20d3d99ff643230 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 3 Oct 2025 12:54:50 -0400 Subject: [PATCH 26/26] Add JavaScript-related labels to the labeler configuration Add the new `javascript` and `typescript` labels with appropriate matching rules to the actions/labeler configuration. --- .github/labeler.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/labeler.yml b/.github/labeler.yml index 8100ae7..a4e2186 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -32,6 +32,10 @@ github-actions: - changed-files: - any-glob-to-any-file: - .github/workflows/** +javascript: + - changed-files: + - any-glob-to-any-file: + - "**/*.js" packer: - changed-files: - any-glob-to-any-file: @@ -54,6 +58,10 @@ test: - .isort.cfg - .mdl_config.yaml - .yamllint +typescript: + - changed-files: + - any-glob-to-any-file: + - "**/*.ts" upstream update: - head-branch: # Any Lineage pull requests should use this branch.
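Review bot: The two new descriptions ("Pull requests that update JavaScript code") are phrased differently from the surrounding entries, which use the "This issue or pull request ..." form; `description: This pull request updates JavaScript code` (and the TypeScript counterpart) keeps the list consistent. The `color` values `f1d642` and `2b6ebf` are safe as plain scalars, but a colour consisting only of digits such as `123456` would be read as an integer, and forms like `1e1234` may be read as floats on some parsers, so quoting colours as `"f1d642"` is the safer habit in this file.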
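Review bot: The `javascript` and `typescript` rules match only `**/*.js` and `**/*.ts`, so React and module-variant sources (`.jsx`, `.mjs`, `.cjs`, `.tsx`, `.mts`, `.cts`) would not be labelled. Either add one glob per extension or, if the labeler's matcher supports brace expansion, use `- "**/*.{js,jsx,mjs,cjs}"` and `- "**/*.{ts,tsx,mts,cts}"`. Keeping the globs quoted as done here is required, since a plain scalar starting with `*` would be read as a YAML alias.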
