

Merge pull request #39 from cisagov/lineage/skeleton
⚠️ CONFLICT! Lineage pull request for: skeleton
jsf9k authored Oct 31, 2024
2 parents 0776cee + 1b206f4 commit b870dde
Showing 30 changed files with 57 additions and 69 deletions.
1 change: 1 addition & 0 deletions .github/dependabot.yml
Expand Up @@ -16,6 +16,7 @@ updates:
- dependency-name: crazy-max/ghaction-dump-context
- dependency-name: crazy-max/ghaction-github-labeler
- dependency-name: crazy-max/ghaction-github-status
- dependency-name: GitHubSecurityLab/actions-permissions
- dependency-name: hashicorp/setup-terraform
- dependency-name: mxschmitt/action-tmate
- dependency-name: step-security/harden-runner
15 changes: 15 additions & 0 deletions .github/workflows/build.yml
Expand Up @@ -30,10 +30,18 @@ env:
jobs:
diagnostics:
name: Run diagnostics
# This job does not need any permissions
permissions: {}
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
Expand All @@ -48,8 +56,15 @@ jobs:
lint:
needs:
- diagnostics
permissions:
# actions/checkout needs this to fetch code
contents: read
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
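Review bot: The new `GitHubSecurityLab/actions-permissions/monitor@v1` step is referenced by a mutable tag and is placed first in both `diagnostics` and `lint`, ahead of `step-security/harden-runner`, so whatever that tag resolves to at run time executes before the runner is hardened. Pinning to a full commit SHA keeps the code that was reviewed and the code that runs identical, e.g. `- uses: GitHubSecurityLab/actions-permissions/monitor@FULL_COMMIT_SHA  # v1` (FULL_COMMIT_SHA is a placeholder for the SHA of the release that was reviewed). The same reference is added twice in .github/workflows/sync-labels.yml, once in a job that holds `issues: write`. Both jobs' step lists continue past the visible hunks.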
17 changes: 15 additions & 2 deletions .github/workflows/sync-labels.yml
Expand Up @@ -4,19 +4,28 @@ name: sync-labels
on:
push:
paths:
- '.github/labels.yml'
- '.github/workflows/sync-labels.yml'
- .github/labels.yml
- .github/workflows/sync-labels.yml
workflow_dispatch:

permissions:
contents: read

jobs:
diagnostics:
name: Run diagnostics
# This job does not need any permissions
permissions: {}
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
Expand All @@ -38,6 +47,10 @@ jobs:
issues: write
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
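Review bot: The comment `# Note that a duplicate of this step must be added at the top of each job.` now sits above both the monitor step and the harden-runner step in `diagnostics`, and only one step can be at the top of a job. If the intended order is the one this hunk uses, the comments could say so, for example `# This step must be the first step of every job.` above the monitor step and `# This step must directly follow the permissions monitor in every job.` above harden-runner. .github/workflows/build.yml carries the same pair of comments. The monitor step added to the second job here has no comment, so the ordering requirement is easy to miss when a new job is copied from it.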
44 changes: 24 additions & 20 deletions .pre-commit-config.yaml
Expand Up @@ -10,15 +10,19 @@ repos:
- id: check-useless-excludes

- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
rev: v5.0.0
hooks:
- id: check-case-conflict
- id: check-executables-have-shebangs
- id: check-json
- id: check-merge-conflict
- id: check-shebang-scripts-are-executable
- id: check-symlinks
- id: check-toml
- id: check-vcs-permalinks
- id: check-xml
- id: debug-statements
- id: destroyed-symlinks
- id: detect-aws-credentials
args:
- --allow-missing-credentials
Expand Down Expand Up @@ -53,40 +57,40 @@ repos:

# GitHub Actions hooks
- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.29.2
rev: 0.29.4
hooks:
- id: check-github-actions
- id: check-github-workflows

# pre-commit hooks
- repo: https://github.com/pre-commit/pre-commit
rev: v3.8.0
rev: v4.0.1
hooks:
- id: validate_manifest

# Go hooks
- repo: https://github.com/TekWizely/pre-commit-golang
rev: v1.0.0-rc.1
hooks:
# Style Checkers
- id: go-critic
# StaticCheck
- id: go-staticcheck-repo-mod
# Go Build
- id: go-build-repo-mod
# Style Checkers
- id: go-critic
# goimports
- id: go-imports-repo
args:
# Write changes to files
- -w
# Go Mod Tidy
- id: go-mod-tidy-repo
# GoSec
- id: go-sec-repo-mod
# StaticCheck
- id: go-staticcheck-repo-mod
# Go Test
- id: go-test-repo-mod
# Go Vet
- id: go-vet-repo-mod
# GoSec
- id: go-sec-repo-mod
# goimports
- id: go-imports-repo
args:
# Write changes to files
- -w
# Nix hooks
- repo: https://github.com/nix-community/nixpkgs-fmt
rev: v1.3.0
Expand All @@ -95,7 +99,7 @@ repos:

# Shell script hooks
- repo: https://github.com/scop/pre-commit-shfmt
rev: v3.9.0-1
rev: v3.10.0-1
hooks:
- id: shfmt
args:
Expand Down Expand Up @@ -126,7 +130,7 @@ repos:
args:
- --config=.bandit.yml
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 24.8.0
rev: 24.10.0
hooks:
- id: black
- repo: https://github.com/PyCQA/flake8
Expand All @@ -140,7 +144,7 @@ repos:
hooks:
- id: isort
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.11.2
rev: v1.13.0
hooks:
- id: mypy
- repo: https://github.com/pypa/pip-audit
Expand All @@ -156,7 +160,7 @@ repos:
- --requirement
- requirements.txt
- repo: https://github.com/asottile/pyupgrade
rev: v3.17.0
rev: v3.19.0
hooks:
- id: pyupgrade

Expand Down Expand Up @@ -200,7 +204,7 @@ repos:

# Packer hooks
- repo: https://github.com/cisagov/pre-commit-packer
rev: v0.1.0
rev: v0.3.0
hooks:
- id: packer_validate
- id: packer_fmt
- id: packer_validate
1 change: 0 additions & 1 deletion bash/.bash_greeter
100755 → 100644
@@ -1,4 +1,3 @@
#!/bin/bash
# shellcheck disable=SC2034
# Disabled SC2034 to allow colors not currently in use to remain

1 change: 0 additions & 1 deletion bash/.bash_logout
@@ -1,2 +1 @@
#!/bin/bash
echo END OF LINE
2 changes: 1 addition & 1 deletion bash/.bash_profile
@@ -1,4 +1,4 @@
#!/bin/bash
# shellcheck shell=bash

# Workaround to get macOS to use .bashrc
if [[ "$OSTYPE" == "darwin"* ]] && [ -r "$HOME/.bashrc" ]; then
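Review bot: The `# shellcheck shell=bash` directive that appears to replace the shebang here (and in bash/.bashrc) is not added to the other bash files that lose `#!/bin/bash` in this commit, such as bash/.bash_greeter, which still carries `# shellcheck disable=SC2034`. Without a shebang or a shell directive ShellCheck cannot tell the dialect and reports SC2148, and a hook that selects files by shebang may stop checking those fragments altogether; which of the two happens depends on hook configuration not shown on this page. Adding `# shellcheck shell=bash` as the first line of each sourced bash fragment would keep them under the same lint rules. This file continues past the visible hunk.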
2 changes: 1 addition & 1 deletion bash/.bashrc
@@ -1,4 +1,4 @@
#!/bin/bash
# shellcheck shell=bash

# If not running interactively, don't do anything
[[ $- != *i* ]] && return
2 changes: 0 additions & 2 deletions bash/.bashrc.d/aliases
100755 → 100644
@@ -1,5 +1,3 @@
#!/bin/bash

# Make some possibly destructive commands more interactive.
if [ ${UID} -eq 0 ]; then
alias rm='rm -i'
2 changes: 0 additions & 2 deletions bash/.bashrc.d/aws
100755 → 100644
@@ -1,3 +1 @@
#!/bin/bash

export AWS_PROFILE="cool-user"
2 changes: 0 additions & 2 deletions bash/.bashrc.d/cyhy
100755 → 100644
@@ -1,3 +1 @@
#!/bin/bash

export CYHY_CONF_DIR=/private/etc/cyhy
2 changes: 0 additions & 2 deletions bash/.bashrc.d/gpg
100755 → 100644
@@ -1,5 +1,3 @@
#!/bin/bash

# From gpg-agent manpage
GPG_TTY=$(tty)
export GPG_TTY
2 changes: 0 additions & 2 deletions bash/.bashrc.d/kerberos
@@ -1,4 +1,2 @@
#!/bin/bash

# Load MIT Kerberos (installed via brew) before the default
export PATH="/usr/local/opt/krb5/bin:/usr/local/opt/krb5/sbin:$PATH"
2 changes: 0 additions & 2 deletions bash/.bashrc.d/pip
100755 → 100644
@@ -1,4 +1,2 @@
#!/bin/bash

# pip cache
export PIP_DOWNLOAD_CACHE=$HOME/Library/Caches/pip-downloads
2 changes: 0 additions & 2 deletions bash/.bashrc.d/prompt
100755 → 100644
@@ -1,5 +1,3 @@
#!/bin/bash

# Disable SC2034 to allow colors not currently in use to remain
# shellcheck disable=SC2034
BLUE=$(tput setaf 4)
2 changes: 0 additions & 2 deletions bash/.bashrc.d/pyenv
100755 → 100644
@@ -1,5 +1,3 @@
#!/bin/bash

# Add pyenv to PATH
export PATH="$PATH:$HOME/.pyenv/bin"

2 changes: 0 additions & 2 deletions bash/.bashrc.d/rsync
100755 → 100644
@@ -1,3 +1 @@
#!/bin/bash

export RSYNC_RSH=ssh
1 change: 0 additions & 1 deletion zsh/.p10k.zsh
@@ -1,4 +1,3 @@
#!/bin/zsh
# Generated by Powerlevel10k configuration wizard on 2020-05-12 at 09:58 EDT.
# Based on romkatv/powerlevel10k/config/p10k-lean.zsh, checksum 28636.
# Wizard options: compatible, unicode, lean, 1 line, compact, fluent, transient_prompt,
2 changes: 0 additions & 2 deletions zsh/.zshrc
@@ -1,5 +1,3 @@
#!/bin/zsh

# Enable Powerlevel10k instant prompt. Should stay close to the top of ~/.zshrc.
# Initialization code that may require console input (password prompts, [y/n]
# confirmations, etc.) must go above this block; everything else may go below.
2 changes: 0 additions & 2 deletions zsh/.zshrc.d/aliases
100755 → 100644
@@ -1,5 +1,3 @@
#!/bin/zsh

# Make some possibly destructive commands more interactive.
if [ ${UID} -eq 0 ]; then
alias rm='rm -i'
2 changes: 0 additions & 2 deletions zsh/.zshrc.d/aws
100755 → 100644
@@ -1,3 +1 @@
#!/bin/zsh

export AWS_PROFILE="cool-user"
2 changes: 0 additions & 2 deletions zsh/.zshrc.d/cyhy
100755 → 100644
@@ -1,5 +1,3 @@
#!/bin/zsh

# Set up CyHy docker environment variables
export CYHY_CONF_DIR=/private/etc/cyhy
export CYHY_CORE_IMAGE=ncats/cyhy-core
2 changes: 0 additions & 2 deletions zsh/.zshrc.d/gnu-sed
@@ -1,5 +1,3 @@
#!/bin/zsh

# Make it so gnu-sed replaces the MacOS version of sed
# If not installed, brew install gnu-sed first

2 changes: 0 additions & 2 deletions zsh/.zshrc.d/gpg
100755 → 100644
@@ -1,5 +1,3 @@
#!/bin/zsh

# From gpg-agent manpage
GPG_TTY=$(tty)
export GPG_TTY
2 changes: 0 additions & 2 deletions zsh/.zshrc.d/kerberos
@@ -1,4 +1,2 @@
#!/bin/zsh

# Load MIT Kerberos (installed via brew) before the default
export PATH="/usr/local/opt/krb5/bin:/usr/local/opt/krb5/sbin:$PATH"
2 changes: 0 additions & 2 deletions zsh/.zshrc.d/nvm
@@ -1,5 +1,3 @@
#!/bin/zsh

# Set up node/NVM
export NVM_DIR="$HOME/.nvm"
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
2 changes: 0 additions & 2 deletions zsh/.zshrc.d/pip
100755 → 100644
@@ -1,5 +1,3 @@
#!/bin/zsh

# Set pip cache
export PIP_DOWNLOAD_CACHE=$HOME/Library/Caches/pip-downloads

2 changes: 0 additions & 2 deletions zsh/.zshrc.d/prompt
100755 → 100644
@@ -1,5 +1,3 @@
#!/bin/zsh

BLUE=$(tput setaf 4)
BRIGHT_GREEN=$(tput setaf 10)
BRIGHT_RED=$(tput setaf 196)
2 changes: 0 additions & 2 deletions zsh/.zshrc.d/pyenv
100755 → 100644
@@ -1,5 +1,3 @@
#!/bin/zsh

# Add pyenv to PATH
export PATH="$PATH:$HOME/.pyenv/bin"

2 changes: 0 additions & 2 deletions zsh/.zshrc.d/rsync
100755 → 100644
@@ -1,3 +1 @@
#!/bin/zsh

export RSYNC_RSH=ssh
