From 4cb9a4b5863abc317de4daa8fa72487ac930c3d0 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 10 Jul 2023 12:52:36 -0400 Subject: [PATCH 01/57] Add steps to setup go packages for pre-commit --- .github/workflows/build.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c992e8e..f07c640 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -33,6 +33,22 @@ jobs: # it relies on the existence of a go.sum file. cache: false go-version: "1.20" + - id: setup-go-critic + run: go install -v github.com/go-critic/go-critic/cmd/gocritic@latest + - id: setup staticheck + uses: actions/checkout@v2 + with: + fetch-depth: 1 + - name: Run staticcheck + uses: dominikh/staticcheck-action@v1.3.0 + with: + version: "2022.1.3" + - id: setup-go-sec + uses: actions/checkout@v3 + env: + GO111MODULE: on + - name: Run Gosec Security Scanner + uses: securego/gosec@master - name: Lookup Go cache directory id: go-cache run: | From 53f56b01103783ba2d71c7ad64dc5c4c390c8388 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 10 Jul 2023 18:01:24 -0400 Subject: [PATCH 02/57] Update action/checkout to use same version --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f07c640..4731169 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -36,7 +36,7 @@ jobs: - id: setup-go-critic run: go install -v github.com/go-critic/go-critic/cmd/gocritic@latest - id: setup staticheck - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 1 - name: Run staticcheck From f2610994eacc942a8b4a3771c0c0d8d69fb286c1 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 10 Jul 2023 18:17:46 -0400 Subject: [PATCH 03/57] Set specific gocritic version --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
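Review bot: `uses: securego/gosec@master` in the added gosec step pins a third-party action to a mutable branch, so the scanner code executed in CI can change without any diff in this repository; pin it to a release tag or, better, a full commit SHA, as `dominikh/staticcheck-action@v1.3.0` two steps above already does by tag. `- id: setup staticheck` contains a space and a typo, so it can never be referenced as `steps.<id>` in an expression, and the two extra `actions/checkout` steps under it and under `setup-go-sec` only re-check-out a tree that is already present. `GO111MODULE: on` is a YAML 1.1 boolean and may reach Go as `true` rather than `on`; write `GO111MODULE: "on"`. Patch 04 later removes this whole block; the lint job's `steps:` list starts and ends outside the hunk.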
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4731169..cfbc847 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,7 +34,7 @@ jobs: cache: false go-version: "1.20" - id: setup-go-critic - run: go install -v github.com/go-critic/go-critic/cmd/gocritic@latest + run: go install -v github.com/go-critic/go-critic/cmd/gocritic@0.8.1 - id: setup staticheck uses: actions/checkout@v3 with: From 097b573a1eba564d2aeb260f676f01776ff10aba Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 10 Jul 2023 19:34:48 -0400 Subject: [PATCH 04/57] Update build workflow with package installtion --- .github/workflows/build.yml | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cfbc847..3cab3fb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -33,22 +33,6 @@ jobs: # it relies on the existence of a go.sum file. cache: false go-version: "1.20" - - id: setup-go-critic - run: go install -v github.com/go-critic/go-critic/cmd/gocritic@0.8.1 - - id: setup staticheck - uses: actions/checkout@v3 - with: - fetch-depth: 1 - - name: Run staticcheck - uses: dominikh/staticcheck-action@v1.3.0 - with: - version: "2022.1.3" - - id: setup-go-sec - uses: actions/checkout@v3 - env: - GO111MODULE: on - - name: Run Gosec Security Scanner - uses: securego/gosec@master - name: Lookup Go cache directory id: go-cache run: | 
@@ -80,6 +64,16 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} + - name: Install GoCritic + env: + PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install GoSec + env: + PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec + PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Packer env: PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} @@ -101,6 +95,11 @@ jobs: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install Staticcheck + env: + PACKAGE_URL: dominikh/staticcheck-action + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Terraform-docs env: PACKAGE_URL: github.com/terraform-docs/terraform-docs From 254282a5f9c5c55c2e95459f929e41a1d85e9ae2 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Tue, 11 Jul 2023 15:06:07 -0400 Subject: [PATCH 05/57] Group go tools together with comment --- .github/workflows/build.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3cab3fb..a3c90ea 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -64,6 +64,7 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} + # Install GoCrtitic, GoSec and Staticcheck Go tools - name: Install GoCritic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic 
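Review bot: `PACKAGE_URL: dominikh/staticcheck-action` in the new staticcheck step is the GitHub Action repository, not a Go module path, so `go install ${PACKAGE_URL}@${PACKAGE_VERSION}` cannot resolve it; the tool's import path is `honnef.co/go/tools/cmd/staticcheck`, which patch 14 eventually adopts. The same value is carried forward by the moves in patches 05 and 10, so those hunks inherit the defect. The comment patch 05 adds, `# Install GoCrtitic, GoSec and Staticcheck Go tools`, misspells go-critic (corrected in patch 07). The `steps:` list these hunks edit starts and ends outside the hunks.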
@@ -74,6 +75,11 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install Staticcheck + env: + PACKAGE_URL: dominikh/staticcheck-action + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Packer env: PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} @@ -95,11 +101,6 @@ jobs: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install Staticcheck - env: - PACKAGE_URL: dominikh/staticcheck-action - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Terraform-docs env: PACKAGE_URL: github.com/terraform-docs/terraform-docs From ecf329956ac7e2428e2226e2ac0c9c3c0cea94bf Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Tue, 11 Jul 2023 16:38:13 -0400 Subject: [PATCH 06/57] Update staticcheck id Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a3c90ea..f54946c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -78,7 +78,7 @@ jobs: - name: Install Staticcheck env: PACKAGE_URL: dominikh/staticcheck-action - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} + PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Packer env: From 1eaedf57d23227522f0f302e6055ded6eb888a7a Mon Sep 17 00:00:00 2001 
From: Jason Odoom Date: Tue, 11 Jul 2023 16:40:06 -0400 Subject: [PATCH 07/57] Update tool names to match author stylization Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f54946c..db696ad 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -64,8 +64,8 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - # Install GoCrtitic, GoSec and Staticcheck Go tools - - name: Install GoCritic + # Install go-critic, GoSec and staticcheck Go tools + - name: Install go-critic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} From fd04757b3339ed91a085e3028b2b88f9bf60e080 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Tue, 11 Jul 2023 16:42:09 -0400 Subject: [PATCH 08/57] Update statcicheck stylization Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index db696ad..fee1ebe 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -75,7 +75,7 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install Staticcheck + - name: Install staticcheck env: PACKAGE_URL: dominikh/staticcheck-action PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} From ddbf6f7f6c7cb928ce9bc22f1ae3b1796f0602e7 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Wed, 12 Jul 2023 09:09:32 -0400 Subject: [PATCH 09/57] Temporarily use a different branch of cisagov/setup-env-github-action This is being done for testing purposes, and this commit can be reverted (or removed) once cisagov/setup-env-github-action#65 is merged. --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fee1ebe..b7c0910 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - id: setup-env - uses: cisagov/setup-env-github-action@develop + uses: cisagov/setup-env-github-action@add-go-actions-for-go-skeleton - uses: actions/checkout@v3 - id: setup-python uses: actions/setup-python@v4 @@ -64,18 +64,18 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - # Install go-critic, GoSec and staticcheck Go tools + # Install go-critic, GoSec and staticcheck Go tools - name: Install go-critic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install GoSec + - name: Install GoSec env: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install staticcheck + - name: Install staticcheck env: PACKAGE_URL: dominikh/staticcheck-action PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} From a8af336b975def35f947694d61828ab633d8bc6d Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 12 Jul 2023 10:11:28 -0400 Subject: [PATCH 10/57] Move go packages install to separate section --- .github/workflows/build.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b7c0910..4f0b8cd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -64,22 +64,6 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - # Install go-critic, GoSec and staticcheck Go tools - - name: Install go-critic - env: - PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install GoSec - env: - PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec - PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install staticcheck - env: - PACKAGE_URL: dominikh/staticcheck-action - PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Packer env: PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} @@ -96,6 +80,22 @@ jobs: - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} + # Begin Go packages install below + - name: Install GoCritic + env: + PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install GoSec + env: + PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec + PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install Staticcheck + env: + PACKAGE_URL: dominikh/staticcheck-action + PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install shfmt env: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt From 1675b127e5ba645e36726d3f1858a974e7612998 Mon Sep 17 00:00:00 2001 
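Review bot: The relocated staticcheck step reads `${{ steps.setup-env.outputs.go-staticcheck-version }}`, reintroducing the output name that patch 06 had already changed to `staticcheck-version`, so the version suffix of the `go install` would be empty if setup-env only exposes the renamed output; it also brings back the `GoCritic`/`Staticcheck` step names that patches 07 and 08 restyled, which is why patches 11, 12 and 14 have to redo those fixes. Re-applying the move on top of the then-current state would have avoided the churn. The `dominikh/staticcheck-action` module-path problem noted at patch 04 persists in this hunk. Both hunks edit a `steps:` list that continues outside them.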
From: Jason Odoom Date: Wed, 12 Jul 2023 16:52:32 -0400 Subject: [PATCH 11/57] Update go-critic name Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4f0b8cd..faafd2f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -81,7 +81,7 @@ jobs: with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} # Begin Go packages install below - - name: Install GoCritic + - name: Install go-critic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} From c6ab22ea25d5608ab794542c96139bd5d65dac47 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 12 Jul 2023 16:52:50 -0400 Subject: [PATCH 12/57] Update staticcheck name Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index faafd2f..a799374 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -91,7 +91,7 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install Staticcheck + - name: Install staticcheck env: PACKAGE_URL: dominikh/staticcheck-action PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} From 29de03457f4ec4092d0dd98465d18a83a2193719 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 13 Jul 2023 10:05:20 -0400 Subject: [PATCH 13/57] Use the correct repo name for the ansible-lint pre-commit hook The repo name we were using redirects to the correct place, but we may as well cut out the middle man. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6b87032..9dc41ff 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -130,7 +130,7 @@ repos: - id: pyupgrade # Ansible hooks - - repo: https://github.com/ansible-community/ansible-lint + - repo: https://github.com/ansible/ansible-lint rev: v6.17.0 hooks: - id: ansible-lint From 1e7cb4f721542b260680ee51d4cd75126da0a979 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 12 Jul 2023 16:53:34 -0400 Subject: [PATCH 14/57] Correct staticcheck reference to setup-env, sort alphabetically and correct staticcheck package URL Co-Authored By: @mcdonnnj --- .github/workflows/build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a799374..7435881 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -91,16 +91,16 @@ jobs: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install staticcheck - env: - PACKAGE_URL: dominikh/staticcheck-action - PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }} - run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install shfmt env: PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} + - name: Install staticcheck + env: + PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck + PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Terraform-docs env: PACKAGE_URL: github.com/terraform-docs/terraform-docs From 5f3bc132490dcdfcc7431133ed38c293eeeffaf5 Mon Sep 17 00:00:00 2001 
From: Jason Odoom Date: Thu, 13 Jul 2023 11:03:03 -0400 Subject: [PATCH 15/57] Remove Go section coment Co-authored-by: Shane Frasier --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7435881..00c5cdf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -80,7 +80,6 @@ jobs: - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - # Begin Go packages install below - name: Install go-critic env: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic From d31182550a11db54cff212171bb9cc0dac8bb636 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 13 Jul 2023 22:30:33 -0400 Subject: [PATCH 16/57] Remove unnecessary quotes in the dependabot configuration We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. --- .github/dependabot.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fef57f5..60f04c0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,10 +7,10 @@ version: 2 updates: - - package-ecosystem: "github-actions" - directory: "/" + - package-ecosystem: github-actions + directory: / schedule: - interval: "weekly" + interval: weekly # ignore: # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache @@ -20,12 +20,12 @@ updates: # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate - - package-ecosystem: "pip" - directory: "/" + - package-ecosystem: pip + directory: / schedule: - interval: "weekly" + interval: weekly - - package-ecosystem: "terraform" - directory: "/" + - package-ecosystem: terraform + directory: / schedule: - interval: "weekly" + interval: weekly 
From 2294d4970596551c7c2c794b869d186dcda49921 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 13 Jul 2023 22:41:38 -0400 Subject: [PATCH 17/57] Sort the keys in the Dependabot configuration Our standard practice for YAML files is to sort keys alphabetically. --- .github/dependabot.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 60f04c0..da2c02c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,12 +5,8 @@ # these updates when the pull request(s) in the appropriate skeleton are merged # and Lineage processes these changes. -version: 2 updates: - - package-ecosystem: github-actions - directory: / - schedule: - interval: weekly + - directory: / # ignore: # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache @@ -19,13 +15,17 @@ updates: # - dependency-name: actions/setup-python # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate + package-ecosystem: github-actions + schedule: + interval: weekly - - package-ecosystem: pip - directory: / + - directory: / + package-ecosystem: pip schedule: interval: weekly - - package-ecosystem: terraform - directory: / + - directory: / + package-ecosystem: terraform schedule: interval: weekly +version: 2 From e678502adb77650dbd722134c469f20b5b46d32d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 18 Jul 2023 15:06:13 -0400 Subject: [PATCH 18/57] Delete duplicate word "are" Co-authored-by: David Harris --- .bandit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.bandit.yml b/.bandit.yml index 8ba42d1..ab3cb21 100644 --- a/.bandit.yml +++ b/.bandit.yml 
@@ -3,7 +3,7 @@ # https://bandit.readthedocs.io/en/latest/config.html # Tests are first included by `tests`, and then excluded by `skips`. -# If `tests` is empty, all tests are are considered included. +# If `tests` is empty, all tests are considered included. tests: # - B101 From 948ebdeee11f77759311f85d256f19b5c4d7204d Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 16 Aug 2023 10:20:21 -0400 Subject: [PATCH 19/57] Fix gosec stylization Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 00c5cdf..ec15b7d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -85,7 +85,7 @@ jobs: PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - - name: Install GoSec + - name: Install gosec env: PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }} From 98d3d3f6914b4601cf9d194ed7d750224a4fb401 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 22 Aug 2023 10:18:25 -0400 Subject: [PATCH 20/57] Revert "Temporarily use a different branch of cisagov/setup-env-github-action" This reverts commit ddbf6f7f6c7cb928ce9bc22f1ae3b1796f0602e7. This can be done now that cisagov/setup-env-github-action#65 has been merged. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ec15b7d..34c3c6c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - id: setup-env - uses: cisagov/setup-env-github-action@add-go-actions-for-go-skeleton + uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v3 - id: setup-python uses: actions/setup-python@v4 From 82db36a453deda26c99ee231879486b9e2d9ac1a Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Mon, 28 Aug 2023 11:06:36 -0400 Subject: [PATCH 21/57] Add nixfmt pre-commit hook --- .pre-commit-config.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6b87032..e7262f6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -79,6 +79,12 @@ repos: # GoSec - id: go-sec-repo-mod + # Nix hooks + - repo: https://github.com/nix-community/nixpkgs-fmt + rev: v1.3.0 + hooks: + - id: nixpkgs-fmt + # Shell script hooks - repo: https://github.com/cisagov/pre-commit-shfmt rev: v0.0.2 From c0b5d5bb6cb644bf85171a8f5c89dfc3c770662f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 4 Sep 2023 18:19:17 +0000 Subject: [PATCH 22/57] Bump actions/checkout from 3 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c992e8e..3b38f76 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
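Review bot: The hook added in patch 21 is `nixpkgs-fmt` from `nix-community/nixpkgs-fmt`, a different formatter from the nixfmt named in the commit subject, so a reader searching the config for nixfmt will not find what the subject promises. Naming the actual tool in the section comment, `# Nix hooks (nixpkgs-fmt)`, keeps the config self-describing regardless of the subject line. The `repos:` list continues outside the hunk.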
@@ -19,7 +19,7 @@ jobs: steps: - id: setup-env uses: cisagov/setup-env-github-action@develop - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index ae7c091..b6f2024 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -19,7 +19,7 @@ jobs: issues: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Sync repository labels if: success() uses: crazy-max/ghaction-github-labeler@v4 From b04654e922ec4eef978022b67374a2ab3cffab4c Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 11 Sep 2023 01:57:49 -0400 Subject: [PATCH 23/57] Bump crazy-max/ghaction-github-labeler from 4 to 5 --- .github/workflows/sync-labels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index ae7c091..1c107e4 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -22,7 +22,7 @@ jobs: - uses: actions/checkout@v3 - name: Sync repository labels if: success() - uses: crazy-max/ghaction-github-labeler@v4 + uses: crazy-max/ghaction-github-labeler@v5 with: # This is a hideous ternary equivalent so we only do a dry run unless # this workflow is triggered by the develop branch. From 49ac8c505181e79caefc12cfc2f8e906c1e88ab2 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 11 Sep 2023 01:59:09 -0400 Subject: [PATCH 24/57] Update the dependabot ignore configuration Add crazy-max/ghaction-github-labeler as a commented out dependency to ignore in the dependabot configuration file. This should be enabled in downstream projects to consolidate updating this Action to the cisagov/skeleton-generic repository. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fef57f5..e1f2f34 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -17,6 +17,7 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate From 94d753d10d8106be1e4634bac6a27c0fbfb51c40 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 3 Aug 2023 19:10:29 -0400 Subject: [PATCH 25/57] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5b7035..dad86ae 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,13 +31,13 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.34.0 + rev: v0.36.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.0.0-alpha.9-for-vscode + rev: v3.0.3 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint 
@@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.23.1 + rev: 0.26.3 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.3.2 + rev: v3.4.0 hooks: - id: validate_manifest @@ -113,11 +113,11 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 23.3.0 + rev: 23.9.1 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 6.0.0 + rev: 6.1.0 hooks: - id: flake8 additional_dependencies: @@ -127,24 +127,24 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.3.0 + rev: v1.5.1 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.4.0 + rev: v3.10.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v6.17.0 + rev: v6.19.0 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.80.0 + rev: v1.83.2 hooks: - id: terraform_fmt - id: terraform_validate From 1bc2056836e544c813d944150932075bb7251e33 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 11 Sep 2023 17:50:36 -0400 Subject: [PATCH 26/57] Switch to the pre-commit mirror for black This mirror was created to leverage performance optimizations from mypyc wheels that are available if black is installed from PyPI. These wheels are not available if black is installed from source as it would be using the old URL. Please see psf/black#3828 and psf/black#3405 for more information. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index dad86ae..34f0253 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -112,7 +112,7 @@ repos: - id: bandit args: - --config=.bandit.yml - - repo: https://github.com/psf/black + - repo: https://github.com/psf/black-pre-commit-mirror rev: 23.9.1 hooks: - id: black From a62ebe79e749b4e66b1f2122b3f866fd6ab8c23e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 29 Aug 2023 17:10:03 -0400 Subject: [PATCH 27/57] Add the crazy-max/ghaction-github-status GitHub action This action is added in a separate "diagnostics" job. As configured it will never fail, but it will print out the status of the various GitHub components. This information will sometimes be useful when determining why builds fail after the fact. Co-authored-by: Mark Feldhousen Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9ab2270..2fdd39d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -14,6 +14,7 @@ updates: # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python # - dependency-name: crazy-max/ghaction-github-labeler + # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate package-ecosystem: github-actions diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c08880f..9382c48 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -14,6 +14,12 @@ env: RUN_TMATE: ${{ secrets.RUN_TMATE }} jobs: + diagnostics: + runs-on: ubuntu-latest + steps: + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v3 lint: runs-on: ubuntu-latest steps: From 3619c455e6bb559ed74f7f320026badcaa603ad9 Mon Sep 17 00:00:00 2001 
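Review bot: The new `diagnostics` job in patch 27 declares no `permissions:`, so its `GITHUB_TOKEN` carries the repository's default scopes even though a status check against GitHub's public status page appears to need no repository access; adding `permissions: {}` under `diagnostics:` (or `contents: read` if a later step needs the tree) would match the explicit `permissions:` block that `sync-labels.yml` already carries. `crazy-max/ghaction-github-status@v3` is pinned only by a floating major tag, consistent with the other third-party actions in this workflow; pinning to a full commit SHA is the stronger supply-chain posture and is worth applying across all of them together. The `jobs:` mapping continues outside the hunk.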
From: Jeremy Frasier Date: Wed, 30 Aug 2023 09:48:01 -0400 Subject: [PATCH 28/57] Make the lint job depend on the diagnostics job Even though the diagnostics job is not currently configured to fail due to the GitHub status, it is still true that if the job is unable to run that does not bode well for the lint job's successful execution. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9382c48..1049da9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,6 +21,8 @@ jobs: name: Check GitHub status uses: crazy-max/ghaction-github-status@v3 lint: + needs: + - diagnostics runs-on: ubuntu-latest steps: - id: setup-env From f4370660795e7d97f3e5ef0d582ed5754b2c267f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 10:35:45 -0400 Subject: [PATCH 29/57] Add a GH Action to dump the context This can be useful when debugging why a GH Action failed. Co-authored-by: felddy --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2fdd39d..dbb9b73 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,6 +13,7 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-terraform diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1049da9..346fd81 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -20,6 +20,9 @@ jobs: - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v3 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 lint: needs: - diagnostics From c5e56a21c70e033b2093355b630dd172f85614f2 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 10:36:31 -0400 Subject: [PATCH 30/57] Give the diagnostics job a descriptive name --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 346fd81..53c76f7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,6 +15,7 @@ env: jobs: diagnostics: + name: Run diagnostics runs-on: ubuntu-latest steps: - id: github-status From 9afb516c20153c850088cfcc8318d7df3e68da92 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 10:47:40 -0400 Subject: [PATCH 31/57] Add the step-security/harden-runner GH Action This GH Action is being configured to run in audit mode. It should warn us if an Action is reaching out to an unexpected web address, overwriting source code, etc. Co-authored-by: felddy --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index dbb9b73..17220c6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -18,6 +18,7 @@ updates: # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate + # - dependency-name: step-security/harden-runner package-ecosystem: github-actions schedule: interval: weekly diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 53c76f7..2fda8f7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
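Review bot: The `dump-context` step writes the job's contexts to the build log, and the workflow-level `env` visible in the earlier hunk of this file maps `RUN_TMATE` from `secrets.RUN_TMATE`; if the action also prints the environment, that value is emitted to a log readable by anyone with read access to the repository. GitHub masks registered secret values in logs, so this is not a disclosure today, but the dependency on masking is worth recording on the step, e.g. `# Dumps the job contexts for debugging; any env value derived from a secret relies on log masking.`, so that future `env` additions are made with that in mind.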
@@ -18,6 +18,11 @@ jobs: name: Run diagnostics runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v3 From 9dc773cae76fcb144a8fde5b26118e915dea1a03 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 12:44:35 -0400 Subject: [PATCH 32/57] Add a harden-runner task to the lint job as well This task can only provide coverage for the job that contains it. --- .github/workflows/build.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2fda8f7..3fbeff2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,6 +34,11 @@ jobs: - diagnostics runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From bb81ec3a0418359c28fc495524959f9f897557b8 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 15:15:16 -0400 Subject: [PATCH 33/57] Add a reminder We need a reminder add the step-security/harden-runner action at the top of every job. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3fbeff2..e7b75a4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,8 @@ jobs: name: Run diagnostics runs-on: ubuntu-latest steps: + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 From 888ad9d9db6485455dd65fa13d1985f5fc83bafa Mon Sep 17 00:00:00 2001 
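Review bot: `egress-policy: audit` makes harden-runner observe-only, so the step records outbound connections and source modifications but blocks nothing; the commit message says this, but the workflow does not, and a reader of the YAML will assume the runner is actually hardened. A comment above the step such as `# Audit mode only reports egress; switch to egress-policy: block with allowed-endpoints once the baseline is known.` records both the current intent and the follow-up. The same point applies to the identical step added to the lint job in the next hunk on this line and to the copies added in PATCH 39, 40 and 41 later in the series.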
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 00:01:07 -0400 Subject: [PATCH 34/57] Enable dependabot ignore directives Enable the new dependabot ignore directives that were added in cisagov/skeleton-generic. --- .github/dependabot.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d953b2e..83d86d5 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,12 +13,12 @@ updates: - dependency-name: actions/checkout - dependency-name: actions/setup-go - dependency-name: actions/setup-python - # - dependency-name: crazy-max/ghaction-dump-context - # - dependency-name: crazy-max/ghaction-github-labeler - # - dependency-name: crazy-max/ghaction-github-status + - dependency-name: crazy-max/ghaction-dump-context + - dependency-name: crazy-max/ghaction-github-labeler + - dependency-name: crazy-max/ghaction-github-status - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate - # - dependency-name: step-security/harden-runner + - dependency-name: step-security/harden-runner # # Managed by cisagov/skeleton-packer # - dependency-name: aws-actions/configure-aws-credentials package-ecosystem: github-actions From 4930fd50326bfbb42a1e4500f5a5e97e10fbe4a4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 00:02:13 -0400 Subject: [PATCH 35/57] Remove unnecessary quotes in the dependabot configuration We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic. --- .github/dependabot.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 83d86d5..3159fd5 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -30,19 +30,19 @@ updates: schedule: interval: weekly - - package-ecosystem: "terraform" - directory: "/terraform-build-user" + - package-ecosystem: terraform + directory: /terraform-build-user schedule: - interval: "weekly" + interval: weekly # # Managed by cisagov/skeleton-packer # ignore: - # - dependency-name: "hashicorp/aws" + # - dependency-name: hashicorp/aws - - package-ecosystem: "terraform" - directory: "/terraform-post-packer" + - package-ecosystem: terraform + directory: /terraform-post-packer schedule: - interval: "weekly" + interval: weekly # # Managed by cisagov/skeleton-packer # ignore: - # - dependency-name: "hashicorp/aws" + # - dependency-name: hashicorp/aws version: 2 From 58c56ad65bbf411c808ffe3b29514af3ead2a578 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 00:04:05 -0400 Subject: [PATCH 36/57] Sort the keys in the Dependabot configuration Our standard practice for YAML files is to sort keys alphabetically. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic. This also moves the attribution comment for the ignore directives under the `ignore` block itself to match the way it is done fo rthe `github-actions` package ecosystem declaration. --- .github/dependabot.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3159fd5..829ac9e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -30,19 +30,19 @@ updates: schedule: interval: weekly - - package-ecosystem: terraform - directory: /terraform-build-user - schedule: - interval: weekly - # # Managed by cisagov/skeleton-packer + - directory: /terraform-build-user # ignore: + # # Managed by cisagov/skeleton-packer # - dependency-name: hashicorp/aws - - - package-ecosystem: terraform - directory: /terraform-post-packer + package-ecosystem: terraform schedule: interval: weekly - # # Managed by cisagov/skeleton-packer + + - directory: /terraform-post-packer # ignore: + # # Managed by cisagov/skeleton-packer # - dependency-name: hashicorp/aws + package-ecosystem: terraform + schedule: + interval: weekly version: 2 From b184ee8f47ebd866aee2a04a882c30f41c340244 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 00:08:39 -0400 Subject: [PATCH 37/57] Bump actions/checkout from 3 to 4 This updates the remaining declarations to match what was pulled down from cisagov/skeleton-generic. --- .github/workflows/build.yml | 4 ++-- .github/workflows/prerelease.yml | 2 +- .github/workflows/release.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 22aa04b..baed817 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -148,7 +148,7 @@ jobs: steps: - id: setup-env uses: cisagov/setup-env-github-action@develop - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: @@ -201,7 +201,7 @@ jobs: steps: - id: setup-env uses: cisagov/setup-env-github-action@develop - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index ddb4769..a156395 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml 
@@ -17,7 +17,7 @@ jobs: steps: - id: setup-env uses: cisagov/setup-env-github-action@develop - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8f184bc..f6ada7d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,7 +24,7 @@ jobs: steps: - id: setup-env uses: cisagov/setup-env-github-action@develop - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: From e23c56bbcd5f73affc55ae2a3c8aa9aed94c5a1a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 00:13:34 -0400 Subject: [PATCH 38/57] Update job dependencies for the build.yml workflow Add the `diagnostics` job as a dependency for the `test` job. Reformat the dependencies for the `build` job to match the other jobs. --- .github/workflows/build.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index baed817..e4a27e6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -144,6 +144,8 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test: + needs: + - diagnostics runs-on: ubuntu-latest steps: - id: setup-env @@ -196,7 +198,9 @@ jobs: build: # The AMI build process is an expensive test (in terms of time) so # let's not run it unless the other jobs succeed. - needs: [lint, test] + needs: + - lint + - test runs-on: ubuntu-latest steps: - id: setup-env From b88f998d5bc4ac4dc9735a88bfc2f5067741c1a8 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 00:15:25 -0400 Subject: [PATCH 39/57] Add the `diagnostics` job to the prerelease.yml workflow This matches what was done to the build.yml workflow. --- .github/workflows/prerelease.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index a156395..78c1780 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -12,7 +12,26 @@ env: RUN_TMATE: ${{ secrets.RUN_TMATE }} jobs: + diagnostics: + name: Run diagnostics + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v3 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 prerelease: + needs: + - diagnostics runs-on: ubuntu-latest steps: - id: setup-env From 56cb428ccc9e1847017a6da6bf2d3d8538a2096f Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 00:16:43 -0400 Subject: [PATCH 40/57] Add the `diagnostics` job to the release.yml workflow This matches what was done to the build.yml and prerelease.yml workflows. --- .github/workflows/release.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f6ada7d..a2b2132 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -19,7 +19,26 @@ env: RUN_TMATE: ${{ secrets.RUN_TMATE }} jobs: + diagnostics: + name: Run diagnostics + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v3 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 release: + needs: + - diagnostics runs-on: ubuntu-latest steps: - id: setup-env From 6682175d204458882b9dbde77dccf0c2a391e321 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 00:18:27 -0400 Subject: [PATCH 41/57] Add runner hardening to all jobs in our workflows This aligns with what was done to the `lint` job of the build.yml workflow that was inherited from cisagov/skeleton-generic. --- .github/workflows/build.yml | 10 ++++++++++ .github/workflows/prerelease.yml | 5 +++++ .github/workflows/release.yml | 5 +++++ 3 files changed, 20 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e4a27e6..0297d46 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -148,6 +148,11 @@ jobs: - diagnostics runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 @@ -203,6 +208,11 @@ jobs: - test runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 78c1780..20763da 100644 
--- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -34,6 +34,11 @@ jobs: - diagnostics runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a2b2132..a33c3fb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,6 +41,11 @@ jobs: - diagnostics runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 1475191d5cea831ae5814c6ae3f3a6868e4f03a2 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 13:05:20 -0400 Subject: [PATCH 42/57] Bump the bandit hook from 1.7.4 to 1.7.5 This bumps the second bandit hook that is used in this project lineage. Since this hook does not exist in the configuration from cisagov/skeleton-generic we must update it here. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6db7468..79894a8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -117,7 +117,7 @@ repos: - --config=.bandit.yml # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit - rev: 1.7.4 + rev: 1.7.5 hooks: - id: bandit name: bandit (everything else) From fe4b7ff3fcea9ec09190dbbb054625038821d48e Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Fri, 15 Sep 2023 12:24:28 -0400 Subject: [PATCH 43/57] Explicitly add required plugins for Packer packer init is supported as of Packer v1.7.0, and will eventually be required. See here for more details: https://developer.hashicorp.com/packer/guides/1.7-template-upgrade --- src/packer.pkr.hcl | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/packer.pkr.hcl b/src/packer.pkr.hcl index 8a64d4e..d8d9bf9 100644 --- a/src/packer.pkr.hcl +++ b/src/packer.pkr.hcl @@ -1,3 +1,16 @@ +packer { + required_plugins { + amazon = { + source = "github.com/hashicorp/amazon" + version = "~> 1" + } + ansible = { + source = "github.com/hashicorp/ansible" + version = "~> 1" + } + } +} + variable "ami_regions" { default = [] description = "The list of AWS regions to copy the AMI to once it has been created. Example: [\"us-east-1\"]" From a2bc118e55e5b4174b31d920e01877d4615c4d75 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 15 Sep 2023 12:30:47 -0400 Subject: [PATCH 44/57] Require Packer 1.7.0 or later Packer 1.7.0 is the first version to support the required_plugins syntax. --- src/packer.pkr.hcl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/packer.pkr.hcl b/src/packer.pkr.hcl index d8d9bf9..8347ebf 100644 --- a/src/packer.pkr.hcl +++ b/src/packer.pkr.hcl @@ -9,6 +9,10 @@ packer { version = "~> 1" } } + # The required_plugins section is only supported in Packer 1.7.0 and + # later. We also want to avoid jumping to Packer v2 until we are + # ready. + required_version = ">=1.7.0,<2" } variable "ami_regions" { From fcc2990b6057662782c615e1a56be3832490aaaa Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Fri, 15 Sep 2023 12:40:59 -0400 Subject: [PATCH 45/57] Add tasks to install Packer plugins These tasks must take place before either the Packer pre-commit linter or packer build is run; otherwise, the packer executable will error out. --- .github/workflows/build.yml | 6 ++++++ .github/workflows/prerelease.yml | 2 ++ .github/workflows/release.yml | 2 ++ 3 files changed, 10 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0297d46..93cb289 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -136,6 +136,10 @@ jobs: pip install --upgrade --requirement requirements-test.txt - name: Install Ansible roles run: ansible-galaxy install --force --role-file src/requirements.yml + # This must happen before pre-commit is run or the Packer format + # linter will throw an error. + - name: Install Packer plugins + run: packer init src/packer.pkr.hcl - name: Set up pre-commit hook environments run: pre-commit install-hooks - name: Run pre-commit on all files @@ -278,6 +282,8 @@ jobs: sudo mv /usr/bin/python3 /usr/bin/python3-default sudo ln -s ${{ env.pythonLocation }}/bin/python3 \ /usr/bin/python3 + - name: Install Packer plugins + run: packer init src/packer.pkr.hcl - name: Create machine image # This runs through the AMI creation process but does not # actually create an AMI diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 20763da..9b531b8 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -104,6 +104,8 @@ jobs: sudo mv /usr/bin/python3 /usr/bin/python3-default sudo ln -s ${{ env.pythonLocation }}/bin/python3 \ /usr/bin/python3 + - name: Install Packer plugins + run: packer init src/packer.pkr.hcl - name: Create machine image env: GITHUB_IS_PRERELEASE: ${{ github.event.release.prerelease }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a33c3fb..2874090 100644 
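Review bot: `packer init src/packer.pkr.hcl` resolves the `required_plugins` constraints at run time, so with the `~> 1` constraints committed in PATCH 43 each CI run may install a different plugin release and the AMI build is not reproducible from the repository alone; a following step such as `run: packer plugins installed` would at least record the resolved versions in the job log for after-the-fact review. The same applies to the second hunk of this file and to the prerelease.yml and release.yml hunks in this patch. The ordering comment (`# This must happen before pre-commit is run ...`) is present only on the first hunk; the build-job copy would benefit from a one-line note that it must precede `packer build`.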
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -119,6 +119,8 @@ jobs: sudo mv /usr/bin/python3 /usr/bin/python3-default sudo ln -s ${{ env.pythonLocation }}/bin/python3 \ /usr/bin/python3 + - name: Install Packer plugins + run: packer init src/packer.pkr.hcl - name: Create machine image run: | packer build -timestamp-ui \ From dc3976f2b7b34c96abac5e4c62cdec08b218bb09 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 15 Sep 2023 12:57:51 -0400 Subject: [PATCH 46/57] Add code to install Packer plugin dependencies This must be done before pre-commit can run successfully. --- setup-env | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/setup-env b/setup-env index 77926bf..929e4d9 100755 --- a/setup-env +++ b/setup-env @@ -154,6 +154,13 @@ for req_file in "requirements-dev.txt" "requirements-test.txt" "requirements.txt fi done +# Install Packer plugin dependencies +for packer_template_file in src/*.pkr.hcl; do + if [[ -f src/packer.pkr.hcl ]]; then + packer init -upgrade "$packer_template_file" + fi +done + # Install git pre-commit hooks now or later. pre-commit install ${INSTALL_HOOKS:+"--install-hooks"} From b39af7aa126784d83bb0a8ebf739a87d1c302c6f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 15 Sep 2023 13:40:47 -0400 Subject: [PATCH 47/57] Simplify packer init command Co-authored-by: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- .github/workflows/prerelease.yml | 2 +- .github/workflows/release.yml | 2 +- setup-env | 6 +----- 4 files changed, 5 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 93cb289..487dcb9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
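Review bot: The guard in the new loop tests the fixed path `src/packer.pkr.hcl` instead of the loop variable, so it does not protect against `src/*.pkr.hcl` expanding to itself when no template matches (without `nullglob` the body still runs once for the literal pattern); the intent reads as `if [[ -f "$packer_template_file" ]]; then`. PATCH 47 later in this series replaces the loop with `packer init -upgrade src`, which removes the issue, so this is for the record of this commit only.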
@@ -139,7 +139,7 @@ jobs: # This must happen before pre-commit is run or the Packer format # linter will throw an error. - name: Install Packer plugins - run: packer init src/packer.pkr.hcl + run: packer init src - name: Set up pre-commit hook environments run: pre-commit install-hooks - name: Run pre-commit on all files @@ -283,7 +283,7 @@ jobs: sudo ln -s ${{ env.pythonLocation }}/bin/python3 \ /usr/bin/python3 - name: Install Packer plugins - run: packer init src/packer.pkr.hcl + run: packer init src - name: Create machine image # This runs through the AMI creation process but does not # actually create an AMI diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 9b531b8..9aaf3da 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -105,7 +105,7 @@ jobs: sudo ln -s ${{ env.pythonLocation }}/bin/python3 \ /usr/bin/python3 - name: Install Packer plugins - run: packer init src/packer.pkr.hcl + run: packer init src - name: Create machine image env: GITHUB_IS_PRERELEASE: ${{ github.event.release.prerelease }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2874090..7403860 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -120,7 +120,7 @@ jobs: sudo ln -s ${{ env.pythonLocation }}/bin/python3 \ /usr/bin/python3 - name: Install Packer plugins - run: packer init src/packer.pkr.hcl + run: packer init src - name: Create machine image run: | packer build -timestamp-ui \ diff --git a/setup-env b/setup-env index 929e4d9..49f069f 100755 --- a/setup-env +++ b/setup-env 
@@ -155,11 +155,7 @@ for req_file in "requirements-dev.txt" "requirements-test.txt" "requirements.txt done # Install Packer plugin dependencies -for packer_template_file in src/*.pkr.hcl; do - if [[ -f src/packer.pkr.hcl ]]; then - packer init -upgrade "$packer_template_file" - fi -done +packer init -upgrade src # Install git pre-commit hooks now or later. pre-commit install ${INSTALL_HOOKS:+"--install-hooks"} From 92b07902bed8957e78a4dcb69147a933f0ee4ccc Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Mon, 18 Sep 2023 10:15:20 -0400 Subject: [PATCH 48/57] Simplify version constraint for Packer itself Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- src/packer.pkr.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packer.pkr.hcl b/src/packer.pkr.hcl index 8347ebf..265f7a2 100644 --- a/src/packer.pkr.hcl +++ b/src/packer.pkr.hcl @@ -12,7 +12,7 @@ packer { # The required_plugins section is only supported in Packer 1.7.0 and # later. We also want to avoid jumping to Packer v2 until we are # ready. - required_version = ">=1.7.0,<2" + required_version = "~> 1.7" } variable "ami_regions" { From fd4dc0e47581b942246b54125bee4313e25ff8f9 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Mon, 18 Sep 2023 10:16:32 -0400 Subject: [PATCH 49/57] Correct version constraints The version constraints should allow updates up to but not including the next major version of the plugin. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- src/packer.pkr.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/packer.pkr.hcl b/src/packer.pkr.hcl index 265f7a2..cce1c94 100644 --- a/src/packer.pkr.hcl +++ b/src/packer.pkr.hcl 
@@ -2,11 +2,11 @@ packer { required_plugins { amazon = { source = "github.com/hashicorp/amazon" - version = "~> 1" + version = "~> 1.2" } ansible = { source = "github.com/hashicorp/ansible" - version = "~> 1" + version = "~> 1.1" } } # The required_plugins section is only supported in Packer 1.7.0 and From 70374e2c0b80e9abb5255fbf66224544d75ffae9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Oct 2023 06:54:47 +0000 Subject: [PATCH 50/57] Bump aws-actions/configure-aws-credentials from 1 to 4 Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 1 to 4. - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/v1...v4) --- updated-dependencies: - dependency-name: aws-actions/configure-aws-credentials dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- .github/workflows/prerelease.yml | 2 +- .github/workflows/release.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0297d46..8103a96 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -260,7 +260,7 @@ jobs: - name: Install Ansible roles run: ansible-galaxy install --force --role-file src/requirements.yml - name: Assume AWS build role - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 20763da..5008f2d 100644 --- a/.github/workflows/prerelease.yml 
+++ b/.github/workflows/prerelease.yml @@ -86,7 +86,7 @@ jobs: - name: Install ansible roles run: ansible-galaxy install --force --role-file src/requirements.yml - name: Assume AWS build role - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a33c3fb..362fd62 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -101,7 +101,7 @@ jobs: # echo $COPY_REGIONS_KMS_MAP | \ # ./patch_packer_config.py src/packer.pkr.hcl - name: Assume AWS build role - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From 4ada601b6a77560c8a7806cd4d1a2622f5d4add5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 24 Oct 2023 15:55:14 -0400 Subject: [PATCH 51/57] Prefer `true`/`false` to `yes`/`no` for Ansible booleans This aligns the Ansible configuration with the changes made in cisagov/skeleton-ansible-role#157. --- src/aws.yml | 2 +- src/base.yml | 2 +- src/example.yml | 2 +- src/python.yml | 2 +- src/upgrade.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/aws.yml b/src/aws.yml index 70c10c0..f05d07f 100644 --- a/src/aws.yml +++ b/src/aws.yml @@ -1,7 +1,7 @@ --- - hosts: all name: AWS-specific roles - become: yes + become: true become_method: ansible.builtin.sudo tasks: - name: Install Amazon EFS utilities diff --git a/src/base.yml b/src/base.yml index 560796c..5064841 100644 --- a/src/base.yml +++ b/src/base.yml 
@@ -1,7 +1,7 @@ --- - hosts: all name: Setup base image - become: yes + become: true become_method: ansible.builtin.sudo tasks: - name: Install and configure automated security updates diff --git a/src/example.yml b/src/example.yml index d1ddfa6..ca2e6f5 100644 --- a/src/example.yml +++ b/src/example.yml @@ -1,7 +1,7 @@ --- - hosts: all name: Project-specific roles - become: yes + become: true become_method: ansible.builtin.sudo tasks: # The cisagov/ansible-role-example Ansible role is just a no-op, diff --git a/src/python.yml b/src/python.yml index c98ef2a..c1d369f 100644 --- a/src/python.yml +++ b/src/python.yml @@ -1,7 +1,7 @@ --- - hosts: all name: Install pip3/python3 and remove pip2/python2 - become: yes + become: true become_method: ansible.builtin.sudo tasks: # If pip were to be installed first, then the OS _could_ pull diff --git a/src/upgrade.yml b/src/upgrade.yml index 417992f..e8dfe7d 100644 --- a/src/upgrade.yml +++ b/src/upgrade.yml @@ -1,7 +1,7 @@ --- - hosts: all name: Upgrade base image - become: yes + become: true become_method: ansible.builtin.sudo tasks: - name: Upgrade all packages From 1385a6af929873117a3f498994991251ab153fdd Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 24 Oct 2023 15:43:00 -0400 Subject: [PATCH 52/57] Alphabetize backend configuration arguments This updates the two Terraform configurations in this repository so that any AWS S3 backend configurations have a configuration sorted alphabetically. --- terraform-build-user/backend.tf | 4 ++-- terraform-build-user/remote_states.tf | 20 ++++++++++---------- terraform-post-packer/backend.tf | 4 ++-- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/terraform-build-user/backend.tf b/terraform-build-user/backend.tf index 0893f0e..3b50d59 100644 --- a/terraform-build-user/backend.tf +++ b/terraform-build-user/backend.tf 
@@ -1,10 +1,10 @@ terraform { backend "s3" { - encrypt = true bucket = "cisa-cool-terraform-state" dynamodb_table = "terraform-state-lock" + encrypt = true + key = "skeleton-packer/terraform-build-user.tfstate" profile = "cool-terraform-backend" region = "us-east-1" - key = "skeleton-packer/terraform-build-user.tfstate" } } diff --git a/terraform-build-user/remote_states.tf b/terraform-build-user/remote_states.tf index 2c048bc..4ef8c84 100644 --- a/terraform-build-user/remote_states.tf +++ b/terraform-build-user/remote_states.tf @@ -8,12 +8,12 @@ data "terraform_remote_state" "images_parameterstore_production" { backend = "s3" config = { - encrypt = true bucket = "cisa-cool-terraform-state" dynamodb_table = "terraform-state-lock" + encrypt = true + key = "cool-images-parameterstore/terraform.tfstate" profile = "cool-terraform-backend" region = "us-east-1" - key = "cool-images-parameterstore/terraform.tfstate" } workspace = "production" @@ -23,12 +23,12 @@ data "terraform_remote_state" "images_parameterstore_staging" { backend = "s3" config = { - encrypt = true bucket = "cisa-cool-terraform-state" dynamodb_table = "terraform-state-lock" + encrypt = true + key = "cool-images-parameterstore/terraform.tfstate" profile = "cool-terraform-backend" region = "us-east-1" - key = "cool-images-parameterstore/terraform.tfstate" } workspace = "staging" @@ -38,12 +38,12 @@ data "terraform_remote_state" "images_production" { backend = "s3" config = { - encrypt = true bucket = "cisa-cool-terraform-state" dynamodb_table = "terraform-state-lock" + encrypt = true + key = "cool-accounts/images.tfstate" profile = "cool-terraform-backend" region = "us-east-1" - key = "cool-accounts/images.tfstate" } workspace = "production" 
@@ -53,12 +53,12 @@ data "terraform_remote_state" "images_staging" {
 backend = "s3"
 config = {
- encrypt = true
 bucket = "cisa-cool-terraform-state"
 dynamodb_table = "terraform-state-lock"
+ encrypt = true
+ key = "cool-accounts/images.tfstate"
 profile = "cool-terraform-backend"
 region = "us-east-1"
- key = "cool-accounts/images.tfstate"
 }
 workspace = "staging"
@@ -68,12 +68,12 @@ data "terraform_remote_state" "users" {
 backend = "s3"
 config = {
- encrypt = true
 bucket = "cisa-cool-terraform-state"
 dynamodb_table = "terraform-state-lock"
+ encrypt = true
+ key = "cool-accounts/users.tfstate"
 profile = "cool-terraform-backend"
 region = "us-east-1"
- key = "cool-accounts/users.tfstate"
 }
 workspace = "production"
diff --git a/terraform-post-packer/backend.tf b/terraform-post-packer/backend.tf
index 1fea95f..ebf3d7d 100644
--- a/terraform-post-packer/backend.tf
+++ b/terraform-post-packer/backend.tf
@@ -1,10 +1,10 @@
 terraform {
 backend "s3" {
- encrypt = true
 bucket = "cisa-cool-terraform-state"
 dynamodb_table = "terraform-state-lock"
+ encrypt = true
+ key = "skeleton-packer/terraform-post-packer.tfstate"
 profile = "cool-terraform-backend"
 region = "us-east-1"
- key = "skeleton-packer/terraform-post-packer.tfstate"
 }
 }
From 65caa9f81cb1552b3bc5c843ab33fb23daa1eddf Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 24 Oct 2023 15:46:34 -0400
Subject: [PATCH 53/57] Ensure all provider arguments are sorted alphabetically

---
 terraform-build-user/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform-build-user/main.tf b/terraform-build-user/main.tf
index 6057fb1..356750e 100644
--- a/terraform-build-user/main.tf
+++ b/terraform-build-user/main.tf
@@ -4,8 +4,8 @@ module "iam_user" {
 providers = {
 aws = aws
 aws.images-production-ami = aws.images-production-ami
- aws.images-staging-ami = aws.images-staging-ami
 aws.images-production-ssm = aws.images-production-ssm
+ aws.images-staging-ami = aws.images-staging-ami
 aws.images-staging-ssm = aws.images-staging-ssm
 }
From 222a8b69c21ea9698cb7d475b5ed96236ba933e9 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 24 Oct 2023 15:48:59 -0400
Subject: [PATCH 54/57] Ensure all tag map keys are sorted alphabetically

This mainly brings the Terraform configuration into alignment with the Packer configuration.
---
 terraform-build-user/providers.tf | 2 +-
 terraform-post-packer/providers.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/terraform-build-user/providers.tf b/terraform-build-user/providers.tf
index 5a76a7e..2ad45e9 100644
--- a/terraform-build-user/providers.tf
+++ b/terraform-build-user/providers.tf
@@ -9,8 +9,8 @@ locals {
 caller_user_name = replace(data.aws_caller_identity.terraform_backend.user_id, ":", ".")
 tags = {
- Team = "CISA - Development"
 Application = "skeleton-packer"
+ Team = "CISA - Development"
 }
 }
diff --git a/terraform-post-packer/providers.tf b/terraform-post-packer/providers.tf
index a7162a3..2553e6c 100644
--- a/terraform-post-packer/providers.tf
+++ b/terraform-post-packer/providers.tf
@@ -1,7 +1,7 @@
 locals {
 tags = {
- Team = "CISA - Development"
 Application = "skeleton-packer"
+ Team = "CISA - Development"
 }
 }
From 96655af4959ead9c1cf29518e8c1a40a55283ac7 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 24 Oct 2023 15:51:11 -0400
Subject: [PATCH 55/57] Ensure all variable attributes are sorted alphabetically

This mainly brings the Terraform configuration into alignment with the Packer configuration.
---
 terraform-post-packer/variables.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/terraform-post-packer/variables.tf b/terraform-post-packer/variables.tf
index 58016e2..22b2a33 100644
--- a/terraform-post-packer/variables.tf
+++ b/terraform-post-packer/variables.tf
@@ -5,13 +5,13 @@
 # ------------------------------------------------------------------------------
 variable "extraorg_account_ids" {
- type = list(string)
- description = "A list of AWS account IDs corresponding to \"extra\" accounts with which you want to share this AMI (e.g. [\"123456789012\"]). Normally this variable is used to share an AMI with accounts that are not a member of the same AWS Organization as the account that owns the AMI."
 default = []
+ description = "A list of AWS account IDs corresponding to \"extra\" accounts with which you want to share this AMI (e.g. [\"123456789012\"]). Normally this variable is used to share an AMI with accounts that are not a member of the same AWS Organization as the account that owns the AMI."
+ type = list(string)
 }
 variable "recent_ami_count" {
- type = number
- description = "The number of most-recent AMIs for which to grant launch permission (e.g. \"3\"). If this variable is set to three, for example, then accounts will be granted permission to launch the three most recent AMIs (or all most recent AMIs, if there are only one or two of them in existence)."
 default = 12
+ description = "The number of most-recent AMIs for which to grant launch permission (e.g. \"3\"). If this variable is set to three, for example, then accounts will be granted permission to launch the three most recent AMIs (or all most recent AMIs, if there are only one or two of them in existence)."
+ type = number
 }
From c6249c367834d1e9b097bf5b283c6648c14731b6 Mon Sep 17 00:00:00 2001
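Review bot: `extraorg_account_ids` and `recent_ami_count` in terraform-post-packer/variables.tf still accept any list of strings and any number, even though their descriptions say they drive AMI launch-permission sharing; an empty-string or mistyped account ID, or a zero or fractional count, would only surface at apply time, if at all. Adding `validation` blocks rejects such input at plan time; `validation` needs Terraform 0.13 and `alltrue` 0.14, so check the pinned `required_version`, which is not in this hunk. The reordering this commit makes is untouched below, only the two validation blocks are new.

```hcl
variable "extraorg_account_ids" {
  # … unchanged: default, description, type …

  validation {
    condition     = alltrue([for id in var.extraorg_account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Every entry in extraorg_account_ids must be a 12-digit AWS account ID."
  }
}

variable "recent_ami_count" {
  # … unchanged: default, description, type …

  validation {
    condition     = var.recent_ami_count > 0 && floor(var.recent_ami_count) == var.recent_ami_count
    error_message = "recent_ami_count must be a positive whole number."
  }
}
```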
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 24 Oct 2023 16:14:24 -0400
Subject: [PATCH 56/57] Add two new repository labels

Add `ansible` and `packer` labels to the crazy-max/ghaction-github-labeler configuration.
---
 .github/labels.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/labels.yml b/.github/labels.yml
index 5d1e6d5..9eeee9f 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -2,6 +2,9 @@
 # Rather than breaking up descriptions into multiline strings we disable that
 # specific rule in yamllint for this file.
 # yamllint disable rule:line-length
+- color: "f15a53"
+ description: Pull requests that update Ansible code
+ name: ansible
 - color: "eb6420"
 description: This issue or pull request is awaiting the outcome of another issue or pull request
 name: blocked
@@ -50,6 +53,9 @@
 - color: "fcdb45"
 description: This pull request is awaiting an action or decision to move forward
 name: on hold
+- color: "02a8ef"
+ description: Pull requests that update Packer code
+ name: packer
 - color: "ef476c"
 description: This issue is a request for information or needs discussion
 name: question
From cf7985f3c624786d0c29c8d438148d0caad6a86e Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Mon, 30 Oct 2023 10:40:15 -0400
Subject: [PATCH 57/57] Prefer true to yes in YAML files

---
 src/automated-security-updates.yml | 2 +-
 src/cdm.yml | 2 +-
 src/harden.yml | 2 +-
 src/ipa-initial-seeding-script.yml | 7 +++++++
 src/openvpn.yml | 2 +-
 src/ufw.yml | 4 ++--
 6 files changed, 13 insertions(+), 6 deletions(-)
 create mode 100644 src/ipa-initial-seeding-script.yml

diff --git a/src/automated-security-updates.yml b/src/automated-security-updates.yml
index 989d30c..d9ffbe7 100644
--- a/src/automated-security-updates.yml
+++ b/src/automated-security-updates.yml
@@ -1,7 +1,7 @@
 ---
 - hosts: all
 name: Configure for automated security updates
- become: yes
+ become: true
 become_method: ansible.builtin.sudo
 tasks:
 - name: Set up automated security updates
diff --git a/src/cdm.yml b/src/cdm.yml
index 12276b9..fda8776 100644
--- a/src/cdm.yml
+++ b/src/cdm.yml
@@ -1,7 +1,7 @@
 ---
 - hosts: all
 name: Configure for the CISA CDM environment
- become: yes
+ become: true
 become_method: ansible.builtin.sudo
 tasks:
 - name: Install CDM Tanium client
diff --git a/src/harden.yml b/src/harden.yml
index 0396c69..fbcb5ed 100644
--- a/src/harden.yml
+++ b/src/harden.yml
@@ -1,7 +1,7 @@
 ---
 - hosts: all
 name: Hardening tasks
- become: yes
+ become: true
 become_method: ansible.builtin.sudo
 tasks:
 - name: Harden system
diff --git a/src/ipa-initial-seeding-script.yml b/src/ipa-initial-seeding-script.yml
new file mode 100644
index 0000000..c079c67
--- /dev/null
+++ b/src/ipa-initial-seeding-script.yml
@@ -0,0 +1,7 @@
+---
+- name: Install create-ipa-initial-seeding-script.sh
+ ansible.builtin.get_url:
+ dest: /usr/local/sbin
+ mode: 0500
+ url: >
+ https://raw.githubusercontent.com/cisagov/cool-users/master/create-ipa-initial-seeding-script.sh
diff --git a/src/openvpn.yml b/src/openvpn.yml
index e724578..ae2f8e9 100644
--- a/src/openvpn.yml
+++ b/src/openvpn.yml
@@ -1,7 +1,7 @@
 ---
 - hosts: all
 name: Install OpenVPN
- become: yes
+ become: true
 become_method: ansible.builtin.sudo
 tasks:
 - name: Install OpenVPN
diff --git a/src/ufw.yml b/src/ufw.yml
index 352587a..43b6b59 100644
--- a/src/ufw.yml
+++ b/src/ufw.yml
@@ -23,7 +23,7 @@
 proto: tcp
 - port: ldaps
 proto: tcp
- become: yes
+ become: true
 become_method: ansible.builtin.sudo
 tasks:
 - name: Install UFW
@@ -93,7 +93,7 @@
 - name: Allow routed packets from anywhere to anywhere
 community.general.ufw:
 comment: Allow routed packets from anywhere to anywhere
- route: yes
+ route: true
 rule: allow
 - name: Configure loopback traffic
 # CIS hardening demands these changes.
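Review bot: The new `ansible.builtin.get_url` task in src/ipa-initial-seeding-script.yml fetches the script from the moving `master` ref of cisagov/cool-users with no integrity check, so whatever that branch serves at image-build time is installed as an executable under /usr/local/sbin; pin the URL to a tag or commit SHA and add `checksum: sha256:<digest>` so an upstream change, or a compromised branch, cannot silently alter the image. `mode: 0500` is an unquoted leading-zero octal that YAML reads as the integer 320, which Ansible tolerates, but the documented form is `mode: "0500"`. `url: >` keeps the trailing newline on the folded value, so the module receives a URL ending in a line break; `url: >-` strips it. Unlike the sibling playbooks touched in this commit, this file has no `hosts:`/`become:` header and so looks like a task file included from elsewhere; if that is intended, a one-line comment naming the including play would help, since the privilege level it runs under cannot be seen from here.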