From 57b4abe8fd21bfd03d1010f82ff20d33aea353c4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 27 May 2022 18:04:15 -0400 Subject: [PATCH 01/43] Update actions/setup-go from v2 to v3 Additionally as of v3.1.0 of actions/setup-go there is a go-version output value to retrieve the version of Go installed by the Action. This allows us to remove the step to manually retrieve this information from the Go executable. --- .github/workflows/build.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 27b2dcf..3216eec 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,14 +26,10 @@ jobs: python-version: "3.10" # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - - uses: actions/setup-go@v2 + - id: setup-go + uses: actions/setup-go@v3 with: go-version: "1.16" - - name: Store installed Go version - id: go-version - run: | - echo "::set-output name=version::"\ - "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" - name: Lookup Go cache directory id: go-cache run: | @@ -42,7 +38,7 @@ jobs: env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-\ - go${{ steps.go-version.outputs.version }}-\ + go${{ steps.setup-go.outputs.go-version }}-\ packer${{ steps.setup-env.outputs.packer-version }}-\ tf${{ steps.setup-env.outputs.terraform-version }}-" with: From 8f6849857bc2a66254cafa94db31526692fab209 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 27 May 2022 18:07:10 -0400 Subject: [PATCH 02/43] Update the version of Go used from 1.16 to 1.18 Go 1.16 is no longer supported as of the release of 1.18 so it makes sense to update to the latest version available. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3216eec..d4c50c5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -29,7 +29,7 @@ jobs: - id: setup-go uses: actions/setup-go@v3 with: - go-version: "1.16" + go-version: "1.18" - name: Lookup Go cache directory id: go-cache run: | From fc55e84feba28e9652e2a21b976e3f8225b708af Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 8 Nov 2022 13:27:47 -0500 Subject: [PATCH 03/43] Update the version of Go used from 1.18 to 1.19 Go 1.19 was released while this branch was in the wings and it makes sense to bump to the latest Go release. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d4c50c5..66e0c95 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -29,7 +29,7 @@ jobs: - id: setup-go uses: actions/setup-go@v3 with: - go-version: "1.18" + go-version: "1.19" - name: Lookup Go cache directory id: go-cache run: | From 2775dfa470b433cb9692b5b8c604ad55aa24ea2a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Nov 2022 20:00:23 +0000 Subject: [PATCH 04/43] Bump hashicorp/setup-terraform from 1 to 2 Bumps [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) from 1 to 2. - [Release notes](https://github.com/hashicorp/setup-terraform/releases) - [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/setup-terraform/compare/v1...v2) --- updated-dependencies: - dependency-name: hashicorp/setup-terraform dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 66e0c95..37df1a3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -74,7 +74,7 @@ jobs: ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" sudo mv /usr/local/bin/packer /usr/local/bin/packer-default sudo ln -s /opt/packer/packer /usr/local/bin/packer - - uses: hashicorp/setup-terraform@v1 + - uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - name: Install shfmt From 1f7c62e5f21f1ee0a034122b1e96e2e035ae4a5b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 8 Nov 2022 20:06:28 +0000 Subject: [PATCH 05/43] Bump actions/setup-python from 3 to 4 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3 to 4. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 37df1a3..a624fe2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,7 +21,7 @@ jobs: uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v3 - id: setup-python - uses: actions/setup-python@v3 + uses: actions/setup-python@v4 with: python-version: "3.10" # We need the Go version and Go cache location for the actions/cache step, From 6a9c630f869dbd96001d9a00ea300e3195f2c05d Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 27 May 2022 17:30:33 -0400 Subject: [PATCH 06/43] Add an ownership comment to the Dependabot configuration Add a comment that states that the commented out ignore directives are managed by cisagov/skeleton-generic. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 208659c..38ffdc0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,6 +12,7 @@ updates: schedule: interval: "weekly" # ignore: + # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache # - dependency-name: actions/checkout # - dependency-name: actions/setup-python From dfd54e9ad294cedce783c61071f5dab151cf79e5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 27 May 2022 17:38:06 -0400 Subject: [PATCH 07/43] Add additional Dependabot ignore directives This adds the other versioned Actions that should be managed by cisagov/skeleton-generic to the list of commented out dependencies to ignore. --- .github/dependabot.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 38ffdc0..fef57f5 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -15,7 +15,10 @@ updates: # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache # - dependency-name: actions/checkout + # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: hashicorp/setup-terraform + # - dependency-name: mxschmitt/action-tmate - package-ecosystem: "pip" directory: "/" From 71a88a5694347f17115f90f69e8ab09108aae1ed Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 11 Oct 2022 10:57:16 -0400 Subject: [PATCH 08/43] Remove usage of set-output from our GitHub Actions workflow GitHub has deprecated the set-output command per: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ This updates the GitHub Actions workflow to use the newly preferred method to set the output for a job's step. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a624fe2..8d17421 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -33,7 +33,7 @@ jobs: - name: Lookup Go cache directory id: go-cache run: | - echo "::set-output name=dir::$(go env GOCACHE)" + echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - uses: actions/cache@v3 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ From 21a68f461cf04ee5009c22e6311afdfdeff6f0fe Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 7 Sep 2022 13:35:44 -0400 Subject: [PATCH 09/43] Enable the allow-non-breakable-inline-mappings rule for yamllint --- .yamllint | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.yamllint b/.yamllint index 76a1cce..b5b302f 100644 --- a/.yamllint +++ b/.yamllint @@ -8,6 +8,14 @@ rules: # this behavior. comments-indentation: disable + # yamllint does not allow inline mappings that exceed the line length by + # default. There are many scenarios where the inline mapping may be a key, + # hash, or other long value that would exceed the line length but cannot + # reasonably be broken across lines. + line-length: + # This rule implies the allow-non-breakable-words rule + allow-non-breakable-inline-mappings: true + # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable From 3547c4f28d98a0e08582f5cf02e53d102a9e5dac Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 7 Sep 2022 13:37:21 -0400 Subject: [PATCH 10/43] Increase the maximum line length in the yamllint configuration Increase the line length maximum from the default of 80 to 88. This 10% increase mirrors the line length allowed in other linter configurations such as black. --- .yamllint | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.yamllint b/.yamllint index b5b302f..8f4e6bf 100644 --- a/.yamllint +++ b/.yamllint @@ -15,7 +15,8 @@ rules: line-length: # This rule implies the allow-non-breakable-words rule allow-non-breakable-inline-mappings: true - + # Allows a 10% overage from the default limit of 80 + max: 88 # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable From b1ea3d4239179f9dc15a3509593f921c77dedc6b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 14 Oct 2022 09:48:04 -0400 Subject: [PATCH 11/43] Fix the repo of the flake8 pre-commit hook Per PyCQA/flake8#1290 this hook moved from GitLab to GitHub. The version we use is bumped to the latest tag on GitHub as well. --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5c2e10..804fa6c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -91,8 +91,8 @@ repos: rev: 22.3.0 hooks: - id: black - - repo: https://gitlab.com/pycqa/flake8 - rev: 3.9.2 + - repo: https://github.com/PyCQA/flake8 + rev: 5.0.4 hooks: - id: flake8 additional_dependencies: From fb8d13f5baff79b0f0e8a231cdf2c68817695d4e Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 27 May 2022 18:45:45 -0400 Subject: [PATCH 12/43] Update pre-commit hooks Update pre-commit hooks using `pre-commit autoupdate`. The `ansible-lint` hook is intentionally held back due to issues with upgrading to v6. --- .pre-commit-config.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 804fa6c..25f8d1d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,7 +5,7 @@ default_language_version: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.1.0 + rev: v4.3.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -31,17 +31,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.31.1 + rev: v0.32.2 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v2.6.1 + rev: v3.0.0-alpha.4 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.26.3 + rev: v1.28.0 hooks: - id: yamllint args: @@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.14.2 + rev: 0.18.4 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v2.17.0 + rev: v2.20.0 hooks: - id: validate_manifest @@ -88,7 +88,7 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 22.3.0 + rev: 22.10.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 @@ -102,11 +102,11 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v0.942 + rev: v0.990 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v2.31.1 + rev: v3.2.0 hooks: - id: pyupgrade @@ -119,14 +119,14 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.64.0 + rev: v1.76.0 hooks: - id: terraform_fmt - id: terraform_validate # Docker hooks - repo: https://github.com/IamTheFij/docker-pre-commit - rev: v2.1.0 + rev: v2.1.1 hooks: - id: docker-compose-check From e5fbd70b2035b6de74c5bcc804af929a19d9cb17 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 5 Oct 2022 04:44:13 -0400 Subject: [PATCH 13/43] Add a label configuration file This configuration file stores information about the labels expected in this repository. --- .github/labels.yml | 67 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/labels.yml diff --git a/.github/labels.yml b/.github/labels.yml new file mode 100644 index 0000000..7d7f7f3 --- /dev/null +++ b/.github/labels.yml @@ -0,0 +1,67 @@ +--- +# Rather than breaking up descriptions into multiline strings we disable that +# specific rule in yamllint for this file. +# yamllint disable rule:line-length +- color: "#eb6420" + description: This issue or pull request is awaiting the outcome of another issue or pull request + name: blocked +- color: "#000000" + description: This issue or pull request involves changes to existing functionality + name: breaking change +- color: "#d73a4a" + description: This issue or pull request addresses broken functionality + name: bug +- color: "#07648d" + description: This issue will be advertised on code.gov's Open Tasks page (https://code.gov/open-tasks) + name: code.gov +- color: "#0366d6" + description: Pull requests that update a dependency file + name: dependencies +- color: "#5319e7" + description: This issue or pull request improves or adds to documentation + name: documentation +- color: "#5319e7" + description: This issue or pull request improves or adds to documentation + name: documentation +- color: "#cfd3d7" + description: This issue or pull request already exists or is covered in another issue or pull request + name: duplicate +- color: "#b005bc" + description: A high-level objective issue encompassing multiple issues instead of a specific unit of work + name: epic +- color: "#000000" + description: Pull requests that update GitHub Actions code + name: github-actions +- color: "#0e8a16" + description: This issue or pull request is well-defined and good for newcomers + name: good first issue +- color: "#ff7518" + description: Pull request that should count toward Hacktoberfest participation + name: hacktoberfest-accepted +- color: "#a2eeef" + description: This issue or pull request will add or improve functionality, maintainability, or ease of use + name: improvement +- color: "#fef2c0" + description: This issue or pull request is not applicable, incorrect, or obsolete + name: invalid +- color: "#ce099a" + description: This pull request is ready to merge during the next Lineage Kraken release + name: kraken 🐙 +- color: "#a4fc5d" + description: This issue or pull request requires further information + name: need info +- color: "#fcdb45" + description: This pull request is awaiting an action or decision to move forward + name: on hold +- color: "#ef476c" + description: This issue is a request for information or needs discussion + name: question +- color: "#1d76db" + description: This issue or pull request pulls in upstream updates + name: upstream update +- color: "#d4c5f9" + description: This issue or pull request increments the version number + name: version bump +- color: "#ffffff" + description: This issue will not be incorporated + name: wontfix From b9792a8d18d3690b8497e0cfe31ce855c85a7c2b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 5 Oct 2022 04:57:03 -0400 Subject: [PATCH 14/43] Add a workflow to synchronize repository labels This adds a workflow to ensure that the repository labels are updated to reflect changes to the label configuration file .github/labels.yml. --- .github/workflows/sync-labels.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/sync-labels.yml diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml new file mode 100644 index 0000000..ae7c091 --- /dev/null +++ b/.github/workflows/sync-labels.yml @@ -0,0 +1,29 @@ +--- +name: sync-labels + +on: + push: + paths: + - '.github/labels.yml' + - '.github/workflows/sync-labels.yml' + +permissions: + contents: read + +jobs: + labeler: + permissions: + # actions/checkout needs this to fetch code + contents: read + # crazy-max/ghaction-github-labeler needs this to manage repository labels + issues: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Sync repository labels + if: success() + uses: crazy-max/ghaction-github-labeler@v4 + with: + # This is a hideous ternary equivalent so we only do a dry run unless + # this workflow is triggered by the develop branch. + dry-run: ${{ github.ref_name == 'develop' && 'false' || 'true' }} From 161c4aebba002d4073a634749f3ae67f649a8a2a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Oct 2022 15:56:30 -0400 Subject: [PATCH 15/43] Remove duplicate label --- .github/labels.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/labels.yml b/.github/labels.yml index 7d7f7f3..24bd511 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -20,9 +20,6 @@ - color: "#5319e7" description: This issue or pull request improves or adds to documentation name: documentation -- color: "#5319e7" - description: This issue or pull request improves or adds to documentation - name: documentation - color: "#cfd3d7" description: This issue or pull request already exists or is covered in another issue or pull request name: duplicate From 5993231c3a136c86fe2dad178ac47495771cccce Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Oct 2022 15:56:49 -0400 Subject: [PATCH 16/43] Add a label for issues or PRs that involve test code --- .github/labels.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/labels.yml b/.github/labels.yml index 24bd511..b108748 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -53,6 +53,9 @@ - color: "#ef476c" description: This issue is a request for information or needs discussion name: question +- color: "#00008b" + description: This issue or pull request adds or otherwise modifies test code + name: test - color: "#1d76db" description: This issue or pull request pulls in upstream updates name: upstream update From 6cc53dc1f0bf5123465082100c57bb6a325024cf Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 9 Nov 2022 11:23:04 -0500 Subject: [PATCH 17/43] Fix GitHub label color values Update the configuration for repository labels to remove the leading `#` from color values. With a `#` leading the values they are seen as invalid by the GitHub API. --- .github/labels.yml | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/.github/labels.yml b/.github/labels.yml index b108748..500b000 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -2,66 +2,66 @@ # Rather than breaking up descriptions into multiline strings we disable that # specific rule in yamllint for this file. # yamllint disable rule:line-length -- color: "#eb6420" +- color: "eb6420" description: This issue or pull request is awaiting the outcome of another issue or pull request name: blocked -- color: "#000000" +- color: "000000" description: This issue or pull request involves changes to existing functionality name: breaking change -- color: "#d73a4a" +- color: "d73a4a" description: This issue or pull request addresses broken functionality name: bug -- color: "#07648d" +- color: "07648d" description: This issue will be advertised on code.gov's Open Tasks page (https://code.gov/open-tasks) name: code.gov -- color: "#0366d6" +- color: "0366d6" description: Pull requests that update a dependency file name: dependencies -- color: "#5319e7" +- color: "5319e7" description: This issue or pull request improves or adds to documentation name: documentation -- color: "#cfd3d7" +- color: "cfd3d7" description: This issue or pull request already exists or is covered in another issue or pull request name: duplicate -- color: "#b005bc" +- color: "b005bc" description: A high-level objective issue encompassing multiple issues instead of a specific unit of work name: epic -- color: "#000000" +- color: "000000" description: Pull requests that update GitHub Actions code name: github-actions -- color: "#0e8a16" +- color: "0e8a16" description: This issue or pull request is well-defined and good for newcomers name: good first issue -- color: "#ff7518" +- color: "ff7518" description: Pull request that should count toward Hacktoberfest participation name: hacktoberfest-accepted -- color: "#a2eeef" +- color: "a2eeef" description: This issue or pull request will add or improve functionality, maintainability, or ease of use name: improvement -- color: "#fef2c0" +- color: "fef2c0" description: This issue or pull request is not applicable, incorrect, or obsolete name: invalid -- color: "#ce099a" +- color: "ce099a" description: This pull request is ready to merge during the next Lineage Kraken release name: kraken 🐙 -- color: "#a4fc5d" +- color: "a4fc5d" description: This issue or pull request requires further information name: need info -- color: "#fcdb45" +- color: "fcdb45" description: This pull request is awaiting an action or decision to move forward name: on hold -- color: "#ef476c" +- color: "ef476c" description: This issue is a request for information or needs discussion name: question -- color: "#00008b" +- color: "00008b" description: This issue or pull request adds or otherwise modifies test code name: test -- color: "#1d76db" +- color: "1d76db" description: This issue or pull request pulls in upstream updates name: upstream update -- color: "#d4c5f9" +- color: "d4c5f9" description: This issue or pull request increments the version number name: version bump -- color: "#ffffff" +- color: "ffffff" description: This issue will not be incorporated name: wontfix From 8f1263549992de1edd4d4e30afae3fd7c8a8c546 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 9 Nov 2022 11:24:25 -0500 Subject: [PATCH 18/43] Correct spacing in yamllint rules There was a missing empty line in the `.yamllint` file between two rule definitions. --- .yamllint | 1 + 1 file changed, 1 insertion(+) diff --git a/.yamllint b/.yamllint index 8f4e6bf..2a119a6 100644 --- a/.yamllint +++ b/.yamllint @@ -17,6 +17,7 @@ rules: allow-non-breakable-inline-mappings: true # Allows a 10% overage from the default limit of 80 max: 88 + # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable From 663dd877b8b2849462deac74365b674d7cb858f0 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 14 Nov 2022 17:38:17 -0500 Subject: [PATCH 19/43] Add repository specific label --- .github/labels.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/labels.yml b/.github/labels.yml index 500b000..e8813ce 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -17,6 +17,9 @@ - color: "0366d6" description: Pull requests that update a dependency file name: dependencies +- color: "2497ed" + description: Pull requests that update Docker code + name: docker - color: "5319e7" description: This issue or pull request improves or adds to documentation name: documentation From 3aa675e339d684172e6525cabeb82786787af549 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 14 Nov 2022 17:42:20 -0500 Subject: [PATCH 20/43] Update Python setup in the test job for GHA Bump actions/setup-python from v3 to v4 and use Python 3.10 to mirror the `lint` job. --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 35e2ee4..87b5d2b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -301,9 +301,9 @@ jobs: steps: - uses: actions/checkout@v3 - id: setup-python - uses: actions/setup-python@v3 + uses: actions/setup-python@v4 with: - python-version: 3.9 + python-version: "3.10" - name: Cache testing environments uses: actions/cache@v3 env: From 827ff50eff69295d4e1a0361b371116abbdaac97 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 14 Nov 2022 23:38:07 -0500 Subject: [PATCH 21/43] Remove uses of the `set-output` command Remove the remaining uses of the `set-output` command since it has been deprecated per: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ --- .github/workflows/build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 87b5d2b..da15890 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -215,9 +215,9 @@ jobs: do TAGS="${TAGS},ghcr.io/${i}" done - echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ') - echo ::set-output name=source_version::$(./bump_version.sh show) - echo ::set-output name=tags::${TAGS} + echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT + echo "source_version=$(./bump_version.sh show)" >> $GITHUB_OUTPUT + echo "tags=${TAGS}" >> $GITHUB_OUTPUT echo tags=${TAGS} - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 From a856426b6c321ffbef11d1b1a2503ae21193ebea Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 21 Nov 2022 13:51:53 -0500 Subject: [PATCH 22/43] Update the version of the second bandit hook The `bandit (everything else)` hook was not updated in sync with the `bandit (tests tree)` hook and is using an older version of bandit. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e1ec95b..86c3d22 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -92,7 +92,7 @@ repos: - --config=.bandit.yml # Run bandit everything but tests directory - repo: https://github.com/PyCQA/bandit - rev: 1.7.0 + rev: 1.7.4 hooks: - id: bandit name: bandit (everything else) From 0ad31cc94043023ae72e92032362008623c13e98 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 21 Nov 2022 13:53:21 -0500 Subject: [PATCH 23/43] Correct poor English in comments for the bandit pre-commit hooks Co-authored-by: dav3r --- .pre-commit-config.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 86c3d22..a119f7c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -82,6 +82,7 @@ repos: - id: shell-lint # Python hooks + # Run bandit on the "tests" tree with a configuration - repo: https://github.com/PyCQA/bandit rev: 1.7.4 hooks: @@ -90,7 +91,7 @@ repos: files: tests args: - --config=.bandit.yml - # Run bandit everything but tests directory + # Run bandit on everything except the "tests" tree - repo: https://github.com/PyCQA/bandit rev: 1.7.4 hooks: From 0d24f9c08a6844a08d34adb616a7d49616ef1f6b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 14 Nov 2022 17:57:51 -0500 Subject: [PATCH 24/43] Update the CodeQL configuration Pull in the CodeQL workflow from cisagov/skeleton-python-library to update the CodeQL configuration for this repository. We also add github/codeql-action to the dependencies managed by this repository in the dependabot configuration. --- .github/dependabot.yml | 1 + .github/workflows/codeql-analysis.yml | 42 +++++++++++++-------------- 2 files changed, 21 insertions(+), 22 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9f71e38..f6eb2af 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -32,6 +32,7 @@ updates: # - dependency-name: docker/login-action # - dependency-name: docker/setup-buildx-action # - dependency-name: docker/setup-qemu-action + # - dependency-name: github/codeql-action - package-ecosystem: "pip" directory: "/" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 33d1999..bf0d148 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,5 +1,4 @@ --- - # For most projects, this workflow file will not need changing; you simply need # to commit it to your repository. # @@ -11,10 +10,12 @@ on: push: # Dependabot triggered push events have read-only access, but uploading code # scanning requires write access. - branches-ignore: [dependabot/**] + branches-ignore: + - dependabot/** pull_request: # The branches below must be a subset of the branches above - branches: [develop] + branches: + - develop schedule: - cron: '0 21 * * 6' @@ -22,48 +23,45 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest - + permissions: + # required for all workflows + security-events: write strategy: fail-fast: false matrix: # Override automatic language detection by changing the below list - # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', - # 'python'] - language: ['python'] + # Supported options are go, javascript, csharp, python, cpp, and java + language: + - python # Learn more... # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a - # config file. By default, queries listed here will override any - # specified in a config file. Prefix the list here with "+" to use - # these queries and those in the config file. queries: - # ./path/to/local/query, your-org/your-repo/queries@main - # Autobuild attempts to build any compiled languages (C/C++, C#, or + # Autobuild attempts to build any compiled languages (C/C++, C#, or # Java). If this step fails, then you should remove it and run the build - # manually (see below) + # manually (see below). - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following - # three lines and modify them (or add more) to build your code if your - # project uses a compiled language + # three lines and modify them (or add more) to build your code if your + # project uses a compiled language # - run: | - # make bootstrap - # make release + # make bootstrap + # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 From 87d0f97e200fe18d899e1d339fd0db6e36359535 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 30 Jun 2022 14:29:15 -0400 Subject: [PATCH 25/43] Remove dangling argument in the pre-commit configuration This argument references a file that is no longer found in the repository. The configuration also no longer uses any such files so it is safe to remove this as opposed to updating it instead. --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a119f7c..b5dce48 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -18,7 +18,6 @@ repos: args: - --allow-missing-credentials - id: detect-private-key - exclude: src/secrets/privkey.pem - id: end-of-file-fixer exclude: files/(issue|motd) - id: mixed-line-ending From eacc4763ab864fdc35ab78d8e07dc83cca525561 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 30 Jun 2022 14:33:47 -0400 Subject: [PATCH 26/43] Update files used for Python requirements by LGTM Add all requirements*.txt files in the configuration to this file. This ensures that all requirements in use are being used for scanning. --- .lgtm.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.lgtm.yml b/.lgtm.yml index 8950263..70385b2 100644 --- a/.lgtm.yml +++ b/.lgtm.yml @@ -4,5 +4,7 @@ extraction: python_setup: version: 3 requirements_files: + - requirements-dev.txt - requirements-test.txt + - requirements.txt setup_py: false From 42f3468e16963694c8e7d3663c80a3faf9d7b1c0 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 30 Jun 2022 15:11:06 -0400 Subject: [PATCH 27/43] Restore the alerts badging for LGTM Until we completely remove LGTM from our repositories we should keep at least the minimum badging. This project does not directly use any Python, JavaScript, etc. so I am enabling the "Total alerts" badge. Other possibilities are commented out to make it easier for downstream repositories to enable what suits their configurations. --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 57f8c30..a04d771 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,11 @@ [![GitHub Build Status](https://github.com/cisagov/skeleton-docker/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-docker/actions/workflows/build.yml) [![CodeQL](https://github.com/cisagov/skeleton-docker/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-docker/actions/workflows/codeql-analysis.yml) [![Known Vulnerabilities](https://snyk.io/test/github/cisagov/skeleton-docker/badge.svg)](https://snyk.io/test/github/cisagov/skeleton-docker) +[![Total alerts](https://img.shields.io/lgtm/alerts/g/cisagov/skeleton-docker.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/cisagov/skeleton-docker/alerts/) + ## Docker Image ## From 5589f23d20ab012728eca11faab053d0e043189f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 21 Nov 2022 22:59:02 +0000 Subject: [PATCH 28/43] Bump actions/github-script from 5 to 6 Bumps [actions/github-script](https://github.com/actions/github-script) from 5 to 6. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](https://github.com/actions/github-script/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/github-script dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index da15890..1f3a541 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -174,7 +174,7 @@ jobs: - uses: actions/checkout@v3 - name: Gather repository metadata id: repo - uses: actions/github-script@v5 + uses: actions/github-script@v6 with: script: | const repo = await github.rest.repos.get(context.repo) From 1a8ab89ff211813ff2f7e4c40d5aabdce2968b99 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 13 Sep 2022 09:59:08 -0400 Subject: [PATCH 29/43] Fix overly match-happy sed commands We saw in cisagov/postfix-docker#47 that the sed commands in the bump_version.sh script could inadvertently match the CC0 version in the README.md file. This change escapes the periods in the version before passing it on to sed so that they only match periods and not just any character. --- bump_version.sh | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/bump_version.sh b/bump_version.sh index a6c8ed9..963389f 100755 --- a/bump_version.sh +++ b/bump_version.sh @@ -12,6 +12,9 @@ README_FILE=README.md HELP_INFORMATION="bump_version.sh (show|major|minor|patch|prerelease|build|finalize)" old_version=$(sed -n "s/^__version__ = \"\(.*\)\"$/\1/p" $VERSION_FILE) +# Comment out periods so they are interpreted as periods and don't +# just match any character +old_version_regex=${old_version//\./\\\.} if [ $# -ne 1 ]; then echo "$HELP_INFORMATION" @@ -21,9 +24,9 @@ else new_version=$(python -c "import semver; print(semver.bump_$1('$old_version'))") echo Changing version from "$old_version" to "$new_version" tmp_file=/tmp/version.$$ - sed "s/$old_version/$new_version/" $VERSION_FILE > $tmp_file + sed "s/$old_version_regex/$new_version/" $VERSION_FILE > $tmp_file mv $tmp_file $VERSION_FILE - sed "s/$old_version/$new_version/" $README_FILE > $tmp_file + sed "s/$old_version_regex/$new_version/" $README_FILE > $tmp_file mv $tmp_file $README_FILE git add $VERSION_FILE $README_FILE git commit -m"Bump version from $old_version to $new_version" @@ -33,12 +36,12 @@ else new_version=$(python -c "import semver; print(semver.finalize_version('$old_version'))") echo Changing version from "$old_version" to "$new_version" tmp_file=/tmp/version.$$ - sed "s/$old_version/$new_version/" $VERSION_FILE > $tmp_file + sed "s/$old_version_regex/$new_version/" $VERSION_FILE > $tmp_file mv $tmp_file $VERSION_FILE - sed "s/$old_version/$new_version/" $README_FILE > $tmp_file + sed "s/$old_version_regex/$new_version/" $README_FILE > $tmp_file mv $tmp_file $README_FILE git add $VERSION_FILE $README_FILE - git commit -m"Bump version from $old_version to $new_version" + git commit -m"Finalize version from $old_version to $new_version" git push ;; show) From ba23619f6ab8a3d1a7ea65a43609024a4f9d75ca Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 4 Nov 2022 00:01:01 -0400 Subject: [PATCH 30/43] Prettify a comment --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index 248d6cf..6c50a0f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,9 +4,12 @@ FROM python:3.10.1-alpine ARG VERSION +### # For a list of pre-defined annotation keys and value types see: # https://github.com/opencontainers/image-spec/blob/master/annotations.md +# # Note: Additional labels are added by the build workflow. +### LABEL org.opencontainers.image.authors="mark.feldhousen@cisa.dhs.gov" LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency" From 343c0cb236fbf288f2574e6b5544000200d97e0a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 4 Nov 2022 00:03:46 -0400 Subject: [PATCH 31/43] Rework creation of unprivileged user and installation of dependencies Also add a section to update pip and setuptools via pip. --- Dockerfile | 62 ++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 55 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6c50a0f..54bd465 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,17 +13,65 @@ ARG VERSION LABEL org.opencontainers.image.authors="mark.feldhousen@cisa.dhs.gov" LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency" -ARG CISA_UID=421 +### +# Unprivileged user setup variables +### +ARG CISA_GID=421 +ARG CISA_UID=${CISA_GID} +ENV CISA_USER="cisa" +ENV CISA_GROUP=${CISA_USER} ENV CISA_HOME="/home/cisa" ENV ECHO_MESSAGE="Hello World from Dockerfile" -RUN addgroup --system --gid ${CISA_UID} cisa \ - && adduser --system --uid ${CISA_UID} --ingroup cisa cisa +### +# Unprivileged user setup dependencies +# +# Install shadow, so we have adduser and addgroup. +# +# Note that we use apk --no-cache to avoid writing to a local cache. +# This results in a smaller final image, at the cost of slightly +# longer install times. +# +# Setup user dependencies are only needed for setting up the user and +# will be removed at the end of that process. +### +ENV SETUP_USER_DEPS \ + shadow +RUN apk --update --no-cache --quiet upgrade +RUN apk --no-cache --quiet add ${SETUP_USER_DEPS} + +### +# Create unprivileged user +### +RUN addgroup --system --gid ${CISA_UID} ${CISA_GROUP} \ + && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} + +### +# Remove build dependencies for unprivileged user +### +RUN apk --no-cache --quiet del ${SETUP_USER_DEPS} + +### +# Dependencies +# +# Note that we use apk --no-cache to avoid writing to a local cache. +# This results in a smaller final image, at the cost of slightly +# longer install times. +### +ENV DEPS \ + ca-certificates \ + openssl \ + py-pip +RUN apk --no-cache --quiet add ${DEPS} -RUN apk --update --no-cache add \ -ca-certificates \ -openssl \ -py-pip +### +# Make sure pip and setuptools are the latest versions +# +# Note that we use pip --no-cache-dir to avoid writing to a local +# cache. This results in a smaller final image, at the cost of +# slightly longer install times. +### +RUN pip install --no-cache-dir --upgrade pip setuptools WORKDIR ${CISA_HOME} From 717334c62cb1c972a16795d0e2bebd0ab724327f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 4 Nov 2022 00:05:06 -0400 Subject: [PATCH 32/43] Add comments and prefer long CLI options --- Dockerfile | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 54bd465..de48f7c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -75,14 +75,24 @@ RUN pip install --no-cache-dir --upgrade pip setuptools WORKDIR ${CISA_HOME} -RUN wget -O sourcecode.tgz https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz && \ - tar xzf sourcecode.tgz --strip-components=1 && \ - pip install --requirement requirements.txt && \ - ln -snf /run/secrets/quote.txt src/example/data/secret.txt && \ - rm sourcecode.tgz +### +# Install Python dependencies +# +# Note that we use pip --no-cache-dir to avoid writing to a local +# cache. This results in a smaller final image, at the cost of +# slightly longer install times. +### +RUN wget --output-document sourcecode.tgz \ + https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz && \ + tar --extract --gzip --file sourcecode.tgz --strip-components=1 && \ + pip install --no-cache-dir --requirement requirements.txt && \ + ln -snf /run/secrets/quote.txt src/example/data/secret.txt && \ + rm sourcecode.tgz +### +# Prepare to run +### USER cisa - EXPOSE 8080/TCP VOLUME ["/var/log"] ENTRYPOINT ["example"] From 2a72bf612a152a0a4b32a481363cf394f5fbbf3b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 4 Nov 2022 00:16:05 -0400 Subject: [PATCH 33/43] Move ECHO_MESSAGE declaration to the "Prepare to run" section --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index de48f7c..f4dddd9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,7 +21,6 @@ ARG CISA_UID=${CISA_GID} ENV CISA_USER="cisa" ENV CISA_GROUP=${CISA_USER} ENV CISA_HOME="/home/cisa" -ENV ECHO_MESSAGE="Hello World from Dockerfile" ### # Unprivileged user setup dependencies @@ -92,6 +91,7 @@ RUN wget --output-document sourcecode.tgz \ ### # Prepare to run ### +ENV ECHO_MESSAGE="Hello World from Dockerfile" USER cisa EXPOSE 8080/TCP VOLUME ["/var/log"] From 8cf8d234f67bde8648ca60e6caa4886fdf851872 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 21 Nov 2022 21:47:09 -0500 Subject: [PATCH 34/43] Remove LGTM from the repository LGTM.com is shutting down 2022-12-16 so we should remove all LGTM-related items to prepare for disabling the LGTM.com integration in the organization. --- .lgtm.yml | 10 ---------- README.md | 5 ----- 2 files changed, 15 deletions(-) delete mode 100644 .lgtm.yml diff --git a/.lgtm.yml b/.lgtm.yml deleted file mode 100644 index 70385b2..0000000 --- a/.lgtm.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -extraction: - python: - python_setup: - version: 3 - requirements_files: - - requirements-dev.txt - - requirements-test.txt - - requirements.txt - setup_py: false diff --git a/README.md b/README.md index a04d771..57f8c30 100644 --- a/README.md +++ b/README.md @@ -3,11 +3,6 @@ [![GitHub Build Status](https://github.com/cisagov/skeleton-docker/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-docker/actions/workflows/build.yml) [![CodeQL](https://github.com/cisagov/skeleton-docker/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-docker/actions/workflows/codeql-analysis.yml) [![Known Vulnerabilities](https://snyk.io/test/github/cisagov/skeleton-docker/badge.svg)](https://snyk.io/test/github/cisagov/skeleton-docker) -[![Total alerts](https://img.shields.io/lgtm/alerts/g/cisagov/skeleton-docker.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/cisagov/skeleton-docker/alerts/) - ## Docker Image ## From 8c73bf429d5b7e7b0403abdc789436fadb6840e1 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 22 Nov 2022 10:25:48 -0500 Subject: [PATCH 35/43] Restore Dockerfile changes from review I accidentally clobbered these changes when I was updating cisagov/skeleton-docker#135 for merge. This restores the changes made during review as well as fixing a missed reference to the CISA_USER argument. Co-authored-by: Shane Frasier --- Dockerfile | 45 +++++++++++++++++++-------------------------- 1 file changed, 19 insertions(+), 26 deletions(-) diff --git a/Dockerfile b/Dockerfile index f4dddd9..e3cf8aa 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,46 +10,39 @@ ARG VERSION # # Note: Additional labels are added by the build workflow. ### -LABEL org.opencontainers.image.authors="mark.feldhousen@cisa.dhs.gov" +# github@cisa.dhs.gov is a very generic email distribution, and it is +# unlikely that anyone on that distribution is familiar with the +# particulars of your repository. It is therefore *strongly* +# suggested that you use an email address here that is specific to the +# person or group that maintains this repository; for example: +# LABEL org.opencontainers.image.authors="vm-fusion-dev-group@trio.dhs.gov" +LABEL org.opencontainers.image.authors="github@cisa.dhs.gov" LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency" ### # Unprivileged user setup variables ### -ARG CISA_GID=421 -ARG CISA_UID=${CISA_GID} -ENV CISA_USER="cisa" +ARG CISA_UID=421 +ARG CISA_GID=${CISA_UID} +ARG CISA_USER="cisa" ENV CISA_GROUP=${CISA_USER} -ENV CISA_HOME="/home/cisa" +ENV CISA_HOME="/home/${CISA_USER}" ### -# Unprivileged user setup dependencies -# -# Install shadow, so we have adduser and addgroup. +# Upgrade the system # # Note that we use apk --no-cache to avoid writing to a local cache. # This results in a smaller final image, at the cost of slightly # longer install times. -# -# Setup user dependencies are only needed for setting up the user and -# will be removed at the end of that process. ### -ENV SETUP_USER_DEPS \ - shadow RUN apk --update --no-cache --quiet upgrade -RUN apk --no-cache --quiet add ${SETUP_USER_DEPS} ### # Create unprivileged user ### -RUN addgroup --system --gid ${CISA_UID} ${CISA_GROUP} \ +RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} -### -# Remove build dependencies for unprivileged user -### -RUN apk --no-cache --quiet del ${SETUP_USER_DEPS} - ### # Dependencies # @@ -82,17 +75,17 @@ WORKDIR ${CISA_HOME} # slightly longer install times. ### RUN wget --output-document sourcecode.tgz \ - https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz && \ - tar --extract --gzip --file sourcecode.tgz --strip-components=1 && \ - pip install --no-cache-dir --requirement requirements.txt && \ - ln -snf /run/secrets/quote.txt src/example/data/secret.txt && \ - rm sourcecode.tgz + https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz \ + && tar --extract --gzip --file sourcecode.tgz --strip-components=1 \ + && pip install --no-cache-dir --requirement requirements.txt \ + && ln -snf /run/secrets/quote.txt src/example/data/secret.txt \ + && rm sourcecode.tgz ### # Prepare to run ### ENV ECHO_MESSAGE="Hello World from Dockerfile" -USER cisa +USER ${CISA_USER} EXPOSE 8080/TCP VOLUME ["/var/log"] ENTRYPOINT ["example"] From bf415ebfb01965ef17c0715b201bb0da74b34c3e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 23 Nov 2022 13:41:37 -0500 Subject: [PATCH 36/43] Ignore fake private key in this repo's src/secrets dir Without this directive the detect-private-key pre-commit linter is triggered. --- .pre-commit-config.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b5dce48..57af43d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -18,6 +18,8 @@ repos: args: - --allow-missing-credentials - id: detect-private-key + # Ignore the fake private key in this repo + exclude: src/secrets/privkey.pem - id: end-of-file-fixer exclude: files/(issue|motd) - id: mixed-line-ending From c578e00dfbe5f9f633e86b8f17e120f50847ee68 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 23 Nov 2022 14:06:15 -0500 Subject: [PATCH 37/43] Add code to clean up Aptitude cruft --- Dockerfile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Dockerfile b/Dockerfile index 7c66e91..28020fc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -52,6 +52,12 @@ RUN DEBIAN_FRONTEND=noninteractive \ RUN adduser mailarchive --quiet --disabled-password \ --shell /usr/sbin/nologin --gecos "Mail Archive" +### +# Clean up aptitude cruft +### +RUN apt-get --quiet --quiet clean +RUN rm -rf /var/lib/apt/lists/* + ### # Setup entrypoint ### From 6118be6a2ede0a3eeea41517685a7845a5c3d7d3 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 23 Nov 2022 16:30:49 -0500 Subject: [PATCH 38/43] Bump version from 0.1.0 to 0.1.1 --- src/version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/version.txt b/src/version.txt index 3dc1f76..485f44a 100644 --- a/src/version.txt +++ b/src/version.txt @@ -1 +1 @@ -__version__ = "0.1.0" +__version__ = "0.1.1" From b9033cb01e45640148c40ab5d26d28925576fad3 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Wed, 7 Dec 2022 16:19:45 -0500 Subject: [PATCH 39/43] Combine two RUN commands into one Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 28020fc..869e141 100644 --- a/Dockerfile +++ b/Dockerfile @@ -44,7 +44,9 @@ ENV DEPS \ RUN DEBIAN_FRONTEND=noninteractive \ apt-get install --quiet --quiet --yes \ --no-install-recommends --no-install-suggests \ - $DEPS + $DEPS \ + && apt-get --quiet --quiet clean \ + && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* ### # Create a mailarchive user From 7d98c268c5cf9b58bb690f167170b143c247dc58 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Wed, 7 Dec 2022 16:20:29 -0500 Subject: [PATCH 40/43] Remove second, now-duplicated RUN command Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- Dockerfile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 869e141..755917e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -54,12 +54,6 @@ RUN DEBIAN_FRONTEND=noninteractive \ RUN adduser mailarchive --quiet --disabled-password \ --shell /usr/sbin/nologin --gecos "Mail Archive" -### -# Clean up aptitude cruft -### -RUN apt-get --quiet --quiet clean -RUN rm -rf /var/lib/apt/lists/* - ### # Setup entrypoint ### From 4118ed5fcc33f0bdce24dc1f89923976d345068c Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Fri, 16 Dec 2022 12:24:02 -0500 Subject: [PATCH 41/43] Use long command line options Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 755917e..2279309 100644 --- a/Dockerfile +++ b/Dockerfile @@ -46,7 +46,7 @@ RUN DEBIAN_FRONTEND=noninteractive \ --no-install-recommends --no-install-suggests \ $DEPS \ && apt-get --quiet --quiet clean \ - && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + && rm --recursive --force /var/lib/apt/lists/* /tmp/* /var/tmp/* ### # Create a mailarchive user From 2acf7aade5dc1fc458db9ac61047fe300b5aee9f Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Fri, 16 Dec 2022 12:24:21 -0500 Subject: [PATCH 42/43] Lowercase a word in a comment Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 2279309..50d2885 100644 --- a/Dockerfile +++ b/Dockerfile @@ -70,7 +70,7 @@ COPY ./src/templates ./templates/ COPY ./src/docker-entrypoint.sh ./src/version.txt ./ ### -# Prepare to Run +# Prepare to run ### VOLUME ["/var/log", "/var/spool/postfix"] EXPOSE 25/TCP 587/TCP 993/TCP From 8ba731a68431c2c34098aebdcd64050ea2e01275 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Fri, 16 Dec 2022 12:24:52 -0500 Subject: [PATCH 43/43] Remove leading ./ from COPY commands This improves consistency. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 50d2885..52927ee 100644 --- a/Dockerfile +++ b/Dockerfile @@ -66,8 +66,8 @@ RUN mv /etc/default/opendmarc /etc/default/opendmarc.orig RUN mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig RUN mv /etc/postfix/master.cf /etc/postfix/master.cf.orig -COPY ./src/templates ./templates/ -COPY ./src/docker-entrypoint.sh ./src/version.txt ./ +COPY src/templates templates/ +COPY src/docker-entrypoint.sh src/version.txt ./ ### # Prepare to run