
⚠️ CONFLICT! Lineage pull request for: skeleton #20

Merged
merged 163 commits into from
May 14, 2024
163 commits
4cb9a4b
Add steps to setup go packages for pre-commit
jasonodoom Jul 10, 2023
53f56b0
Update action/checkout to use same version
jasonodoom Jul 10, 2023
f261099
Set specific gocritic version
jasonodoom Jul 10, 2023
097b573
Update build workflow with package installation
jasonodoom Jul 10, 2023
254282a
Group go tools together with comment
jasonodoom Jul 11, 2023
ecf3299
Update staticcheck id
jasonodoom Jul 11, 2023
1eaedf5
Update tool names to match author stylization
jasonodoom Jul 11, 2023
fd04757
Update staticcheck stylization
jasonodoom Jul 11, 2023
ddbf6f7
Temporarily use a different branch of cisagov/setup-env-github-action
jsf9k Jul 12, 2023
a8af336
Move go packages install to separate section
jasonodoom Jul 12, 2023
1675b12
Update go-critic name
jasonodoom Jul 12, 2023
c6ab22e
Update staticcheck name
jasonodoom Jul 12, 2023
29de034
Use the correct repo name for the ansible-lint pre-commit hook
jsf9k Jul 13, 2023
1e7cb4f
Correct staticcheck reference to setup-env, sort alphabetically and …
jasonodoom Jul 12, 2023
5f3bc13
Remove Go section comment
jasonodoom Jul 13, 2023
d311825
Remove unnecessary quotes in the dependabot configuration
mcdonnnj Jul 14, 2023
2294d49
Sort the keys in the Dependabot configuration
mcdonnnj Jul 14, 2023
e678502
Delete duplicate word "are"
jsf9k Jul 18, 2023
948ebde
Fix gosec stylization
jasonodoom Aug 16, 2023
98d3d3f
Revert "Temporarily use a different branch of cisagov/setup-env-githu…
jsf9k Aug 22, 2023
82db36a
Add nixfmt pre-commit hook
jasonodoom Aug 28, 2023
c0b5d5b
Bump actions/checkout from 3 to 4
dependabot[bot] Sep 4, 2023
b04654e
Bump crazy-max/ghaction-github-labeler from 4 to 5
mcdonnnj Sep 11, 2023
49ac8c5
Update the dependabot ignore configuration
mcdonnnj Sep 11, 2023
4ec50ab
Merge pull request #138 from cisagov/add-go-packages
mcdonnnj Sep 13, 2023
8145a93
Merge pull request #139 from cisagov/improvement/use-correct-repo-name
mcdonnnj Sep 13, 2023
ce74358
Merge pull request #140 from cisagov/improvement/update_dependabot_co…
mcdonnnj Sep 13, 2023
338e3e1
Merge pull request #141 from cisagov/documentation/grammar
mcdonnnj Sep 13, 2023
8432f1e
Merge pull request #143 from cisagov/add-nixfmt
mcdonnnj Sep 13, 2023
8cdbc7b
Merge pull request #145 from cisagov/dependabot/github_actions/action…
mcdonnnj Sep 13, 2023
ca49bea
Merge pull request #146 from cisagov/improvement/update_labeler_action
mcdonnnj Sep 13, 2023
94d753d
Update pre-commit hook versions
mcdonnnj Aug 3, 2023
1bc2056
Switch to the pre-commit mirror for black
mcdonnnj Sep 11, 2023
a62ebe7
Add the crazy-max/ghaction-github-status GitHub action
jsf9k Aug 29, 2023
3619c45
Make the lint job depend on the diagnostics job
jsf9k Aug 30, 2023
f437066
Add a GH Action to dump the context
jsf9k Aug 30, 2023
c5e56a2
Give the diagnostics job a descriptive name
jsf9k Aug 30, 2023
9afb516
Add the step-security/harden-runner GH Action
jsf9k Aug 30, 2023
9dc773c
Add a harden-runner task to the lint job as well
jsf9k Aug 30, 2023
bb81ec3
Add a reminder
jsf9k Aug 30, 2023
94903ae
Merge pull request #142 from cisagov/maintenance/update_pre-commit_hooks
mcdonnnj Sep 13, 2023
8d8577c
Merge pull request #148 from cisagov/improvement/change_black_repository
mcdonnnj Sep 13, 2023
c0eed09
Merge pull request #144 from cisagov/improvement/add-github-status-jazz
mcdonnnj Sep 13, 2023
b5e5c11
Bump crazy-max/ghaction-github-status from 3 to 4
dependabot[bot] Sep 13, 2023
371179e
Add a diagnostics job for the label syncing workflow
jsf9k Sep 13, 2023
1f611fc
Make the dev team the owners of the linter configuration files
jsf9k Sep 14, 2023
c356768
Make dev team members the codeowners of the requirements*.txt and set…
jsf9k Sep 14, 2023
0195005
Explicitly list the linter config files the dev team should own
jsf9k Sep 15, 2023
f4c6294
Bump cowsay from 5.0 to 6.1 in /src/py3.9
dependabot[bot] Sep 25, 2023
112cea7
Bump cowsay from 5.0 to 6.1 in /src/py3.8
dependabot[bot] Sep 25, 2023
6c731d1
Reformat Pipfile.lock to make JSON linter happy
jsf9k Sep 26, 2023
f51ca0a
Reformat Pipfile.lock to make JSON linter happy
jsf9k Sep 26, 2023
b768a28
Bump hashicorp/setup-terraform from 2 to 3
dependabot[bot] Oct 30, 2023
9f31700
Prefer block style to flow style
mcdonnnj Nov 2, 2023
696433a
Alphabetize entries in the build workflow
mcdonnnj Nov 2, 2023
6503a9e
Add a `merge_group` trigger to the build workflow
mcdonnnj Nov 2, 2023
193e799
Bump actions/setup-go from 4 to 5
dependabot[bot] Dec 11, 2023
5c84295
Bump actions/setup-python from 4 to 5
dependabot[bot] Dec 11, 2023
4a63dbe
Switch pre-commit hooks for running shfmt
mcdonnnj Jan 18, 2024
3236b1b
Remove installation of shfmt in the `build` workflow
mcdonnnj Jan 18, 2024
5ddb14d
Use long options for shfmt arguments
mcdonnnj Jan 18, 2024
8ecd957
Add additional shfmt options
mcdonnnj Jan 18, 2024
242921b
Set the default shell for all run steps in the build workflow
mcdonnnj Sep 21, 2023
c7b18dc
Add linting with goimports to the pre-commit configuration
mcdonnnj Jan 12, 2024
f6d9d6e
Add ATX Header Support for terraform-docs
Jan 22, 2024
544e478
Add prepended names to variables to describe their function
michaelsaki Jan 22, 2024
f5fa0ff
Remove unnecessary capitalizations and fix grammar
michaelsaki Jan 22, 2024
36361dd
Simplify steps in the build/install portion of workflow
michaelsaki Jan 22, 2024
3711ebe
Add TODO label
michaelsaki Jan 23, 2024
d114fb4
Move TODO and add link to the issue
michaelsaki Jan 23, 2024
c907cfc
Alphabetize switches
michaelsaki Jan 23, 2024
48db3e3
Allow setup-env to specify Python version
Jan 25, 2024
c10929a
Add /dev/null and remove TMPFILE
michaelsaki Jan 25, 2024
adada40
Place flags in the correct order for -r and -p
Jan 25, 2024
1861b9b
Remove unnecessary spacing
Jan 25, 2024
3f623e4
Alphabetize flags and descriptions
michaelsaki Jan 25, 2024
9497dc2
Move misplaced exit
jsf9k Jan 26, 2024
e1d0f28
Remove premature pyenv local command
jsf9k Jan 26, 2024
517b336
Include PYTHON_VERSION when running pyenv virtualenv
jsf9k Jan 26, 2024
2e5794c
Add getopt variables and short flags
Jan 30, 2024
8a50031
Remove redundant flag initialization
Jan 30, 2024
0df0e6a
Add getopt functionality and -n flag
Jan 30, 2024
60cad12
Update the usage and force documentation
Jan 30, 2024
b6ab6d8
Update usage with long options
Feb 7, 2024
d362614
Add gnu-getopt functionality and error handling
Feb 7, 2024
f924584
Add documentation in CONTRIBUTING.md for gnu-getopt
Feb 7, 2024
ba86ead
Fix grammar and capitalization errors
michaelsaki Feb 7, 2024
ba0fc19
Combine PATH exports to single line
michaelsaki Feb 7, 2024
1240bdd
Improve usage instructions
michaelsaki Feb 7, 2024
297b5bd
Add $(brew --prefix) to PATH for getopt
michaelsaki Feb 7, 2024
7af70f5
Fix confusing wording
michaelsaki Feb 7, 2024
e5a2d14
Replace virt_env_name w/ virtual_env_name for clarity
michaelsaki Feb 7, 2024
82c70e0
Differentiate between GNU getopt and gnu-getopt brew formula
michaelsaki Feb 13, 2024
493a4a3
Add parenthesis over brew link
michaelsaki Feb 13, 2024
3bc9aeb
Refactor flag names for clarity and accuracy
Feb 14, 2024
0be1f63
Elaborate on message when checking for GNU getopt
Feb 14, 2024
c8f0b1b
Remove unnecessary nounset flipping logic
Feb 14, 2024
495862a
Separate pyenv PATH from GNU getopt PATH
Feb 14, 2024
4752b37
Improve verbiage in comments
michaelsaki Feb 21, 2024
2e38997
Clarify between pyenv and GNU getopt setup
michaelsaki Feb 21, 2024
f8824c8
Improve comment on conditional check for regex
Feb 21, 2024
88724e7
Add comment explaining that GNU getopt is keg-only
Feb 21, 2024
c1870be
Improve comments to better describe `keg-only` terminology
michaelsaki Feb 21, 2024
a3f69cd
Change "'setup-env' tool" to "'setup-env' script"
michaelsaki Feb 26, 2024
8ff5179
Remove built-in error exit for generic error exit
michaelsaki Feb 26, 2024
1c21e2b
Change verbiage from 'tool' to 'script' for clarity
michaelsaki Feb 26, 2024
3acc8d6
Check for pyenv earlier in the script
Feb 26, 2024
b377ce7
Explain -r and -p in Python version prompt
Feb 26, 2024
74838a2
Refine exit code to 64 with gnu-getopt note
Feb 26, 2024
487126e
Rename gnu-getopt tool to GNU getopt formula
michaelsaki Feb 28, 2024
6c82a8d
Fix whitespace for usage menu
michaelsaki Feb 28, 2024
324f6d4
Add link to brew terminology
michaelsaki Feb 28, 2024
a26d0e3
Rephrase comment to improve clarity
michaelsaki Feb 28, 2024
0510870
Improve comment for clarity
michaelsaki Feb 28, 2024
01abde6
Improve verbiage in comment
Feb 28, 2024
0989d17
Change comments for macOS and venv_name
Feb 28, 2024
a9c6ed8
Improve comments for clarity
michaelsaki Feb 29, 2024
b9c729f
Update pre-commit hook versions
mcdonnnj Jan 4, 2024
4c93395
Manually update the prettier hook
mcdonnnj Jan 4, 2024
9a0e7c3
Merge pull request #149 from cisagov/dependabot/github_actions/crazy-…
mcdonnnj Mar 6, 2024
d0d8783
Merge pull request #150 from cisagov/improvement/add-diagnostics-to-l…
mcdonnnj Mar 6, 2024
158abf5
Merge pull request #151 from cisagov/improvement/make-ois-own-linting…
mcdonnnj Mar 6, 2024
6f23c97
Merge pull request #155 from cisagov/dependabot/github_actions/hashic…
mcdonnnj Mar 6, 2024
c0043bd
Merge pull request #156 from cisagov/improvement/better_support_merge…
mcdonnnj Mar 6, 2024
e5ffc52
Merge pull request #158 from cisagov/dependabot/github_actions/action…
mcdonnnj Mar 6, 2024
59b2ad1
Merge pull request #159 from cisagov/dependabot/github_actions/action…
mcdonnnj Mar 6, 2024
57bef4a
Merge pull request #161 from cisagov/maintenance/update_pre-commit_hooks
mcdonnnj Mar 6, 2024
01c9e11
Merge pull request #162 from cisagov/improvement/set_default_for_run_…
mcdonnnj Mar 6, 2024
d1a186d
Merge pull request #166 from cisagov/improvement/allow_setup-env_to_s…
mcdonnnj Mar 6, 2024
7169dcf
Use Python and Go versions provided by cisagov/setup-env-github-action
mcdonnnj Nov 11, 2023
95a61f5
Merge pull request #157 from cisagov/improvement/get_more_versions_fr…
mcdonnnj Mar 6, 2024
81735c2
Merge pull request #160 from cisagov/improvement/switch_pre-commit_ho…
mcdonnnj Mar 6, 2024
4f73489
Merge pull request #163 from cisagov/improvement/add_goimports_hook
mcdonnnj Mar 6, 2024
9020b55
Merge pull request #164 from cisagov/improvement/install_atx_header_s…
mcdonnnj Mar 6, 2024
035cf86
Switch pre-commit hooks for running shellcheck
mcdonnnj Feb 27, 2024
e79569c
Merge pull request #168 from cisagov/improvement/switch_pre-commit_ho…
mcdonnnj Mar 6, 2024
c9bf915
Merge github.com:cisagov/skeleton-generic into lineage/skeleton
mcdonnnj May 8, 2024
219d653
Enable new dependabot ignore directives from upstream
mcdonnnj May 8, 2024
2c8fb35
Adjust formatting of a comment in the dependabot configuration
mcdonnnj May 8, 2024
5dda6bf
Remove unnecessary quotation marks in the dependabot configuration
mcdonnnj May 8, 2024
c8c589b
Apply changes from the `black` pre-commit hook
mcdonnnj May 8, 2024
c9b49ed
Add the step-security/harden-runner Action as needed
mcdonnnj May 8, 2024
bbd1ddc
Use the centralized Python version in the `test` job
mcdonnnj May 8, 2024
14cb8b8
Bump actions/cache from v3 to v4 in the `build` workflow
mcdonnnj May 8, 2024
3ca9155
Bump actions/setup-python from v4 to v5 in the `build` workflow
mcdonnnj May 8, 2024
cd7c67e
Bump actions/checkout from v3 to v4 in `CodeQL` workflow
mcdonnnj May 9, 2024
d61d55b
Merge pull request #19 from cisagov/lineage/skeleton
mcdonnnj May 13, 2024
43f8275
Merge pull request #20 from cisagov/dependabot/pip/src/py3.9/cowsay-6.1
mcdonnnj May 13, 2024
de6f509
Merge pull request #21 from cisagov/dependabot/pip/src/py3.8/cowsay-6.1
mcdonnnj May 13, 2024
f6c44ca
Bump github/codeql-action from 2 to 3
dependabot[bot] May 13, 2024
fd47aa7
Bump actions/upload-artifact from 3 to 4
dependabot[bot] May 13, 2024
f34d0ae
Merge pull request #23 from cisagov/dependabot/github_actions/actions…
mcdonnnj May 13, 2024
546734a
Merge pull request #24 from cisagov/dependabot/github_actions/github/…
mcdonnnj May 13, 2024
e3381b1
Add a diagnostics job to the `CodeQL` workflow
mcdonnnj May 10, 2024
34a7da5
Use step-security/harden-runner in the `Analyze` job
mcdonnnj May 10, 2024
0227a71
Remove unnecessary quotes in the `CodeQL` job
mcdonnnj May 10, 2024
4dabc52
Add a disabled ignore directive for github/codeql-action
mcdonnnj May 13, 2024
862d289
Merge pull request #22 from cisagov/improvement/update_codeql_workflow
mcdonnnj May 13, 2024
17b10ab
Merge github.com:cisagov/skeleton-aws-lambda-python into lineage/skel…
mcdonnnj May 13, 2024
9a24c44
Enable dependabot ignore directive
mcdonnnj May 13, 2024
062b1cb
Ensure `build` jobs depend on the `diagnostics` job
mcdonnnj May 14, 2024
57bcc5b
Merge pull request #25 from cisagov/improvement/fix_workflow_requirem…
mcdonnnj May 14, 2024
352637d
Merge https://github.com/cisagov/skeleton-aws-lambda-python into line…
May 14, 2024
2 changes: 1 addition & 1 deletion .bandit.yml
@@ -3,7 +3,7 @@
# https://bandit.readthedocs.io/en/latest/config.html

# Tests are first included by `tests`, and then excluded by `skips`.
# If `tests` is empty, all tests are are considered included.
# If `tests` is empty, all tests are considered included.

tests:
# - B101
14 changes: 14 additions & 0 deletions .github/CODEOWNERS
@@ -8,3 +8,17 @@
# These folks own any files in the .github directory at the root of
# the repository and any of its subdirectories.
/.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj

# These folks own all linting configuration files.
/.ansible-lint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.bandit.yml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.flake8 @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.isort.cfg @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.mdl_config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.pre-commit-config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.prettierignore @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.yamllint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/requirements.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/requirements-dev.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/requirements-test.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/setup-env @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
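Review bot: these CODEOWNERS entries only force a review when the branch protection rule for the default branch has "Require review from Code Owners" enabled, so confirm that setting is on or the new block is advisory only. The explicit per-file list (no glob) is deliberate per the commit message, which means any linter configuration added later is unowned until someone remembers to append it here; a short comment above the block saying exactly that would help the next person. Covering `/requirements*.txt` and `/setup-env` is a good call, since those decide what CI and developer machines install.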
45 changes: 25 additions & 20 deletions .github/dependabot.yml
@@ -5,44 +5,49 @@
# these updates when the pull request(s) in the appropriate skeleton are merged
# and Lineage processes these changes.

version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
- directory: /
ignore:
# Managed by cisagov/skeleton-generic
- dependency-name: actions/cache
- dependency-name: actions/checkout
- dependency-name: actions/setup-go
- dependency-name: actions/setup-python
- dependency-name: crazy-max/ghaction-dump-context
- dependency-name: crazy-max/ghaction-github-labeler
- dependency-name: crazy-max/ghaction-github-status
- dependency-name: hashicorp/setup-terraform
- dependency-name: mxschmitt/action-tmate
- dependency-name: step-security/harden-runner
# Managed by cisagov/skeleton-aws-lambda-python
- dependency-name: actions/upload-artifact
- dependency-name: github/codeql-action
package-ecosystem: github-actions
schedule:
interval: weekly

- package-ecosystem: "pip"
directory: "/"
- directory: /
package-ecosystem: pip
schedule:
interval: "weekly"
interval: weekly

- package-ecosystem: "pip"
directory: "/src/py3.7"
- directory: /src/py3.7
package-ecosystem: pip
schedule:
interval: "weekly"
interval: weekly

- package-ecosystem: "pip"
directory: "/src/py3.8"
- directory: /src/py3.8
package-ecosystem: pip
schedule:
interval: "weekly"
interval: weekly

- package-ecosystem: "pip"
directory: "/src/py3.9"
- directory: /src/py3.9
package-ecosystem: pip
schedule:
interval: "weekly"
interval: weekly

- package-ecosystem: "terraform"
directory: "/"
- directory: /
package-ecosystem: terraform
schedule:
interval: "weekly"
interval: weekly
version: 2
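Review bot: `ignore` in `dependabot.yml` applies to Dependabot security updates as well as version updates, so with every action used by `build.yml` and `codeql-analysis.yml` now listed under the `github-actions` ecosystem, a vulnerable action version in this repository is only fixed when the managing skeleton bumps it and Lineage carries the change down. That is the intended design (see the comment at the top of the file), but the comment should say that security updates are covered by the same ignore, and it is worth checking that the upstream skeletons are not themselves ignoring the same names. Dropping the quotes around `/`, `weekly` and the ecosystem names is a pure style change with no effect on the YAML values.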
131 changes: 105 additions & 26 deletions .github/workflows/build.yml
@@ -2,40 +2,79 @@
name: build

on:
push:
merge_group:
types:
- checks_requested
pull_request:
push:
repository_dispatch:
types: [apb]
types:
- apb

# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
# nounset, errexit, and pipefail. The `-x` will print all commands as they are
# run. Please see the GitHub Actions documentation for more information:
# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
defaults:
run:
shell: bash -Eueo pipefail -x {0}

env:
CURL_CACHE_DIR: ~/.cache/curl
DEFAULT_ARTIFACT_NAME: lambda_build.zip
PIP_CACHE_DIR: ~/.cache/pip
PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
RUN_TMATE: ${{ secrets.RUN_TMATE }}
TERRAFORM_DOCS_REPO_BRANCH_NAME: improvement/support_atx_closed_markdown_headers
TERRAFORM_DOCS_REPO_DEPTH: 1
TERRAFORM_DOCS_REPO_URL: https://github.com/mcdonnnj/terraform-docs.git

jobs:
diagnostics:
name: Run diagnostics
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v4
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
lint:
needs:
- diagnostics
runs-on: ubuntu-latest
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: "3.11"
python-version: ${{ steps.setup-env.outputs.python-version }}
# We need the Go version and Go cache location for the actions/cache step,
# so the Go installation must happen before that.
- id: setup-go
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
# There is no expectation for actual Go code so we disable caching as
# it relies on the existence of a go.sum file.
cache: false
go-version: "1.20"
- name: Lookup Go cache directory
id: go-cache
go-version: ${{ steps.setup-env.outputs.go-version }}
- id: go-cache
name: Lookup Go cache directory
run: |
echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
- uses: actions/cache@v3
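Review bot: the new `step-security/harden-runner@v2`, `crazy-max/ghaction-github-status@v4` and `crazy-max/ghaction-dump-context@v2` steps, like the pre-existing `cisagov/setup-env-github-action@develop`, are referenced by floating tags or a branch name, so the code that runs on the runner can change without a commit in this repository; pin them by full commit SHA with the version in a trailing comment (Dependabot in the skeleton that manages these names keeps SHA pins current), and plan to move harden-runner from `egress-policy: audit` to `block` with an `allowed-endpoints` list once the audit logs from `diagnostics` show what the jobs actually contact. One caveat on the new `defaults.run.shell` line: `-x` echoes every expanded command to the job log, so any value derived from `RUN_TMATE` or another secret that is not the exact secret string will not be masked by the runner.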
@@ -46,6 +85,10 @@ jobs:
packer${{ steps.setup-env.outputs.packer-version }}-\
tf${{ steps.setup-env.outputs.terraform-version }}-"
with:
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements-test.txt') }}-\
${{ hashFiles('**/requirements.txt') }}-\
${{ hashFiles('**/.pre-commit-config.yaml') }}"
# Note that the .terraform directory IS NOT included in the
# cache because if we were caching, then we would need to use
# the `-upgrade=true` option. This option blindly pulls down the
@@ -57,10 +100,6 @@ jobs:
${{ env.PRE_COMMIT_CACHE_DIR }}
${{ env.CURL_CACHE_DIR }}
${{ steps.go-cache.outputs.dir }}
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements-test.txt') }}-\
${{ hashFiles('**/requirements.txt') }}-\
${{ hashFiles('**/.pre-commit-config.yaml') }}"
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Setup curl cache
@@ -78,19 +117,46 @@ jobs:
${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}"
sudo mv /usr/local/bin/packer /usr/local/bin/packer-default
sudo ln -s /opt/packer/packer /usr/local/bin/packer
- uses: hashicorp/setup-terraform@v2
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install shfmt
- name: Install go-critic
env:
PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install goimports
env:
PACKAGE_URL: golang.org/x/tools/cmd/goimports
PACKAGE_VERSION: ${{ steps.setup-env.outputs.goimports-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install gosec
env:
PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install Terraform-docs
- name: Install staticcheck
env:
PACKAGE_URL: github.com/terraform-docs/terraform-docs
PACKAGE_VERSION: ${{ steps.setup-env.outputs.terraform-docs-version }}
PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
# TODO: https://github.com/cisagov/skeleton-generic/issues/165
# We are temporarily using @mcdonnnj's forked branch of terraform-docs
# until his PR: https://github.com/terraform-docs/terraform-docs/pull/745
# is approved. This temporary fix will allow for ATX header support when
# terraform-docs is run during linting.
- name: Clone ATX headers branch from terraform-docs fork
run: |
git clone \
--branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \
--depth $TERRAFORM_DOCS_REPO_DEPTH \
--single-branch \
$TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs
- name: Build and install terraform-docs binary
run: |
go build \
-C /tmp/terraform-docs \
-o $(go env GOPATH)/bin/terraform-docs
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
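Review bot: the terraform-docs binary used for linting is now built from `$TERRAFORM_DOCS_REPO_URL`, a personal fork, at whatever commit `$TERRAFORM_DOCS_REPO_BRANCH_NAME` points to when the job runs, so a force-push to that branch changes the code executed in every lint run with no trace in this repository. Until the linked upstream pull request lands, pin the clone to a commit (for example `git fetch --depth 1 origin <sha>` into an initialized directory, or compare `git -C /tmp/terraform-docs rev-parse HEAD` against an expected value before `go build`) and keep the TODO pointing at issue 165 so the pin is removed together with the fork. The `go install ${PACKAGE_URL}@${PACKAGE_VERSION}` steps for go-critic, goimports, gosec and staticcheck are fine as written: a versioned `go install` is verified against the Go module checksum database, which the fork build is not.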
@@ -104,15 +170,22 @@ jobs:
if: env.RUN_TMATE
test:
runs-on: ubuntu-latest
needs: lint
needs:
- diagnostics
- lint
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: "3.10"
python-version: ${{ steps.setup-env.outputs.python-version }}
- uses: actions/cache@v3
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
@@ -139,6 +212,7 @@ jobs:
build:
runs-on: ubuntu-latest
needs:
- diagnostics
- lint
- test
strategy:
@@ -149,7 +223,12 @@ jobs:
- "3.8"
- "3.9"
steps:
- uses: actions/checkout@v3
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- name: Get the short SHA for the commit being used
run: |
echo "GH_SHORT_SHA=${GITHUB_SHA::7}" >> $GITHUB_ENV
@@ -161,7 +240,7 @@ jobs:
- name: Generate the Lambda deployment package
run: docker compose up build_deployment_package
- name: Upload the generated Lambda deployment package as an artifact
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: "${{ github.event.repository.name }}-\
py${{ matrix.python-version }}-\
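Review bot: `actions/upload-artifact@v4` is a breaking bump, not a routine one: v4 refuses a second upload to an artifact name that already exists in the run, and artifacts it produces cannot be fetched by `actions/download-artifact@v3`. The name here is keyed on `py${{ matrix.python-version }}`, so the matrix legs do not collide, but any downstream workflow or release step that downloads these deployment packages must be on `download-artifact@v4` as well.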
35 changes: 30 additions & 5 deletions .github/workflows/codeql-analysis.yml
@@ -4,7 +4,7 @@
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
name: "CodeQL"
name: CodeQL

on:
push:
@@ -20,8 +20,27 @@ on:
- cron: '0 14 * * 6'

jobs:
diagnostics:
name: Run diagnostics
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v4
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
analyze:
name: Analyze
needs:
- diagnostics
runs-on: ubuntu-latest
permissions:
# required for all workflows
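Review bot: the new `diagnostics` job has no `permissions:` block, so it runs with the workflow's default `GITHUB_TOKEN` permissions while `analyze` scopes its own; since `harden-runner`, `ghaction-github-status` and `ghaction-dump-context` need nothing from the token, add `permissions: contents: read` (or `permissions: {}`) to the job. Note also that `ghaction-dump-context` writes the entire `github` context, event payload included, to the job log; the token is masked, but everything else becomes part of the workflow log for anyone who can read it.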
@@ -37,20 +56,26 @@ jobs:
# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection

steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}

# Autobuild attempts to build any compiled languages (C/C++, C#, or
# Java). If this step fails, then you should remove it and run the build
# manually (see below).
- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@v3

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
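Review bot: placing harden-runner in `audit` mode before checkout and the CodeQL steps is the right order, but the `Analyze` job will only keep working under a later `egress-policy: block` if the endpoints the CodeQL action needs are allowed (it downloads the CodeQL bundle from GitHub release assets and uploads SARIF through `api.github.com`), so derive the `allowed-endpoints` list from this job's audit output rather than guessing. The `github/codeql-action` bump from v2 to v3 follows the move to the Node 20 runtime and v2's deprecation; it is applied consistently to `init`, `autobuild` and `analyze`, which is how the action expects to be used.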
@@ -64,4 +89,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@v3