From 0bb91c5654db04ad15182dc8c0e491ae0664394f Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 31 Jan 2023 13:06:42 -0500
Subject: [PATCH 1/8] Update pre-commit hooks
Update pre-commit hooks using `pre-commit autoupdate`. The `ansible-lint` hook is intentionally held back to be updated independently to v6.
---
.pre-commit-config.yaml | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 25f8d1d..2764bb4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -5,7 +5,7 @@ default_language_version:
repos: - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.3.0
+ rev: v4.4.0
hooks: - id: check-case-conflict - id: check-executables-have-shebangs
@@ -31,7 +31,7 @@ repos:
# Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli
- rev: v0.32.2
+ rev: v0.33.0
hooks: - id: markdownlint args:
@@ -41,7 +41,7 @@ repos:
hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint
- rev: v1.28.0
+ rev: v1.29.0
hooks: - id: yamllint args:
@@ -49,14 +49,14 @@ repos:
# GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.18.4
+ rev: 0.21.0
hooks: - id: check-github-actions - id: check-github-workflows
# pre-commit hooks - repo: https://github.com/pre-commit/pre-commit
- rev: v2.20.0
+ rev: v3.0.2
hooks: - id: validate_manifest
@@ -88,25 +88,25 @@ repos:
args: - --config=.bandit.yml - repo: https://github.com/psf/black
- rev: 22.10.0
+ rev: 22.12.0
hooks: - id: black - repo: https://github.com/PyCQA/flake8
- rev: 5.0.4
+ rev: 6.0.0
hooks: - id: flake8 additional_dependencies: - flake8-docstrings - repo: https://github.com/PyCQA/isort
- rev: 5.10.1
+ rev: 5.12.0
hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy
- rev: v0.990
+ rev: v0.991
hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade
- rev: v3.2.0
+ rev: v3.3.1
hooks: - id: pyupgrade
@@ -119,7 +119,7 @@ repos:
# Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.76.0
+ rev: v1.77.0
hooks: - id: terraform_fmt - id: terraform_validate
From 313e79263e8b6a1fbd311e5b9543a2b9a99ab93b Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 2 Feb 2023 13:56:59 -0500
Subject: [PATCH 2/8] Add a security label
---
.github/labels.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/labels.yml b/.github/labels.yml
index 500b000..5b16492 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -53,6 +53,9 @@ - color: "ef476c" description: This issue is a request for information or needs discussion name: question +- color: "d73a4a" + description: This issue or pull request addresses a security issue + name: security - color: "00008b" description: This issue or pull request adds or otherwise modifies test code name: test
From da15398ef27c2022f4fd1e88215cc0a72c9751b7 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 6 Dec 2022 11:24:07 -0500
Subject: [PATCH 3/8] Add package write permission to workflow
When Dependabot creates a PR it requires this permission in order to push Docker images to ghcr.io.
---
.github/workflows/build.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1f3a541..af07e26 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -345,6 +345,10 @@ jobs:
runs-on: ubuntu-latest
needs: [lint, prepare, test]
if: github.event_name != 'pull_request'
+ # When Dependabot creates a PR it requires this permission in
+ # order to push Docker images to ghcr.io.
+ permissions:
+ packages: write
steps: - name: Login to Docker Hub
uses: docker/login-action@v2
From 4e5287fe05d6ba47aedce58cc851a69fe495e769 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Sat, 3 Dec 2022 15:05:50 -0500
Subject: [PATCH 4/8] Update wheel along with pip and setuptools
Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
Dockerfile | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index e3cf8aa..3635be0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -57,13 +57,16 @@ ENV DEPS \
RUN apk --no-cache --quiet add ${DEPS}
###
-# Make sure pip and setuptools are the latest versions
+# Make sure pip, setuptools, and wheel are the latest versions
#
# Note that we use pip --no-cache-dir to avoid writing to a local
# cache. This results in a smaller final image, at the cost of
# slightly longer install times.
###
-RUN pip install --no-cache-dir --upgrade pip setuptools
+RUN pip install --no-cache-dir --upgrade \
+ pip \
+ setuptools \
+ wheel
WORKDIR ${CISA_HOME}
From 83beae5295821391ffc88f7190514b0881520b95 Mon Sep 17 00:00:00 2001
From: Jeremy Morrow
Date: Thu, 9 Feb 2023 21:24:50 -0500
Subject: [PATCH 5/8] Specify pip3
In this case it doesn't matter because we are starting from a Python3-specific base container, but other projects that use this skeleton may not be. Specifying pip3 ensures that the Python 2 version of pip is not called by mistake.
---
Dockerfile | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 3635be0..9f4e9c2 100644
--- a/Dockerfile
+++ b/Dockerfile
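Review bot: The new job-level `permissions:` block grants only `packages: write`, and a job-level block replaces the default token scopes rather than adding to them, so `contents` drops to none for this job; if any step in it checks out the repository or reads repo content with `GITHUB_TOKEN` (the later `./buildx-dockerfile.sh` step suggests a checkout), add `contents: read` beside it — `permissions:` / `contents: read` / `packages: write`. The comment's justification sits awkwardly next to `if: github.event_name != 'pull_request'`, which already excludes pull_request runs; presumably the case being fixed is the read-only default token on Dependabot-triggered pushes, so reword the comment to say that, e.g. `# Workflow runs triggered by Dependabot get a read-only GITHUB_TOKEN by default; grant package write so the ghcr.io push succeeds.`. The job definition begins before this hunk and its steps continue after it.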
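Review bot: `RUN pip install --no-cache-dir --upgrade pip setuptools wheel` carries no version constraints, so every build pulls whatever PyPI serves at that moment and this toolchain layer is neither reproducible nor reviewable before it lands in the image; if floating to latest is a deliberate skeleton policy, state it in the header comment, otherwise pin the three packages (or pass `--constraint` with a tracked constraints file) and let Dependabot propose the bumps. This layer also executes before the `USER` switch that appears later in the Dockerfile, so the installs run as root into the system site-packages; a one-line note such as `# Runs as root: the unprivileged USER is only set after dependencies are installed.` would make that intent explicit.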
@@ -59,7 +59,7 @@ RUN apk --no-cache --quiet add ${DEPS}
###
# Make sure pip, setuptools, and wheel are the latest versions
#
-# Note that we use pip --no-cache-dir to avoid writing to a local
+# Note that we use pip3 --no-cache-dir to avoid writing to a local
# cache. This results in a smaller final image, at the cost of
# slightly longer install times.
###
@@ -73,14 +73,14 @@ WORKDIR ${CISA_HOME}
###
# Install Python dependencies
#
-# Note that we use pip --no-cache-dir to avoid writing to a local
+# Note that we use pip3 --no-cache-dir to avoid writing to a local
# cache. This results in a smaller final image, at the cost of
# slightly longer install times.
###
RUN wget --output-document sourcecode.tgz \
https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz \
&& tar --extract --gzip --file sourcecode.tgz --strip-components=1 \
- && pip install --no-cache-dir --requirement requirements.txt \
+ && pip3 install --no-cache-dir --requirement requirements.txt \
&& ln -snf /run/secrets/quote.txt src/example/data/secret.txt \
&& rm sourcecode.tgz
From d6bf3c0e641a60def66cefea4d3185b540a7eae2 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 22 Nov 2022 12:13:43 -0500
Subject: [PATCH 6/8] Specify the default group to run under in the Dockerfile
---
Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 9f4e9c2..b32ee0f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -88,7 +88,7 @@ RUN wget --output-document sourcecode.tgz \
# Prepare to run
###
ENV ECHO_MESSAGE="Hello World from Dockerfile"
-USER ${CISA_USER}
+USER ${CISA_USER}:${CISA_GROUP}
EXPOSE 8080/TCP
VOLUME ["/var/log"]
ENTRYPOINT ["example"]
From 73a526f57f0756ac2d622d0e714a76515344f5f0 Mon Sep 17 00:00:00 2001
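Review bot: `USER ${CISA_USER}:${CISA_GROUP}` relies on `CISA_GROUP` being declared with `ARG` or `ENV` earlier in the Dockerfile, which this hunk does not show; if the variable is undefined the instruction expands to `USER <user>:` and presumably fails the build, so confirm it is set alongside `CISA_USER` and that the group actually exists in the image. With the primary group now fixed explicitly, `/var/log` (declared as a `VOLUME` two lines down) and anything the `example` entrypoint writes must be writable by that uid:gid rather than by root; consider documenting it, e.g. `# Drop to the unprivileged user and group created above; /var/log must be writable by them.`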
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 10 Feb 2023 04:55:35 +0000
Subject: [PATCH 7/8] Bump docker/build-push-action from 3 to 4
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3 to 4. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot]
---
.github/workflows/build.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index af07e26..08d67c7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -248,7 +248,7 @@ jobs:
run: mkdir -p dist - name: Build image
id: docker_build
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v4
with:
build-args: |
VERSION=${{ needs.prepare.outputs.source_version }}
@@ -380,7 +380,7 @@ jobs:
run: ./buildx-dockerfile.sh - name: Build and push platform images to registries
id: docker_build
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v4
with:
build-args: |
VERSION=${{ needs.prepare.outputs.source_version }}
From 7aab0747e550ee1b81c016f171f2fcb5f26f42e0 Mon Sep 17 00:00:00 2001
From: Jeremy Morrow
Date: Fri, 10 Feb 2023 10:26:10 -0500
Subject: [PATCH 8/8] Specify pip3 in the file where it got blown away by a rebase
---
Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index b32ee0f..1516787 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -63,7 +63,7 @@ RUN apk --no-cache --quiet add ${DEPS}
# cache. This results in a smaller final image, at the cost of
# slightly longer install times.
###
-RUN pip install --no-cache-dir --upgrade \
+RUN pip3 install --no-cache-dir --upgrade \
pip \
setuptools \
wheel