⚠️ CONFLICT! Lineage pull request for: skeleton

.github/labels.yml

@@ -56,6 +56,9 @@
 - color: "ef476c"
  description: This issue is a request for information or needs discussion
  name: question
+- color: "d73a4a"
+ description: This issue or pull request addresses a security issue
+ name: security
 - color: "00008b"
  description: This issue or pull request adds or otherwise modifies test code
  name: test

.github/workflows/build.yml

@@ -249,7 +249,7 @@ jobs:
  run: mkdir -p dist
  - name: Build image
  id: docker_build
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v4
  with:
  build-args: |
  VERSION=${{ needs.prepare.outputs.source_version }}
@@ -346,6 +346,10 @@ jobs:
  runs-on: ubuntu-latest
  needs: [lint, prepare, test]
  if: github.event_name != 'pull_request'
+ # When Dependabot creates a PR it requires this permission in
+ # order to push Docker images to ghcr.io.
+ permissions:
+ packages: write
  steps:
  - name: Login to Docker Hub
  uses: docker/login-action@v2
@@ -377,7 +381,7 @@ jobs:
  run: ./buildx-dockerfile.sh
  - name: Build and push platform images to registries
  id: docker_build
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v4
  with:
  build-args: |
  VERSION=${{ needs.prepare.outputs.source_version }}

.pre-commit-config.yaml

@@ -5,7 +5,7 @@ default_language_version:
 
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.3.0
+ rev: v4.4.0
  hooks:
  - id: check-case-conflict
  - id: check-executables-have-shebangs
@@ -31,7 +31,7 @@ repos:
 
  # Text file hooks
  - repo: https://github.com/igorshubovych/markdownlint-cli
- rev: v0.32.2
+ rev: v0.33.0
  hooks:
  - id: markdownlint
  args:
@@ -41,22 +41,22 @@ repos:
  hooks:
  - id: prettier
  - repo: https://github.com/adrienverge/yamllint
- rev: v1.28.0
+ rev: v1.29.0
  hooks:
  - id: yamllint
  args:
  - --strict
 
  # GitHub Actions hooks
  - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.18.4
+ rev: 0.21.0
  hooks:
  - id: check-github-actions
  - id: check-github-workflows
 
  # pre-commit hooks
  - repo: https://github.com/pre-commit/pre-commit
- rev: v2.20.0
+ rev: v3.0.2
  hooks:
  - id: validate_manifest
 
@@ -98,25 +98,25 @@ repos:
  name: bandit (everything else)
  exclude: tests
  - repo: https://github.com/psf/black
- rev: 22.10.0
+ rev: 22.12.0
  hooks:
  - id: black
  - repo: https://github.com/PyCQA/flake8
- rev: 5.0.4
+ rev: 6.0.0
  hooks:
  - id: flake8
  additional_dependencies:
  - flake8-docstrings
  - repo: https://github.com/PyCQA/isort
- rev: 5.10.1
+ rev: 5.12.0
  hooks:
  - id: isort
  - repo: https://github.com/pre-commit/mirrors-mypy
- rev: v0.990
+ rev: v0.991
  hooks:
  - id: mypy
  - repo: https://github.com/asottile/pyupgrade
- rev: v3.2.0
+ rev: v3.3.1
  hooks:
  - id: pyupgrade
 
@@ -129,7 +129,7 @@ repos:
 
  # Terraform hooks
  - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.76.0
+ rev: v1.77.0
  hooks:
  - id: terraform_fmt
  - id: terraform_validate

Dockerfile

@@ -52,13 +52,16 @@ RUN apt-get install --quiet --quiet --yes \
  $DEPS $INSTALL_DEPS
 
 ###
-# Make sure pip and setuptools are the latest versions
+# Make sure pip, setuptools, and wheel are the latest versions
 #
-# Note that we use pip --no-cache-dir to avoid writing to a local
+# Note that we use pip3 --no-cache-dir to avoid writing to a local
 # cache. This results in a smaller final image, at the cost of
 # slightly longer install times.
 ###
-RUN pip install --no-cache-dir --upgrade pip setuptools
+RUN pip3 install --no-cache-dir --upgrade \
+ pip \
+ setuptools \
+ wheel
 
 ###
 # We're using Lambda, but we need to install pshtt locally because the
@@ -67,7 +70,7 @@ RUN pip install --no-cache-dir --upgrade pip setuptools
 # the file. (trustymail imports only in the scan function, so it
 # isn't required here.)
 ###
-RUN pip install --no-cache-dir --upgrade pshtt==0.6.10
+RUN pip3 install --no-cache-dir --upgrade pshtt==0.6.10
 
 ###
 # Install domain-scan
@@ -80,7 +83,7 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN mkdir ${CISA_HOME}/domain-scan \
  && curl --location https://github.com/cisagov/domain-scan/tarball/master \
  | tar --extract --gzip --strip-components 1 --directory ${CISA_HOME}/domain-scan/
-RUN pip install --no-cache-dir --upgrade \
+RUN pip3 install --no-cache-dir --upgrade \
  --requirement ${CISA_HOME}/domain-scan/requirements.txt
 
 ###