Merge pull request #4 from cisagov/lineage/skeleton
Lineage pull request for: skeleton
jsf9k authored Aug 6, 2024
2 parents c455048 + 4122791 commit acf9fc2
Showing 12 changed files with 333 additions and 141 deletions.
14 changes: 14 additions & 0 deletions .github/CODEOWNERS
Expand Up @@ -8,3 +8,17 @@
# These folks own any files in the .github directory at the root of
# the repository and any of its subdirectories.
/.github/ @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj

# These folks own all linting configuration files.
/.ansible-lint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.bandit.yml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.flake8 @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.isort.cfg @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.mdl_config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.pre-commit-config.yaml @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.prettierignore @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/.yamllint @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/requirements.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/requirements-dev.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/requirements-test.txt @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
/setup-env @dav3r @felddy @jasonodoom @jsf9k @mcdonnnj
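Review bot: The comment introducing the new block, `# These folks own all linting configuration files.`, no longer matches the list beneath it, which also claims `/requirements.txt`, `/requirements-dev.txt`, `/requirements-test.txt` and `/setup-env`; the next reader cannot tell whether the requirements files and the setup script were listed deliberately. Reword it to `# These folks own all linting configuration files and the files that pin the development tooling (the requirements files and setup-env).` so the intent survives the next lineage merge. Keep in mind that a CODEOWNERS entry only forces a review when the branch protection rule requires code-owner approval; if that is not enabled for this repository the list is informational only.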
4 changes: 1 addition & 3 deletions .github/dependabot.yml
Expand Up @@ -22,9 +22,7 @@ updates:
# # Managed by cisagov/cyhy-db
# - dependency-name: actions/download-artifact
# - dependency-name: actions/upload-artifact
# - dependency-name: github/codeql-action/analyze
# - dependency-name: github/codeql-action/autobuild
# - dependency-name: github/codeql-action/init
# - dependency-name: github/codeql-action
package-ecosystem: github-actions
schedule:
interval: weekly
120 changes: 67 additions & 53 deletions .github/workflows/build.yml
Expand Up @@ -2,16 +2,31 @@
name: build

on:
push:
merge_group:
types:
- checks_requested
pull_request:
push:
repository_dispatch:
types: [apb]
types:
- apb

# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
# nounset, errexit, and pipefail. The `-x` will print all commands as they are
# run. Please see the GitHub Actions documentation for more information:
# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
defaults:
run:
shell: bash -Eueo pipefail -x {0}

env:
CURL_CACHE_DIR: ~/.cache/curl
PIP_CACHE_DIR: ~/.cache/pip
PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
RUN_TMATE: ${{ secrets.RUN_TMATE }}
TERRAFORM_DOCS_REPO_BRANCH_NAME: improvement/support_atx_closed_markdown_headers
TERRAFORM_DOCS_REPO_DEPTH: 1
TERRAFORM_DOCS_REPO_URL: https://github.com/mcdonnnj/terraform-docs.git

jobs:
diagnostics:
Expand All @@ -27,7 +42,7 @@ jobs:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v3
uses: crazy-max/ghaction-github-status@v4
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
Expand All @@ -45,20 +60,20 @@ jobs:
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: "3.11"
python-version: ${{ steps.setup-env.outputs.python-version }}
# We need the Go version and Go cache location for the actions/cache step,
# so the Go installation must happen before that.
- id: setup-go
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
# There is no expectation for actual Go code so we disable caching as
# it relies on the existence of a go.sum file.
cache: false
go-version: "1.20"
- name: Lookup Go cache directory
id: go-cache
go-version: ${{ steps.setup-env.outputs.go-version }}
- id: go-cache
name: Lookup Go cache directory
run: |
echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
- uses: actions/cache@v3
Expand All @@ -69,6 +84,14 @@ jobs:
packer${{ steps.setup-env.outputs.packer-version }}-\
tf${{ steps.setup-env.outputs.terraform-version }}-"
with:
# We do not use '**/setup.py' in the cache key so only the 'setup.py'
# file in the root of the repository is used. This is in case a Python
# package were to have a 'setup.py' as part of its internal codebase.
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements-test.txt') }}-\
${{ hashFiles('**/requirements.txt') }}-\
${{ hashFiles('**/.pre-commit-config.yaml') }}-\
${{ hashFiles('setup.py') }}"
# Note that the .terraform directory IS NOT included in the
# cache because if we were caching, then we would need to use
# the `-upgrade=true` option. This option blindly pulls down the
Expand All @@ -80,14 +103,6 @@ jobs:
${{ env.PRE_COMMIT_CACHE_DIR }}
${{ env.CURL_CACHE_DIR }}
${{ steps.go-cache.outputs.dir }}
# We do not use '**/setup.py' in the cache key so only the 'setup.py'
# file in the root of the repository is used. This is in case a Python
# package were to have a 'setup.py' as part of its internal codebase.
key: "${{ env.BASE_CACHE_KEY }}\
${{ hashFiles('**/requirements-test.txt') }}-\
${{ hashFiles('**/requirements.txt') }}-\
${{ hashFiles('**/.pre-commit-config.yaml') }}-\
${{ hashFiles('setup.py') }}"
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Setup curl cache
Expand All @@ -105,34 +120,46 @@ jobs:
${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}"
sudo mv /usr/local/bin/packer /usr/local/bin/packer-default
sudo ln -s /opt/packer/packer /usr/local/bin/packer
- uses: hashicorp/setup-terraform@v2
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install go-critic
env:
PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install goimports
env:
PACKAGE_URL: golang.org/x/tools/cmd/goimports
PACKAGE_VERSION: ${{ steps.setup-env.outputs.goimports-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install gosec
env:
PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install shfmt
env:
PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install staticcheck
env:
PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install Terraform-docs
env:
PACKAGE_URL: github.com/terraform-docs/terraform-docs
PACKAGE_VERSION: ${{ steps.setup-env.outputs.terraform-docs-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
# TODO: https://github.com/cisagov/skeleton-generic/issues/165
# We are temporarily using @mcdonnnj's forked branch of terraform-docs
# until his PR: https://github.com/terraform-docs/terraform-docs/pull/745
# is approved. This temporary fix will allow for ATX header support when
# terraform-docs is run during linting.
- name: Clone ATX headers branch from terraform-docs fork
run: |
git clone \
--branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \
--depth $TERRAFORM_DOCS_REPO_DEPTH \
--single-branch \
$TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs
- name: Build and install terraform-docs binary
run: |
go build \
-C /tmp/terraform-docs \
-o $(go env GOPATH)/bin/terraform-docs
- name: Install dependencies
run: |
python -m pip install --upgrade pip setuptools wheel
Expand All @@ -148,22 +175,17 @@ jobs:
name: test source - py${{ matrix.python-version }}
needs:
- diagnostics
runs-on: ${{ matrix.os }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
python-version:
- "3.7"
- "3.8"
- "3.9"
- "3.10"
- "3.11"
- "3.12"
include:
- os: ubuntu-20.04
python-version: "3.6"
steps:
- id: harden-runner
name: Harden the runner
Expand All @@ -172,7 +194,7 @@ jobs:
egress-policy: audit
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- uses: actions/cache@v3
Expand Down Expand Up @@ -221,10 +243,12 @@ jobs:
with:
egress-policy: audit
- uses: actions/checkout@v4
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- id: setup-python
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: "3.10"
python-version: ${{ steps.setup-env.outputs.python-version }}
- uses: actions/cache@v3
env:
BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
Expand Down Expand Up @@ -257,22 +281,17 @@ jobs:
- diagnostics
- lint
- test
runs-on: ${{ matrix.os }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
python-version:
- "3.7"
- "3.8"
- "3.9"
- "3.10"
- "3.11"
- "3.12"
include:
- os: ubuntu-20.04
python-version: "3.6"
steps:
- id: harden-runner
name: Harden the runner
Expand All @@ -281,7 +300,7 @@ jobs:
egress-policy: audit
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- uses: actions/cache@v3
Expand All @@ -305,7 +324,7 @@ jobs:
- name: Build artifacts
run: python -m build
- name: Upload artifacts
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: dist-${{ matrix.python-version }}
path: dist
Expand All @@ -317,22 +336,17 @@ jobs:
needs:
- diagnostics
- build
runs-on: ${{ matrix.os }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
python-version:
- "3.7"
- "3.8"
- "3.9"
- "3.10"
- "3.11"
- "3.12"
include:
- os: ubuntu-20.04
python-version: "3.6"
steps:
- id: harden-runner
name: Harden the runner
Expand All @@ -341,7 +355,7 @@ jobs:
egress-policy: audit
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v4
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- uses: actions/cache@v3
Expand All @@ -359,7 +373,7 @@ jobs:
restore-keys: |
${{ env.BASE_CACHE_KEY }}
- name: Retrieve the built wheel
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: dist-${{ matrix.python-version }}
path: dist
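Review bot: The `Clone ATX headers branch from terraform-docs fork` step in the `@@ -105,34 +120,46 @@` hunk checks out a moving branch (`--branch $TERRAFORM_DOCS_REPO_BRANCH_NAME`) of a personal fork and the next step installs whatever it built into `$(go env GOPATH)/bin`, so the binary that runs in this job is not pinned or verified in any way, unlike the other tools, which are installed at `${{ steps.setup-env.outputs.*-version }}`. Pin the fork to a commit: add `TERRAFORM_DOCS_REPO_COMMIT: <pinned-commit-sha>` to the workflow `env` and follow the clone with `test "$(git -C /tmp/terraform-docs rev-parse HEAD)" = "$TERRAFORM_DOCS_REPO_COMMIT"`, so the job fails instead of silently building something else if the branch moves; the TODO above the step already ties this to upstream PR 745, so the pin can be removed together with the fork once that lands. The same two steps leave `$TERRAFORM_DOCS_REPO_URL` and `$(go env GOPATH)` unquoted; with the new `-Eueo pipefail` defaults that is harmless today, but quoting them is cheap. The job these steps belong to (presumably `lint`, given the `needs` list further down) starts and ends outside the hunk.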
6 changes: 3 additions & 3 deletions .github/workflows/codeql-analysis.yml
Expand Up @@ -67,15 +67,15 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}

# Autobuild attempts to build any compiled languages (C/C++, C#, or
# Java). If this step fails, then you should remove it and run the build
# manually (see below).
- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@v3

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
Expand All @@ -89,4 +89,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@v3
24 changes: 24 additions & 0 deletions .github/workflows/sync-labels.yml
Expand Up @@ -11,14 +11,38 @@ permissions:
contents: read

jobs:
diagnostics:
name: Run diagnostics
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v3
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
labeler:
needs:
- diagnostics
permissions:
# actions/checkout needs this to fetch code
contents: read
# crazy-max/ghaction-github-labeler needs this to manage repository labels
issues: write
runs-on: ubuntu-latest
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- name: Sync repository labels
if: success()
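Review bot: The new `diagnostics` job in sync-labels.yml pins `crazy-max/ghaction-github-status@v3`, while the same commit moves the identical step in build.yml to `@v4`, so the two workflows now run different major versions of the same action and the copy here will drift again at the next lineage merge. Change the line to `uses: crazy-max/ghaction-github-status@v4` to keep them aligned, assuming the v4 bump in build.yml was intentional. The new `labeler` job's own `permissions` block (`contents: read`, `issues: write`) is the right shape; `diagnostics` carries no block of its own and so inherits the workflow-level `contents: read`, which is sufficient for the three steps it runs. The `labeler` job continues past the end of the hunk.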