From 60b612ded599d0a24b99c9aa24e33a1f7ba8f598 Mon Sep 17 00:00:00 2001 From: David Redmin Date: Thu, 26 Aug 2021 09:56:34 -0400 Subject: [PATCH 01/45] Enable terraform validate pre-commit hook This hook should now work as expected in most, if not all of our repos now that we are finally updating to terraform 0.13.x (on our way to 1.0.x). --- .pre-commit-config.yaml | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5f06453..da27f36 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -117,22 +117,7 @@ repos: rev: v1.50.0 hooks: - id: terraform_fmt - # There are ongoing issues with how this command works. This issue - # documents the core issue: - # https://github.com/hashicorp/terraform/issues/21408 - # We have seen issues primarily with proxy providers and Terraform code - # that uses remote state. The PR - # https://github.com/hashicorp/terraform/pull/24887 - # has been approved and is part of the 0.13 release to resolve the issue - # with remote states. - # The PR - # https://github.com/hashicorp/terraform/pull/24896 - # is a proprosed fix to deal with `terraform validate` with proxy - # providers (among other configurations). - # We have decided to disable the terraform_validate hook until the issues - # above have been resolved, which we hope will be with the release of - # Terraform 0.13. - # - id: terraform_validate + - id: terraform_validate # Docker hooks - repo: https://github.com/IamTheFij/docker-pre-commit From 6a7fbf07bd371d0493c523ce24647e5c04c77c03 Mon Sep 17 00:00:00 2001 From: David Redmin Date: Thu, 26 Aug 2021 15:33:59 -0400 Subject: [PATCH 02/45] Temporarily use cisagov/setup-env-github-action@improvement/support_tf_0.13 This change will be reverted when testing is completed. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6aa2aeb..b2b73fd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -17,7 +17,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: cisagov/setup-env-github-action@develop + - uses: cisagov/setup-env-github-action@improvement/support_tf_0.13 - uses: actions/checkout@v2 - id: setup-python uses: actions/setup-python@v2 From 895a692ad8dfc3df50b1c2c9a79bca7166b5f5f2 Mon Sep 17 00:00:00 2001 From: David Redmin Date: Fri, 27 Aug 2021 13:02:00 -0400 Subject: [PATCH 03/45] Remove lint job step to initialize Terraform directories Initialization will now be done during the "terraform validate" step. --- .github/workflows/build.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b2b73fd..f276a36 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -84,13 +84,6 @@ jobs: run: | go install \ github.com/terraform-docs/terraform-docs@${TERRAFORM_DOCS_VERSION} - - name: Find and initialize Terraform directories - run: | - for path in $(find . -not \( -type d -name ".terraform" -prune \) \ - -type f -iname "*.tf" -exec dirname "{}" \; | sort -u); do \ - echo "Initializing '$path'..."; \ - terraform init -input=false -backend=false "$path"; \ - done - name: Install dependencies run: | python -m pip install --upgrade pip From b51dbb577e02baff361a6494e22f61aa517e28d4 Mon Sep 17 00:00:00 2001 From: David Redmin Date: Fri, 27 Aug 2021 14:59:29 -0400 Subject: [PATCH 04/45] Revert "Temporarily use cisagov/setup-env-github-action@improvement/support_tf_0.13" This reverts commit 6a7fbf07bd371d0493c523ce24647e5c04c77c03. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f276a36..090f039 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -17,7 +17,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: cisagov/setup-env-github-action@improvement/support_tf_0.13 + - uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v2 - id: setup-python uses: actions/setup-python@v2 From de7e2d437c4d2bd34a1df4f253ad3cd55bacecb6 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 6 Oct 2021 13:28:59 -0400 Subject: [PATCH 05/45] Add Python 3.10 to GHA version matrices Add Python 3.10 to the matrices of versions used by the `test` and `build` steps. --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6cc2c5c..24e9b28 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -115,6 +115,7 @@ jobs: - 3.7 - 3.8 - 3.9 + - 3.10 steps: - uses: actions/checkout@v2 - id: setup-python @@ -200,6 +201,7 @@ jobs: - 3.7 - 3.8 - 3.9 + - 3.10 steps: - uses: actions/checkout@v2 - id: setup-python From c8fa763aee64d6016d06a700f28bf8f67cfb8fa7 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 6 Oct 2021 13:43:41 -0400 Subject: [PATCH 06/45] Force strings for GHA version matrices Ensure that the versions listed in the version matrices used by the `test` and `build` jobs are interpreted as strings. Without this change the version `3.10` is interpreted as `3.1` when converted to a fixnum. Since these are intended to be interpreted as string values we should enforce it for all versions listed. --- .github/workflows/build.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 24e9b28..a2ec81a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -111,11 +111,11 @@ jobs: strategy: matrix: python-version: - - 3.6 - - 3.7 - - 3.8 - - 3.9 - - 3.10 + - "3.6" + - "3.7" + - "3.8" + - "3.9" + - "3.10" steps: - uses: actions/checkout@v2 - id: setup-python @@ -197,11 +197,11 @@ jobs: strategy: matrix: python-version: - - 3.6 - - 3.7 - - 3.8 - - 3.9 - - 3.10 + - "3.6" + - "3.7" + - "3.8" + - "3.9" + - "3.10" steps: - uses: actions/checkout@v2 - id: setup-python From b66988de8c7547e456d570f718244b54a39e79e8 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 29 Sep 2021 13:34:39 -0400 Subject: [PATCH 07/45] Update pre-commit hooks Update pre-commit hooks using `pre-commit autoupdate`. The `ansible-lint` hook is intentionally held back due to issues with switching to v5. --- .pre-commit-config.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index da27f36..3171404 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,17 +31,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.28.1 + rev: v0.29.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v2.3.2 + rev: v2.4.1 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.26.2 + rev: v1.26.3 hooks: - id: yamllint args: @@ -49,7 +49,7 @@ repos: # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v2.14.0 + rev: v2.15.0 hooks: - id: validate_manifest @@ -81,7 +81,7 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 21.7b0 + rev: 21.9b0 hooks: - id: black - repo: https://gitlab.com/pycqa/flake8 
@@ -95,11 +95,11 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v0.910 + rev: v0.910-1 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v2.23.3 + rev: v2.29.0 hooks: - id: pyupgrade @@ -114,7 +114,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.50.0 + rev: v1.52.0 hooks: - id: terraform_fmt - id: terraform_validate From b78b83226904126138ad1bdc1fc37e44ed7c2d41 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Oct 2021 13:01:56 -0400 Subject: [PATCH 08/45] Update the ansible-lint version for pre-commit --- .pre-commit-config.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3171404..d83fdbc 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -105,9 +105,7 @@ repos: # Ansible hooks - repo: https://github.com/ansible-community/ansible-lint - # This is intentionally being held back because of issues in v5 per - # https://github.com/cisagov/skeleton-ansible-role/issues/69 - rev: v4.3.7 + rev: v5.2.1 hooks: - id: ansible-lint # files: molecule/default/playbook.yml From a3c5aa71cf2e8497bb0581b09bbf2978b6a96fc6 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Oct 2021 13:05:45 -0400 Subject: [PATCH 09/45] Add an ansible-lint configuration file This file is copied from cisagov/skeleton-ansible-role#85 and tweaked to pass pre-commit. See here for for a list of the elements that can exist in this file: https://ansible-lint.readthedocs.io/en/latest/configuring.html Co-authored-by: Shane Frasier --- .ansible-lint | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .ansible-lint diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..bc8e0e5 --- /dev/null +++ b/.ansible-lint 
@@ -0,0 +1,22 @@ +--- +# See https://ansible-lint.readthedocs.io/en/latest/configuring.html +# for a list of the configuration elements that can exist in this +# file. +enable_list: + # Useful checks that one must opt-into. See here for more details: + # https://ansible-lint.readthedocs.io/en/latest/rules.html + - fcqn-builtins + - no-log-password + - no-same-owner +exclude_paths: + # This exclusion is implicit, unless exclude_paths is defined + - .cache + # Seems wise to ignore this too + - .github + # ansible-lint doesn't like the role name in this playbook, but it's + # what molecule requires + - molecule/default/converge.yml + # These two are Molecule configuration files, not Ansible playbooks + - molecule/default/molecule-no-systemd.yml + - molecule/default/molecule-with-systemd.yml +use_default_rules: true From 24df40abd141eb93c056df90a7809fd8573d5328 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 8 Oct 2021 12:19:14 -0400 Subject: [PATCH 10/45] Add dependabot configuration for Terraform This will configure `dependabot` to scan Terraform configurations if they exist in a repository. If a repository stores a Terraform configuration in a sub- directory this configuration will need to be modified or an additional configuration must be added if there still exists a Terraform configuration in the root directory. --- .github/dependabot.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1fd2ed3..a3bcd94 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,3 +11,8 @@ updates: directory: "/" schedule: interval: "weekly" + + - package-ecosystem: "terraform" + directory: "/" + schedule: + interval: "weekly" From 6cf78c02e11f78ebc35a151a38f4280bb0f8e53c Mon Sep 17 00:00:00 2001 
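Review bot: The opt-in rule `fcqn-builtins` under `enable_list` appears to be misspelled; the ansible-lint rule that enforces fully qualified collection names is `fqcn-builtins`, so as written the check this entry is meant to switch on would not run. Whether ansible-lint of this version rejects an unknown rule id or silently ignores it I cannot confirm from the page, but either way the intended check is lost. Change the entry to `  - fqcn-builtins`. The other two entries, `no-log-password` and `no-same-owner`, match the documented rule names.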
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 30 Sep 2021 01:00:47 -0400 Subject: [PATCH 11/45] Use an id when using cisagov/setup-env-github-action --- .github/workflows/build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 090f039..18a327f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -17,7 +17,8 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: cisagov/setup-env-github-action@develop + - id: setup-env + uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v2 - id: setup-python uses: actions/setup-python@v2 From 1e16136272bfd8d55dcb554c4c1ee059223fafe7 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 30 Sep 2021 11:33:00 -0400 Subject: [PATCH 12/45] Use setup-env outputs for Terraform version Change from using an environment variable to the outputs of the cisagov/setup-env-github-action instead. --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 18a327f..eb0f504 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -44,7 +44,7 @@ jobs: py${{ steps.setup-python.outputs.python-version }}-\ go${{ env.GO_VERSION }}-\ packer${{ env.PACKER_VERSION }}-\ - tf${{ env.TERRAFORM_VERSION }}-" + tf${{ steps.setup-env.outputs.terraform-version }}-" with: # Note that the .terraform directory IS NOT included in the # cache because if we were caching, then we would need to use 
@@ -78,7 +78,7 @@ jobs: sudo ln -s /opt/packer/packer /usr/local/bin/packer - uses: hashicorp/setup-terraform@v1 with: - terraform_version: ${{ env.TERRAFORM_VERSION }} + terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - name: Install shfmt run: go install mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION} - name: Install Terraform-docs From 64b24714ac3f06a2fc2f5d9096eca29ecac41e47 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Oct 2021 11:03:19 -0400 Subject: [PATCH 13/45] Use setup-env outputs for Packer version We use a `PACKER_VERSION` environment variable for the "Install Packer" step that is populated from the `setup-env` outputs to get around `yamllint` lint length limits. --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index eb0f504..e6ef7ce 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -43,7 +43,7 @@ jobs: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-\ go${{ env.GO_VERSION }}-\ - packer${{ env.PACKER_VERSION }}-\ + packer${{ steps.setup-env.outputs.packer-version }}-\ tf${{ steps.setup-env.outputs.terraform-version }}-" with: # Note that the .terraform directory IS NOT included in the @@ -66,6 +66,8 @@ jobs: - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - name: Install Packer + env: + PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }} run: | PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip" curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \ From 0851598edda3bf21d0976b4c2fa615e15cbec8e4 Mon Sep 17 00:00:00 2001 
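Review bot: Passing the Packer version into the step through `env:` instead of interpolating `${{ }}` directly into `run:` is the right shape, but the archive fetched on the `curl --output` line is still used at face value: nothing in the hunk verifies `packer_${PACKER_VERSION}_linux_amd64.zip` before it is unpacked and linked into `/usr/local/bin/packer` (see the `sudo ln -s` context line in the previous hunk). With the version string now originating from the outputs of `cisagov/setup-env-github-action@develop`, a floating branch ref, a checksum comparison against the matching published SHA256SUMS file — e.g. `sha256sum --check --ignore-missing` run in the cache directory before the unzip — is what would catch a swapped or truncated download. The `run:` block continues past the end of the hunk, so the verification would be added there, after the download and before the unzip.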
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Oct 2021 11:08:15 -0400 Subject: [PATCH 14/45] Use setup-env outputs for shfmt version We change the "Install shfmt" step to use two local environment variables to provide the package's URL and version to install. This allows us to work around `yamllint` line length limits. --- .github/workflows/build.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e6ef7ce..f0f39b2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -82,7 +82,10 @@ jobs: with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - name: Install shfmt - run: go install mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION} + env: + PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt + PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Terraform-docs run: | go install \ From 2699e09eb7e81ccd73d5f668345ad711dc162dc5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Oct 2021 11:11:11 -0400 Subject: [PATCH 15/45] Use setup-env outputs for Terraform-docs version We change the "Install Terraform-docs" step to use two local environment variables to provide the package's URL and version to install. This allows us to work around `yamllint` line length limits. --- .github/workflows/build.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f0f39b2..c7141c1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -87,9 +87,10 @@ jobs: PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install Terraform-docs - run: | - go install \ - github.com/terraform-docs/terraform-docs@${TERRAFORM_DOCS_VERSION} + env: + PACKAGE_URL: github.com/terraform-docs/terraform-docs + PACKAGE_VERSION: ${{ steps.setup-env.outputs.terraform-docs-version }} + run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install dependencies run: | python -m pip install --upgrade pip From 8797e110d3c9cefbfe7e72a80496164bcdd7620a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Oct 2021 11:49:45 -0400 Subject: [PATCH 16/45] Store Go version as a step output This changes from using an environment variable to using a step output to store the Go version that is installed. This mirrors changes made to the other program versions and how they're stored. --- .github/workflows/build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c7141c1..7be2ce8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -24,16 +24,16 @@ jobs: uses: actions/setup-python@v2 with: python-version: 3.9 - # GO_VERSION and GOCACHE are used by the cache task, so the Go - # installation must happen before that. + # We need the Go version and Go cache location for the actions/cache step, + # so the Go installation must happen before that. - uses: actions/setup-go@v2 with: go-version: '1.16' - name: Store installed Go version + id: go-version run: | - echo "GO_VERSION="\ - "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" \ - >> $GITHUB_ENV + echo "::set-output name=version::"\ + "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" - name: Lookup Go cache directory id: go-cache run: | 
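Review bot: The new `run:` body of the "Store installed Go version" step sets the output with the `::set-output` workflow command, which GitHub deprecated in October 2022 in favour of appending to the `$GITHUB_OUTPUT` file; current runners print a deprecation warning for it and it is scheduled to stop working. The equivalent single line is `echo "version=$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" >> "$GITHUB_OUTPUT"`, which also removes the two-line string concatenation. The consumer in the following hunk, `steps.go-version.outputs.version` in `BASE_CACHE_KEY`, needs no change.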
@@ -42,7 +42,7 @@ jobs: env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-\ - go${{ env.GO_VERSION }}-\ + go${{ steps.go-version.outputs.version }}-\ packer${{ steps.setup-env.outputs.packer-version }}-\ tf${{ steps.setup-env.outputs.terraform-version }}-" with: From 6a10135f8155b0128a0019d451bc9673a0c463ee Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 27 Oct 2021 21:50:51 -0400 Subject: [PATCH 17/45] Update ansible-lint configuration Remove the manual exclusion of the `converge.yml` file in the default molecule scenario. With the changes in cisagov/skeleton-ansible-role#88 this exclusion is no longer necessary. --- .ansible-lint | 3 --- 1 file changed, 3 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index bc8e0e5..08c1ae7 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -13,9 +13,6 @@ exclude_paths: - .cache # Seems wise to ignore this too - .github - # ansible-lint doesn't like the role name in this playbook, but it's - # what molecule requires - - molecule/default/converge.yml # These two are Molecule configuration files, not Ansible playbooks - molecule/default/molecule-no-systemd.yml - molecule/default/molecule-with-systemd.yml From 4b912fe7caf317793606afc626d19a4b840d4f2e Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 27 Oct 2021 21:53:10 -0400 Subject: [PATCH 18/45] Update ansible-lint configuration Instead of excluding molecule configurations for systemd individually we instead direct ansible-lint to process any of these configurations in scenario directories as plain yaml files. This mirrors how ansible-lint handles `molecule.yml` files in scenario directories by default. --- .ansible-lint | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 08c1ae7..0e80b05 100644 --- a/.ansible-lint +++ b/.ansible-lint 
@@ -13,7 +13,10 @@ exclude_paths: - .cache # Seems wise to ignore this too - .github - # These two are Molecule configuration files, not Ansible playbooks - - molecule/default/molecule-no-systemd.yml - - molecule/default/molecule-with-systemd.yml +kinds: + # This will force our systemd specific molecule configurations to be treated + # as plain yaml files by ansible-lint. This mirrors the default kind + # configuration in ansible-lint for molecule configurations: + # yaml: "**/molecule/*/{base,molecule}.{yaml,yml}" + - yaml: "**/molecule/*/molecule-{no,with}-systemd.yml" use_default_rules: true From d0c117f1636b8b18ac675e71f5ffc8b0f4397ed6 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 29 Oct 2021 15:11:45 -0400 Subject: [PATCH 19/45] Disable fail-fast for matrix GHA jobs Override the default by setting `fail-fast` to `false` for the test and build jobs in our GHA build workflow. This ensure that all matrix jobs run regardless of a failure. --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a2ec81a..31d1120 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -109,6 +109,7 @@ jobs: test: runs-on: ubuntu-latest strategy: + fail-fast: false matrix: python-version: - "3.6" @@ -195,6 +196,7 @@ jobs: runs-on: ubuntu-latest needs: [lint, test] strategy: + fail-fast: false matrix: python-version: - "3.6" From 3f370ebddeb80461a609e0ac1c51e4c1dfb04652 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 17 Nov 2021 12:22:15 -0500 Subject: [PATCH 20/45] Update pre-commit hooks Update pre-commit hooks using `pre-commit autoupdate`. --- .pre-commit-config.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d83fdbc..b8dcbe0 100644 
--- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,7 +5,7 @@ default_language_version: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.0.1 + rev: v4.1.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -31,13 +31,13 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.29.0 + rev: v0.30.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v2.4.1 + rev: v2.5.1 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint @@ -49,7 +49,7 @@ repos: # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v2.15.0 + rev: v2.16.0 hooks: - id: validate_manifest @@ -75,13 +75,13 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.0 + rev: 1.7.1 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 21.9b0 + rev: 21.12b0 hooks: - id: black - repo: https://gitlab.com/pycqa/flake8 @@ -91,28 +91,28 @@ repos: additional_dependencies: - flake8-docstrings - repo: https://github.com/PyCQA/isort - rev: 5.9.3 + rev: 5.10.1 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v0.910-1 + rev: v0.931 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v2.29.0 + rev: v2.31.0 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible-community/ansible-lint - rev: v5.2.1 + rev: v5.3.2 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.52.0 + rev: v1.62.3 hooks: - id: terraform_fmt - id: terraform_validate From 3dac9898ee7416aac9611842315175f4c7755fad Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 3 Feb 2022 10:10:54 -0500 Subject: [PATCH 21/45] Add Python 3.10 to package classifiers This was missed when we added testing/building for Python 3.10. --- setup.py | 1 + 1 file changed, 1 insertion(+) diff --git a/setup.py b/setup.py index 14bd3fd..f123137 100644 --- a/setup.py +++ b/setup.py @@ -78,6 +78,7 @@ def get_version(version_file): "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", + "Programming Language :: Python :: 3.10", ], python_requires=">=3.6", # What does your project relate to? From ad71ef369b933e709e051873c50298e2ddaf2345 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 23 Feb 2022 20:11:49 -0500 Subject: [PATCH 22/45] Update pre-commit hooks Update pre-commit hooks using `pre-commit autoupdate`. --- .pre-commit-config.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b8dcbe0..e6dc7b7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,7 +31,7 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.30.0 + rev: v0.31.1 hooks: - id: markdownlint args: @@ -49,7 +49,7 @@ repos: # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v2.16.0 + rev: v2.17.0 hooks: - id: validate_manifest @@ -75,13 +75,13 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.1 + rev: 1.7.2 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 21.12b0 + rev: 22.1.0 hooks: - id: black - repo: https://gitlab.com/pycqa/flake8 
@@ -105,14 +105,14 @@ repos: # Ansible hooks - repo: https://github.com/ansible-community/ansible-lint - rev: v5.3.2 + rev: v5.4.0 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.62.3 + rev: v1.64.0 hooks: - id: terraform_fmt - id: terraform_validate From a05b45adf9d817ee50357470363e212c4b6f81a0 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 25 Feb 2022 08:26:08 -0500 Subject: [PATCH 23/45] Add comment to Dependabot configuration This comment explains that the configuration may have commented out ignore directives that should be uncommented in downstream projects. --- .github/dependabot.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a3bcd94..5792ed9 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,5 +1,10 @@ --- +# Any ignore directives should be uncommented in downstream projects to disable +# Dependabot updates for the given dependency. Downstream projects will get +# these updates when the pull request(s) in the appropriate skeleton are merged +# and Lineage processes these changes. + version: 2 updates: - package-ecosystem: "github-actions" From 77b20ab3d7822b66715db168240b25e72d1c4ed0 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 25 Feb 2022 08:27:32 -0500 Subject: [PATCH 24/45] Disable comments-indentation rule for yamllint yamllint does not like it when you comment out pieces of dictionaries in lists. Upcoming additions to the Dependabot configuration will run afoul of this so we are updating the yamllint configuration. --- .yamllint | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.yamllint b/.yamllint index 7ed00eb..76a1cce 100644 --- a/.yamllint +++ b/.yamllint 
@@ -2,6 +2,12 @@ extends: default rules: + # yamllint does not like it when you comment out different parts of + # dictionaries in a list. You can see + # https://github.com/adrienverge/yamllint/issues/384 for some examples of + # this behavior. + comments-indentation: disable + # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable From 706bdeda5a2adbf27919a217603aa127d63975f8 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 25 Feb 2022 11:21:37 -0500 Subject: [PATCH 25/45] Use asterisks for emphasis- and strong-styles Given the inconsistent behavior of underscores used within words for style we should prefer asterisks now that these rules are available. --- .mdl_config.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.mdl_config.yaml b/.mdl_config.yaml index b36f943..15a1a7c 100644 --- a/.mdl_config.yaml +++ b/.mdl_config.yaml @@ -48,3 +48,13 @@ MD035: MD046: # Enforce the fenced style for code blocks style: "fenced" + +# MD049/emphasis-style - Emphasis style should be consistent +MD049: + # Enforce asterisks as the style to use for emphasis + style: "asterisk" + +# MD050/strong-style - Strong style should be consistent +MD050: + # Enforce asterisks as the style to use for strong + style: "asterisk" From 7868a35e1097d291a73edb22fae3aa9017ec3768 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 25 Feb 2022 11:23:25 -0500 Subject: [PATCH 26/45] Add missing hyphen in markdownlint rule header --- .mdl_config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.mdl_config.yaml b/.mdl_config.yaml index 15a1a7c..4a650c1 100644 --- a/.mdl_config.yaml +++ b/.mdl_config.yaml 
@@ -44,7 +44,7 @@ MD035: # Enforce dashes for horizontal rules style: "---" -# MD046/code-block-style Code block style +# MD046/code-block-style - Code block style MD046: # Enforce the fenced style for code blocks style: "fenced" From 4ee1bfd96b83aa1d8fda363d0a8e93db9acc395a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Feb 2022 18:02:16 +0000 Subject: [PATCH 27/45] Bump actions/setup-python from 2 to 3 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2 to 3. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7be2ce8..f15dacc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,7 +21,7 @@ jobs: uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v2 - id: setup-python - uses: actions/setup-python@v2 + uses: actions/setup-python@v3 with: python-version: 3.9 # We need the Go version and Go cache location for the actions/cache step, From da5ca8f5d5cf6f6eb6a641723d04daacbe4fcec2 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 3 Feb 2022 10:16:38 -0500 Subject: [PATCH 28/45] Bump version from 0.0.1 to 0.1.0 --- src/example/_version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/example/_version.py b/src/example/_version.py index 33cee84..5eb9b0e 100644 --- a/src/example/_version.py +++ b/src/example/_version.py @@ -1,2 +1,2 @@ """This file defines the version of this module.""" -__version__ = "0.0.1" +__version__ = "0.1.0" 
From 3406c2d4207140951e6442f797d699e0336da2e1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 7 Mar 2022 18:01:37 +0000 Subject: [PATCH 29/45] Bump actions/checkout from 2 to 3 Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7be2ce8..a6e092e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,7 +19,7 @@ jobs: steps: - id: setup-env uses: cisagov/setup-env-github-action@develop - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - id: setup-python uses: actions/setup-python@v2 with: From 9a0380870ca93c2417956c1c959d9286588f4fec Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 28 Mar 2022 16:19:18 -0400 Subject: [PATCH 30/45] Update pre-commit hooks Update pre-commit hooks using `pre-commit autoupdate`. The `ansible-lint` hook is intentionally held back due to issues with upgrading to v6. --- .pre-commit-config.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e6dc7b7..d991216 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v2.5.1 + rev: v2.6.1 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint 
@@ -75,13 +75,13 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.2 + rev: 1.7.4 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 22.1.0 + rev: 22.3.0 hooks: - id: black - repo: https://gitlab.com/pycqa/flake8 @@ -95,11 +95,11 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v0.931 + rev: v0.942 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v2.31.0 + rev: v2.31.1 hooks: - id: pyupgrade @@ -119,7 +119,7 @@ repos: # Docker hooks - repo: https://github.com/IamTheFij/docker-pre-commit - rev: v2.0.1 + rev: v2.1.0 hooks: - id: docker-compose-check From 511a37cf1ecc9283f7a6793322067aa712d1abc4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 28 Mar 2022 16:26:36 -0400 Subject: [PATCH 31/45] Add Dependabot ignore directives This adds commented out ignore directives for the following GitHub Actions: - action/cache - action/checkout - action/setup-python These should be uncommented downstream to ensure that updates to these dependencies are pushed from pull requests made in the skeleton. --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5792ed9..208659c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,6 +11,10 @@ updates: directory: "/" schedule: interval: "weekly" + # ignore: + # - dependency-name: actions/cache + # - dependency-name: actions/checkout + # - dependency-name: actions/setup-python - package-ecosystem: "pip" directory: "/" From 583992602c3815cd5c1b8338f12df83b1721883b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 28 Mar 2022 16:29:30 -0400 Subject: [PATCH 32/45] Upgrade from Python 3.9 to 3.10 for the `lint` job in GHA --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7be2ce8..56de702 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -23,7 +23,7 @@ jobs: - id: setup-python uses: actions/setup-python@v2 with: - python-version: 3.9 + python-version: "3.10" # We need the Go version and Go cache location for the actions/cache step, # so the Go installation must happen before that. - uses: actions/setup-go@v2 From e22c12cbd467cac3e43298c67380b244da936782 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 28 Mar 2022 16:35:59 -0400 Subject: [PATCH 33/45] Use consistent quoting for software versions --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 56de702..917af8a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -28,7 +28,7 @@ jobs: # so the Go installation must happen before that. - uses: actions/setup-go@v2 with: - go-version: '1.16' + go-version: "1.16" - name: Store installed Go version id: go-version run: | From c576ef56fbe70907da23a464b29eb243a6d5361b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Apr 2022 16:22:39 +0000 Subject: [PATCH 34/45] Bump actions/cache from 2 to 3 Bumps [actions/cache](https://github.com/actions/cache) from 2 to 3. - [Release notes](https://github.com/actions/cache/releases) - [Commits](https://github.com/actions/cache/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 264d488..ef95f3f 100644 --- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml @@ -38,7 +38,7 @@ jobs: id: go-cache run: | echo "::set-output name=dir::$(go env GOCACHE)" - - uses: actions/cache@v2 + - uses: actions/cache@v3 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-\ From 4d37032f8274811f8c2e5047a7fd5a134d2cd22b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Apr 2022 15:41:49 -0400 Subject: [PATCH 35/45] Enable Dependabot ignore directives This enables the Dependabot ignore directives for GitHub Actions. --- .github/dependabot.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 208659c..48e226b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,10 +11,10 @@ updates: directory: "/" schedule: interval: "weekly" - # ignore: - # - dependency-name: actions/cache - # - dependency-name: actions/checkout - # - dependency-name: actions/setup-python + ignore: + - dependency-name: actions/cache + - dependency-name: actions/checkout + - dependency-name: actions/setup-python - package-ecosystem: "pip" directory: "/" From 49d87d40e4f2bb6bfbba595c6a643e58b3ceccf9 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Apr 2022 16:46:16 -0400 Subject: [PATCH 36/45] Add pre-commit hooks to validate GitHub Actions content Add hooks to validate GitHub Actions and GitHub Action workflows. These are validated using JSON Schemas. --- .pre-commit-config.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d991216..c5c2e10 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
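Review bot: The `ignore` block enabled in the `.github/dependabot.yml` hunk has no scoping, so a downstream repository will receive no Dependabot pull requests at all for actions/cache, actions/checkout and actions/setup-python, including ones that carry a security fix. The commit message explains that those updates are meant to arrive through the skeleton, but the YAML itself does not say so, and the reason will be lost once the file is copied. A one-line comment above `ignore:` would preserve the intent, e.g. `# Updates to these actions are propagated from the skeleton repository; Dependabot will not open PRs for them here.`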
@@ -47,6 +47,13 @@ repos: args: - --strict + # GitHub Actions hooks + - repo: https://github.com/python-jsonschema/check-jsonschema + rev: 0.14.2 + hooks: + - id: check-github-actions + - id: check-github-workflows + # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit rev: v2.17.0 From 3464799408e0bc24900a7fca247000b1e2b4bbec Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Apr 2022 15:49:47 -0400 Subject: [PATCH 37/45] Add permission scoping for the CodeQL Analyze GHA job This sets permissions around `GITHUB_TOKEN` to the minimum necessary for this workflow. Please see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions for more information. --- .github/workflows/codeql-analysis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 375cd15..4b5dec7 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -21,7 +21,9 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest - + permissions: + # required for all workflows + security-events: write strategy: fail-fast: false matrix: From d03d2c9e776c30a887887cad065fef5689f528c3 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Apr 2022 15:56:46 -0400 Subject: [PATCH 38/45] Update github/codeql-action/init from 1 to 2 Update the comments to better mirror the current documentation for github/codeql-action. Switch to block style for the map of languages. --- .github/workflows/codeql-analysis.yml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4b5dec7..af11ee6 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
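Review bot: In the `codeql-analysis.yml` hunk, adding a job-level `permissions` block sets every scope that is not listed to `none`, so with only `security-events: write` the `analyze` job loses `contents: read` and `actions: read`. On a public repository checkout and CodeQL still work, but if this skeleton is reused for a private repository the job will no longer be able to fetch the source. The minimal set the CodeQL documentation recommends keeps the least-privilege intent without that trap: `actions: read`, `contents: read`, `security-events: write`, with a comment noting that the first two are only needed for private repositories.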
@@ -28,9 +28,9 @@ jobs: fail-fast: false matrix: # Override automatic language detection by changing the below list - # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', - # 'python'] - language: ['python'] + # Supported options are go, javascript, csharp, python, cpp, and java + language: + - python # Learn more... # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection @@ -40,14 +40,9 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a - # config file. By default, queries listed here will override any - # specified in a config file. Prefix the list here with "+" to use - # these queries and those in the config file. queries: - # ./path/to/local/query, your-org/your-repo/queries@main # Autobuild attempts to build any compiled languages (C/C++, C#, or # Java). If this step fails, then you should remove it and run the build From 256cd174e2e5f3addf1a77632f6f3519c4848218 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Apr 2022 15:58:38 -0400 Subject: [PATCH 39/45] Consistently use block style in the CodeQL GHA workflow --- .github/workflows/codeql-analysis.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index af11ee6..0698a9b 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
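Review bot: In the second hunk (`@@ -40,14 +40,9 @@`), removing the explanatory comments leaves `queries:` on the new side as a bare key with no value and no documentation, so it reads like an unfinished edit and passes an empty input to the action. Either drop the line until a suite is actually chosen, or keep a single comment above it such as `# Extra query suites to run in addition to the defaults, e.g. +security-extended`. The first hunk's "Supported options" comment is also likely to drift as CodeQL adds languages; pointing at the documentation link already on the next lines instead of restating the list would avoid that.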
@@ -10,10 +10,12 @@ on: push: # Dependabot triggered push events have read-only access, but uploading code # scanning requires write access. - branches-ignore: [dependabot/**] + branches-ignore: + - dependabot/** pull_request: # The branches below must be a subset of the branches above - branches: [develop] + branches: + - develop schedule: - cron: '0 14 * * 6' From 5c86848ad5c86a5c2b9c73e319f0697d636340e1 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Apr 2022 16:00:16 -0400 Subject: [PATCH 40/45] Update github/codeql-action/autobuild from 1 to 2 Clean up the commenting while we're here. --- .github/workflows/codeql-analysis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0698a9b..c3369af 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -46,11 +46,11 @@ jobs: with: languages: ${{ matrix.language }} - # Autobuild attempts to build any compiled languages (C/C++, C#, or + # Autobuild attempts to build any compiled languages (C/C++, C#, or # Java). If this step fails, then you should remove it and run the build - # manually (see below) + # manually (see below). - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl From 55d223889ed5e4b5f04e223660a89dbf046aa866 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Apr 2022 16:03:52 -0400 Subject: [PATCH 41/45] Update github/codeql-action/analyze from 1 to 2 Also clean up the commenting while we're here. --- .github/workflows/codeql-analysis.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c3369af..5e344d1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -56,12 +56,12 @@ jobs: # 📚 https://git.io/JvXDl # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following - # three lines and modify them (or add more) to build your code if your - # project uses a compiled language + # three lines and modify them (or add more) to build your code if your + # project uses a compiled language # - run: | - # make bootstrap - # make release + # make bootstrap + # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 From c251246061187760dab4dc9ba31527156aa7c5a1 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 13 Mar 2022 03:01:54 -0400 Subject: [PATCH 42/45] Update git ignore list Add dist/ to the .gitignore file to better support local building. --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 53e6544..242b4aa 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ __pycache__ .pytest_cache .python-version *.egg-info +dist From 96f816ebd0362c9a2e3bfb13a31576f26a127e3b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 13 Mar 2022 03:07:02 -0400 Subject: [PATCH 43/45] Modernize the Python package build step Modernize the build process by using the build package instead of the now deprecated setup.py install method. Remove installing the package requirements as it is unnecessary for this build process. Upgrade the setuptools package as part of the initial dependency installation. --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c61bfcb..db8491c 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -224,12 +224,12 @@ jobs: ${{ hashFiles('setup.py') }}" restore-keys: | ${{ env.BASE_CACHE_KEY }} - - name: Install dependencies + - name: Install build dependencies run: | - python -m pip install --upgrade pip wheel - pip install --upgrade --requirement requirements.txt + python -m pip install --upgrade pip setuptools wheel + python -m pip install --upgrade build - name: Build artifacts - run: python3 setup.py sdist bdist_wheel + run: python -m build - name: Upload artifacts uses: actions/upload-artifact@v2 with: From a36e249dffbeb5c3c35f7104889a8f739920786f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Oct 2022 11:57:32 -0400 Subject: [PATCH 44/45] Resolve markdownlint issues --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 45d46cb..be25df4 100644 --- a/README.md +++ b/README.md @@ -172,7 +172,7 @@ for domain in dumped_json['domains']: This tool's original purpose was to automatically detect if a domain that uses a CDN is frontable. Due to the significant overhead for fronting detection, we -pivoted the development of this tool to be exclusively a CDN _detection_ tool. +pivoted the development of this tool to be exclusively a CDN *detection* tool. We use our [wiki](https://github.com/cisagov/findcdn/wiki) to describe further what Domain Fronting is, our research notes, design decisions, and playbooks for fronting specific domains. If you find any additional frontable domains or any @@ -180,7 +180,7 @@ flaws in the current playbooks, please consider [contributing!](CONTRIBUTING.md) ### Project Change Summary ### -- The project is now for CDN _detection_. +- The project is now for CDN *detection*. - Determining frontability was infeasible for every CDN provider. - Resources, Notes, and playbooks are now available in the [wiki](https://github.com/cisagov/findcdn/wiki) of this repository. 
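Review bot: The new "Install build dependencies" step pulls `setuptools`, `wheel` and `build` at whatever version is latest on PyPI when the job runs, so the artifacts produced by `python -m build` depend on an unpinned toolchain and cannot be reproduced later. Pinning at least `build` (`python -m pip install --upgrade "build==<PINNED_VERSION>"`, with the placeholder filled from a tested release), or installing the build tools from a hash-checked requirements file, makes the step reproducible and lets Dependabot track the toolchain like any other dependency. A short comment on the step saying why the tools are installed separately from the package requirements would also help the next reader.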
From 29b1f56e7807d029f4f7b4f70ff936b7194cdf50 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Oct 2022 12:32:40 -0400 Subject: [PATCH 45/45] Fix failing tests asu.edu has changed its hosting provider, so the tests were failing as written. Co-authored-by: Yablargo <> --- tests/test_cdnengine.py | 12 ++++++------ tests/test_detectCDN.py | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/test_cdnengine.py b/tests/test_cdnengine.py index 4cb06d0..3223c0c 100644 --- a/tests/test_cdnengine.py +++ b/tests/test_cdnengine.py @@ -48,10 +48,10 @@ def test_grab_cdn(): # Assertions assert checked_domains[0].cdns == [ - ".cloudflare.net", - ".cloudflare.com", + ".fastly.net", + ".nocookie.net", ], "Did not detect {} from {}.".format( - [".cloudflare.net", ".cloudflare.com"], checked_domains[0].url + [".fastly.net", ".nocookie.net"], checked_domains[0].url ) assert checked_domains[1].cdns == [ ".cloudfront.net", @@ -80,8 +80,8 @@ def test_has_cdn(): assert cdn_present == 3, "Too many cdn_present domains counted." assert checked_domains[0].url == "asu.edu" and checked_domains[0].cdns == [ - ".cloudflare.net", - ".cloudflare.com", + ".fastly.net", + ".nocookie.net", ], ( "Incorrect CDN detected for %s" % checked_domains[0].url ) @@ -110,7 +110,7 @@ def test_run_checks_present(): if dom.cdn_present: cdn_present[dom.url] = dom.cdns expected = { - "asu.edu": [".cloudflare.net", ".cloudflare.com"], + "asu.edu": [".fastly.net", ".nocookie.net"], "censys.io": [".cloudflare.com"], "adobe.com": [".edgesuite.net", ".akamaitechnologies.fr"], } diff --git a/tests/test_detectCDN.py b/tests/test_detectCDN.py index f2c90b4..e5a0054 100644 --- a/tests/test_detectCDN.py +++ b/tests/test_detectCDN.py 
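Review bot: The updated expectations in all three `tests/test_cdnengine.py` hunks, and the cname assertion in the `tests/test_detectCDN.py` hunk that follows, still hard-code the current live DNS records of third-party domains (asu.edu, censys.io, adobe.com), so the suite will break again the next time one of them changes hosting, which is exactly what this commit is repairing. Recording resolver responses as fixtures, or using pytest's `monkeypatch` to make the lookup behind `check.cname` return canned CNAMEs, would make these tests deterministic and runnable offline, with the live lookups kept behind a custom pytest marker for opt-in runs. The list comparisons such as `checked_domains[0].cdns == [".fastly.net", ".nocookie.net"]` are also order-sensitive, and if that order comes from the DNS answer set they can flap without any hosting change; comparing `sorted(...)` or sets would be more robust.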
@@ -53,8 +53,8 @@ def test_cname():
 check.cname(dom_in, timeout=TIMEOUT)
 assert (
- "www.asu.edu.cdn.cloudflare.net." in dom_in.cnames
- ), "www.asu.edu should have www.asu.edu.cdn.cloudflare.net. as a cname"
+ "pantheon-systems.map.fastly.net." in dom_in.cnames
+ ), "www.asu.edu should have pantheon-systems.map.fastly.net. as a cname"
 def test_broken_cname():