Merge https://github.com/cisagov/skeleton-generic into lineage/skeleton

# Conflicts: # .github/dependabot.yml # .github/workflows/sync-labels.yml # .pre-commit-config.yaml
cisagov · Oct 30, 2024 · 435499e · 435499e
2 parents 6232826 + f517db7
commit 435499e
Show file tree

Hide file tree

Showing 4 changed files with 100 additions and 20 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,4 +1,41 @@
 ---
+<<<<<<< HEAD
+=======
+
+# Any ignore directives should be uncommented in downstream projects to disable
+# Dependabot updates for the given dependency. Downstream projects will get
+# these updates when the pull request(s) in the appropriate skeleton are merged
+# and Lineage processes these changes.
+
+updates:
+  - directory: /
+    # ignore:
+    #   # Managed by cisagov/skeleton-generic
+    #   - dependency-name: actions/cache
+    #   - dependency-name: actions/checkout
+    #   - dependency-name: actions/setup-go
+    #   - dependency-name: actions/setup-python
+    #   - dependency-name: crazy-max/ghaction-dump-context
+    #   - dependency-name: crazy-max/ghaction-github-labeler
+    #   - dependency-name: crazy-max/ghaction-github-status
+    #   - dependency-name: GitHubSecurityLab/actions-permissions
+    #   - dependency-name: hashicorp/setup-terraform
+    #   - dependency-name: mxschmitt/action-tmate
+    #   - dependency-name: step-security/harden-runner
+    package-ecosystem: github-actions
+    schedule:
+      interval: weekly
+
+  - directory: /
+    package-ecosystem: pip
+    schedule:
+      interval: weekly
+
+  - directory: /
+    package-ecosystem: terraform
+    schedule:
+      interval: weekly
+>>>>>>> f517db7930c879e0b365c3a7795d722894fea581
 version: 2
 updates:
   - package-ecosystem: github-actions

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -30,10 +30,18 @@ env:
 jobs:
   diagnostics:
     name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       # Note that a duplicate of this step must be added at the top of
       # each job.
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -48,8 +56,15 @@ jobs:
   lint:
     needs:
       - diagnostics
+    permissions:
+      # actions/checkout needs this to fetch code
+      contents: read
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2

diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
@@ -6,17 +6,29 @@ on:
     paths:
       - .github/labels.yml
       - .github/workflows/sync-labels.yml
+<<<<<<< HEAD
+=======
+  workflow_dispatch:
+>>>>>>> f517db7930c879e0b365c3a7795d722894fea581
 
 permissions:
   contents: read
 
 jobs:
   diagnostics:
     name: Run diagnostics
+    # This job does not need any permissions
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       # Note that a duplicate of this step must be added at the top of
       # each job.
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2
@@ -38,6 +50,10 @@ jobs:
       issues: write
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          # Uses the organization variable unless overridden
+          config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: harden-runner
         name: Harden the runner
         uses: step-security/harden-runner@v2

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -10,13 +10,22 @@ repos:
       - id: check-useless-excludes
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
+    rev: v5.0.0
     hooks:
       - id: check-case-conflict
       - id: check-executables-have-shebangs
       - id: check-json
       - id: check-merge-conflict
+<<<<<<< HEAD
+=======
+      - id: check-shebang-scripts-are-executable
+      - id: check-symlinks
+      - id: check-toml
+      - id: check-vcs-permalinks
+      - id: check-xml
+>>>>>>> f517db7930c879e0b365c3a7795d722894fea581
       - id: debug-statements
+      - id: destroyed-symlinks
       - id: detect-aws-credentials
         args:
           - --allow-missing-credentials
@@ -53,14 +62,14 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.29.2
+    rev: 0.29.4
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.8.0
+    rev: v4.0.1
     hooks:
       - id: validate_manifest
 
@@ -70,25 +79,25 @@ repos:
   - repo: https://github.com/TekWizely/pre-commit-golang
     rev: v1.0.0-rc.1
     hooks:
-      # Style Checkers
-      - id: go-critic
-      # StaticCheck
-      - id: go-staticcheck-repo-mod
       # Go Build
       - id: go-build-repo-mod
+      # Style Checkers
+      - id: go-critic
+      # goimports
+      - id: go-imports-repo
+        args:
+          # Write changes to files
+          - -w
       # Go Mod Tidy
       - id: go-mod-tidy-repo
+      # GoSec
+      - id: go-sec-repo-mod
+      # StaticCheck
+      - id: go-staticcheck-repo-mod
       # Go Test
       - id: go-test-repo-mod
       # Go Vet
       - id: go-vet-repo-mod
-      # GoSec
-      - id: go-sec-repo-mod
-      # goimports
-      - id: go-imports-repo
-        args:
-          # Write changes to files
-          - -w
   # Nix hooks
   - repo: https://github.com/nix-community/nixpkgs-fmt
     rev: v1.3.0
@@ -98,7 +107,7 @@ repos:
 >>>>>>> e79569c534ec91872ed8fb7733a23b7ca35f8b60
   # Shell script hooks
   - repo: https://github.com/scop/pre-commit-shfmt
-    rev: v3.9.0-1
+    rev: v3.10.0-1
     hooks:
       - id: shfmt
         args:
@@ -128,7 +137,7 @@ repos:
         args:
           - --config=.bandit.yml
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.8.0
+    rev: 24.10.0
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -142,7 +151,7 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.11.2
+    rev: v1.13.0
     hooks:
       - id: mypy
 <<<<<<< HEAD
@@ -163,7 +172,7 @@ repos:
           - requirements.txt
 >>>>>>> f0e55b3d6fefccf87103354e918b03028abd6f8e
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.17.0
+    rev: v3.19.0
     hooks:
       - id: pyupgrade
 
@@ -212,8 +221,11 @@ repos:
 
   # Packer hooks
   - repo: https://github.com/cisagov/pre-commit-packer
-    rev: v0.1.0
+    rev: v0.3.0
     hooks:
-      - id: packer_validate
       - id: packer_fmt
+<<<<<<< HEAD
 >>>>>>> f0e55b3d6fefccf87103354e918b03028abd6f8e
+=======
+      - id: packer_validate
+>>>>>>> f517db7930c879e0b365c3a7795d722894fea581