From 06e0b8a52990a823fe80eeeb4960d8ed0164dc59 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 24 Feb 2025 10:03:51 -0500 Subject: [PATCH 01/13] Add versioning --- bump-version | 172 +++++++++++++++++++++++++++++++++++++++++++++++ requirements.txt | 2 + version.txt | 1 + 3 files changed, 175 insertions(+) create mode 100755 bump-version create mode 100644 version.txt diff --git a/bump-version b/bump-version new file mode 100755 index 0000000..15b4af1 --- /dev/null +++ b/bump-version 
@@ -0,0 +1,172 @@ +#!/usr/bin/env bash + +# bump-version [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show) +# bump-version --list-files + +set -o nounset +set -o errexit +set -o pipefail + +# Stores the canonical version for the project. +VERSION_FILE=version.txt +# Files that should be updated with the new version. +VERSION_FILES=("$VERSION_FILE") + +USAGE=$( + cat << END_OF_LINE +Update the version of the project. + +Usage: + ${0##*/} [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show) + ${0##*/} --list-files + ${0##*/} (-h | --help) + +Options: + -h | --help Show this message. + --push Perform a \`git push\` after updating the version. + --label LABEL Specify the label to use when updating the build or prerelease version. + --list-files List the files that will be updated when the version is bumped. +END_OF_LINE +) + +old_version=$(< "$VERSION_FILE") +# Comment out periods so they are interpreted as periods and don't +# just match any character +old_version_regex=${old_version//\./\\\.} +new_version="$old_version" + +bump_part="" +label="" +commit_prefix="Bump" +with_push=false +commands_with_label=("build" "prerelease") +commands_with_prerelease=("major" "minor" "patch") +with_prerelease=false + +####################################### +# Display an error message, the help information, and exit with a non-zero status. +# Arguments: +# Error message. +####################################### +function invalid_option() { + echo "$1" + echo "$USAGE" + exit 1 +} + +####################################### +# Bump the version using the provided command. +# Arguments: +# The version to bump. +# The command to bump the version. +# Returns: +# The new version. 
+####################################### +function bump_version() { + local temp_version + temp_version=$(python -c "import semver; print(semver.parse_version_info('$1').${2})") + echo "$temp_version" +} + +if [ $# -eq 0 ]; then + echo "$USAGE" + exit 1 +else + while [ $# -gt 0 ]; do + case $1 in + --push) + if [ "$with_push" = true ]; then + invalid_option "Push has already been set." + fi + + with_push=true + shift + ;; + --label) + if [ -n "$label" ]; then + invalid_option "Label has already been set." + fi + + label="$2" + shift 2 + ;; + build | finalize | major | minor | patch) + if [ -n "$bump_part" ]; then + invalid_option "Only one version part should be bumped at a time." + fi + + bump_part="$1" + shift + ;; + prerelease) + with_prerelease=true + shift + ;; + show) + echo "$old_version" + exit 0 + ;; + -h | --help) + echo "$USAGE" + exit 0 + ;; + --list-files) + printf '%s\n' "${VERSION_FILES[@]}" + exit 0 + ;; + *) + invalid_option "Invalid option: $1" + ;; + esac + done +fi + +if [ -n "$label" ] && [ "$with_prerelease" = false ] && [[ ! " ${commands_with_label[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then + invalid_option "Setting the label is only allowed for the following commands: ${commands_with_label[*]}" +fi + +if [ "$with_prerelease" = true ] && [ -n "$bump_part" ] && [[ ! 
" ${commands_with_prerelease[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then + invalid_option "Changing the prerelease is only allowed in conjunction with the following commands: ${commands_with_prerelease[*]}" +fi + +label_option="" +if [ -n "$label" ]; then + label_option="token='$label'" +fi + +if [ -n "$bump_part" ]; then + if [ "$bump_part" = "finalize" ]; then + commit_prefix="Finalize" + bump_command="finalize_version()" + elif [ "$bump_part" = "build" ]; then + bump_command="bump_${bump_part}($label_option)" + else + bump_command="bump_${bump_part}()" + fi + new_version=$(bump_version "$old_version" "$bump_command") + echo Changing version from "$old_version" to "$new_version" +fi + +if [ "$with_prerelease" = true ]; then + bump_command="bump_prerelease($label_option)" + temp_version=$(bump_version "$new_version" "$bump_command") + echo Changing version from "$new_version" to "$temp_version" + new_version="$temp_version" +fi + +tmp_file=/tmp/version.$$ +for version_file in "${VERSION_FILES[@]}"; do + if [ ! -f "$version_file" ]; then + echo Missing expected file: "$version_file" + exit 1 + fi + sed "s/$old_version_regex/$new_version/" "$version_file" > $tmp_file + mv $tmp_file "$version_file" +done + +git add "${VERSION_FILES[@]}" +git commit --message "$commit_prefix version from $old_version to $new_version" + +if [ "$with_push" = true ]; then + git push +fi diff --git a/requirements.txt b/requirements.txt index 0a8547b..f4f0d8c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,4 @@ +# The bump-version script requires at least version 3 of semver. +semver>=3 setuptools wheel diff --git a/version.txt b/version.txt new file mode 100644 index 0000000..8acdd82 --- /dev/null +++ b/version.txt @@ -0,0 +1 @@ +0.0.1 From 2c6216ec08ab88a717b0960f95b5e661c02e04ed Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Mon, 24 Feb 2025 10:04:44 -0500 Subject: [PATCH 02/13] Revert link This link was mistakenly changed by gh skeleton clone. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9409a5f..15a004c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -140,7 +140,7 @@ jobs: PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - # TODO: https://github.com/cisagov/skeleton-action-composite/issues/165 + # TODO: https://github.com/cisagov/skeleton-generic/issues/165 # We are temporarily using @mcdonnnj's forked branch of terraform-docs # until his PR: https://github.com/terraform-docs/terraform-docs/pull/745 # is approved. This temporary fix will allow for ATX header support when From f4d983bfa896f037bf5bb8a76752b85f4f02be8a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 24 Feb 2025 10:05:50 -0500 Subject: [PATCH 03/13] Add example action that simply prints a notice annotation --- action.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 action.yml diff --git a/action.yml b/action.yml new file mode 100644 index 0000000..920a0c9 --- /dev/null +++ b/action.yml @@ -0,0 +1,15 @@ +--- +author: Cybersecurity and Infrastructure Security Agency +branding: + color: blue + icon: help-circle +description: Skeleton GitHub composite action. +name: Skeleton + +runs: + using: composite + steps: + - id: my-id + name: Say hello + run: "echo ::notice:: Hello, world!" + shell: bash From 0f95a68d61ca35e4d33477a226548604d89044c2 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Mon, 24 Feb 2025 10:10:08 -0500 Subject: [PATCH 04/13] Update README.md boilerplate from upstream --- README.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 47 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index d4c739d..a62cb5b 100644 --- a/README.md +++ b/README.md @@ -3,14 +3,55 @@ [![GitHub Build Status](https://github.com/cisagov/skeleton-action-composite/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-action-composite/actions) This is a generic skeleton project that can be used to quickly get a -new [cisagov](https://github.com/cisagov) GitHub project started. -This skeleton project contains [licensing information](LICENSE), as -well as [pre-commit hooks](https://pre-commit.com) and -[GitHub Actions](https://github.com/features/actions) configurations +new [cisagov](https://github.com/cisagov) GitHub composite Action +project started. This skeleton project contains [licensing +information](LICENSE), as well as [pre-commit +hooks](https://pre-commit.com) and [GitHub +Actions](https://github.com/features/actions) configurations appropriate for the major languages that we use. -In many cases you will instead want to use one of the more specific -skeleton projects derived from this one. +## Usage ## + +### Inputs ### + +None. + + +### Outputs ### + +None. + + +### Sample GitHub Actions workflow ### + +This GitHub Action only prints a notify annotation on the runner and +therefore requires no permissions. + +```yml +--- +name: The workflow + +on: + pull_request: + push: + +jobs: + my_job: + # This job does not need any permissions + permissions: {} + runs-on: ubuntu-latest + steps: + - name: Say hello + uses: cisagov/skeleton-action-composite@v1 +``` ## New Repositories from a Skeleton ## From 26a14dc91430f32fc73d1491743083aff4f6a623 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Mon, 24 Feb 2025 11:20:28 -0500 Subject: [PATCH 05/13] Add a link to the GitHub documentation on composite actions Co-authored-by: Dave Redmin --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a62cb5b..94f58de 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,8 @@ [![GitHub Build Status](https://github.com/cisagov/skeleton-action-composite/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-action-composite/actions) This is a generic skeleton project that can be used to quickly get a -new [cisagov](https://github.com/cisagov) GitHub composite Action +new [cisagov](https://github.com/cisagov) [GitHub composite +Action](https://docs.github.com/en/actions/sharing-automations/creating-actions/about-custom-actions#composite-actions) project started. This skeleton project contains [licensing information](LICENSE), as well as [pre-commit hooks](https://pre-commit.com) and [GitHub From e1054d83dbe5b7cb3c8b61acf13759df800ce577 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 25 Feb 2025 15:50:25 -0500 Subject: [PATCH 06/13] Remove unwanted word --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 94f58de..8fa77bd 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,8 @@ [![GitHub Build Status](https://github.com/cisagov/skeleton-action-composite/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-action-composite/actions) -This is a generic skeleton project that can be used to quickly get a -new [cisagov](https://github.com/cisagov) [GitHub composite +This is a skeleton project that can be used to quickly get a new +[cisagov](https://github.com/cisagov) [GitHub composite Action](https://docs.github.com/en/actions/sharing-automations/creating-actions/about-custom-actions#composite-actions) project started. This skeleton project contains [licensing information](LICENSE), as well as [pre-commit 
From 23bc7e59bd20933ccf8883693a84dee2b450b4e9 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Tue, 25 Feb 2025 22:32:20 -0500 Subject: [PATCH 07/13] Use lowercase when referring to GitHub actions Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8fa77bd..5545dd2 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ This is a skeleton project that can be used to quickly get a new [cisagov](https://github.com/cisagov) [GitHub composite -Action](https://docs.github.com/en/actions/sharing-automations/creating-actions/about-custom-actions#composite-actions) +action](https://docs.github.com/en/actions/sharing-automations/creating-actions/about-custom-actions#composite-actions) project started. This skeleton project contains [licensing information](LICENSE), as well as [pre-commit hooks](https://pre-commit.com) and [GitHub From 51c9a76e99dcc81989b2719fcea1880b9ed784b4 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 26 Feb 2025 13:05:41 -0500 Subject: [PATCH 08/13] Add a workflow to create major and major-minor version tags upon release --- .github/dependabot.yml | 2 + .github/workflows/release.yml | 89 +++++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 .github/workflows/release.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 81cd6bd..8631940 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -22,6 +22,8 @@ updates: # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate # - dependency-name: step-security/harden-runner + # # Managed by cisagov/skeleton-action-composite + # - zyactions/semver package-ecosystem: github-actions schedule: interval: weekly diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..edf0df4 --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,89 @@ +--- +name: release + +on: + release: + types: + - released + +# Set a default shell for any run steps. The `-Eueo pipefail` sets +# errtrace, nounset, errexit, and pipefail. The `-x` will print all +# commands as they are run. Please see the GitHub Actions +# documentation for more information: +# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs +defaults: + run: + shell: bash -Eueo pipefail -x {0} + +jobs: + diagnostics: + name: Run diagnostics + # This job does not need any permissions + permissions: {} + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v4 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 + release: + needs: + - diagnostics + permissions: + # We need write permission to move tags. + contents: write + runs-on: ubuntu-latest + steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: extract-semver-parts + name: Extract semver parts + uses: zyactions/semver@v1 + with: + # This input consists of a newline-separated list of version + # prefixes, so in the interest of future expansion we go + # ahead and use the YAML multiline literal style indicator. 
+ prefixes: | + v + - id: checkout-code + name: Checkout the code + uses: actions/checkout@v4 + - id: move-tags + # Just in case... + if: ${{ steps.extract-semver-parts.outputs.valid == 'true' }} + name: Move tags + run: | + major_tag=v${{ steps.extract-semver-parts.outputs.major }} + major_minor_tag=${major_tag}.${{ steps.extract-semver-parts.outputs.minor }} + # Delete old tags remotely, if they exist + git ls-remote --exit-code --tags origin ${major_tag} \ + && git push origin --delete ${major_tag} + git ls-remote --exit-code --tags origin ${major_minor_tag} \ + && git push origin --delete ${major_minor_tag} + # Create new tags locally + git tag ${major_tag} + git tag ${major_minor_tag} + # Push up new tags + git push origin ${major_tag} ${major_minor_tag} From 88a38a354b62893e5b31f96363f196ebe01c4f37 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 26 Feb 2025 13:13:58 -0500 Subject: [PATCH 09/13] Bump version from 0.0.1 to 1.0.0 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 8acdd82..3eefcb9 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.0.1 +1.0.0 From d8aa5706b3c09ab5d32e456b011ba659182527da Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Wed, 26 Feb 2025 14:53:55 -0500 Subject: [PATCH 10/13] Add missing map key Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 8631940..587c9b3 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -23,7 +23,7 @@ updates: # - dependency-name: mxschmitt/action-tmate # - dependency-name: step-security/harden-runner # # Managed by cisagov/skeleton-action-composite - # - zyactions/semver + # - dependency-name: zyactions/semver package-ecosystem: github-actions schedule: interval: weekly From 67e038e789069bd35fae4e22a7ac7cda18c27231 Mon Sep 17 00:00:00 2001 
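Review bot: The `run:` script of the `move-tags` step interpolates `${{ steps.extract-semver-parts.outputs.major }}` and `${{ steps.extract-semver-parts.outputs.minor }}` directly into the shell text, which is the pattern GitHub's Actions hardening guidance and CodeQL's expression-injection check flag; the values derive from the release tag name, and the `valid == 'true'` guard limits what can reach the script, but routing them through `env:` and reading `$MAJOR`/`$MINOR` makes the step safe without depending on that guard. The rewrite below touches only the step's new `env:` block and the first two `run:` lines; the tag delete, create and push commands are unchanged. The `git ls-remote --exit-code ... && git push origin --delete` pairs rely on the left side of `&&` being exempt from `errexit`, which deserves a one-line comment such as `# A failing ls-remote here only means the tag does not exist yet` so a later edit does not "fix" it into an early exit.
```yaml
      - id: move-tags
        # Just in case...
        if: ${{ steps.extract-semver-parts.outputs.valid == 'true' }}
        name: Move tags
        env:
          MAJOR: ${{ steps.extract-semver-parts.outputs.major }}
          MINOR: ${{ steps.extract-semver-parts.outputs.minor }}
        run: |
          major_tag=v${MAJOR}
          major_minor_tag=${major_tag}.${MINOR}
          # … unchanged: delete old tags remotely, create new tags, push …
```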
From: Shane Frasier Date: Wed, 26 Feb 2025 14:54:54 -0500 Subject: [PATCH 11/13] Remove period from end of single-line comment Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index edf0df4..1afcbe7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,7 +45,7 @@ jobs: needs: - diagnostics permissions: - # We need write permission to move tags. + # We need write permission to move tags contents: write runs-on: ubuntu-latest steps: From df21b9883e3cb6d6e70e103d4c3718cb4a5984c1 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Thu, 27 Feb 2025 14:38:54 -0500 Subject: [PATCH 12/13] Improve step id and name "Repository" is more specific than "code". Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1afcbe7..f7dcbdb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -67,8 +67,8 @@ jobs: # ahead and use the YAML multiline literal style indicator. prefixes: | v - - id: checkout-code - name: Checkout the code + - id: checkout-repo + name: Checkout the repository uses: actions/checkout@v4 - id: move-tags # Just in case... From 8ef12284cf0939ff6ec56b790876b8204456aa77 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Feb 2025 14:42:59 -0500 Subject: [PATCH 13/13] Uncomment Dependabot ignore directives from upstream Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 587c9b3..4267ed4 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -7,21 +7,21 @@ updates: - directory: / - # ignore: - # # Managed by cisagov/skeleton-generic - # - dependency-name: actions/cache - # - dependency-name: actions/checkout - # - dependency-name: actions/setup-go - # - dependency-name: actions/setup-python - # - dependency-name: cisagov/setup-env-github-action - # - dependency-name: crazy-max/ghaction-dump-context - # - dependency-name: crazy-max/ghaction-github-labeler - # - dependency-name: crazy-max/ghaction-github-status - # - dependency-name: GitHubSecurityLab/actions-permissions - # - dependency-name: hashicorp/setup-packer - # - dependency-name: hashicorp/setup-terraform - # - dependency-name: mxschmitt/action-tmate - # - dependency-name: step-security/harden-runner + ignore: + # Managed by cisagov/skeleton-generic + - dependency-name: actions/cache + - dependency-name: actions/checkout + - dependency-name: actions/setup-go + - dependency-name: actions/setup-python + - dependency-name: cisagov/setup-env-github-action + - dependency-name: crazy-max/ghaction-dump-context + - dependency-name: crazy-max/ghaction-github-labeler + - dependency-name: crazy-max/ghaction-github-status + - dependency-name: GitHubSecurityLab/actions-permissions + - dependency-name: hashicorp/setup-packer + - dependency-name: hashicorp/setup-terraform + - dependency-name: mxschmitt/action-tmate + - dependency-name: step-security/harden-runner # # Managed by cisagov/skeleton-action-composite # - dependency-name: zyactions/semver package-ecosystem: github-actions