Merge pull request #53 from cisagov/lineage/skeleton

⚠️ CONFLICT! Lineage pull request for: skeleton

.bandit.yml

@@ -3,7 +3,7 @@
 # https://bandit.readthedocs.io/en/latest/config.html
 
 # Tests are first included by `tests`, and then excluded by `skips`.
-# If `tests` is empty, all tests are are considered included.
+# If `tests` is empty, all tests are considered included.
 
 tests:
 # - B101

.github/dependabot.yml

@@ -5,31 +5,35 @@
 # these updates when the pull request(s) in the appropriate skeleton are merged
 # and Lineage processes these changes.
 
-version: 2
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
+  - directory: /
     ignore:
       # Managed by cisagov/skeleton-generic
       - dependency-name: actions/cache
       - dependency-name: actions/checkout
       - dependency-name: actions/setup-go
       - dependency-name: actions/setup-python
+      - dependency-name: crazy-max/ghaction-dump-context
+      - dependency-name: crazy-max/ghaction-github-labeler
+      - dependency-name: crazy-max/ghaction-github-status
       - dependency-name: hashicorp/setup-terraform
       - dependency-name: mxschmitt/action-tmate
-
-  - package-ecosystem: "pip"
-    directory: "/"
+      - dependency-name: step-security/harden-runner
+    package-ecosystem: github-actions
     schedule:
-      interval: "weekly"
+      interval: weekly
+
+  - directory: /
     ignore:
       # Managed by cisagov/skeleton-ansible-role
-      - dependency-name: "ansible"
-      - dependency-name: "ansible-lint"
+      - dependency-name: ansible
+      - dependency-name: ansible-lint
+    package-ecosystem: pip
+    schedule:
+      interval: weekly
 
-  - package-ecosystem: "terraform"
-    directory: "/"
+  - directory: /
+    package-ecosystem: terraform
     schedule:
-      interval: "weekly"
+      interval: weekly
+version: 2

.github/workflows/build.yml

@@ -14,12 +14,36 @@ env:
   RUN_TMATE: ${{ secrets.RUN_TMATE }}
 
 jobs:
+  diagnostics:
+    name: Run diagnostics
+    runs-on: ubuntu-latest
+    steps:
+      # Note that a duplicate of this step must be added at the top of
+      # each job.
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - id: github-status
+        name: Check GitHub status
+        uses: crazy-max/ghaction-github-status@v3
+      - id: dump-context
+        name: Dump context
+        uses: crazy-max/ghaction-dump-context@v2
   lint:
+    needs:
+      - diagnostics
     runs-on: ubuntu-latest
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - id: setup-env
         uses: cisagov/setup-env-github-action@develop
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4
         with:
@@ -80,11 +104,26 @@ jobs:
       - uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
+      - name: Install go-critic
+        env:
+          PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
+          PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
+        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+      - name: Install gosec
+        env:
+          PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
+          PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
+        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       - name: Install shfmt
         env:
           PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
           PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
         run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+      - name: Install staticcheck
+        env:
+          PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
+          PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
+        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       - name: Install Terraform-docs
         env:
           PACKAGE_URL: github.com/terraform-docs/terraform-docs
@@ -102,14 +141,21 @@ jobs:
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
   test:
+    needs:
+      - diagnostics
+    runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         scenario:
           - default
-    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4
         with:

.github/workflows/codeql-analysis.yml

@@ -4,7 +4,7 @@
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
-name: "CodeQL"
+name: CodeQL
 
 on:
   push:
@@ -37,8 +37,14 @@ jobs:
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
 
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/sync-labels.yml

@@ -19,10 +19,10 @@ jobs:
       issues: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Sync repository labels
         if: success()
-        uses: crazy-max/ghaction-github-labeler@v4
+        uses: crazy-max/ghaction-github-labeler@v5
         with:
           # This is a hideous ternary equivalent so we only do a dry run unless
           # this workflow is triggered by the develop branch.

.pre-commit-config.yaml

@@ -31,13 +31,13 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.34.0
+    rev: v0.36.0
     hooks:
       - id: markdownlint
         args:
           - --config=.mdl_config.yaml
   - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v3.0.0-alpha.9-for-vscode
+    rev: v3.0.3
     hooks:
       - id: prettier
   - repo: https://github.com/adrienverge/yamllint
@@ -49,14 +49,14 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.23.1
+    rev: 0.26.3
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.3.2
+    rev: v3.4.0
     hooks:
       - id: validate_manifest
 
@@ -79,6 +79,12 @@ repos:
       # GoSec
       - id: go-sec-repo-mod
 
+  # Nix hooks
+  - repo: https://github.com/nix-community/nixpkgs-fmt
+    rev: v1.3.0
+    hooks:
+      - id: nixpkgs-fmt
+
   # Shell script hooks
   - repo: https://github.com/cisagov/pre-commit-shfmt
     rev: v0.0.2
@@ -105,15 +111,15 @@ repos:
     hooks:
       - id: bandit
         # Bandit complains about the use of assert() in tests
-        exclude: molecule/default/tests
+        exclude: molecule/(default|systemd_enabled)/tests
         args:
           - --config=.bandit.yml
-  - repo: https://github.com/psf/black
-    rev: 23.3.0
+  - repo: https://github.com/psf/black-pre-commit-mirror
+    rev: 23.9.1
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
-    rev: 6.0.0
+    rev: 6.1.0
     hooks:
       - id: flake8
         additional_dependencies:
@@ -123,24 +129,24 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.3.0
+    rev: v1.5.1
     hooks:
       - id: mypy
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.4.0
+    rev: v3.10.1
     hooks:
       - id: pyupgrade
 
   # Ansible hooks
-  - repo: https://github.com/ansible-community/ansible-lint
-    rev: v6.17.0
+  - repo: https://github.com/ansible/ansible-lint
+    rev: v6.19.0
     hooks:
       - id: ansible-lint
       # files: molecule/default/playbook.yml
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.80.0
+    rev: v1.83.2
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

README.md

@@ -28,7 +28,7 @@ Here's how to use it in a playbook:
 
 ```yaml
 - hosts: all
-  become: yes
+  become: true
   become_method: sudo
   tasks:
     - name: Install ufw

meta/main.yml

@@ -1,4 +1,9 @@
 ---
+# Note that dependencies listed here are automatically installed
+# before this role.  Role variables for any roles listed here can be
+# assigned static variables.
+#
+# See also cisagov/skeleton-ansible-role#153.
 dependencies: []
 galaxy_info:
   author: Shane Frasier
@@ -48,3 +53,4 @@ galaxy_info:
     #     - focal
     #     - jammy
   role_name: ufw
+  standalone: true

meta/requirements.yml

@@ -0,0 +1,12 @@
+---
+# Note that dependencies listed here are made available to the role
+# but _are not_ automatically installed.  Role variables cannot be
+# specified here.
+#
+# It _is_ possible to list both collections and roles in this file,
+# but unfortunately ansible-galaxy attempts to naively merge the
+# dependencies listed in meta/main.yml with these.  That means that
+# both sets of dependencies must be lists. :(
+#
+# See also cisagov/skeleton-ansible-role#153.
+[]

molecule/default/molecule-with-systemd.yml

@@ -25,53 +25,53 @@ platforms:
     image: geerlingguy/docker-debian10-ansible:latest
     name: debian10-systemd
     platform: amd64
-    pre_build_image: yes
-    privileged: yes
+    pre_build_image: true
+    privileged: true
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
   - cgroupns_mode: host
     command: /lib/systemd/systemd
     image: geerlingguy/docker-debian11-ansible:latest
     name: debian11-systemd
     platform: amd64
-    pre_build_image: yes
-    privileged: yes
+    pre_build_image: true
+    privileged: true
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
   - cgroupns_mode: host
     command: /lib/systemd/systemd
     image: cisagov/docker-debian12-ansible:latest
     name: debian12-systemd
     platform: amd64
-    pre_build_image: yes
-    privileged: yes
+    pre_build_image: true
+    privileged: true
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
   - cgroupns_mode: host
     command: /lib/systemd/systemd
     image: cisagov/docker-kali-ansible:latest
     name: kali-systemd
     platform: amd64
-    pre_build_image: yes
-    privileged: yes
+    pre_build_image: true
+    privileged: true
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
   - cgroupns_mode: host
     command: /lib/systemd/systemd
     image: geerlingguy/docker-fedora37-ansible:latest
     name: fedora37-systemd
     platform: amd64
-    pre_build_image: yes
-    privileged: yes
+    pre_build_image: true
+    privileged: true
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
   - cgroupns_mode: host
     command: /lib/systemd/systemd
     image: geerlingguy/docker-fedora38-ansible:latest
     name: fedora38-systemd
     platform: amd64
-    pre_build_image: yes
-    privileged: yes
+    pre_build_image: true
+    privileged: true
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
   # For reasons I haven't been able to discern, the Ubuntu molecule

molecule/default/requirements.yml

@@ -1,3 +1,3 @@
 ---
-- src: https://github.com/cisagov/ansible-role-upgrade
-  name: upgrade
+- name: upgrade
+  src: https://github.com/cisagov/ansible-role-upgrade

molecule/default/upgrade.yml

@@ -1,7 +1,7 @@
 ---
 - hosts: all
   name: Upgrade base image
-  become: yes
+  become: true
   become_method: ansible.builtin.sudo
   tasks:
     - name: Upgrade system packages