From 891a8edac10c035790d33f57daaeaa702da3f5b3 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 23 Jun 2023 13:56:33 -0400
Subject: [PATCH 01/52] Add a standalone attribute to the role metadata

See here for more details: https://ansible.readthedocs.io/projects/lint/rules/schema/#schemameta
---
 meta/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/main.yml b/meta/main.yml
index 3190d65..35831e0 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -35,3 +35,4 @@ galaxy_info:
 - focal
 - jammy
 role_name: skeleton
+ standalone: true

From 5a42925b859977cf663ef962aa1d89779f45aef5 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Wed, 28 Jun 2023 09:52:42 -0400
Subject: [PATCH 02/52] Add an empty meta/requirements.yml file

Also add comments explaining when dependencies should be listed in meta/main.yml versus meta/requirements.yml.
---
 meta/main.yml | 5 +++++
 meta/requirements.yml | 12 ++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 meta/requirements.yml

diff --git a/meta/main.yml b/meta/main.yml
index 3190d65..83db8d9 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,4 +1,9 @@
 ---
+# Note that dependencies listed here are automatically installed
+# before this role. Role variables for any roles listed here can be
+# assigned static variables.
+#
+# See also cisagov/skeleton-ansible-role#153.
 dependencies: []
 galaxy_info:
 author: First Last
diff --git a/meta/requirements.yml b/meta/requirements.yml
new file mode 100644
index 0000000..db3887f
--- /dev/null
+++ b/meta/requirements.yml
@@ -0,0 +1,12 @@
+---
+# Note that dependencies listed here are made available to the role
+# but _are not_ automatically installed. Role variables cannot be
+# specified here.
+#
+# It _is_ possible to list both collections and roles in this file,
+# but unfortunately ansible-galaxy attempts to naively merge the
+# dependencies listed in meta/main.yml with these. That means that
+# both sets of dependencies must be arrays. :(
+#
+# See also cisagov/skeleton-ansible-role#153.
+[]

From 3bb32da00ab2a9db2af76c76408241199c77ca5e Mon Sep 17 00:00:00 2001
From: Shane Frasier
Date: Wed, 28 Jun 2023 12:18:51 -0400
Subject: [PATCH 03/52] Use list vice array

This is done to be consistent with the language used in the Ansible project.

Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
 meta/requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/requirements.yml b/meta/requirements.yml
index db3887f..d8f8eef 100644
--- a/meta/requirements.yml
+++ b/meta/requirements.yml
@@ -6,7 +6,7 @@
 # It _is_ possible to list both collections and roles in this file,
 # but unfortunately ansible-galaxy attempts to naively merge the
 # dependencies listed in meta/main.yml with these. That means that
-# both sets of dependencies must be arrays. :(
+# both sets of dependencies must be lists. :(
 #
 # See also cisagov/skeleton-ansible-role#153.
 []

From fd8ab1505372b7c130180ea1aad86c4cca68df82 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 29 Jun 2023 11:56:42 -0400
Subject: [PATCH 04/52] Alphabetize YAML attributes
---
 molecule/default/requirements.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml
index 2d114eb..d5927d8 100644
--- a/molecule/default/requirements.yml
+++ b/molecule/default/requirements.yml
@@ -1,3 +1,3 @@
 ---
-- src: https://github.com/cisagov/ansible-role-upgrade
- name: upgrade
+- name: upgrade
+ src: https://github.com/cisagov/ansible-role-upgrade

From 4cb9a4b5863abc317de4daa8fa72487ac930c3d0 Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Mon, 10 Jul 2023 12:52:36 -0400
Subject: [PATCH 05/52] Add steps to setup go packages for pre-commit
---
 .github/workflows/build.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c992e8e..f07c640 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -33,6 +33,22 @@ jobs: # it relies on the existence of a go.sum file. cache: false go-version: "1.20" + - id: setup-go-critic run: go install -v github.com/go-critic/go-critic/cmd/gocritic@latest + - id: setup staticheck uses: actions/checkout@v2 with: fetch-depth: 1 + - name: Run staticcheck uses: dominikh/staticcheck-action@v1.3.0 with: version: "2022.1.3" + - id: setup-go-sec uses: actions/checkout@v3 env: GO111MODULE: on + - name: Run Gosec Security Scanner uses: securego/gosec@master - name: Lookup Go cache directory id: go-cache run: |

From 53f56b01103783ba2d71c7ad64dc5c4c390c8388 Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Mon, 10 Jul 2023 18:01:24 -0400
Subject: [PATCH 06/52] Update action/checkout to use same version
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f07c640..4731169 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -36,7 +36,7 @@ jobs:
 - id: setup-go-critic
 run: go install -v github.com/go-critic/go-critic/cmd/gocritic@latest
 - id: setup staticheck
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 with:
 fetch-depth: 1
 - name: Run staticcheck

From f2610994eacc942a8b4a3771c0c0d8d69fb286c1 Mon Sep 17 00:00:00 2001
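Review bot: The added step `- id: setup staticheck` carries a space in its id, which the workflow validator will very likely reject (step ids are expected to be alphanumeric plus `-`/`_`), so the whole job fails before any tool runs; use `- id: setup-staticcheck`. In the same hunk `GO111MODULE: on` is a YAML 1.1 boolean that generic parsers read as `true`, a value the go tool does not accept, and it is set on a checkout step rather than on a step that runs Go, so write `GO111MODULE: "on"` and move it to the step that needs it. `gocritic@latest` and `securego/gosec@master` are unpinned references, so every run fetches whatever those refs point to at that moment; pin each to a released tag (`uses: securego/gosec@<pinned-tag>`) the way `go-version: "1.20"` above is pinned. The two extra `actions/checkout` steps that carry the `setup-*` ids re-clone the repository rather than installing anything, which reads like a copy-paste slip.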
From: Jason Odoom
Date: Mon, 10 Jul 2023 18:17:46 -0400
Subject: [PATCH 07/52] Set specific gocritic version
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4731169..cfbc847 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -34,7 +34,7 @@ jobs:
 cache: false
 go-version: "1.20"
 - id: setup-go-critic
- run: go install -v github.com/go-critic/go-critic/cmd/gocritic@latest
+ run: go install -v github.com/go-critic/go-critic/cmd/gocritic@0.8.1
 - id: setup staticheck
 uses: actions/checkout@v3
 with:

From 097b573a1eba564d2aeb260f676f01776ff10aba Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Mon, 10 Jul 2023 19:34:48 -0400
Subject: [PATCH 08/52] Update build workflow with package installtion
---
 .github/workflows/build.yml | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cfbc847..3cab3fb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -33,22 +33,6 @@ jobs:
 # it relies on the existence of a go.sum file.
 cache: false
 go-version: "1.20"
- - id: setup-go-critic
- run: go install -v github.com/go-critic/go-critic/cmd/gocritic@0.8.1
- - id: setup staticheck
- uses: actions/checkout@v3
- with:
- fetch-depth: 1
- - name: Run staticcheck
- uses: dominikh/staticcheck-action@v1.3.0
- with:
- version: "2022.1.3"
- - id: setup-go-sec
- uses: actions/checkout@v3
- env:
- GO111MODULE: on
- - name: Run Gosec Security Scanner
- uses: securego/gosec@master
 - name: Lookup Go cache directory
 id: go-cache
 run: |
@@ -80,6 +64,16 @@ jobs:
 ${{ env.BASE_CACHE_KEY }}
 - name: Setup curl cache
 run: mkdir -p ${{ env.CURL_CACHE_DIR }}
+ - name: Install GoCritic
+ env:
+ PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
+ PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
+ run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+ - name: Install GoSec
+ env:
+ PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
+ PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
+ run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install Packer
 env:
 PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
@@ -101,6 +95,11 @@ jobs:
 PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+ - name: Install Staticcheck
+ env:
+ PACKAGE_URL: dominikh/staticcheck-action
+ PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }}
+ run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install Terraform-docs
 env:
 PACKAGE_URL: github.com/terraform-docs/terraform-docs

From 254282a5f9c5c55c2e95459f929e41a1d85e9ae2 Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Tue, 11 Jul 2023 15:06:07 -0400
Subject: [PATCH 09/52] Group go tools together with comment
---
 .github/workflows/build.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3cab3fb..a3c90ea 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -64,6 +64,7 @@ jobs:
 ${{ env.BASE_CACHE_KEY }}
 - name: Setup curl cache
 run: mkdir -p ${{ env.CURL_CACHE_DIR }}
+ # Install GoCrtitic, GoSec and Staticcheck Go tools
 - name: Install GoCritic
 env:
 PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
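Review bot: `PACKAGE_URL: dominikh/staticcheck-action` in the second hunk of PATCH 08 is a GitHub Action repository slug, not a Go module path, so `go install ${PACKAGE_URL}@${PACKAGE_VERSION}` cannot resolve it (the first path element has no dot and is rejected as a malformed module path); the staticcheck command is published at `PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck`. The same slug is carried along when this block is moved again in PATCH 09 and PATCH 14, so each of those hunks inherits the failure. The output name `go-staticcheck-version` also breaks the `<tool>-version` pattern that `go-critic-version` and `gosec-version` follow right above it; presumably setup-env declares `staticcheck-version`, which is worth confirming against that action's outputs.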
@@ -74,6 +75,11 @@ jobs:
 PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+ - name: Install Staticcheck
+ env:
+ PACKAGE_URL: dominikh/staticcheck-action
+ PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }}
+ run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install Packer
 env:
 PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
@@ -95,11 +101,6 @@ jobs:
 PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- - name: Install Staticcheck
- env:
- PACKAGE_URL: dominikh/staticcheck-action
- PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }}
- run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install Terraform-docs
 env:
 PACKAGE_URL: github.com/terraform-docs/terraform-docs

From ecf329956ac7e2428e2226e2ac0c9c3c0cea94bf Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Tue, 11 Jul 2023 16:38:13 -0400
Subject: [PATCH 10/52] Update staticcheck id

Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a3c90ea..f54946c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -78,7 +78,7 @@ jobs:
 - name: Install Staticcheck
 env:
 PACKAGE_URL: dominikh/staticcheck-action
- PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }}
+ PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install Packer
 env:

From 1eaedf57d23227522f0f302e6055ded6eb888a7a Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Tue, 11 Jul 2023 16:40:06 -0400
Subject: [PATCH 11/52] Update tool names to match author stylization

Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f54946c..db696ad 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -64,8 +64,8 @@ jobs:
 ${{ env.BASE_CACHE_KEY }}
 - name: Setup curl cache
 run: mkdir -p ${{ env.CURL_CACHE_DIR }}
- # Install GoCrtitic, GoSec and Staticcheck Go tools
- - name: Install GoCritic
+ # Install go-critic, GoSec and staticcheck Go tools
+ - name: Install go-critic
 env:
 PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}

From fd04757b3339ed91a085e3028b2b88f9bf60e080 Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Tue, 11 Jul 2023 16:42:09 -0400
Subject: [PATCH 12/52] Update statcicheck stylization

Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index db696ad..fee1ebe 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -75,7 +75,7 @@ jobs:
 PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- - name: Install Staticcheck
+ - name: Install staticcheck
 env:
 PACKAGE_URL: dominikh/staticcheck-action
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}

From ddbf6f7f6c7cb928ce9bc22f1ae3b1796f0602e7 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Wed, 12 Jul 2023 09:09:32 -0400
Subject: [PATCH 13/52] Temporarily use a different branch of cisagov/setup-env-github-action

This is being done for testing purposes, and this commit can be reverted (or removed) once cisagov/setup-env-github-action#65 is merged.
---
 .github/workflows/build.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fee1ebe..b7c0910 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,7 +18,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - id: setup-env
- uses: cisagov/setup-env-github-action@develop
+ uses: cisagov/setup-env-github-action@add-go-actions-for-go-skeleton
 - uses: actions/checkout@v3
 - id: setup-python
 uses: actions/setup-python@v4
@@ -64,18 +64,18 @@ jobs:
 ${{ env.BASE_CACHE_KEY }}
 - name: Setup curl cache
 run: mkdir -p ${{ env.CURL_CACHE_DIR }}
- # Install go-critic, GoSec and staticcheck Go tools
+ # Install go-critic, GoSec and staticcheck Go tools
 - name: Install go-critic
 env:
 PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- - name: Install GoSec
+ - name: Install GoSec
 env:
 PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- - name: Install staticcheck
+ - name: Install staticcheck
 env:
 PACKAGE_URL: dominikh/staticcheck-action
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}

From a8af336b975def35f947694d61828ab633d8bc6d Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Wed, 12 Jul 2023 10:11:28 -0400
Subject: [PATCH 14/52] Move go packages install to separate section
---
 .github/workflows/build.yml | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
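Review bot: The switch to `@add-go-actions-for-go-skeleton` in the first hunk is recorded as temporary only in the commit message, so a reader of the workflow sees a mutable feature-branch ref for the action that seeds every tool version in this job, with no hint that it must go away; add `# TODO: revert to @develop once cisagov/setup-env-github-action#65 is merged` above the `uses:` line so the pin cannot be mistaken for intended. The three removed/added pairs in the second hunk are textually identical in this view, so that change is presumably whitespace only and unrelated to the branch switch; keeping it out of a commit that is meant to be reverted makes the revert a clean one-line change.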
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b7c0910..4f0b8cd 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -64,22 +64,6 @@ jobs:
 ${{ env.BASE_CACHE_KEY }}
 - name: Setup curl cache
 run: mkdir -p ${{ env.CURL_CACHE_DIR }}
- # Install go-critic, GoSec and staticcheck Go tools
- - name: Install go-critic
- env:
- PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
- PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
- run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- - name: Install GoSec
- env:
- PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
- PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
- run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- - name: Install staticcheck
- env:
- PACKAGE_URL: dominikh/staticcheck-action
- PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
- run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install Packer
 env:
 PACKER_VERSION: ${{ steps.setup-env.outputs.packer-version }}
@@ -96,6 +80,22 @@ jobs:
 - uses: hashicorp/setup-terraform@v2
 with:
 terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
+ # Begin Go packages install below
+ - name: Install GoCritic
+ env:
+ PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
+ PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
+ run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+ - name: Install GoSec
+ env:
+ PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
+ PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
+ run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+ - name: Install Staticcheck
+ env:
+ PACKAGE_URL: dominikh/staticcheck-action
+ PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }}
+ run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install shfmt
 env:
 PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt

From 1675b127e5ba645e36726d3f1858a974e7612998 Mon Sep 17 00:00:00 2001
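Review bot: The block re-added after `setup-terraform` in the second hunk is an older copy, not the one removed in the first hunk: `PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }}` reverts the correction to `staticcheck-version` made in PATCH 10, and the step names go back to `Install GoCritic` / `Install Staticcheck`, which PATCH 11 and PATCH 12 had just changed. Move the lines verbatim from the first hunk so the output name and the naming survive the relocation, otherwise the staticcheck version resolves to an empty string and `go install ${PACKAGE_URL}@${PACKAGE_VERSION}` is run with a bare `@`. The `# Begin Go packages install below` comment describes position rather than purpose; if a comment is wanted here, say what the tools are for, e.g. `# Go linters used by the pre-commit hooks`.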
From: Jason Odoom
Date: Wed, 12 Jul 2023 16:52:32 -0400
Subject: [PATCH 15/52] Update go-critic name

Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4f0b8cd..faafd2f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -81,7 +81,7 @@ jobs:
 with:
 terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
 # Begin Go packages install below
- - name: Install GoCritic
+ - name: Install go-critic
 env:
 PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}

From c6ab22ea25d5608ab794542c96139bd5d65dac47 Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Wed, 12 Jul 2023 16:52:50 -0400
Subject: [PATCH 16/52] Update staticcheck name

Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index faafd2f..a799374 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -91,7 +91,7 @@ jobs:
 PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- - name: Install Staticcheck
+ - name: Install staticcheck
 env:
 PACKAGE_URL: dominikh/staticcheck-action
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }}

From 29de03457f4ec4092d0dd98465d18a83a2193719 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 13 Jul 2023 10:05:20 -0400
Subject: [PATCH 17/52] Use the correct repo name for the ansible-lint pre-commit hook

The repo name we were using redirects to the correct place, but we may as well cut out the middle man.
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6b87032..9dc41ff 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -130,7 +130,7 @@ repos: - id: pyupgrade # Ansible hooks - - repo: https://github.com/ansible-community/ansible-lint + - repo: https://github.com/ansible/ansible-lint rev: v6.17.0 hooks: - id: ansible-lint

From 1e7cb4f721542b260680ee51d4cd75126da0a979 Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Wed, 12 Jul 2023 16:53:34 -0400
Subject: [PATCH 18/52] Correct staticcheck reference to setup-env, sort alphabetically and correct staticcheck package URL

Co-Authored By: @mcdonnnj
---
 .github/workflows/build.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a799374..7435881 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -91,16 +91,16 @@ jobs:
 PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- - name: Install staticcheck
- env:
- PACKAGE_URL: dominikh/staticcheck-action
- PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-staticcheck-version }}
- run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install shfmt
 env:
 PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+ - name: Install staticcheck
+ env:
+ PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
+ PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
+ run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install Terraform-docs
 env:
 PACKAGE_URL: github.com/terraform-docs/terraform-docs

From 5f3bc132490dcdfcc7431133ed38c293eeeffaf5 Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Thu, 13 Jul 2023 11:03:03 -0400
Subject: [PATCH 19/52] Remove Go section coment

Co-authored-by: Shane Frasier
---
 .github/workflows/build.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7435881..00c5cdf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -80,7 +80,6 @@ jobs:
 - uses: hashicorp/setup-terraform@v2
 with:
 terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- # Begin Go packages install below
 - name: Install go-critic
 env:
 PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic

From d31182550a11db54cff212171bb9cc0dac8bb636 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Thu, 13 Jul 2023 22:30:33 -0400
Subject: [PATCH 20/52] Remove unnecessary quotes in the dependabot configuration

We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value.
---
 .github/dependabot.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index fef57f5..60f04c0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,10 +7,10 @@ version: 2 updates: - - package-ecosystem: "github-actions" - directory: "/" + - package-ecosystem: github-actions + directory: / schedule: - interval: "weekly" + interval: weekly # ignore: # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache
@@ -20,12 +20,12 @@ updates: # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate - - package-ecosystem: "pip" - directory: "/" + - package-ecosystem: pip + directory: / schedule: - interval: "weekly" + interval: weekly - - package-ecosystem: "terraform" - directory: "/" + - package-ecosystem: terraform + directory: / schedule: - interval: "weekly" + interval: weekly
From 2294d4970596551c7c2c794b869d186dcda49921 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Thu, 13 Jul 2023 22:41:38 -0400
Subject: [PATCH 21/52] Sort the keys in the Dependabot configuration

Our standard practice for YAML files is to sort keys alphabetically.
---
 .github/dependabot.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 60f04c0..da2c02c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,12 +5,8 @@ # these updates when the pull request(s) in the appropriate skeleton are merged # and Lineage processes these changes. -version: 2 updates: - - package-ecosystem: github-actions - directory: / - schedule: - interval: weekly + - directory: / # ignore: # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache
@@ -19,13 +15,17 @@ updates: # - dependency-name: actions/setup-python # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate + package-ecosystem: github-actions + schedule: + interval: weekly - - package-ecosystem: pip - directory: / + - directory: / + package-ecosystem: pip schedule: interval: weekly - - package-ecosystem: terraform - directory: / + - directory: / + package-ecosystem: terraform schedule: interval: weekly +version: 2

From e678502adb77650dbd722134c469f20b5b46d32d Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 18 Jul 2023 15:06:13 -0400
Subject: [PATCH 22/52] Delete duplicate word "are"

Co-authored-by: David Harris
---
 .bandit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.bandit.yml b/.bandit.yml
index 8ba42d1..ab3cb21 100644
--- a/.bandit.yml
+++ b/.bandit.yml
@@ -3,7 +3,7 @@ # https://bandit.readthedocs.io/en/latest/config.html # Tests are first included by `tests`, and then excluded by `skips`. -# If `tests` is empty, all tests are are considered included. +# If `tests` is empty, all tests are considered included. tests: # - B101

From 898a2418ed31d48fab9508904e53bbd3ba67387a Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 25 Jul 2023 10:00:30 -0400
Subject: [PATCH 23/52] Prefer true/false to yes/no in YAML files
---
 README.md | 2 +-
 molecule/default/molecule-with-systemd.yml | 36 +++++++++++-----------
 molecule/default/upgrade.yml | 2 +-
 3 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index 3b7bf8b..1f806a0 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ Here's how to use it in a playbook: ```yaml - hosts: all - become: yes + become: true become_method: sudo tasks: - name: Include skeleton
diff --git a/molecule/default/molecule-with-systemd.yml b/molecule/default/molecule-with-systemd.yml
index 1b9b052..8039782 100644
--- a/molecule/default/molecule-with-systemd.yml
+++ b/molecule/default/molecule-with-systemd.yml
@@ -15,8 +15,8 @@ platforms:
 image: geerlingguy/docker-amazonlinux2023-ansible:latest
 name: amazonlinux2023-systemd
 platform: amd64
- pre_build_image: yes
- privileged: yes
+ pre_build_image: true
+ privileged: true
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - cgroupns_mode: host
@@ -24,8 +24,8 @@ platforms:
 image: geerlingguy/docker-debian10-ansible:latest
 name: debian10-systemd
 platform: amd64
- pre_build_image: yes
- privileged: yes
+ pre_build_image: true
+ privileged: true
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - cgroupns_mode: host
@@ -33,8 +33,8 @@ platforms:
 image: geerlingguy/docker-debian11-ansible:latest
 name: debian11-systemd
 platform: amd64
- pre_build_image: yes
- privileged: yes
+ pre_build_image: true
+ privileged: true
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - cgroupns_mode: host
@@ -42,8 +42,8 @@ platforms:
 image: cisagov/docker-debian12-ansible:latest
 name: debian12-systemd
 platform: amd64
- pre_build_image: yes
- privileged: yes
+ pre_build_image: true
+ privileged: true
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - cgroupns_mode: host
@@ -51,8 +51,8 @@ platforms:
 image: cisagov/docker-kali-ansible:latest
 name: kali-systemd
 platform: amd64
- pre_build_image: yes
- privileged: yes
+ pre_build_image: true
+ privileged: true
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - cgroupns_mode: host
@@ -60,8 +60,8 @@ platforms:
 image: geerlingguy/docker-fedora37-ansible:latest
 name: fedora37-systemd
 platform: amd64
- pre_build_image: yes
- privileged: yes
+ pre_build_image: true
+ privileged: true
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - cgroupns_mode: host
@@ -69,8 +69,8 @@ platforms:
 image: geerlingguy/docker-fedora38-ansible:latest
 name: fedora38-systemd
 platform: amd64
- pre_build_image: yes
- privileged: yes
+ pre_build_image: true
+ privileged: true
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - cgroupns_mode: host
@@ -78,8 +78,8 @@ platforms:
 image: geerlingguy/docker-ubuntu2004-ansible:latest
 name: ubuntu-20-systemd
 platform: amd64
- pre_build_image: yes
- privileged: yes
+ pre_build_image: true
+ privileged: true
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - cgroupns_mode: host
@@ -87,8 +87,8 @@ platforms:
 image: geerlingguy/docker-ubuntu2204-ansible:latest
 name: ubuntu-22-systemd
 platform: amd64
- pre_build_image: yes
- privileged: yes
+ pre_build_image: true
+ privileged: true
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
 scenario:
diff --git a/molecule/default/upgrade.yml b/molecule/default/upgrade.yml
index 67c299e..14cf86b 100644
--- a/molecule/default/upgrade.yml
+++ b/molecule/default/upgrade.yml
@@ -1,7 +1,7 @@
 ---
 - hosts: all
 name: Upgrade base image
- become: yes
+ become: true
 become_method: ansible.builtin.sudo
 tasks:
 - name: Upgrade system packages

From 948ebdeee11f77759311f85d256f19b5c4d7204d Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Wed, 16 Aug 2023 10:20:21 -0400
Subject: [PATCH 24/52] Fix gosec stylization

Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 00c5cdf..ec15b7d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -85,7 +85,7 @@ jobs:
 PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- - name: Install GoSec
+ - name: Install gosec
 env:
 PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}

From 98d3d3f6914b4601cf9d194ed7d750224a4fb401 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 22 Aug 2023 10:18:25 -0400
Subject: [PATCH 25/52] Revert "Temporarily use a different branch of cisagov/setup-env-github-action"

This reverts commit ddbf6f7f6c7cb928ce9bc22f1ae3b1796f0602e7.

This can be done now that cisagov/setup-env-github-action#65 has been merged.
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ec15b7d..34c3c6c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,7 +18,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - id: setup-env
- uses: cisagov/setup-env-github-action@add-go-actions-for-go-skeleton
+ uses: cisagov/setup-env-github-action@develop
 - uses: actions/checkout@v3
 - id: setup-python
 uses: actions/setup-python@v4

From 82db36a453deda26c99ee231879486b9e2d9ac1a Mon Sep 17 00:00:00 2001
From: Jason Odoom
Date: Mon, 28 Aug 2023 11:06:36 -0400
Subject: [PATCH 26/52] Add nixfmt pre-commit hook
---
 .pre-commit-config.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6b87032..e7262f6 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -79,6 +79,12 @@ repos: # GoSec - id: go-sec-repo-mod + # Nix hooks + - repo: https://github.com/nix-community/nixpkgs-fmt + rev: v1.3.0 + hooks: + - id: nixpkgs-fmt + # Shell script hooks - repo: https://github.com/cisagov/pre-commit-shfmt rev: v0.0.2

From c0b5d5bb6cb644bf85171a8f5c89dfc3c770662f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 4 Sep 2023 18:19:17 +0000
Subject: [PATCH 27/52] Bump actions/checkout from 3 to 4

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v3...v4)

--- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ...

Signed-off-by: dependabot[bot]
---
 .github/workflows/build.yml | 2 +-
 .github/workflows/sync-labels.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c992e8e..3b38f76 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - id: setup-env
 uses: cisagov/setup-env-github-action@develop
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - id: setup-python
 uses: actions/setup-python@v4
 with:
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index ae7c091..b6f2024 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
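Review bot: The hook added under `# Nix hooks` is `nixpkgs-fmt` from `https://github.com/nix-community/nixpkgs-fmt`, while the subject says nixfmt; those are two different formatters with different output, so either the subject or the hook is wrong and the mismatch should be settled before merging, since downstream skeleton consumers will take the hook name as the intent. If nixpkgs-fmt is the one wanted, make the comment say so: `# Nix hooks (nixpkgs-fmt formatter)`. The hunk's enclosing `repos:` list starts well before this hunk.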
@@ -19,7 +19,7 @@ jobs:
 issues: write
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - name: Sync repository labels
 if: success()
 uses: crazy-max/ghaction-github-labeler@v4

From b04654e922ec4eef978022b67374a2ab3cffab4c Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 11 Sep 2023 01:57:49 -0400
Subject: [PATCH 28/52] Bump crazy-max/ghaction-github-labeler from 4 to 5
---
 .github/workflows/sync-labels.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index ae7c091..1c107e4 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -22,7 +22,7 @@ jobs:
 - uses: actions/checkout@v3
 - name: Sync repository labels
 if: success()
- uses: crazy-max/ghaction-github-labeler@v4
+ uses: crazy-max/ghaction-github-labeler@v5
 with:
 # This is a hideous ternary equivalent so we only do a dry run unless
 # this workflow is triggered by the develop branch.

From 49ac8c505181e79caefc12cfc2f8e906c1e88ab2 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Mon, 11 Sep 2023 01:59:09 -0400
Subject: [PATCH 29/52] Update the dependabot ignore configuration

Add crazy-max/ghaction-github-labeler as a commented out dependency to ignore in the dependabot configuration file. This should be enabled in downstream projects to consolidate updating this Action to the cisagov/skeleton-generic repository.
---
 .github/dependabot.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index fef57f5..e1f2f34 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -17,6 +17,7 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate From 94d753d10d8106be1e4634bac6a27c0fbfb51c40 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 3 Aug 2023 19:10:29 -0400 Subject: [PATCH 30/52] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5b7035..dad86ae 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,13 +31,13 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.34.0 + rev: v0.36.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.0.0-alpha.9-for-vscode + rev: v3.0.3 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint @@ -49,14 +49,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.23.1 + rev: 0.26.3 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.3.2 + rev: v3.4.0 hooks: - id: validate_manifest @@ -113,11 +113,11 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 23.3.0 + rev: 23.9.1 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 6.0.0 + rev: 6.1.0 hooks: - id: flake8 additional_dependencies: 
@@ -127,24 +127,24 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.3.0 + rev: v1.5.1 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v3.4.0 + rev: v3.10.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v6.17.0 + rev: v6.19.0 hooks: - id: ansible-lint # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.80.0 + rev: v1.83.2 hooks: - id: terraform_fmt - id: terraform_validate From 1bc2056836e544c813d944150932075bb7251e33 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 11 Sep 2023 17:50:36 -0400 Subject: [PATCH 31/52] Switch to the pre-commit mirror for black This mirror was created to leverage performance optimizations from mypyc wheels that are available if black is installed from PyPI. These wheels are not available if black is installed from source as it would be using the old URL. Please see psf/black#3828 and psf/black#3405 for more information. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index dad86ae..34f0253 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -112,7 +112,7 @@ repos: - id: bandit args: - --config=.bandit.yml - - repo: https://github.com/psf/black + - repo: https://github.com/psf/black-pre-commit-mirror rev: 23.9.1 hooks: - id: black From a62ebe79e749b4e66b1f2122b3f866fd6ab8c23e Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Tue, 29 Aug 2023 17:10:03 -0400 Subject: [PATCH 32/52] Add the crazy-max/ghaction-github-status GitHub action This action is added in a separate "diagnostics" job. As configured it will never fail, but it will print out the status of the various GitHub components. This information will sometimes be useful when determining why builds fail after the fact. Co-authored-by: Mark Feldhousen Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9ab2270..2fdd39d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -14,6 +14,7 @@ updates: # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python # - dependency-name: crazy-max/ghaction-github-labeler + # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate package-ecosystem: github-actions diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c08880f..9382c48 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -14,6 +14,12 @@ env: RUN_TMATE: ${{ secrets.RUN_TMATE }} jobs: + diagnostics: + runs-on: ubuntu-latest + steps: + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v3 lint: runs-on: ubuntu-latest steps: From 3619c455e6bb559ed74f7f320026badcaa603ad9 Mon Sep 17 00:00:00 2001 
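Review bot: The new `diagnostics` job declares no `permissions:`, so `crazy-max/ghaction-github-status@v3` runs with whatever default `GITHUB_TOKEN` scope the repository grants, although checking GitHub's status page needs no repository access at all; add `permissions: {}` (or `contents: read`) under `diagnostics:` so a compromised or re-tagged version of the action gets nothing useful. This holds unless a workflow-level `permissions:` block exists above this hunk, which is not visible here; sync-labels.yml already scopes permissions per job, so a job-level block would be consistent with the repository's style. The action is also referenced by the mutable `@v3` tag, so a full commit SHA with the version in a trailing comment would make the pin immutable.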
From: Jeremy Frasier Date: Wed, 30 Aug 2023 09:48:01 -0400 Subject: [PATCH 33/52] Make the lint job depend on the diagnostics job Even though the diagnostics job is not currently configured to fail due to the GitHub status, it is still true that if the job is unable to run that does not bode well for the lint job's successful execution. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9382c48..1049da9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,6 +21,8 @@ jobs: name: Check GitHub status uses: crazy-max/ghaction-github-status@v3 lint: + needs: + - diagnostics runs-on: ubuntu-latest steps: - id: setup-env From f4370660795e7d97f3e5ef0d582ed5754b2c267f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 10:35:45 -0400 Subject: [PATCH 34/52] Add a GH Action to dump the context This can be useful when debugging why a GH Action failed. Co-authored-by: felddy --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2fdd39d..dbb9b73 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,6 +13,7 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-terraform diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1049da9..346fd81 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -20,6 +20,9 @@ jobs: - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v3 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 lint: needs: - diagnostics From c5e56a21c70e033b2093355b630dd172f85614f2 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 10:36:31 -0400 Subject: [PATCH 35/52] Give the diagnostics job a descriptive name --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 346fd81..53c76f7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,6 +15,7 @@ env: jobs: diagnostics: + name: Run diagnostics runs-on: ubuntu-latest steps: - id: github-status From 9afb516c20153c850088cfcc8318d7df3e68da92 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 10:47:40 -0400 Subject: [PATCH 36/52] Add the step-security/harden-runner GH Action This GH Action is being configured to run in audit mode. It should warn us if an Action is reaching out to an unexpected web address, overwriting source code, etc. Co-authored-by: felddy --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index dbb9b73..17220c6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -18,6 +18,7 @@ updates: # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate + # - dependency-name: step-security/harden-runner package-ecosystem: github-actions schedule: interval: weekly diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 53c76f7..2fda8f7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
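Review bot: `crazy-max/ghaction-dump-context@v2` writes GitHub Actions contexts to the job log, and the workflow-level `env:` (visible in the previous commit's hunk, outside this one) injects `RUN_TMATE: ${{ secrets.RUN_TMATE }}` into every job, so if the action prints the `env` context that secret-derived value is printed as well; GitHub's log masking should redact it, but masking is best-effort and the job logs of a public repository are world-readable. Confirm from the action's documentation which contexts it dumps, and consider scoping `RUN_TMATE` to the single step that needs it instead of the workflow-level `env:`. A comment above the step would record the constraint, e.g. `# Dumps Actions contexts to the (public) job log; do not add secrets to workflow-level env.`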
@@ -18,6 +18,11 @@ jobs: name: Run diagnostics runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v3 From 9dc773cae76fcb144a8fde5b26118e915dea1a03 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 12:44:35 -0400 Subject: [PATCH 37/52] Add a harden-runner task to the lint job as well This task can only provide coverage for the job that contains it. --- .github/workflows/build.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2fda8f7..3fbeff2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,6 +34,11 @@ jobs: - diagnostics runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From bb81ec3a0418359c28fc495524959f9f897557b8 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 30 Aug 2023 15:15:16 -0400 Subject: [PATCH 38/52] Add a reminder We need a reminder add the step-security/harden-runner action at the top of every job. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3fbeff2..e7b75a4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,8 @@ jobs: name: Run diagnostics runs-on: ubuntu-latest steps: + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 From 4dba25d0cc102bb4bf756a2cb457520583dd5a40 Mon Sep 17 00:00:00 2001 
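Review bot: `egress-policy: audit` only records outbound connections and never blocks them, so this step adds visibility but no enforcement; the commit message says so, but the workflow itself should, e.g. `# audit mode logs egress without blocking it; switch to egress-policy: block with allowed-endpoints once the baseline is known.` Because harden-runner is the first step and is what the rest of the job's hardening claims rest on, referencing it by the mutable `@v2` tag is the weakest pin in the job; a full commit SHA with the version in a trailing comment is the usual fix. Note that the step only covers the job it sits in, which the later commits in this series handle by duplicating it into each job.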
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 14:24:37 -0400 Subject: [PATCH 39/52] Enable dependabot ignore directives Enable the new dependabot ignore directives that were added in cisagov/skeleton-generic. --- .github/dependabot.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ae5d290..2b3f26e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,12 +13,12 @@ updates: - dependency-name: actions/checkout - dependency-name: actions/setup-go - dependency-name: actions/setup-python - # - dependency-name: crazy-max/ghaction-dump-context - # - dependency-name: crazy-max/ghaction-github-labeler - # - dependency-name: crazy-max/ghaction-github-status + - dependency-name: crazy-max/ghaction-dump-context + - dependency-name: crazy-max/ghaction-github-labeler + - dependency-name: crazy-max/ghaction-github-status - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate - # - dependency-name: step-security/harden-runner + - dependency-name: step-security/harden-runner package-ecosystem: github-actions schedule: interval: weekly From a6c9bab2c632f8942a4c5c599fef71280ca27e61 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 14:25:11 -0400 Subject: [PATCH 40/52] Remove unnecessary quotes in the dependabot configuration We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic. Co-authored-by: Shane Frasier --- .github/dependabot.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2b3f26e..75be706 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -26,8 +26,8 @@ updates: - directory: / # ignore: # # Managed by cisagov/skeleton-ansible-role - # - dependency-name: "ansible" - # - dependency-name: "ansible-lint" + # - dependency-name: ansible + # - dependency-name: ansible-lint package-ecosystem: pip schedule: interval: weekly From d8654e6b8f69e18b79eac276e4e14985458d4fbf Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 14:59:00 -0400 Subject: [PATCH 41/52] Bump actions/checkout from 3 to 4 This updates the `test` job to match what was pulled down from cisagov/skeleton-generic. --- .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c019482..d98f2c7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -148,7 +148,7 @@ jobs: - default runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index beb90cf..acf5103 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL From 2a249d059ce21f780c834444f17235bd6dc1b3d4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 14:26:54 -0400 Subject: [PATCH 42/52] Update job dependencies for the build.yml workflow Add the `diagnostics` job as a dependency for the `test` job. --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d98f2c7..e83e8d1 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -141,6 +141,8 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE test: + needs: + - diagnostics strategy: fail-fast: false matrix: From b32ab6bc049d7f354c07c43562c28dd18256ba27 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 14:27:52 -0400 Subject: [PATCH 43/52] Add runner hardening to all jobs in our workflows This aligns with what was done to the `lint` job of the build.yml workflow that was inherited from cisagov/skeleton-generic. --- .github/workflows/build.yml | 5 +++++ .github/workflows/codeql-analysis.yml | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e83e8d1..3de600b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -150,6 +150,11 @@ jobs: - default runs-on: ubuntu-latest steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - uses: actions/checkout@v4 - id: setup-python uses: actions/setup-python@v4 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index acf5103..2316716 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -37,6 +37,12 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@v4 From 7efdb923863f41338ca8857740d6137579386d1e Mon Sep 17 00:00:00 2001 
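Review bot: The `test` job gets the same audit-only harden-runner step, but most of this job's network activity happens inside the Docker containers molecule starts (the scenario files use `driver: name: docker`), not in the runner's own process tree; whether harden-runner attributes container egress to the job, or sees it at all, should be confirmed against the action's documentation before its audit output is treated as the baseline for a later `block` policy. If containers are not covered, say so above the step, e.g. `# NOTE: audit covers runner-level egress; traffic from molecule containers may not be captured.` The `codeql-analysis.yml` hunk carries the same audit-only caveat.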
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 14:30:01 -0400 Subject: [PATCH 44/52] Adjust key ordering for the `test` job Ensure that top-level keys except for `steps` are alphabetically sorted. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3de600b..2a79d87 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -143,12 +143,12 @@ jobs: test: needs: - diagnostics + runs-on: ubuntu-latest strategy: fail-fast: false matrix: scenario: - default - runs-on: ubuntu-latest steps: - id: harden-runner name: Harden the runner From 530576b0ea3e4c3e515c69ebd157740b9918579d Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Sep 2023 16:40:03 -0400 Subject: [PATCH 45/52] Remove unnecessary quotes in the codeql-analysis.yml workflow We generally only use quotes when they are strictly necessary to ensure data is interpreted as a string value. This mirrors what was done to the configurations inherited from cisagov/skeleton-generic. --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2316716..7493256 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -4,7 +4,7 @@ # # You may wish to alter this file to override the set of languages analyzed, # or to provide custom queries or build logic. -name: "CodeQL" +name: CodeQL on: push: From e95447203ab1433bc9043458ba0c4a9e85a9794d Mon Sep 17 00:00:00 2001 
From: Michael Saki Date: Fri, 18 Aug 2023 15:28:38 -0500 Subject: [PATCH 46/52] Add systemd-enabled molecule scenario --- .github/workflows/build.yml | 1 + .pre-commit-config.yaml | 2 +- molecule/systemd-enabled/INSTALL.rst | 1 + molecule/systemd-enabled/converge.yml | 1 + .../systemd-enabled/molecule-no-systemd.yml | 1 + .../systemd-enabled/molecule-with-systemd.yml | 97 +++++++++++++++++++ molecule/systemd-enabled/molecule.yml | 1 + molecule/systemd-enabled/prepare.yml | 1 + molecule/systemd-enabled/requirements.yml | 1 + .../systemd-enabled/tests/test_default.py | 1 + molecule/systemd-enabled/upgrade.yml | 1 + 11 files changed, 107 insertions(+), 1 deletion(-) create mode 120000 molecule/systemd-enabled/INSTALL.rst create mode 120000 molecule/systemd-enabled/converge.yml create mode 120000 molecule/systemd-enabled/molecule-no-systemd.yml create mode 100644 molecule/systemd-enabled/molecule-with-systemd.yml create mode 120000 molecule/systemd-enabled/molecule.yml create mode 120000 molecule/systemd-enabled/prepare.yml create mode 120000 molecule/systemd-enabled/requirements.yml create mode 120000 molecule/systemd-enabled/tests/test_default.py create mode 120000 molecule/systemd-enabled/upgrade.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2a79d87..bc24d06 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -149,6 +149,7 @@ jobs: matrix: scenario: - default + - systemd-enabled steps: - id: harden-runner name: Harden the runner diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9ea185a..caba9b1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -111,7 +111,7 @@ repos: hooks: - id: bandit # Bandit complains about the use of assert() in tests - exclude: molecule/default/tests + exclude: molecule/(default|systemd-enabled)/tests args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror 
diff --git a/molecule/systemd-enabled/INSTALL.rst b/molecule/systemd-enabled/INSTALL.rst new file mode 120000 index 0000000..42b71d5 --- /dev/null +++ b/molecule/systemd-enabled/INSTALL.rst @@ -0,0 +1 @@ +../default/INSTALL.rst \ No newline at end of file diff --git a/molecule/systemd-enabled/converge.yml b/molecule/systemd-enabled/converge.yml new file mode 120000 index 0000000..73cb8da --- /dev/null +++ b/molecule/systemd-enabled/converge.yml @@ -0,0 +1 @@ +../default/converge.yml \ No newline at end of file diff --git a/molecule/systemd-enabled/molecule-no-systemd.yml b/molecule/systemd-enabled/molecule-no-systemd.yml new file mode 120000 index 0000000..6b254f5 --- /dev/null +++ b/molecule/systemd-enabled/molecule-no-systemd.yml @@ -0,0 +1 @@ +../default/molecule-no-systemd.yml \ No newline at end of file diff --git a/molecule/systemd-enabled/molecule-with-systemd.yml b/molecule/systemd-enabled/molecule-with-systemd.yml new file mode 100644 index 0000000..2a0d816 --- /dev/null +++ b/molecule/systemd-enabled/molecule-with-systemd.yml 
@@ -0,0 +1,97 @@ +--- +# This molecule configuration file is suitable for testing Ansible +# roles that _do_ require SystemD. If your Ansible role _does not_ +# require SystemD then you should use molecule-no-systemd.yml instead. +# +# Note that the molecule configuration file that is symlinked to +# molecule.yml is the one that will be used. +dependency: + name: galaxy +driver: + name: docker +platforms: + - cgroupns_mode: host + command: /lib/systemd/systemd + image: geerlingguy/docker-amazonlinux2023-ansible:latest + name: amazonlinux2023-systemd + platform: amd64 + pre_build_image: yes + privileged: yes + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: geerlingguy/docker-debian10-ansible:latest + name: debian10-systemd + platform: amd64 + pre_build_image: yes + privileged: yes + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: geerlingguy/docker-debian11-ansible:latest + name: debian11-systemd + platform: amd64 + pre_build_image: yes + privileged: yes + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: cisagov/docker-debian12-ansible:latest + name: debian12-systemd + platform: amd64 + pre_build_image: yes + privileged: yes + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: cisagov/docker-kali-ansible:latest + name: kali-systemd + platform: amd64 + pre_build_image: yes + privileged: yes + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: geerlingguy/docker-fedora37-ansible:latest + name: fedora37-systemd + platform: amd64 + pre_build_image: yes + privileged: yes + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: geerlingguy/docker-fedora38-ansible:latest + name: fedora38-systemd + platform: amd64 + 
pre_build_image: yes + privileged: yes + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: geerlingguy/docker-ubuntu2004-ansible:latest + name: ubuntu-20-systemd + platform: amd64 + pre_build_image: yes + privileged: yes + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: geerlingguy/docker-ubuntu2204-ansible:latest + name: ubuntu-22-systemd + platform: amd64 + pre_build_image: yes + privileged: yes + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw +scenario: + name: systemd-enabled +verifier: + name: testinfra diff --git a/molecule/systemd-enabled/molecule.yml b/molecule/systemd-enabled/molecule.yml new file mode 120000 index 0000000..dcffcb2 --- /dev/null +++ b/molecule/systemd-enabled/molecule.yml @@ -0,0 +1 @@ +molecule-with-systemd.yml \ No newline at end of file diff --git a/molecule/systemd-enabled/prepare.yml b/molecule/systemd-enabled/prepare.yml new file mode 120000 index 0000000..1c017d9 --- /dev/null +++ b/molecule/systemd-enabled/prepare.yml @@ -0,0 +1 @@ +../default/prepare.yml \ No newline at end of file diff --git a/molecule/systemd-enabled/requirements.yml b/molecule/systemd-enabled/requirements.yml new file mode 120000 index 0000000..b6f4a01 --- /dev/null +++ b/molecule/systemd-enabled/requirements.yml @@ -0,0 +1 @@ +../default/requirements.yml \ No newline at end of file diff --git a/molecule/systemd-enabled/tests/test_default.py b/molecule/systemd-enabled/tests/test_default.py new file mode 120000 index 0000000..bc5a562 --- /dev/null +++ b/molecule/systemd-enabled/tests/test_default.py @@ -0,0 +1 @@ +../../default/tests/test_default.py \ No newline at end of file diff --git a/molecule/systemd-enabled/upgrade.yml b/molecule/systemd-enabled/upgrade.yml new file mode 120000 index 0000000..47a9638 --- /dev/null +++ b/molecule/systemd-enabled/upgrade.yml @@ -0,0 +1 @@ +../default/upgrade.yml \ No newline at end of file 
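Review bot: Every platform sets `privileged: yes` together with `cgroupns_mode: host` and an `rw` bind of `/sys/fs/cgroup`, which grants the container all capabilities, disables Docker's default seccomp/AppArmor confinement and gives write access to the host's cgroup tree, so a malicious image or a role bug is effectively root on the CI host; that is the price of booting systemd as PID 1, but the file should say so, e.g. `# privileged + host cgroup namespace + rw cgroup mount are needed to run systemd as PID 1; only run on disposable hosts.` The boolean values use `yes` rather than `true`; the project runs yamllint and ansible-lint, both of which prefer `true`/`false`, and `yes` is a boolean only under YAML 1.1 rules. All nine images are `:latest`, so results are not reproducible and an upstream image push changes what the matrix tests without any change here; a version tag or digest would fix that.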
From 8deb1f91c7c44a64a951cb85d609f4b2f348960f Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 21 Aug 2023 10:53:24 -0500 Subject: [PATCH 47/52] Change symlink for molecule.yml to default scenario --- molecule/systemd_enabled/molecule.yml | 1 + 1 file changed, 1 insertion(+) create mode 120000 molecule/systemd_enabled/molecule.yml diff --git a/molecule/systemd_enabled/molecule.yml b/molecule/systemd_enabled/molecule.yml new file mode 120000 index 0000000..29dc0fa --- /dev/null +++ b/molecule/systemd_enabled/molecule.yml @@ -0,0 +1 @@ +../default/molecule-with-systemd.yml \ No newline at end of file From ce845dcbd127c9e5a50512c810a4490856b76306 Mon Sep 17 00:00:00 2001 
From: Michael Saki Date: Mon, 21 Aug 2023 10:54:08 -0500 Subject: [PATCH 48/52] Rename molecule scenario to systemd_enabled --- molecule/systemd-enabled/molecule.yml | 1 - molecule/{systemd-enabled => systemd_enabled}/INSTALL.rst | 0 molecule/{systemd-enabled => systemd_enabled}/converge.yml | 0 .../{systemd-enabled => systemd_enabled}/molecule-no-systemd.yml | 0 .../molecule-with-systemd.yml | 0 molecule/{systemd-enabled => systemd_enabled}/prepare.yml | 0 molecule/{systemd-enabled => systemd_enabled}/requirements.yml | 0 .../{systemd-enabled => systemd_enabled}/tests/test_default.py | 0 molecule/{systemd-enabled => systemd_enabled}/upgrade.yml | 0 9 files changed, 1 deletion(-) delete mode 120000 molecule/systemd-enabled/molecule.yml rename molecule/{systemd-enabled => systemd_enabled}/INSTALL.rst (100%) rename molecule/{systemd-enabled => systemd_enabled}/converge.yml (100%) rename molecule/{systemd-enabled => systemd_enabled}/molecule-no-systemd.yml (100%) rename molecule/{systemd-enabled => systemd_enabled}/molecule-with-systemd.yml (100%) rename molecule/{systemd-enabled => systemd_enabled}/prepare.yml (100%) rename molecule/{systemd-enabled => systemd_enabled}/requirements.yml (100%) rename molecule/{systemd-enabled => systemd_enabled}/tests/test_default.py (100%) rename molecule/{systemd-enabled => systemd_enabled}/upgrade.yml (100%) diff --git a/molecule/systemd-enabled/molecule.yml b/molecule/systemd-enabled/molecule.yml deleted file mode 120000 index dcffcb2..0000000 --- a/molecule/systemd-enabled/molecule.yml +++ /dev/null @@ -1 +0,0 @@ -molecule-with-systemd.yml \ No newline at end of file diff --git a/molecule/systemd-enabled/INSTALL.rst b/molecule/systemd_enabled/INSTALL.rst similarity index 100% rename from molecule/systemd-enabled/INSTALL.rst rename to molecule/systemd_enabled/INSTALL.rst 
diff --git a/molecule/systemd-enabled/converge.yml b/molecule/systemd_enabled/converge.yml similarity index 100% rename from molecule/systemd-enabled/converge.yml rename to molecule/systemd_enabled/converge.yml diff --git a/molecule/systemd-enabled/molecule-no-systemd.yml b/molecule/systemd_enabled/molecule-no-systemd.yml similarity index 100% rename from molecule/systemd-enabled/molecule-no-systemd.yml rename to molecule/systemd_enabled/molecule-no-systemd.yml diff --git a/molecule/systemd-enabled/molecule-with-systemd.yml b/molecule/systemd_enabled/molecule-with-systemd.yml similarity index 100% rename from molecule/systemd-enabled/molecule-with-systemd.yml rename to molecule/systemd_enabled/molecule-with-systemd.yml diff --git a/molecule/systemd-enabled/prepare.yml b/molecule/systemd_enabled/prepare.yml similarity index 100% rename from molecule/systemd-enabled/prepare.yml rename to molecule/systemd_enabled/prepare.yml diff --git a/molecule/systemd-enabled/requirements.yml b/molecule/systemd_enabled/requirements.yml similarity index 100% rename from molecule/systemd-enabled/requirements.yml rename to molecule/systemd_enabled/requirements.yml diff --git a/molecule/systemd-enabled/tests/test_default.py b/molecule/systemd_enabled/tests/test_default.py similarity index 100% rename from molecule/systemd-enabled/tests/test_default.py rename to molecule/systemd_enabled/tests/test_default.py diff --git a/molecule/systemd-enabled/upgrade.yml b/molecule/systemd_enabled/upgrade.yml similarity index 100% rename from molecule/systemd-enabled/upgrade.yml rename to molecule/systemd_enabled/upgrade.yml From d25c30b85b381a6b89a71767868dfb2ddb2ce395 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 21 Aug 2023 14:30:44 -0500 Subject: [PATCH 49/52] Fix typos for systemd_enabled --- .github/workflows/build.yml | 2 +- .pre-commit-config.yaml | 2 +- molecule/systemd_enabled/molecule-with-systemd.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bc24d06..be2fff7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -149,7 +149,7 @@ jobs: matrix: scenario: - default - - systemd-enabled + - systemd_enabled steps: - id: harden-runner name: Harden the runner diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index caba9b1..efe389b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -111,7 +111,7 @@ repos: hooks: - id: bandit # Bandit complains about the use of assert() in tests - exclude: molecule/(default|systemd-enabled)/tests + exclude: molecule/(default|systemd_enabled)/tests args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror diff --git a/molecule/systemd_enabled/molecule-with-systemd.yml b/molecule/systemd_enabled/molecule-with-systemd.yml index 2a0d816..46056c2 100644 --- a/molecule/systemd_enabled/molecule-with-systemd.yml +++ b/molecule/systemd_enabled/molecule-with-systemd.yml @@ -92,6 +92,6 @@ platforms: volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw scenario: - name: systemd-enabled + name: systemd_enabled verifier: name: testinfra From dded0d24cf3be65201f9f4037b3f7fdfcf006193 Mon Sep 17 00:00:00 2001 From: Michael Saki Date: Mon, 21 Aug 2023 14:31:59 -0500 Subject: [PATCH 50/52] Add systemd_enabled scenario to molecule.yml --- molecule/systemd_enabled/molecule.yml | 98 ++++++++++++++++++++++++++- 1 file changed, 97 insertions(+), 1 deletion(-) mode change 120000 => 100644 molecule/systemd_enabled/molecule.yml diff --git a/molecule/systemd_enabled/molecule.yml b/molecule/systemd_enabled/molecule.yml deleted file mode 120000 index 29dc0fa..0000000 --- a/molecule/systemd_enabled/molecule.yml +++ /dev/null @@ -1 +0,0 @@ -../default/molecule-with-systemd.yml \ No newline at end of file diff --git a/molecule/systemd_enabled/molecule.yml b/molecule/systemd_enabled/molecule.yml new file mode 100644 index 0000000..46056c2 --- /dev/null 
+++ b/molecule/systemd_enabled/molecule.yml 
@@ -0,0 +1,97 @@
+---
+# This molecule configuration file is suitable for testing Ansible
+# roles that _do_ require SystemD. If your Ansible role _does not_
+# require SystemD then you should use molecule-no-systemd.yml instead.
+#
+# Note that the molecule configuration file that is symlinked to
+# molecule.yml is the one that will be used.
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: geerlingguy/docker-amazonlinux2023-ansible:latest
+ name: amazonlinux2023-systemd
+ platform: amd64
+ pre_build_image: yes
+ privileged: yes
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: geerlingguy/docker-debian10-ansible:latest
+ name: debian10-systemd
+ platform: amd64
+ pre_build_image: yes
+ privileged: yes
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: geerlingguy/docker-debian11-ansible:latest
+ name: debian11-systemd
+ platform: amd64
+ pre_build_image: yes
+ privileged: yes
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: cisagov/docker-debian12-ansible:latest
+ name: debian12-systemd
+ platform: amd64
+ pre_build_image: yes
+ privileged: yes
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: cisagov/docker-kali-ansible:latest
+ name: kali-systemd
+ platform: amd64
+ pre_build_image: yes
+ privileged: yes
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: geerlingguy/docker-fedora37-ansible:latest
+ name: fedora37-systemd
+ platform: amd64
+ pre_build_image: yes
+ privileged: yes
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: geerlingguy/docker-fedora38-ansible:latest
+ name: fedora38-systemd
+ platform: amd64
+ pre_build_image: yes
+ privileged: yes
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: geerlingguy/docker-ubuntu2004-ansible:latest
+ name: ubuntu-20-systemd
+ platform: amd64
+ pre_build_image: yes
+ privileged: yes
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: geerlingguy/docker-ubuntu2204-ansible:latest
+ name: ubuntu-22-systemd
+ platform: amd64
+ pre_build_image: yes
+ privileged: yes
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+scenario:
+ name: systemd_enabled
+verifier:
+ name: testinfra
From a6e294993e779e91b24a26ae6ab3042b66fe7037 Mon Sep 17 00:00:00 2001
From: Michael Saki
Date: Mon, 18 Sep 2023 16:03:31 -0500
Subject: [PATCH 51/52] Add symlink to the default scenario molecule-with-systemd
---
 .../systemd_enabled/molecule-with-systemd.yml | 98 +------------------
 1 file changed, 1 insertion(+), 97 deletions(-)
 mode change 100644 => 120000 molecule/systemd_enabled/molecule-with-systemd.yml
diff --git a/molecule/systemd_enabled/molecule-with-systemd.yml b/molecule/systemd_enabled/molecule-with-systemd.yml
deleted file mode 100644
index 46056c2..0000000
--- a/molecule/systemd_enabled/molecule-with-systemd.yml
+++ /dev/null
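Review bot: Every platform entry in this new molecule.yml uses `pre_build_image: yes` and `privileged: yes`, YAML 1.1 truthy spellings that yamllint's `truthy` rule rejects and that a YAML 1.2 parser reads as the string "yes" rather than a boolean; write `pre_build_image: true` and `privileged: true` (the same values recur in the removed copies of this file later in the series). The header comment is also stale for this file: it says that "the molecule configuration file that is symlinked to molecule.yml is the one that will be used" and points the reader at molecule-no-systemd.yml, but the file being added is molecule.yml itself as a regular file, so a header such as `# molecule.yml for the systemd_enabled scenario: each platform runs /lib/systemd/systemd as its container command, which is why every entry is privileged and mounts /sys/fs/cgroup read-write.` would describe what the file does and why the broad container grant is present. The content is byte-for-byte the systemd_enabled/molecule-with-systemd.yml blob from the previous commit (both are index 46056c2), so a symlink like the one this commit removes, or a comment naming the file it must be kept in sync with, would prevent the two copies from drifting; I cannot tell from this hunk alone which of the two is meant to be the source of truth.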
@@ -1,97 +0,0 @@
----
-# This molecule configuration file is suitable for testing Ansible
-# roles that _do_ require SystemD. If your Ansible role _does not_
-# require SystemD then you should use molecule-no-systemd.yml instead.
-#
-# Note that the molecule configuration file that is symlinked to
-# molecule.yml is the one that will be used.
-dependency:
- name: galaxy
-driver:
- name: docker
-platforms:
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-amazonlinux2023-ansible:latest
- name: amazonlinux2023-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-debian10-ansible:latest
- name: debian10-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-debian11-ansible:latest
- name: debian11-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: cisagov/docker-debian12-ansible:latest
- name: debian12-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: cisagov/docker-kali-ansible:latest
- name: kali-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-fedora37-ansible:latest
- name: fedora37-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-fedora38-ansible:latest
- name: fedora38-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-ubuntu2004-ansible:latest
- name: ubuntu-20-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-ubuntu2204-ansible:latest
- name: ubuntu-22-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
-scenario:
- name: systemd_enabled
-verifier:
- name: testinfra
diff --git a/molecule/systemd_enabled/molecule-with-systemd.yml b/molecule/systemd_enabled/molecule-with-systemd.yml
new file mode 120000
index 0000000..29dc0fa
--- /dev/null
+++ b/molecule/systemd_enabled/molecule-with-systemd.yml
@@ -0,0 +1 @@
+../default/molecule-with-systemd.yml
\ No newline at end of file
From 0010bd76272b2d4d9eae8bda8c1ad9bcf473a34b Mon Sep 17 00:00:00 2001
From: Jeremy Morrow
Date: Wed, 4 Oct 2023 14:39:48 -0400
Subject: [PATCH 52/52] Remove systemd_enabled molecule scenario and github workflow reference
---
 .github/workflows/build.yml | 1 -
 molecule/systemd_enabled/INSTALL.rst | 1 -
 molecule/systemd_enabled/converge.yml | 1 -
 .../systemd_enabled/molecule-no-systemd.yml | 1 -
 .../systemd_enabled/molecule-with-systemd.yml | 1 -
 molecule/systemd_enabled/molecule.yml | 97 -------------------
 molecule/systemd_enabled/prepare.yml | 1 -
 molecule/systemd_enabled/requirements.yml | 1 -
 .../systemd_enabled/tests/test_default.py | 1 -
 molecule/systemd_enabled/upgrade.yml | 1 -
 10 files changed, 106 deletions(-)
 delete mode 120000 molecule/systemd_enabled/INSTALL.rst
 delete mode 120000 molecule/systemd_enabled/converge.yml
 delete mode 120000 molecule/systemd_enabled/molecule-no-systemd.yml
 delete mode 120000 molecule/systemd_enabled/molecule-with-systemd.yml
 delete mode 100644 molecule/systemd_enabled/molecule.yml
 delete mode 120000 molecule/systemd_enabled/prepare.yml
 delete mode 120000 molecule/systemd_enabled/requirements.yml
 delete mode 120000 molecule/systemd_enabled/tests/test_default.py
 delete mode 120000 molecule/systemd_enabled/upgrade.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index be2fff7..2a79d87 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -149,7 +149,6 @@ jobs: matrix: scenario: - default - - systemd_enabled steps: - id: harden-runner name: Harden the runner
diff --git a/molecule/systemd_enabled/INSTALL.rst b/molecule/systemd_enabled/INSTALL.rst
deleted file mode 120000
index 42b71d5..0000000
--- a/molecule/systemd_enabled/INSTALL.rst
+++ /dev/null
@@ -1 +0,0 @@
-../default/INSTALL.rst
\ No newline at end of file
diff --git a/molecule/systemd_enabled/converge.yml b/molecule/systemd_enabled/converge.yml
deleted file mode 120000
index 73cb8da..0000000
--- a/molecule/systemd_enabled/converge.yml
+++ /dev/null
@@ -1 +0,0 @@
-../default/converge.yml
\ No newline at end of file
diff --git a/molecule/systemd_enabled/molecule-no-systemd.yml b/molecule/systemd_enabled/molecule-no-systemd.yml
deleted file mode 120000
index 6b254f5..0000000
--- a/molecule/systemd_enabled/molecule-no-systemd.yml
+++ /dev/null
@@ -1 +0,0 @@
-../default/molecule-no-systemd.yml
\ No newline at end of file
diff --git a/molecule/systemd_enabled/molecule-with-systemd.yml b/molecule/systemd_enabled/molecule-with-systemd.yml
deleted file mode 120000
index 29dc0fa..0000000
--- a/molecule/systemd_enabled/molecule-with-systemd.yml
+++ /dev/null
@@ -1 +0,0 @@
-../default/molecule-with-systemd.yml
\ No newline at end of file
diff --git a/molecule/systemd_enabled/molecule.yml b/molecule/systemd_enabled/molecule.yml
deleted file mode 100644
index 46056c2..0000000
--- a/molecule/systemd_enabled/molecule.yml
+++ /dev/null
@@ -1,97 +0,0 @@
----
-# This molecule configuration file is suitable for testing Ansible
-# roles that _do_ require SystemD. If your Ansible role _does not_
-# require SystemD then you should use molecule-no-systemd.yml instead.
-#
-# Note that the molecule configuration file that is symlinked to
-# molecule.yml is the one that will be used.
-dependency:
- name: galaxy
-driver:
- name: docker
-platforms:
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-amazonlinux2023-ansible:latest
- name: amazonlinux2023-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-debian10-ansible:latest
- name: debian10-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-debian11-ansible:latest
- name: debian11-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: cisagov/docker-debian12-ansible:latest
- name: debian12-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: cisagov/docker-kali-ansible:latest
- name: kali-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-fedora37-ansible:latest
- name: fedora37-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-fedora38-ansible:latest
- name: fedora38-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-ubuntu2004-ansible:latest
- name: ubuntu-20-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- - cgroupns_mode: host
- command: /lib/systemd/systemd
- image: geerlingguy/docker-ubuntu2204-ansible:latest
- name: ubuntu-22-systemd
- platform: amd64
- pre_build_image: yes
- privileged: yes
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
-scenario:
- name: systemd_enabled
-verifier:
- name: testinfra
diff --git a/molecule/systemd_enabled/prepare.yml b/molecule/systemd_enabled/prepare.yml
deleted file mode 120000
index 1c017d9..0000000
--- a/molecule/systemd_enabled/prepare.yml
+++ /dev/null
@@ -1 +0,0 @@
-../default/prepare.yml
\ No newline at end of file
diff --git a/molecule/systemd_enabled/requirements.yml b/molecule/systemd_enabled/requirements.yml
deleted file mode 120000
index b6f4a01..0000000
--- a/molecule/systemd_enabled/requirements.yml
+++ /dev/null
@@ -1 +0,0 @@
-../default/requirements.yml
\ No newline at end of file
diff --git a/molecule/systemd_enabled/tests/test_default.py b/molecule/systemd_enabled/tests/test_default.py
deleted file mode 120000
index bc5a562..0000000
--- a/molecule/systemd_enabled/tests/test_default.py
+++ /dev/null
@@ -1 +0,0 @@
-../../default/tests/test_default.py
\ No newline at end of file
diff --git a/molecule/systemd_enabled/upgrade.yml b/molecule/systemd_enabled/upgrade.yml
deleted file mode 120000
index 47a9638..0000000
--- a/molecule/systemd_enabled/upgrade.yml
+++ /dev/null
@@ -1 +0,0 @@
-../default/upgrade.yml
\ No newline at end of file