Improve security with scorecard changes and smaller fixes

.github/workflows/ansible-doc-validation.yml

@@ -11,15 +11,17 @@ env:
   COLLECTION_NAMESPACE: cisco
   COLLECTION_NAME: catalystwan
 
+permissions: read-all
+
 jobs:
   documentation-check:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: '3.10'
 

.github/workflows/galaxy-importer.yml

@@ -12,17 +12,19 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 jobs:
   galaxy-importer:
     runs-on:
       - ubuntu-latest
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: '3.10'
 

.github/workflows/linters.yml

@@ -7,6 +7,8 @@ on:
     branches:
       - master
 
+permissions: read-all
+
 jobs:
   analyze-code:
     runs-on: ubuntu-latest
@@ -19,10 +21,10 @@ jobs:
 
     steps:
       - name: Check out the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: '3.10'
 
@@ -37,10 +39,10 @@ jobs:
         run: pycln --all .
 
       - name: Run check-yaml, end-of-file-fixer, trailing-whitespace
-        uses: pre-commit/[email protected].0
+        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 
       - name: Run ansible-lint
-        uses: ansible/ansible-lint@main # or version tag instead of 'main'
+        uses: ansible/ansible-lint@95382d398ea1744bf6bfa47b030f14c38b3f6957 # v24.7.0
 
       - name: Install detect-secrets
         run: pip install detect-secrets==1.4.0

.github/workflows/release-from-tag.yml

@@ -5,17 +5,19 @@ on:
     tags:
       - 'v*.*.*'
 
+permissions: read-all
+
 jobs:
   publish-release:
     runs-on:
       - ubuntu-latest
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: '3.10'
 

.github/workflows/scorecard.yml

@@ -23,7 +23,7 @@ jobs:
     permissions:
       id-token: write
       security-events: write
-    secrets: inherit
+    secrets: inherit  # pragma: allowlist secret
     with:
       # Publish results of Scorecard analysis
       publish-results: true

.gitignore

@@ -21,3 +21,4 @@ playbooks/tests/payload*
 playbooks/tests/response*
 playbooks/tests/backup
 playbooks/tests/templates
+playbooks/tests/templates_export

README.md

@@ -5,7 +5,7 @@
 Reusable Ansible modules and roles that will help to automate Cisco
 SD-WAN management (post bringup operations, day0, day1).
 
-All modules are based on [catalystwan](https://github.com/CiscoDevNet/catalystwan).
+All modules are based on [catalystwan](https://github.com/cisco-open/cisco-catalyst-wan-sdk).
 
 Collection available on Ansible Galaxy: [cisco.catalystwan](https://galaxy.ansible.com/ui/repo/published/cisco/catalystwan/)
 

docs/CONTRIBUTING.md

@@ -54,8 +54,16 @@ testing your code.
 
 ### Dependencies in requirements.txt
 
-Dependencies defined for development are later used to generate `requirements.txt` file with command:
+All dependencies are updated via `poetry` tool. Dependencies defined for development are later used to generate `requirements.txt` file with command:
 
 ```bash
 poetry export --without-hashes --format=requirements.txt > requirements.txt
 ```
+
+---
+
+## Release process
+
+According to [release workflow inside .github workflows](../.github/workflows/release-from-tag.yml) collection publication to Ansible Galaxy will happen when admin of the repository will push new tag.
+This tag must much version used in [galaxy.yml](../galaxy.yml) file.
+Release will happen only if desired version was not published on Ansible Galaxy yet.

playbooks/tests/test_module_device_templates_recovery.yml

@@ -21,15 +21,16 @@
     - name: 1. Perform backup of all non factory default Device Templates
       cisco.catalystwan.device_templates_recovery:
         mode: backup
-        backup_dir_path: "/Users/acichon/Work/cisco-open/ansible-collection-catalystwan/templates_export"
+        backup_dir_path: "./templates_export"
         manager_credentials:
           <<: *manager_authentication
 
-    - name: 2. Get all Device Templates that are not attached to any device
+    - name: 2. Get all Device Templates that are not attached to any device and are Feature based
       cisco.catalystwan.device_templates_info:
         filters:
           devices_attached: 0
           factory_default: false
+          config_type: template
         manager_credentials:
           <<: *manager_authentication
       register: device_templates
@@ -68,6 +69,6 @@
     - name: 6. Restore Templates from backup directory
       cisco.catalystwan.device_templates_recovery:
         mode: restore
-        backup_dir_path: "/Users/acichon/Work/cisco-open/ansible-collection-catalystwan/templates_export"
+        backup_dir_path: "./templates_export"
         manager_credentials:
           <<: *manager_authentication

plugins/modules/device_templates_info.py

@@ -20,9 +20,9 @@
     type: dict
     required: false
     suboptions:
-      template_type:
+      config_type:
         description:
-          - The type of template, eg. "system-vsmart
+          - The type of template, file == cli, template == feature
         required: false
         default: null
         type: str

plugins/modules/device_templates_recovery.py

@@ -36,9 +36,9 @@
     type: dict
     required: false
     suboptions:
-      template_type:
+      config_type:
         description:
-          - The type of template, eg. "system-vsmart
+          - The type of template, file == cli, template == feature
         required: false
         default: null
         type: str

plugins/modules/feature_templates_info.py

@@ -21,7 +21,7 @@
     suboptions:
       template_type:
         description:
-          - The type of template, eg. "system-vsmart
+          - The type of template, file == cli, template == feature
         required: false
         default: null
         type: str

pyproject.toml

@@ -9,11 +9,13 @@ readme = "README.md"
 python = "^3.10"
 ansible-core = "^2.16.6"
 ansible = "^9.4.0"
-catalystwan = "v0.33.8dev7"
+catalystwan = "v0.34.0dev2"
 flake8 = "^5.0.4"
-black = "^23.12.1"
+black = "^24.3.0"
 pre-commit = "3.7"
 pydantic = "2.7"
+requests = "2.32.2"
+urllib3 = "2.2.2"
 ansible-lint = { version = "6.22.2", markers = "platform_system != 'Windows'" }
 
 [tool.poetry.group.dev.dependencies]

requirements.txt

@@ -5,9 +5,9 @@ ansible-lint==6.22.2 ; python_version >= "3.10" and python_version < "4.0" and p
 ansible==9.4.0 ; python_version >= "3.10" and python_version < "4.0"
 args==0.1.0 ; python_version >= "3.10" and python_version < "4.0"
 attrs==21.4.0 ; python_version >= "3.10" and python_version < "4.0"
-black==23.12.1 ; python_version >= "3.10" and python_version < "4.0"
+black==24.8.0 ; python_version >= "3.10" and python_version < "4.0"
 bracex==2.4 ; python_version >= "3.10" and python_version < "4.0" and platform_system != "Windows"
-catalystwan==0.33.6.post0 ; python_version >= "3.10" and python_version < "4.0"
+catalystwan==0.34.0.dev2 ; python_version >= "3.10" and python_version < "4.0"
 certifi==2024.2.2 ; python_version >= "3.10" and python_version < "4.0"
 cffi==1.16.0 ; python_version >= "3.10" and python_version < "4.0" and platform_python_implementation != "PyPy"
 cfgv==3.4.0 ; python_version >= "3.10" and python_version < "4.0"
@@ -50,7 +50,7 @@ pyrsistent==0.20.0 ; python_version >= "3.10" and python_version < "4.0" and pla
 python-dateutil==2.9.0.post0 ; python_version >= "3.10" and python_version < "4.0"
 pyyaml==6.0.1 ; python_version >= "3.10" and python_version < "4.0"
 requests-toolbelt==1.0.0 ; python_version >= "3.10" and python_version < "4.0"
-requests==2.31.0 ; python_version >= "3.10" and python_version < "4.0"
+requests==2.32.2 ; python_version >= "3.10" and python_version < "4.0"
 resolvelib==1.0.1 ; python_version >= "3.10" and python_version < "4.0"
 rich==13.7.1 ; python_version >= "3.10" and python_version < "4.0" and platform_system != "Windows"
 ruamel-yaml-clib==0.2.8 ; platform_python_implementation == "CPython" and python_version < "3.13" and python_version >= "3.10" and platform_system != "Windows"
@@ -62,7 +62,7 @@ tenacity==8.2.3 ; python_version >= "3.10" and python_version < "4.0"
 toml==0.10.2 ; python_version >= "3.10" and python_version < "4.0"
 tomli==2.0.1 ; python_version >= "3.10" and python_version < "3.11"
 typing-extensions==4.11.0 ; python_version >= "3.10" and python_version < "4.0"
-urllib3==2.2.1 ; python_version >= "3.10" and python_version < "4.0"
+urllib3==2.2.2 ; python_version >= "3.10" and python_version < "4.0"
 virtualenv==20.25.3 ; python_version >= "3.10" and python_version < "4.0"
 wcmatch==8.5.1 ; python_version >= "3.10" and python_version < "4.0" and platform_system != "Windows"
 win32-setctime==1.1.0 ; python_version >= "3.10" and python_version < "4.0" and sys_platform == "win32"