Merge remote-tracking branch 'skeleton-docker/develop' into lineage/s…
…keleton
jsf9k committed Dec 7, 2023

2 parents 1179c03 + 1ea8a3f commit cb690c6
Showing 8 changed files with 211 additions and 85 deletions.
2 changes: 1 addition & 1 deletion .bandit.yml
@@ -3,7 +3,7 @@
# https://bandit.readthedocs.io/en/latest/config.html

# Tests are first included by `tests`, and then excluded by `skips`.
# If `tests` is empty, all tests are are considered included.
# If `tests` is empty, all tests are considered included.

tests:
# - B101
35 changes: 17 additions & 18 deletions .github/dependabot.yml
@@ -5,25 +5,25 @@
# these updates when the pull request(s) in the appropriate skeleton are merged
# and Lineage processes these changes.

version: 2
updates:
- package-ecosystem: "docker"
directory: "/"
- directory: /
package-ecosystem: docker
schedule:
interval: "weekly"
interval: weekly

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
- directory: /
ignore:
# Managed by cisagov/skeleton-generic
- dependency-name: actions/cache
- dependency-name: actions/checkout
- dependency-name: actions/setup-go
- dependency-name: actions/setup-python
- dependency-name: crazy-max/ghaction-dump-context
- dependency-name: crazy-max/ghaction-github-labeler
- dependency-name: crazy-max/ghaction-github-status
- dependency-name: hashicorp/setup-terraform
- dependency-name: mxschmitt/action-tmate
- dependency-name: step-security/harden-runner
# Managed by cisagov/skeleton-docker
- dependency-name: actions/download-artifact
- dependency-name: actions/github-script
@@ -33,18 +33,17 @@ updates:
- dependency-name: docker/setup-buildx-action
- dependency-name: docker/setup-qemu-action
- dependency-name: github/codeql-action

- package-ecosystem: "pip"
directory: "/"
package-ecosystem: github-actions
schedule:
interval: "weekly"
interval: weekly

- package-ecosystem: "pip"
directory: "/src"
- directory: /src
package-ecosystem: pip
schedule:
interval: "weekly"
interval: weekly

- package-ecosystem: "terraform"
directory: "/"
- directory: /
package-ecosystem: terraform
schedule:
interval: "weekly"
interval: weekly
version: 2
111 changes: 90 additions & 21 deletions .github/workflows/build.yml
@@ -36,15 +36,39 @@ env:
RUN_TMATE: ${{ secrets.RUN_TMATE }}

jobs:
diagnostics:
name: Run diagnostics
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v3
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
lint:
# Checks out the source and runs pre-commit hooks. Detects coding errors
# and style deviations.
name: "Lint sources"
name: Lint sources
needs:
- diagnostics
runs-on: ubuntu-latest
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: setup-env
uses: cisagov/setup-env-github-action@develop
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v4
with:
@@ -105,11 +129,26 @@ jobs:
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
- name: Install go-critic
env:
PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install gosec
env:
PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install shfmt
env:
PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install staticcheck
env:
PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
- name: Install Terraform-docs
env:
PACKAGE_URL: github.com/terraform-docs/terraform-docs
@@ -167,15 +206,22 @@ jobs:
# with the value specified by the user.
#
# Scheduled builds are tagged with `:nightly`.
name: "Prepare build variables"
runs-on: ubuntu-latest
name: Prepare build variables
needs:
- diagnostics
outputs:
created: ${{ steps.prep.outputs.created }}
repometa: ${{ steps.repo.outputs.result }}
source_version: ${{ steps.prep.outputs.source_version }}
tags: ${{ steps.prep.outputs.tags }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- name: Gather repository metadata
id: repo
uses: actions/github-script@v6
@@ -229,16 +275,23 @@ jobs:
build:
# Builds a single test image for the native platform. This image is saved
# as an artifact and loaded by the test job.
name: "Build test image"
name: Build test image
needs:
- diagnostics
- prepare
runs-on: ubuntu-latest
needs: [prepare]
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3
- name: Cache Docker layers
uses: actions/cache@v3
env:
@@ -299,11 +352,18 @@ jobs:
if: env.RUN_TMATE
test:
# Executes tests on the single-platform image created in the "build" job.
name: "Test image"
name: Test image
needs:
- diagnostics
- build
runs-on: ubuntu-latest
needs: [build]
steps:
- uses: actions/checkout@v3
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- id: setup-python
uses: actions/setup-python@v4
with:
@@ -345,32 +405,41 @@ jobs:
# GitHub Container Registry. The contents of README.md are pushed as the
# image's description to Docker Hub. This job is skipped when the
# triggering event is a pull request.
name: "Build and push all platforms"
runs-on: ubuntu-latest
needs: [lint, prepare, test]
if: github.event_name != 'pull_request'
name: Build and push all platforms
needs:
- diagnostics
- lint
- prepare
- test
# When Dependabot creates a PR it requires this permission in
# order to push Docker images to ghcr.io.
permissions:
packages: write
runs-on: ubuntu-latest
steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- name: Login to Docker Hub
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3
- name: Cache Docker layers
uses: actions/cache@v3
env:
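Review bot: The `harden-runner` steps added at the top of every job in the first hunk run with `egress-policy: audit`, which only records outbound connections and blocks nothing, so the new step changes visibility rather than enforcement; the same applies to the steps added in codeql-analysis.yml. If audit is the intended first phase while an endpoint baseline is gathered, that should be stated where the step is defined, e.g. `# Audit-only for now; switch to egress-policy: block with an allowed-endpoints list once the baseline is known.`, since the comment already says this step is to be duplicated verbatim into each new job. Note also that every action, including harden-runner itself, is referenced by a floating major tag (`@v2`, `@v3`, `@v4`) rather than a commit SHA, and because dependabot.yml lists these actions as skeleton-managed, any move to SHA pinning would have to land upstream in the skeleton rather than in this repository.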
29 changes: 27 additions & 2 deletions .github/workflows/codeql-analysis.yml
@@ -4,7 +4,7 @@
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
name: "CodeQL"
name: CodeQL

on:
push:
@@ -20,8 +20,27 @@ on:
- cron: '0 21 * * 6'

jobs:
diagnostics:
name: Run diagnostics
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- id: github-status
name: Check GitHub status
uses: crazy-max/ghaction-github-status@v3
- id: dump-context
name: Dump context
uses: crazy-max/ghaction-dump-context@v2
analyze:
name: Analyze
needs:
- diagnostics
runs-on: ubuntu-latest
permissions:
# required for all workflows
@@ -37,8 +56,14 @@ jobs:
# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection

steps:
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
4 changes: 2 additions & 2 deletions .github/workflows/sync-labels.yml
@@ -19,10 +19,10 @@ jobs:
issues: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Sync repository labels
if: success()
uses: crazy-max/ghaction-github-labeler@v4
uses: crazy-max/ghaction-github-labeler@v5
with:
# This is a hideous ternary equivalent so we only do a dry run unless
# this workflow is triggered by the develop branch.
30 changes: 18 additions & 12 deletions .pre-commit-config.yaml
@@ -31,13 +31,13 @@ repos:

# Text file hooks
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.34.0
rev: v0.36.0
hooks:
- id: markdownlint
args:
- --config=.mdl_config.yaml
- repo: https://github.com/pre-commit/mirrors-prettier
rev: v3.0.0-alpha.9-for-vscode
rev: v3.0.3
hooks:
- id: prettier
- repo: https://github.com/adrienverge/yamllint
@@ -49,14 +49,14 @@ repos:

# GitHub Actions hooks
- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.23.1
rev: 0.26.3
hooks:
- id: check-github-actions
- id: check-github-workflows

# pre-commit hooks
- repo: https://github.com/pre-commit/pre-commit
rev: v3.3.2
rev: v3.4.0
hooks:
- id: validate_manifest

@@ -79,6 +79,12 @@ repos:
# GoSec
- id: go-sec-repo-mod

# Nix hooks
- repo: https://github.com/nix-community/nixpkgs-fmt
rev: v1.3.0
hooks:
- id: nixpkgs-fmt

# Shell script hooks
- repo: https://github.com/cisagov/pre-commit-shfmt
rev: v0.0.2
@@ -116,12 +122,12 @@ repos:
- id: bandit
name: bandit (everything else)
exclude: tests
- repo: https://github.com/psf/black
rev: 23.3.0
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 23.9.1
hooks:
- id: black
- repo: https://github.com/PyCQA/flake8
rev: 6.0.0
rev: 6.1.0
hooks:
- id: flake8
additional_dependencies:
@@ -131,28 +137,28 @@ repos:
hooks:
- id: isort
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.3.0
rev: v1.5.1
hooks:
- id: mypy
additional_dependencies:
- types-docopt
- types-requests
- types-urllib3
- repo: https://github.com/asottile/pyupgrade
rev: v3.4.0
rev: v3.10.1
hooks:
- id: pyupgrade

# Ansible hooks
- repo: https://github.com/ansible-community/ansible-lint
rev: v6.17.0
- repo: https://github.com/ansible/ansible-lint
rev: v6.19.0
hooks:
- id: ansible-lint
# files: molecule/default/playbook.yml

# Terraform hooks
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.80.0
rev: v1.83.2
hooks:
- id: terraform_fmt
- id: terraform_validate
83 changes: 55 additions & 28 deletions bump_version.sh
@@ -1,6 +1,12 @@
#!/usr/bin/env bash

# bump_version.sh (show|major|minor|patch|prerelease|build)
# Usage:
# bump_version.sh (show|major|minor|patch|finalize)
# bump_version.sh (build|prerelease) [token]
# Notes:
# - If you specify a token it will only be used if the current version is
# tokenless or if the provided token matches the token used in the current
# version.

set -o nounset
set -o errexit
@@ -9,46 +15,67 @@ set -o pipefail
VERSION_FILE=src/version.txt
README_FILE=README.md

HELP_INFORMATION="bump_version.sh (show|major|minor|patch|prerelease|build|finalize)"
function usage {
cat << HELP
Usage:
${0##*/} (show|major|minor|patch|finalize)
${0##*/} (build|prerelease) [token]
old_version=$(sed -n "s/^__version__ = \"\(.*\)\"$/\1/p" $VERSION_FILE)
# Comment out periods so they are interpreted as periods and don't
# just match any character
old_version_regex=${old_version//\./\\\.}
Notes:
- If you specify a token it will only be used if the current version is
tokenless or if the provided token matches the token used in the current
version.
HELP
exit 1
}

if [ $# -ne 1 ]; then
echo "$HELP_INFORMATION"
function update_version {
# Comment out periods so they are interpreted as periods and don't
# just match any character
old_version_regex=${1//\./\\\.}

echo Changing version from "$1" to "$2"
tmp_file=/tmp/version.$$
sed "s/$old_version_regex/$2/" $VERSION_FILE > $tmp_file
mv $tmp_file $VERSION_FILE
sed "s/$old_version_regex/$2/" $README_FILE > $tmp_file
mv $tmp_file $README_FILE
git add $VERSION_FILE $README_FILE
git commit --message "$3"
}

if [ $# -lt 1 ] || [ $# -gt 2 ]; then
usage
else
old_version=$(sed -n "s/^__version__ = \"\(.*\)\"$/\1/p" $VERSION_FILE)
case $1 in
major | minor | patch | prerelease | build)
major | minor | patch)
if [ $# -ne 1 ]; then
usage
fi
new_version=$(python -c "import semver; print(semver.bump_$1('$old_version'))")
echo Changing version from "$old_version" to "$new_version"
tmp_file=/tmp/version.$$
sed "s/$old_version_regex/$new_version/" $VERSION_FILE > $tmp_file
mv $tmp_file $VERSION_FILE
sed "s/$old_version_regex/$new_version/" $README_FILE > $tmp_file
mv $tmp_file $README_FILE
git add $VERSION_FILE $README_FILE
git commit -m"Bump version from $old_version to $new_version"
git push
update_version "$old_version" "$new_version" "Bump version from $old_version to $new_version"
;;
build | prerelease)
if [ $# -eq 2 ]; then
new_version=$(python -c "import semver; print(semver.bump_$1('$old_version', token='$2'))")
else
new_version=$(python -c "import semver; print(semver.bump_$1('$old_version'))")
fi
update_version "$old_version" "$new_version" "Bump version from $old_version to $new_version"
;;
finalize)
if [ $# -ne 1 ]; then
usage
fi
new_version=$(python -c "import semver; print(semver.finalize_version('$old_version'))")
echo Changing version from "$old_version" to "$new_version"
tmp_file=/tmp/version.$$
sed "s/$old_version_regex/$new_version/" $VERSION_FILE > $tmp_file
mv $tmp_file $VERSION_FILE
sed "s/$old_version_regex/$new_version/" $README_FILE > $tmp_file
mv $tmp_file $README_FILE
git add $VERSION_FILE $README_FILE
git commit -m"Finalize version from $old_version to $new_version"
git push
update_version "$old_version" "$new_version" "Finalize version from $old_version to $new_version"
;;
show)
echo "$old_version"
;;
*)
echo "$HELP_INFORMATION"
usage
;;
esac
fi
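Review bot: In the new `build | prerelease` arm the user-supplied token `$2` (and `$old_version`, read from the version file) are spliced directly into the Python source handed to `python -c`, so a value containing a quote or other Python syntax breaks the command or changes its meaning instead of being rejected; passing them as arguments avoids that: `new_version=$(python -c "import semver, sys; print(semver.bump_$1(sys.argv[1], token=sys.argv[2]))" "$old_version" "$2")`, with the same argv form for the other three `python -c` calls (`$1` itself is fine because the case arm restricts it to known names). `update_version` also carries over the predictable temp path `tmp_file=/tmp/version.$$` in the shared `/tmp`; `tmp_file=$(mktemp)` is the usual replacement and needs no other change since the file is moved over the target on the following line. Finally, the old arms ended with `git push` while `update_version` stops at `git commit`; if dropping the push is intentional, a one-line comment in the function saying the caller is expected to push would spare readers of the previous version a surprise.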
2 changes: 1 addition & 1 deletion tests/container_test.py
@@ -13,7 +13,7 @@

def test_container_count(dockerc):
"""Verify the test composition and container."""
# stopped parameter allows non-running containers in results
# all parameter allows non-running containers in results
assert (
len(dockerc.compose.ps(all=True)) == 2
), "Wrong number of containers were started."
