From 162e2c2459cbf565584686a04cc59fab81101843 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 20 Nov 2024 14:40:23 -0500 Subject: [PATCH 01/55] Fix spelling error in comment --- setup-env | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup-env b/setup-env index 059ccad..f3304d9 100755 --- a/setup-env +++ b/setup-env @@ -74,7 +74,8 @@ check_python_version() { "invalid version of Python." exit 1 # Else if the Python version isn't installed then notify the user. - # grep -E is used for searching through text lines that match the specific verison. + # grep -E is used for searching through text lines that match the + # specific version. elif ! python_versions | grep -E "^${version}$" > /dev/null; then echo "Error: Python version $version is not installed." echo "Installed Python versions are:" From 5a3ac91d11700566e7df2bb926a13301e5912096 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 15 Nov 2021 11:47:49 -0500 Subject: [PATCH 02/55] Adjust the indentation rule for yamllint Use a specific number of spaces instead of the default of only caring if the number of spaces used is consistent within a file. Ensure that block sequences inside of mappings are indented. --- .yamllint | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.yamllint b/.yamllint index 2a119a6..56e6d6e 100644 --- a/.yamllint +++ b/.yamllint @@ -8,6 +8,12 @@ rules: # this behavior. comments-indentation: disable + indentation: + # Ensure that block sequences inside of a mapping are indented + indent-sequences: true + # Enforce a specific number of spaces + spaces: 2 + # yamllint does not allow inline mappings that exceed the line length by # default. There are many scenarios where the inline mapping may be a key, # hash, or other long value that would exceed the line length but cannot From ac080edea412b521cc37c732e6817a0d6ed26694 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 15 Nov 2021 11:55:41 -0500 Subject: [PATCH 03/55] Update yamllint to disallow non-empty flow collection styles The use of flow sequences and mappings is not as readable as block collections and so should be discouraged. Since it is a cleaner representation for empty collections we will allow those, but if an application otherwise requires flow collections they can be explicitly enabled by disabling the checks per https://yamllint.readthedocs.io/en/stable/disable_with_comments.html --- .yamllint | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.yamllint b/.yamllint index 56e6d6e..59fd2e9 100644 --- a/.yamllint +++ b/.yamllint @@ -2,6 +2,14 @@ extends: default rules: + braces: + # Do not allow non-empty flow mappings + forbid: non-empty + + brackets: + # Do not allow non-empty flow sequences + forbid: non-empty + # yamllint does not like it when you comment out different parts of # dictionaries in a list. You can see # https://github.com/adrienverge/yamllint/issues/384 for some examples of From 66cdbf548778a40b321d8142ab481e8c43202995 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 4 Dec 2024 06:12:04 -0500 Subject: [PATCH 04/55] Add yamllint configuration settings to appease ansible-lint When running ansible-lint it will throw the following warning with our current configuration: WARNING Found incompatible custom yamllint configuration (.yamllint), please either remove the file or edit it to comply with: - comments.min-spaces-from-content must be 1 - braces.max-spaces-inside must be 1 - octal-values.forbid-implicit-octal must be true - octal-values.forbid-explicit-octal must be true. Thus we implement these configuration rules. --- .yamllint | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.yamllint b/.yamllint index 59fd2e9..0a2af51 100644 --- a/.yamllint +++ b/.yamllint 
@@ -5,11 +5,18 @@ rules: braces: # Do not allow non-empty flow mappings forbid: non-empty + # Allow up to one space inside braces. This is required for Ansible compatibility. + max-spaces-inside: 1 brackets: # Do not allow non-empty flow sequences forbid: non-empty + comments: + # Ensure that inline comments have at least one space before the preceding content. + # This is required for Ansible compatibility. + min-spaces-from-content: 1 + # yamllint does not like it when you comment out different parts of # dictionaries in a list. You can see # https://github.com/adrienverge/yamllint/issues/384 for some examples of @@ -32,6 +39,17 @@ rules: # Allows a 10% overage from the default limit of 80 max: 88 + # Using anything other than strings to express octal values can lead to unexpected + # and potentially unsafe behavior. Ansible strongly recommends against such practices + # and these rules are needed for Ansible compatibility. Please see the following for + # more information: + # https://ansible.readthedocs.io/projects/lint/rules/risky-octal/ + octal-values: + # Do not allow explicit octal values (those beginning with a leading 0o). + forbid-explicit-octal: true + # Do not allow implicit octal values (those beginning with a leading 0). + forbid-implicit-octal: true + # yamllint doesn't like when we use yes and no for true and false, # but that's pretty standard in Ansible. truthy: disable From dd102fe0adb490098968509c79530bd13af52a86 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 4 Dec 2024 06:28:15 -0500 Subject: [PATCH 05/55] Re-enable the yamllint truthy rule Previously we disabled the `truthy` rule due to Ansible's use of `yes`/`no` for boolean values. That is no longer the case and the default configuration used by ansible-lint now has this rule enabled. The use of `on` as a key in GitHub Actions workflow syntax means we needed to add disable-line comments for the truthy rule. --- .github/workflows/build.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- .yamllint | 4 ---- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 15a004c..082f150 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,7 +1,7 @@ --- name: build -on: +on: # yamllint disable-line rule:truthy merge_group: types: - checks_requested diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0005147..b8ecfa6 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -1,7 +1,7 @@ --- name: sync-labels -on: +on: # yamllint disable-line rule:truthy push: paths: - .github/labels.yml diff --git a/.yamllint b/.yamllint index 0a2af51..de2e183 100644 --- a/.yamllint +++ b/.yamllint @@ -49,7 +49,3 @@ rules: forbid-explicit-octal: true # Do not allow implicit octal values (those beginning with a leading 0). forbid-implicit-octal: true - - # yamllint doesn't like when we use yes and no for true and false, - # but that's pretty standard in Ansible. - truthy: disable From dc891af40f7c0e8d69a8e57c6bc32f8c16c340e5 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 4 Dec 2024 16:12:32 -0500 Subject: [PATCH 06/55] Configure quoted strings rule for yamllint Add a configuration for the `quoted-strings` rule that matches our best practices. Other files are updated to comply with these new settings. --- .github/labels.yml | 40 ++++++++++++++++++------------------- .github/workflows/build.yml | 8 ++++---- .mdl_config.yaml | 14 ++++++------- .yamllint | 11 ++++++++++ 4 files changed, 42 insertions(+), 31 deletions(-) diff --git a/.github/labels.yml b/.github/labels.yml index 5b16492..fe9a53e 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
@@ -2,69 +2,69 @@ # Rather than breaking up descriptions into multiline strings we disable that # specific rule in yamllint for this file. # yamllint disable rule:line-length -- color: "eb6420" +- color: eb6420 description: This issue or pull request is awaiting the outcome of another issue or pull request name: blocked - color: "000000" description: This issue or pull request involves changes to existing functionality name: breaking change -- color: "d73a4a" +- color: d73a4a description: This issue or pull request addresses broken functionality name: bug -- color: "07648d" +- color: 07648d description: This issue will be advertised on code.gov's Open Tasks page (https://code.gov/open-tasks) name: code.gov -- color: "0366d6" +- color: 0366d6 description: Pull requests that update a dependency file name: dependencies -- color: "5319e7" +- color: 5319e7 description: This issue or pull request improves or adds to documentation name: documentation -- color: "cfd3d7" +- color: cfd3d7 description: This issue or pull request already exists or is covered in another issue or pull request name: duplicate -- color: "b005bc" +- color: b005bc description: A high-level objective issue encompassing multiple issues instead of a specific unit of work name: epic - color: "000000" description: Pull requests that update GitHub Actions code name: github-actions -- color: "0e8a16" +- color: 0e8a16 description: This issue or pull request is well-defined and good for newcomers name: good first issue -- color: "ff7518" +- color: ff7518 description: Pull request that should count toward Hacktoberfest participation name: hacktoberfest-accepted -- color: "a2eeef" +- color: a2eeef description: This issue or pull request will add or improve functionality, maintainability, or ease of use name: improvement -- color: "fef2c0" +- color: fef2c0 description: This issue or pull request is not applicable, incorrect, or obsolete name: invalid -- color: "ce099a" +- color: ce099a description: This pull 
request is ready to merge during the next Lineage Kraken release name: kraken 🐙 -- color: "a4fc5d" +- color: a4fc5d description: This issue or pull request requires further information name: need info -- color: "fcdb45" +- color: fcdb45 description: This pull request is awaiting an action or decision to move forward name: on hold -- color: "ef476c" +- color: ef476c description: This issue is a request for information or needs discussion name: question -- color: "d73a4a" +- color: d73a4a description: This issue or pull request addresses a security issue name: security -- color: "00008b" +- color: 00008b description: This issue or pull request adds or otherwise modifies test code name: test -- color: "1d76db" +- color: 1d76db description: This issue or pull request pulls in upstream updates name: upstream update -- color: "d4c5f9" +- color: d4c5f9 description: This issue or pull request increments the version number name: version bump -- color: "ffffff" +- color: ffffff description: This issue will not be incorporated name: wontfix diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 082f150..98a9ebc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
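Review bot: Dropping the quotes from the `color` values is safe for every label listed, but the policy behind it depends on yamllint's resolver, which follows the YAML 1.1 implicit types PyYAML uses, while the consumer of this file may parse it with a YAML 1.2 library (not visible here); the two disagree on a six-hex-digit colour made of digits and a single `e` (constructed example: `1e1000`), which 1.1 keeps as a string and a 1.2 core-schema parser reads as a float. Quotes survive where yamllint requires them (`"000000"`), so nothing breaks today, but a future label with such a colour would pass yamllint unquoted and be silently retyped. A comment at the top of the list such as `# Colours made only of digits and one 'e' must stay quoted (disable rule:quoted-strings on that line): yamllint resolves as YAML 1.1, a YAML 1.2 consumer would read them as floats` records the caveat; the same 1.1-versus-1.2 gap applies to the `quoted-strings: required: only-when-needed` setting this patch adds to .yamllint.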
@@ -92,16 +92,16 @@ jobs: echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT - uses: actions/cache@v4 env: - BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ + BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ py${{ steps.setup-python.outputs.python-version }}-\ go${{ steps.setup-go.outputs.go-version }}-\ packer${{ steps.setup-env.outputs.packer-version }}-\ - tf${{ steps.setup-env.outputs.terraform-version }}-" + tf${{ steps.setup-env.outputs.terraform-version }}- with: - key: "${{ env.BASE_CACHE_KEY }}\ + key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('**/.pre-commit-config.yaml') }}" + ${{ hashFiles('**/.pre-commit-config.yaml') }} # Note that the .terraform directory IS NOT included in the # cache because if we were caching, then we would need to use # the `-upgrade=true` option. This option blindly pulls down the diff --git a/.mdl_config.yaml b/.mdl_config.yaml index 4a650c1..1b48994 100644 --- a/.mdl_config.yaml +++ b/.mdl_config.yaml @@ -6,12 +6,12 @@ default: true # MD003/heading-style/header-style - Heading style MD003: # Enforce the ATX-closed style of header - style: "atx_closed" + style: atx_closed # MD004/ul-style - Unordered list style MD004: # Enforce dashes for unordered lists - style: "dash" + style: dash # MD013/line-length - Line length MD013: @@ -30,7 +30,7 @@ MD024: # MD029/ol-prefix - Ordered list item prefix MD029: # Enforce the `1.` style for ordered lists - style: "one" + style: one # MD033/no-inline-html - Inline HTML MD033: 
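Review bot: Removing the double quotes from `BASE_CACHE_KEY` and `key` changes their values, because in a plain (unquoted) scalar the trailing `\` is an ordinary character and each line break is folded into a space, whereas inside a double-quoted scalar a `\` at end of line joins the lines with nothing between them. After this hunk the expanded key reads roughly `build-Linux-\ py3.x-\ go1.x-...` (constructed example) instead of `build-Linux-py3.x-go1.x-...`; it still functions as an opaque cache key, but it is not what the layout intends and every existing cache entry is orphaned. As far as I can tell yamllint's `only-when-needed` check looks at the already-folded value and so cannot see that the quotes are doing work here; restore the quotes and place `# yamllint disable-line rule:quoted-strings` on the line above each of the two scalars, or collapse each into one line under a `line-length` disable.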
@@ -42,19 +42,19 @@ MD033: # MD035/hr-style - Horizontal rule style MD035: # Enforce dashes for horizontal rules - style: "---" + style: --- # MD046/code-block-style - Code block style MD046: # Enforce the fenced style for code blocks - style: "fenced" + style: fenced # MD049/emphasis-style - Emphasis style should be consistent MD049: # Enforce asterisks as the style to use for emphasis - style: "asterisk" + style: asterisk # MD050/strong-style - Strong style should be consistent MD050: # Enforce asterisks as the style to use for strong - style: "asterisk" + style: asterisk diff --git a/.yamllint b/.yamllint index de2e183..00e85a6 100644 --- a/.yamllint +++ b/.yamllint @@ -49,3 +49,14 @@ rules: forbid-explicit-octal: true # Do not allow implicit octal values (those beginning with a leading 0). forbid-implicit-octal: true + + quoted-strings: + # Allow disallowed quotes (single quotes) for strings that contain allowed quotes + # (double quotes). + allow-quoted-quotes: true + # Apply these rules to keys in mappings as well + check-keys: true + # We prefer double quotes for strings when they are needed + quote-type: double + # Only require quotes when they are necessary for proper processing + required: only-when-needed From 03933fe233e5a6e41f8adf452e7e7b3e548236e4 Mon Sep 17 00:00:00 2001 
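Review bot: `style: ---` for MD035 is valid YAML — `---` acts as the document-start marker only at column 0, and here it scans as the plain scalar `---` — but it is the one value in this file where the bare form invites misreading by humans and by syntax highlighters. Keeping `style: "---"` together with `# yamllint disable-line rule:quoted-strings` on the line above makes the deliberate quoting explicit. The other `style:` changes in this file are unaffected.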
From: Jeremy Frasier Date: Mon, 10 Mar 2025 13:14:59 -0400 Subject: [PATCH 07/55] Add version file and bump_version script Also add semver as a dev requirement. I'd like to start versioning descendants of skeleton-ansible-role (in anticipation of pinning Ansible role versions at a future date), and I thought it would make sense to go ahead and implement this at the skeleton-generic level to force us to start versioning all repositories. Repositories that already version can ignore these changes when they flow down via Lineage, since they will already have their own version files and version-bumping script. --- bump-version | 172 +++++++++++++++++++++++++++++++++++++++++++ requirements-dev.txt | 2 + version.txt | 1 + 3 files changed, 175 insertions(+) create mode 100755 bump-version create mode 100644 version.txt diff --git a/bump-version b/bump-version new file mode 100755 index 0000000..15b4af1 --- /dev/null +++ b/bump-version 
@@ -0,0 +1,172 @@ +#!/usr/bin/env bash + +# bump-version [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show) +# bump-version --list-files + +set -o nounset +set -o errexit +set -o pipefail + +# Stores the canonical version for the project. +VERSION_FILE=version.txt +# Files that should be updated with the new version. +VERSION_FILES=("$VERSION_FILE") + +USAGE=$( + cat << END_OF_LINE +Update the version of the project. + +Usage: + ${0##*/} [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show) + ${0##*/} --list-files + ${0##*/} (-h | --help) + +Options: + -h | --help Show this message. + --push Perform a \`git push\` after updating the version. + --label LABEL Specify the label to use when updating the build or prerelease version. + --list-files List the files that will be updated when the version is bumped. +END_OF_LINE +) + +old_version=$(< "$VERSION_FILE") +# Comment out periods so they are interpreted as periods and don't +# just match any character +old_version_regex=${old_version//\./\\\.} +new_version="$old_version" + +bump_part="" +label="" +commit_prefix="Bump" +with_push=false +commands_with_label=("build" "prerelease") +commands_with_prerelease=("major" "minor" "patch") +with_prerelease=false + +####################################### +# Display an error message, the help information, and exit with a non-zero status. +# Arguments: +# Error message. +####################################### +function invalid_option() { + echo "$1" + echo "$USAGE" + exit 1 +} + +####################################### +# Bump the version using the provided command. +# Arguments: +# The version to bump. +# The command to bump the version. +# Returns: +# The new version. 
+####################################### +function bump_version() { + local temp_version + temp_version=$(python -c "import semver; print(semver.parse_version_info('$1').${2})") + echo "$temp_version" +} + +if [ $# -eq 0 ]; then + echo "$USAGE" + exit 1 +else + while [ $# -gt 0 ]; do + case $1 in + --push) + if [ "$with_push" = true ]; then + invalid_option "Push has already been set." + fi + + with_push=true + shift + ;; + --label) + if [ -n "$label" ]; then + invalid_option "Label has already been set." + fi + + label="$2" + shift 2 + ;; + build | finalize | major | minor | patch) + if [ -n "$bump_part" ]; then + invalid_option "Only one version part should be bumped at a time." + fi + + bump_part="$1" + shift + ;; + prerelease) + with_prerelease=true + shift + ;; + show) + echo "$old_version" + exit 0 + ;; + -h | --help) + echo "$USAGE" + exit 0 + ;; + --list-files) + printf '%s\n' "${VERSION_FILES[@]}" + exit 0 + ;; + *) + invalid_option "Invalid option: $1" + ;; + esac + done +fi + +if [ -n "$label" ] && [ "$with_prerelease" = false ] && [[ ! " ${commands_with_label[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then + invalid_option "Setting the label is only allowed for the following commands: ${commands_with_label[*]}" +fi + +if [ "$with_prerelease" = true ] && [ -n "$bump_part" ] && [[ ! 
" ${commands_with_prerelease[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then + invalid_option "Changing the prerelease is only allowed in conjunction with the following commands: ${commands_with_prerelease[*]}" +fi + +label_option="" +if [ -n "$label" ]; then + label_option="token='$label'" +fi + +if [ -n "$bump_part" ]; then + if [ "$bump_part" = "finalize" ]; then + commit_prefix="Finalize" + bump_command="finalize_version()" + elif [ "$bump_part" = "build" ]; then + bump_command="bump_${bump_part}($label_option)" + else + bump_command="bump_${bump_part}()" + fi + new_version=$(bump_version "$old_version" "$bump_command") + echo Changing version from "$old_version" to "$new_version" +fi + +if [ "$with_prerelease" = true ]; then + bump_command="bump_prerelease($label_option)" + temp_version=$(bump_version "$new_version" "$bump_command") + echo Changing version from "$new_version" to "$temp_version" + new_version="$temp_version" +fi + +tmp_file=/tmp/version.$$ +for version_file in "${VERSION_FILES[@]}"; do + if [ ! -f "$version_file" ]; then + echo Missing expected file: "$version_file" + exit 1 + fi + sed "s/$old_version_regex/$new_version/" "$version_file" > $tmp_file + mv $tmp_file "$version_file" +done + +git add "${VERSION_FILES[@]}" +git commit --message "$commit_prefix version from $old_version to $new_version" + +if [ "$with_push" = true ]; then + git push +fi diff --git a/requirements-dev.txt b/requirements-dev.txt index d84ee68..23d5741 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,2 +1,4 @@ --requirement requirements-test.txt ipython +# The bump-version script requires at least version 3 of semver. +semver>=3 diff --git a/version.txt b/version.txt new file mode 100644 index 0000000..8acdd82 --- /dev/null +++ b/version.txt @@ -0,0 +1 @@ +0.0.1 From 3401551afa5a894f9a0f82c86d3fd9e1b8cadf0f Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Mon, 10 Mar 2025 13:24:29 -0400 Subject: [PATCH 08/55] Bump version from 0.0.1 to 0.0.1-rc.1 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 8acdd82..871d40b 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.0.1 +0.0.1-rc.1 From 5b5a52684119ae107f2b1fedf9e4fb0b7757047a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 21 Feb 2025 17:34:09 -0500 Subject: [PATCH 09/55] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 144df31..c165bde 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -39,17 +39,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.42.0 + rev: v0.44.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/rbubley/mirrors-prettier - rev: v3.3.3 + rev: v3.5.3 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.35.1 + rev: v1.37.0 hooks: - id: yamllint args: @@ -57,14 +57,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.4 + rev: 0.32.1 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.0.1 + rev: v4.2.0 hooks: - id: validate_manifest @@ -99,7 +99,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.10.0-1 + rev: v3.11.0-1 hooks: - id: shfmt args: 
@@ -123,31 +123,31 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.7.10 + rev: 1.8.3 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.10.0 + rev: 25.1.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.1.1 + rev: 7.1.2 hooks: - id: flake8 additional_dependencies: - flake8-docstrings==1.7.0 - repo: https://github.com/PyCQA/isort - rev: 5.13.2 + rev: 6.0.1 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.13.0 + rev: v1.15.0 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit - rev: v2.7.3 + rev: v2.8.0 hooks: - id: pip-audit args: @@ -159,13 +159,13 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.19.0 + rev: v3.19.1 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.10.0 + rev: v25.1.3 hooks: - id: ansible-lint additional_dependencies: @@ -209,7 +209,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.96.1 + rev: v1.98.0 hooks: - id: terraform_fmt - id: terraform_validate From da028eae03932a532ee61901b3dc8eea12f3728e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 15:16:38 -0500 Subject: [PATCH 10/55] Apply our standard job preamble via cisagov/action-job-preamble This new action simply applies our standard permissions monitoring and runner hardening. Using it allows us to DRY out the GH Actions workflows in our skeleton repositories a bit. --- .github/workflows/build.yml | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 98a9ebc..ac74007 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -36,17 +36,7 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + - uses: cisagov/action-job-preamble@first-commits - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 @@ -61,15 +51,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + - uses: cisagov/action-job-preamble@first-commits - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 0e93632ab21c50598e2cbf88ab5327705c1d8d7c Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 15:43:45 -0500 Subject: [PATCH 11/55] Set actions_permissions_config input --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ac74007..4d5f1cb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,6 +37,8 @@ jobs: # Note that a duplicate of this step must be added at the top of # each job. - uses: cisagov/action-job-preamble@first-commits + with: + actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 
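Review bot: The replacement step drops the explicit `egress-policy: audit` that step-security/harden-runner was given, and nothing in the hunk shows which egress policy cisagov/action-job-preamble applies or whether it can be overridden, so the workflow's network behaviour is now decided outside this file. A comment on the step such as `# The preamble applies the standard cisagov runner hardening (egress policy: <confirm against the action's defaults>)` keeps that decision visible to the next reader. `@first-commits` is a branch rather than a release ref, so the step's contents can change underneath the workflow; patch 17 moves it to `@v1`, and a full commit SHA with a `# v1.x.y` comment is the stricter pin if the repository's policy for other actions allows it. The same replacement is made for the second job in this file and in sync-labels.yml (patch 16).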
@@ -52,6 +54,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: cisagov/action-job-preamble@first-commits + with: + actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 8b2ac55da906e27c05fea416d06129c7f8b98324 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 15:58:45 -0500 Subject: [PATCH 12/55] Add a friendly name to the cisagov/action-job-preamble steps --- .github/workflows/build.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4d5f1cb..b37436d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -36,7 +36,8 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: cisagov/action-job-preamble@first-commits + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status @@ -53,7 +54,8 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: cisagov/action-job-preamble@first-commits + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env From 864b5af7d95f396956972948484eec0cdbd6647b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 22:26:44 -0500 Subject: [PATCH 13/55] Add a Dependabot ignore directive for cisagov/action-job-preamble Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 81cd6bd..3521754 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -13,6 +13,7 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: cisagov/action-job-preamble # - dependency-name: cisagov/setup-env-github-action # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler From 8cdce2a0185d082b3896eedae10d7cfb363df2e7 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 22 Feb 2025 21:39:04 -0500 Subject: [PATCH 14/55] Update input name for cisagov/action-job-preamble --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b37436d..21ee0f1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,7 +39,7 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@first-commits with: - actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 @@ -57,7 +57,7 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@first-commits with: - actions_permissions_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 17b93ec6464a2e44a950889fb9e5e5456819a77f Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Sat, 22 Feb 2025 21:45:41 -0500 Subject: [PATCH 15/55] Remove two Dependabot ignore directives GitHubSecurityLab/actions-permissions and step-security/harden-runner are no longer direct dependencies since we are now using cisagov/action-job-preamble. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3521754..3df3371 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -18,11 +18,9 @@ updates: # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status - # - dependency-name: GitHubSecurityLab/actions-permissions # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate - # - dependency-name: step-security/harden-runner package-ecosystem: github-actions schedule: interval: weekly From 6a9e3314d8aebe6a1be685d32b0af092d6dc8324 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 22 Feb 2025 21:50:22 -0500 Subject: [PATCH 16/55] Use cisagov/action-job-preamble in sync-labels.yml workflow Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/sync-labels.yml | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index b8ecfa6..0683eed 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -20,17 +20,10 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 @@ -47,15 +40,10 @@ jobs: issues: write runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@first-commits with: - egress-policy: audit + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels if: success() From b5b3b9d0dd04767342997795bc4a288b222762c8 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sun, 23 Feb 2025 08:35:09 -0500 Subject: [PATCH 17/55] Use v1 tag of cisagov/action-job-preamble --- .github/workflows/build.yml | 4 ++-- .github/workflows/sync-labels.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 21ee0f1..e0546d2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -37,7 +37,7 @@ jobs: # Note that a duplicate of this step must be added at the top of # each job. - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status @@ -55,7 +55,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0683eed..9442a1c 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -21,7 +21,7 @@ jobs: # Note that a duplicate of this step must be added at the top of # each job. - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Apply standard cisagov job preamble - uses: cisagov/action-job-preamble@first-commits + uses: cisagov/action-job-preamble@v1 with: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 From 3ec1b1f19ef6bbc7f698a36b40ec0bba7d7eb5bc Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 24 Feb 2025 13:28:48 -0500 Subject: [PATCH 18/55] Re-add comment explaining where the org var comes from Flesh out the comment a little so its meaning is clearer. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++++ .github/workflows/sync-labels.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e0546d2..fcd740b 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,6 +39,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status @@ -57,6 +59,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 9442a1c..0a27b59 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -23,6 +23,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status @@ -43,6 +45,8 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # Use the cisagov organization variable containing the + # organization-wide permissions monitoring configuration. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels From 764df0c1797700b585577850b96ca41f6ceb80d6 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Tue, 25 Feb 2025 14:43:59 -0500 Subject: [PATCH 19/55] Flesh out org var comment even more Make sure to mention that the permissions monitoring config can be changed by creating a repo-level variable; there is no need to modify the workflow. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 30 ++++++++++++++++++++++++++---- .github/workflows/sync-labels.yml | 30 ++++++++++++++++++++++++++---- 2 files changed, 52 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fcd740b..d9ca254 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,8 +39,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status 
@@ -59,8 +70,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 0a27b59..351d33b 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -23,8 +23,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status @@ -45,8 +56,19 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: - # Use the cisagov organization variable containing the - # organization-wide permissions monitoring configuration. + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - uses: actions/checkout@v4 - name: Sync repository labels From c271b40846324b48f6c511209925f00a5a48264d Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Wed, 26 Mar 2025 11:34:33 -0400 Subject: [PATCH 20/55] Subsume GH status checks and context dumping into cisagov/action-job-preamble This action supports this functionality now, so we may as well take advantage of it. Also disable GH permissions monitoring, since that functionality is poorly implemented and has been causing a lot of problems due to the MITM implementation hogging or leaking memory. --- .github/dependabot.yml | 2 -- .github/workflows/build.yml | 16 ++++++++++------ .github/workflows/sync-labels.yml | 16 ++++++++++------ 3 files changed, 20 insertions(+), 14 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 3df3371..7aa2f06 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -15,9 +15,7 @@ updates: # - dependency-name: actions/setup-python # - dependency-name: cisagov/action-job-preamble # - dependency-name: cisagov/setup-env-github-action - # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler - # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d9ca254..9ffe432 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,6 +39,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
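Review bot: `monitor_permissions: "false"` turns the monitor off, yet the long comment directly below still walks the reader through overriding `permissions_monitoring_config`, which presumably has no effect while monitoring is disabled, and nothing ties the two inputs together. A lead-in line at the top of that comment, e.g. `# Only consulted when monitor_permissions is enabled (see above).`, would stop a maintainer from editing the repository variable and expecting a change. Disabling the monitor also removes the only detective control on token-permission use in these jobs; the commit message gives the reason, but the in-file comment should say it is a temporary workaround rather than leaving "for now" to carry that meaning. The same pairing appears in this commit's lint-job hunk and both sync-labels.yml hunks, and again in the codeql-analysis.yml and dependency-review.yml hunks of PATCH 25 and PATCH 29.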
@@ -53,12 +59,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 lint: needs: - diagnostics @@ -70,6 +70,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 351d33b..56859f2 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -23,6 +23,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level @@ -37,12 +43,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 labeler: needs: - diagnostics 
@@ -56,6 +56,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From c4b192b6b0465f460127884aeedc19727e0bf311 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 1 Mar 2025 23:06:00 -0500 Subject: [PATCH 21/55] Add a CodeQL workflow to this repository CodeQL now supports GitHub Actions as a language, so it makes sense to add such a workflow to this repository. See this link for more details: https://github.blog/changelog/2024-12-17-find-and-fix-actions-workflows-vulnerabilities-with-codeql-public-preview/ --- .github/workflows/codeql-analysis.yml | 112 ++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..0136466 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml 
@@ -0,0 +1,112 @@
+---
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: CodeQL
+
+on:
+ merge_group:
+ types:
+ - checks_requested
+ push:
+ # Dependabot triggered push events have read-only access, but uploading code
+ # scanning requires write access.
+ branches-ignore:
+ - dependabot/**
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches:
+ - develop
+ schedule:
+ - cron: '0 2 * * 6'
+
+jobs:
+ diagnostics:
+ name: Run diagnostics
+ # This job does not need any permissions
+ permissions: {}
+ runs-on: ubuntu-latest
+ steps:
+ # Note that a duplicate of this step must be added at the top of
+ # each job.
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ with:
+ # Uses the organization variable unless overridden
+ config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+ # Note that a duplicate of this step must be added at the top of
+ # each job.
+ - id: harden-runner
+ name: Harden the runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+ - id: github-status
+ name: Check GitHub status
+ uses: crazy-max/ghaction-github-status@v4
+ - id: dump-context
+ name: Dump context
+ uses: crazy-max/ghaction-dump-context@v2
+ analyze:
+ name: Analyze
+ needs:
+ - diagnostics
+ runs-on: ubuntu-latest
+ permissions:
+ # actions/checkout needs this to fetch code
+ contents: read
+ # required for all workflows
+ security-events: write
+ strategy:
+ fail-fast: false
+ matrix:
+ # Override automatic language detection by changing the below
+ # list
+ #
+ # Supported options are actions, c-cpp, csharp, go,
+ # java-kotlin, javascript-typescript, python, ruby, and swift.
+ language:
+ - actions
+ # Learn more...
+ # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+ steps:
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ with:
+ # Uses the organization variable unless overridden
+ config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+ - id: harden-runner
+ name: Harden the runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or
+ # Java). If this step fails, then you should remove it and run the build
+ # manually (see below).
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # âœī¸ If the Autobuild fails above, remove it and uncomment the following
+ # three lines and modify them (or add more) to build your code if your
+ # project uses a compiled language
+
+ # - run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
From 0032cc2df6db1a1a472679933df3e95f8612a540 Mon Sep 17 00:00:00 2001
From: Shane Frasier
Date: Mon, 3 Mar 2025 15:19:29 -0500
Subject: [PATCH 22/55] Update comment to match what is in cisagov/skeleton-docker Also correctly sort YAML keys.
Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
.github/workflows/codeql-analysis.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 0136466..595f058 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
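Review bot: Every `uses:` in this new workflow references a mutable tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `step-security/harden-runner@v2`, and the rest), so a retagged upstream release silently changes what runs in a job holding `security-events: write`; the supply-chain convention is a full commit SHA with the tag kept in a trailing comment, e.g. `uses: github/codeql-action/init@<full-commit-sha> # v3`, which Dependabot keeps current. The same applies to the `uses:` lines in the new dependency-review.yml and to the `@v1` preamble references throughout this series. If the skeleton is ever applied to a private repository, the CodeQL documentation lists `actions: read` as an extra permission the `analyze` job needs, which is worth a comment next to `security-events: write` so the omission reads as deliberate. Separately, the `analyze` job's template comments carry mis-encoded characters (`â„šī¸`, `âœī¸`) and a `git.io` short link, a shortener GitHub has announced as deprecated; plain ASCII and the full documentation URL would keep them readable and resolvable.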
@@ -10,15 +10,15 @@ on: merge_group: types: - checks_requested + pull_request: + # The branches here must be a subset of the ones in the push key + branches: + - develop push: - # Dependabot triggered push events have read-only access, but uploading code + # Dependabot-triggered push events have read-only access, but uploading code # scanning requires write access. branches-ignore: - dependabot/** - pull_request: - # The branches below must be a subset of the branches above - branches: - - develop schedule: - cron: '0 2 * * 6' From 0534337d4724f53447f0c47c345ef4cb14c64d0d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 11:19:04 -0500 Subject: [PATCH 23/55] Use cisagov/action-job-preamble This aligns with the changes in cisagov/skeleton-generic#201. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 50 +++++++++++++++++---------- 1 file changed, 32 insertions(+), 18 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 595f058..152bac6 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
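Review bot: The reworded comment says the `pull_request` branches must be a subset of the ones in the `push` key, but `push` now lists `branches-ignore`, not `branches`, so there is no branch list for `develop` to be a subset of; the real constraint is that it must not match the `dependabot/**` exclusion. A comment that states that rule, e.g. `# These branches must not be excluded by the branches-ignore list under the push key below`, would be accurate for the configuration as written.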
@@ -31,17 +31,23 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 
@@ -72,15 +78,23 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Checkout repository uses: actions/checkout@v4 From adea10cc6ecd71e2a71720e839510548b8c2a87b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 11:20:35 -0500 Subject: [PATCH 24/55] Add the CodeQL action to the Dependabot configuration Children of this skeleton repository will require this Dependabot ignore directive. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7aa2f06..899db5b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -16,6 +16,7 @@ updates: # - dependency-name: cisagov/action-job-preamble # - dependency-name: cisagov/setup-env-github-action # - dependency-name: crazy-max/ghaction-github-labeler + # - dependency-name: github/codeql-action # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate From 5dfe5dfd7d544deb9bc6934c70ba5269b1baf750 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Mar 2025 14:47:02 -0400 Subject: [PATCH 25/55] Use cisagov/action-job-preamble instead of separate actions Use cisagov/action-job-preamble instead of crazy-max/ghaction-github-status and crazy-max/ghaction-dump-context directly. --- .github/workflows/codeql-analysis.yml | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 152bac6..9329fdc 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -6,6 +6,8 @@ # or to provide custom queries or build logic. name: CodeQL +# The use of on here as a key is part of the GitHub actions syntax. +# yamllint disable-line rule:truthy on: merge_group: types: @@ -20,7 +22,7 @@ on: branches-ignore: - dependabot/** schedule: - - cron: '0 2 * * 6' + - cron: 0 2 * * 6 jobs: diagnostics: @@ -34,6 +36,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
@@ -48,12 +56,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 analyze: name: Analyze needs: @@ -81,6 +83,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From d740ee83c2eac243c3a53447316935766042b7cf Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 1 Mar 2025 23:52:48 -0500 Subject: [PATCH 26/55] Add a workflow to run actions/dependency-review-action This action reviews dependency changes for vulnerabilities and license changes. --- .github/workflows/dependency-review.yml | 67 +++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..90549f6 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
@@ -0,0 +1,67 @@
+---
+name: Dependency review
+
+on:
+ merge_group:
+ types:
+ - checks_requested
+ pull_request:
+
+# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
+# nounset, errexit, and pipefail. The `-x` will print all commands as they are
+# run. Please see the GitHub Actions documentation for more information:
+# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
+defaults:
+ run:
+ shell: bash -Eueo pipefail -x {0}
+
+jobs:
+ diagnostics:
+ name: Run diagnostics
+ # This job does not need any permissions
+ permissions: {}
+ runs-on: ubuntu-latest
+ steps:
+ # Note that a duplicate of this step must be added at the top of
+ # each job.
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ with:
+ # Uses the organization variable unless overridden
+ config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+ # Note that a duplicate of this step must be added at the top of
+ # each job.
+ - id: harden-runner
+ name: Harden the runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+ - id: github-status
+ name: Check GitHub status
+ uses: crazy-max/ghaction-github-status@v4
+ - id: dump-context
+ name: Dump context
+ uses: crazy-max/ghaction-dump-context@v2
+ dependency-review:
+ name: Dependency review
+ needs:
+ - diagnostics
+ permissions:
+ # actions/checkout needs this to fetch code
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ with:
+ # Uses the organization variable unless overridden
+ config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+ - id: harden-runner
+ name: Harden the runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+ - id: checkout-repo
+ name: Checkout the repository
+ uses: actions/checkout@v4
+ - id: dependency-review
+ name: Review dependency changes for vulnerabilities and license changes
+ uses: actions/dependency-review-action@v4
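Review bot: `shell: bash -Eueo pipefail -x {0}` makes every future `run:` step echo its fully expanded command line into the job log, and GitHub masks only values it already knows as secrets, so anything derived or fetched at run time would be printed in the clear. There are no `run:` steps in this file, so the default is inert today, but this is a skeleton and child repositories inherit it; the existing comment explains what `-x` does and should also say that it is a log-exposure trade-off, e.g. `# Note that -x echoes expanded arguments, so never let a run step handle unmasked secret-derived values.`. The `actions/dependency-review-action@v4` step has no `with:` block and so runs entirely on the action's defaults; a comment stating the intended policy, or an explicit `fail-on-severity:` input with the threshold this skeleton expects, would document what pull requests are meant to be blocked on.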
From a446dde01d1aaef7db62f6a7c49a8bc9f54a1460 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 10:52:34 -0500 Subject: [PATCH 27/55] Use cisagov/action-job-preamble This aligns with the changes in cisagov/skeleton-generic#201. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/dependency-review.yml | 50 ++++++++++++++++--------- 1 file changed, 32 insertions(+), 18 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 90549f6..848feb5 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -24,17 +24,23 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - # Note that a duplicate of this step must be added at the top of - # each job. - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: github-status name: Check GitHub status uses: crazy-max/ghaction-github-status@v4 
@@ -50,15 +56,23 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: checkout-repo name: Checkout the repository uses: actions/checkout@v4 From 494e11663dd2fad7b19f2861de772d55ee8410bc Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 4 Mar 2025 11:00:43 -0500 Subject: [PATCH 28/55] Add the dependency review action to the Dependabot configuration Children of this skeleton repository will require this Dependabot ignore directive. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 7aa2f06..6554d39 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,6 +11,7 @@ updates: # # Managed by cisagov/skeleton-generic # - dependency-name: actions/cache # - dependency-name: actions/checkout + # - dependency-name: actions/dependency-review-action # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python # - dependency-name: cisagov/action-job-preamble 
From 3679b7d004c0c16f09530e7ca38101d566b6ab2a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Mar 2025 15:06:36 -0400 Subject: [PATCH 29/55] Use cisagov/action-job-preamble instead of separate actions Use cisagov/action-job-preamble instead of crazy-max/ghaction-github-status and crazy-max/ghaction-dump-context directly. Also disable permissions monitoring since it is poorly implemented and has been causing a lot of problems due to hogging or leaking memory. --- .github/workflows/dependency-review.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 848feb5..1b05dff 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -1,7 +1,7 @@ --- name: Dependency review -on: +on: # yamllint disable-line rule:truthy merge_group: types: - checks_requested @@ -27,6 +27,12 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + check_github_status: "true" + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" + output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level @@ -41,12 +47,6 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: github-status - name: Check GitHub status - uses: crazy-max/ghaction-github-status@v4 - - id: dump-context - name: Dump context - uses: crazy-max/ghaction-dump-context@v2 dependency-review: name: Dependency review needs: 
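Review bot: `on: # yamllint disable-line rule:truthy` places the directive inline with no explanation, whereas the PATCH 25 hunk for codeql-analysis.yml uses a two-line form with a comment saying why the directive is needed; the two skeleton workflows should agree. Using the same two lines here, `# The use of on here as a key is part of the GitHub actions syntax.` followed by `# yamllint disable-line rule:truthy` directly above a plain `on:`, keeps the files consistent and tells the next reader what the `truthy` rule is objecting to.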
@@ -59,6 +59,10 @@ jobs: - name: Apply standard cisagov job preamble uses: cisagov/action-job-preamble@v1 with: + # This functionality is poorly implemented and has been + # causing a lot of problems due to the MITM implementation + # hogging or leaking memory, so we disable it for now. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From 028f652f68762a12dc7465c881ce221d3031e8c1 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 27 Mar 2025 15:59:26 -0400 Subject: [PATCH 30/55] Do not disable GitHub permissions monitoring by default But do leave a commented-out line that can be uncommented to do so. The idea is that we should only comment out this functionality where we really must. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 14 ++++++++------ .github/workflows/codeql-analysis.yml | 14 ++++++++------ .github/workflows/dependency-review.yml | 14 ++++++++------ .github/workflows/sync-labels.yml | 14 ++++++++------ 4 files changed, 32 insertions(+), 24 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9ffe432..eeebb23 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -41,9 +41,10 @@ jobs: with: check_github_status: "true" # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the 
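Review bot: With `monitor_permissions: "false"` commented out in the build.yml `@@ -41,9 +41,10 @@` hunk, whether monitoring is active now depends on the action's own default, which the workflow no longer states, so a reader of this skeleton cannot tell from the file what the effective setting is. Suggest making that explicit in the comment, e.g. `# Permissions monitoring is left at the action's default (enabled, if that is indeed the default); uncomment the next line to turn it off.` — hedged because the action's default is not visible in this diff. The same wording applies to the other seven hunks of this commit (the second build.yml hunk and the codeql-analysis.yml, dependency-review.yml and sync-labels.yml hunks). The enclosing `with:` block of each step starts before the hunk.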
@@ -71,9 +72,10 @@ jobs: uses: cisagov/action-job-preamble@v1 with: # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 9329fdc..d1590e9 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -38,9 +38,10 @@ jobs: with: check_github_status: "true" # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -84,9 +85,10 @@ jobs: uses: cisagov/action-job-preamble@v1 with: # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level 
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 1b05dff..9901352 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -29,9 +29,10 @@ jobs: with: check_github_status: "true" # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -60,9 +61,10 @@ jobs: uses: cisagov/action-job-preamble@v1 with: # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 56859f2..07c0acf 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -25,9 +25,10 @@ jobs: with: check_github_status: "true" # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -57,9 +58,10 @@ jobs: uses: cisagov/action-job-preamble@v1 with: # This functionality is poorly implemented and has been - # causing a lot of problems due to the MITM implementation - # hogging or leaking memory, so we disable it for now. - monitor_permissions: "false" + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From fdab7fd18ddcadcf38d18e2c91708de8dfc3e2b2 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 28 Mar 2025 15:44:57 -0400 Subject: [PATCH 31/55] Fix YAML lines that are too long This gets rid of some errors from the yamllint pre-commit linter. --- .github/workflows/build.yml | 3 ++- .../default/externally-managed-python.yml | 19 +++++++++++-------- molecule/default/requirements.yml | 7 ++++--- 3 files changed, 17 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d1ef9f7..8fc1bd2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -197,7 +197,8 @@ jobs: permissions: # actions/checkout needs this to fetch code contents: read - runs-on: ubuntu-${{ startsWith(matrix.architecture, 'arm') && '24.04-arm' || 'latest' }} + runs-on: | + ubuntu-${{ startsWith(matrix.architecture, 'arm') && '24.04-arm' || 'latest' }} strategy: fail-fast: false matrix: diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml index ce43622..a5cab8a 100644 --- a/molecule/default/externally-managed-python.yml +++ b/molecule/default/externally-managed-python.yml 
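Review bot: Turning `runs-on` into a `|` literal block scalar changes the value, not just its layout: a `|` block keeps its trailing newline, so the runner label becomes `ubuntu-latest` or `ubuntu-24.04-arm` followed by a line break rather than a bare label, and the job is unlikely to match any runner. If the line-length lint is the only concern, keep the plain scalar and silence the rule on that line instead: put `# yamllint disable-line rule:line-length` on the line above `runs-on: ubuntu-${{ startsWith(matrix.architecture, 'arm') && '24.04-arm' || 'latest' }}`. The enclosing job definition starts before and ends after this hunk.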
@@ -19,18 +19,21 @@ - name: Ensure the EXTERNALLY-MANAGED file is present if Python 3 is installed when: '"python3" in ansible_facts.packages' block: - # This gets a unique list of installed Python packages in the form of major.minor - # by taking the list of installed Python packages and: + # This gets a unique list of installed Python packages in + # the form of major.minor by taking the list of installed + # Python packages and: # 1. Extracting the version from each package's information # 2. Removing any version information after the major.minor version # 3. Ensuring there are no duplicates # - # NOTE: - # Since the value of python_versions is a multiline string, the regex expressions used in - # the regex_replace filter must use single backslashes for special sequences. If the value - # of python_versions were to be changed from a multiline string, the special sequences - # must be modified to use double backslashes instead. This is due to how the YAML is - # processed when Ansible reads the playbook. + # NOTE: Since the value of python_versions is a multiline + # string, the regex expressions used in the regex_replace + # filter must use single backslashes for special + # sequences. If the value of python_versions were to be + # changed from a multiline string, the special sequences + # must be modified to use double backslashes instead. This + # is due to how the YAML is processed when Ansible reads + # the playbook. - name: Extract version information about installed Python packages ansible.builtin.set_fact: python_versions: >- diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml index 1854da0..1ef84c4 100644 --- a/molecule/default/requirements.yml +++ b/molecule/default/requirements.yml 
@@ -1,7 +1,8 @@ --- -# This is necessary to ensure a version of this collection that is compatible -# with version 2.32.0+ of the Python requests library. This should be removed when -# it is no longer required per https://github.com/cisagov/skeleton-ansible-role/issues/195 +# This is necessary to ensure a version of this collection that is +# compatible with version 2.32.0+ of the Python requests library. This +# should be removed when it is no longer required per +# https://github.com/cisagov/skeleton-ansible-role/issues/195 collections: - name: community.docker version: ">=3.10.2" From ff1428eb6d83ea714a163d1ebd7ebb6d8eb7066a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 28 Mar 2025 15:46:29 -0400 Subject: [PATCH 32/55] Double-quote string This gets rid of an error from the yamllint pre-commit linter. --- .github/lineage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/lineage.yml b/.github/lineage.yml index 49f9c4f..46d3224 100644 --- a/.github/lineage.yml +++ b/.github/lineage.yml @@ -2,4 +2,4 @@ lineage: skeleton: remote-url: https://github.com/cisagov/skeleton-generic.git -version: '1' +version: "1" From 72d252419ac1a3c9b79902ff9f0985e42701b7f0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 28 Mar 2025 15:48:22 -0400 Subject: [PATCH 33/55] Remove redundant quotes This gets rid of errors from the yamllint pre-commit linter. --- .github/workflows/build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8fc1bd2..5e98161 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -239,13 +239,13 @@ jobs: python-version: ${{ steps.setup-env.outputs.python-version }} - uses: actions/cache@v4 env: - BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ - py${{ steps.setup-python.outputs.python-version }}-" + BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\ + py${{ steps.setup-python.outputs.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} - key: "${{ env.BASE_CACHE_KEY }}\ + key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ - ${{ hashFiles('**/requirements.txt') }}" + ${{ hashFiles('**/requirements.txt') }} restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Install dependencies From 36bc123a5298b34e261aaa38dc969a326f3eb248 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 28 Mar 2025 15:48:48 -0400 Subject: [PATCH 34/55] Prefer symbolic mode over octal numbers This gets rid of an error from the yamllint pre-commit linter. --- molecule/default/externally-managed-python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml index a5cab8a..c13b095 100644 --- a/molecule/default/externally-managed-python.yml +++ b/molecule/default/externally-managed-python.yml @@ -47,6 +47,6 @@ - name: Restore EXTERNALLY-MANAGED file for Python ansible.builtin.template: dest: /usr/lib/python{{ item }}/EXTERNALLY-MANAGED - mode: 0644 + mode: u=rw,g=r,o=r src: EXTERNALLY-MANAGED.j2 loop: "{{ python_versions }}" From eb809d9232aabf83d3b5df952c404a5222ac1172 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 28 Mar 2025 15:50:58 -0400 Subject: [PATCH 35/55] Use cisagov/action-job-preamble in test job of build workflow --- .github/workflows/build.yml | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5e98161..952d1be 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
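Review bot: Dropping the double quotes around `BASE_CACHE_KEY` and `key` changes their values: inside a double-quoted scalar a trailing `\` joins the next line with no separator, whereas in a plain multi-line scalar the backslash is a literal character and the line break folds to a space, so the key becomes something like `build-Linux-\ py3.12-` (constructed example). The keys stay deterministic, so caching still works, but they carry a stray backslash and space and no longer match keys produced by the previous version of the workflow, so existing caches are silently invalidated. Keep the quotes and silence the lint instead — `# yamllint disable-line rule:quoted-strings` on the line above each value — or join each value onto a single line so no continuation is needed.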
@@ -221,15 +221,28 @@ jobs: scenario: - default steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - with: - # Uses the organization variable unless overridden - config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - id: harden-runner - name: Harden the runner - uses: step-security/harden-runner@v2 + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 with: - egress-policy: audit + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. If this happens to you just uncomment + # this line. + # monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v4 From 230a8e6a650889b8b196e3156e4364e349fd5645 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 28 Mar 2025 16:06:29 -0400 Subject: [PATCH 36/55] Revert line and add a yamllint ignore directive The line is long, but if I use a block style indicator then GH Actions doesn't execute the expression and the test jobs never run. --- .github/workflows/build.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 952d1be..5287c27 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -197,8 +197,10 @@ jobs: permissions: # actions/checkout needs this to fetch code contents: read - runs-on: | - ubuntu-${{ startsWith(matrix.architecture, 'arm') && '24.04-arm' || 'latest' }} + # This line is long, but if I use a block style indicator then GH + # Actions doesn't parse and execute the expression. + # yamllint disable-line rule:line-length + runs-on: ubuntu-${{ startsWith(matrix.architecture, 'arm') && '24.04-arm' || 'latest' }} strategy: fail-fast: false matrix: From c074ab8ec97a8e42872ba602dffcea11ec24235c Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 28 Mar 2025 16:08:37 -0400 Subject: [PATCH 37/55] Bump version from 0.0.1-rc.1 to 1.0.0 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 871d40b..3eefcb9 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.0.1-rc.1 +1.0.0 From 65f9c3012bed807253f1c91aa9ee79234cdd517a Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 8 Apr 2025 11:39:47 -0400 Subject: [PATCH 38/55] Disable GH permissions monitoring everywhere This functionality (https://github.com/GitHubSecurityLab/actions-permissions/tree/main/monitor) is poorly implemented and has been causing problems due to the MITM implementation hogging or leaking memory. This functionality should be re-enabled when practical. See cisagov/skeleton-generic#207 for more details. --- .github/workflows/build.yml | 20 ++++++++++++++------ .github/workflows/codeql-analysis.yml | 20 ++++++++++++++------ .github/workflows/dependency-review.yml | 20 ++++++++++++++------ .github/workflows/sync-labels.yml | 20 ++++++++++++++------ 4 files changed, 56 insertions(+), 24 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index eeebb23..130ec8c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -42,9 +42,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -73,9 +77,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d1590e9..382999a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
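Review bot: The new comment block misspells the TODO in both build.yml hunks; it should read `# TODO: Re-enable this functionality when practical. See`. The same copy of the comment is pasted into the codeql-analysis.yml, dependency-review.yml and sync-labels.yml hunks of this commit on the following lines, so all eight occurrences need the same fix. The enclosing `with:` block of each step starts before the hunk.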
@@ -39,9 +39,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -86,9 +90,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 9901352..52a3ee9 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -30,9 +30,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -62,9 +66,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 07c0acf..04503e2 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -26,9 +26,13 @@ jobs: check_github_status: "true" # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" output_workflow_context: "true" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the @@ -59,9 +63,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-anable this functionality when practical. See + # cisagov/skeleton-generic#207 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From 2cfc534f2a4cb11d5bd310f6cfe5832565399885 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 8 Apr 2025 12:57:31 -0400 Subject: [PATCH 39/55] Fix typo that was copied and pasted all over the show Co-authored-by: David Harris <123905168+dv4harr10@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 4 ++-- .github/workflows/dependency-review.yml | 2 +- .github/workflows/sync-labels.yml | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 130ec8c..7fe4f16 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,7 +46,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" @@ -81,7 +81,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" # Use a variable to specify the permissions monitoring diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 382999a..dd59d04 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -43,7 +43,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" @@ -94,7 +94,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" # Use a variable to specify the permissions monitoring diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 52a3ee9..f98c687 100644 --- a/.github/workflows/dependency-review.yml 
+++ b/.github/workflows/dependency-review.yml @@ -70,7 +70,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" # Use a variable to specify the permissions monitoring diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 04503e2..fa6f772 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -30,7 +30,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" @@ -67,7 +67,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" # Use a variable to specify the permissions monitoring From b99c056734e4fca666320bd9fcc77fe0ab2817f9 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 8 Apr 2025 13:44:10 -0400 Subject: [PATCH 40/55] Disable GH permissions monitoring in build.yml workflow This functionality is poorly implemented and has been causing problems due to the MITM implementation hogging or leaking memory. --- .github/workflows/build.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f48fb3d..12dcbb7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -236,9 +236,13 @@ jobs: with: # This functionality is poorly implemented and has been # causing problems due to the MITM implementation hogging or - # leaking memory. If this happens to you just uncomment - # this line. - # monitor_permissions: "false" + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-ansible-role#227 for more details. + monitor_permissions: "false" # Use a variable to specify the permissions monitoring # configuration. By default this will yield the # configuration stored in the cisagov organization-level From e0bf15782d8220a1886693bef704489df1df17cb Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 9 Apr 2025 09:48:38 -0400 Subject: [PATCH 41/55] Fix typo --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index f98c687..ee87e04 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -34,7 +34,7 @@ jobs: # you want to temporarily enable it, simply set # monitor_permissions equal to "true". # - # TODO: Re-anable this functionality when practical. See + # TODO: Re-enable this functionality when practical. See # cisagov/skeleton-generic#207 for more details. monitor_permissions: "false" output_workflow_context: "true" From c4d9336af3b121233098135aefd8d358c006c3dc Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 11:15:06 -0500 Subject: [PATCH 42/55] Disable AppArmor before running Molecule tests This commit also resolves #215. --- .github/workflows/build.yml | 44 ++++++++++--------------------------- 1 file changed, 11 insertions(+), 33 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 12dcbb7..5987200 100644 
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -283,46 +283,24 @@ jobs: uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - # Disabling the unix-chkpwd AppArmor profile is necessary when - # running Molecule tests against Fedora 40 and 41; otherwise, - # the privileged container cannot successfully run sudo and - # hence Ansible is unable to do anything. See + # AppArmor interferes when running Molecule tests against Fedora + # 40 and 41; it does not allow the privileged container to run + # sudo and hence Ansible is unable to do anything. See # fedora-cloud/docker-brew-fedora#117 for more details. # - # Purging firefox is currently necessary because the - # installation available on the GitHub runner instance provides - # two conflicting AppArmor profiles: - # /etc/apparmor.d/usr.bin.firefox and /etc/apparmor.d/firefox. - # This conflict causes the aa-disable /usr/sbin/unix_chkpwd - # command to fail. - # - # Purging passt is currently necessary because the installation - # available on the GitHub runner instance contains a wonky - # AppArmor file (/etc/apparmor.d/abstractions/passt) that causes - # the aa-disable command to fail. - # - # TODO: Remove the apt-get purge and systemctl reload commands - # when possible. See cisagov/skeleton-ansible-role#215 for more - # details. - - name: Disable unix-chkpwd AppArmor profile - run: | - sudo apt-get purge firefox passt - sudo systemctl reload apparmor.service - sudo apt-get install apparmor-utils - sudo aa-disable /usr/sbin/unix_chkpwd - if: ${{ startsWith(matrix.platform, 'fedora') }} + # There is a growing consensus that AppArmor causes too many + # problems and should not be active on the short-lived GitHub + # runners. See, for example, + # actions/runner-images/issues/10015. To avoid problems in the + # future, it makes sense to simply disable AppArmor altogether + # before running Molecule tests. 
+ - name: Disable AppArmor + uses: cisagov/action-disable-apparmor@first-commits - name: Run molecule tests run: >- molecule test --platform-name ${{ matrix.platform }}-${{ matrix.architecture }} --scenario-name ${{ matrix.scenario }} - # TODO: Remove the apt-get install command when possible. See - # cisagov/skeleton-ansible-role#215 for more details. - - name: Re-enable unix-chkpwd AppArmor profile - run: | - sudo aa-enforce /usr/sbin/unix_chkpwd - sudo apt-get install firefox passt - if: ${{ startsWith(matrix.platform, 'fedora') }} - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE From 10646ca998a6916d0d552a34b83906218941f5b3 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 21 Feb 2025 22:34:06 -0500 Subject: [PATCH 43/55] Add a Dependabot ignore directive for cisagov/action-disable-apparmor Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 8c6c48d..fcaf85b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -22,6 +22,7 @@ updates: - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate # # Managed by cisagov/skeleton-ansible-role + # - dependency-name: cisagov/action-disable-apparmor # - dependency-name: docker/setup-buildx-action # - dependency-name: docker/setup-qemu-action # - dependency-name: github/codeql-action From 943cf46df1aa2d260ce2459289e7d53a2f563099 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 25 Feb 2025 14:00:18 -0500 Subject: [PATCH 44/55] Use the v1 tag of cisagov/action-disable-apparmor --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5987200..dea0396 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
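Review bot: `uses: cisagov/action-disable-apparmor@first-commits` pins a step that runs with elevated privileges and switches off a kernel security module on the runner to a branch name, which is a mutable ref: whoever can push to that branch changes what runs in every build of every child repository of this skeleton. Pin it to a release tag at least, and preferably to a full commit SHA with the tag in a trailing comment, e.g. `uses: cisagov/action-disable-apparmor@<commit-sha>  # v1` (placeholder; the SHA is not on this page). Note also that the removed step was guarded by `if: ${{ startsWith(matrix.platform, 'fedora') }}` while the new step runs for every platform, which the new comment justifies but which does widen the change beyond the Fedora case. The enclosing `steps:` list starts before the hunk.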
@@ -295,7 +295,7 @@ jobs: # future, it makes sense to simply disable AppArmor altogether # before running Molecule tests. - name: Disable AppArmor - uses: cisagov/action-disable-apparmor@first-commits + uses: cisagov/action-disable-apparmor@v1 - name: Run molecule tests run: >- molecule test From 7840f252e17691d5c45d4010cfd15e82a38bcaaf Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 24 Feb 2025 14:52:16 -0500 Subject: [PATCH 45/55] Add .ansible directory to .gitignore Ansible tools now save any downloaded roles, collections, and modules to an .ansible directory located at the root of the project directory. This cache directory should be ignored by git. --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index 937e21d..f80f425 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,9 @@ # Files already tracked by Git are not affected. # See: https://git-scm.com/docs/gitignore +## Ansible ## +.ansible + ## Python ## __pycache__ .mypy_cache From 0b5401f81f7cea4eafea03d3aa90e6299f9b1b52 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 11 Mar 2025 13:25:10 -0400 Subject: [PATCH 46/55] Remove step to setup QEMU We no longer use QEMU when testing Ansible roles now that we are able to use ARM-native GHA runners. --- .github/dependabot.yml | 1 - .github/workflows/build.yml | 2 -- 2 files changed, 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 8c6c48d..08ed8e3 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -23,7 +23,6 @@ updates: - dependency-name: mxschmitt/action-tmate # # Managed by cisagov/skeleton-ansible-role # - dependency-name: docker/setup-buildx-action - # - dependency-name: docker/setup-qemu-action # - dependency-name: github/codeql-action package-ecosystem: github-actions schedule: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 12dcbb7..3194bcd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -279,8 +279,6 @@ jobs: run: | python -m pip install --upgrade pip pip install --upgrade --requirement requirements-test.txt - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 # Disabling the unix-chkpwd AppArmor profile is necessary when From 86f0d01d88008d55f05de4ba7afc75a19fea679b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 17 Feb 2025 14:34:21 -0500 Subject: [PATCH 47/55] Use a Molecule config that is shared across scenarios Also configure the Ansible roles path via the config_options parameter of the provisioner section in the shared Molecule configuration. This is a more direct way of setting the roles path than setting an environment variable. --- .config/molecule/config.yml | 234 +++++++++++++++++++++++++++++++++ molecule/default/molecule.yml | 235 +--------------------------------- 2 files changed, 237 insertions(+), 232 deletions(-) create mode 100644 .config/molecule/config.yml diff --git a/.config/molecule/config.yml b/.config/molecule/config.yml new file mode 100644 index 0000000..58a4a74 --- /dev/null +++ b/.config/molecule/config.yml
@@ -0,0 +1,234 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest + name: amazonlinux2023-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest + name: amazonlinux2023-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian10-ansible:latest + name: debian10-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian10-ansible:latest + name: debian10-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian11-ansible:latest + name: debian11-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian11-ansible:latest + name: debian11-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian12-ansible:latest + name: debian12-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: 
docker.io/geerlingguy/docker-debian12-ansible:latest + name: debian12-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-debian13-ansible:latest + name: debian13-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-debian13-ansible:latest + name: debian13-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-kali-ansible:latest + name: kali-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-kali-ansible:latest + name: kali-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora39-ansible:latest + name: fedora39-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora39-ansible:latest + name: fedora39-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora40-ansible:latest + name: fedora40-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + 
command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora40-ansible:latest + name: fedora40-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora41-ansible:latest + name: fedora41-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-fedora41-ansible:latest + name: fedora41-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest + name: ubuntu-20-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest + name: ubuntu-20-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest + name: ubuntu-22-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest + name: ubuntu-22-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest + name: ubuntu-24-systemd-amd64 + platform: amd64 + pre_build_image: true + privileged: 
true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest + name: ubuntu-24-systemd-arm64 + platform: arm64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw +provisioner: + name: ansible + config_options: + defaults: + # Molecule used to add ${MOLECULE_PROJECT_DIRECTORY}/. to this + # path for us pre-25.2.0, but now we have to do it ourselves. + # See ansible/molecule#4380 and + # https://github.com/ansible/molecule/releases/tag/v25.2.0 for + # more details. + roles_path: ~/.cache/molecule/skeleton-ansible-role/${MOLECULE_SCENARIO_NAME}/roles:${MOLECULE_PROJECT_DIRECTORY}/..:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles +verifier: + name: testinfra diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 1032ba7..191b6ce 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
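Review bot: Every `image:` in the new shared config uses a floating `:latest` tag from the `docker.io/geerlingguy` and `docker.io/cisagov` namespaces, so two runs of the same commit can test different base images and a run silently picks up whatever the publisher pushed most recently; if following the publishers' current images is the intent, a comment under `platforms:` should say so, e.g. `# :latest is intentional so tests follow the current upstream images; pin by digest if reproducible runs are needed.` Each platform also combines `privileged: true`, `cgroupns_mode: host` and a read-write `/sys/fs/cgroup` mount, which gives the test container near-host privileges on the runner; this looks like the usual systemd-in-Docker setup for Molecule and the runner is presumably ephemeral, but a one-line comment recording that reason would help the next reader. The `roles_path` value also puts `${MOLECULE_PROJECT_DIRECTORY}/..` on the search path, so every sibling directory of the project becomes a role candidate; the comment above explains the Molecule history but not this consequence, and it is worth stating.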
@@ -1,235 +1,6 @@ --- -dependency: - name: galaxy -driver: - name: docker -platforms: - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian10-ansible:latest - name: debian10-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian10-ansible:latest - name: debian10-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian11-ansible:latest - name: debian11-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian11-ansible:latest - name: debian11-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: 
docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - 
command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora41-ansible:latest - name: fedora41-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora41-ansible:latest - name: fedora41-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - name: ubuntu-20-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - name: ubuntu-20-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - name: ubuntu-22-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - name: ubuntu-22-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: 
true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw -provisioner: - name: ansible - env: - # Molecule used to add ${MOLECULE_PROJECT_DIRECTORY}/. to this - # path for us pre-25.2.0, but now we have to do it ourselves. See - # ansible/molecule#4380 and - # https://github.com/ansible/molecule/releases/tag/v25.2.0 for - # more details. - ANSIBLE_ROLES_PATH: ~/.cache/molecule/skeleton-ansible-role/${MOLECULE_SCENARIO_NAME}/roles:${MOLECULE_PROJECT_DIRECTORY}/..:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles +# See ../../.config/molecule/config.yml for the Molecule configuration +# that is shared among all scenarios. Any values set here will +# override the values in that file. scenario: name: default -verifier: - name: testinfra From 9b6b6f13742a01c7e0ce70f3aae9cd54f147401f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 21 Apr 2025 13:59:03 -0400 Subject: [PATCH 48/55] Remove duplicate entry from dependabot.yml Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/dependabot.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index b7f27a0..c4f425d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -24,7 +24,6 @@ updates: # # Managed by cisagov/skeleton-ansible-role # - dependency-name: cisagov/action-disable-apparmor # - dependency-name: docker/setup-buildx-action - # - dependency-name: github/codeql-action package-ecosystem: github-actions schedule: interval: weekly From abf8c5d4c853b5efb1aaaf64cceaa3e247cf20b0 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Thu, 24 Apr 2025 11:36:34 -0400 Subject: [PATCH 49/55] Uncomment Dependabot ignore directives from upstream --- .github/dependabot.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 48ffdc0..927e821 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -21,9 +21,9 @@ updates: - dependency-name: hashicorp/setup-packer - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate - # # Managed by cisagov/skeleton-ansible-role - # - dependency-name: cisagov/action-disable-apparmor - # - dependency-name: docker/setup-buildx-action + # Managed by cisagov/skeleton-ansible-role + - dependency-name: cisagov/action-disable-apparmor + - dependency-name: docker/setup-buildx-action package-ecosystem: github-actions schedule: interval: weekly From f3fb67b7168746e1f338e5878a3311bba909fb77 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 24 Apr 2025 11:37:10 -0400 Subject: [PATCH 50/55] Comment out unsupported platforms --- .config/molecule/config.yml | 146 ++++++++++++++++++------------------ 1 file changed, 74 insertions(+), 72 deletions(-) diff --git a/.config/molecule/config.yml b/.config/molecule/config.yml index 58a4a74..db32661 100644 --- a/.config/molecule/config.yml +++ b/.config/molecule/config.yml 
@@ -22,42 +22,43 @@ platforms: privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian10-ansible:latest - name: debian10-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian10-ansible:latest - name: debian10-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian11-ansible:latest - name: debian11-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian11-ansible:latest - name: debian11-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw + # These platforms do not provide systemd-resolved. 
+ # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-debian10-ansible:latest + # name: debian10-systemd-amd64 + # platform: amd64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-debian10-ansible:latest + # name: debian10-systemd-arm64 + # platform: arm64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-debian11-ansible:latest + # name: debian11-systemd-amd64 + # platform: amd64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-debian11-ansible:latest + # name: debian11-systemd-arm64 + # platform: arm64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian12-ansible:latest 
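Review bot: The Debian 10 and 11 platform entries are kept as roughly forty lines of commented-out YAML rather than removed, and the same pattern recurs for Ubuntu 20 and 22 in the next hunk; git history already preserves the definitions, so deleting them and keeping only the explanatory comment would make the `platforms:` list easier to scan and would not leave a large block that any future edit must keep in sync by hand. If the intent is to re-enable them later, the comment should say under what condition, e.g. `# Debian 10 and 11 are excluded because their images do not provide systemd-resolved; re-add them here if that changes.` The `platforms:` sequence starts outside the hunk.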
@@ -166,42 +167,43 @@ platforms: privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - name: ubuntu-20-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - name: ubuntu-20-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - name: ubuntu-22-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - name: ubuntu-22-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw + # These platforms do not provide systemd-resolved. 
+ # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest + # name: ubuntu-20-systemd-amd64 + # platform: amd64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest + # name: ubuntu-20-systemd-arm64 + # platform: arm64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest + # name: ubuntu-22-systemd-amd64 + # platform: amd64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest + # name: ubuntu-22-systemd-arm64 + # platform: arm64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest From 2098885d288c533c8a47971cf813b47689615887 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 24 Apr 2025 11:41:38 -0400 Subject: [PATCH 51/55] Copy molecule.yml changes from default scenario to non-default scenarios --- molecule/disable_stub_resolver/molecule.yml | 237 +----------------- .../specify_resolv_conf_target/molecule.yml | 237 +----------------- 2 files changed, 6 insertions(+), 468 deletions(-) diff --git a/molecule/disable_stub_resolver/molecule.yml b/molecule/disable_stub_resolver/molecule.yml index 7782a03..c65aec5 100644 --- a/molecule/disable_stub_resolver/molecule.yml +++ b/molecule/disable_stub_resolver/molecule.yml 
@@ -1,237 +1,6 @@ --- -dependency: - name: galaxy -driver: - name: docker -platforms: - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - # These platforms do not provide systemd-resolved. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian10-ansible:latest - # name: debian10-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian10-ansible:latest - # name: debian10-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian11-ansible:latest - # name: debian11-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian11-ansible:latest - # name: debian11-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - 
volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-amd64 - platform: amd64 - 
pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora41-ansible:latest - name: fedora41-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora41-ansible:latest - name: fedora41-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - # These platforms do not provide systemd-resolved. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - # name: ubuntu-20-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - # name: ubuntu-20-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - # name: ubuntu-22-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - # name: ubuntu-22-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - 
/sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw -provisioner: - name: ansible - env: - # Molecule used to add ${MOLECULE_PROJECT_DIRECTORY}/. to this - # path for us pre-25.2.0, but now we have to do it ourselves. See - # ansible/molecule#4380 and - # https://github.com/ansible/molecule/releases/tag/v25.2.0 for - # more details. - ANSIBLE_ROLES_PATH: ~/.cache/molecule/skeleton-ansible-role/${MOLECULE_SCENARIO_NAME}/roles:${MOLECULE_PROJECT_DIRECTORY}/..:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles +# See ../../.config/molecule/config.yml for the Molecule configuration +# that is shared among all scenarios. Any values set here will +# override the values in that file. scenario: name: disable_stub_resolver -verifier: - name: testinfra diff --git a/molecule/specify_resolv_conf_target/molecule.yml b/molecule/specify_resolv_conf_target/molecule.yml index 898224d..982a97e 100644 --- a/molecule/specify_resolv_conf_target/molecule.yml +++ b/molecule/specify_resolv_conf_target/molecule.yml 
@@ -1,237 +1,6 @@ --- -dependency: - name: galaxy -driver: - name: docker -platforms: - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - # These platforms do not provide systemd-resolved. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian10-ansible:latest - # name: debian10-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian10-ansible:latest - # name: debian10-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian11-ansible:latest - # name: debian11-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-debian11-ansible:latest - # name: debian11-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - 
volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-amd64 - platform: amd64 - 
pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora41-ansible:latest - name: fedora41-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora41-ansible:latest - name: fedora41-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - # These platforms do not provide systemd-resolved. - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - # name: ubuntu-20-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - # name: ubuntu-20-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - # name: ubuntu-22-systemd-amd64 - # platform: amd64 - # pre_build_image: true - # privileged: true - # volumes: - # - /sys/fs/cgroup:/sys/fs/cgroup:rw - # - cgroupns_mode: host - # command: /lib/systemd/systemd - # image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - # name: ubuntu-22-systemd-arm64 - # platform: arm64 - # pre_build_image: true - # privileged: true - # volumes: - # - 
/sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-amd64 - platform: amd64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - - cgroupns_mode: host - command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd-arm64 - platform: arm64 - pre_build_image: true - privileged: true - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw -provisioner: - name: ansible - env: - # Molecule used to add ${MOLECULE_PROJECT_DIRECTORY}/. to this - # path for us pre-25.2.0, but now we have to do it ourselves. See - # ansible/molecule#4380 and - # https://github.com/ansible/molecule/releases/tag/v25.2.0 for - # more details. - ANSIBLE_ROLES_PATH: ~/.cache/molecule/skeleton-ansible-role/${MOLECULE_SCENARIO_NAME}/roles:${MOLECULE_PROJECT_DIRECTORY}/..:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles +# See ../../.config/molecule/config.yml for the Molecule configuration +# that is shared among all scenarios. Any values set here will +# override the values in that file. scenario: name: specify_resolv_conf_target -verifier: - name: testinfra From f521f4a788411332596dc36fa5e6f6eb930bb4ab Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 24 Apr 2025 11:44:08 -0400 Subject: [PATCH 52/55] Prefer symbolic specification of file permissions --- tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 7daa6cd..f480379 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -37,7 +37,7 @@ live actually exists ansible.builtin.file: group: root - mode: 0755 + mode: u=rwx,g=rx,o=rx owner: root path: "{{ systemd_resolved_dropin_config_file | dirname }}" state: directory 
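Review bot: The rewritten molecule/specify_resolv_conf_target/molecule.yml drops the provisioner `env` block carrying the `ANSIBLE_ROLES_PATH` workaround for ansible/molecule#4380, together with the `privileged: true` / `/sys/fs/cgroup` platform definitions and the `verifier`, and nothing in this hunk or the sibling hunk for molecule/disable_stub_resolver/molecule.yml shows where they went; presumably they now live in `../../.config/molecule/config.yml`, which is not part of this diff, so that should be confirmed before merge. The new header comment says "Any values set here will override the values in that file", which reads as a blanket rule, but how Molecule combines a scenario file with the base config for list-valued keys such as `platforms` is not stated here and is the case a future editor is most likely to get wrong. Suggest tightening the comment to `# Scalar values set here override the shared config; check the Molecule docs for how list-valued keys such as platforms are merged.` The same wording applies to the disable_stub_resolver hunk.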
@@ -45,7 +45,7 @@ - name: Set DNSStubListener config value for systemd-resolved community.general.ini_file: group: root - mode: 0644 + mode: u=rw,g=r,o=r # This is just to maintain the look and feel of the # /etc/systemd/resolved.conf file as provided by systemd-resolved. no_extra_spaces: true From f7fc34162691227b30b7855740e2c80976caca78 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 24 Apr 2025 11:49:34 -0400 Subject: [PATCH 53/55] Correct indentation --- molecule/default/prepare.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index cb43771..7c8356c 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -58,8 +58,8 @@ become: true become_method: ansible.builtin.sudo tasks: - - name: Install some tools that are required for testing - ansible.builtin.package: - name: - - dnsutils - - net-tools + - name: Install some tools that are required for testing + ansible.builtin.package: + name: + - dnsutils + - net-tools From fe07c38ca60de66fef8daa8cc4fe44730e875cc0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 24 Apr 2025 11:50:32 -0400 Subject: [PATCH 54/55] Correct YAML lines that are too long In these cases I am able to use YAML block scalar strings to shorten the lines. --- defaults/main.yml | 3 ++- molecule/specify_resolv_conf_target/converge.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0134d38..6d431a9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -26,4 +26,5 @@ systemd_resolved_dropin_config_file: /etc/systemd/resolved.conf.d/99-ansible-rol # using the DNS resolver provided via DHCP. See here for more # information: # https://man.archlinux.org/man/systemd-resolved.8#/ETC/RESOLV.CONF -systemd_resolved_resolv_conf_filename: "{{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf" +systemd_resolved_resolv_conf_filename: >- + {{ dynamic_resolv_conf_target_dir }}/stub-resolv.conf diff --git a/molecule/specify_resolv_conf_target/converge.yml b/molecule/specify_resolv_conf_target/converge.yml index 17d71af..aa71f57 100644 --- a/molecule/specify_resolv_conf_target/converge.yml +++ b/molecule/specify_resolv_conf_target/converge.yml @@ -6,4 +6,5 @@ ansible.builtin.include_role: name: ansible-role-systemd-resolved vars: - systemd_resolved_resolv_conf_filename: "{{ dynamic_resolv_conf_target_dir }}/resolv.conf" + systemd_resolved_resolv_conf_filename: >- + {{ dynamic_resolv_conf_target_dir }}/resolv.conf From 6ab5dbaff7452e42975f975ac36e292d7d24f877 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 24 Apr 2025 11:52:29 -0400 Subject: [PATCH 55/55] Add yamllint ignore directives for long lines In these cases there is no clean way to shorten the lines. --- tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index f480379..3d7469c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -12,7 +12,12 @@ vars: conditions: - systemd_resolved_dns_stub_listener is boolean + # yamllint doesn't like these next two lines because they + # are so long, but there is no clean way to shorten them. + # + # yamllint disable-line rule:line-length - systemd_resolved_dns_stub_listener is string and systemd_resolved_dns_stub_listener == "tcp" + # yamllint disable-line rule:line-length - systemd_resolved_dns_stub_listener is string and systemd_resolved_dns_stub_listener == "udp" - name: Load var file with OS-specific information
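Review bot: The two `# yamllint disable-line rule:line-length` suppressions added to the `conditions` list in tasks/main.yml can be avoided with the same folded block scalar (`>-`) technique the preceding commit applies to defaults/main.yml and converge.yml, which keeps the file lint-clean and the style consistent across the series. A `>-` item yields the identical single-line Jinja expression string (line breaks fold to one space, no trailing newline), so the consumer of `conditions` — presumably an assert, outside this hunk — sees the same value; that equivalence is worth checking against the rendered task. The enclosing task begins above the hunk and is not visible here.
```yaml
  conditions:
    - systemd_resolved_dns_stub_listener is boolean
    - >-
      systemd_resolved_dns_stub_listener is string
      and systemd_resolved_dns_stub_listener == "tcp"
    - >-
      systemd_resolved_dns_stub_listener is string
      and systemd_resolved_dns_stub_listener == "udp"
# … unchanged: following "Load var file with OS-specific information" task …
```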