diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c11089c..471a494 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -100,7 +100,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: setup-env
 uses: cisagov/setup-env-github-action@v1
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - id: setup-python
 uses: actions/setup-python@v6
 with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ac19c95..5458e86 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -113,7 +113,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index bc859d1..580fa9c 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -89,7 +89,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: checkout-repo
 name: Checkout the repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - id: dependency-review
 name: Review dependency changes for vulnerabilities and license changes
 uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 19e0129..f60bc84 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -84,7 +84,7 @@ jobs:
 # monitoring configuration *does not* require you to modify
 # this workflow.
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - name: Sync repository labels
 if: success()
 uses: crazy-max/ghaction-github-labeler@v5
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 471cdc3..54e50f1 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -168,10 +168,16 @@ repos:
 rev: v3.21.1
 hooks:
 - id: pyupgrade
+ args:
+ # Python 3.10 is currently the oldest non-EOL version of
+ # Python, so we want to apply all rules that apply to this
+ # version or later. See here for more details:
+ # https://www.gyford.com/phil/writing/2025/08/26/how-to-use-pyupgrade/
+ - --py310-plus
 # Ansible hooks
 - repo: https://github.com/ansible/ansible-lint
- rev: v25.11.0
+ rev: v25.11.1
 hooks:
 - id: ansible-lint
 additional_dependencies:
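Review bot: `--py310-plus` makes pyupgrade rewrite source into syntax that only runs on Python 3.10 and later, so the flag must agree with the package's declared minimum Python version (`python_requires` or its equivalent, which is outside this diff); if that floor is still below 3.10, the hook will start producing code the package claims to support but cannot import. The justification comment is also time-bound ("currently the oldest non-EOL version"), which goes stale without anyone noticing; I would add a line that names the real constraint, e.g. `# Keep this in step with the minimum Python version the package declares.` The ansible-lint rev bump in the same hunk needs no comment.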
@@ -187,31 +193,13 @@ repos:
 # hook identifies a vulnerability in ansible-core 2.16.13,
 # but all versions of ansible 9 have a dependency on
 # ~=2.16.X.
- #
- # It is also a good idea to go ahead and upgrade to version
- # 10 since version 9 is going EOL at the end of November:
- # https://endoflife.date/ansible
 # - ansible>=10,<11
- # ansible-core 2.16.3 through 2.16.6 suffer from the bug
- # discussed in ansible/ansible#82702, which breaks any
- # symlinked files in vars, tasks, etc. for any Ansible role
- # installed via ansible-galaxy. Hence we never want to
- # install those versions.
- #
- # Note that the pip-audit pre-commit hook identifies a
- # vulnerability in ansible-core 2.16.13. The pin of
- # ansible-core to >=2.17 effectively also pins ansible to
- # >=10.
- #
- # It is also a good idea to go ahead and upgrade to
- # ansible-core 2.17 since security support for ansible-core
- # 2.16 ends this month:
- # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+ # ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.
 #
 # Note that any changes made to this dependency must also be
 # made in requirements.txt in cisagov/skeleton-packer and
 # requirements-test.txt in cisagov/skeleton-ansible-role.
- - ansible-core>=2.17
+ - ansible-core>=2.17.7
 # Terraform hooks
 - repo: https://github.com/antonbabenko/pre-commit-terraform
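Review bot: The rewritten comment leaves the commented-out `# - ansible>=10,<11` line orphaned: the text before it ends with "all versions of ansible 9 have a dependency on ~=2.16.X" and the next line jumps straight to the ansible-core advisory, so a reader no longer learns that the ansible-core pin is what rules out ansible 9 and makes a separate ansible pin unnecessary. I would keep one sentence from the removed block directly above the GHSA line, e.g. `# The ansible-core pin below also effectively pins ansible to >=10.` The remaining comment already states that the same floor must be mirrored in the two sibling repositories, which this diff cannot show. The `additional_dependencies` list this hunk edits starts outside the hunk.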