diff --git a/.github/workflows/_config.yml b/.github/workflows/_config.yml index 3b789d9..eea890c 100644 --- a/.github/workflows/_config.yml +++ b/.github/workflows/_config.yml @@ -39,6 +39,6 @@ on: jobs: csv-to-json: name: "Convert CSV to JSON" - uses: felddy/reusable-workflows/.github/workflows/csv-to-json.yml@v2 + uses: felddy/reusable-workflows/.github/workflows/csv-to-json.yml@v3 with: csv: ${{ inputs.platforms }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2233325..4c17e4d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,5 +1,4 @@ --- - name: Build on: @@ -12,7 +11,7 @@ on: release: types: [edited, published] schedule: - - cron: '0 10 * * *' # everyday at 10am + - cron: "0 10 * * *" # everyday at 10am workflow_dispatch: inputs: dispatch-tag: @@ -27,7 +26,7 @@ permissions: jobs: diagnostics: name: "Diagnostics" - uses: felddy/reusable-workflows/.github/workflows/diagnostics.yml@v2 + uses: felddy/reusable-workflows/.github/workflows/diagnostics.yml@v3 config: name: "Config" @@ -36,7 +35,7 @@ jobs: metadata: name: "Metadata" needs: [config] - uses: felddy/reusable-workflows/.github/workflows/docker-metadata.yml@v2 + uses: felddy/reusable-workflows/.github/workflows/container-metadata.yml@v3 with: image_name: ${{ needs.config.outputs.image_name }} @@ -60,15 +59,15 @@ jobs: lint: name: "Lint" needs: [config] - uses: felddy/reusable-workflows/.github/workflows/common-lint.yml@v2 + uses: felddy/reusable-workflows/.github/workflows/common-lint.yml@v3 - build-test-image: - name: "Build test image" + build-test-container: + name: "Build container for testing" needs: - config - lint - metadata - uses: felddy/reusable-workflows/.github/workflows/docker-build-image.yml@v2 + uses: felddy/reusable-workflows/.github/workflows/container-build.yml@v3 with: artifact_name: ${{ needs.config.outputs.image_artifact_name_stem }}-${{ needs.config.outputs.test_platform }} build_arg_1_name: VERSION 
@@ -80,32 +79,32 @@ jobs: secrets: build_arg_1_value: ${{ needs.metadata.outputs.source_version }} - test-normal-image: + test-normal-container: name: "Test image" needs: - - build-test-image + - build-test-container - config - uses: felddy/reusable-workflows/.github/workflows/docker-pytest-image.yml@v2 + uses: felddy/reusable-workflows/.github/workflows/container-test.yml@v3 with: data_artifact_name: ${{ needs.config.outputs.data_artifact_name }} data_artifact_path: ${{ needs.config.outputs.data_artifact_path }} - image_artifact_name: ${{ needs.build-test-image.outputs.artifact_name }} - image_archive_name: ${{ needs.build-test-image.outputs.image_archive_name }} + image_artifact_name: ${{ needs.build-test-container.outputs.artifact_name }} + image_archive_name: ${{ needs.build-test-container.outputs.image_archive_name }} build-each-platform: - name: "Build platform" + name: "Build container" needs: - config - lint - metadata - - test-normal-image + - test-normal-container if: github.event_name != 'pull_request' strategy: matrix: platform: ${{ fromJson(needs.config.outputs.platforms_json) }} exclude: - platform: ${{ needs.config.outputs.test_platform }} - uses: felddy/reusable-workflows/.github/workflows/docker-build-image.yml@v2 + uses: felddy/reusable-workflows/.github/workflows/container-build.yml@v3 with: artifact_name: ${{ needs.config.outputs.image_artifact_name_stem }}-${{ matrix.platform }} build_arg_1_name: VERSION 
@@ -127,13 +126,13 @@ jobs: strategy: matrix: platform: ${{ fromJson(needs.config.outputs.platforms_json) }} - uses: felddy/reusable-workflows/.github/workflows/sbom-artifact.yml@v2 + uses: felddy/reusable-workflows/.github/workflows/container-sbom.yml@v3 with: image_artifact_name: ${{ needs.config.outputs.image_artifact_name_stem }}-${{ matrix.platform }} sbom_artifact_name: ${{ needs.config.outputs.sbom_artifact_name_stem }}-${{ matrix.platform }} build-multi-arch-image: - name: "Publish image" + name: "Publish container" needs: - build-each-platform - config 
@@ -142,23 +141,40 @@ jobs: if: github.event_name != 'pull_request' permissions: packages: write - uses: felddy/reusable-workflows/.github/workflows/docker-multi-arch-push.yml@v2 + uses: felddy/reusable-workflows/.github/workflows/container-publish-multiarch.yml@v3 with: artifact_name_pattern: ${{ needs.config.outputs.image_artifact_name_stem }}-* image_tags: ${{ needs.metadata.outputs.image_tags }} + + mirror-to-dockerhub: + name: Mirror images to DockerHub + needs: + - build-multi-arch-image + - config + - docker-secrets + - metadata + if: github.event_name == 'release' && !github.event.release.prerelease + permissions: + contents: read + packages: read + uses: felddy/reusable-workflows/.github/workflows/container-mirror.yml@v3 + with: + image_name: ${{ needs.config.outputs.image_name }} + image_tag_names: ${{ needs.metadata.outputs.image_tag_names }} + target_registry: docker.io secrets: - docker_password: ${{ secrets.DOCKER_PASSWORD }} - docker_username: ${{ secrets.DOCKER_USERNAME }} + registry_password: ${{ secrets.DOCKER_PASSWORD }} + registry_username: ${{ secrets.DOCKER_USERNAME }} publish-readme: - name: "Publish docs" + name: Publish docs to DockerHub needs: - build-multi-arch-image - config - docker-secrets - metadata - if: needs.metadata.outputs.latest == 'true' - uses: felddy/reusable-workflows/.github/workflows/docker-publish-description.yml@v2 + if: github.event_name == 'release' && needs.metadata.outputs.latest == 'true' + uses: felddy/reusable-workflows/.github/workflows/dockerhub-description.yml@v3 with: image_name: ${{ needs.config.outputs.image_name }} secrets: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f3c12e3..dfafa91 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
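Review bot: The new `mirror-to-dockerhub` job references `felddy/reusable-workflows/.github/workflows/container-mirror.yml@v3` by a mutable tag while handing it `secrets.DOCKER_PASSWORD` and `secrets.DOCKER_USERNAME`, so whatever commit the `v3` tag resolves to at run time receives the Docker Hub credentials. Every third-party action touched elsewhere in this same change (codeql-analysis.yml, dependency-review.yml, scorecards.yml, stale-issues.yml, sync-labels.yml) is pinned to a full commit SHA with a `# tag=` comment, and `uses:` for a reusable workflow accepts a SHA the same way, so the `@v3` references are the one place the repository's pinning policy is not followed. Suggest `uses: felddy/reusable-workflows/.github/workflows/container-mirror.yml@<FULL-COMMIT-SHA> # tag=v3.<x>.<y>` (placeholder, substitute the resolved commit), and the same applies to the other `@v3` references in build.yml and in `_config.yml`. If `felddy/reusable-workflows` is maintained by the same owner the exposure is smaller, but a SHA pin still guards against a force-moved tag and keeps the policy uniform.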
@@ -45,17 +45,17 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # tag=v2.13.3 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # tag=v2.14.0 with: # TODO: change to 'egress-policy: block' after couple of runs egress-policy: audit - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # tag=v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # tag=v6.0.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # tag=codeql-bundle-v4.31.6 + uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # tag=codeql-bundle-v4.31.7 with: languages: ${{ matrix.language }} @@ -65,7 +65,7 @@ jobs: # manually (see below). # manually (see below). - name: Autobuild - uses: github/codeql-action/autobuild@fe4161a26a8629af62121b670040955b330f9af2 # tag=codeql-bundle-v4.31.6 + uses: github/codeql-action/autobuild@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # tag=codeql-bundle-v4.31.7 # â„šī¸ Command-line programs to run using the OS shell. 📚 # https://git.io/JvXDl @@ -83,4 +83,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@fe4161a26a8629af62121b670040955b330f9af2 # tag=codeql-bundle-v4.31.6 + uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # tag=codeql-bundle-v4.31.7 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 6c30c58..115d132 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -12,10 +12,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # tag=v2.13.3 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # tag=v2.14.0 with: # TODO: change to 'egress-policy: block' after couple of runs egress-policy: audit - name: 'Checkout Repository' - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # tag=v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # tag=v6.0.1 - name: 'Dependency Review' uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # tag=v4.8.2 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index fa1a937..f0c377f 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -28,7 +28,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # tag=v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # tag=v6.0.1 with: persist-credentials: false @@ -60,6 +60,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # tag=codeql-bundle-v4.31.6 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # tag=codeql-bundle-v4.31.7 with: sarif_file: results.sarif diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml index 2a55441..a7d39cd 100644 --- a/.github/workflows/stale-issues.yml +++ b/.github/workflows/stale-issues.yml 
@@ -14,11 +14,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # tag=v2.13.3 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # tag=v2.14.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # tag=v10.1.0 + - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # tag=v10.1.1 with: days-before-stale: 28 days-before-close: 7 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 9c18914..db31f08 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -20,10 +20,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # tag=v2.13.3 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # tag=v2.14.0 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # tag=v6.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # tag=v6.0.1 - name: Sync repository labels if: success() uses: crazy-max/ghaction-github-labeler@24d110aa46a59976b8a7f35518cb7f14f434c916 # tag=v5.3.0 diff --git a/.mdl_config.yaml b/.mdl_config.yaml index 79aebe9..3897ac4 100644 --- a/.mdl_config.yaml +++ b/.mdl_config.yaml @@ -1,17 +1,16 @@ --- - # Default state for all rules default: true # MD003/heading-style/header-style - Heading style MD003: # Enforce the ATX-closed style of header - style: "atx_closed" + style: atx_closed # MD004/ul-style - Unordered list style MD004: # Enforce dashes for unordered lists - style: "dash" + style: dash # MD013/line-length - Line length MD013: 
@@ -30,11 +29,11 @@ MD024: # MD029/ol-prefix - Ordered list item prefix MD029: # Enforce the `1.` style for ordered lists - style: "one" + style: one # MD033/no-inline-html - Inline HTML MD033: - # The h1 and img elements are allowed to permit header images + # The div, h1 and img elements are allowed to permit header images allowed_elements: - div - h1 @@ -43,19 +42,30 @@ MD033: # MD035/hr-style - Horizontal rule style MD035: # Enforce dashes for horizontal rules - style: "---" + style: --- + +# MD041/first-line-heading/first-line-h1 - First line in file should be a top +# level heading +MD041: + # Allow content before first heading + allow_preamble: true # MD046/code-block-style - Code block style MD046: # Enforce the fenced style for code blocks - style: "fenced" + style: fenced # MD049/emphasis-style - Emphasis style should be consistent MD049: # Enforce asterisks as the style to use for emphasis - style: "asterisk" + style: asterisk # MD050/strong-style - Strong style should be consistent MD050: # Enforce asterisks as the style to use for strong - style: "asterisk" + style: asterisk + +# MD060/table-column-style +MD060: + # Allow tables to use different styles + style: any diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 144df31..8ed5c14 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,4 +1,10 @@ --- +ci: + # Do not commit changes from running pre-commit for pull requests. + autofix_prs: false + # Autoupdate hooks weekly (this is the default). + autoupdate_schedule: weekly + default_language_version: # force all unspecified python hooks to run python3 python: python3 @@ -10,7 +16,7 @@ repos: - id: check-useless-excludes - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 + rev: v6.0.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs 
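Review bot: `style: ---` in the `MD035` stanza reads like a YAML document-start marker; it still parses as the string `---` because a plain scalar may begin with `-` when the next character is not a space and the marker is only recognised at column 0, but that is a subtle rule and this is the one value in the file where the removed quotes carried meaning. Suggest keeping `style: "---"` (or `style: '---'`) for that key only and leaving the other unquoted style values as they now are.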
@@ -39,17 +45,22 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.42.0 + rev: v0.46.0 hooks: - id: markdownlint args: - --config=.mdl_config.yaml - repo: https://github.com/rbubley/mirrors-prettier - rev: v3.3.3 + rev: v3.6.2 hooks: - id: prettier + # This is the latest version of v3 available from NPM. The pre-commit + # mirror does not pull tags for old major versions once a new major + # version tag is published. + additional_dependencies: + - prettier@3.3.1 - repo: https://github.com/adrienverge/yamllint - rev: v1.35.1 + rev: v1.37.1 hooks: - id: yamllint args: @@ -57,20 +68,20 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.4 + rev: 0.35.0 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v4.0.1 + rev: v4.5.0 hooks: - id: validate_manifest # Go hooks - repo: https://github.com/TekWizely/pre-commit-golang - rev: v1.0.0-rc.1 + rev: v1.0.0-rc.4 hooks: # Go Build - id: go-build-repo-mod @@ -99,7 +110,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.10.0-1 + rev: v3.12.0-2 hooks: - id: shfmt args: 
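Review bot: The comment added under the prettier hook does not match the lines around it: `rev: v3.6.2` is itself a v3 tag of the mirror, yet `additional_dependencies: - prettier@3.3.1` is described as "the latest version of v3 available from NPM", so a reader cannot tell which prettier version actually runs or why 3.3.1 was chosen. If the intent is to pin the prettier package independently of the mirror tag, say that directly, e.g. `# Pin the prettier package itself; the mirror tag only selects the hook wrapper.`, and state the reason for 3.3.1; if the comment is left over from an earlier rev it should be dropped. Presumably the mirror's own package metadata also names prettier, so it is worth confirming which version the hook environment reports before relying on this pin.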
@@ -117,37 +128,50 @@ repos: # Redirect operators are followed by a space - --space-redirects - repo: https://github.com/shellcheck-py/shellcheck-py - rev: v0.10.0.1 + rev: v0.11.0.1 hooks: - id: shellcheck # Python hooks + # Run bandit on the "tests" tree with a configuration - repo: https://github.com/PyCQA/bandit - rev: 1.7.10 + rev: 1.9.2 hooks: - id: bandit + name: bandit (tests tree) + files: tests args: - --config=.bandit.yml + # Run bandit on everything except the "tests" tree + - repo: https://github.com/PyCQA/bandit + rev: 1.9.2 + hooks: + - id: bandit + name: bandit (everything else) + exclude: tests - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.10.0 + rev: 25.11.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 - rev: 7.1.1 + rev: 7.3.0 hooks: - id: flake8 additional_dependencies: - flake8-docstrings==1.7.0 + # This is necessary to read the flake8 configuration from + # the pyproject.toml file. + - flake8-pyproject==1.2.3 - repo: https://github.com/PyCQA/isort - rev: 5.13.2 + rev: 7.0.0 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.13.0 + rev: v1.18.2 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit - rev: v2.7.3 + rev: v2.9.0 hooks: - id: pip-audit args: @@ -159,13 +183,13 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.19.0 + rev: v3.21.2 hooks: - id: pyupgrade # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.10.0 + rev: v25.11.1 hooks: - id: ansible-lint additional_dependencies: 
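Review bot: The two bandit hooks split the tree with `files: tests` and `exclude: tests`, but pre-commit treats both as unanchored regular expressions searched anywhere in the relative path, so any file whose path merely contains `tests` (a module named `contests.py`, or a `src/integration_tests_helper.py`, both constructed examples) is routed to the tests-tree hook with its `.bandit.yml` configuration and skipped by the other one. Anchor both patterns to the directory: `files: ^tests/` in the first hook and `exclude: ^tests/` in the second. Presumably `.bandit.yml` relaxes checks for test code (it is not shown here), which is why mis-routing production files into that profile matters.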
@@ -206,10 +230,15 @@ repos: # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. - ansible-core>=2.17 + # Forcing language_version back to python3 due to a bug introduced by a + # PR 4796 in ansible-lint which pinned to Python 3.13 which we are no + # longer using. + # https://github.com/ansible/ansible-lint/pull/4796 + language_version: python3 # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.96.1 + rev: v1.104.0 hooks: - id: terraform_fmt - id: terraform_validate @@ -222,7 +251,7 @@ repos: # Packer hooks - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.3.0 + rev: v0.3.1 hooks: - id: packer_fmt - id: packer_validate diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 509dfe7..30b43f0 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -46,9 +46,13 @@ There are a few ways to do this, but we prefer to use create and manage a Python virtual environment specific to this project. -If you already have `pyenv` and `pyenv-virtualenv` configured you can -take advantage of the `setup-env` tool in this repo to automate the -entire environment configuration process. +We recommend using the `setup-env` script located in this repository, +as it automates the entire environment configuration process. The +dependencies required to run this script are +[GNU `getopt`](https://github.com/util-linux/util-linux/blob/master/misc-utils/getopt.1.adoc), +[`pyenv`](https://github.com/pyenv/pyenv), and [`pyenv-virtualenv`](https://github.com/pyenv/pyenv-virtualenv). +If these tools are already configured on your system, you can simply run the +following command: ```console ./setup-env 
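Review bot: The comment above the new `language_version: python3` line is hard to follow ("a bug introduced by a PR 4796 in ansible-lint which pinned to Python 3.13 which we are no longer using") and does not say which ansible-lint rev carries the pin, so a later reader cannot tell when the override can be removed. Suggest rewording it to something like `# The ansible-lint hook pins language_version to Python 3.13 (ansible/ansible-lint#4796); force python3 here until the hook metadata is fixed, then drop this override.`, keeping the existing URL line.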
@@ -57,13 +61,18 @@ entire environment configuration process. Otherwise, follow the steps below to manually configure your environment. -#### Installing and using `pyenv` and `pyenv-virtualenv` #### +#### Installing and using GNU `getopt`, `pyenv`, and `pyenv-virtualenv` #### -On the Mac, we recommend installing [brew](https://brew.sh/). Then -installation is as simple as `brew install pyenv pyenv-virtualenv` and +On macOS, we recommend installing [brew](https://brew.sh/). Then +installation is as simple as `brew install gnu-getopt pyenv pyenv-virtualenv` and adding this to your profile: ```bash +# GNU getopt must be explicitly added to the path since it is +# keg-only (https://docs.brew.sh/FAQ#what-does-keg-only-mean) +export PATH="$(brew --prefix)/opt/gnu-getopt/bin:$PATH" + +# Setup pyenv export PYENV_ROOT="$HOME/.pyenv" export PATH="$PYENV_ROOT/bin:$PATH" eval "$(pyenv init --path)" @@ -71,13 +80,15 @@ eval "$(pyenv init -)" eval "$(pyenv virtualenv-init -)" ``` -For Linux, Windows Subsystem for Linux (WSL), or on the Mac (if you +For Linux, Windows Subsystem for Linux (WSL), or macOS (if you don't want to use `brew`) you can use [pyenv/pyenv-installer](https://github.com/pyenv/pyenv-installer) to install the necessary tools. Before running this ensure that you have installed the prerequisites for your platform according to the [`pyenv` wiki page](https://github.com/pyenv/pyenv/wiki/common-build-problems). +GNU `getopt` is included in most Linux distributions as part of the +[`util-linux`](https://github.com/util-linux/util-linux) package. On WSL you should treat your platform as whatever Linux distribution you've chosen to install. 
@@ -121,11 +132,10 @@ you can begin to use `pyenv`. For a list of Python versions that are already installed and ready to use with `pyenv`, use the command `pyenv versions`. To see a list of the Python versions available to be installed and used with `pyenv` -use the command `pyenv install --list`. You can read more -[here](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md) about -the many things that `pyenv` can do. See -[here](https://github.com/pyenv/pyenv-virtualenv#usage) for the -additional capabilities that pyenv-virtualenv adds to the `pyenv` +use the command `pyenv install --list`. You can read more about +the [many things that `pyenv` can do](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md). +See the [usage information](https://github.com/pyenv/pyenv-virtualenv#usage) +for the additional capabilities that pyenv-virtualenv adds to the `pyenv` command. #### Creating the Python virtual environment #### @@ -153,13 +163,10 @@ At this point the pre-commit checks will run against any files that you attempt to commit. If you want to run the checks against the entire repo, just execute `pre-commit run --all-files`. -## Public domain ## +## License ## -This project is in the public domain within the United States, and -copyright and related rights in the work worldwide are waived through -the [CC0 1.0 Universal public domain -dedication](https://creativecommons.org/publicdomain/zero/1.0/). +This project is released as open source under the [MIT license](LICENSE). -All contributions to this project will be released under the CC0 -dedication. By submitting a pull request, you are agreeing to comply -with this waiver of copyright interest. +All contributions to this project will be released under the same MIT license. +By submitting a pull request, you are agreeing to comply with this waiver of +copyright interest. diff --git a/README.md b/README.md index 18a8638..395842c 100644 --- a/README.md +++ b/README.md 
@@ -146,19 +146,19 @@ WeeWX](https://weewx.com/docs.html) that they support. > is compatible with your saved data, and prevents inadvertent upgrades to a new > major version. -| Image:tag | Description | -|-----------|-------------| -|`felddy/weewx:5`| The most recent image matching the major version number. Most users will use this tag. | -|`felddy/weewx:5.1`| The most recent image matching the major and minor version numbers. | -|`felddy/weewx:5.1.0`| An exact image version. | +| Image:tag | Description | +| -------------------- | --------------------------------------------------------------------------------------- | +| `felddy/weewx:5` | The most recent image matching the major version number. Most users will use this tag. | +| `felddy/weewx:5.1` | The most recent image matching the major and minor version numbers. | +| `felddy/weewx:5.1.0` | An exact image version. | See the [tags tab](https://hub.docker.com/r/felddy/weewx/tags) on Docker Hub for a list of all the supported tags. ## Volumes ## -| Mount point | Purpose | -|-------------|----------------| +| Mount point | Purpose | +| ----------- | ------------------------------------------------------------------------------------------------- | | `/data` | [WeeWX root](https://weewx.com/docs/5.1/usersguide/where/#location-of-weewx-components) directory | ## Building from source ##