Merge branch 'master' into dependabot/github_actions/dot-github/workflows/master/ossf/scorecard-action-6622d322b30ed8cdd77455e4af0bddb2b735325c

reactive-firewall · reactive-firewall · commit 39ee4ccdf06b · 2024-11-19T13:14:15.000-08:00
diff --git a/.appveyor.yml b/.appveyor.yml
@@ -1,3 +1,4 @@
+---
 version: 1.0.{build}
 branches:
   only:
diff --git a/.bandit.yml b/.bandit.yml
@@ -1,4 +1,5 @@
 # .bandit.yml
+---
 # Strict configuration for Bandit to enforce comprehensive security checks.
 
 # Define the directories to exclude from scanning.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,3 +1,4 @@
+---
 version: 2.1
 jobs:
   build:
@@ -177,7 +178,7 @@ jobs:
           shell: /bin/bash
           name: "check code style and spelling"
           command: |
-            make test-style || python3 -m flake8 --ignore=W191,W391,E117 --max-line-length=100 --verbose --count --config=.flake8.ini --max-complexity=10
+            make test-style || python3 -m flake8 --verbose --count --config=.flake8.ini
       - run:
           shell: /bin/bash
           name: "clean up when done"
diff --git a/.codecov.yml b/.codecov.yml
@@ -1,3 +1,4 @@
+---
 codecov:
   notify:
     wait_for_ci: true
@@ -15,7 +16,7 @@ coverage:
   round: nearest
   status:
     changes: false
-    default_rules:
+    default_rules:  # yamllint disable-line rule:truthy
       flag_coverage_not_uploaded_behavior: include
     patch: true
     project:
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
@@ -1,4 +1,5 @@
 # .coderabbit.yaml
+---
 language: en
 early_access: true
 enable_free_tier: true
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -2,11 +2,11 @@
 # package ecosystems to update and where the package manifests are located.
 # Please see the documentation for all configuration options:
 # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
+---
 version: 2
 updates:
-  - package-ecosystem: "pip" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: "pip"  # See documentation for possible values
+    directory: "/"  # Location of package manifests
     milestone: 1
     target-branch: "master"
     versioning-strategy: increase-if-necessary
@@ -41,8 +41,8 @@ updates:
     schedule:
       interval: "weekly"
       day: "tuesday"
-  - package-ecosystem: "pip" # See documentation for possible values
-    directory: "tests/" # Location of package manifests
+  - package-ecosystem: "pip"  # See documentation for possible values
+    directory: "tests/"  # Location of package manifests
     target-branch: "master"
     versioning-strategy: increase-if-necessary
     # Labels on pull requests for version updates only
@@ -96,8 +96,8 @@ updates:
     schedule:
       interval: "weekly"
       day: "tuesday"
-  - package-ecosystem: "github-actions" # See documentation for possible values
-    directory: ".github/workflows/" # Location of package manifests
+  - package-ecosystem: "github-actions"  # See documentation for possible values
+    directory: ".github/workflows/"  # Location of package manifests
     milestone: 1
     target-branch: "master"
     rebase-strategy: "disabled"
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -1,3 +1,5 @@
+# .github/labler.yml
+---
 # Add 'Multicast' label to any root file changes
 Multicast:
   - changed-files:
diff --git a/.github/workflows/Labeler.yml b/.github/workflows/Labeler.yml
@@ -1,5 +1,6 @@
+---
 name: "Pull Request Labeler"
-on:
+on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [opened, reopened]
     branches: ["master", "stable"]
diff --git a/.github/workflows/Tests.yml b/.github/workflows/Tests.yml
@@ -1,3 +1,4 @@
+---
 name: CI
 on:  # yamllint disable-line rule:truthy
   push:
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
@@ -9,7 +9,7 @@
 
 # https://github.com/marketplace/actions/python-bandit-scan is ISC licensed
 # https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
-
+---
 name: Bandit
 on:  # yamllint disable-line rule:truthy
   push:
@@ -23,9 +23,9 @@ permissions: {}
 jobs:
   bandit:
     permissions:
-      contents: read # for actions/checkout to fetch code
+      contents: read  # for actions/checkout to fetch code
       statuses: write
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
@@ -34,20 +34,24 @@ jobs:
           persist-credentials: false
       - name: Bandit Scan
         uses: reactive-firewall/python-bandit-scan@v2.1
-        with: # optional arguments
+        with:  # optional arguments
           # exit with 0, even with results found
-          # exit_zero: false # optional, default is DEFAULT
+          # exit_zero: false  # optional, default is DEFAULT
           # Github token of the repository (automatically created by Github)
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information.
           # File or directory to run bandit on
-          path: "." # optional, default is .
-          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          # level: MEDIUM # optional, default is UNDEFINED
-          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          confidence: LOW # optional, default is UNDEFINED
-          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
-          # excluded_paths: # optional, default is DEFAULT
+          path: "."  # optional, default is .
+          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH.
+          #  Default is UNDEFINED (everything)
+          # level: MEDIUM  # optional, default is UNDEFINED
+          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH.
+          #  Default is UNDEFINED (everything)
+          confidence: LOW  # optional, default is UNDEFINED
+          # comma-separated list of paths (glob patterns supported) to exclude from scan
+          #  (note that these are in addition to the excluded paths provided in the config file)
+          #  (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
+          # excluded_paths:  # optional, default is DEFAULT
           # comma-separated list of test IDs to skip
-          # skips: # optional, default is DEFAULT
+          # skips:  # optional, default is DEFAULT
           # path to a .bandit file that supplies command line arguments
-          # ini_path: # optional, default is DEFAULT
+          # ini_path:  # optional, default is DEFAULT
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -9,9 +9,9 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
+---
 name: "CodeQL"
-
-on:
+on:  # yamllint disable-line rule:truthy
   push:
     branches: ["master", "stable"]
   pull_request:
@@ -64,9 +64,9 @@ jobs:
     #    and modify them (or add more) to build your code if your project
     #    uses a compiled language
 
-    #- run: |
-    #   make bootstrap
-    #   make release
+    # - run: |
+    #    make bootstrap
+    #    make release
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/makefile-lint.yml b/.github/workflows/makefile-lint.yml
@@ -25,37 +25,37 @@ jobs:
           sudo apt-get update || exit 1
           sudo apt-get install -y yamllint golang-go pandoc || exit 1
           ERR_MSG_STUB="Go installation failed."
-          ERR_DETAILS="file=.github/workflow/makefile-lint.yml,line=25,endLine=30,title=FAILURE"
+          ERR_DETAILS="file=.github/workflows/makefile-lint.yml,line=25,endLine=30,title=FAILURE"
           ERR_MSG_LINE="::error ${ERR_DETAILS}::ERROR ${ERR_MSG_STUB}"
           go version || { printf "%s\n" "${ERR_MSG_LINE}"; exit 1; }
       - name: Lint Workflow YAML
         if: ${{ success() }}
         run: |
-          yamllint -f github --no-warnings .github/workflows/makefile-lint.yml
+          yamllint ${{ vars.YAML_ARGS }} .github/workflows/makefile-lint.yml
       - uses: actions/checkout@v4
       - name: Install checkmake
         if: ${{ success() }}
         env:
           BUILDER_NAME: "makefile-lint"
           BUILDER_EMAIL: "no-reply@localhost"
         run: |
-          git clone --depth 1 --branch v0.2.2 https://github.com/mrtazz/checkmake.git checkmake
+          git clone --depth 1 --branch 0.2.2 https://github.com/mrtazz/checkmake.git checkmake
           cd checkmake
           EXPECTED_SHA="48ab7819837d1bdfcbac58e301478a06efebf4a8" # v0.2.2
           ACTUAL_SHA=$(git rev-parse HEAD)
           if [ "$EXPECTED_SHA" != "$ACTUAL_SHA" ]; then
             ERR_MSG_STUB="Checkmake repository hash verification failed."
-            ERR_DETAILS="file=.github/workflow/makefile-lint.yml,line=42,endLine=51,title=FAILURE"
+            ERR_DETAILS="file=.github/workflows/makefile-lint.yml,line=42,endLine=51,title=FAILURE"
             ERR_MSG_LINE="::error ${ERR_DETAILS}::ERROR ${ERR_MSG_STUB}"
             printf "%s\n" "${ERR_MSG_LINE}"
             exit 1;
           fi
           make || { \
             ERR_MSG_STUB="Checkmake build failed." \
-            ERR_DETS="file=.github/workflow/makefile-lint.yml,line=52,endLine=57,title=FAILURE" \
+            ERR_DETS="file=.github/workflows/makefile-lint.yml,line=52,endLine=57,title=FAILURE" \
             ERR_MSG_LINE="::error ${ERR_DETS}::ERROR ${ERR_MSG_STUB}" \
             printf "%s\n" "${ERR_MSG_LINE}" \
-            exit 1; \
+            exit 1 \
              ;}
           cd ..
       - name: Get makefiles Files
@@ -80,16 +80,16 @@ jobs:
           if [ ! -x "$TOOL_PATH" ]; then
             { \
             ERR_MSG_STUB="$TOOL_PATH not found or not executable." \
-            ERR_DETS="file=.github/workflow/makefile-lint.yml,line=79,endLine=88,title=FAILURE" \
+            ERR_DETS="file=.github/workflows/makefile-lint.yml,line=79,endLine=88,title=FAILURE" \
             ERR_MSG_LINE="::error ${ERR_DETS}::ERROR ${ERR_MSG_STUB}" \
             printf "%s\n" "${ERR_MSG_LINE}" \
-            exit 1; \
+            exit 1 \
             ;}
           fi
           FILE="${{ steps.makefiles.outputs.files }}" ;
           printf "::group::%s\n" "${FILE}" ;
           ERR_MSG_STUB="Linting failed."
-          ERR_DETS="file=.github/workflow/makefile-lint.yml,line=89,endLine=97,title=FAILURE"
+          ERR_DETS="file=.github/workflows/makefile-lint.yml,line=89,endLine=97,title=FAILURE"
           ERR_MSG_LINE="::error ${ERR_DETS}::ERROR ${ERR_MSG_STUB}"
           "$TOOL_PATH" "${FILE}" || { printf "%s\n" "${ERR_MSG_LINE}"; exit 1; } ;
           printf "::endgroup::\n" ; unset FILE 2>/dev/null || true ;
diff --git a/.github/workflows/markdown-lint.yml b/.github/workflows/markdown-lint.yml
@@ -26,13 +26,13 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y yamllint npm
           ERR_MSG_STUB="yamllint installation failed."
-          ERR_DETAILS="file=.github/workflow/markdown-lint.yml,line=26,endLine=31,title=FAILURE"
+          ERR_DETAILS="file=.github/workflows/markdown-lint.yml,line=26,endLine=31,title=FAILURE"
           ERR_MSG_LINE="::error ${ERR_DETAILS}::ERROR ${ERR_MSG_STUB}"
           yamllint --version || { printf "%s\n" "${ERR_MSG_LINE}"; exit 1; }
 
       - name: Lint Workflow YAML
         run: |
-          yamllint -f github --no-warnings .github/workflows/markdown-lint.yml
+          yamllint ${{ vars.YAML_ARGS }} .github/workflows/markdown-lint.yml
 
       - name: Install NPM Dependencies
         run: |
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -1,5 +1,6 @@
+---
 name: Scorecards supply-chain security
-on:
+on:  # yamllint disable-line rule:truthy
   # Only the default branch is supported.
   branch_protection_rule:
   schedule:
@@ -21,12 +22,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@6622d322b30ed8cdd77455e4af0bddb2b735325c # v2.4.0+deps
+        uses: ossf/scorecard-action@6622d322b30ed8cdd77455e4af0bddb2b735325c  # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -41,14 +42,14 @@ jobs:
 
       # Upload the results as artifacts (optional).
       - name: "Upload artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # v4.4.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # v3.27.0
+        uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe  # v3.27
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/yaml-lint.yml b/.github/workflows/yaml-lint.yml
@@ -15,6 +15,9 @@ jobs:
       contents: read
       statuses: write
     runs-on: ubuntu-latest
+    env:
+      YAML_ARGS: ${{ vars.YAML_ARGS }}
+      GIT_MATCH_PATTERN: "*.yaml *.yml **/*.yml ./.circleci/*.yml ./.github/**/*.yml"
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -32,7 +35,7 @@ jobs:
         id: yamlfiles
         shell: bash
         run: |
-          FILES=$(git ls-files --exclude-standard -- *.yaml *.yml **/*.yml ./.circleci/*.yml ./.github/**/*.yml )
+          FILES=$(git ls-files --exclude-standard -- ${{ env.GIT_MATCH_PATTERN }} )
           if [ -z "$FILES" ]; then
             printf "%s\n" "No YAML files found."
             printf "%s\n" "files=" >> "$GITHUB_OUTPUT"
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
@@ -1,4 +1,5 @@
 # .markdownlint.yaml
+---
 # extends: markdownlint:recommended
 
 MD001: true   # Enforce proper heading increments
@@ -10,7 +11,7 @@ MD013:  # Disable line length rule for flexibility
   line_length: 100
   code_blocks: false
   tables: false
-MD033: false  # Allow inline HTML if needed
+MD033: true  # Allow inline HTML if needed
 MD034: false  # Allow bare URLs
 
 # Customizations
diff --git a/.readthedocs.yaml b/.readthedocs.yaml
@@ -1,7 +1,7 @@
 # .readthedocs.yaml
 # Read the Docs configuration file
 # See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
-
+---
 # Required
 version: 2
 
diff --git a/docs/FAQ.md b/docs/FAQ.md
diff --git a/tests/__init__.py b/tests/__init__.py
diff --git a/tests/check_pip b/tests/check_pip

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+---`
`1`	`2`	`version: 1.0.{build}`
`2`	`3`	`branches:`
`3`	`4`	`only:`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`# .bandit.yml`
	`2`	`+---`
`2`	`3`	`# Strict configuration for Bandit to enforce comprehensive security checks.`
`3`	`4`
`4`	`5`	`# Define the directories to exclude from scanning.`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`# .coderabbit.yaml`
	`2`	`+---`
`2`	`3`	`language: en`
`3`	`4`	`early_access: true`
`4`	`5`	`enable_free_tier: true`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+# .github/labler.yml`
	`2`	`+---`
`1`	`3`	`# Add 'Multicast' label to any root file changes`
`2`	`4`	`Multicast:`
`3`	`5`	`- changed-files:`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+---`
`1`	`2`	`name: CI`
`2`	`3`	`on: # yamllint disable-line rule:truthy`
`3`	`4`	`push:`