Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

⚠️ CONFLICT! Lineage pull request for: skeleton #31

Merged
merged 17 commits into from
Nov 4, 2024
Merged

⚠️ CONFLICT! Lineage pull request for: skeleton #31

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
942c0dc
Add a new trigger for the sync-labels GitHub Actions workflow
mcdonnnj Aug 13, 2024
a267662
Remove unnecessary quotes in the sync-labels workflow
mcdonnnj Aug 13, 2024
dc7f09e
Add four new hooks from pre-commit/pre-commit-hooks
mcdonnnj Sep 14, 2024
343d2cc
Add the GitHubSecurityLab/actions-permissions/monitor Action
mcdonnnj Oct 28, 2024
8a77a8b
Restrict permissions of GITHUB_TOKEN
mcdonnnj Oct 28, 2024
3b1d4ef
Update pre-commit hook versions
mcdonnnj Oct 16, 2024
1d285f2
Sort hook ids in each pre-commit hook entry
mcdonnnj Oct 29, 2024
5da1059
Merge pull request #189 from cisagov/improvement/manually_run_sync-la…
mcdonnnj Oct 30, 2024
ff221ba
Merge pull request #190 from cisagov/improvement/add_actions-permissi…
mcdonnnj Oct 30, 2024
971602a
Merge pull request #191 from cisagov/improvement/github_tokenn_polp
mcdonnnj Oct 30, 2024
bdf8a25
Merge pull request #192 from cisagov/maintenance/update_pre-commit_hooks
mcdonnnj Oct 30, 2024
6959971
Merge pull request #193 from cisagov/improvement/add_more_pre-commit_…
mcdonnnj Oct 30, 2024
f517db7
Merge pull request #194 from cisagov/improvement/ensure_pre-commit_ho…
mcdonnnj Oct 30, 2024
8824475
Update the commented out dependabot ignore directives
mcdonnnj Nov 1, 2024
e6afb68
Merge pull request #195 from cisagov/bug/add_missing_dependabot_ignore
mcdonnnj Nov 1, 2024
4b72879
Merge github.com:cisagov/skeleton-generic into lineage/skeleton
mcdonnnj Nov 2, 2024
13e13a6
Enable new dependabot ignore directives
mcdonnnj Nov 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,12 @@ updates:
- dependency-name: actions/checkout
- dependency-name: actions/setup-go
- dependency-name: actions/setup-python
- dependency-name: cisagov/setup-env-github-action
- dependency-name: crazy-max/ghaction-dump-context
- dependency-name: crazy-max/ghaction-github-labeler
- dependency-name: crazy-max/ghaction-github-status
- dependency-name: GitHubSecurityLab/actions-permissions
- dependency-name: hashicorp/setup-packer
- dependency-name: hashicorp/setup-terraform
- dependency-name: mxschmitt/action-tmate
- dependency-name: step-security/harden-runner
Expand Down
15 changes: 15 additions & 0 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,18 @@ env:
jobs:
diagnostics:
name: Run diagnostics
# This job does not need any permissions
permissions: {}
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
Expand All @@ -48,8 +56,15 @@ jobs:
lint:
needs:
- diagnostics
permissions:
# actions/checkout needs this to fetch code
contents: read
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
Expand Down
17 changes: 15 additions & 2 deletions .github/workflows/sync-labels.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,19 +4,28 @@ name: sync-labels
on:
push:
paths:
- '.github/labels.yml'
- '.github/workflows/sync-labels.yml'
- .github/labels.yml
- .github/workflows/sync-labels.yml
workflow_dispatch:

permissions:
contents: read

jobs:
diagnostics:
name: Run diagnostics
# This job does not need any permissions
permissions: {}
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
# Note that a duplicate of this step must be added at the top of
# each job.
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
Expand All @@ -38,6 +47,10 @@ jobs:
issues: write
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/monitor@v1
with:
# Uses the organization variable unless overridden
config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- id: harden-runner
name: Harden the runner
uses: step-security/harden-runner@v2
Expand Down
44 changes: 24 additions & 20 deletions .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,15 +10,19 @@ repos:
- id: check-useless-excludes

- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
rev: v5.0.0
hooks:
- id: check-case-conflict
- id: check-executables-have-shebangs
- id: check-json
- id: check-merge-conflict
- id: check-shebang-scripts-are-executable
- id: check-symlinks
- id: check-toml
- id: check-vcs-permalinks
- id: check-xml
- id: debug-statements
- id: destroyed-symlinks
- id: detect-aws-credentials
args:
- --allow-missing-credentials
Expand Down Expand Up @@ -53,40 +57,40 @@ repos:

# GitHub Actions hooks
- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.29.2
rev: 0.29.4
hooks:
- id: check-github-actions
- id: check-github-workflows

# pre-commit hooks
- repo: https://github.com/pre-commit/pre-commit
rev: v3.8.0
rev: v4.0.1
hooks:
- id: validate_manifest

# Go hooks
- repo: https://github.com/TekWizely/pre-commit-golang
rev: v1.0.0-rc.1
hooks:
# Style Checkers
- id: go-critic
# StaticCheck
- id: go-staticcheck-repo-mod
# Go Build
- id: go-build-repo-mod
# Style Checkers
- id: go-critic
# goimports
- id: go-imports-repo
args:
# Write changes to files
- -w
# Go Mod Tidy
- id: go-mod-tidy-repo
# GoSec
- id: go-sec-repo-mod
# StaticCheck
- id: go-staticcheck-repo-mod
# Go Test
- id: go-test-repo-mod
# Go Vet
- id: go-vet-repo-mod
# GoSec
- id: go-sec-repo-mod
# goimports
- id: go-imports-repo
args:
# Write changes to files
- -w
# Nix hooks
- repo: https://github.com/nix-community/nixpkgs-fmt
rev: v1.3.0
Expand All @@ -95,7 +99,7 @@ repos:

# Shell script hooks
- repo: https://github.com/scop/pre-commit-shfmt
rev: v3.9.0-1
rev: v3.10.0-1
hooks:
- id: shfmt
args:
Expand Down Expand Up @@ -125,7 +129,7 @@ repos:
args:
- --config=.bandit.yml
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 24.8.0
rev: 24.10.0
hooks:
- id: black
- repo: https://github.com/PyCQA/flake8
Expand All @@ -139,7 +143,7 @@ repos:
hooks:
- id: isort
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.11.2
rev: v1.13.0
hooks:
- id: mypy
- repo: https://github.com/pypa/pip-audit
Expand All @@ -155,7 +159,7 @@ repos:
- --requirement
- requirements.txt
- repo: https://github.com/asottile/pyupgrade
rev: v3.17.0
rev: v3.19.0
hooks:
- id: pyupgrade

Expand Down Expand Up @@ -199,7 +203,7 @@ repos:

# Packer hooks
- repo: https://github.com/cisagov/pre-commit-packer
rev: v0.1.0
rev: v0.3.0
hooks:
- id: packer_validate
- id: packer_fmt
- id: packer_validate