
⚠️ CONFLICT! Lineage pull request for: skeleton #224


Merged (41 commits, Jul 13, 2025)

Conversation

cisagovbot

@cisagovbot cisagovbot commented Jul 2, 2025

Lineage Pull Request: CONFLICT

Achtung!!!

Lineage has created this pull request to incorporate new changes found in an upstream repository:

Upstream repository: https://github.com/cisagov/skeleton-docker.git
Remote branch: HEAD

Check the changes in this pull request to ensure they won't cause issues with your project.

The lineage/skeleton branch has one or more unresolved merge conflicts that you must resolve before merging this pull request!

How to resolve the conflicts

  1. Take ownership of this pull request by removing any other assignees.

  2. Clone the repository locally, and reapply the merge:

    git clone git@github.com:cisagov/code-gov-update.git code-gov-update
    cd code-gov-update
    git remote add skeleton https://github.com/cisagov/skeleton-docker.git
    git remote set-url --push skeleton no_push
    git switch develop
    git switch --create lineage/skeleton --track origin/develop
    git pull skeleton HEAD
    git status

  3. Review the changes displayed by the status command. Fix any conflicts and possibly incorrect auto-merges.

  4. After resolving each of the conflicts, add your changes to the branch, commit, and push your changes:

    git add .github/dependabot.yml .github/workflows/build.yml Dockerfile README.md src/Pipfile src/Pipfile.lock src/version.txt 
    git commit
    git push --force --set-upstream origin lineage/skeleton

    Note that you may append to the default merge commit message that git creates for you, but please do not delete the existing content. It provides useful information about the merge that is being performed.

  5. Wait for all the automated tests to pass.

  6. Confirm each item in the "Pre-approval checklist" below.

  7. Remove any of the checklist items that do not apply.

  8. Ensure every remaining checkbox has been checked.

  9. Mark this draft pull request "Ready for review".

✅ Pre-approval checklist

Remove any of the following that do not apply. If you're unsure about any of these, don't hesitate to ask. We're here to help!

  • ✌️ The conflicts in this pull request have been resolved.
  • All relevant type-of-change labels have been added.
  • All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
  • All new and existing tests pass.
  • Bump major, minor, patch, pre-release, and/or build versions as appropriate via the bump_version script if this repository is versioned and the changes in this PR warrant a version bump.

✅ Pre-merge checklist

Remove any of the following that do not apply. These boxes should remain unchecked until the pull request has been approved.

  • Add the new GitHub Actions jobs to the required checks.

✅ Post-merge checklist

  • Create a pre-release (necessary if and only if the pre-release version was bumped).

Note

You are seeing this because one of this repository's maintainers has configured Lineage to open pull requests.

For more information:

🛠 Lineage configurations for this project are stored in .github/lineage.yml

📚 Read more about Lineage

jsf9k and others added 21 commits May 7, 2025 14:10
Version 25.4.0 is the first version to support Fedora 42 in the
Ansible YAML metadata schema.
…sible-lint

Upgrade to the latest version of the `ansible-lint` `pre-commit` hook
This includes updating the Pipfile configuration to reflect the
updated Python version.
Bump the following Python packages installed in the Dockerfile:
- pip from 25.0.1 to 25.1.1
- pipenv from 2024.4.1 to 2025.0.3
- setuptools from 75.8.0 to 80.9.0
Update the dependencies installed in the Python virtual environment by
running `pipenv lock` in the `src/` directory.
Pipenv has deprecated the `pipenv check` command and un-vendored the
safety package that is used to check Python dependencies. Additionally
the safety package itself has moved to a model that requires the use of
an API key to function. With these changes in mind we remove the use of
`pipenv check` from the Dockerfile configuration.
Version 25.4.0 is the first version to support Fedora 42 in the
Ansible YAML metadata schema.
This reusable workflow will provide the image name and supported image
platforms as outputs. This will allow us to access this information in
any other workflow while storing this information in a centralized
location.
Now that we have a reusable workflow for repository metadata we should
use it where appropriate.
Also fix the order of the keys for the `output-repo-metadata` job.
…in_one_place

Store repository metadata in a reusable workflow
Lineage pull request for: skeleton
Move the job that updates the description for the image on Docker Hub
into its own workflow. This will ensure it only runs if the README is
updated on the `develop` branch without any special logic.
…cription_as_separate_workflow

Move GitHub Actions job into its own workflow
Since a Docker image is available for this platform there is no reason
not to support it in our builds.
…x-386_platform

Add support for the `linux/386` platform
@cisagovbot cisagovbot added the upstream update label (This issue or pull request pulls in upstream updates) Jul 2, 2025
Lineage pull request for: skeleton
@mcdonnnj mcdonnnj closed this Jul 2, 2025
@mcdonnnj mcdonnnj force-pushed the lineage/skeleton branch from dd170b4 to 418816e on July 2, 2025 15:03
@mcdonnnj mcdonnnj reopened this Jul 2, 2025
@jsf9k jsf9k unassigned dav3r Jul 2, 2025
mcdonnnj added 4 commits July 9, 2025 17:57
Capitalize Docker in comments, step names, etc. in the `build` workflow
since it is a proper noun in that context.
In places that are not documenting command line usage we capitalize
Docker Compose since it is a proper noun.
Scan the Docker image for vulnerabilities at build time
@mcdonnnj mcdonnnj force-pushed the lineage/skeleton branch 3 times, most recently from bd8339d to 305d02f on July 11, 2025 17:51
mcdonnnj added 5 commits July 11, 2025 14:54
This includes updating system package versions that are installed,
updating the image tag used in the build-stage to mirror both the new
version of Alpine Linux as well as match the version of Python with the
new system package version, and updating the Pipfile to match the new
versions of Python and any system Python packages used.
Update the dependencies installed in the Python virtual environment by
running `pipenv lock` in the `src/` directory.
@mcdonnnj mcdonnnj added the labels documentation (This issue or pull request improves or adds to documentation), improvement (This issue or pull request will add or improve functionality, maintainability, or ease of use) and security (This issue or pull request addresses a security issue) Jul 11, 2025
@mcdonnnj mcdonnnj requested review from a team and Copilot July 11, 2025 19:19
@mcdonnnj mcdonnnj marked this pull request as ready for review July 11, 2025 19:19

@Copilot Copilot AI left a comment


Pull Request Overview

This PR updates the project to release candidate 0.3.0-rc.6, refreshes base images and key dependencies, and adds automated vulnerability scanning and Docker Hub description updates.

  • Bump project version from 0.3.0-rc.5 to 0.3.0-rc.6 and refresh Python/Alpine package versions
  • Introduce a Trivy configuration file and integrate a vulnerability scan job in CI
  • Add a workflow to automatically update the Docker Hub description on README changes

Reviewed Changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated no comments.

Summary per file (file: description):

  • trivy.yml: Add Trivy config to fail on high/critical vulnerabilities
  • src/version.txt: Bump version to 0.3.0-rc.6
  • src/Pipfile: Upgrade cryptography and Python full version
  • README.md: Update badges and version references to 0.3.0-rc.6, add platforms
  • Dockerfile: Bump Alpine/Python base images and system package versions
  • .pre-commit-config.yaml: Update Ansible Lint to v25.4.0
  • .github/workflows/update-dockerhub-description.yml: New workflow to sync README to Docker Hub description
  • .github/workflows/build.yml: Refactor build workflow: add metadata job, scan job, separate build/push steps
  • .github/workflows/_repo-metadata.yml: New reusable workflow to expose image name/platforms metadata
  • .github/dependabot.yml: Add Trivy and Dockerhub-description to Dependabot updates

Comments suppressed due to low confidence (2)

.github/workflows/build.yml:409

  • The Trivy action step does not reference the custom trivy.yml file, so your severity filter and exit-code settings won’t be applied. Add config-file: trivy.yml under with: to ensure the scanner uses your configuration.
      - name: Run Trivy vulnerability scanner

trivy.yml:1

  • By default Trivy looks for a file named .trivy.yaml. Consider renaming trivy.yml to .trivy.yaml or explicitly pass config-file: trivy.yml in the action step so your rules are loaded.
---


@jsf9k jsf9k left a comment


I have a couple of minor questions, but nothing that should hold up this PR. Potent work!

Also, please have a look at Copilot's suppressed comments and make sure that it didn't catch something there.

@mcdonnnj

> I have a couple of minor questions, but nothing that should hold up this PR. Potent work!
>
> Also, please have a look at Copilot's suppressed comments and make sure that it didn't catch something there.

Yes, I did check those comments. The config-file argument is not required, and I verified with the trivy command's help the default configuration path:

  -c, --config string             config path (default "trivy.yaml")

I think Copilot was doing a bit of hallucination based on other tools commonly using a dotfile for configuration.

@mcdonnnj mcdonnnj merged commit 3cab4fb into develop Jul 13, 2025
27 checks passed
@mcdonnnj mcdonnnj deleted the lineage/skeleton branch July 13, 2025 20:06