⚠️ CONFLICT! Lineage pull request for: skeleton #224
Conversation
Version 25.4.0 is the first version to support Fedora 42 in the Ansible YAML metadata schema.
…sible-lint Upgrade to the latest version of the `ansible-lint` `pre-commit` hook
This includes updating the Pipfile configuration to reflect the updated Python version.
Bump the following Python packages installed in the Dockerfile:
- pip from 25.0.1 to 25.1.1
- pipenv from 2024.4.1 to 2025.0.3
- setuptools from 75.8.0 to 80.9.0
Update the dependencies installed in the Python virtual environment by running `pipenv lock` in the `src/` directory.
Pipenv has deprecated the `pipenv check` command and un-vendored the safety package that is used to check Python dependencies. Additionally, the safety package itself has moved to a model that requires the use of an API key to function. With these changes in mind, we remove the use of `pipenv check` from the Dockerfile configuration.
Update Docker image dependencies
This reusable workflow will provide the image name and supported image platforms as outputs. This will allow us to access this information in any other workflow while storing this information in a centralized location.
Now that we have a reusable workflow for repository metadata we should use it where appropriate.
Also fix the order of the keys for the `output-repo-metadata` job.
…in_one_place Store repository metadata in a reusable workflow
Lineage pull request for: skeleton
Move the job that updates the description for the image on Docker Hub into its own workflow. This will ensure it only runs if the README is updated on the `develop` branch without any special logic.
…cription_as_separate_workflow Move GitHub Actions job into its own workflow
Since a Docker image is available for this platform there is no reason not to support it in our builds.
…x-386_platform Add support for the `linux/386` platform
Lineage pull request for: skeleton
dd170b4 to 418816e
Capitalize Docker in comments, step names, etc. in the `build` workflow since it is a proper noun in that context.
In places that are not documenting command line usage we capitalize Docker Compose since it is a proper noun.
Scan the Docker image for vulnerabilities at build time
Correct the case for mentions of Docker
bd8339d to 305d02f
This includes updating system package versions that are installed, updating the image tag used in the build-stage to mirror both the new version of Alpine Linux as well as match the version of Python with the new system package version, and updating the Pipfile to match the new versions of Python and any system Python packages used.
Update the dependencies installed in the Python virtual environment by running `pipenv lock` in the `src/` directory.
305d02f to f41e500
Pull Request Overview
This PR updates the project to release candidate 0.3.0-rc.6, refreshes base images and key dependencies, and adds automated vulnerability scanning and Docker Hub description updates.
- Bump project version from 0.3.0-rc.5 to 0.3.0-rc.6 and refresh Python/Alpine package versions
- Introduce a Trivy configuration file and integrate a vulnerability scan job in CI
- Add a workflow to automatically update the Docker Hub description on README changes
Reviewed Changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| trivy.yml | Add Trivy config to fail on high/critical vulnerabilities |
| src/version.txt | Bump version to 0.3.0-rc.6 |
| src/Pipfile | Upgrade cryptography and Python full version |
| README.md | Update badges and version references to 0.3.0-rc.6, add platforms |
| Dockerfile | Bump Alpine/Python base images and system package versions |
| .pre-commit-config.yaml | Update Ansible Lint to v25.4.0 |
| .github/workflows/update-dockerhub-description.yml | New workflow to sync README to Docker Hub description |
| .github/workflows/build.yml | Refactor build workflow: add metadata job, scan job, separate build/push steps |
| .github/workflows/_repo-metadata.yml | New reusable workflow to expose image name/platforms metadata |
| .github/dependabot.yml | Add Trivy and Dockerhub-description to Dependabot updates |
Comments suppressed due to low confidence (2)
.github/workflows/build.yml:409
- The Trivy action step does not reference the custom `trivy.yml` file, so your severity filter and exit-code settings won't be applied. Add `config-file: trivy.yml` under `with:` to ensure the scanner uses your configuration.
  `- name: Run Trivy vulnerability scanner`
trivy.yml:1
- By default Trivy looks for a file named `.trivy.yaml`. Consider renaming `trivy.yml` to `.trivy.yaml` or explicitly pass `config-file: trivy.yml` in the action step so your rules are loaded.
---
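As an added illustration, not code from this repository, from Lineage, or from the Copilot review above, the three pieces discussed in this PR fit together as follows: a reusable workflow that computes the image name and platforms once and exposes them as outputs (the "Store repository metadata in a reusable workflow" commit), a caller job in `build.yml` that consumes those outputs to scan the built image with Trivy, and a Trivy config that fails the job on HIGH/CRITICAL findings. The image name `example/app`, the platform list, the step ids, the `trivy-action` version tag, and the `trivy-config` input name (the documented input of `aquasecurity/trivy-action` for pointing at a config file) are assumptions for the illustration, not values taken from this PR.

```yaml
# --- .github/workflows/_repo-metadata.yml (illustrative, not the project's file) ---
# Reusable workflow: compute image metadata once and expose it as outputs so
# every calling workflow reads the same values from one place.
name: repo-metadata
on:
  workflow_call:
    outputs:
      image_name:
        description: "Docker image name (constructed value for this example)"
        value: ${{ jobs.metadata.outputs.image_name }}
      platforms:
        description: "Comma-separated list of image platforms"
        value: ${{ jobs.metadata.outputs.platforms }}

jobs:
  metadata:
    runs-on: ubuntu-latest
    outputs:
      image_name: ${{ steps.meta.outputs.image_name }}
      platforms: ${{ steps.meta.outputs.platforms }}
    steps:
      - id: meta
        # Both values are constructed for the example; a real project sets its own.
        run: |
          echo "image_name=example/app" >> "$GITHUB_OUTPUT"
          echo "platforms=linux/amd64,linux/arm64,linux/386" >> "$GITHUB_OUTPUT"

---
# --- .github/workflows/build.yml (excerpt, illustrative) ---
name: build
on:
  push:
  pull_request:

jobs:
  repo-metadata:
    # Call the reusable workflow; its outputs become needs.repo-metadata.outputs.*
    uses: ./.github/workflows/_repo-metadata.yml

  scan:
    needs: [repo-metadata]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build a single-platform image into the local daemon for scanning
        run: docker build -t "${{ needs.repo-metadata.outputs.image_name }}:scan" .
      - name: Run Trivy vulnerability scanner
        # Pin to a release tag or commit SHA you have verified; 0.28.0 is an assumed tag.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: "${{ needs.repo-metadata.outputs.image_name }}:scan"
          # Explicit path so the severity/exit-code rules in trivy.yml are loaded.
          trivy-config: trivy.yml

---
# --- trivy.yml (illustrative) ---
# Report only HIGH and CRITICAL findings and exit non-zero when any are present,
# which makes the scan job fail and blocks the image from being pushed.
severity:
  - HIGH
  - CRITICAL
exit-code: 1
```

Trivy also reads a file named `trivy.yaml` from the working directory without an explicit path, so either an explicit `trivy-config` path or that default filename works; the check worth doing once is to confirm the scan job actually exits non-zero when the configured severity threshold is hit, since a config file that is silently ignored leaves the pipeline reporting findings without blocking on them.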
I have a couple of minor questions, but nothing that should hold up this PR. Potent work!
Also, please have a look at Copilot's suppressed comments and make sure that it didn't catch something there.
Yes I did check those comments. The
I think Copilot was doing a bit of hallucination based on other tools commonly using a dotfile for configuration.
Lineage Pull Request: CONFLICT
Lineage has created this pull request to incorporate new changes found in an upstream repository:
Upstream repository: https://github.com/cisagov/skeleton-docker.git
Remote branch: HEAD
Check the changes in this pull request to ensure they won't cause issues with your project.
The `lineage/skeleton` branch has one or more unresolved merge conflicts that you must resolve before merging this pull request!
How to resolve the conflicts
Take ownership of this pull request by removing any other assignees.
Clone the repository locally, and reapply the merge:
Review the changes displayed by the `status` command. Fix any conflicts and possibly incorrect auto-merges.
After resolving each of the conflicts, `add` your changes to the branch, `commit`, and `push` your changes:
Note that you may append to the default merge commit message that git creates for you, but please do not delete the existing content. It provides useful information about the merge that is being performed.
Wait for all the automated tests to pass.
Confirm each item in the "Pre-approval checklist" below.
Remove any of the checklist items that do not apply.
Ensure every remaining checkbox has been checked.
Mark this draft pull request "Ready for review".
✅ Pre-approval checklist
Remove any of the following that do not apply. If you're unsure about any of these, don't hesitate to ask. We're here to help!
`bump_version` script if this repository is versioned and the changes in this PR warrant a version bump.
✅ Pre-merge checklist
Remove any of the following that do not apply. These boxes should remain unchecked until the pull request has been approved.
✅ Post-merge checklist
Note
You are seeing this because one of this repository's maintainers has configured Lineage to open pull requests.
For more information:
🛠 Lineage configurations for this project are stored in `.github/lineage.yml`
📚 Read more about Lineage