
Commit 8584d91

author
mcdonnnj
committed
Merge https://github.com/cisagov/skeleton-docker into lineage/skeleton
# Conflicts: # .github/dependabot.yml # Dockerfile
2 parents cb7fd41 + 1ea8a3f commit 8584d91

9 files changed

+232
-79
lines changed

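--- a/.bandit.yml
+++ b/.bandit.yml
@@ -3,7 +3,7 @@
 # https://bandit.readthedocs.io/en/latest/config.html
 
 # Tests are first included by `tests`, and then excluded by `skips`.
-# If `tests` is empty, all tests are are considered included.
+# If `tests` is empty, all tests are considered included.
 
 tests:
 # - B101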

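--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,26 +5,27 @@
 # these updates when the pull request(s) in the appropriate skeleton are merged
 # and Lineage processes these changes.
 
-version: 2
 updates:
-- package-ecosystem: "docker"
-directory: "/"
+- directory: /
+package-ecosystem: docker
 schedule:
-interval: "weekly"
+interval: weekly
 
-- package-ecosystem: "github-actions"
-directory: "/"
-schedule:
-interval: "weekly"
+- directory: /
 ignore:
 # Managed by cisagov/skeleton-generic
 - dependency-name: actions/cache
 - dependency-name: actions/checkout
 - dependency-name: actions/setup-go
 - dependency-name: actions/setup-python
+- dependency-name: crazy-max/ghaction-dump-context
+- dependency-name: crazy-max/ghaction-github-labeler
+- dependency-name: crazy-max/ghaction-github-status
 - dependency-name: hashicorp/setup-terraform
 - dependency-name: mxschmitt/action-tmate
+- dependency-name: step-security/harden-runner
 # Managed by cisagov/skeleton-docker
+<<<<<<< HEAD
 - dependency-name: actions/download-artifact
 - dependency-name: actions/github-script
 - dependency-name: actions/upload-artifact
@@ -36,10 +37,27 @@ updates:
 
 - package-ecosystem: "pip"
 directory: "/"
+=======
+# - dependency-name: actions/download-artifact
+# - dependency-name: actions/github-script
+# - dependency-name: actions/upload-artifact
+# - dependency-name: docker/build-push-action
+# - dependency-name: docker/login-action
+# - dependency-name: docker/setup-buildx-action
+# - dependency-name: docker/setup-qemu-action
+# - dependency-name: github/codeql-action
+package-ecosystem: github-actions
+>>>>>>> 1ea8a3fa98e790d66f8d5e10375f73c5be4d5fd5
 schedule:
-interval: "weekly"
+interval: weekly
 
-- package-ecosystem: "terraform"
-directory: "/"
+- directory: /
+package-ecosystem: pip
+schedule:
+interval: weekly
+
+- directory: /
+package-ecosystem: terraform
 schedule:
-interval: "weekly"
+interval: weekly
+version: 2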
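Review bot: The merged dependabot.yml still carries the conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> 1ea8a3fa98e790d66f8d5e10375f73c5be4d5fd5` (new lines 28, 40 and 50), so the file is not valid YAML and Dependabot will reject the whole configuration, including every `ignore` entry, until they are removed. Both sides of the skeleton-docker ignore list survived: HEAD's uncommented actions/download-artifact, actions/github-script and actions/upload-artifact entries, and the incoming commented-out block that additionally names docker/build-push-action, docker/login-action, docker/setup-buildx-action, docker/setup-qemu-action and github/codeql-action. The old `- package-ecosystem: "pip"` / `directory: "/"` pair is also kept as context at new lines 38–39 next to the new pip entry added at new lines 54–55, so once the markers are gone the github-actions entry still has the wrong shape and pip is listed twice. The commit message names this file as conflicted, but the resolution was not committed. If this repository is downstream of skeleton-docker (the block's comment suggests the entries are managed there), the github-actions entry would resolve to the shape below; confirm which side should win before applying it.
```yaml
  - directory: /
    ignore:
      # … unchanged: entries managed by cisagov/skeleton-generic …
      # Managed by cisagov/skeleton-docker
      - dependency-name: actions/download-artifact
      - dependency-name: actions/github-script
      - dependency-name: actions/upload-artifact
      - dependency-name: docker/build-push-action
      - dependency-name: docker/login-action
      - dependency-name: docker/setup-buildx-action
      - dependency-name: docker/setup-qemu-action
      - dependency-name: github/codeql-action
    package-ecosystem: github-actions
    schedule:
      interval: weekly
  # … unchanged: pip and terraform entries, then version: 2 …
```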

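--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -35,15 +35,39 @@ env:
 RUN_TMATE: ${{ secrets.RUN_TMATE }}
 
 jobs:
+diagnostics:
+name: Run diagnostics
+runs-on: ubuntu-latest
+steps:
+# Note that a duplicate of this step must be added at the top of
+# each job.
+- id: harden-runner
+name: Harden the runner
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+- id: github-status
+name: Check GitHub status
+uses: crazy-max/ghaction-github-status@v3
+- id: dump-context
+name: Dump context
+uses: crazy-max/ghaction-dump-context@v2
 lint:
 # Checks out the source and runs pre-commit hooks. Detects coding errors
 # and style deviations.
-name: "Lint sources"
+name: Lint sources
+needs:
+- diagnostics
 runs-on: ubuntu-latest
 steps:
+- id: harden-runner
+name: Harden the runner
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
 - id: setup-env
 uses: cisagov/setup-env-github-action@develop
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
 - id: setup-python
 uses: actions/setup-python@v4
 with:
@@ -104,11 +128,26 @@ jobs:
 - uses: hashicorp/setup-terraform@v2
 with:
 terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
+- name: Install go-critic
+env:
+PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
+PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
+run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+- name: Install gosec
+env:
+PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
+PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
+run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install shfmt
 env:
 PACKAGE_URL: mvdan.cc/sh/v3/cmd/shfmt
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.shfmt-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
+- name: Install staticcheck
+env:
+PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
+PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
+run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install Terraform-docs
 env:
 PACKAGE_URL: github.com/terraform-docs/terraform-docs
@@ -166,15 +205,22 @@ jobs:
 # with the value specified by the user.
 #
 # Scheduled builds are tagged with `:nightly`.
-name: "Prepare build variables"
-runs-on: ubuntu-latest
+name: Prepare build variables
+needs:
+- diagnostics
 outputs:
 created: ${{ steps.prep.outputs.created }}
 repometa: ${{ steps.repo.outputs.result }}
 source_version: ${{ steps.prep.outputs.source_version }}
 tags: ${{ steps.prep.outputs.tags }}
+runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v3
+- id: harden-runner
+name: Harden the runner
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+- uses: actions/checkout@v4
 - name: Gather repository metadata
 id: repo
 uses: actions/github-script@v6
@@ -228,16 +274,23 @@ jobs:
 build:
 # Builds a single test image for the native platform. This image is saved
 # as an artifact and loaded by the test job.
-name: "Build test image"
+name: Build test image
+needs:
+- diagnostics
+- prepare
 runs-on: ubuntu-latest
-needs: [prepare]
 steps:
+- id: harden-runner
+name: Harden the runner
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
 - name: Checkout
-uses: actions/checkout@v3
+uses: actions/checkout@v4
 - name: Set up QEMU
-uses: docker/setup-qemu-action@v2
+uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v2
+uses: docker/setup-buildx-action@v3
 - name: Cache Docker layers
 uses: actions/cache@v3
 env:
@@ -298,11 +351,18 @@ jobs:
 if: env.RUN_TMATE
 test:
 # Executes tests on the single-platform image created in the "build" job.
-name: "Test image"
+name: Test image
+needs:
+- diagnostics
+- build
 runs-on: ubuntu-latest
-needs: [build]
 steps:
-- uses: actions/checkout@v3
+- id: harden-runner
+name: Harden the runner
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+- uses: actions/checkout@v4
 - id: setup-python
 uses: actions/setup-python@v4
 with:
@@ -344,32 +404,41 @@ jobs:
 # GitHub Container Registry. The contents of README.md are pushed as the
 # image's description to Docker Hub. This job is skipped when the
 # triggering event is a pull request.
-name: "Build and push all platforms"
-runs-on: ubuntu-latest
-needs: [lint, prepare, test]
 if: github.event_name != 'pull_request'
+name: Build and push all platforms
+needs:
+- diagnostics
+- lint
+- prepare
+- test
 # When Dependabot creates a PR it requires this permission in
 # order to push Docker images to ghcr.io.
 permissions:
 packages: write
+runs-on: ubuntu-latest
 steps:
+- id: harden-runner
+name: Harden the runner
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
 - name: Login to Docker Hub
-uses: docker/login-action@v2
+uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
 - name: Login to GitHub Container Registry
-uses: docker/login-action@v2
+uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Checkout
-uses: actions/checkout@v3
+uses: actions/checkout@v4
 - name: Set up QEMU
-uses: docker/setup-qemu-action@v2
+uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v2
+uses: docker/setup-buildx-action@v3
 - name: Cache Docker layers
 uses: actions/cache@v3
 env: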
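Review bot: Every `harden-runner` step added at the top of the jobs runs with `egress-policy: audit`, which only records outbound connections and blocks nothing, and nothing in the workflow says that this is meant as a first step; the same configuration is repeated in codeql-analysis.yml. Audit is the right starting point, but the protection comes from later switching to `egress-policy: block` with an `allowed-endpoints` list built from the audit output, and the "Build and push all platforms" job, which handles `DOCKER_PASSWORD` and `GITHUB_TOKEN` right after the step, is the one that gains the most from that. A comment above the step would keep the setting from being read as final: `# audit only: records egress, blocks nothing; move to block + allowed-endpoints once the required endpoints are known`. The actions are referenced by mutable major-version tags (`@v2`, `@v4`); pinning them to commit SHAs, as the harden-runner project recommends, is the companion change, though it may be a skeleton-wide convention decided elsewhere.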

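--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -4,7 +4,7 @@
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
-name: "CodeQL"
+name: CodeQL
 
 on:
 push:
@@ -20,8 +20,27 @@ on:
 - cron: '0 21 * * 6'
 
 jobs:
+diagnostics:
+name: Run diagnostics
+runs-on: ubuntu-latest
+steps:
+# Note that a duplicate of this step must be added at the top of
+# each job.
+- id: harden-runner
+name: Harden the runner
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+- id: github-status
+name: Check GitHub status
+uses: crazy-max/ghaction-github-status@v3
+- id: dump-context
+name: Dump context
+uses: crazy-max/ghaction-dump-context@v2
 analyze:
 name: Analyze
+needs:
+- diagnostics
 runs-on: ubuntu-latest
 permissions:
 # required for all workflows
@@ -37,8 +56,14 @@ jobs:
 # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
 
 steps:
+- id: harden-runner
+name: Harden the runner
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - name: Checkout repository
-uses: actions/checkout@v3
+uses: actions/checkout@v4
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL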

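--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -19,10 +19,10 @@ jobs:
 issues: write
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
 - name: Sync repository labels
 if: success()
-uses: crazy-max/ghaction-github-labeler@v4
+uses: crazy-max/ghaction-github-labeler@v5
 with:
 # This is a hideous ternary equivalent so we only do a dry run unless
 # this workflow is triggered by the develop branch.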
