Merge pull request #33 from cisagov/lineage/skeleton

⚠️ CONFLICT! Lineage pull request for: skeleton

Author: jsf9k

.bandit.yml

@@ -18,7 +18,7 @@ dependencies:
           # Add any dependency files used.
           - .pre-commit-config.yaml
           - requirements*.txt
-          - setup.py
+          - pyproject.toml
 docker:
   - changed-files:
       - any-glob-to-any-file:
@@ -45,6 +45,14 @@ python:
   - changed-files:
       - any-glob-to-any-file:
           - "**/*.py"
+shell script:
+  - changed-files:
+      - any-glob-to-any-file:
+          # If this project has any shell scripts that do not end in the ".sh"
+          # extension, add them below.
+          - "**/*.sh"
+          - bump-version
+          - setup-env
 terraform:
   - changed-files:
       - any-glob-to-any-file:
@@ -54,12 +62,9 @@ test:
       - any-glob-to-any-file:
           # Add any test-related files or paths.
           - .ansible-lint
-          - .bandit.yml
-          - .flake8
-          - .isort.cfg
           - .mdl_config.yaml
           - .yamllint
-          - pytest.ini
+          - pyproject.toml
           - tests/**
 typescript:
   - changed-files:

.flake8

@@ -2,7 +2,7 @@
 # Rather than breaking up descriptions into multiline strings we disable that
 # specific rule in yamllint for this file.
 # yamllint disable rule:line-length
-- color: f15a53
+- color: ff5850
   description: Pull requests that update Ansible code
   name: ansible
 - color: eb6420
@@ -20,7 +20,7 @@
 - color: 0366d6
   description: Pull requests that update a dependency file
   name: dependencies
-- color: 2497ed
+- color: 1d63ed
   description: Pull requests that update Docker code
   name: docker
 - color: 5319e7
@@ -47,7 +47,7 @@
 - color: fef2c0
   description: This issue or pull request is not applicable, incorrect, or obsolete
   name: invalid
-- color: f1d642
+- color: f0db4f
   description: Pull requests that update JavaScript code
   name: javascript
 - color: ce099a
@@ -62,7 +62,7 @@
 - color: 02a8ef
   description: Pull requests that update Packer code
   name: packer
-- color: 3772a4
+- color: 3776ab
   description: Pull requests that update Python code
   name: python
 - color: ef476c
@@ -71,13 +71,16 @@
 - color: d73a4a
   description: This issue or pull request addresses a security issue
   name: security
+- color: 4eaa25
+  description: Pull requests that update shell scripts
+  name: shell script
 - color: 7b42bc
   description: Pull requests that update Terraform code
   name: terraform
 - color: 00008b
   description: This issue or pull request adds or otherwise modifies test code
   name: test
-- color: 2b6ebf
+- color: 2678c5
   description: Pull requests that update TypeScript code
   name: typescript
 - color: 1d76db

.github/labeler.yml

@@ -219,7 +219,6 @@ jobs:
           - ubuntu-latest
           - windows-latest
         python-version:
-          - "3.9"
           - "3.10"
           - "3.11"
           - "3.12"
@@ -347,7 +346,6 @@ jobs:
       fail-fast: false
       matrix:
         python-version:
-          - "3.9"
           - "3.10"
           - "3.11"
           - "3.12"
@@ -406,7 +404,7 @@ jobs:
       - name: Build artifacts
         run: python -m build
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: dist-${{ matrix.python-version }}
           path: dist
@@ -433,7 +431,6 @@ jobs:
           - ubuntu-latest
           - windows-latest
         python-version:
-          - "3.9"
           - "3.10"
           - "3.11"
           - "3.12"
@@ -487,7 +484,7 @@ jobs:
           restore-keys: |
             ${{ env.BASE_CACHE_KEY }}
       - name: Retrieve the built wheel
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: dist-${{ matrix.python-version }}
           path: dist

.github/labels.yml

@@ -118,15 +118,15 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
 
       # Autobuild attempts to build any compiled languages (C/C++, C#, or
       # Java). If this step fails, then you should remove it and run the build
       # manually (see below).
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -140,4 +140,4 @@ jobs:
       #     make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4

.github/workflows/build.yml

@@ -59,7 +59,6 @@ jobs:
     permissions:
       # Permissions required by actions/labeler
       contents: read
-      issues: write
       pull-requests: write
     runs-on: ubuntu-latest
     steps:

.github/workflows/codeql-analysis.yml

@@ -9,4 +9,5 @@ __pycache__
 .pytest_cache
 .python-version
 *.egg-info
+build
 dist

.github/workflows/label-prs.yml

@@ -63,20 +63,20 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.33.3
+    rev: 0.35.0
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v4.3.0
+    rev: v4.4.0
     hooks:
       - id: validate_manifest
 
   # Go hooks
   - repo: https://github.com/TekWizely/pre-commit-golang
-    rev: v1.0.0-rc.2
+    rev: v1.0.0-rc.4
     hooks:
       # Go Build
       - id: go-build-repo-mod
@@ -130,22 +130,24 @@ repos:
   # Python hooks
   # Run bandit on the "tests" tree with a configuration
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.8.6
+    rev: 1.9.1
     hooks:
       - id: bandit
         name: bandit (tests tree)
         files: tests
         args:
-          - --config=.bandit.yml
+          # Skip "assert used" check since assertions are used
+          # frequently in pytests.
+          - --skip=B101
   # Run bandit on everything except the "tests" tree
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.8.6
+    rev: 1.9.1
     hooks:
       - id: bandit
         name: bandit (everything else)
         exclude: tests
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 25.1.0
+    rev: 25.11.0
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -154,20 +156,22 @@ repos:
       - id: flake8
         additional_dependencies:
           - flake8-docstrings==1.7.0
+          # This is necessary to read the flake8 configuration from
+          # the pyproject.toml file.
+          - flake8-pyproject==1.2.3
   - repo: https://github.com/PyCQA/isort
-    rev: 6.0.1
+    rev: 7.0.0
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.18.1
+    rev: v1.18.2
     hooks:
       - id: mypy
         # IMPORTANT: Keep type hinting-related dependencies of the
         # mypy pre-commit hook additional_dependencies in sync with
         # the dev section of setup.py to avoid discrepancies in type
         # checking between environments.
-        additional_dependencies:
-          - types-setuptools
+        additional_dependencies: []
   - repo: https://github.com/pypa/pip-audit
     rev: v2.9.0
     hooks:
@@ -181,13 +185,13 @@ repos:
           - --requirement
           - requirements.txt
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.20.0
+    rev: v3.21.1
     hooks:
       - id: pyupgrade
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v25.9.0
+    rev: v25.11.0
     hooks:
       - id: ansible-lint
         additional_dependencies:
@@ -231,7 +235,7 @@ repos:
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.100.0
+    rev: v1.103.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate