cisagov
diff --git a/‎.github/dependabot.yml
+5 b/‎.github/dependabot.yml
+5
diff --git a/‎.github/labels.yml
+73 b/‎.github/labels.yml
+73
diff --git a/‎.github/workflows/build.yml
+19-19 b/‎.github/workflows/build.yml
+19-19
diff --git a/‎.github/workflows/codeql-analysis.yml
+20-22 b/‎.github/workflows/codeql-analysis.yml
+20-22
diff --git a/‎.github/workflows/sync-labels.yml
+29 b/‎.github/workflows/sync-labels.yml
+29
diff --git a/‎.lgtm.yml
-8 b/‎.lgtm.yml
-8
@@ -17,9 +17,13 @@ updates:
     schedule:
       interval: "weekly"
     ignore:
+      # Managed by cisagov/skeleton-generic
       - dependency-name: actions/cache
       - dependency-name: actions/checkout
+      - dependency-name: actions/setup-go
       - dependency-name: actions/setup-python
+      - dependency-name: hashicorp/setup-terraform
+      - dependency-name: mxschmitt/action-tmate
       # Managed by cisagov/skeleton-docker
       - dependency-name: actions/download-artifact
       - dependency-name: actions/github-script
@@ -28,6 +32,7 @@ updates:
       - dependency-name: docker/login-action
       - dependency-name: docker/setup-buildx-action
       - dependency-name: docker/setup-qemu-action
+      - dependency-name: github/codeql-action
 
   - package-ecosystem: "pip"
     directory: "/"
 
@@ -0,0 +1,73 @@
+---
+# Rather than breaking up descriptions into multiline strings we disable that
+# specific rule in yamllint for this file.
+# yamllint disable rule:line-length
+- color: "eb6420"
+  description: This issue or pull request is awaiting the outcome of another issue or pull request
+  name: blocked
+- color: "000000"
+  description: This issue or pull request involves changes to existing functionality
+  name: breaking change
+- color: "d73a4a"
+  description: This issue or pull request addresses broken functionality
+  name: bug
+- color: "07648d"
+  description: This issue will be advertised on code.gov's Open Tasks page (https://code.gov/open-tasks)
+  name: code.gov
+- color: "0366d6"
+  description: Pull requests that update a dependency file
+  name: dependencies
+- color: "2497ed"
+  description: Pull requests that update Docker code
+  name: docker
+- color: "5319e7"
+  description: This issue or pull request improves or adds to documentation
+  name: documentation
+- color: "cfd3d7"
+  description: This issue or pull request already exists or is covered in another issue or pull request
+  name: duplicate
+- color: "b005bc"
+  description: A high-level objective issue encompassing multiple issues instead of a specific unit of work
+  name: epic
+- color: "000000"
+  description: Pull requests that update GitHub Actions code
+  name: github-actions
+- color: "0e8a16"
+  description: This issue or pull request is well-defined and good for newcomers
+  name: good first issue
+- color: "ff7518"
+  description: Pull request that should count toward Hacktoberfest participation
+  name: hacktoberfest-accepted
+- color: "a2eeef"
+  description: This issue or pull request will add or improve functionality, maintainability, or ease of use
+  name: improvement
+- color: "fef2c0"
+  description: This issue or pull request is not applicable, incorrect, or obsolete
+  name: invalid
+- color: "ce099a"
+  description: This pull request is ready to merge during the next Lineage Kraken release
+  name: kraken 🐙
+- color: "a4fc5d"
+  description: This issue or pull request requires further information
+  name: need info
+- color: "fcdb45"
+  description: This pull request is awaiting an action or decision to move forward
+  name: on hold
+- color: "ef476c"
+  description: This issue is a request for information or needs discussion
+  name: question
+- color: "d73a4a"
+  description: This issue or pull request addresses a security issue
+  name: security
+- color: "00008b"
+  description: This issue or pull request adds or otherwise modifies test code
+  name: test
+- color: "1d76db"
+  description: This issue or pull request pulls in upstream updates
+  name: upstream update
+- color: "d4c5f9"
+  description: This issue or pull request increments the version number
+  name: version bump
+- color: "ffffff"
+  description: This issue will not be incorporated
+  name: wontfix
@@ -44,28 +44,24 @@ jobs:
         uses: cisagov/setup-env-github-action@develop
       - uses: actions/checkout@v3
       - id: setup-python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: "3.10"
       # We need the Go version and Go cache location for the actions/cache step,
       # so the Go installation must happen before that.
-      - uses: actions/setup-go@v2
+      - id: setup-go
+        uses: actions/setup-go@v3
         with:
-          go-version: "1.16"
-      - name: Store installed Go version
-        id: go-version
-        run: |
-          echo "::set-output name=version::"\
-          "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')"
+          go-version: "1.19"
       - name: Lookup Go cache directory
         id: go-cache
         run: |
-          echo "::set-output name=dir::$(go env GOCACHE)"
+          echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
       - uses: actions/cache@v3
         env:
           BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
             py${{ steps.setup-python.outputs.python-version }}-\
-            go${{ steps.go-version.outputs.version }}-\
+            go${{ steps.setup-go.outputs.go-version }}-\
             packer${{ steps.setup-env.outputs.packer-version }}-\
             tf${{ steps.setup-env.outputs.terraform-version }}-"
         with:
@@ -101,7 +97,7 @@ jobs:
             ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}"
           sudo mv /usr/local/bin/packer /usr/local/bin/packer-default
           sudo ln -s /opt/packer/packer /usr/local/bin/packer
-      - uses: hashicorp/setup-terraform@v1
+      - uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
       - name: Install shfmt
@@ -177,7 +173,7 @@ jobs:
       - uses: actions/checkout@v3
       - name: Gather repository metadata
         id: repo
-        uses: actions/github-script@v5
+        uses: actions/github-script@v6
         with:
           script: |
             const repo = await github.rest.repos.get(context.repo)
@@ -218,9 +214,9 @@ jobs:
           do
             TAGS="${TAGS},ghcr.io/${i}"
           done
-          echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
-          echo ::set-output name=source_version::$(./bump_version.sh show)
-          echo ::set-output name=tags::${TAGS}
+          echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "source_version=$(./bump_version.sh show)" >> $GITHUB_OUTPUT
+          echo "tags=${TAGS}" >> $GITHUB_OUTPUT
           echo tags=${TAGS}
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
@@ -251,7 +247,7 @@ jobs:
         run: mkdir -p dist
       - name: Build image
         id: docker_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           build-args: |
             VERSION=${{ needs.prepare.outputs.source_version }}
@@ -304,9 +300,9 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - id: setup-python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
-          python-version: 3.9
+          python-version: "3.10"
       - name: Cache testing environments
         uses: actions/cache@v3
         env:
@@ -348,6 +344,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: [lint, prepare, test]
     if: github.event_name != 'pull_request'
+    # When Dependabot creates a PR it requires this permission in
+    # order to push Docker images to ghcr.io.
+    permissions:
+      packages: write
     steps:
       - name: Login to Docker Hub
         uses: docker/login-action@v2
@@ -379,7 +379,7 @@ jobs:
         run: ./buildx-dockerfile.sh
       - name: Build and push platform images to registries
         id: docker_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           build-args: |
             VERSION=${{ needs.prepare.outputs.source_version }}
 
@@ -1,5 +1,4 @@
 ---
-
 # For most projects, this workflow file will not need changing; you simply need
 # to commit it to your repository.
 #
@@ -11,59 +10,58 @@ on:
   push:
     # Dependabot triggered push events have read-only access, but uploading code
     # scanning requires write access.
-    branches-ignore: [dependabot/**]
+    branches-ignore:
+      - dependabot/**
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [develop]
+    branches:
+      - develop
   schedule:
     - cron: '0 21 * * 6'
 
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
-
+    permissions:
+      # required for all workflows
+      security-events: write
     strategy:
       fail-fast: false
       matrix:
         # Override automatic language detection by changing the below list
-        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript',
-        # 'python']
-        language: ['python']
+        # Supported options are go, javascript, csharp, python, cpp, and java
+        language:
+          - python
         # Learn more...
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
         with:
           languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a
-          # config file. By default, queries listed here will override any
-          # specified in a config file. Prefix the list here with "+" to use
-          # these queries and those in the config file. queries:
-          # ./path/to/local/query, your-org/your-repo/queries@main
 
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or
+      # Autobuild attempts to build any compiled languages (C/C++, C#, or
       # Java). If this step fails, then you should remove it and run the build
-      # manually (see below)
+      # manually (see below).
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
 
       # ✏️ If the Autobuild fails above, remove it and uncomment the following
-      # three lines and modify them (or add more) to build your code if your
-      # project uses a compiled language
+      #    three lines and modify them (or add more) to build your code if your
+      #    project uses a compiled language
 
       # - run: |
-      #   make bootstrap
-      #   make release
+      #     make bootstrap
+      #     make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2
@@ -0,0 +1,29 @@
+---
+name: sync-labels
+
+on:
+  push:
+    paths:
+      - '.github/labels.yml'
+      - '.github/workflows/sync-labels.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  labeler:
+    permissions:
+      # actions/checkout needs this to fetch code
+      contents: read
+      # crazy-max/ghaction-github-labeler needs this to manage repository labels
+      issues: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Sync repository labels
+        if: success()
+        uses: crazy-max/ghaction-github-labeler@v4
+        with:
+          # This is a hideous ternary equivalent so we only do a dry run unless
+          # this workflow is triggered by the develop branch.
+          dry-run: ${{ github.ref_name == 'develop' && 'false' || 'true' }}