From 816d175d5f63a41c32347c6dff38219e5e01aba2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Mar 2026 20:23:46 +0000 Subject: [PATCH 01/24] Bump crazy-max/ghaction-github-labeler from 5 to 6 Bumps [crazy-max/ghaction-github-labeler](https://github.com/crazy-max/ghaction-github-labeler) from 5 to 6. - [Release notes](https://github.com/crazy-max/ghaction-github-labeler/releases) - [Commits](https://github.com/crazy-max/ghaction-github-labeler/compare/v5...v6) --- updated-dependencies: - dependency-name: crazy-max/ghaction-github-labeler dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/sync-labels.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index f60bc84..a8d01be 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -87,7 +87,7 @@ jobs: - uses: actions/checkout@v6 - name: Sync repository labels if: success() - uses: crazy-max/ghaction-github-labeler@v5 + uses: crazy-max/ghaction-github-labeler@v6 with: # This is a hideous ternary equivalent so we only do a dry run unless # this workflow is triggered by the develop branch. From 3d2fe82f2d0276635346e3a0807fc5974982b8c9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Mar 2026 20:23:54 +0000 Subject: [PATCH 02/24] Bump hashicorp/setup-terraform from 3 to 4 Bumps [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) from 3 to 4. - [Release notes](https://github.com/hashicorp/setup-terraform/releases) - [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/setup-terraform/compare/v3...v4) --- updated-dependencies: - dependency-name: hashicorp/setup-terraform dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fddf200..a72c6be 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -149,7 +149,7 @@ jobs: - uses: hashicorp/setup-packer@v3 with: version: ${{ steps.setup-env.outputs.packer-version }} - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 with: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - name: Install go-critic From 2c37bcc1885b61bd610baa19cc964eab28e41c24 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 30 Aug 2021 10:47:57 -0400 Subject: [PATCH 03/24] Add E203 to ignore list for flake8 This warning contradicts the Black style so it must be ignored. --- .flake8 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.flake8 b/.flake8 index 92ff826..16008d5 100644 --- a/.flake8 +++ b/.flake8 
@@ -14,6 +14,9 @@ max-line-length = 80 # * The B950 flake8-bugbear opinionated warning - # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings select = C,D,E,F,W,B,B950 +# Ignore flake8's default warning about whitespace before ':' because Black +# enforces an equal amount of whitespace around slice operators (':'). +# # Ignore flake8's default warning about maximum line length, which has # a hard stop at the configured value. Instead we use # flake8-bugbear's B950, which allows up to 10% overage. @@ -22,4 +25,4 @@ select = C,D,E,F,W,B,B950 # operators. It no longer agrees with PEP8. See, for example, here: # https://github.com/ambv/black/issues/21. Guido agrees here: # https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b. -ignore = E501,W503 +ignore = E203,E501,W503 From 0f44a77f21e91b0c5f2f58b5e3aacb9d1f3e8145 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 30 Aug 2021 10:54:59 -0400 Subject: [PATCH 04/24] Reformat .flake8 configuration Make the ignore commenting consistent with the select commenting. Break up each comment/directive with an empty line. --- .flake8 | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/.flake8 b/.flake8 index 16008d5..677c14c 100644 --- a/.flake8 +++ b/.flake8 @@ -1,5 +1,6 @@ [flake8] max-line-length = 80 + # Select (turn on) # * Complexity violations reported by mccabe (C) - # http://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes 
@@ -14,15 +15,16 @@ max-line-length = 80 # * The B950 flake8-bugbear opinionated warning - # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings select = C,D,E,F,W,B,B950 -# Ignore flake8's default warning about whitespace before ':' because Black -# enforces an equal amount of whitespace around slice operators (':'). -# -# Ignore flake8's default warning about maximum line length, which has -# a hard stop at the configured value. Instead we use -# flake8-bugbear's B950, which allows up to 10% overage. -# -# Also ignore flake8's warning about line breaks before binary -# operators. It no longer agrees with PEP8. See, for example, here: -# https://github.com/ambv/black/issues/21. Guido agrees here: -# https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b. + +# Ignore +# * flake8's default warning about whitespace before ':' because Black enforces +# an equal amount of whitespace around slice operators (':'). +# * flake8's default warning about maximum line length, which has a hard stop +# at the configured value. Instead we use flake8-bugbear's B950, which +# allows up to 10% overage. +# * flake8's warning about line breaks before binary operators. It no longer +# agrees with PEP8. See, for example, here: +# https://github.com/ambv/black/issues/21 +# Guido agrees here: +# https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b ignore = E203,E501,W503 From 57ce57378b3937b31e1d1814518a0fe266d0f7e9 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 30 Aug 2021 10:59:03 -0400 Subject: [PATCH 05/24] Add the flake8-bugbear plugin This adds the flake8-bugbear plugin to our pre-commit configuration. Note that flake8 is already configured to use this plugin's warnings. --- .pre-commit-config.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9a10fe9..4309a71 100644 --- a/.pre-commit-config.yaml 
+++ b/.pre-commit-config.yaml @@ -143,6 +143,7 @@ repos: hooks: - id: flake8 additional_dependencies: + - flake8-bugbear==25.11.29 - flake8-docstrings==1.7.0 - repo: https://github.com/PyCQA/isort rev: 8.0.0 From d1356e92d4fa278149ebb5ade8e51618573da00d Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 30 Aug 2021 11:15:42 -0400 Subject: [PATCH 06/24] Add dlint plugin for flake8 Add the dlint plugin to our flake8 configuration for pre-commit. Update the flake8 configuration to select these new warnings. --- .flake8 | 4 +++- .pre-commit-config.yaml | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.flake8 b/.flake8 index 677c14c..e5603eb 100644 --- a/.flake8 +++ b/.flake8 @@ -6,6 +6,8 @@ max-line-length = 80 # http://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes # * Documentation conventions compliance reported by pydocstyle (D) - # http://www.pydocstyle.org/en/stable/error_codes.html +# * Default errors and warnings reported by dlint (DUO) - +# https://github.com/dlint-py/dlint/tree/master/docs # * Default errors and warnings reported by pycodestyle (E and W) - # https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes # * Default errors reported by pyflakes (F) - @@ -14,7 +16,7 @@ max-line-length = 80 # https://github.com/PyCQA/flake8-bugbear#list-of-warnings # * The B950 flake8-bugbear opinionated warning - # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings -select = C,D,E,F,W,B,B950 +select = C,D,DUO,E,F,W,B,B950 # Ignore # * flake8's default warning about whitespace before ':' because Black enforces diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4309a71..bb100c5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -143,6 +143,7 @@ repos: hooks: - id: flake8 additional_dependencies: + - dlint==0.16.0 - flake8-bugbear==25.11.29 - flake8-docstrings==1.7.0 - repo: https://github.com/PyCQA/isort 
From 0fd325635f0b007bbcb3ce1e2470980163f4e662 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 30 Aug 2021 11:38:27 -0400 Subject: [PATCH 07/24] Add the flake8-noqa plugin for flake8 Add the flake8-noqa plugin to the flake8 portion of our pre-commit configuration. Update the flake8 configuration to select these new warnings. --- .flake8 | 4 +++- .pre-commit-config.yaml | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.flake8 b/.flake8 index e5603eb..3a8f950 100644 --- a/.flake8 +++ b/.flake8 @@ -12,11 +12,13 @@ max-line-length = 80 # https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes # * Default errors reported by pyflakes (F) - # http://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes +# * Default errors and warnings reported by flake8-noqa (NQA) - +# https://github.com/plinss/flake8-noqa#error-codes # * Default warnings reported by flake8-bugbear (B) - # https://github.com/PyCQA/flake8-bugbear#list-of-warnings # * The B950 flake8-bugbear opinionated warning - # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings -select = C,D,DUO,E,F,W,B,B950 +select = C,D,DUO,E,F,NQA,W,B,B950 # Ignore # * flake8's default warning about whitespace before ':' because Black enforces diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index bb100c5..29963cf 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -146,6 +146,7 @@ repos: - dlint==0.16.0 - flake8-bugbear==25.11.29 - flake8-docstrings==1.7.0 + - flake8-noqa==1.5.0 - repo: https://github.com/PyCQA/isort rev: 8.0.0 hooks: From f3bf99fb1336519af559419b524733b3533cf8e9 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 30 Aug 2021 11:55:10 -0400 Subject: [PATCH 08/24] Add pep8-naming plugin for flake8 Add the pep8-naming plugin to the flake8 portion of our pre-commit configuration. Update the flake8 configuration to select these new warnings. --- .flake8 | 4 +++- .pre-commit-config.yaml | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.flake8 b/.flake8 index 3a8f950..8d3ab95 100644 --- a/.flake8 +++ b/.flake8 @@ -12,13 +12,15 @@ max-line-length = 80 # https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes # * Default errors reported by pyflakes (F) - # http://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes +# * Default errors and warnings reported by pep8-naming (N) - +# https://github.com/PyCQA/pep8-naming#error-codes # * Default errors and warnings reported by flake8-noqa (NQA) - # https://github.com/plinss/flake8-noqa#error-codes # * Default warnings reported by flake8-bugbear (B) - # https://github.com/PyCQA/flake8-bugbear#list-of-warnings # * The B950 flake8-bugbear opinionated warning - # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings -select = C,D,DUO,E,F,NQA,W,B,B950 +select = C,D,DUO,E,F,N,NQA,W,B,B950 # Ignore # * flake8's default warning about whitespace before ':' because Black enforces diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 29963cf..79a2874 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -147,6 +147,7 @@ repos: - flake8-bugbear==25.11.29 - flake8-docstrings==1.7.0 - flake8-noqa==1.5.0 + - pep8-naming==0.15.1 - repo: https://github.com/PyCQA/isort rev: 8.0.0 hooks: From b1503a090775baa5e6fad3893e51215ca74355a8 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 10 Mar 2026 16:48:03 -0400 Subject: [PATCH 09/24] Add flake8-comprehensions plugin for flake8 Add the flake8-comprehensions plugin to the flake8 portion of our pre-commit configuration. Update the flake8 configuration to select these new warnings. --- .flake8 | 4 +++- .pre-commit-config.yaml | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.flake8 b/.flake8 index 8d3ab95..bf6e896 100644 --- a/.flake8 +++ b/.flake8 @@ -4,6 +4,8 @@ max-line-length = 80 # Select (turn on) # * Complexity violations reported by mccabe (C) - # http://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes +# * Default errors and warnings reported by flake8-comprehensions (C4) - +# https://github.com/adamchainz/flake8-comprehensions#rules # * Documentation conventions compliance reported by pydocstyle (D) - # http://www.pydocstyle.org/en/stable/error_codes.html # * Default errors and warnings reported by dlint (DUO) - @@ -20,7 +22,7 @@ max-line-length = 80 # https://github.com/PyCQA/flake8-bugbear#list-of-warnings # * The B950 flake8-bugbear opinionated warning - # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings -select = C,D,DUO,E,F,N,NQA,W,B,B950 +select = C,C4,D,DUO,E,F,N,NQA,W,B,B950 # Ignore # * flake8's default warning about whitespace before ':' because Black enforces diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 79a2874..c0a4e61 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -145,6 +145,7 @@ repos: additional_dependencies: - dlint==0.16.0 - flake8-bugbear==25.11.29 + - flake8-comprehensions==3.17.0 - flake8-docstrings==1.7.0 - flake8-noqa==1.5.0 - pep8-naming==0.15.1 From 3056053a565e423585b52571420e0a68b9b3d09c Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 10 Mar 2026 17:23:02 -0400 Subject: [PATCH 10/24] Adjust flake8 configuration comment format When explaining the items selected or ignored in the configuration we now preface each line with the prefix/code it pertains to in the configuration. Also break apart the pycodestyle prefixes into their own lines. --- .flake8 | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/.flake8 b/.flake8 index bf6e896..d57a120 100644 --- a/.flake8 +++ b/.flake8 
@@ -2,35 +2,37 @@
 max-line-length = 80
 
 # Select (turn on)
-# * Complexity violations reported by mccabe (C) -
+# * C: Complexity violations reported by mccabe -
 # http://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes
-# * Default errors and warnings reported by flake8-comprehensions (C4) -
+# * C4: Default errors and warnings reported by flake8-comprehensions -
 # https://github.com/adamchainz/flake8-comprehensions#rules
-# * Documentation conventions compliance reported by pydocstyle (D) -
+# * D: Documentation conventions compliance reported by pydocstyle -
 # http://www.pydocstyle.org/en/stable/error_codes.html
-# * Default errors and warnings reported by dlint (DUO) -
+# * DUO: Default errors and warnings reported by dlint -
 # https://github.com/dlint-py/dlint/tree/master/docs
-# * Default errors and warnings reported by pycodestyle (E and W) -
+# * E: Default errors reported by pycodestyle -
 # https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes
-# * Default errors reported by pyflakes (F) -
+# * F: Default errors reported by pyflakes -
 # http://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes
-# * Default errors and warnings reported by pep8-naming (N) -
+# * N: Default errors and warnings reported by pep8-naming -
 # https://github.com/PyCQA/pep8-naming#error-codes
-# * Default errors and warnings reported by flake8-noqa (NQA) -
+# * NQA: Default errors and warnings reported by flake8-noqa -
 # https://github.com/plinss/flake8-noqa#error-codes
-# * Default warnings reported by flake8-bugbear (B) -
+# * W: Default warnings reported by pycodestyle -
+# https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes
+# * B: Default warnings reported by flake8-bugbear -
 # https://github.com/PyCQA/flake8-bugbear#list-of-warnings
-# * The B950 flake8-bugbear opinionated warning -
+# * B950: Bugbear opinionated warning for line too long -
 # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings
 select = 
C,C4,D,DUO,E,F,N,NQA,W,B,B950 # Ignore -# * flake8's default warning about whitespace before ':' because Black enforces +# * E203: flake8's default warning about whitespace before ':' because Black enforces # an equal amount of whitespace around slice operators (':'). -# * flake8's default warning about maximum line length, which has a hard stop +# * E501: flake8's default warning about maximum line length, which has a hard stop # at the configured value. Instead we use flake8-bugbear's B950, which # allows up to 10% overage. -# * flake8's warning about line breaks before binary operators. It no longer +# * W503: flake8's warning about line breaks before binary operators. It no longer # agrees with PEP8. See, for example, here: # https://github.com/ambv/black/issues/21 # Guido agrees here: From 2024429798e0c5bbc8608dc83ce9b86cbb1a7b02 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 10 Mar 2026 17:34:41 -0400 Subject: [PATCH 11/24] Install the `go-critic` command instead of `gocritic` The `go-critic` pre-commit hook from the TekWizely/pre-commit-golang repo expects the binary to be called `go-critic` now. As a result, the current tool installation in the `build.yml` workflow results in the following error when pre-commit is run in GitHub Actions: error: command not found: go-critic --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fddf200..1a95a03 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -154,7 +154,7 @@ jobs: terraform_version: ${{ steps.setup-env.outputs.terraform-version }} - name: Install go-critic env: - PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic + PACKAGE_URL: github.com/go-critic/go-critic/cmd/go-critic PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }} run: go install ${PACKAGE_URL}@${PACKAGE_VERSION} - name: Install goimports 
From ad4cd8092ae8f59804ab93014379d08a6168b66b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 10 Mar 2026 17:42:15 -0400 Subject: [PATCH 12/24] Remove the bandit configuration file The file is not used to configure anything bandit does by default so we can safely remove it and updated the pre-commit configuration. This is also acceptable because the configuration file has been removed downstream in cisagov/skeleton-python-library already. --- .bandit.yml | 13 ------------- .github/labeler.yml | 1 - .pre-commit-config.yaml | 2 -- 3 files changed, 16 deletions(-) delete mode 100644 .bandit.yml diff --git a/.bandit.yml b/.bandit.yml deleted file mode 100644 index ab3cb21..0000000 --- a/.bandit.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# Configuration file for the Bandit python security scanner -# https://bandit.readthedocs.io/en/latest/config.html - -# Tests are first included by `tests`, and then excluded by `skips`. -# If `tests` is empty, all tests are considered included. - -tests: -# - B101 -# - B102 - -skips: -# - B101 # skip "assert used" check since assertions are required in pytests diff --git a/.github/labeler.yml b/.github/labeler.yml index 05478bd..b720437 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -61,7 +61,6 @@ test: - any-glob-to-any-file: # Add any test-related files or paths. - .ansible-lint - - .bandit.yml - .flake8 - .isort.cfg - .mdl_config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9a10fe9..eabc1cb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -132,8 +132,6 @@ repos: rev: 1.9.3 hooks: - id: bandit - args: - - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror rev: 26.1.0 hooks: From 175c4101f52b2f9e5f62b0a246c8502b7af450be Mon Sep 17 00:00:00 2001 
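Review bot: The .pre-commit-config.yaml hunk drops `- --config=.bandit.yml` from the bandit hook, but PATCH 19 later in this series, which is also cut from parent 9a10fe9, still carries that same `--config=.bandit.yml` line as context under the bumped bandit hook, so whichever of the two lands second will either conflict or leave bandit pointing at a file this commit deletes. One of the two needs a rebase before the series is merged, or bandit will fail at hook run time on a missing configuration file. The removed .bandit.yml declared empty `tests` and `skips` lists with only commented-out entries, which supports the description's claim that deleting it does not change which bandit checks run.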
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 11 Mar 2026 14:44:22 -0400 Subject: [PATCH 13/24] Use `https://` instead of `http://` in referenced URLs Change two reference URLs in the flake8 configuration to use `https://` instead of `http://`. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .flake8 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.flake8 b/.flake8 index d57a120..e9f4859 100644 --- a/.flake8 +++ b/.flake8 @@ -3,7 +3,7 @@ max-line-length = 80 # Select (turn on) # * C: Complexity violations reported by mccabe - -# http://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes +# https://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes # * C4: Default errors and warnings reported by flake8-comprehensions - # https://github.com/adamchainz/flake8-comprehensions#rules # * D: Documentation conventions compliance reported by pydocstyle - @@ -13,7 +13,7 @@ max-line-length = 80 # * E: Default errors reported by pycodestyle - # https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes # * F: Default errors reported by pyflakes - -# http://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes +# https://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes # * N: Default errors and warnings reported by pep8-naming - # https://github.com/PyCQA/pep8-naming#error-codes # * NQA: Default errors and warnings reported by flake8-noqa - From a2e2621929d231eb65cf00994f3421df7059299b Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 11 Mar 2026 14:46:10 -0400 Subject: [PATCH 14/24] Update a reference URL Change a reference URL in the flake8 configuration because `pydocstyle.org` domain ownership appears to have lapsed. Instead point to the source file in the archived GitHub repository. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .flake8 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.flake8 b/.flake8 index e9f4859..b32c1f8 100644 --- a/.flake8 +++ b/.flake8 @@ -7,7 +7,7 @@ max-line-length = 80 # * C4: Default errors and warnings reported by flake8-comprehensions - # https://github.com/adamchainz/flake8-comprehensions#rules # * D: Documentation conventions compliance reported by pydocstyle - -# http://www.pydocstyle.org/en/stable/error_codes.html +# https://github.com/PyCQA/pydocstyle/blob/master/docs/error_codes.rst # * DUO: Default errors and warnings reported by dlint - # https://github.com/dlint-py/dlint/tree/master/docs # * E: Default errors reported by pycodestyle - From c85cbef578789c2f513c4598ef61043b5ffc62bb Mon Sep 17 00:00:00 2001 From: Nick <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 11 Mar 2026 14:56:49 -0400 Subject: [PATCH 15/24] Update ignore comment in the flake8 configuration Attribute the error codes we are ignoring to the correct source package. Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .flake8 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.flake8 b/.flake8 index b32c1f8..e9271ff 100644 --- a/.flake8 +++ b/.flake8 
@@ -27,12 +27,12 @@ max-line-length = 80 select = C,C4,D,DUO,E,F,N,NQA,W,B,B950 # Ignore -# * E203: flake8's default warning about whitespace before ':' because Black enforces +# * E203: pycodestyle's default warning about whitespace before ':' because Black enforces # an equal amount of whitespace around slice operators (':'). -# * E501: flake8's default warning about maximum line length, which has a hard stop +# * E501: pycodestyle's default warning about maximum line length, which has a hard stop # at the configured value. Instead we use flake8-bugbear's B950, which # allows up to 10% overage. -# * W503: flake8's warning about line breaks before binary operators. It no longer +# * W503: pycodestyle's warning about line breaks before binary operators. It no longer # agrees with PEP8. See, for example, here: # https://github.com/ambv/black/issues/21 # Guido agrees here: From f094a602a3a9f3e912e957b3dc5779575ebce98c Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 11 Mar 2026 17:30:27 -0400 Subject: [PATCH 16/24] Add pre-commit hook to lock Terraform providers automatically This extends our usage of the antonbabenko/pre-commit-terraform hook collection. This new hook will automatically ensure that a Terraform lock file includes hashes for all of our supported platforms. --- .pre-commit-config.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9a10fe9..1a7eabf 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -207,6 +207,15 @@ repos: hooks: - id: terraform_fmt - id: terraform_validate + # This needs to run after the terraform_validate hook so that any Terraform + # configurations are initialized. + - id: terraform_providers_lock + args: + - --args=-platform=darwin_amd64 + - --args=-platform=darwin_arm64 + - --args=-platform=linux_amd64 + - --args=-platform=linux_arm64 + - --hook-config=--mode=always-regenerate-lockfile # Docker hooks - repo: https://github.com/IamTheFij/docker-pre-commit From ffe59bdd2f9ab7c5d70a8b91b25a40a04488be6d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 25 Mar 2026 12:52:24 -0400 Subject: [PATCH 17/24] Ignore a vulnerability originating from pygments We have to ignore this vulnerability for now since an update for pygments has not yet been released. In any event, this vulnerability is unlikely to cause us any problems since we don't feed any regexes to pygments directly. See also: - cisagov/skeleton-generic#257 - https://nvd.nist.gov/vuln/detail/CVE-2026-4539 - pygments/pygments#3058 Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9a10fe9..0c905ae 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
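Review bot: `--hook-config=--mode=always-regenerate-lockfile` on the new `terraform_providers_lock` hook rewrites `.terraform.lock.hcl` on every run instead of only verifying it, so, if I read the hook's documented modes correctly, provider hashes are re-fetched from the registry each time and any provider version that moves within the declared constraints is re-locked silently rather than flagged. That trades the lock file's pinning guarantee for convenience, which is worth stating next to the existing comment about ordering, e.g. `# always-regenerate-lockfile rewrites the lock file (hashes and resolved versions) on every run; review lock file diffs before committing.` If the intent is only to guarantee hashes for all four platforms exist, the hook's default check-only mode gives that without rewriting the file.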
@@ -157,6 +157,22 @@ repos: hooks: - id: pip-audit args: + # We have to ignore this vulnerability for now since an + # update for pygments has not yet been released. + # + # In any event, this vulnerability is unlikely to cause us + # any problems since we don't feed any regexes to pygments + # directly. pygments is pulled in as a dependency of + # pytest. + # + # See also: + # - https://nvd.nist.gov/vuln/detail/CVE-2026-4539 + # - https://github.com/pygments/pygments/issues/3058 + # + # TODO: Remove this when it becomes possible. See + # cisagov/skeleton-docker#285 for more details. + - --ignore-vuln + - CVE-2026-4539 # Add any pip requirements files to scan - --requirement - requirements-dev.txt From a1cdc7884f2883d432f4c3b2e52832b9f5cfb306 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 25 Mar 2026 13:06:18 -0400 Subject: [PATCH 18/24] Correct reference to ticket in TODO comment --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0c905ae..0cbe0d9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -170,7 +170,7 @@ repos: # - https://github.com/pygments/pygments/issues/3058 # # TODO: Remove this when it becomes possible. See - # cisagov/skeleton-docker#285 for more details. + # cisagov/skeleton-generic#257 for more details. - --ignore-vuln - CVE-2026-4539 # Add any pip requirements files to scan From 811785c2a4a7457a75e9580c8e9ce425896c1920 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 25 Mar 2026 13:53:42 -0400 Subject: [PATCH 19/24] Update pre-commit hook versions This is done automatically with the pre-commit autoupdate command. --- .pre-commit-config.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0cbe0d9..b35f18b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
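Review bot: The `--ignore-vuln` / `CVE-2026-4539` suppression has no exit condition beyond a TODO, so it will keep silencing pip-audit after a fixed pygments release ships, and also if pygments later becomes a direct dependency. Naming the removal condition keeps the suppression from outliving its reason, e.g. `# TODO: Remove this once a pygments release fixing CVE-2026-4539 is pinned in requirements-dev.txt.` The comment's claim that pygments is only pulled in transitively through pytest is not visible in the hunk; it is worth confirming against the audit output before relying on it as the justification.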
@@ -45,7 +45,7 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.47.0 + rev: v0.48.0 hooks: - id: markdownlint args: @@ -63,7 +63,7 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.36.2 + rev: 0.37.0 hooks: - id: check-github-actions - id: check-github-workflows @@ -105,7 +105,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.12.0-2 + rev: v3.13.0-1 hooks: - id: shfmt args: @@ -129,13 +129,13 @@ repos: # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.9.3 + rev: 1.9.4 hooks: - id: bandit args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 26.1.0 + rev: 26.3.1 hooks: - id: black - repo: https://github.com/PyCQA/flake8 @@ -145,7 +145,7 @@ repos: additional_dependencies: - flake8-docstrings==1.7.0 - repo: https://github.com/PyCQA/isort - rev: 8.0.0 + rev: 8.0.1 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy @@ -193,7 +193,7 @@ repos: # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v26.1.1 + rev: v26.3.0 hooks: - id: ansible-lint additional_dependencies: From df57f2a46d758a22d597793c3f8c17c6c5586f5a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 25 Mar 2026 15:12:58 -0400 Subject: [PATCH 20/24] Revert version bump of the `ansible-lint` pre-commit hook Newer versions of the hook require Python 3.14, but we are still using Python 3.13 in our GitHub Actions configuration. --- .pre-commit-config.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b35f18b..0b87517 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -193,7 +193,10 @@ repos: # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v26.3.0 + # We need to stay on this version because we are still using Python 3.13 in + # our GitHub Actions configuration. Later versions require Python 3.14 for + # the hook to run. + rev: v26.1.1 hooks: - id: ansible-lint additional_dependencies: From c55c9d29825bc5043072997d919eb94a7ca77a45 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 26 Mar 2026 10:25:30 -0400 Subject: [PATCH 21/24] Remove scripts that are no longer used Our flake8 pre-commit hook was giving errors for these scripts, but since they are no longer in use there is no reason to update them. --- project_setup/scripts/iam-to-travis | 131 ---------------------------- project_setup/scripts/skeleton | 117 ------------------------- setup.py | 2 - 3 files changed, 250 deletions(-) delete mode 100755 project_setup/scripts/iam-to-travis delete mode 100755 project_setup/scripts/skeleton diff --git a/project_setup/scripts/iam-to-travis b/project_setup/scripts/iam-to-travis deleted file mode 100755 index e1233a3..0000000 --- a/project_setup/scripts/iam-to-travis +++ /dev/null 
@@ -1,131 +0,0 @@ -#!/usr/bin/env python - -"""Extract AWS credentials from terraform state, encrypt, and format for Travis. - -This command must be executed in the directory containing the .terraform state -within the a GitHub project. - -Usage: - iam-to-travis [--log-level=LEVEL] [--indent=SPACES] [--width=WIDTH] - iam-to-travis (-h | --help) - -Options: - -h --help Show this message. - -i --indent=SPACES Number of spaces to indent yaml block. Minimum 2. - [default: 6] - --log-level=LEVEL If specified, then the log level will be set to - the specified value. Valid values are "debug", "info", - "warning", "error", and "critical". [default: warning] - -w --width=WIDTH Maximum width of yaml block. Minimum 16. [default: 80] -""" - -# Standard Python Libraries -import json -import logging -import subprocess # nosec -import sys - -# Third-Party Libraries -import docopt - - -def creds_from_child(child_module): - """Search for IAM access keys in child resources. - - Returns (key_id, secret) if found, (None, None) otherwise. - """ - for resource in child_module["resources"]: - if resource["address"] == "aws_iam_access_key.key": - key_id = resource["values"]["id"] - secret = resource["values"]["secret"] - return key_id, secret - return None, None - - -def creds_from_terraform(): - """Retrieve IAM credentials from terraform state. - - Returns (key_id, secret) if found, (None, None) otherwise. 
- """ - c = subprocess.run( # nosec - "terraform show --json", shell=True, stdout=subprocess.PIPE # nosec - ) - j = json.loads(c.stdout) - - if not j.get("values"): - return None, None - - for child_module in j["values"]["root_module"]["child_modules"]: - key_id, secret = creds_from_child(child_module) - if key_id: - return key_id, secret - else: - return None, None - - -def wrap_for_yml(s, indent=6, width=75): - """Wrap a string in yamly way.""" - result = [] - width = width - 1 - while True: - result.append(s[:width]) - s = s[width:] - if not s: - break - s = " " * indent + s - return "\\\n".join(result) - - -def encrypt_for_travis(variable_name, value, indent, width): - """Encrypt a value for a variable and print it as yaml.""" - logging.debug(f"Encrypting {variable_name}.") - command = f'travis encrypt --com --no-interactive "{variable_name}={value}"' - c = subprocess.run(command, shell=True, stdout=subprocess.PIPE) # nosec - s = f"{' ' * (indent - 2)}- secure: {c.stdout.decode('utf-8')}" - print(f"{' ' * (indent - 2)}# {variable_name}") - print(wrap_for_yml(s, indent, width)) - - -def main(): - """Set up logging and call the requested commands.""" - args = docopt.docopt(__doc__, version="0.0.1") - - # Set up logging - log_level = args["--log-level"] - try: - logging.basicConfig( - format="%(asctime)-15s %(levelname)s %(message)s", level=log_level.upper() - ) - except ValueError: - logging.critical( - f'"{log_level}" is not a valid logging level. Possible values ' - "are debug, info, warning, and error." 
- ) - return 1 - - indent = int(args["--indent"]) - width = int(args["--width"]) - - if width < 16: - logging.error("Width must be 16 or greater.") - sys.exit(-1) - - if indent < 2 or indent > width - 10: - logging.error("Indent must be greater than 2, and less than (width - 10).") - sys.exit(-1) - - logging.info("Searching Terraform state for IAM credentials.") - key_id, secret = creds_from_terraform() - if key_id is None: - logging.error("Credentials not found in terraform state.") - logging.error("Is there a .terraform state directory here?") - sys.exit(-1) - - encrypt_for_travis("AWS_ACCESS_KEY_ID", key_id, indent, width) - encrypt_for_travis("AWS_SECRET_ACCESS_KEY", secret, indent, width) - - return 0 - - -if __name__ == "__main__": - sys.exit(main()) diff --git a/project_setup/scripts/skeleton b/project_setup/scripts/skeleton deleted file mode 100755 index 85700f4..0000000 --- a/project_setup/scripts/skeleton +++ /dev/null 
@@ -1,117 +0,0 @@ -#!/usr/bin/env python - -"""Helper tool to start a new github project from a skeleton github repository. - -Usage: - skeleton (-h | --help) - skeleton list [--org=] - skeleton clone [options] - -Options: - -c --change-dir= Create clone in this directory. - -h --help Show this message. - -o --org= Organization to search [default: cisagov]. -""" - -# Standard Python Libraries -import os -from pathlib import Path -import subprocess # nosec -import sys - -# Third-Party Libraries -import docopt -from github import Github -import yaml - -LINEAGE_CONFIG = Path(".github/lineage.yml") -LINEAGE_CONFIG_VERSION = "1" -VERSION = "0.0.1" - - -def run(cmd, comment): - """Run a command and display its output and return code.""" - print("―" * 80) - if comment: - print(f"💬 {comment}") - print(f"➤ {cmd}") - proc = subprocess.run(cmd, shell=True) # nosec - if proc.returncode == 0: - print("✅ success") - else: - print(f"❌ ERROR! return code: {proc.returncode}") - sys.exit(proc.returncode) - - -def print_available_skeletons(org): - """Print a list of skeleton repos available for cloning.""" - g = Github() - skel_repos = g.search_repositories(query=f"org:{org} topic:skeleton archived:false") - print(f"Available skeletons in {org}:\n") - for repo in skel_repos: - print(f"{repo.name}\n\t{repo.description}\n") - - -def clone_repo(parent_repo, new_repo, org, dir=None): - """Clone a repository to a new name and prepare it for publication.""" - if dir: - os.chdir(dir) - run( - f"git clone --origin {parent_repo} git@github.com:{org}/{parent_repo}.git {new_repo}", - "Clone an existing remote repository to the new name locally.", - ) - os.chdir(new_repo) - run( - f"git remote set-url --push {parent_repo} no_push", - "Disable pushing to the upstream (parent) repository.", - ) - run( - f"git remote add origin git@github.com:{org}/{new_repo}.git", - "Add a new remote origin for the this repository.", - ) - run("git tag -d $(git tag -l)", f"Delete all local git tags from 
{parent_repo}") - run( - rf"find . \( ! -regex '.*/\.git/.*' \) -type f -exec " - rf"perl -pi -e s/{parent_repo}/{new_repo}/g {{}} \;", - "Search and replace repository name in source files.", - ) - lineage = { - "version": LINEAGE_CONFIG_VERSION, - "lineage": { - "skeleton": {"remote-url": f"https://github.com/{org}/{parent_repo}.git"} - }, - } - with LINEAGE_CONFIG.open("w") as f: - yaml.dump(lineage, stream=f, explicit_start=True) - run("git add --verbose .", "Stage modified files.") - run( - 'git commit --message "Rename repository references after clone."', - "Commit staged files to the new repository.", - ) - print("―" * 80) - print(f""" -The repository "{parent_repo}" has been cloned and renamed to "{new_repo}". -Use the following commands to push the new repository to github: - cd {os.path.join(dir, new_repo) if dir else new_repo} - git push --set-upstream origin develop - """) - - -def main(): - """Parse arguments and perform requested actions.""" - args = docopt.docopt(__doc__, version=VERSION) - - org = args["--org"] - - if args["list"]: - print_available_skeletons(org) - elif args["clone"]: - parent_repo = args[""] - new_repo = args[""] - dir = args["--change-dir"] - clone_repo(parent_repo, new_repo, org, dir) - return 0 - - -if __name__ == "__main__": - sys.exit(main()) diff --git a/setup.py b/setup.py index bb6342d..f64453a 100644 --- a/setup.py +++ b/setup.py @@ -107,9 +107,7 @@ def get_version(version_file): }, scripts=[ "project_setup/scripts/ansible-roles", - "project_setup/scripts/iam-to-travis", "project_setup/scripts/terraform-to-secrets", - "project_setup/scripts/skeleton", "project_setup/scripts/ssm-param", ], entry_points={}, From 68ea13aaacd6cc93d15e15d929b773e39529b208 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier Date: Thu, 26 Mar 2026 10:29:11 -0400 Subject: [PATCH 22/24] Prefer dict literals ({}) to dict() This gets rid of several errors from our flake8 pre-commit hook. --- project_setup/scripts/terraform-to-secrets | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/project_setup/scripts/terraform-to-secrets b/project_setup/scripts/terraform-to-secrets index 0d555f3..b5a4c65 100755 --- a/project_setup/scripts/terraform-to-secrets +++ b/project_setup/scripts/terraform-to-secrets @@ -109,7 +109,7 @@ def find_tagged_secret( # its value is not None. Both of these cases can occur. tags: dict[str, str] if "tags" not in resource_data or resource_data.get("tags") is None: - tags = dict() + tags = {} else: tags = resource_data["tags"] @@ -150,7 +150,7 @@ def find_outputs( and resource.get("type") == "terraform_remote_state" ): continue - if resource.get("values", dict()).get("outputs", dict()): + if resource.get("values", {}).get("outputs", {}): yield resource["values"]["outputs"] @@ -314,7 +314,7 @@ def get_users(terraform_state: dict) -> dict[str, tuple[str, str]]: aws_user: str | None = None aws_key_id: str | None = None aws_secret: str | None = None - user_creds: dict[str, tuple[str, str]] = dict() + user_creds: dict[str, tuple[str, str]] = {} logging.info("Searching Terraform state for IAM credentials.") for aws_user, aws_key_id, aws_secret in parse_creds(terraform_state): @@ -330,7 +330,7 @@ def get_resource_secrets( terraform_state: dict, include_remote_state: bool ) -> dict[str, str]: """Collect secrets from tagged Terraform resources.""" - secrets: dict[str, str] = dict() + secrets: dict[str, str] = {} logging.info("Searching Terraform state for tagged resources.") for secret_name, secret_value in parse_tagged_resources( terraform_state, include_remote_state 
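Review bot: The if/else around the new `tags = {}` in find_tagged_secret can collapse into one statement, since both the missing-key and the explicit-null case now map to an empty dict: `tags: dict[str, str] = resource_data.get("tags") or {}`. The comment above it explaining that both cases occur in Terraform state is still worth keeping as the reason for the `or {}`. The result is equivalent unless something later relies on `tags` aliasing the dict inside `resource_data`, which I cannot tell from the hunk; find_tagged_secret's signature and the rest of its body are outside it.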
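Review bot: In find_outputs the new line `if resource.get("values", {}).get("outputs", {}):` still raises AttributeError when `values` is present with a null value, because the `.get` default only covers a missing key; the comment in find_tagged_secret says exactly this null-versus-missing distinction does occur in Terraform state for `tags`, so it is plausible for `values` too. Prefer `if (resource.get("values") or {}).get("outputs"):` and keep the `yield` as is. I cannot see from the hunk whether the enclosing loop already filters such resources; find_outputs begins outside the hunk.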
@@ -347,7 +347,7 @@ def get_resource_secrets( def create_user_secrets(user_creds: dict[str, tuple[str, str]]) -> dict[str, str]: """Create secrets for user key IDs and key values.""" - secrets: dict[str, str] = dict() + secrets: dict[str, str] = {} for user_name, creds in user_creds.items(): # If there is more than one user add the name as a suffix if len(user_creds) > 1: From 5e9c99757f0debe15ac786b289be141d2b6d6f33 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 26 Mar 2026 10:31:06 -0400 Subject: [PATCH 23/24] Break up an overly long line This gets rid of an error from our flake8 pre-commit hook. --- project_setup/scripts/terraform-to-secrets | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/project_setup/scripts/terraform-to-secrets b/project_setup/scripts/terraform-to-secrets index b5a4c65..12695b5 100755 --- a/project_setup/scripts/terraform-to-secrets +++ b/project_setup/scripts/terraform-to-secrets @@ -269,7 +269,10 @@ def set_secret( """Create a secret in a repository or environment.""" if github_env: logging.info(f"Creating secret {secret_name} in environment {github_env}") - api_url = f"https://api.github.com/repos/{repo_name}/environments/{github_env}/secrets/{secret_name}" + api_url = ( + f"https://api.github.com/repos/{repo_name}/environments/" + f"{github_env}/secrets/{secret_name}" + ) else: logging.info(f"Creating repository secret {secret_name}") api_url = ( From 0c15a8e838834697643166545a56dbcb6fb9b7ed Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Thu, 26 Mar 2026 10:32:37 -0400 Subject: [PATCH 24/24] Bump version from 1.0.0 to 1.1.0 --- setup.py | 2 +- version.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/setup.py b/setup.py index f64453a..6c02b9b 100644 --- a/setup.py +++ b/setup.py 
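Review bot: The re-wrapped `api_url` in set_secret still interpolates `repo_name`, `github_env` and `secret_name` into the URL path unencoded, so a value containing `/`, `?` or `#` (or a space, which environment names may contain) would either target a different API resource than intended or produce an invalid URL. Percent-encode the variable segments before formatting, e.g. `env_part = urllib.parse.quote(github_env, safe="")` and `name_part = urllib.parse.quote(secret_name, safe="")`, and use those in the f-string; the repository-secret branch whose `api_url = (` opens at the end of the hunk takes `secret_name` the same way. The function's signature and the remainder of its body are outside the hunk, and I cannot see whether callers already validate these names.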
@@ -43,7 +43,7 @@ def get_version(version_file): setup( name="project_setup", # Versions should comply with PEP440 - version="1.0.0", + version="1.1.0", description="Documentation for Github projects in the cisagov organization.", long_description=readme(), long_description_content_type="text/markdown", diff --git a/version.txt b/version.txt index 3eefcb9..9084fa2 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -1.0.0 +1.1.0