Merge pull request #40 from cisagov/lineage/skeleton

⚠️ CONFLICT! Lineage pull request for: skeleton

Author: jsf9k

.github/workflows/build.yml

@@ -100,7 +100,7 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: setup-env
         uses: cisagov/setup-env-github-action@v1
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: setup-python
         uses: actions/setup-python@v6
         with:
@@ -253,7 +253,7 @@ jobs:
           # monitoring configuration *does not* require you to modify
           # this workflow.
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: setup-python
         uses: actions/setup-python@v6
         with:
@@ -326,7 +326,7 @@ jobs:
           # monitoring configuration *does not* require you to modify
           # this workflow.
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Finished coveralls reports
         uses: coverallsapp/github-action@v2
         with:
@@ -380,7 +380,7 @@ jobs:
           # monitoring configuration *does not* require you to modify
           # this workflow.
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: setup-python
         uses: actions/setup-python@v6
         with:
@@ -406,7 +406,7 @@ jobs:
       - name: Build artifacts
         run: python -m build
       - name: Upload artifacts
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: dist-${{ matrix.python-version }}
           path: dist
@@ -467,7 +467,7 @@ jobs:
           # monitoring configuration *does not* require you to modify
           # this workflow.
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: setup-python
         uses: actions/setup-python@v6
         with:
@@ -488,7 +488,7 @@ jobs:
           restore-keys: |
             ${{ env.BASE_CACHE_KEY }}
       - name: Retrieve the built wheel
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: dist-${{ matrix.python-version }}
           path: dist

.github/workflows/codeql-analysis.yml

@@ -114,7 +114,7 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/dependency-review.yml

@@ -89,7 +89,7 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: checkout-repo
         name: Checkout the repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - id: dependency-review
         name: Review dependency changes for vulnerabilities and license changes
         uses: actions/dependency-review-action@v4

.github/workflows/sync-labels.yml

@@ -84,7 +84,7 @@ jobs:
           # monitoring configuration *does not* require you to modify
           # this workflow.
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Sync repository labels
         if: success()
         uses: crazy-max/ghaction-github-labeler@v5

.pre-commit-config.yaml

@@ -169,8 +169,8 @@ repos:
       - id: mypy
         # IMPORTANT: Keep type hinting-related dependencies of the
         # mypy pre-commit hook additional_dependencies in sync with
-        # the dev section of setup.py to avoid discrepancies in type
-        # checking between environments.
+        # the dev section of pyproject.toml to avoid discrepancies in
+        # type checking between environments.
         additional_dependencies:
           - types-docopt
           - types-requests
@@ -190,10 +190,16 @@ repos:
     rev: v3.21.1
     hooks:
       - id: pyupgrade
+        args:
+          # Python 3.10 is currently the oldest non-EOL version of
+          # Python, so we want to apply all rules that apply to this
+          # version or later.  See here for more details:
+          # https://www.gyford.com/phil/writing/2025/08/26/how-to-use-pyupgrade/
+          - --py310-plus
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v25.11.0
+    rev: v25.11.1
     hooks:
       - id: ansible-lint
         additional_dependencies:
@@ -209,31 +215,13 @@ repos:
           # hook identifies a vulnerability in ansible-core 2.16.13,
           # but all versions of ansible 9 have a dependency on
           # ~=2.16.X.
-          #
-          # It is also a good idea to go ahead and upgrade to version
-          # 10 since version 9 is going EOL at the end of November:
-          # https://endoflife.date/ansible
           # - ansible>=10,<11
-          # ansible-core 2.16.3 through 2.16.6 suffer from the bug
-          # discussed in ansible/ansible#82702, which breaks any
-          # symlinked files in vars, tasks, etc. for any Ansible role
-          # installed via ansible-galaxy.  Hence we never want to
-          # install those versions.
-          #
-          # Note that the pip-audit pre-commit hook identifies a
-          # vulnerability in ansible-core 2.16.13.  The pin of
-          # ansible-core to >=2.17 effectively also pins ansible to
-          # >=10.
-          #
-          # It is also a good idea to go ahead and upgrade to
-          # ansible-core 2.17 since security support for ansible-core
-          # 2.16 ends this month:
-          # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+          # ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.
           #
           # Note that any changes made to this dependency must also be
           # made in requirements.txt in cisagov/skeleton-packer and
           # requirements-test.txt in cisagov/skeleton-ansible-role.
-          - ansible-core>=2.17
+          - ansible-core>=2.17.7
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform

pyproject.toml

@@ -3,7 +3,17 @@
 # https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html
 [build-system]
 build-backend = "setuptools.build_meta"
-requires = ["setuptools"]
+requires = [
+    # 61.0.0 was the first version of setuptools to offer a full-fledged
+    # backend that uses pyproject.toml for metadata configuration (in
+    # compliance with PEP 621):
+    # https://setuptools.pypa.io/en/stable/history.html#v61-0-0
+    #
+    # 77.0.0 was the first version of setuptools to support license
+    # expressions (in compliance with PEP 639):
+    # https://setuptools.pypa.io/en/stable/history.html#v77-0-0
+    "setuptools>=77.0.0"
+]
 
 [project]
 authors = [
@@ -53,6 +63,8 @@ requires-python = ">=3.10"
 # field of the mypy pre-commit hook to avoid discrepancies in type
 # checking between environments.
 dev = [
+    "build",
+    "twine",
     "types-docopt",
     "types-requests",
 ]

src/cyhy_runner/__init__.py

@@ -1,12 +1,9 @@
 """The Cyber Hygiene job runner."""
 
-# Standard Python Libraries
-from typing import List
-
 # We disable a Flake8 check for "Module imported but unused (F401)" here because
 # although this import is not directly used, it populates the value
 # package_name.__version__, which is used to get version information about this
 # Python package.
 from ._version import __version__  # noqa: F401
 
-__all__: List[str] = []
+__all__: list[str] = []

src/cyhy_runner/cyhy_runner.py

@@ -25,7 +25,6 @@
 import subprocess  # nosec
 import sys
 import time
-from typing import Set
 
 # Third-Party Libraries
 import daemon
@@ -51,7 +50,7 @@
 
 logger = logging.getLogger(__name__)
 
-running_dirs: Set[str] = set()
+running_dirs: set[str] = set()
 processes = []
 IS_RUNNING = True
 
@@ -187,7 +186,7 @@ def main():
 
     group = args["--group"]
     if group:
-        print('Setting effective group to "{}".'.format(group), file=sys.stderr)
+        print(f'Setting effective group to "{group}".', file=sys.stderr)
 
         new_gid = grp.getgrnam(group).gr_gid
         os.setegid(new_gid)
@@ -197,7 +196,7 @@ def main():
     working_dir = os.path.join(os.getcwd(), args["<working-dir>"])
     if not os.path.exists(working_dir):
         print(
-            'Working directory "{}" does not exist.'.format(working_dir),
+            f'Working directory "{working_dir}" does not exist.',
             end="",
             file=sys.stderr,
         )