diff --git a/.github/labeler.yml b/.github/labeler.yml
index 40a9c8c..fac9aac 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -48,6 +48,14 @@ python:
 - changed-files:
 - any-glob-to-any-file:
 - "**/*.py"
+shell script:
+ - changed-files:
+ - any-glob-to-any-file:
+ # If this project has any shell scripts that do not end in the ".sh"
+ # extension, add them below.
+ - "**/*.sh"
+ - bump-version
+ - setup-env
 terraform:
 - changed-files:
 - any-glob-to-any-file:
diff --git a/.github/labels.yml b/.github/labels.yml
index 650ed7c..69f0a2d 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -2,7 +2,7 @@
 # Rather than breaking up descriptions into multiline strings we disable that
 # specific rule in yamllint for this file.
 # yamllint disable rule:line-length
-- color: f15a53
+- color: ff5850
 description: Pull requests that update Ansible code
 name: ansible
 - color: eb6420
@@ -20,7 +20,7 @@
 - color: 0366d6
 description: Pull requests that update a dependency file
 name: dependencies
-- color: 2497ed
+- color: 1d63ed
 description: Pull requests that update Docker code
 name: docker
 - color: 5319e7
@@ -47,7 +47,7 @@
 - color: fef2c0
 description: This issue or pull request is not applicable, incorrect, or obsolete
 name: invalid
-- color: f1d642
+- color: f0db4f
 description: Pull requests that update JavaScript code
 name: javascript
 - color: ce099a
@@ -62,7 +62,7 @@
 - color: 02a8ef
 description: Pull requests that update Packer code
 name: packer
-- color: 3772a4
+- color: 3776ab
 description: Pull requests that update Python code
 name: python
 - color: ef476c
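Review bot: The two new entries `bump-version` and `setup-env` carry no `**/` prefix, so if the labeler matches them with the same glob semantics as the `**/*.py` and `**/*.sh` patterns around them, they only match files with exactly those names at the repository root and not a copy under a subdirectory. That seems to be the intent here (the requirements.txt hunk below refers to a top-level `bump-version` script), but the new comment only talks about extensions, so a reader adding another helper later has no hint about the difference. Extending it with `# Bare names match only at the repository root; use **/name for nested copies.` would make the two styles of entry self-explanatory.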
@@ -71,13 +71,16 @@
 - color: d73a4a
 description: This issue or pull request addresses a security issue
 name: security
+- color: 4eaa25
+ description: Pull requests that update shell scripts
+ name: shell script
 - color: 7b42bc
 description: Pull requests that update Terraform code
 name: terraform
 - color: 00008b
 description: This issue or pull request adds or otherwise modifies test code
 name: test
-- color: 2b6ebf
+- color: 2678c5
 description: Pull requests that update TypeScript code
 name: typescript
 - color: 1d76db
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f0bb859..fc710a9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -108,7 +108,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: setup-env
 uses: cisagov/setup-env-github-action@v1
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - id: setup-python
 uses: actions/setup-python@v6
 with:
@@ -246,7 +246,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: setup-env
 uses: cisagov/setup-env-github-action@v1
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - id: setup-python
 uses: actions/setup-python@v6
 with:
@@ -324,7 +324,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: setup-env
 uses: cisagov/setup-env-github-action@v1
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - id: setup-python
 uses: actions/setup-python@v6
 with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 0722fa3..5458e86 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -113,11 +113,11 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
 with:
 languages: ${{ matrix.language }}
@@ -125,7 +125,7 @@ jobs:
 # Java). If this step fails, then you should remove it and run the build
 # manually (see below).
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@v4
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -139,4 +139,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index bc859d1..580fa9c 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -89,7 +89,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: checkout-repo
 name: Checkout the repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - id: dependency-review
 name: Review dependency changes for vulnerabilities and license changes
 uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml
index 9d78e39..412cc4a 100644
--- a/.github/workflows/label-prs.yml
+++ b/.github/workflows/label-prs.yml
@@ -59,7 +59,6 @@ jobs:
 permissions:
 # Permissions required by actions/labeler
 contents: read
- issues: write
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index ee00ece..2203c56 100644
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -98,7 +98,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: setup-env
 uses: cisagov/setup-env-github-action@v1
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - id: setup-python
 uses: actions/setup-python@v6
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 650414c..df3bd12 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -105,7 +105,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: setup-env
 uses: cisagov/setup-env-github-action@v1
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - id: setup-python
 uses: actions/setup-python@v6
 with:
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 19e0129..f60bc84 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -84,7 +84,7 @@ jobs:
 # monitoring configuration *does not* require you to modify
 # this workflow.
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - name: Sync repository labels
 if: success()
 uses: crazy-max/ghaction-github-labeler@v5
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6a74e8b..ec44f7b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -63,20 +63,20 @@ repos:
 # GitHub Actions hooks
 - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.33.3
+ rev: 0.35.0
 hooks:
 - id: check-github-actions
 - id: check-github-workflows
 # pre-commit hooks
 - repo: https://github.com/pre-commit/pre-commit
- rev: v4.3.0
+ rev: v4.4.0
 hooks:
 - id: validate_manifest
 # Go hooks
 - repo: https://github.com/TekWizely/pre-commit-golang
- rev: v1.0.0-rc.2
+ rev: v1.0.0-rc.4
 hooks:
 # Go Build
 - id: go-build-repo-mod
@@ -130,7 +130,7 @@ repos:
 # Python hooks
 # Run bandit on the "tests" tree with a configuration
 - repo: https://github.com/PyCQA/bandit
- rev: 1.8.6
+ rev: 1.9.1
 hooks:
 - id: bandit
 name: bandit (tests tree)
@@ -139,13 +139,13 @@ repos:
 - --config=.bandit.yml
 # Run bandit on everything except the "tests" tree
 - repo: https://github.com/PyCQA/bandit
- rev: 1.8.6
+ rev: 1.9.1
 hooks:
 - id: bandit
 name: bandit (everything else)
 exclude: tests
 - repo: https://github.com/psf/black-pre-commit-mirror
- rev: 25.1.0
+ rev: 25.11.0
 hooks:
 - id: black
 - repo: https://github.com/PyCQA/flake8
@@ -155,11 +155,11 @@ repos:
 additional_dependencies:
 - flake8-docstrings==1.7.0
 - repo: https://github.com/PyCQA/isort
- rev: 6.0.1
+ rev: 7.0.0
 hooks:
 - id: isort
 - repo: https://github.com/pre-commit/mirrors-mypy
- rev: v1.18.1
+ rev: v1.18.2
 hooks:
 - id: mypy
 - repo: https://github.com/pypa/pip-audit
@@ -167,11 +167,19 @@ repos:
 hooks:
 - id: pip-audit
 args:
- # We have to ignore this particular vulnerability in
- # ansible-core>=2.11 as there is currently no fix. See
- # cisagov/skeleton-packer#380 for more details.
+ # We have to ignore this vulnerability since we need to pin
+ # to ansible 10 for now to support our CyHy code that must
+ # still run on Debian Buster. This vulnerability is fixed
+ # in ansible>=12.
+ #
+ # This isn't a big deal since the vulnerability only impacts
+ # users of the Keycloak modules in
+ # ansible.community.general, and we don't use these modules.
+ #
+ # TODO: Remove this when it becomes possible. See
+ # cisagov/skeleton-packer#486 for more details.
 - --ignore-vuln
- - GHSA-99w6-3xph-cx78
+ - GHSA-8ggh-xwr9-3373
 # Add any pip requirements files to scan
 - --requirement
 - requirements-dev.txt
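Review bot: The new `--ignore-vuln GHSA-8ggh-xwr9-3373` suppression is justified by a pin that lives in a different file (`ansible>=10,<11` in requirements.txt), and pip-audit applies the ignore to every `--requirement` file it scans, so nothing in this hook will fail or warn once that pin is lifted and the ignore has become stale. The TODO should name the concrete trigger so whoever next edits requirements.txt sees it, e.g. `# TODO: Remove this once requirements.txt allows ansible>=12. See cisagov/skeleton-packer#486.` The claim that only the Keycloak modules of ansible.community.general are affected and unused is an assertion about this project's roles that a later reader cannot check from the comment; recording where it was verified (for example, a search of the playbooks and roles for those module names) would make the ignore auditable rather than trusted.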
@@ -180,13 +188,19 @@ repos:
 - --requirement
 - requirements.txt
 - repo: https://github.com/asottile/pyupgrade
- rev: v3.20.0
+ rev: v3.21.1
 hooks:
 - id: pyupgrade
+ args:
+ # Python 3.10 is currently the oldest non-EOL version of
+ # Python, so we want to apply all rules that apply to this
+ # version or later. See here for more details:
+ # https://www.gyford.com/phil/writing/2025/08/26/how-to-use-pyupgrade/
+ - --py310-plus
 # Ansible hooks
 - repo: https://github.com/ansible/ansible-lint
- rev: v25.9.0
+ rev: v25.11.1
 hooks:
 - id: ansible-lint
 additional_dependencies:
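Review bot: `--py310-plus` lets pyupgrade rewrite the Python in this repository into forms that only run on 3.10 or newer (for example `X | None` in place of `Optional[X]`, which is evaluated at import time unless annotations are postponed), so the floor it sets has to match the project's declared minimum Python — its CI build matrix or packaging metadata — neither of which is visible in this diff. If either still admits 3.9, the hook will quietly introduce code that fails there; the comment justifies the choice by the upstream EOL calendar rather than by what this project supports, and should point at the authoritative place, e.g. `# Keep in sync with the minimum Python version in the build workflow matrix.` Referencing the pyupgrade README for the flag semantics instead of a personal blog post would also make the justification more durable.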
@@ -202,35 +216,17 @@ repos:
 # hook identifies a vulnerability in ansible-core 2.16.13,
 # but all versions of ansible 9 have a dependency on
 # ~=2.16.X.
- #
- # It is also a good idea to go ahead and upgrade to version
- # 10 since version 9 is going EOL at the end of November:
- # https://endoflife.date/ansible
 - ansible>=10,<11
- # ansible-core 2.16.3 through 2.16.6 suffer from the bug
- # discussed in ansible/ansible#82702, which breaks any
- # symlinked files in vars, tasks, etc. for any Ansible role
- # installed via ansible-galaxy. Hence we never want to
- # install those versions.
- #
- # Note that the pip-audit pre-commit hook identifies a
- # vulnerability in ansible-core 2.16.13. The pin of
- # ansible-core to >=2.17 effectively also pins ansible to
- # >=10.
- #
- # It is also a good idea to go ahead and upgrade to
- # ansible-core 2.17 since security support for ansible-core
- # 2.16 ends this month:
- # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+ # ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.
 #
 # Note that any changes made to this dependency must also be
 # made in requirements.txt in cisagov/skeleton-packer and
 # requirements-test.txt in cisagov/skeleton-ansible-role.
- - ansible-core>=2.17
+ - ansible-core>=2.17.7
 # Terraform hooks
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.100.0
+ rev: v1.103.0
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
diff --git a/README.md b/README.md
index 3c179c1..bb00360 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@
 # samba-packer 💀đŸ“Ļ #
 [![GitHub Build Status](https://github.com/cisagov/samba-packer/workflows/build/badge.svg)](https://github.com/cisagov/samba-packer/actions)
+[![License](https://img.shields.io/github/license/cisagov/samba-packer)](https://spdx.org/licenses/)
+[![CodeQL](https://github.com/cisagov/samba-packer/workflows/CodeQL/badge.svg)](https://github.com/cisagov/samba-packer/actions/workflows/codeql-analysis.yml)
 This repository contains [Packer](https://packer.io) code to build a
 [Samba](https://www.samba.org/)-enabled AWS AMI.
diff --git a/requirements.txt b/requirements.txt
index d949179..9aa635e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,44 +1,18 @@
-# With the release of version 2.10, Ansible finally correctly
-# identifies Kali Linux as being the Kali distribution of the Debian
-# OS family. This simplifies a lot of things for roles that support
-# Kali Linux, so it makes sense to force the installation of Ansible
-# 2.10 or newer.
-#
-# We need at least version 6 to correctly identify Amazon Linux 2023
-# as using the dnf package manager, and version 8 is currently the
-# oldest supported version.
-#
 # Version 10 is required because the pip-audit pre-commit hook
 # identifies a vulnerability in ansible-core 2.16.13, but all versions
 # of ansible 9 have a dependency on ~=2.16.X.
 #
-# It is also a good idea to go ahead and upgrade to version 10 since
-# version 9 is going EOL at the end of November:
-# https://endoflife.date/ansible
-#
 # We have tested against version 10. We want to avoid automatically
 # jumping to another major version without testing, since there are
 # often breaking changes across major versions. This is the reason
 # for the upper bound.
 ansible>=10,<11
-# ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in
-# ansible/ansible#82702, which breaks any symlinked files in vars,
-# tasks, etc. for any Ansible role installed via ansible-galaxy.
-# Hence we never want to install those versions.
-#
-# Note that the pip-audit pre-commit hook identifies a vulnerability
-# in ansible-core 2.16.13. Normally we would pin ansible-core
-# accordingly (>2.16.13), but the above pin of ansible>=10 effectively
-# pins ansible-core to >=2.17 anyway so that's what we use.
-#
-# It is also a good idea to go ahead and upgrade to ansible-core 2.17
-# since security support for ansible-core 2.16 ends this month:
-# https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+# ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.
 #
 # Note that any changes made to this dependency must also be made in
 # requirements-test.txt in cisagov/skeleton-ansible-role and
 # .pre-commit-config.yaml in cisagov/skeleton-generic.
-ansible-core>=2.17
+ansible-core>=2.17.7
 boto3
 docopt
 # The bump-version script requires at least version 3 of semver.
diff --git a/terraform-build-user/.terraform.lock.hcl b/terraform-build-user/.terraform.lock.hcl
index 90e0ee9..bff9dfa 100644
--- a/terraform-build-user/.terraform.lock.hcl
+++ b/terraform-build-user/.terraform.lock.hcl
@@ -2,24 +2,24 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/aws" {
- version = "6.15.0"
+ version = "6.25.0"
 constraints = ">= 4.9.0, ~> 6.7"
 hashes = [
- "h1:fHH8H5xoptQywVxVEX0vsWYeBeKR1uuQJmaOfZirr54=",
- "zh:05a3d3b268761cd90cabd6106bff2bf27f480ab31305cd8ef8c749060855f84d",
- "zh:0edae750ebaee784624e41b1e18fe6179a513d63c5bb8fbffab4631391092b4f",
- "zh:17f3d20951662ffd6a610d9c7f44afa281db6f220685796147e4ffb6374cc8b8",
- "zh:373a5446fca3aeff76bc5637babd732d6c78d9a66c82a828a1b009e8b21f33bc",
- "zh:3ce69866d23b7d0bb5bfa06f5407147ed90713924cd65246858c414313a96ffc",
- "zh:40ab0ca19845890df706784bb62d9fc9961a15c23c894f0e9f89b66524c4be55",
- "zh:66bd5554c582c1f01c1a509eedf4a81c861065b48a49d1be3e3ea98a89b1f801",
- "zh:798b66f98cc8d8ff9c6844a8238d2639f951ef3956d412fb438708ba3e4ae9e3",
- "zh:943e5f918d3b470fbfb9ea1c8bcc3b97a8218a0842e77a0fdbac0941dd461cdf",
+ "h1:0XEc9eHELD/BtPNybqkzzaS3bYp2HSv9LwAfaGyCpOU=",
+ "zh:0f9621f719ec2051eabb94ca59aa4f13574487fbc1517b183293431c9d388e38",
+ "zh:2ffbedb2e3afcd82da8bfc540bd74e9611527bdafd00d6d1885f62e7d13bac74",
+ "zh:30fb4ab8b4af19da7b9ce95cb41fa9399f81383e1adc91801b770e7eeab651c3",
+ "zh:377cbaffe3ec8aa5bb594071df0e91f17ac9292a325ed73cebd69fe78c51f7ec",
+ "zh:3b65f5c98e03f1bfc5b71fa69521e785552ff9656860b25e211287910874037d",
+ "zh:4478fab7b111c40a9a2a9db6ec5331618cc8e5a8b591f651095c77b87e9f22b1",
+ "zh:4fdaa559c57aed5d24fa3d5cb59fed59e1e689c21d038fd336a3ba93b258803f",
+ "zh:7a751ecd0f2654746dd4041d0f6d894c3a1876a152ba4bb7805ec2c715259065",
+ "zh:866725b83f8d5587dab0559ac208ee6c181746871faa99ce551b535e19c7bb6a",
 "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
- "zh:9e95f017fae84d07d6cd627949715dbe8749d4d819c13c8b0bef1a679a26671b",
- "zh:aac7e07599a17fccbdd21b092a7741534af5bec60b492299f2bcd3d7279be4a9",
- "zh:c6292faaf05a6dc45e170f67f251aaad9b7e1159b5946219908dd11025f4146b",
- "zh:df892b9eca5ecfb3c0a0e829511aea7e6b30f08b862c7fba9de67d2ae9729983",
- "zh:fb8c5ff7296d01bf60d983c64f45969ec664a40bdd768d90a35a6afe7df1aeb7",
+ "zh:b16e3e2a8ccba4ceeeee961c708ef572c4a65e0001eaf09d08fa14cef01ab179",
+ "zh:dc897b2037bbb7f8d6456a4aa1ed82cbd4daddb173a184efdfe8c03a57557771",
+ "zh:de2344f23c980093a46dda3185f9052cda950d1b8ca9cf3c6e16b8c45fa23779",
+ "zh:ef538ec8a917715a1804c6735d44b756c32972d4fab71e15df87a59eb75dd57c",
+ "zh:f25cdfdac6798e7de4a1d3dd577a97c1ca200a12317a1fd5a4b9ea54cb05e868",
 ]
 }
diff --git a/terraform-post-packer/.terraform.lock.hcl b/terraform-post-packer/.terraform.lock.hcl
index 90e0ee9..bff9dfa 100644
--- a/terraform-post-packer/.terraform.lock.hcl
+++ b/terraform-post-packer/.terraform.lock.hcl
@@ -2,24 +2,24 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/aws" {
- version = "6.15.0"
+ version = "6.25.0"
 constraints = ">= 4.9.0, ~> 6.7"
 hashes = [
- "h1:fHH8H5xoptQywVxVEX0vsWYeBeKR1uuQJmaOfZirr54=",
- "zh:05a3d3b268761cd90cabd6106bff2bf27f480ab31305cd8ef8c749060855f84d",
- "zh:0edae750ebaee784624e41b1e18fe6179a513d63c5bb8fbffab4631391092b4f",
- "zh:17f3d20951662ffd6a610d9c7f44afa281db6f220685796147e4ffb6374cc8b8",
- "zh:373a5446fca3aeff76bc5637babd732d6c78d9a66c82a828a1b009e8b21f33bc",
- "zh:3ce69866d23b7d0bb5bfa06f5407147ed90713924cd65246858c414313a96ffc",
- "zh:40ab0ca19845890df706784bb62d9fc9961a15c23c894f0e9f89b66524c4be55",
- "zh:66bd5554c582c1f01c1a509eedf4a81c861065b48a49d1be3e3ea98a89b1f801",
- "zh:798b66f98cc8d8ff9c6844a8238d2639f951ef3956d412fb438708ba3e4ae9e3",
- "zh:943e5f918d3b470fbfb9ea1c8bcc3b97a8218a0842e77a0fdbac0941dd461cdf",
+ "h1:0XEc9eHELD/BtPNybqkzzaS3bYp2HSv9LwAfaGyCpOU=",
+ "zh:0f9621f719ec2051eabb94ca59aa4f13574487fbc1517b183293431c9d388e38",
+ "zh:2ffbedb2e3afcd82da8bfc540bd74e9611527bdafd00d6d1885f62e7d13bac74",
+ "zh:30fb4ab8b4af19da7b9ce95cb41fa9399f81383e1adc91801b770e7eeab651c3",
+ "zh:377cbaffe3ec8aa5bb594071df0e91f17ac9292a325ed73cebd69fe78c51f7ec",
+ "zh:3b65f5c98e03f1bfc5b71fa69521e785552ff9656860b25e211287910874037d",
+ "zh:4478fab7b111c40a9a2a9db6ec5331618cc8e5a8b591f651095c77b87e9f22b1",
+ "zh:4fdaa559c57aed5d24fa3d5cb59fed59e1e689c21d038fd336a3ba93b258803f",
+ "zh:7a751ecd0f2654746dd4041d0f6d894c3a1876a152ba4bb7805ec2c715259065",
+ "zh:866725b83f8d5587dab0559ac208ee6c181746871faa99ce551b535e19c7bb6a",
 "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
- "zh:9e95f017fae84d07d6cd627949715dbe8749d4d819c13c8b0bef1a679a26671b",
- "zh:aac7e07599a17fccbdd21b092a7741534af5bec60b492299f2bcd3d7279be4a9",
- "zh:c6292faaf05a6dc45e170f67f251aaad9b7e1159b5946219908dd11025f4146b",
- "zh:df892b9eca5ecfb3c0a0e829511aea7e6b30f08b862c7fba9de67d2ae9729983",
- "zh:fb8c5ff7296d01bf60d983c64f45969ec664a40bdd768d90a35a6afe7df1aeb7",
+ "zh:b16e3e2a8ccba4ceeeee961c708ef572c4a65e0001eaf09d08fa14cef01ab179",
+ "zh:dc897b2037bbb7f8d6456a4aa1ed82cbd4daddb173a184efdfe8c03a57557771",
+ "zh:de2344f23c980093a46dda3185f9052cda950d1b8ca9cf3c6e16b8c45fa23779",
+ "zh:ef538ec8a917715a1804c6735d44b756c32972d4fab71e15df87a59eb75dd57c",
+ "zh:f25cdfdac6798e7de4a1d3dd577a97c1ca200a12317a1fd5a4b9ea54cb05e868",
 ]
 }
diff --git a/version.txt b/version.txt
index 227cea2..38f77a6 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-2.0.0
+2.0.1