From 59f893b034e472e35ae79f2503a6d0cf6a65c6e4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 Oct 2025 18:01:12 +0000
Subject: [PATCH 01/41] Bump github/codeql-action from 3 to 4
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3...v4)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: '4'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
.github/workflows/codeql-analysis.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 0722fa3..ac19c95 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -117,7 +117,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@v4
 with:
 languages: ${{ matrix.language }}
@@ -125,7 +125,7 @@ jobs:
 # Java). If this step fails, then you should remove it and run the build
 # manually (see below).
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@v4
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -139,4 +139,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@v4
From a44c47daa5cc09ed51cfd9930efdb1c0d6e51f50 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 15 Oct 2025 12:26:46 -0400
Subject: [PATCH 02/41] Remove an unnecessary permission from the PR label workflow
There should be no reason for the actions/labeler action to create new labels so we can remove the permission that would allow this to occur.
---
.github/workflows/label-prs.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml
index 9d78e39..412cc4a 100644
--- a/.github/workflows/label-prs.yml
+++ b/.github/workflows/label-prs.yml
@@ -59,7 +59,6 @@ jobs:
 permissions:
 # Permissions required by actions/labeler
 contents: read
- issues: write
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
From 629a0cc616bd06540bddc3ccd39de55bab61403a Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Tue, 28 Oct 2025 16:11:15 -0400
Subject: [PATCH 03/41] Add a license badge
---
README.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index cb6c85a..4034ce6 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,9 @@
 [![GitHub Build Status](https://github.com/cisagov/skeleton-generic/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-generic/actions)
+[![License](https://img.shields.io/github/license/cisagov/skeleton-generic
+)](https://spdx.org/licenses/)
+
 This is a generic skeleton project that can be used to quickly get a new
 [cisagov](https://github.com/cisagov) GitHub project started. This skeleton
 project contains [licensing information](LICENSE), as
From e1331191e7858857c72cac55107e37508e744b6a Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Tue, 28 Oct 2025 21:41:06 -0400
Subject: [PATCH 04/41] Update the color used for the `python` label
This updates the existing color, which was pulled from the Python logo, to the color used in the Python website's CSS for the "Python" item in the site's top menu.
---
.github/labels.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 650ed7c..1a8399b 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -62,7 +62,7 @@
 - color: 02a8ef
 description: Pull requests that update Packer code
 name: packer
-- color: 3772a4
+- color: 3776ab
 description: Pull requests that update Python code
 name: python
 - color: ef476c
From 15771ca992f125f5e4c9516e7645b7b79908cad2 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 03:29:59 -0400
Subject: [PATCH 05/41] Update the color used for the `javascript` label
This reflects the value defined by JSConf and used in their unofficially official logo for JS.
---
.github/labels.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 1a8399b..3801ada 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -47,7 +47,7 @@
 - color: fef2c0
 description: This issue or pull request is not applicable, incorrect, or obsolete
 name: invalid
-- color: f1d642
+- color: f0db4f
 description: Pull requests that update JavaScript code
 name: javascript
 - color: ce099a
From a7eeb15808fccae45d6010641192f341f7013f50 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 03:40:49 -0400
Subject: [PATCH 06/41] Update the color used for the `typescript` label
This reflects the color of the logo from the TypeScript branding page at https://www.typescriptlang.org/branding/.
---
.github/labels.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 3801ada..6f63095 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -77,7 +77,7 @@
 - color: 00008b
 description: This issue or pull request adds or otherwise modifies test code
 name: test
-- color: 2b6ebf
+- color: 2678c5
 description: Pull requests that update TypeScript code
 name: typescript
 - color: 1d76db
From fb7a73609e7d45eae2d566a39368a5ad5ea3ddb4 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 03:51:12 -0400
Subject: [PATCH 07/41] Update the color used for the `ansible` label
This mirrors the value used as a background for the mango Ansible community mark logo found in the ansible/logos repository.
---
.github/labels.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 6f63095..4862f3c 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -2,7 +2,7 @@
 # Rather than breaking up descriptions into multiline strings we disable that
 # specific rule in yamllint for this file.
 # yamllint disable rule:line-length
-- color: f15a53
+- color: ff5850
 description: Pull requests that update Ansible code
 name: ansible
 - color: eb6420
From 55031516e97274377694f2974d210054444c406b Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 03:59:50 -0400
Subject: [PATCH 08/41] Update the color used for the `docker` label
This is the "Moby Blue" primary color as defined in the Docker brand guidelines color section found at https://www.docker.com/company/newsroom/media-resources/.
---
.github/labels.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/labels.yml b/.github/labels.yml
index 4862f3c..a539e6e 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -20,7 +20,7 @@
 - color: 0366d6
 description: Pull requests that update a dependency file
 name: dependencies
-- color: 2497ed
+- color: 1d63ed
 description: Pull requests that update Docker code
 name: docker
 - color: 5319e7
From dc0d9a0be70aab4c4f47f884ec649ac4fb086fff Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 05:21:25 -0400
Subject: [PATCH 09/41] Add a label and auto-label configuration for shell scripts
Since we use shell scripts throughout our projects it makes sense to have a dedicated label.
---
.github/labeler.yml | 7 +++++++
.github/labels.yml | 3 +++
2 files changed, 10 insertions(+)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index a4e2186..5ccd8fe 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -44,6 +44,13 @@ python:
 - changed-files:
 - any-glob-to-any-file:
 - "**/*.py"
+shell script:
+ - changed-files:
+ - any-glob-to-any-file:
+ # Add any shell scripts that do not end in the ".sh" extension.
+ - "**/*.sh"
+ - bump-version
+ - setup-env
 terraform:
 - changed-files:
 - any-glob-to-any-file:
diff --git a/.github/labels.yml b/.github/labels.yml
index 650ed7c..aa77db7 100644
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -71,6 +71,9 @@
 - color: d73a4a
 description: This issue or pull request addresses a security issue
 name: security
+- color: 4eaa25
+ description: Pull requests that update shell scripts
+ name: shell script
 - color: 7b42bc
 description: Pull requests that update Terraform code
 name: terraform
From 586af7c89d29858b80f9abc150204858e281b4b3 Mon Sep 17 00:00:00 2001
From: Shane Frasier
Date: Wed, 29 Oct 2025 08:52:57 -0400
Subject: [PATCH 10/41] Remove needless blank line
---
README.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/README.md b/README.md
index 4034ce6..22134a3 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
 # skeleton-generic #
 [![GitHub Build Status](https://github.com/cisagov/skeleton-generic/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-generic/actions)
-
 [![License](https://img.shields.io/github/license/cisagov/skeleton-generic
 )](https://spdx.org/licenses/)
From 8b5f6d215931b0252a33f92899e75aea082b9f70 Mon Sep 17 00:00:00 2001
From: Nick <50747025+mcdonnnj@users.noreply.github.com>
Date: Wed, 29 Oct 2025 13:28:50 -0400
Subject: [PATCH 11/41] Improve a labeler configuration's explanatory comment
Co-authored-by: dav3r
---
.github/labeler.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index 5ccd8fe..05478bd 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -47,7 +47,8 @@ python:
 shell script:
 - changed-files:
 - any-glob-to-any-file:
- # Add any shell scripts that do not end in the ".sh" extension.
+ # If this project has any shell scripts that do not end in the ".sh"
+ # extension, add them below.
 - "**/*.sh"
 - bump-version
 - setup-env
From ad708bd9fad93d23f837f71d975ddee4060a4aec Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:21:25 -0500
Subject: [PATCH 12/41] Rename .flake8 to pyproject.toml and update syntax
We can configure all our Python tooling in a single pyproject.toml file. Note that using pyproject.toml to configure flake8 requires the addition of the flake8-pyproject Python library.
---
.flake8 => pyproject.toml | 6 +++---
requirements-test.txt | 1 +
2 files changed, 4 insertions(+), 3 deletions(-)
rename .flake8 => pyproject.toml (92%)
diff --git a/.flake8 b/pyproject.toml
similarity index 92%
rename from .flake8
rename to pyproject.toml
index 92ff826..574223c 100644
--- a/.flake8
+++ b/pyproject.toml
@@ -1,4 +1,4 @@
-[flake8]
+[tool.flake8]
 max-line-length = 80
 # Select (turn on)
 # * Complexity violations reported by mccabe (C) -
@@ -13,7 +13,7 @@ max-line-length = 80
 # https://github.com/PyCQA/flake8-bugbear#list-of-warnings
 # * The B950 flake8-bugbear opinionated warning -
 # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings
-select = C,D,E,F,W,B,B950
+select = ["C", "D", "E", "F", "W", "B", "B950"]
 # Ignore flake8's default warning about maximum line length, which has
 # a hard stop at the configured value. Instead we use
 # flake8-bugbear's B950, which allows up to 10% overage.
@@ -22,4 +22,4 @@ select = C,D,E,F,W,B,B950
 # operators. It no longer agrees with PEP8. See, for example, here:
 # https://github.com/ambv/black/issues/21. Guido agrees here:
 # https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b.
-ignore = E501,W503
+extend-ignore = ["E501", "W503"]
diff --git a/requirements-test.txt b/requirements-test.txt
index 66f74db..3fd2ff1 100644
--- a/requirements-test.txt
+++ b/requirements-test.txt
@@ -1,2 +1,3 @@
 --requirement requirements.txt
+flake8-pyproject
 pre-commit
From 2a3bb8b44d9597078b1add4c6b649edf45955e91 Mon Sep 17 00:00:00 2001
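Review bot: Changing `ignore = E501,W503` to `extend-ignore = ["E501", "W503"]` in the pyproject.toml hunk is not a pure syntax translation: `ignore` replaces flake8's built-in default ignore list, while `extend-ignore` appends to it, so after this commit the defaults (E121, E123, E126, E226, E24, E704, W503, W504) are also suppressed even though `select` still asks for the whole E and W families. If the previous behaviour is wanted, keep the key and only change the value form: `ignore = ["E501", "W503"]`. If the broader suppression is intended, a one-line comment saying so would save the next reader from the same question.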
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:25:57 -0500
Subject: [PATCH 13/41] Add flake8-pyproject as an additional dependency of the flake8 pre-commit hook
This will ensure that, even when run as a pre-commit hook, flake8 reads its configuration from the pyproject.toml file.
---
.pre-commit-config.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bc76d85..2193233 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -144,6 +144,9 @@ repos:
 - id: flake8
 additional_dependencies:
 - flake8-docstrings==1.7.0
+ # This is necessary to read the flake8 configuration from
+ # the pyproject.toml file.
+ - flake8-pyproject
 - repo: https://github.com/PyCQA/isort
 rev: 6.0.1
 hooks:
From a70cf3c5a12b8dcd116867484ca76eed3e2b1c7c Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:32:02 -0500
Subject: [PATCH 14/41] Move isort config to pyproject.toml file
---
.isort.cfg | 10 ----------
pyproject.toml | 12 ++++++++++++
2 files changed, 12 insertions(+), 10 deletions(-)
delete mode 100644 .isort.cfg
diff --git a/.isort.cfg b/.isort.cfg
deleted file mode 100644
index 46d45f3..0000000
--- a/.isort.cfg
+++ /dev/null
@@ -1,10 +0,0 @@
-[settings]
-combine_star=true
-force_sort_within_sections=true
-
-import_heading_stdlib=Standard Python Libraries
-import_heading_thirdparty=Third-Party Libraries
-import_heading_firstparty=cisagov Libraries
-
-# Run isort under the black profile to align with our other Python linting
-profile=black
diff --git a/pyproject.toml b/pyproject.toml
index 574223c..eec000b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -23,3 +23,15 @@ select = ["C", "D", "E", "F", "W", "B", "B950"]
 # https://github.com/ambv/black/issues/21. Guido agrees here:
 # https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b.
 extend-ignore = ["E501", "W503"]
+
+[tool.isort]
+combine_star = true
+force_sort_within_sections = true
+
+import_heading_stdlib = "Standard Python Libraries"
+import_heading_thirdparty = "Third-Party Libraries"
+import_heading_firstparty = "cisagov Libraries"
+
+# Run isort under the black profile to align with our other Python
+# linting
+profile = "black"
From c1861e6027848854dc975180e1e44b18cee73367 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:38:38 -0500
Subject: [PATCH 15/41] Add pyproject.toml as a trigger for the test label
Also remove .flake8 and .isort.cfg as triggers for the same label.
---
.github/labeler.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index a4e2186..d6c77d0 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -54,10 +54,9 @@ test:
 # Add any test-related files or paths.
 - .ansible-lint
 - .bandit.yml
- - .flake8
- - .isort.cfg
 - .mdl_config.yaml
 - .yamllint
+ - pyproject.toml
 typescript:
 - changed-files:
 - any-glob-to-any-file:
From 22c6f4019add36d3b9ff3e830f0f018be5aeedd2 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:40:19 -0500
Subject: [PATCH 16/41] Remove the .bandit.yml file
This file was doing nothing due to its contents.
---
.bandit.yml | 13 -------------
.github/labeler.yml | 1 -
.pre-commit-config.yaml | 2 --
3 files changed, 16 deletions(-)
delete mode 100644 .bandit.yml
diff --git a/.bandit.yml b/.bandit.yml
deleted file mode 100644
index ab3cb21..0000000
--- a/.bandit.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-# Configuration file for the Bandit python security scanner
-# https://bandit.readthedocs.io/en/latest/config.html
-
-# Tests are first included by `tests`, and then excluded by `skips`.
-# If `tests` is empty, all tests are considered included.
-
-tests:
-# - B101
-# - B102
-
-skips:
-# - B101 # skip "assert used" check since assertions are required in pytests
diff --git a/.github/labeler.yml b/.github/labeler.yml
index d6c77d0..914ddd1 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -53,7 +53,6 @@ test:
 - any-glob-to-any-file:
 # Add any test-related files or paths.
 - .ansible-lint
- - .bandit.yml
 - .mdl_config.yaml
 - .yamllint
 - pyproject.toml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2193233..e2e557e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -132,8 +132,6 @@ repos:
 rev: 1.8.6
 hooks:
 - id: bandit
- args:
- - --config=.bandit.yml
 - repo: https://github.com/psf/black-pre-commit-mirror
 rev: 25.1.0
 hooks:
From 15cb60196e1a5d71c6039ec2081acbe80d4c37a0 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Thu, 6 Nov 2025 16:48:16 -0500
Subject: [PATCH 17/41] Pin the flake8-pyproject dependency in the pre-commit configuration
The flake8-docstrings dependency is pinned, so this one should be too.
---
.pre-commit-config.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e2e557e..a8c71b5 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -144,7 +144,7 @@ repos:
 - flake8-docstrings==1.7.0
 # This is necessary to read the flake8 configuration from
 # the pyproject.toml file.
- - flake8-pyproject
+ - flake8-pyproject==1.2.3
 - repo: https://github.com/PyCQA/isort
 rev: 6.0.1
 hooks:
From bc6bf8c2d3b47d56d189ece182cb0389e3b96358 Mon Sep 17 00:00:00 2001
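Review bot: With `--config=.bandit.yml` dropped from the bandit hook in the .pre-commit-config.yaml hunk, the scanner now runs with no configuration at all while the rest of this series moves tool settings into pyproject.toml; as far as I recall bandit does not auto-discover `[tool.bandit]` there and only reads it when explicitly passed `-c pyproject.toml`, so a skip list placed in pyproject.toml later would be silently ignored. Suggest a comment on the hook recording this, e.g. `# Bandit only reads [tool.bandit] from pyproject.toml if passed --config=pyproject.toml.`, so nobody assumes the scanner honours settings it never loads. The deleted `.bandit.yml` left `tests:` and `skips:` empty, which is consistent with the commit's claim that it had no effect.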
From: Jeremy Frasier
Date: Fri, 7 Nov 2025 13:31:17 -0500
Subject: [PATCH 18/41] Remove flake8-pyproject dependency from requirements-test.txt
flake8 itself isn't installed here, so this dependency shouldn't be either. This jibes with the fact that we don't install flake8-docstrings (another dependency of the flake8 pre-commit hook) into the virtual environment either.
---
requirements-test.txt | 1 -
1 file changed, 1 deletion(-)
diff --git a/requirements-test.txt b/requirements-test.txt
index 3fd2ff1..66f74db 100644
--- a/requirements-test.txt
+++ b/requirements-test.txt
@@ -1,3 +1,2 @@
 --requirement requirements.txt
-flake8-pyproject
 pre-commit
From c7c0c0ad2acaff7d34c19fe54929f0291fc226a6 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Mon, 17 Nov 2025 10:27:14 -0500
Subject: [PATCH 19/41] Upgrade pre-commit hooks via pre-commit autoupdate
---
.pre-commit-config.yaml | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bc76d85..316366f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -63,20 +63,20 @@ repos:
 # GitHub Actions hooks
 - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.33.3
+ rev: 0.35.0
 hooks:
 - id: check-github-actions
 - id: check-github-workflows
 # pre-commit hooks
 - repo: https://github.com/pre-commit/pre-commit
- rev: v4.3.0
+ rev: v4.4.0
 hooks:
 - id: validate_manifest
 # Go hooks
 - repo: https://github.com/TekWizely/pre-commit-golang
- rev: v1.0.0-rc.2
+ rev: v1.0.0-rc.4
 hooks:
 # Go Build
 - id: go-build-repo-mod
@@ -129,13 +129,13 @@ repos:
 # Python hooks
 - repo: https://github.com/PyCQA/bandit
- rev: 1.8.6
+ rev: 1.9.0
 hooks:
 - id: bandit
 args:
 - --config=.bandit.yml
 - repo: https://github.com/psf/black-pre-commit-mirror
- rev: 25.1.0
+ rev: 25.11.0
 hooks:
 - id: black
 - repo: https://github.com/PyCQA/flake8
@@ -145,11 +145,11 @@ repos:
 additional_dependencies:
 - flake8-docstrings==1.7.0
 - repo: https://github.com/PyCQA/isort
- rev: 6.0.1
+ rev: 7.0.0
 hooks:
 - id: isort
 - repo: https://github.com/pre-commit/mirrors-mypy
- rev: v1.18.1
+ rev: v1.18.2
 hooks:
 - id: mypy
 - repo: https://github.com/pypa/pip-audit
@@ -165,13 +165,13 @@ repos:
 - --requirement
 - requirements.txt
 - repo: https://github.com/asottile/pyupgrade
- rev: v3.20.0
+ rev: v3.21.1
 hooks:
 - id: pyupgrade
 # Ansible hooks
 - repo: https://github.com/ansible/ansible-lint
- rev: v25.9.0
+ rev: v25.11.0
 hooks:
 - id: ansible-lint
 additional_dependencies:
@@ -215,7 +215,7 @@ repos:
 # Terraform hooks
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.100.0
+ rev: v1.103.0
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
From 2d88e72d0f403e64d43d8d1c240ad561475dce51 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Thu, 17 Jul 2025 12:50:32 -0400
Subject: [PATCH 20/41] Add a CodeQL badge to the README
We added a CodeQL configuration in #202 but did not add a badge.
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 22134a3..33fc585 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,7 @@
 [![GitHub Build Status](https://github.com/cisagov/skeleton-generic/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-generic/actions)
 [![License](https://img.shields.io/github/license/cisagov/skeleton-generic
 )](https://spdx.org/licenses/)
+[![CodeQL](https://github.com/cisagov/skeleton-generic/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-generic/actions/workflows/codeql-analysis.yml)
 This is a generic skeleton project that can be used to quickly get a new
 [cisagov](https://github.com/cisagov) GitHub project started.
From bb937739cb2b85343f5d053dd2bf3041d0ad671d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 17 Nov 2025 20:01:59 +0000
Subject: [PATCH 21/41] Bump hashicorp/aws from 6.15.0 to 6.21.0 in /terraform-build-user
Bumps [hashicorp/aws](https://github.com/hashicorp/terraform-provider-aws) from 6.15.0 to 6.21.0.
- [Release notes](https://github.com/hashicorp/terraform-provider-aws/releases)
- [Changelog](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/terraform-provider-aws/compare/v6.15.0...v6.21.0)
---
updated-dependencies:
- dependency-name: hashicorp/aws
dependency-version: 6.21.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
terraform-build-user/.terraform.lock.hcl | 32 ++++++++++++------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/terraform-build-user/.terraform.lock.hcl b/terraform-build-user/.terraform.lock.hcl
index 90e0ee9..32aa765 100644
--- a/terraform-build-user/.terraform.lock.hcl
+++ b/terraform-build-user/.terraform.lock.hcl
@@ -2,24 +2,24 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/aws" {
- version = "6.15.0"
+ version = "6.21.0"
 constraints = ">= 4.9.0, ~> 6.7"
 hashes = [
- "h1:fHH8H5xoptQywVxVEX0vsWYeBeKR1uuQJmaOfZirr54=",
- "zh:05a3d3b268761cd90cabd6106bff2bf27f480ab31305cd8ef8c749060855f84d",
- "zh:0edae750ebaee784624e41b1e18fe6179a513d63c5bb8fbffab4631391092b4f",
- "zh:17f3d20951662ffd6a610d9c7f44afa281db6f220685796147e4ffb6374cc8b8",
- "zh:373a5446fca3aeff76bc5637babd732d6c78d9a66c82a828a1b009e8b21f33bc",
- "zh:3ce69866d23b7d0bb5bfa06f5407147ed90713924cd65246858c414313a96ffc",
- "zh:40ab0ca19845890df706784bb62d9fc9961a15c23c894f0e9f89b66524c4be55",
- "zh:66bd5554c582c1f01c1a509eedf4a81c861065b48a49d1be3e3ea98a89b1f801",
- "zh:798b66f98cc8d8ff9c6844a8238d2639f951ef3956d412fb438708ba3e4ae9e3",
- "zh:943e5f918d3b470fbfb9ea1c8bcc3b97a8218a0842e77a0fdbac0941dd461cdf",
+ "h1:YfPC5vxQr014wnHI6tBqLxaHZcZQvkaVr19ipqXijdw=",
+ "zh:03b65e7d275a48bbe5de9aed2bcacf841ea0a85352744587729d179ceb227994",
+ "zh:1a50fc50365602769b6844c6eba920b5c6941161508c2ebd5c1a60f7577edd18",
+ "zh:1bcbf2575e462849baa01554be469ac68dbd43fe7929819ab43eb8a849605ce9",
+ "zh:28466d206962bfe00a32ecf0a4fa8553a5099521629fce010f486bae2a5f194f",
+ "zh:3627c098788e4fc3eb88271101717212f260aa117dad15e648bde6f2889d3536",
+ "zh:3f8ae239d1b60a5de3f089810728947c19854eff3c16f22c31e1c8b039dd93a0",
+ "zh:62201751f1fc46b6e2720e5d7ea6bab75b98a7eb1f4c3460c258106be5bc5495",
+ "zh:86c89c7dd5866fcb57c4d35e7ba6ec849caf70c2fdd2d23c9d05da919ec06c8b",
+ "zh:94186ec3908ce6e89eaf98767b6b1e40acfb258de9fe8c09f2a100eb5cfca597",
 "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
- "zh:9e95f017fae84d07d6cd627949715dbe8749d4d819c13c8b0bef1a679a26671b",
- "zh:aac7e07599a17fccbdd21b092a7741534af5bec60b492299f2bcd3d7279be4a9",
- "zh:c6292faaf05a6dc45e170f67f251aaad9b7e1159b5946219908dd11025f4146b",
- "zh:df892b9eca5ecfb3c0a0e829511aea7e6b30f08b862c7fba9de67d2ae9729983",
- "zh:fb8c5ff7296d01bf60d983c64f45969ec664a40bdd768d90a35a6afe7df1aeb7",
+ "zh:9d5863a6970735c9e428be91c301789c1e228a3105f711d77efe9c6056bb8295",
+ "zh:a94f9abe91656d68a0657d877665766931ae381825fa0b5121da26b3aa3ed15d",
+ "zh:df2b293078bb3d31b45bcc6e83c17e790dca40198b8d7069dc3e3b387146937f",
+ "zh:e7666954631899756e3bb428c64abcff1c94b7355f7d92eba29541c3d401e472",
+ "zh:f142320e9d4a5c663f6e9924abe05274bbbc4031700bac3387e0a67ec6c951ef",
 ]
 }
From f2169693746a2b802cbce0675e5018b940e183c4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 17 Nov 2025 20:02:09 +0000
Subject: [PATCH 22/41] Bump hashicorp/aws from 6.15.0 to 6.21.0 in /terraform-post-packer
Bumps [hashicorp/aws](https://github.com/hashicorp/terraform-provider-aws) from 6.15.0 to 6.21.0.
- [Release notes](https://github.com/hashicorp/terraform-provider-aws/releases)
- [Changelog](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/terraform-provider-aws/compare/v6.15.0...v6.21.0)
---
updated-dependencies:
- dependency-name: hashicorp/aws
dependency-version: 6.21.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
terraform-post-packer/.terraform.lock.hcl | 32 +++++++++++------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/terraform-post-packer/.terraform.lock.hcl b/terraform-post-packer/.terraform.lock.hcl
index 90e0ee9..32aa765 100644
--- a/terraform-post-packer/.terraform.lock.hcl
+++ b/terraform-post-packer/.terraform.lock.hcl
@@ -2,24 +2,24 @@
 # Manual edits may be lost in future updates.
 provider "registry.terraform.io/hashicorp/aws" {
- version = "6.15.0"
+ version = "6.21.0"
 constraints = ">= 4.9.0, ~> 6.7"
 hashes = [
- "h1:fHH8H5xoptQywVxVEX0vsWYeBeKR1uuQJmaOfZirr54=",
- "zh:05a3d3b268761cd90cabd6106bff2bf27f480ab31305cd8ef8c749060855f84d",
- "zh:0edae750ebaee784624e41b1e18fe6179a513d63c5bb8fbffab4631391092b4f",
- "zh:17f3d20951662ffd6a610d9c7f44afa281db6f220685796147e4ffb6374cc8b8",
- "zh:373a5446fca3aeff76bc5637babd732d6c78d9a66c82a828a1b009e8b21f33bc",
- "zh:3ce69866d23b7d0bb5bfa06f5407147ed90713924cd65246858c414313a96ffc",
- "zh:40ab0ca19845890df706784bb62d9fc9961a15c23c894f0e9f89b66524c4be55",
- "zh:66bd5554c582c1f01c1a509eedf4a81c861065b48a49d1be3e3ea98a89b1f801",
- "zh:798b66f98cc8d8ff9c6844a8238d2639f951ef3956d412fb438708ba3e4ae9e3",
- "zh:943e5f918d3b470fbfb9ea1c8bcc3b97a8218a0842e77a0fdbac0941dd461cdf",
+ "h1:YfPC5vxQr014wnHI6tBqLxaHZcZQvkaVr19ipqXijdw=",
+ "zh:03b65e7d275a48bbe5de9aed2bcacf841ea0a85352744587729d179ceb227994",
+ "zh:1a50fc50365602769b6844c6eba920b5c6941161508c2ebd5c1a60f7577edd18",
+ "zh:1bcbf2575e462849baa01554be469ac68dbd43fe7929819ab43eb8a849605ce9",
+ "zh:28466d206962bfe00a32ecf0a4fa8553a5099521629fce010f486bae2a5f194f",
+ "zh:3627c098788e4fc3eb88271101717212f260aa117dad15e648bde6f2889d3536",
+ "zh:3f8ae239d1b60a5de3f089810728947c19854eff3c16f22c31e1c8b039dd93a0",
+ "zh:62201751f1fc46b6e2720e5d7ea6bab75b98a7eb1f4c3460c258106be5bc5495",
+ "zh:86c89c7dd5866fcb57c4d35e7ba6ec849caf70c2fdd2d23c9d05da919ec06c8b",
+ "zh:94186ec3908ce6e89eaf98767b6b1e40acfb258de9fe8c09f2a100eb5cfca597",
 "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
- "zh:9e95f017fae84d07d6cd627949715dbe8749d4d819c13c8b0bef1a679a26671b",
- "zh:aac7e07599a17fccbdd21b092a7741534af5bec60b492299f2bcd3d7279be4a9",
- "zh:c6292faaf05a6dc45e170f67f251aaad9b7e1159b5946219908dd11025f4146b",
- "zh:df892b9eca5ecfb3c0a0e829511aea7e6b30f08b862c7fba9de67d2ae9729983",
- "zh:fb8c5ff7296d01bf60d983c64f45969ec664a40bdd768d90a35a6afe7df1aeb7",
+ "zh:9d5863a6970735c9e428be91c301789c1e228a3105f711d77efe9c6056bb8295",
+ "zh:a94f9abe91656d68a0657d877665766931ae381825fa0b5121da26b3aa3ed15d",
+ "zh:df2b293078bb3d31b45bcc6e83c17e790dca40198b8d7069dc3e3b387146937f",
+ "zh:e7666954631899756e3bb428c64abcff1c94b7355f7d92eba29541c3d401e472",
+ "zh:f142320e9d4a5c663f6e9924abe05274bbbc4031700bac3387e0a67ec6c951ef",
 ]
 }
From 2759cc5e4110bb170f5a2661b93b7b634265bb89 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Mon, 17 Nov 2025 22:16:49 -0500
Subject: [PATCH 23/41] Update Bandit pre-commit hook
The 1.9.0 release of Bandit was flawed due to a failure of the GHA workflows that publish to PyPI and Test PyPI. The 1.9.1 release resolved the issue.
---
.pre-commit-config.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f3570eb..93493c9 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -129,7 +129,7 @@ repos:
 # Python hooks
 - repo: https://github.com/PyCQA/bandit
- rev: 1.9.0
+ rev: 1.9.1
 hooks:
 - id: bandit
 - repo: https://github.com/psf/black-pre-commit-mirror
From 12101f04dca8475fd566b6ba40322fec219d0e64 Mon Sep 17 00:00:00 2001
From: Shane Frasier
Date: Tue, 18 Nov 2025 14:35:18 -0500
Subject: [PATCH 24/41] Revert "Move all Python tool configs to `pyproject.toml`"
---
.bandit.yml | 13 +++++++++++++
pyproject.toml => .flake8 | 18 +++---------------
.github/labeler.yml | 4 +++-
.isort.cfg | 10 ++++++++++
.pre-commit-config.yaml | 5 ++---
5 files changed, 31 insertions(+), 19 deletions(-)
create mode 100644 .bandit.yml
rename pyproject.toml => .flake8 (75%)
create mode 100644 .isort.cfg
diff --git a/.bandit.yml b/.bandit.yml
new file mode 100644
index 0000000..ab3cb21
--- /dev/null
+++ b/.bandit.yml
@@ -0,0 +1,13 @@
+---
+# Configuration file for the Bandit python security scanner
+# https://bandit.readthedocs.io/en/latest/config.html
+
+# Tests are first included by `tests`, and then excluded by `skips`.
+# If `tests` is empty, all tests are considered included.
+
+tests:
+# - B101
+# - B102
+
+skips:
+# - B101 # skip "assert used" check since assertions are required in pytests
diff --git a/pyproject.toml b/.flake8
similarity index 75%
rename from pyproject.toml
rename to .flake8
index eec000b..92ff826 100644
--- a/pyproject.toml
+++ b/.flake8
@@ -1,4 +1,4 @@
-[tool.flake8]
+[flake8]
 max-line-length = 80
 # Select (turn on)
 # * Complexity violations reported by mccabe (C) -
@@ -13,7 +13,7 @@ max-line-length = 80
 # https://github.com/PyCQA/flake8-bugbear#list-of-warnings
 # * The B950 flake8-bugbear opinionated warning -
 # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings
-select = ["C", "D", "E", "F", "W", "B", "B950"]
+select = C,D,E,F,W,B,B950
 # Ignore flake8's default warning about maximum line length, which has
 # a hard stop at the configured value. Instead we use
 # flake8-bugbear's B950, which allows up to 10% overage.
@@ -22,16 +22,4 @@ select = ["C", "D", "E", "F", "W", "B", "B950"]
 # operators. It no longer agrees with PEP8. See, for example, here:
 # https://github.com/ambv/black/issues/21. Guido agrees here:
 # https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b.
-extend-ignore = ["E501", "W503"]
-
-[tool.isort]
-combine_star = true
-force_sort_within_sections = true
-
-import_heading_stdlib = "Standard Python Libraries"
-import_heading_thirdparty = "Third-Party Libraries"
-import_heading_firstparty = "cisagov Libraries"
-
-# Run isort under the black profile to align with our other Python
-# linting
-profile = "black"
+ignore = E501,W503
diff --git a/.github/labeler.yml b/.github/labeler.yml
index ff74248..05478bd 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -61,9 +61,11 @@ test:
 - any-glob-to-any-file:
 # Add any test-related files or paths.
 - .ansible-lint
+ - .bandit.yml
+ - .flake8
+ - .isort.cfg
 - .mdl_config.yaml
 - .yamllint
- - pyproject.toml
 typescript:
 - changed-files:
 - any-glob-to-any-file:
diff --git a/.isort.cfg b/.isort.cfg
new file mode 100644
index 0000000..46d45f3
--- /dev/null
+++ b/.isort.cfg
@@ -0,0 +1,10 @@
+[settings]
+combine_star=true
+force_sort_within_sections=true
+
+import_heading_stdlib=Standard Python Libraries
+import_heading_thirdparty=Third-Party Libraries
+import_heading_firstparty=cisagov Libraries
+
+# Run isort under the black profile to align with our other Python linting
+profile=black
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 93493c9..471cdc3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -132,6 +132,8 @@ repos:
 rev: 1.9.1
 hooks:
 - id: bandit
+ args:
+ - --config=.bandit.yml
 - repo: https://github.com/psf/black-pre-commit-mirror
 rev: 25.11.0
 hooks:
@@ -142,9 +144,6 @@ repos:
 - id: flake8
 additional_dependencies:
 - flake8-docstrings==1.7.0
- # This is necessary to read the flake8 configuration from
- # the pyproject.toml file.
- - flake8-pyproject==1.2.3
 - repo: https://github.com/PyCQA/isort
 rev: 7.0.0
 hooks:
From 25dabee055af3ba42c02f614471ee2cb51342f84 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Wed, 19 Nov 2025 13:18:56 -0500
Subject: [PATCH 25/41] Keep two Bandit blocks in sync wrt version
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4bf5fc5..ef3b925 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -139,7 +139,7 @@ repos:
 - --config=.bandit.yml
 # Run bandit on everything except the "tests" tree
 - repo: https://github.com/PyCQA/bandit
- rev: 1.8.6
+ rev: 1.9.1
 hooks:
 - id: bandit
 name: bandit (everything else)
From 3713933197c77a6b3d6e528496040efd8ca90f84 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 5 Dec 2025 11:08:28 -0500
Subject: [PATCH 26/41] Ignore vulnerability when running pip-audit
We have to ignore this vulnerability since we need to pin to Ansible 10 for now to support our CyHy code that must still run on Debian Buster. This vulnerability is fixed in ansible>=12. This isn't a big deal since the vulnerability only impacts users of the Keycloak modules in ansible.community.general, and we don't use these modules.
---
 .pre-commit-config.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ef3b925..d9d4ef3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -172,6 +172,19 @@ repos:
 # cisagov/skeleton-packer#380 for more details.
 - --ignore-vuln
 - GHSA-99w6-3xph-cx78
+ # We have to ignore this vulnerability since we need to pin
+ # to ansible 10 for now to support our CyHy code that must
+ # still run on Debian Buster. This vulnerability is fixed
+ # in ansible>=12.
+ #
+ # This isn't a big deal since the vulnerability only impacts
+ # users of the Keycloak modules in
+ # ansible.community.general, and we don't use these modules.
+ #
+ # TODO: Remove this when it becomes possible. See
+ # cisagov/skeleton-packer#486 for more details.
+ - --ignore-vuln
+ - GHSA-8ggh-xwr9-3373
 # Add any pip requirements files to scan
 - --requirement
 - requirements-dev.txt
From 22a337d0fe4ffb1998963ee87956efa7734470f1 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Wed, 26 Nov 2025 09:30:21 -0500
Subject: [PATCH 27/41] Add --py310-plus argument to pyupgrade
Python 3.10 is currently the oldest non-EOL version of Python, so we want to apply all rules that apply to this version or later. See here for more details: https://www.gyford.com/phil/writing/2025/08/26/how-to-use-pyupgrade/
---
 .pre-commit-config.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d9d4ef3..1f3881d 100644
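Review bot: The new `--ignore-vuln` / `GHSA-8ggh-xwr9-3373` pair suppresses that advisory for every package pip-audit scans and for as long as the argument remains, while the justification in the comment (Ansible 10 must stay pinned for Debian Buster; the Keycloak modules are unused) lives only here and nothing links it to the `ansible>=10,<11` pin elsewhere in this file. When that pin is eventually lifted the ignore can silently outlive its reason, and the "we don't use these modules" claim is not re-checked by any tooling. A cross-reference at the pin, e.g. `# The pip-audit ignore of GHSA-8ggh-xwr9-3373 exists only because of this pin; remove both together (cisagov/skeleton-packer#486).`, keeps the two reviewed as a unit. The `args:` list these lines belong to begins before the hunk.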
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -196,6 +196,12 @@ repos:
 rev: v3.21.1
 hooks:
 - id: pyupgrade
+ args:
+ # Python 3.10 is currently the oldest non-EOL version of
+ # Python, so we want to apply all rules that apply to this
+ # version or later. See here for more details:
+ # https://www.gyford.com/phil/writing/2025/08/26/how-to-use-pyupgrade/
+ - --py310-plus
 
 # Ansible hooks
 - repo: https://github.com/ansible/ansible-lint
From 270ab7a91665dbfa337280d113b485e624863c62 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Mon, 24 Nov 2025 21:55:42 -0500
Subject: [PATCH 28/41] Upgrade the ansible-line pre-commit hook
This is necessary for cisagov/skeleton-ansible-role#243 (Fedora 43 support). See here for more details about this release: https://github.com/ansible/ansible-lint/releases/tag/v25.11.1
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1f3881d..2fdafa6 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -205,7 +205,7 @@ repos:
 
 # Ansible hooks
 - repo: https://github.com/ansible/ansible-lint
- rev: v25.11.0
+ rev: v25.11.1
 hooks:
 - id: ansible-lint
 additional_dependencies:
From ab1d12c7b753e6600a1d96a4cfaa611e68277e30 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Nov 2025 18:37:26 +0000
Subject: [PATCH 29/41] Bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ...
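Review bot: The comment above `- --py310-plus` justifies the flag with a dated fact ("Python 3.10 is currently the oldest non-EOL version"), which stops being true on its own schedule without any change to this file and gives a later reader no pointer to what the flag must actually track. Tie it to the project's support floor instead, e.g. `# Match the oldest Python version this project supports (3.10 today); bump --pyXY-plus whenever that floor moves.`, and keep the external link if it is still wanted. The pyupgrade `- repo:` entry this `args:` list belongs to starts before the hunk.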
Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/sync-labels.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5e59a2e..aab22ad 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -108,7 +108,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@v1 - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - id: setup-python uses: actions/setup-python@v6 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ac19c95..5458e86 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -113,7 +113,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index bc859d1..580fa9c 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -89,7 +89,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: checkout-repo name: Checkout the repository - uses: actions/checkout@v5 + uses: actions/checkout@v6 - id: dependency-review name: Review dependency changes for vulnerabilities and license changes uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 19e0129..f60bc84 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml 
@@ -84,7 +84,7 @@ jobs: # monitoring configuration *does not* require you to modify # this workflow. permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Sync repository labels if: success() uses: crazy-max/ghaction-github-labeler@v5 From 57008ccbe3d8ea7ce003d4bce185517212c44fe6 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 5 Dec 2025 12:19:20 -0500 Subject: [PATCH 30/41] Remove comments that are no longer relevant --- .pre-commit-config.yaml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2fdafa6..382a74c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -221,22 +221,7 @@ repos: # hook identifies a vulnerability in ansible-core 2.16.13, # but all versions of ansible 9 have a dependency on # ~=2.16.X. - # - # It is also a good idea to go ahead and upgrade to version - # 10 since version 9 is going EOL at the end of November: - # https://endoflife.date/ansible # - ansible>=10,<11 - # ansible-core 2.16.3 through 2.16.6 suffer from the bug - # discussed in ansible/ansible#82702, which breaks any - # symlinked files in vars, tasks, etc. for any Ansible role - # installed via ansible-galaxy. Hence we never want to - # install those versions. - # - # Note that the pip-audit pre-commit hook identifies a - # vulnerability in ansible-core 2.16.13. The pin of - # ansible-core to >=2.17 effectively also pins ansible to - # >=10. - # # It is also a good idea to go ahead and upgrade to # ansible-core 2.17 since security support for ansible-core # 2.16 ends this month: From f9ee243785acbb4fb22ec94ea38b9b9a668c1fd4 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 5 Dec 2025 12:20:29 -0500 Subject: [PATCH 31/41] Pin ansible-core to 2.17.7 or later ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78. --- .pre-commit-config.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 382a74c..bca8f96 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -222,15 +222,12 @@ repos:
 # but all versions of ansible 9 have a dependency on
 # ~=2.16.X.
 #
 - ansible>=10,<11
- # It is also a good idea to go ahead and upgrade to
- # ansible-core 2.17 since security support for ansible-core
- # 2.16 ends this month:
- # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+ # ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.
 #
 # Note that any changes made to this dependency must also be
 # made in requirements.txt in cisagov/skeleton-packer and
 # requirements-test.txt in cisagov/skeleton-ansible-role.
- - ansible-core>=2.17
+ - ansible-core>=2.17.7
 # Terraform hooks
 - repo: https://github.com/antonbabenko/pre-commit-terraform
From c85778361b710c0d13322b75a13da52b64f1a184 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 5 Dec 2025 14:25:02 -0500
Subject: [PATCH 32/41] Upgrade to actions/checkout@v6
---
 .github/workflows/build.yml | 4 ++--
 .github/workflows/prerelease.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index aab22ad..8532911 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -246,7 +246,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: setup-env
 uses: cisagov/setup-env-github-action@v1
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - id: setup-python
 uses: actions/setup-python@v6
 with:
@@ -324,7 +324,7 @@ jobs:
 permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 - id: setup-env
 uses: cisagov/setup-env-github-action@v1
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 - id: setup-python
 uses: actions/setup-python@v6
 with:
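Review bot: `- ansible-core>=2.17.7` is presented as the fix for GHSA-99w6-3xph-cx78, but at this commit the pip-audit hook earlier in the same file still passes `--ignore-vuln` / `GHSA-99w6-3xph-cx78` (added when no fix existed), so pip-audit cannot confirm that the new floor actually clears the finding; the series only drops that ignore later, in PATCH 36. The pin and the ignore removal belong in one change so they cannot drift apart, and PATCH 34 applies the same pin to requirements.txt, which the same global ignore masks. The `additional_dependencies:` list this line belongs to starts before the hunk.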
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 40c8ea7..f6dbc37 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -98,7 +98,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@v1 - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - id: setup-python uses: actions/setup-python@v6 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 06a9572..ff5ccba 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -105,7 +105,7 @@ jobs: permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: setup-env uses: cisagov/setup-env-github-action@v1 - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - id: setup-python uses: actions/setup-python@v6 with: From 344149a01be9aee4876ddb2d3be12eb074a6e25b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 5 Dec 2025 14:29:51 -0500 Subject: [PATCH 33/41] Remove comments that are no longer relevant --- requirements.txt | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/requirements.txt b/requirements.txt index d949179..f89f24f 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1,36 +1,12 @@ -# With the release of version 2.10, Ansible finally correctly -# identifies Kali Linux as being the Kali distribution of the Debian -# OS family. This simplifies a lot of things for roles that support -# Kali Linux, so it makes sense to force the installation of Ansible -# 2.10 or newer. -# -# We need at least version 6 to correctly identify Amazon Linux 2023 -# as using the dnf package manager, and version 8 is currently the -# oldest supported version. -# # Version 10 is required because the pip-audit pre-commit hook # identifies a vulnerability in ansible-core 2.16.13, but all versions # of ansible 9 have a dependency on ~=2.16.X. # -# It is also a good idea to go ahead and upgrade to version 10 since -# version 9 is going EOL at the end of November: -# https://endoflife.date/ansible -# # We have tested against version 10. We want to avoid automatically # jumping to another major version without testing, since there are # often breaking changes across major versions. This is the reason # for the upper bound. ansible>=10,<11 -# ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in -# ansible/ansible#82702, which breaks any symlinked files in vars, -# tasks, etc. for any Ansible role installed via ansible-galaxy. -# Hence we never want to install those versions. -# -# Note that the pip-audit pre-commit hook identifies a vulnerability -# in ansible-core 2.16.13. Normally we would pin ansible-core -# accordingly (>2.16.13), but the above pin of ansible>=10 effectively -# pins ansible-core to >=2.17 anyway so that's what we use. -# # It is also a good idea to go ahead and upgrade to ansible-core 2.17 # since security support for ansible-core 2.16 ends this month: # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix From 49da8d8369a8c0ccbe44d24f977b3cbf048d0700 Mon Sep 17 00:00:00 2001 
From: Jeremy Frasier
Date: Fri, 5 Dec 2025 14:30:49 -0500
Subject: [PATCH 34/41] Pin ansible-core to 2.17.7 or later
ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.
---
 requirements.txt | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index f89f24f..9aa635e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,14 +7,12 @@
 # often breaking changes across major versions. This is the reason
 # for the upper bound.
 ansible>=10,<11
-# It is also a good idea to go ahead and upgrade to ansible-core 2.17
-# since security support for ansible-core 2.16 ends this month:
-# https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+# ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.
 #
 # Note that any changes made to this dependency must also be made in
 # requirements-test.txt in cisagov/skeleton-ansible-role and
 # .pre-commit-config.yaml in cisagov/skeleton-generic.
-ansible-core>=2.17
+ansible-core>=2.17.7
 boto3
 docopt
 # The bump-version script requires at least version 3 of semver.
From 7fdeca30658b43ca3c5f4bcff966c4a71264f24f Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 5 Dec 2025 14:36:18 -0500
Subject: [PATCH 35/41] Bump version from 3.0.0 to 3.0.1-rc.1
---
 version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version.txt b/version.txt
index 4a36342..cc9d86d 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-3.0.0
+3.0.1-rc.1
From e59f3ecccb17c57e5bf35f81c94f1e05e4207cec Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 5 Dec 2025 15:41:27 -0500
Subject: [PATCH 36/41] Stop ignoring vulnerability when running pip-audit
Pinning ansible-core to >=2.17.7 removes the need to ignore this vulnerability.
---
 .pre-commit-config.yaml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bca8f96..184218d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -167,11 +167,6 @@ repos:
 hooks:
 - id: pip-audit
 args:
- # We have to ignore this particular vulnerability in
- # ansible-core>=2.11 as there is currently no fix. See
- # cisagov/skeleton-packer#380 for more details.
- - --ignore-vuln
- - GHSA-99w6-3xph-cx78
 # We have to ignore this vulnerability since we need to pin
 # to ansible 10 for now to support our CyHy code that must
 # still run on Debian Buster. This vulnerability is fixed
From 02a55ca12d7dcbdc45db182ae4db4842d4a90164 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Mon, 8 Dec 2025 10:42:42 -0500
Subject: [PATCH 37/41] Finalize version from 3.0.1-rc.1 to 3.0.1
---
 version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version.txt b/version.txt
index cc9d86d..cb2b00e 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-3.0.1-rc.1
+3.0.1
From d3d54afba0459ca2613577baf1d4895c74c86bee Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Dec 2025 20:01:55 +0000
Subject: [PATCH 38/41] Bump hashicorp/aws from 6.21.0 to 6.25.0 in /terraform-build-user
Bumps [hashicorp/aws](https://github.com/hashicorp/terraform-provider-aws) from 6.21.0 to 6.25.0. - [Release notes](https://github.com/hashicorp/terraform-provider-aws/releases) - [Changelog](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/terraform-provider-aws/compare/v6.21.0...v6.25.0) --- updated-dependencies: - dependency-name: hashicorp/aws dependency-version: 6.25.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot]
---
 terraform-build-user/.terraform.lock.hcl | 32 ++++++++++++------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/terraform-build-user/.terraform.lock.hcl b/terraform-build-user/.terraform.lock.hcl
index 32aa765..bff9dfa 100644
--- a/terraform-build-user/.terraform.lock.hcl
+++ b/terraform-build-user/.terraform.lock.hcl 
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "6.21.0" + version = "6.25.0" constraints = ">= 4.9.0, ~> 6.7" hashes = [ - "h1:YfPC5vxQr014wnHI6tBqLxaHZcZQvkaVr19ipqXijdw=", - "zh:03b65e7d275a48bbe5de9aed2bcacf841ea0a85352744587729d179ceb227994", - "zh:1a50fc50365602769b6844c6eba920b5c6941161508c2ebd5c1a60f7577edd18", - "zh:1bcbf2575e462849baa01554be469ac68dbd43fe7929819ab43eb8a849605ce9", - "zh:28466d206962bfe00a32ecf0a4fa8553a5099521629fce010f486bae2a5f194f", - "zh:3627c098788e4fc3eb88271101717212f260aa117dad15e648bde6f2889d3536", - "zh:3f8ae239d1b60a5de3f089810728947c19854eff3c16f22c31e1c8b039dd93a0", - "zh:62201751f1fc46b6e2720e5d7ea6bab75b98a7eb1f4c3460c258106be5bc5495", - "zh:86c89c7dd5866fcb57c4d35e7ba6ec849caf70c2fdd2d23c9d05da919ec06c8b", - "zh:94186ec3908ce6e89eaf98767b6b1e40acfb258de9fe8c09f2a100eb5cfca597", + "h1:0XEc9eHELD/BtPNybqkzzaS3bYp2HSv9LwAfaGyCpOU=", + "zh:0f9621f719ec2051eabb94ca59aa4f13574487fbc1517b183293431c9d388e38", + "zh:2ffbedb2e3afcd82da8bfc540bd74e9611527bdafd00d6d1885f62e7d13bac74", + "zh:30fb4ab8b4af19da7b9ce95cb41fa9399f81383e1adc91801b770e7eeab651c3", + "zh:377cbaffe3ec8aa5bb594071df0e91f17ac9292a325ed73cebd69fe78c51f7ec", + "zh:3b65f5c98e03f1bfc5b71fa69521e785552ff9656860b25e211287910874037d", + "zh:4478fab7b111c40a9a2a9db6ec5331618cc8e5a8b591f651095c77b87e9f22b1", + "zh:4fdaa559c57aed5d24fa3d5cb59fed59e1e689c21d038fd336a3ba93b258803f", + "zh:7a751ecd0f2654746dd4041d0f6d894c3a1876a152ba4bb7805ec2c715259065", + "zh:866725b83f8d5587dab0559ac208ee6c181746871faa99ce551b535e19c7bb6a", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9d5863a6970735c9e428be91c301789c1e228a3105f711d77efe9c6056bb8295", - "zh:a94f9abe91656d68a0657d877665766931ae381825fa0b5121da26b3aa3ed15d", - "zh:df2b293078bb3d31b45bcc6e83c17e790dca40198b8d7069dc3e3b387146937f", - "zh:e7666954631899756e3bb428c64abcff1c94b7355f7d92eba29541c3d401e472", - 
"zh:f142320e9d4a5c663f6e9924abe05274bbbc4031700bac3387e0a67ec6c951ef", + "zh:b16e3e2a8ccba4ceeeee961c708ef572c4a65e0001eaf09d08fa14cef01ab179", + "zh:dc897b2037bbb7f8d6456a4aa1ed82cbd4daddb173a184efdfe8c03a57557771", + "zh:de2344f23c980093a46dda3185f9052cda950d1b8ca9cf3c6e16b8c45fa23779", + "zh:ef538ec8a917715a1804c6735d44b756c32972d4fab71e15df87a59eb75dd57c", + "zh:f25cdfdac6798e7de4a1d3dd577a97c1ca200a12317a1fd5a4b9ea54cb05e868", ] } From 0fc76cc8c8b7ca36af15cc8c5ba5c2d741c621fc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Dec 2025 20:01:56 +0000 Subject: [PATCH 39/41] Bump hashicorp/aws from 6.21.0 to 6.25.0 in /terraform-post-packer Bumps [hashicorp/aws](https://github.com/hashicorp/terraform-provider-aws) from 6.21.0 to 6.25.0. - [Release notes](https://github.com/hashicorp/terraform-provider-aws/releases) - [Changelog](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/terraform-provider-aws/compare/v6.21.0...v6.25.0) --- updated-dependencies: - dependency-name: hashicorp/aws dependency-version: 6.25.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- terraform-post-packer/.terraform.lock.hcl | 32 +++++++++++------------ 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/terraform-post-packer/.terraform.lock.hcl b/terraform-post-packer/.terraform.lock.hcl index 32aa765..bff9dfa 100644 --- a/terraform-post-packer/.terraform.lock.hcl +++ b/terraform-post-packer/.terraform.lock.hcl 
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "6.21.0" + version = "6.25.0" constraints = ">= 4.9.0, ~> 6.7" hashes = [ - "h1:YfPC5vxQr014wnHI6tBqLxaHZcZQvkaVr19ipqXijdw=", - "zh:03b65e7d275a48bbe5de9aed2bcacf841ea0a85352744587729d179ceb227994", - "zh:1a50fc50365602769b6844c6eba920b5c6941161508c2ebd5c1a60f7577edd18", - "zh:1bcbf2575e462849baa01554be469ac68dbd43fe7929819ab43eb8a849605ce9", - "zh:28466d206962bfe00a32ecf0a4fa8553a5099521629fce010f486bae2a5f194f", - "zh:3627c098788e4fc3eb88271101717212f260aa117dad15e648bde6f2889d3536", - "zh:3f8ae239d1b60a5de3f089810728947c19854eff3c16f22c31e1c8b039dd93a0", - "zh:62201751f1fc46b6e2720e5d7ea6bab75b98a7eb1f4c3460c258106be5bc5495", - "zh:86c89c7dd5866fcb57c4d35e7ba6ec849caf70c2fdd2d23c9d05da919ec06c8b", - "zh:94186ec3908ce6e89eaf98767b6b1e40acfb258de9fe8c09f2a100eb5cfca597", + "h1:0XEc9eHELD/BtPNybqkzzaS3bYp2HSv9LwAfaGyCpOU=", + "zh:0f9621f719ec2051eabb94ca59aa4f13574487fbc1517b183293431c9d388e38", + "zh:2ffbedb2e3afcd82da8bfc540bd74e9611527bdafd00d6d1885f62e7d13bac74", + "zh:30fb4ab8b4af19da7b9ce95cb41fa9399f81383e1adc91801b770e7eeab651c3", + "zh:377cbaffe3ec8aa5bb594071df0e91f17ac9292a325ed73cebd69fe78c51f7ec", + "zh:3b65f5c98e03f1bfc5b71fa69521e785552ff9656860b25e211287910874037d", + "zh:4478fab7b111c40a9a2a9db6ec5331618cc8e5a8b591f651095c77b87e9f22b1", + "zh:4fdaa559c57aed5d24fa3d5cb59fed59e1e689c21d038fd336a3ba93b258803f", + "zh:7a751ecd0f2654746dd4041d0f6d894c3a1876a152ba4bb7805ec2c715259065", + "zh:866725b83f8d5587dab0559ac208ee6c181746871faa99ce551b535e19c7bb6a", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9d5863a6970735c9e428be91c301789c1e228a3105f711d77efe9c6056bb8295", - "zh:a94f9abe91656d68a0657d877665766931ae381825fa0b5121da26b3aa3ed15d", - "zh:df2b293078bb3d31b45bcc6e83c17e790dca40198b8d7069dc3e3b387146937f", - "zh:e7666954631899756e3bb428c64abcff1c94b7355f7d92eba29541c3d401e472", - 
"zh:f142320e9d4a5c663f6e9924abe05274bbbc4031700bac3387e0a67ec6c951ef", + "zh:b16e3e2a8ccba4ceeeee961c708ef572c4a65e0001eaf09d08fa14cef01ab179", + "zh:dc897b2037bbb7f8d6456a4aa1ed82cbd4daddb173a184efdfe8c03a57557771", + "zh:de2344f23c980093a46dda3185f9052cda950d1b8ca9cf3c6e16b8c45fa23779", + "zh:ef538ec8a917715a1804c6735d44b756c32972d4fab71e15df87a59eb75dd57c", + "zh:f25cdfdac6798e7de4a1d3dd577a97c1ca200a12317a1fd5a4b9ea54cb05e868", ] } From 755cbd375d3f12ace93ded3d67a4d62d4576d2c3 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 9 Dec 2025 11:22:14 -0500 Subject: [PATCH 40/41] Bump version from 2.0.0 to 2.0.1-rc.1 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 227cea2..e9036af 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -2.0.0 +2.0.1-rc.1 From 18b6f82466dc305fd4a95f188b3ea5ed69528683 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 10 Dec 2025 15:12:03 -0500 Subject: [PATCH 41/41] Finalize version from 2.0.1-rc.1 to 2.0.1 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index e9036af..38f77a6 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -2.0.1-rc.1 +2.0.1