diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0d3fbbd..1410a9f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,6 +5,8 @@ on: # yamllint disable-line rule:truthy
 merge_group:
 types:
 - checks_requested
+ # We use the default activity types for the pull_request event as specified here:
+ # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
 pull_request:
 push:
 repository_dispatch:
@@ -126,18 +128,20 @@ jobs:
 name: Lookup Go cache directory
 run: |
 echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
- - uses: actions/cache@v4
+ - uses: actions/cache@v5
 env:
- BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\
- py${{ steps.setup-python.outputs.python-version }}-\
- go${{ steps.setup-go.outputs.go-version }}-\
- packer${{ steps.setup-env.outputs.packer-version }}-\
- tf${{ steps.setup-env.outputs.terraform-version }}-
+ BASE_CACHE_KEY: >-
+ ${{ github.job }}-${{ runner.os
+ }}-py${{ steps.setup-python.outputs.python-version
+ }}-go${{ steps.setup-go.outputs.go-version
+ }}-packer${{ steps.setup-env.outputs.packer-version
+ }}-tf${{ steps.setup-env.outputs.terraform-version }}-
 with:
- key: ${{ env.BASE_CACHE_KEY }}\
- ${{ hashFiles('**/requirements-test.txt') }}-\
- ${{ hashFiles('**/requirements.txt') }}-\
- ${{ hashFiles('**/.pre-commit-config.yaml') }}
+ key: >-
+ ${{ env.BASE_CACHE_KEY }}${{
+ hashFiles('**/requirements-test.txt') }}-${{
+ hashFiles('**/requirements.txt') }}-${{
+ hashFiles('**/.pre-commit-config.yaml') }}
 # Note that the .terraform directory IS NOT included in the
 # cache because if we were caching, then we would need to use
 # the `-upgrade=true` option. This option blindly pulls down the
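Review bot: The folded `>-` scalars for `BASE_CACHE_KEY` and `key` in this hunk only produce a whitespace-free cache key because every line break is placed inside a `${{ … }}` expression, where the space that folding inserts is ignored by the expression parser; a future reflow that breaks a line outside the braces would silently put a literal space into the key. Nothing in the hunk records that constraint, so a comment above `BASE_CACHE_KEY` such as `# Line breaks below must fall inside ${{ }} so the space that folding inserts is absorbed by the expression` would protect the next editor. The removed plain-scalar form presumably kept the trailing `\` and the folded space as literal characters, so the new keys differ from the old ones and the first run after merge is expected to miss the cache; that is worth saying in the commit message or a comment. The same pattern appears in the later build.yml cache hunks and in the prerelease.yml and release.yml hunks. The enclosing job's steps begin and end outside the hunk.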
@@ -195,7 +199,7 @@ jobs:
 -o $(go env GOPATH)/bin/terraform-docs
 - name: Install dependencies
 run: |
- python -m pip install --upgrade pip setuptools wheel
+ python -m pip install --upgrade pip setuptools
 pip install --upgrade --requirement requirements-test.txt
 - name: Install Ansible roles
 run: ansible-galaxy install --force --role-file ansible/requirements.yml
@@ -251,17 +255,19 @@ jobs:
 uses: actions/setup-python@v6
 with:
 python-version: ${{ steps.setup-env.outputs.python-version }}
- - uses: actions/cache@v4
+ - uses: actions/cache@v5
 env:
- BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\
- py${{ steps.setup-python.outputs.python-version }}-\
- packer${{ steps.setup-env.outputs.packer-version }}-
+ BASE_CACHE_KEY: >-
+ ${{ github.job }}-${{ runner.os }}-py${{
+ steps.setup-python.outputs.python-version }}-packer${{
+ steps.setup-env.outputs.packer-version }}-
 with:
 path: |
 ${{ env.PIP_CACHE_DIR }}
- key: ${{ env.BASE_CACHE_KEY }}\
- ${{ hashFiles('**/requirements-test.txt') }}-\
- ${{ hashFiles('**/requirements.txt') }}
+ key: >-
+ ${{ env.BASE_CACHE_KEY }}${{
+ hashFiles('**/requirements-test.txt') }}-${{
+ hashFiles('**/requirements.txt') }}
 restore-keys: |
 ${{ env.BASE_CACHE_KEY }}
 - uses: hashicorp/setup-packer@v3
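Review bot: Dropping `wheel` from the `python -m pip install --upgrade pip setuptools` line in the Install dependencies step leaves no record of why that is safe; presumably it relies on setuptools providing its own `bdist_wheel` (this commit raises the floor to `setuptools>=70.1` in requirements.txt), but this step installs whatever setuptools pip resolves, not that floor. A one-line comment above the step, `# wheel is no longer installed here: setuptools>=70.1 (see requirements.txt) ships bdist_wheel itself`, would tie the two changes together. The same removal is made in setup-env without a comment. The step's surrounding job is outside the hunk.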
@@ -329,17 +335,19 @@ jobs:
 uses: actions/setup-python@v6
 with:
 python-version: ${{ steps.setup-env.outputs.python-version }}
- - uses: actions/cache@v4
+ - uses: actions/cache@v5
 env:
- BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\
- py${{ steps.setup-python.outputs.python-version }}-\
- packer${{ steps.setup-env.outputs.packer-version }}-\
- tf-${{ steps.setup-env.outputs.terraform-version }}-
+ BASE_CACHE_KEY: >-
+ ${{ github.job }}-${{ runner.os }}-py${{
+ steps.setup-python.outputs.python-version }}-packer${{
+ steps.setup-env.outputs.packer-version }}-tf-${{
+ steps.setup-env.outputs.terraform-version }}-
 with:
 path: |
 ${{ env.PIP_CACHE_DIR }}
- key: ${{ env.BASE_CACHE_KEY }}\
- ${{ hashFiles('**/requirements.txt') }}
+ key: >-
+ ${{ env.BASE_CACHE_KEY }}${{
+ hashFiles('**/requirements.txt') }}
 restore-keys: |
 ${{ env.BASE_CACHE_KEY }}
 - uses: hashicorp/setup-packer@v3
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 5458e86..68ac7da 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -12,6 +12,8 @@ on:
 merge_group:
 types:
 - checks_requested
+ # We use the default activity types for the pull_request event as specified here:
+ # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
 pull_request:
 # The branches here must be a subset of the ones in the push key
 branches:
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 580fa9c..2b71638 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -5,6 +5,8 @@ on: # yamllint disable-line rule:truthy
 merge_group:
 types:
 - checks_requested
+ # We use the default activity types for the pull_request event as specified here:
+ # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
 pull_request:
 # Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml
index 412cc4a..45d317b 100644
--- a/.github/workflows/label-prs.yml
+++ b/.github/workflows/label-prs.yml
@@ -2,11 +2,9 @@ name: Label pull requests
 on: # yamllint disable-line rule:truthy
+ # We use the default activity types for the pull_request event as specified here:
+ # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
 pull_request:
- types:
- - edited
- - opened
- - synchronize
 # Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
 # nounset, errexit, and pipefail. The `-x` will print all commands as they are
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index fe55f58..f07856d 100644
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
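Review bot: Removing the explicit `types:` list under `pull_request:` in label-prs.yml changes which events run the labeler, not just how the trigger is documented: the default `pull_request` activity types are `opened`, `synchronize` and `reopened`, so the workflow stops running on `edited` and starts running on `reopened`. If the labeling rules depend on the PR title or body, an edit to those will no longer be relabeled, which the other workflows in this commit do not have to care about. If that is intended, the new comment should say so, e.g. `# Note that this drops the edited type, so title/body edits no longer re-run labeling`. The rest of the workflow is outside the hunk.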
@@ -103,17 +103,19 @@ jobs:
 uses: actions/setup-python@v6
 with:
 python-version: ${{ steps.setup-env.outputs.python-version }}
- - uses: actions/cache@v4
+ - uses: actions/cache@v5
 env:
- BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\
- py${{ steps.setup-python.outputs.python-version }}-\
- packer${{ steps.setup-env.outputs.packer-version }}-\
- tf-${{ steps.setup-env.outputs.terraform-version }}-
+ BASE_CACHE_KEY: >-
+ ${{ github.job }}-${{ runner.os }}-py${{
+ steps.setup-python.outputs.python-version }}-packer${{
+ steps.setup-env.outputs.packer-version }}-tf-${{
+ steps.setup-env.outputs.terraform-version }}-
 with:
 path: |
 ${{ env.PIP_CACHE_DIR }}
- key: ${{ env.BASE_CACHE_KEY }}\
- ${{ hashFiles('**/requirements.txt') }}
+ key: >-
+ ${{ env.BASE_CACHE_KEY }}${{
+ hashFiles('**/requirements.txt') }}
 restore-keys: |
 ${{ env.BASE_CACHE_KEY }}
 - uses: hashicorp/setup-packer@v3
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2cb5860..52c3dfd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -110,17 +110,19 @@ jobs:
 uses: actions/setup-python@v6
 with:
 python-version: ${{ steps.setup-env.outputs.python-version }}
- - uses: actions/cache@v4
+ - uses: actions/cache@v5
 env:
- BASE_CACHE_KEY: ${{ github.job }}-${{ runner.os }}-\
- py${{ steps.setup-python.outputs.python-version }}-\
- packer${{ steps.setup-env.outputs.packer-version }}-\
- tf-${{ steps.setup-env.outputs.terraform-version }}-
+ BASE_CACHE_KEY: >-
+ ${{ github.job }}-${{ runner.os }}-py${{
+ steps.setup-python.outputs.python-version }}-packer${{
+ steps.setup-env.outputs.packer-version }}-tf-${{
+ steps.setup-env.outputs.terraform-version }}-
 with:
 path: |
 ${{ env.PIP_CACHE_DIR }}
- key: ${{ env.BASE_CACHE_KEY }}\
- ${{ hashFiles('**/requirements.txt') }}
+ key: >-
+ ${{ env.BASE_CACHE_KEY }}${{
+ hashFiles('**/requirements.txt') }}
 restore-keys: |
 ${{ env.BASE_CACHE_KEY }}
 - uses: hashicorp/setup-packer@v3
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ec44f7b..43f4d6c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -45,17 +45,17 @@ repos:
 # Text file hooks
 - repo: https://github.com/igorshubovych/markdownlint-cli
- rev: v0.45.0
+ rev: v0.47.0
 hooks:
 - id: markdownlint
 args:
 - --config=.mdl_config.yaml
 - repo: https://github.com/rbubley/mirrors-prettier
- rev: v3.6.2
+ rev: v3.8.1
 hooks:
 - id: prettier
 - repo: https://github.com/adrienverge/yamllint
- rev: v1.37.1
+ rev: v1.38.0
 hooks:
 - id: yamllint
 args:
@@ -63,14 +63,14 @@ repos:
 # GitHub Actions hooks
 - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.35.0
+ rev: 0.36.2
 hooks:
 - id: check-github-actions
 - id: check-github-workflows
 # pre-commit hooks
 - repo: https://github.com/pre-commit/pre-commit
- rev: v4.4.0
+ rev: v4.5.1
 hooks:
 - id: validate_manifest
@@ -130,7 +130,7 @@ repos:
 # Python hooks
 # Run bandit on the "tests" tree with a configuration
 - repo: https://github.com/PyCQA/bandit
- rev: 1.9.1
+ rev: 1.9.3
 hooks:
 - id: bandit
 name: bandit (tests tree)
@@ -139,13 +139,13 @@ repos:
 - --config=.bandit.yml
 # Run bandit on everything except the "tests" tree
 - repo: https://github.com/PyCQA/bandit
- rev: 1.9.1
+ rev: 1.9.3
 hooks:
 - id: bandit
 name: bandit (everything else)
 exclude: tests
 - repo: https://github.com/psf/black-pre-commit-mirror
- rev: 25.11.0
+ rev: 26.1.0
 hooks:
 - id: black
 - repo: https://github.com/PyCQA/flake8
@@ -155,15 +155,15 @@ repos:
 additional_dependencies:
 - flake8-docstrings==1.7.0
 - repo: https://github.com/PyCQA/isort
- rev: 7.0.0
+ rev: 8.0.0
 hooks:
 - id: isort
 - repo: https://github.com/pre-commit/mirrors-mypy
- rev: v1.18.2
+ rev: v1.19.1
 hooks:
 - id: mypy
 - repo: https://github.com/pypa/pip-audit
- rev: v2.9.0
+ rev: v2.10.0
 hooks:
 - id: pip-audit
 args:
@@ -188,7 +188,7 @@ repos:
 - --requirement
 - requirements.txt
 - repo: https://github.com/asottile/pyupgrade
- rev: v3.21.1
+ rev: v3.21.2
 hooks:
 - id: pyupgrade
 args:
@@ -200,7 +200,7 @@ repos:
 # Ansible hooks
 - repo: https://github.com/ansible/ansible-lint
- rev: v25.11.1
+ rev: v26.1.1
 hooks:
 - id: ansible-lint
 additional_dependencies:
@@ -226,7 +226,7 @@ repos:
 # Terraform hooks
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.103.0
+ rev: v1.105.0
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
diff --git a/README.md b/README.md
index 3108820..fc03983 100644
--- a/README.md
+++ b/README.md
@@ -267,7 +267,7 @@ No requirements.
 ## Providers ##
 | Name | Version |
-|------|---------|
+| ---- | ------- |
 | amazon-ami | n/a |
 ## Modules ##
@@ -277,14 +277,14 @@ No modules.
 ## Resources ##
 | Name | Type |
-|------|------|
+| ---- | ---- |
 | [amazon-ami_amazon-ami.debian_trixie_arm64](https://registry.terraform.io/providers/hashicorp/amazon-ami/latest/docs/data-sources/amazon-ami) | data source |
 | [amazon-ami_amazon-ami.debian_trixie_x86_64](https://registry.terraform.io/providers/hashicorp/amazon-ami/latest/docs/data-sources/amazon-ami) | data source |
 ## Inputs ##
 | Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
+| ---- | ----------- | ---- | ------- | :------: |
 | ami\_regions | The list of AWS regions to copy the AMI to once it has been created. Example: ["us-east-1"] | `list(string)` | `[]` | no |
 | build\_region | The region in which to retrieve the base AMI from and build the new AMI. | `string` | `"us-east-1"` | no |
 | build\_region\_kms | The ID or ARN of the KMS key to use for AMI encryption. | `string` | `"alias/cool-amis"` | no |
diff --git a/requirements.txt b/requirements.txt
index e74266a..6c02901 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -19,5 +19,4 @@ ansible-core>=2.17.7
 jmespath
 # The bump-version script requires at least version 3 of semver.
 semver>=3
-setuptools
-wheel
+setuptools>=70.1
diff --git a/setup-env b/setup-env
index 7a39ddb..258de33 100755
--- a/setup-env
+++ b/setup-env
@@ -271,7 +271,7 @@ fi
 pyenv local "${env_name}"
 # Upgrade pip and friends
-python3 -m pip install --upgrade pip setuptools wheel
+python3 -m pip install --upgrade pip setuptools
 # Find a requirements file (if possible) and install
 for req_file in "requirements-dev.txt" "requirements-test.txt" "requirements.txt"; do
diff --git a/terraform-build-user/README.md b/terraform-build-user/README.md
index 7c4c5dd..c12da27 100644
--- a/terraform-build-user/README.md
+++ b/terraform-build-user/README.md
@@ -12,27 +12,27 @@ description of how this code is intended to be used.
 ## Requirements ##
 | Name | Version |
-|------|---------|
+| ---- | ------- |
 | terraform | ~> 1.1 |
 | aws | ~> 6.7 |
 ## Providers ##
 | Name | Version |
-|------|---------|
+| ---- | ------- |
 | aws.cool-terraform-backend | ~> 6.7 |
 | terraform | n/a |
 ## Modules ##
 | Name | Source | Version |
-|------|--------|---------|
+| ---- | ------ | ------- |
 | iam\_user | github.com/cisagov/ami-build-iam-user-tf-module | n/a |
 ## Resources ##
 | Name | Type |
-|------|------|
+| ---- | ---- |
 | [aws_caller_identity.terraform_backend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [terraform_remote_state.images](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
 | [terraform_remote_state.images_parameterstore](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
@@ -41,7 +41,7 @@ description of how this code is intended to be used.
 ## Inputs ##
 | Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
+| ---- | ----------- | ---- | ------- | :------: |
 | terraform\_state\_bucket | The name of the S3 bucket where Terraform state is stored. | `string` | n/a | yes |
 ## Outputs ##
diff --git a/terraform-post-packer/README.md b/terraform-post-packer/README.md
index 65b258a..f69cfeb 100644
--- a/terraform-post-packer/README.md
+++ b/terraform-post-packer/README.md
@@ -12,27 +12,27 @@ details.
 ## Requirements ##
 | Name | Version |
-|------|---------|
+| ---- | ------- |
 | terraform | ~> 1.1 |
 | aws | ~> 6.7 |
 ## Providers ##
 | Name | Version |
-|------|---------|
+| ---- | ------- |
 | aws | ~> 6.7 |
 ## Modules ##
 | Name | Source | Version |
-|------|--------|---------|
+| ---- | ------ | ------- |
 | ami\_launch\_permission\_arm64 | github.com/cisagov/ami-launch-permission-tf-module | n/a |
 | ami\_launch\_permission\_x86\_64 | github.com/cisagov/ami-launch-permission-tf-module | n/a |
 ## Resources ##
 | Name | Type |
-|------|------|
+| ---- | ---- |
 | [aws_ami_ids.historical_amis_arm64](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami_ids) | data source |
 | [aws_ami_ids.historical_amis_x86_64](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami_ids) | data source |
 | [aws_caller_identity.images](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -40,7 +40,7 @@ details.
 ## Inputs ##
 | Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
+| ---- | ----------- | ---- | ------- | :------: |
 | ami\_share\_account\_name\_regex | A regular expression that matches the names of AWS accounts with which to share the AMIs created by this repository. This variable is used to share the AMIs with accounts that are members of the same AWS Organization as the account that owns the AMIs. | `string` | `"^env[[:digit:]]+"` | no |
 | extraorg\_account\_ids | A list of AWS account IDs corresponding to "extra" accounts with which you want to share this AMI (e.g. ["123456789012"]). Normally this variable is used to share an AMI with accounts that are not a member of the same AWS Organization as the account that owns the AMI. | `list(string)` | `[]` | no |
 | recent\_ami\_count | The number of most-recent AMIs (per architecture) for which to grant launch permission (e.g. "3"). If this variable is set to three, for example, then accounts will be granted permission to launch the three most recent AMIs (or all most recent AMIs, if there are only one or two of them in existence). | `number` | `12` | no |
@@ -48,7 +48,7 @@ details.
 ## Outputs ##
 | Name | Description |
-|------|-------------|
+| ---- | ----------- |
 | launch\_permissions\_arm64 | The cisagov/ami-launch-permission-tf-module for each ARM64 AMI to which launch permission is being granted. |
 | launch\_permissions\_x86\_64 | The cisagov/ami-launch-permission-tf-module for each x86\_64 AMI to which launch permission is being granted. |