Merge remote-tracking branch 'skeleton/develop' into lineage/skeleton

Author: jsf9k

.github/labeler.yml

@@ -46,6 +46,14 @@ python:
   - changed-files:
       - any-glob-to-any-file:
           - "**/*.py"
+shell script:
+  - changed-files:
+      - any-glob-to-any-file:
+          # If this project has any shell scripts that do not end in the ".sh"
+          # extension, add them below.
+          - "**/*.sh"
+          - bump-version
+          - setup-env
 terraform:
   - changed-files:
       - any-glob-to-any-file:

.github/labels.yml

@@ -2,7 +2,7 @@
 # Rather than breaking up descriptions into multiline strings we disable that
 # specific rule in yamllint for this file.
 # yamllint disable rule:line-length
-- color: f15a53
+- color: ff5850
   description: Pull requests that update Ansible code
   name: ansible
 - color: eb6420
@@ -20,7 +20,7 @@
 - color: 0366d6
   description: Pull requests that update a dependency file
   name: dependencies
-- color: 2497ed
+- color: 1d63ed
   description: Pull requests that update Docker code
   name: docker
 - color: 5319e7
@@ -47,7 +47,7 @@
 - color: fef2c0
   description: This issue or pull request is not applicable, incorrect, or obsolete
   name: invalid
-- color: f1d642
+- color: f0db4f
   description: Pull requests that update JavaScript code
   name: javascript
 - color: ce099a
@@ -62,7 +62,7 @@
 - color: 02a8ef
   description: Pull requests that update Packer code
   name: packer
-- color: 3772a4
+- color: 3776ab
   description: Pull requests that update Python code
   name: python
 - color: ef476c
@@ -71,13 +71,16 @@
 - color: d73a4a
   description: This issue or pull request addresses a security issue
   name: security
+- color: 4eaa25
+  description: Pull requests that update shell scripts
+  name: shell script
 - color: 7b42bc
   description: Pull requests that update Terraform code
   name: terraform
 - color: 00008b
   description: This issue or pull request adds or otherwise modifies test code
   name: test
-- color: 2b6ebf
+- color: 2678c5
   description: Pull requests that update TypeScript code
   name: typescript
 - color: 1d76db

.github/workflows/build.yml

@@ -100,7 +100,7 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: setup-env
         uses: cisagov/setup-env-github-action@v1
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: setup-python
         uses: actions/setup-python@v6
         with:

.github/workflows/codeql-analysis.yml

@@ -113,19 +113,19 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
 
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
 
       # Autobuild attempts to build any compiled languages (C/C++, C#, or
       # Java). If this step fails, then you should remove it and run the build
       # manually (see below).
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -139,4 +139,4 @@ jobs:
       #     make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4

.github/workflows/dependency-review.yml

@@ -89,7 +89,7 @@ jobs:
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
       - id: checkout-repo
         name: Checkout the repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - id: dependency-review
         name: Review dependency changes for vulnerabilities and license changes
         uses: actions/dependency-review-action@v4

.github/workflows/label-prs.yml

@@ -59,7 +59,6 @@ jobs:
     permissions:
       # Permissions required by actions/labeler
       contents: read
-      issues: write
       pull-requests: write
     runs-on: ubuntu-latest
     steps:

.github/workflows/sync-labels.yml

@@ -84,7 +84,7 @@ jobs:
           # monitoring configuration *does not* require you to modify
           # this workflow.
           permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Sync repository labels
         if: success()
         uses: crazy-max/ghaction-github-labeler@v5

.pre-commit-config.yaml

@@ -63,20 +63,20 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.33.3
+    rev: 0.35.0
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v4.3.0
+    rev: v4.4.0
     hooks:
       - id: validate_manifest
 
   # Go hooks
   - repo: https://github.com/TekWizely/pre-commit-golang
-    rev: v1.0.0-rc.2
+    rev: v1.0.0-rc.4
     hooks:
       # Go Build
       - id: go-build-repo-mod
@@ -129,13 +129,13 @@ repos:
 
   # Python hooks
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.8.6
+    rev: 1.9.1
     hooks:
       - id: bandit
         args:
           - --config=.bandit.yml
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 25.1.0
+    rev: 25.11.0
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -145,11 +145,11 @@ repos:
         additional_dependencies:
           - flake8-docstrings==1.7.0
   - repo: https://github.com/PyCQA/isort
-    rev: 6.0.1
+    rev: 7.0.0
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.18.1
+    rev: v1.18.2
     hooks:
       - id: mypy
   - repo: https://github.com/pypa/pip-audit
@@ -165,13 +165,19 @@ repos:
           - --requirement
           - requirements.txt
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.20.0
+    rev: v3.21.1
     hooks:
       - id: pyupgrade
+        args:
+          # Python 3.10 is currently the oldest non-EOL version of
+          # Python, so we want to apply all rules that apply to this
+          # version or later.  See here for more details:
+          # https://www.gyford.com/phil/writing/2025/08/26/how-to-use-pyupgrade/
+          - --py310-plus
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v25.9.0
+    rev: v25.11.1
     hooks:
       - id: ansible-lint
         additional_dependencies:
@@ -187,35 +193,17 @@ repos:
           # hook identifies a vulnerability in ansible-core 2.16.13,
           # but all versions of ansible 9 have a dependency on
           # ~=2.16.X.
-          #
-          # It is also a good idea to go ahead and upgrade to version
-          # 10 since version 9 is going EOL at the end of November:
-          # https://endoflife.date/ansible
           # - ansible>=10,<11
-          # ansible-core 2.16.3 through 2.16.6 suffer from the bug
-          # discussed in ansible/ansible#82702, which breaks any
-          # symlinked files in vars, tasks, etc. for any Ansible role
-          # installed via ansible-galaxy.  Hence we never want to
-          # install those versions.
-          #
-          # Note that the pip-audit pre-commit hook identifies a
-          # vulnerability in ansible-core 2.16.13.  The pin of
-          # ansible-core to >=2.17 effectively also pins ansible to
-          # >=10.
-          #
-          # It is also a good idea to go ahead and upgrade to
-          # ansible-core 2.17 since security support for ansible-core
-          # 2.16 ends this month:
-          # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+          # ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.
           #
           # Note that any changes made to this dependency must also be
           # made in requirements.txt in cisagov/skeleton-packer and
           # requirements-test.txt in cisagov/skeleton-ansible-role.
-          - ansible-core>=2.17
+          - ansible-core>=2.17.7
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.100.0
+    rev: v1.103.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

README.md

@@ -1,6 +1,8 @@
 # ssm-read-role-tf-module #
 
 [![GitHub Build Status](https://github.com/cisagov/ssm-read-role-tf-module/workflows/build/badge.svg)](https://github.com/cisagov/ssm-read-role-tf-module/actions)
+[![License](https://img.shields.io/github/license/cisagov/ssm-read-role-tf-module)](https://spdx.org/licenses/)
+[![CodeQL](https://github.com/cisagov/ssm-read-role-tf-module/workflows/CodeQL/badge.svg)](https://github.com/cisagov/ssm-read-role-tf-module/actions/workflows/codeql-analysis.yml)
 
 A Terraform module for creating an IAM role and policy for reading SSM parameters.