From 771490a42e57012a759b2b85c57e752c979b9a4c Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 20 Apr 2024 04:01:47 -0400 Subject: [PATCH 01/27] Update the bandit configuration in pre-commit We removed the systemd_enabled scenario in cisagov/skeleton-ansible-role#175 but we missed updating the `exclude` directive for the `bandit` hook. Instead of just removing the unused scenario the regex is instead updated to match the `tests` subdirectory for any molecule scenario. --- .pre-commit-config.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 48846e6..9f40b54 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -125,8 +125,9 @@ repos: rev: 1.7.7 hooks: - id: bandit - # Bandit complains about the use of assert() in tests - exclude: molecule/(default|systemd_enabled)/tests + # Bandit complains about the use of assert() in tests. This should cover + # the tests/ subdirectory for any molecule scenario. + exclude: molecule/[^/]+/tests args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror From 33947a63ae470d65a4678e1b9669102d3795fc1b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 22 Apr 2024 13:44:11 -0400 Subject: [PATCH 02/27] Change the license so that it is an SPDX string This is what is expected by Ansible Galaxy: https://docs.ansible.com/ansible/latest/dev_guide/collections_galaxy_meta.html --- meta/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/main.yml b/meta/main.yml index f7f30e7..383000a 100644 --- a/meta/main.yml +++ b/meta/main.yml 
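Review bot: The new `exclude: molecule/[^/]+/tests` regex on the bandit hook is unanchored, and pre-commit applies `exclude` with a search rather than a full match, so it also skips files whose path merely contains that substring — a hypothetical `molecule/default/tests_util.py`, or the same layout nested under another directory — which are files the scanner was presumably meant to see. Anchoring the pattern and requiring the trailing separator limits it to the intended subtree: `exclude: ^molecule/[^/]+/tests/`. The `--config=.bandit.yml` argument is unchanged and unaffected by this.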
@@ -11,7 +11,7 @@ galaxy_info: description: Skeleton Ansible role galaxy_tags: - skeleton - license: CC0 + license: CC0-1.0 # With the release of version 2.10, Ansible finally correctly # identifies Kali Linux as being the Kali distribution of the Debian # OS family. This simplifies a lot of things for roles that support From 07e2b60f912ada6de4de0dcf0573bbecc0f2037c Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 4 May 2024 10:09:12 -0400 Subject: [PATCH 03/27] Pin ansible-core when running the ansible-lint linter New versions of ansible-core (2.16.7 and 2.17.0) have been released that do not suffer from the bug discussed in ansible/ansible#82702. This bug broke any symlinked files in vars, tasks, etc. for any Ansible role installed via ansible-galaxy. All versions later than ansible-core 2.16.7 and 2.17.0 should function as expected. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2c5b3c8..895384c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -155,6 +155,17 @@ repos: rev: v24.2.0 hooks: - id: ansible-lint + additional_dependencies: + # ansible-core 2.16.3 through 2.16.6 suffer from the bug + # discussed in ansible/ansible#82702, which breaks any + # symlinked files in vars, tasks, etc. for any Ansible role + # installed via ansible-galaxy. Hence we never want to + # install those versions. + # + # Note that any changes made to this dependency must also be + # made in requirements.txt in cisagov/skeleton-packer and + # requirements-test.txt in cisagov/skeleton-ansible-role. + - ansible-core>=2.16.7 # files: molecule/default/playbook.yml # Terraform hooks From c74e5db75b7e3785a3f7196365b7ba99f9a004ea Mon Sep 17 00:00:00 2001 
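Review bot: The `- ansible-core>=2.16.7` entry added under `additional_dependencies` has no upper bound, so the ansible-lint hook environment resolves to whatever the newest ansible-core is on the day the hook is installed, while the test environment in this series gets its ansible-core via an `ansible` pin held to one major (`ansible>=8,<10` in requirements-test.txt, later `>=9,<10`); the linter and the tests can therefore run different ansible-core series. If the intent is to lint against the same series that is tested, an explicit bound such as `- ansible-core>=2.16.7,<2.17` (chosen to match the tested `ansible` major) keeps them in step; if floating is deliberate, a one-line comment saying so would save the next reader the question. The comment block already lists the sibling repositories that must change together, so whatever bound is chosen needs mirroring there as the comment instructs.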
From: Jeremy Frasier Date: Sat, 4 May 2024 10:11:08 -0400 Subject: [PATCH 04/27] Remove unnecessary line The line is not only unnecessary, it was commented out to boot! --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 895384c..11772d9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -166,7 +166,6 @@ repos: # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. - ansible-core>=2.16.7 - # files: molecule/default/playbook.yml # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform From 2e53e0de98caa5d5a42320618d8e604c770da7d9 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 7 May 2024 15:21:06 -0400 Subject: [PATCH 05/27] Explain why ansible may need to be added as a dependency for ansible-lint On its own ansible-lint does not pull in ansible, only ansible-core. Therefore, if an Ansible module lives in ansible instead of ansible-core, the linter will complain that the module is unknown. In these cases it is necessary to add the ansible package itself as an additional dependency, with the same pinning as is done in requirements-test.txt of cisagov/skeleton-ansible-role. --- .pre-commit-config.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 11772d9..a48e196 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -156,6 +156,14 @@ repos: hooks: - id: ansible-lint additional_dependencies: + # On its own ansible-lint does not pull in ansible, only + # ansible-core. Therefore, if an Ansible module lives in + # ansible instead of ansible-core, the linter will complain + # that the module is unknown. In these cases it is + # necessary to add the ansible package itself as an + # additional dependency, with the same pinning as is done in + # requirements-test.txt of cisagov/skeleton-ansible-role. + # - ansible>=8,<10 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any # symlinked files in vars, tasks, etc. for any Ansible role From c000a6d307a7618aec651019480680e98494c604 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 29 May 2024 12:38:56 -0400 Subject: [PATCH 06/27] Add `community.docker` as a requirement for molecule testing We explicitly add the `community.docker` collection with a minimum version as a requirement to the molecule configuration. This will allow us to ensure that a version of this collection that is compatible with 2.32.0 and newer of the Python requests library is installed. --- molecule/default/requirements.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml index d5927d8..1854da0 100644 --- a/molecule/default/requirements.yml +++ b/molecule/default/requirements.yml 
@@ -1,3 +1,11 @@ --- -- name: upgrade - src: https://github.com/cisagov/ansible-role-upgrade +# This is necessary to ensure a version of this collection that is compatible +# with version 2.32.0+ of the Python requests library. This should be removed when +# it is no longer required per https://github.com/cisagov/skeleton-ansible-role/issues/195 +collections: + - name: community.docker + version: ">=3.10.2" + +roles: + - name: upgrade + src: https://github.com/cisagov/ansible-role-upgrade From 670748b0d53042bab6da53ef08bdebfa5260e389 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 21 May 2024 11:29:18 -0400 Subject: [PATCH 07/27] Modify the ansible-core pin to ensure a good version is used We can do this because new versions of ansible-core (2.16.7 and 2.17.0) have been released that do not suffer from the bug discussed in ansible/ansible#82702. This bug broke any symlinked files in vars, tasks, etc. for any Ansible role installed via ansible-galaxy. All versions later than ansible-core 2.16.7 and 2.17.0 should function as expected. --- requirements-test.txt | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/requirements-test.txt b/requirements-test.txt index 09f58a0..e74b270 100644 --- a/requirements-test.txt +++ b/requirements-test.txt 
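Review bot: The `upgrade` entry under `roles:` gives only `src: https://github.com/cisagov/ansible-role-upgrade` with no `version:`, so `ansible-galaxy install` fetches the default branch head as it happens to be when the scenario runs; each molecule run can execute different role code, and an unreviewed or broken upstream commit reaches CI with no diff in this repository. The `collections:` entry directly above it does carry a `version: ">=3.10.2"` constraint, so the two entries are inconsistent in that respect. Pinning the role to a tag or commit, `version: "<tag-or-commit>"` (placeholder), with a comment on when it is bumped, gives the same reproducibility the collection constraint aims for.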
@@ -14,15 +14,15 @@ # often breaking changes across major versions. This is the reason # for the upper bound. ansible>=8,<10 -# TODO: Remove this pin when possible. See -# cisagov/skeleton-ansible-role#178 for more details. -# -# ansible-core 2.16.3 and later suffer from the bug discussed in +# ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in # ansible/ansible#82702, which breaks any symlinked files in vars, # tasks, etc. for any Ansible role installed via ansible-galaxy. +# Hence we never want to install those versions. # -# See also cisagov/skeleton-packer#312. -ansible-core<2.16.3 +# Note that any changes made to this dependency must also be made in +# requirements.txt in cisagov/skeleton-packer and +# .pre-commit-config.yaml in cisagov/skeleton-generic. +ansible-core>=2.16.7 # With the release of molecule v5 there were some breaking changes so # we need to pin at v5 or newer. However, v5.0.0 had an internal # dependency issue so we must use the bugfix release as the actual From db61055ffcef2121aee0c24dc0b74110844274b1 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Fri, 31 May 2024 17:14:37 -0400 Subject: [PATCH 08/27] Update ansible pin With the updated ansible-core pin we can support ansible 9. Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com> --- requirements-test.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-test.txt b/requirements-test.txt index e74b270..d680733 100644 --- a/requirements-test.txt +++ b/requirements-test.txt @@ -13,7 +13,7 @@ # jumping to another major version without testing, since there are # often breaking changes across major versions. This is the reason # for the upper bound. -ansible>=8,<10 +ansible>=9,<10 # ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in # ansible/ansible#82702, which breaks any symlinked files in vars, # tasks, etc. for any Ansible role installed via ansible-galaxy. 
From fc7b883cee53770e7de04c05889b350d65b094ca Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 26 Apr 2024 17:30:44 -0400 Subject: [PATCH 09/27] Restore externally managed Python environment indicator In SystemD-enabled Docker images sources from geerlingguy he has made the decision to remove the indicator for an externally managed Python environment if the host is configured with one. This impacts Debian Bookworm and Trixie, as well as Ubuntu 24.04 (Noble Numbat), and as far as we know any future versions of these distributions. This will help ensure that our Ansible role testing is done against images that reflect how a host will be configured when used to create AMIs. --- .../default/externally-managed-python.yml | 31 +++++++++++++++++++ molecule/default/prepare.yml | 3 ++ .../default/templates/EXTERNALLY-MANAGED.j2 | 15 +++++++++ molecule/default/vars/Debian.yml | 2 ++ molecule/default/vars/Ubuntu.yml | 2 ++ 5 files changed, 53 insertions(+) create mode 100644 molecule/default/externally-managed-python.yml create mode 100644 molecule/default/templates/EXTERNALLY-MANAGED.j2 create mode 100644 molecule/default/vars/Debian.yml create mode 100644 molecule/default/vars/Ubuntu.yml diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml new file mode 100644 index 0000000..41b915e --- /dev/null +++ b/molecule/default/externally-managed-python.yml 
@@ -0,0 +1,31 @@ +--- +# This is in place to restore a destructive action in geerlingguy's Ansible +# Docker images that we use for testing. The change is fine for the intended +# purpose of the images but not for how we use them. +- name: Ensure Python is marked as externally managed if appropriate + hosts: all + become: true + become_method: ansible.builtin.sudo + tasks: + - name: Ensure Python is marked as externally managed + when: + - ansible_os_family == "Debian" + - ansible_distribution != "Kali" + - ansible_distribution_release not in ["bullseye", "buster", "focal", "jammy"] + block: + - name: Load var file with Python version based on the OS type + ansible.builtin.include_vars: "{{ lookup('first_found', params) }}" + vars: + params: + files: + - "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml" + - "{{ ansible_distribution }}.yml" + - "{{ ansible_os_family }}.yml" + paths: + - "vars" + + - name: Restore EXTERNALLY-MANAGED file for Python + ansible.builtin.template: + dest: /usr/lib/python{{ python_version }}/EXTERNALLY-MANAGED + mode: 0644 + src: EXTERNALLY-MANAGED.j2 diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index d3eb8f5..26bca50 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -1,3 +1,6 @@ --- - name: Import upgrade playbook ansible.builtin.import_playbook: upgrade.yml + +- name: Import externally-managed-python playbook + ansible.builtin.import_playbook: externally-managed-python.yml diff --git a/molecule/default/templates/EXTERNALLY-MANAGED.j2 b/molecule/default/templates/EXTERNALLY-MANAGED.j2 new file mode 100644 index 0000000..df806f8 --- /dev/null +++ b/molecule/default/templates/EXTERNALLY-MANAGED.j2 
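Review bot: `mode: 0644` in the `Restore EXTERNALLY-MANAGED file for Python` task is an unquoted octal literal; Ansible's YAML 1.1 loader reads it as the integer 420, which the file modules appear to handle as intended, but a YAML 1.2 parser reads `0644` as decimal 644 and ansible-lint's risky-octal guidance prefers the string form, so `mode: "0644"` is the portable spelling. The same literal is carried into the rewritten task in the `@@ -13,19 +13,36 @@` hunk of PATCH 10 for this file, which should change in step. The `when:` list, the `first_found` lookup for `include_vars` and the `become` settings look fine as written.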
@@ -0,0 +1,15 @@ +[externally-managed] +Error=To install Python packages system-wide, try apt install + python3-xyz, where xyz is the package you are trying to + install. + + If you wish to install a non-Debian-packaged Python package, + create a virtual environment using python3 -m venv path/to/venv. + Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make + sure you have python3-full installed. + + If you wish to install a non-Debian packaged Python application, + it may be easiest to use pipx install xyz, which will manage a + virtual environment for you. Make sure you have pipx installed. + + See /usr/share/doc/python{{ python_version }}/README.venv for more information. diff --git a/molecule/default/vars/Debian.yml b/molecule/default/vars/Debian.yml new file mode 100644 index 0000000..154e841 --- /dev/null +++ b/molecule/default/vars/Debian.yml @@ -0,0 +1,2 @@ +--- +python_version: "3.11" diff --git a/molecule/default/vars/Ubuntu.yml b/molecule/default/vars/Ubuntu.yml new file mode 100644 index 0000000..8fb3904 --- /dev/null +++ b/molecule/default/vars/Ubuntu.yml @@ -0,0 +1,2 @@ +--- +python_version: "3.12" From 4958184745368b4f4f91bdff01f356da2c20d121 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 1 May 2024 12:56:50 -0400 Subject: [PATCH 10/27] Determine Python version on host dynamically Remove the hard-coded values used in to restore the externally managed Python environment file. Instead check that Python 3 is installed and derive the major.minor version of the Python 3 package that is on the host. Co-authored-by: dav3r Co-authored-by: Shane Frasier --- .../default/externally-managed-python.yml | 47 +++++++++++++------ .../default/templates/EXTERNALLY-MANAGED.j2 | 2 +- molecule/default/vars/Debian.yml | 2 - molecule/default/vars/Ubuntu.yml | 2 - 4 files changed, 33 insertions(+), 20 deletions(-) delete mode 100644 molecule/default/vars/Debian.yml delete mode 100644 molecule/default/vars/Ubuntu.yml diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml index 41b915e..f0ec5f0 100644 --- a/molecule/default/externally-managed-python.yml +++ b/molecule/default/externally-managed-python.yml 
@@ -13,19 +13,36 @@ - ansible_distribution != "Kali" - ansible_distribution_release not in ["bullseye", "buster", "focal", "jammy"] block: - - name: Load var file with Python version based on the OS type - ansible.builtin.include_vars: "{{ lookup('first_found', params) }}" - vars: - params: - files: - - "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml" - - "{{ ansible_distribution }}.yml" - - "{{ ansible_os_family }}.yml" - paths: - - "vars" + - name: Gather package facts + ansible.builtin.package_facts: + manager: auto - - name: Restore EXTERNALLY-MANAGED file for Python - ansible.builtin.template: - dest: /usr/lib/python{{ python_version }}/EXTERNALLY-MANAGED - mode: 0644 - src: EXTERNALLY-MANAGED.j2 + - name: Ensure the EXTERNALLY-MANAGED file is present if Python 3 is installed + when: '"python3" in ansible_facts.packages' + block: + # This gets a list of unique list of installed Python packages in the form of major.minor + # by taking the list of installed Python packages and: + # 1. Extracting the version from each package's information + # 2. Removing any version information after the major.minor version + # 3. Ensuring there are no duplicates + # + # NOTE: + # The regex expressions used in the regex_replace filter must use double backslashes if + # the value of python_versions is changed from a multiline string. This is due to how the + # YAML is processed when Ansible reads the playbook. + - name: Extract version information about installed Python packages + ansible.builtin.set_fact: + python_versions: >- + {{ + ansible_facts.packages["python3"] + | map(attribute="version") + | map("regex_replace", "^(\d+\.\d+)\.\d+.*$", "\1") + | unique + }} + + - name: Restore EXTERNALLY-MANAGED file for Python + ansible.builtin.template: + dest: /usr/lib/python{{ item }}/EXTERNALLY-MANAGED + mode: 0644 + src: EXTERNALLY-MANAGED.j2 + loop: "{{ python_versions }}" 
diff --git a/molecule/default/templates/EXTERNALLY-MANAGED.j2 b/molecule/default/templates/EXTERNALLY-MANAGED.j2 index df806f8..e2ee56f 100644 --- a/molecule/default/templates/EXTERNALLY-MANAGED.j2 +++ b/molecule/default/templates/EXTERNALLY-MANAGED.j2 @@ -12,4 +12,4 @@ Error=To install Python packages system-wide, try apt install it may be easiest to use pipx install xyz, which will manage a virtual environment for you. Make sure you have pipx installed. - See /usr/share/doc/python{{ python_version }}/README.venv for more information. + See /usr/share/doc/python{{ item }}/README.venv for more information. diff --git a/molecule/default/vars/Debian.yml b/molecule/default/vars/Debian.yml deleted file mode 100644 index 154e841..0000000 --- a/molecule/default/vars/Debian.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -python_version: "3.11" diff --git a/molecule/default/vars/Ubuntu.yml b/molecule/default/vars/Ubuntu.yml deleted file mode 100644 index 8fb3904..0000000 --- a/molecule/default/vars/Ubuntu.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -python_version: "3.12" From 4e1659e8e363725c3f95da5eb4a00d89eef769f8 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 1 May 2024 13:20:35 -0400 Subject: [PATCH 11/27] Streamline logic checking for applicable host platforms In the playbook that restores the externally managed Python environment file we can just check for supported distributions instead of checking for Debian-based and then excluding distributions (like Kali). --- molecule/default/externally-managed-python.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml index f0ec5f0..c9c7bcf 100644 --- a/molecule/default/externally-managed-python.yml +++ b/molecule/default/externally-managed-python.yml 
@@ -9,8 +9,7 @@ tasks: - name: Ensure Python is marked as externally managed when: - - ansible_os_family == "Debian" - - ansible_distribution != "Kali" + - ansible_distribution in ["Debian", "Ubuntu"] - ansible_distribution_release not in ["bullseye", "buster", "focal", "jammy"] block: - name: Gather package facts From b967e9de158b4ae3db3755e1535ad4934b5ae0ef Mon Sep 17 00:00:00 2001 From: Nick <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 21 May 2024 03:10:22 -0400 Subject: [PATCH 12/27] Fix typo in comment Co-authored-by: dav3r --- molecule/default/externally-managed-python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml index c9c7bcf..54bec7b 100644 --- a/molecule/default/externally-managed-python.yml +++ b/molecule/default/externally-managed-python.yml @@ -19,7 +19,7 @@ - name: Ensure the EXTERNALLY-MANAGED file is present if Python 3 is installed when: '"python3" in ansible_facts.packages' block: - # This gets a list of unique list of installed Python packages in the form of major.minor + # This gets a unique list of installed Python packages in the form of major.minor # by taking the list of installed Python packages and: # 1. Extracting the version from each package's information # 2. Removing any version information after the major.minor version From b25f1fca4d821fbdafd7ee71026aad9ef3ad745f Mon Sep 17 00:00:00 2001 From: Nick <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 21 May 2024 03:13:50 -0400 Subject: [PATCH 13/27] Improve explanatory comment Improve the comment that explains the backslash usage in a YAML multiline string used to define a regex pattern. Co-authored-by: dav3r --- molecule/default/externally-managed-python.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/molecule/default/externally-managed-python.yml b/molecule/default/externally-managed-python.yml index 54bec7b..ce43622 100644 --- a/molecule/default/externally-managed-python.yml +++ b/molecule/default/externally-managed-python.yml @@ -26,9 +26,11 @@ # 3. Ensuring there are no duplicates # # NOTE: - # The regex expressions used in the regex_replace filter must use double backslashes if - # the value of python_versions is changed from a multiline string. This is due to how the - # YAML is processed when Ansible reads the playbook. + # Since the value of python_versions is a multiline string, the regex expressions used in + # the regex_replace filter must use single backslashes for special sequences. If the value + # of python_versions were to be changed from a multiline string, the special sequences + # must be modified to use double backslashes instead. This is due to how the YAML is + # processed when Ansible reads the playbook. - name: Extract version information about installed Python packages ansible.builtin.set_fact: python_versions: >- From 706151e5948e9727f3d17bb741c616d690d8cd51 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 26 Apr 2024 13:56:38 -0400 Subject: [PATCH 14/27] Add support for Ubuntu 24.04 (Noble Numbat) --- meta/main.yml | 1 + molecule/default/molecule.yml | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/meta/main.yml b/meta/main.yml index f7f30e7..9226b97 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -40,5 +40,6 @@ galaxy_info: versions: - focal - jammy + - noble role_name: skeleton standalone: true diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index b4b3c96..7e4cc90 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
@@ -94,6 +94,15 @@ platforms: privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest + name: ubuntu-24-systemd + platform: amd64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw scenario: name: default verifier: From e7d3969e84c32e69c05996f44dbe92a6b3591c4e Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 26 Apr 2024 14:41:19 -0400 Subject: [PATCH 15/27] Add support for Fedora 40 Remove support for Fedora 38 as it is now EOL. --- meta/main.yml | 2 +- molecule/default/molecule.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index f7f30e7..14e29ba 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -31,8 +31,8 @@ galaxy_info: - trixie - name: Fedora versions: - - "38" - "39" + - "40" - name: Kali versions: - "2023" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index b4b3c96..71ce996 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -60,8 +60,8 @@ platforms: - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora38-ansible:latest - name: fedora38-systemd + image: docker.io/geerlingguy/docker-fedora39-ansible:latest + name: fedora39-systemd platform: amd64 pre_build_image: true privileged: true @@ -69,8 +69,8 @@ platforms: - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd - image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd + image: docker.io/geerlingguy/docker-fedora40-ansible:latest + name: fedora40-systemd platform: amd64 pre_build_image: true privileged: true From 581a55c994c542a3cd6996bb0b933f778fdde155 Mon Sep 17 00:00:00 2001 
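Review bot: The new `ubuntu-24-systemd` platform uses `image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest` together with `pre_build_image: true` and `privileged: true`, so every CI run pulls whatever `latest` resolves to at that moment into a privileged container; results are not reproducible across runs, and an upstream image change or a registry-side replacement reaches the pipeline with no diff in this repository. Pinning to an immutable reference, `image: docker.io/geerlingguy/docker-ubuntu2404-ansible@sha256:<digest>` (placeholder; assuming the driver accepts digest references, which the Docker CLI does), or at least a versioned tag if the publisher offers one, with a comment describing how it is refreshed, makes the dependency reviewable. The same applies to every platform block added in the `@@ -7,102 +7,204 @@` hunk of PATCH 17 and to the aarch64 blocks uncommented in PATCH 19, which all follow this pattern.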
From: Jeremy Frasier Date: Mon, 22 Apr 2024 11:57:10 -0400 Subject: [PATCH 16/27] Add GH actions to setup QEMU and buildx This idea was stolen from felddy/reusable-workflows. --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b57fa87..e3cce0b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -204,6 +204,10 @@ jobs: run: | python -m pip install --upgrade pip pip install --upgrade --requirement requirements-test.txt + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - name: Run molecule tests run: molecule test --scenario-name ${{ matrix.scenario }} - name: Setup tmate debug session From 5759b776bb0e245c457c72d7115d34e3fa88e530 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 22 Apr 2024 12:17:44 -0400 Subject: [PATCH 17/27] Add Molecule testing support for aarch where possible --- .github/workflows/build.yml | 29 +++++++- molecule/default/molecule.yml | 124 +++++++++++++++++++++++++++++++--- 2 files changed, 141 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e3cce0b..a9ad548 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -174,6 +174,30 @@ jobs: strategy: fail-fast: false matrix: + architecture: + - aarch64 + - amd64 + exclude: + # The Docker images we use for these platforms do not + # support aarch64. + - architecture: aarch64 + platform: amazonlinux2023-systemd + - architecture: aarch64 + platform: fedora39-systemd + - architecture: aarch64 + platform: fedora40-systemd + platform: + - amazonlinux2023-systemd + - debian10-systemd + - debian11-systemd + - debian12-systemd + - debian13-systemd + - kali-systemd + - fedora39-systemd + - fedora40-systemd + - ubuntu-20-systemd + - ubuntu-22-systemd + - ubuntu-24-systemd scenario: - default steps: 
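Review bot: `uses: docker/setup-qemu-action@v3` and `uses: docker/setup-buildx-action@v3` reference the actions by mutable major-version tags, so the job executes whatever commit those tags point to on the day it runs; both steps reconfigure the runner's Docker/QEMU setup that the subsequent `molecule test` step depends on. Pinning to a full-length commit SHA with the version kept in a trailing comment, `uses: docker/setup-qemu-action@<full-commit-sha> # v3` (placeholder), and letting an updater bump it, is the usual hardening for third-party actions. It would be worth applying the same convention to `mxschmitt/action-tmate@v3`, visible in the later hunk of this workflow, so the file follows one pinning style.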
@@ -209,7 +233,10 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Run molecule tests - run: molecule test --scenario-name ${{ matrix.scenario }} + run: >- + molecule test + --platform-name ${{ matrix.platform }}-${{ matrix.architecture }} + --scenario-name ${{ matrix.scenario }} - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 8e47275..ec5bdcb 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
@@ -7,102 +7,204 @@ platforms: - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest - name: amazonlinux2023-systemd + name: amazonlinux2023-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + # There is no aarch64 version of this Docker image. + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest + # name: amazonlinux2023-systemd-aarch64 + # platform: aarch64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian10-ansible:latest - name: debian10-systemd + name: debian10-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian10-ansible:latest + name: debian10-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian11-ansible:latest - name: debian11-systemd + name: debian11-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian11-ansible:latest + name: debian11-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-debian12-ansible:latest - name: debian12-systemd + name: debian12-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - 
cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-debian12-ansible:latest + name: debian12-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/cisagov/docker-debian13-ansible:latest - name: debian13-systemd + name: debian13-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-debian13-ansible:latest + name: debian13-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/cisagov/docker-kali-ansible:latest - name: kali-systemd + name: kali-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/cisagov/docker-kali-ansible:latest + name: kali-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-fedora39-ansible:latest - name: fedora39-systemd + name: fedora39-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + # There is no aarch64 version of this Docker image. 
+ # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-fedora39-ansible:latest + # name: fedora39-systemd-aarch64 + # platform: aarch64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-fedora40-ansible:latest - name: fedora40-systemd + name: fedora40-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + # There is no aarch64 version of this Docker image. + # - cgroupns_mode: host + # command: /lib/systemd/systemd + # image: docker.io/geerlingguy/docker-fedora40-ansible:latest + # name: fedora40-systemd-aarch64 + # platform: aarch64 + # pre_build_image: true + # privileged: true + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest - name: ubuntu-20-systemd + name: ubuntu-20-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest + name: ubuntu-20-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: /lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest - name: ubuntu-22-systemd + name: ubuntu-22-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest + name: ubuntu-22-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host command: 
/lib/systemd/systemd image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest - name: ubuntu-24-systemd + name: ubuntu-24-systemd-amd64 platform: amd64 pre_build_image: true privileged: true volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw + - cgroupns_mode: host + command: /lib/systemd/systemd + image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest + name: ubuntu-24-systemd-aarch64 + platform: aarch64 + pre_build_image: true + privileged: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw scenario: name: default verifier: From 234ac0387b533627b40e0d5e0cc6a3eb14ab86d1 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Mon, 22 Apr 2024 16:08:22 -0400 Subject: [PATCH 18/27] Alphabetize platforms Co-authored-by: dav3r --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a9ad548..e79e643 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -192,9 +192,9 @@ jobs: - debian11-systemd - debian12-systemd - debian13-systemd - - kali-systemd - fedora39-systemd - fedora40-systemd + - kali-systemd - ubuntu-20-systemd - ubuntu-22-systemd - ubuntu-24-systemd From 77f62e3687bcf27b319e865b8f99868fde40f9c0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 27 Apr 2024 16:15:14 -0400 Subject: [PATCH 19/27] Add support for the aarch64 platform for Fedora 39, Fedora 40, and AL2023 These platforms can now be included because the following PRs have been merged: - geerlingguy/docker-fedora39-ansible#2 - geerlingguy/docker-fedora40-ansible#1 - geerlingguy/docker-amazonlinux2023-ansible#4 --- .github/workflows/build.yml | 9 ------ molecule/default/molecule.yml | 57 +++++++++++++++++------------------ 2 files changed, 27 insertions(+), 39 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e79e643..22f1c43 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -177,15 +177,6 @@ jobs:
 architecture:
 - aarch64
 - amd64
- exclude: # The Docker images we use for these platforms do not # support aarch64.
- - architecture: aarch64
- platform: amazonlinux2023-systemd
- - architecture: aarch64
- platform: fedora39-systemd
- - architecture: aarch64
- platform: fedora40-systemd
 platform:
 - amazonlinux2023-systemd
 - debian10-systemd
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index ec5bdcb..19df511 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -13,16 +13,15 @@ platforms:
 privileged: true
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
- # There is no aarch64 version of this Docker image.
- # - cgroupns_mode: host
- # command: /lib/systemd/systemd
- # image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest
- # name: amazonlinux2023-systemd-aarch64
- # platform: aarch64
- # pre_build_image: true
- # privileged: true
- # volumes:
- # - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest
+ name: amazonlinux2023-systemd-aarch64
+ platform: aarch64
+ pre_build_image: true
+ privileged: true
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/geerlingguy/docker-debian10-ansible:latest
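Review bot: The platform entry enabled in the molecule.yml hunk pulls an unpinned `:latest` third-party image and runs it with `privileged: true`, `cgroupns_mode: host` and a writable `/sys/fs/cgroup` bind mount, so whatever that tag resolves to on a given day runs with full capabilities on the CI runner; the amd64 entries already do this, but each re-enabled aarch64 entry adds another image taken on trust. With `pre_build_image: true` the `image:` value can carry a digest (`docker.io/geerlingguy/docker-amazonlinux2023-ansible@sha256:<DIGEST-PLACEHOLDER>`) so the scenario runs a known build, at the cost of tracking upstream by hand; if the unpinned tag is deliberate, a comment above the first platform such as `# Images are intentionally unpinned so tests track upstream; these containers run privileged, so only run this scenario on a disposable host or CI runner.` records the trade-off. The same point applies to the fedora39 and fedora40 entries enabled in the two hunks that follow, and the enclosing `platforms:` list starts outside the hunk.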
@@ -122,16 +121,15 @@ platforms:
 privileged: true
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
- # There is no aarch64 version of this Docker image.
- # - cgroupns_mode: host
- # command: /lib/systemd/systemd
- # image: docker.io/geerlingguy/docker-fedora39-ansible:latest
- # name: fedora39-systemd-aarch64
- # platform: aarch64
- # pre_build_image: true
- # privileged: true
- # volumes:
- # - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: docker.io/geerlingguy/docker-fedora39-ansible:latest
+ name: fedora39-systemd-aarch64
+ platform: aarch64
+ pre_build_image: true
+ privileged: true
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/geerlingguy/docker-fedora40-ansible:latest
@@ -141,16 +139,15 @@ platforms:
 privileged: true
 volumes:
 - /sys/fs/cgroup:/sys/fs/cgroup:rw
- # There is no aarch64 version of this Docker image.
- # - cgroupns_mode: host
- # command: /lib/systemd/systemd
- # image: docker.io/geerlingguy/docker-fedora40-ansible:latest
- # name: fedora40-systemd-aarch64
- # platform: aarch64
- # pre_build_image: true
- # privileged: true
- # volumes:
- # - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ - cgroupns_mode: host
+ command: /lib/systemd/systemd
+ image: docker.io/geerlingguy/docker-fedora40-ansible:latest
+ name: fedora40-systemd-aarch64
+ platform: aarch64
+ pre_build_image: true
+ privileged: true
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest
From 6158bae37a986ff9604b2b52ef42169832d369ea Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 31 May 2024 14:41:06 -0400
Subject: [PATCH 20/27] Prefer the name arm64 to aarch64
Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
 .github/workflows/build.yml | 2 +-
 molecule/default/molecule.yml | 44 +++++++++++++++++------------------
 2 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 22f1c43..1cf405b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -175,8 +175,8 @@ jobs:
 fail-fast: false
 matrix:
 architecture:
- - aarch64
 - amd64
+ - arm64
 platform:
 - amazonlinux2023-systemd
 - debian10-systemd
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 19df511..20b8324 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -16,8 +16,8 @@ platforms:
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/geerlingguy/docker-amazonlinux2023-ansible:latest
- name: amazonlinux2023-systemd-aarch64
- platform: aarch64
+ name: amazonlinux2023-systemd-arm64
+ platform: arm64
 pre_build_image: true
 privileged: true
 volumes:
@@ -34,8 +34,8 @@ platforms:
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/geerlingguy/docker-debian10-ansible:latest
- name: debian10-systemd-aarch64
- platform: aarch64
+ name: debian10-systemd-arm64
+ platform: arm64
 pre_build_image: true
 privileged: true
 volumes:
@@ -52,8 +52,8 @@ platforms:
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/geerlingguy/docker-debian11-ansible:latest
- name: debian11-systemd-aarch64
- platform: aarch64
+ name: debian11-systemd-arm64
+ platform: arm64
 pre_build_image: true
 privileged: true
 volumes:
@@ -70,8 +70,8 @@ platforms:
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/geerlingguy/docker-debian12-ansible:latest
- name: debian12-systemd-aarch64
- platform: aarch64
+ name: debian12-systemd-arm64
+ platform: arm64
 pre_build_image: true
 privileged: true
 volumes:
@@ -88,8 +88,8 @@ platforms:
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/cisagov/docker-debian13-ansible:latest
- name: debian13-systemd-aarch64
- platform: aarch64
+ name: debian13-systemd-arm64
+ platform: arm64
 pre_build_image: true
 privileged: true
 volumes:
@@ -106,8 +106,8 @@ platforms:
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/cisagov/docker-kali-ansible:latest
- name: kali-systemd-aarch64
- platform: aarch64
+ name: kali-systemd-arm64
+ platform: arm64
 pre_build_image: true
 privileged: true
 volumes:
@@ -124,8 +124,8 @@ platforms:
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/geerlingguy/docker-fedora39-ansible:latest
- name: fedora39-systemd-aarch64
- platform: aarch64
+ name: fedora39-systemd-arm64
+ platform: arm64
 pre_build_image: true
 privileged: true
 volumes:
@@ -142,8 +142,8 @@ platforms:
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/geerlingguy/docker-fedora40-ansible:latest
- name: fedora40-systemd-aarch64
- platform: aarch64
+ name: fedora40-systemd-arm64
+ platform: arm64
 pre_build_image: true
 privileged: true
 volumes:
@@ -160,8 +160,8 @@ platforms:
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/geerlingguy/docker-ubuntu2004-ansible:latest
- name: ubuntu-20-systemd-aarch64
- platform: aarch64
+ name: ubuntu-20-systemd-arm64
+ platform: arm64
 pre_build_image: true
 privileged: true
 volumes:
@@ -178,8 +178,8 @@ platforms:
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/geerlingguy/docker-ubuntu2204-ansible:latest
- name: ubuntu-22-systemd-aarch64
- platform: aarch64
+ name: ubuntu-22-systemd-arm64
+ platform: arm64
 pre_build_image: true
 privileged: true
 volumes:
@@ -196,8 +196,8 @@ platforms:
 - cgroupns_mode: host
 command: /lib/systemd/systemd
 image: docker.io/geerlingguy/docker-ubuntu2404-ansible:latest
- name: ubuntu-24-systemd-aarch64
- platform: aarch64
+ name: ubuntu-24-systemd-arm64
+ platform: arm64
 pre_build_image: true
 privileged: true
 volumes:
From 357a701ba723f1161e1e953b87147ee8d48826b8 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Fri, 31 May 2024 14:42:35 -0400
Subject: [PATCH 21/27] Assign a name to the test job in the build GHA workflow
This helps keep the job name in line with the molecule configuration.
Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
 .github/workflows/build.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1cf405b..3b88a29 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -168,6 +168,9 @@ jobs:
 uses: mxschmitt/action-tmate@v3
 if: env.RUN_TMATE
 test:
+ name: >-
+ test (${{ matrix.scenario }}) -
+ ${{ matrix.platform }}-${{ matrix.architecture }}
 needs:
 - diagnostics
 runs-on: ubuntu-latest
From 4d2653d8d53ae6591d45705bfcfb573f0dfb8240 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Fri, 31 May 2024 16:10:05 -0400
Subject: [PATCH 22/27] Update the `update_molecule_images.sh` helper script
Adjust the script to pull down platform specific images instead of just the image of the running system's platform. This will ensure that all images needed by the molecule configuration are retrieved regardless of the system platform.
---
 update_molecule_images.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
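Review bot: The new `name:` interpolates `matrix.scenario`, but no `scenario` dimension is visible in the matrix hunks of this series (only `architecture` and `platform` appear) and those hunks are cut before the rest of the matrix; if the dimension is not defined, the expression expands to nothing and the job is silently named `test () - …`. Confirm the key exists, and either way a short comment above `name:` such as `# Keep in step with the platform names in molecule/default/molecule.yml (<platform>-<architecture>).` ties the three matrix keys to the molecule naming this commit says it mirrors. The `test` job's body continues beyond the hunk.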
diff --git a/update_molecule_images.sh b/update_molecule_images.sh
index 2c8cccc..f7fc267 100755
--- a/update_molecule_images.sh
+++ b/update_molecule_images.sh
@@ -45,4 +45,4 @@ check_dependencies
 # Note that we can't use --max-args in place of -n in the xargs
 # command since the version of xargs distributed with macOS does not
 # support it.
-yq '.platforms[].image' < "$source_file" | xargs -n 1 docker pull
+yq '.platforms[] | "\(.platform) \(.image)"' < "$source_file" | xargs -n 2 docker pull --platform
From ba48f714c14ffdb240f21ac1497dc88be5006c58 Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Sat, 1 Jun 2024 23:34:00 -0400
Subject: [PATCH 23/27] Add new dependabot ignore directives
Adds commented out ignore statements for the following new Action dependencies added to the `test` job:
- docker/setup-buildx-action
- docker/setup-qemu-action
Once uncommented in downstream repositories this will ensure that these dependencies are managed in a centralized place.
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 986c3cb..d219c14 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -20,6 +20,8 @@ updates:
 - dependency-name: mxschmitt/action-tmate
 - dependency-name: step-security/harden-runner
 # # Managed by cisagov/skeleton-ansible-role
+ # - dependency-name: docker/setup-buildx-action
+ # - dependency-name: docker/setup-qemu-action
 # - dependency-name: github/codeql-action
 package-ecosystem: github-actions
 schedule:
From f51fe623bb34e68bb874cd30756fee2692d34b5a Mon Sep 17 00:00:00 2001
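Review bot: The new `update_molecule_images.sh` pipeline depends on `xargs -n 2` re-pairing a flat stream of whitespace-separated tokens, so any platform entry with a missing or empty `platform` value (under jq-style interpolation a missing key prints as `null` while an empty string prints nothing) can shift the pairing for every later entry, after which `docker pull --platform` is handed an image name as the platform. Reading each yq line into two variables keeps the fields together and makes the `--max-args` caveat in the comment above unnecessary: `yq '.platforms[] | "\(.platform) \(.image)"' < "$source_file" \` / `  | while read -r platform image; do docker pull --platform "$platform" "$image"; done`. A check that `$platform` is non-empty inside that loop, exiting with a message naming the image, would turn a malformed entry into a reported failure instead of an unclear error part-way through the list. The script's setup, including where `source_file` is assigned, is outside the hunk.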
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Sat, 11 May 2024 00:38:50 -0400
Subject: [PATCH 24/27] Update pre-commit hook versions
This is done automatically with the `pre-commit autoupdate` command. The pre-commit/mirrors-prettier was manually held back because the latest tags are for alpha releases of the next major version.
---
 .pre-commit-config.yaml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2c5b3c8..d315345 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -5,7 +5,7 @@ default_language_version:
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.5.0
+ rev: v4.6.0
 hooks:
 - id: check-case-conflict
 - id: check-executables-have-shebangs
@@ -31,7 +31,7 @@ repos:
 # Text file hooks
 - repo: https://github.com/igorshubovych/markdownlint-cli
- rev: v0.39.0
+ rev: v0.41.0
 hooks:
 - id: markdownlint
 args:
@@ -56,14 +56,14 @@ repos:
 # GitHub Actions hooks
 - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.28.0
+ rev: 0.28.4
 hooks:
 - id: check-github-actions
 - id: check-github-workflows
 # pre-commit hooks
 - repo: https://github.com/pre-commit/pre-commit
- rev: v3.6.2
+ rev: v3.7.1
 hooks:
 - id: validate_manifest
@@ -98,7 +98,7 @@ repos:
 # Shell script hooks
 - repo: https://github.com/scop/pre-commit-shfmt
- rev: v3.7.0-4
+ rev: v3.8.0-1
 hooks:
 - id: shfmt
 args:
@@ -116,19 +116,19 @@ repos:
 # Redirect operators are followed by a space
 - --space-redirects
 - repo: https://github.com/shellcheck-py/shellcheck-py
- rev: v0.9.0.6
+ rev: v0.10.0.1
 hooks:
 - id: shellcheck
 # Python hooks
 - repo: https://github.com/PyCQA/bandit
- rev: 1.7.7
+ rev: 1.7.8
 hooks:
 - id: bandit
 args:
 - --config=.bandit.yml
 - repo: https://github.com/psf/black-pre-commit-mirror
- rev: 24.2.0
+ rev: 24.4.2
 hooks:
 - id: black
 - repo: https://github.com/PyCQA/flake8
@@ -142,24 +142,24 @@ repos:
 hooks:
 - id: isort
 - repo: https://github.com/pre-commit/mirrors-mypy
- rev: v1.8.0
+ rev: v1.10.0
 hooks:
 - id: mypy
 - repo: https://github.com/asottile/pyupgrade
- rev: v3.15.1
+ rev: v3.15.2
 hooks:
 - id: pyupgrade
 # Ansible hooks
 - repo: https://github.com/ansible/ansible-lint
- rev: v24.2.0
+ rev: v24.6.0
 hooks:
 - id: ansible-lint
 # files: molecule/default/playbook.yml
 # Terraform hooks
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.88.0
+ rev: v1.90.0
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
From 8e55b8e24e047008b1fa80bc87a76163888e4e5e Mon Sep 17 00:00:00 2001
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Date: Thu, 6 Jun 2024 13:58:38 -0400
Subject: [PATCH 25/27] Manually update the prettier hook
Use the latest v3 release available from NPM.
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d315345..2ece2c0 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -46,7 +46,7 @@ repos:
 # mirror does not pull tags for old major versions once a new major
 # version tag is published.
 additional_dependencies:
- - prettier@3.2.5
+ - prettier@3.3.1
 - repo: https://github.com/adrienverge/yamllint
 rev: v1.35.1
 hooks:
From c617bb92af0bd01d0ef9bb7e51c007e34f91a915 Mon Sep 17 00:00:00 2001
From: Shane Frasier
Date: Thu, 6 Jun 2024 16:42:24 -0400
Subject: [PATCH 26/27] Correct commented-out ansible pin
The pin now agrees with what is in cisagov/skeleton-ansible-role.
Co-authored-by: Nick <50747025+mcdonnnj@users.noreply.github.com>
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a48e196..3071c44 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -163,7 +163,7 @@ repos:
 # necessary to add the ansible package itself as an
 # additional dependency, with the same pinning as is done in
 # requirements-test.txt of cisagov/skeleton-ansible-role.
- # - ansible>=8,<10
+ # - ansible>=9,<10
 # ansible-core 2.16.3 through 2.16.6 suffer from the bug
 # discussed in ansible/ansible#82702, which breaks any
 # symlinked files in vars, tasks, etc. for any Ansible role
From 8a80d42597075fe8390a77645aca0492095fff58 Mon Sep 17 00:00:00 2001
From: Jeremy Frasier
Date: Mon, 10 Jun 2024 11:39:58 -0400
Subject: [PATCH 27/27] Uncomment new Dependabot ignore directives from upstream
---
 .github/dependabot.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6c9c1bc..bddd051 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -20,8 +20,8 @@ updates:
 - dependency-name: mxschmitt/action-tmate
 - dependency-name: step-security/harden-runner
 # Managed by cisagov/skeleton-ansible-role
- # - dependency-name: docker/setup-buildx-action
- # - dependency-name: docker/setup-qemu-action
+ - dependency-name: docker/setup-buildx-action
+ - dependency-name: docker/setup-qemu-action
 - dependency-name: github/codeql-action
 package-ecosystem: github-actions
 schedule: