Improvements from upstream skeleton (#140)

* Insist that the cisagov devs are the owners of the .github directory

This additional clause must remain at the _end_ of the CODEOWNERS file
so that it cannot be overridden by a later clause.

We want to make it so that all the .github files including CODEOWNERS
are protected so only code owners (the dev team) can approve
modifications to them.

This will prevent configuration changes from breaking Actions and
other management-type functions that the files in this directory
control. By setting the .github files/folder to require code owner
approval for changes, workflow and management changes will require dev
team review and checking.

Resolves #56.

* Remove offending slash

Thanks to @dav3r and @mcdonnnj for the suggestion.

* Use the python version output by actions/setup-python

There is no need to run python code to determine the python version.
Resolves #58.

See here for details:
https://github.com/actions/setup-python/blob/main/action.yml#L14-L16

* Organize pre-commit hooks

Group related pre-commit hooks together. Make sure that hooks are
alphabetically sorted within those groups.

* Fix test job missing Python version in cache key

* Clean up our actions/cache step

Removed name because it was not more informative than the default. Swapped out
a hardcoded job reference for the github.job context value. Switch the base
cache key to a step environment value so we can set it once and reuse. Removed
additional restore-key value that might have undesirable results.

* Update remaining actions/cache uses

Make sure all actions/cache steps are in-line with the changes made to the lint
job's step.

* Update prettier hook details

Per prettier/prettier#8937 the pre-commit hook has
been moved to https://github.com/pre-commit/mirrors-prettier. I have also
updated to the latest version in that repository.

* Update black hook repo url

At some point the python GitHub organization renamed to psf (Python Software
Foundation). Although it redirects with no issue, I think it should be updated
to reflect the current repository URL.

* Remove trailing '.git's from repository URLs

Two hooks had trailing '.git's in the URLs. Although this is not a problem, we
should be consistent in how we format things.

* Enable two additional hooks from default pre-commit-hooks

Enabled 'check-case-conflict' because of our mixed Linux and macOS development.
Although APFS supports case-sensitive containers, it is not the default as far
as I am aware. Linux filesystems are typically case-sensitive however.

With the merge of cisagov/development-guide#42 we now
have a TOML file in a repository, so it does not hurt to add this hook in case
more are added in the future.

* Run pre-commit autoupdate

* Update repo URL for the isort hook

I missed that this repository was transfered from the creator, Timothy Crosley,
to the PyCQA organization.

* Update ansible-lint hook URL

* Run pre-commit autoupdate

* Add the pre-commit-packer repo and hooks

* Add the --strict flag to the yamllint pre-commot hook

The --strict flag will cause the yamllint hook to exit with a non-zero exit
code when warnings are found instead of only when errors are found.

Co-authored-by: Jeremy Frasier <jeremy.frasier@trio.dhs.gov>
Co-authored-by: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Co-authored-by: felddy <felddy@github.com>

.github/CODEOWNERS

@@ -1,7 +1,10 @@
 # Each line is a file pattern followed by one or more owners.
 
-# These owners will be the default owners for everything in
-# the repo. Unless a later match takes precedence,
-# these owners will be requested for review when someone
-# opens a pull request.
-*       @felddy
+# These owners will be the default owners for everything in the
+# repo. Unless a later match takes precedence, these owners will be
+# requested for review when someone opens a pull request.
+* @felddy
+
+# These folks own any files in the .github directory at the root of
+# the repository and any of its subdirectories.
+/.github/ @felddy

.github/ISSUE_TEMPLATE/config.yml

@@ -1,3 +1,4 @@
+---
 blank_issues_enabled: false
 contact_links:
   - name: 💬 Questions / Help

.github/workflows/build.yml

@@ -41,27 +41,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - id: setup-python
+        uses: actions/setup-python@v2
         with:
           python-version: 3.9
-      - name: Store installed Python version
-        run: |
-          echo "PY_VERSION="\
-          "$(python -c "import platform;print(platform.python_version())")" \
-          >> $GITHUB_ENV
-      - name: Cache linting environments
-        uses: actions/cache@v2
+      - uses: actions/cache@v2
+        env:
+          BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
+            py${{ steps.setup-python.outputs.python-version }}-"
         with:
           path: |
             ${{ env.PIP_CACHE_DIR }}
             ${{ env.PRE_COMMIT_CACHE_DIR }}
-          key: "lint-${{ runner.os }}-py${{ env.PY_VERSION }}-\
+          key: "${{ env.BASE_CACHE_KEY }}\
             ${{ hashFiles('**/requirements-test.txt') }}-\
             ${{ hashFiles('**/requirements.txt') }}-\
             ${{ hashFiles('**/.pre-commit-config.yaml') }}"
           restore-keys: |
-            lint-${{ runner.os }}-py${{ env.PY_VERSION }}-
-            lint-${{ runner.os }}-
+            ${{ env.BASE_CACHE_KEY }}
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
@@ -181,11 +178,13 @@ jobs:
         uses: docker/setup-buildx-action@v1
       - name: Cache Docker layers
         uses: actions/cache@v2
+        env:
+          BASE_CACHE_KEY: buildx-${{ runner.os }}-
         with:
           path: ${{ env.BUILDX_CACHE_DIR }}
-          key: buildx-${{ runner.os }}-${{ github.sha }}
+          key: ${{ env.BASE_CACHE_KEY }}${{ github.sha }}
           restore-keys: |
-            buildx-${{ runner.os }}-
+            ${{ env.BASE_CACHE_KEY }}
       - name: Create dist directory
         run: mkdir -p dist
       - name: Build image
@@ -305,18 +304,22 @@ jobs:
     needs: [build-normal]
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - id: setup-python
+        uses: actions/setup-python@v2
         with:
           python-version: 3.9
-      - name: Cache pip test requirements
+      - name: Cache testing environments
         uses: actions/cache@v2
+        env:
+          BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\
+            py${{ steps.setup-python.outputs.python-version }}-"
         with:
           path: ${{ env.PIP_CACHE_DIR }}
-          key: "test-${{ runner.os }}-\
+          key: "${{ env.BASE_CACHE_KEY }}\
             ${{ hashFiles('**/requirements-test.txt') }}-\
             ${{ hashFiles('**/requirements.txt') }}"
           restore-keys: |
-            test-${{ runner.os }}-
+            ${{ env.BASE_CACHE_KEY }}
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
@@ -410,11 +413,13 @@ jobs:
         uses: docker/setup-buildx-action@v1
       - name: Cache Docker layers
         uses: actions/cache@v2
+        env:
+          BASE_CACHE_KEY: buildx-${{ runner.os }}-
         with:
           path: ${{ env.BUILDX_CACHE_DIR }}
-          key: buildx-${{ runner.os }}-${{ github.sha }}
+          key: ${{ env.BASE_CACHE_KEY }}${{ github.sha }}
           restore-keys: |
-            buildx-${{ runner.os }}-
+            ${{ env.BASE_CACHE_KEY }}
       - name: Create cross-platform support Dockerfile-x
         run: ./buildx-dockerfile.sh
       - name: Build and push platform images to Docker Hub

.pre-commit-config.yaml

@@ -5,11 +5,13 @@ default_language_version:
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v3.2.0
+    rev: v3.4.0
     hooks:
+      - id: check-case-conflict
       - id: check-executables-have-shebangs
       - id: check-json
       - id: check-merge-conflict
+      - id: check-toml
       - id: check-xml
       - id: debug-statements
       - id: detect-aws-credentials
@@ -27,33 +29,34 @@ repos:
           - --autofix
       - id: requirements-txt-fixer
       - id: trailing-whitespace
+
+  # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.24.0
+    rev: v0.26.0
     hooks:
       - id: markdownlint
         args:
           - --config=.mdl_config.json
+  - repo: https://github.com/pre-commit/mirrors-prettier
+    rev: v2.2.1
+    hooks:
+      - id: prettier
   - repo: https://github.com/adrienverge/yamllint
     rev: v1.25.0
     hooks:
       - id: yamllint
+        args:
+          - --strict
+
+  # Shell script hooks
   - repo: https://github.com/detailyang/pre-commit-shell
     rev: 1.0.5
     hooks:
       - id: shell-lint
-  - repo: https://gitlab.com/pycqa/flake8
-    rev: 3.8.4
-    hooks:
-      - id: flake8
-        additional_dependencies:
-          - flake8-docstrings
-  - repo: https://github.com/asottile/pyupgrade
-    rev: v2.7.2
-    hooks:
-      - id: pyupgrade
-  # Run bandit on "tests" tree with a configuration
+
+  # Python hooks
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.6.2
+    rev: 1.7.0
     hooks:
       - id: bandit
         name: bandit (tests tree)
@@ -62,7 +65,7 @@ repos:
           - --config=.bandit.yml
   # Run bandit everything but tests directory
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.6.1
+    rev: 1.7.0
     hooks:
       - id: bandit
         name: bandit (everything else)
@@ -71,16 +74,35 @@ repos:
     rev: 20.8b1
     hooks:
       - id: black
-  - repo: https://github.com/timothycrosley/isort
-    rev: 5.6.4
+  - repo: https://gitlab.com/pycqa/flake8
+    rev: 3.8.4
+    hooks:
+      - id: flake8
+        additional_dependencies:
+          - flake8-docstrings
+  - repo: https://github.com/PyCQA/isort
+    rev: 5.7.0
     hooks:
       - id: isort
-  - repo: https://github.com/ansible/ansible-lint.git
-    rev: v4.3.5
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v0.790
+    hooks:
+      - id: mypy
+  - repo: https://github.com/asottile/pyupgrade
+    rev: v2.7.4
+    hooks:
+      - id: pyupgrade
+
+  # Ansible hooks
+  - repo: https://github.com/ansible-community/ansible-lint
+    rev: v4.3.7
     hooks:
       - id: ansible-lint
-  - repo: https://github.com/antonbabenko/pre-commit-terraform.git
-    rev: v1.43.0
+      # files: molecule/default/playbook.yml
+
+  # Terraform hooks
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.45.0
     hooks:
       - id: terraform_fmt
       # There are ongoing issues with how this command works. This issue
@@ -99,15 +121,16 @@ repos:
       # above have been resolved, which we hope will be with the release of
       # Terraform 0.13.
       # - id: terraform_validate
+
+  # Docker hooks
   - repo: https://github.com/IamTheFij/docker-pre-commit
     rev: v2.0.0
     hooks:
       - id: docker-compose-check
-  - repo: https://github.com/prettier/pre-commit
-    rev: v2.1.2
-    hooks:
-      - id: prettier
-  - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v0.790
+
+  # Packer hooks
+  - repo: https://github.com/cisagov/pre-commit-packer
+    rev: v0.0.2
     hooks:
-      - id: mypy
+      - id: packer_validate
+      - id: packer_fmt