From 7f23014e5a994ed555c52e329191934d108da05c Mon Sep 17 00:00:00 2001 
From: Mark Feldhousen Date: Thu, 7 Jan 2021 14:47:41 -0500 Subject: [PATCH] Improvements from upstream skeleton (#140) * Insist that the cisagov devs are the owners of the .github directory This additional clause must remain at the _end_ of the CODEOWNERS file so that it cannot be overridden by a later clause. We want to make it so that all the .github files including CODEOWNERS are protected so only code owners (the dev team) can approve modifications to them. This will prevent configuration changes from breaking Actions and other management-type functions that the files in this directory control. By setting the .github files/folder to require code owner approval for changes, workflow and management changes will require dev team review and checking. Resolves #56. * Remove offending slash Thanks to @dav3r and @mcdonnnj for the suggestion. * Use the python version output by actions/setup-python There is no need to run python code to determine the python version. Resolves #58. See here for details: https://github.com/actions/setup-python/blob/main/action.yml#L14-L16 * Organize pre-commit hooks Group related pre-commit hooks together. Make sure that hooks are alphabetically sorted within those groups. * Fix test job missing Python version in cache key * Clean up our actions/cache step Removed name because it was not more informative than the default. Swapped out a hardcoded job reference for the github.job context value. Switch the base cache key to a step environment value so we can set it once and reuse. Removed additional restore-key value that might have undesirable results. * Update remaining actions/cache uses Make sure all actions/cache steps are in-line with the changes made to the lint job's step. * Update prettier hook details Per https://github.com/prettier/prettier/pull/8937 the pre-commit hook has been moved to https://github.com/pre-commit/mirrors-prettier. I have also updated to the latest version in that repository. 
* Update black hook repo url At some point the python GitHub organization renamed to psf (Python Software Foundation). Although it redirects with no issue, I think it should be updated to reflect the current repository URL. * Remove trailing '.git's from repository URLs Two hooks had trailing '.git's in the URLs. Although this is not a problem, we should be consistent in how we format things. * Enable two additional hooks from default pre-commit-hooks Enabled 'check-case-conflict' because of our mixed Linux and macOS development. Although APFS supports case-sensitive containers, it is not the default as far as I am aware. Linux filesystems are typically case-sensitive however. With the merge of https://github.com/cisagov/development-guide/pull/42 we now have a TOML file in a repository, so it does not hurt to add this hook in case more are added in the future. * Run pre-commit autoupdate * Update repo URL for the isort hook I missed that this repository was transferred from the creator, Timothy Crosley, to the PyCQA organization. * Update ansible-lint hook URL * Run pre-commit autoupdate * Add the pre-commit-packer repo and hooks * Add the --strict flag to the yamllint pre-commit hook The --strict flag will cause the yamllint hook to exit with a non-zero exit code when warnings are found instead of only when errors are found. Co-authored-by: Jeremy Frasier Co-authored-by: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Co-authored-by: felddy --- .github/CODEOWNERS | 13 +++-- .github/ISSUE_TEMPLATE/config.yml | 1 + .github/workflows/build.yml | 43 +++++++++-------- .pre-commit-config.yaml | 79 ++++++++++++++++++++----------- 4 files changed, 84 insertions(+), 52 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 0918a36e..f2b493d9 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -1,7 +1,10 @@
 # Each line is a file pattern followed by one or more owners.
-# These owners will be the default owners for everything in
-# the repo. Unless a later match takes precedence,
-# these owners will be requested for review when someone
-# opens a pull request.
-* @felddy
+# These owners will be the default owners for everything in the
+# repo. Unless a later match takes precedence, these owners will be
+# requested for review when someone opens a pull request.
+* @felddy
+
+# These folks own any files in the .github directory at the root of
+# the repository and any of its subdirectories.
+/.github/ @felddy
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
index dce0efb1..a43b5508 100644
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,3 +1,4 @@
+---
 blank_issues_enabled: false
 contact_links:
 - name: 💬 Questions / Help
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index aab20a2d..42efd60f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
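Review bot: The new `/.github/ @felddy` rule does not by itself block anyone from changing workflow files; on GitHub a CODEOWNERS entry only drives review requests, and the protection the commit message describes takes effect only when the branch protection rule that requires code-owner review is enabled for the protected branch, which this file cannot express. Recording that dependency in the comment keeps it from being lost, e.g. after `# the repository and any of its subdirectories.` add `# Only enforced when branch protection requires code owner review.`. With a single owner listed, that owner's own pull requests touching `.github/` cannot be self-approved, so a second owner or a team may be needed for that case. The rule is correctly placed last so that no later pattern overrides it.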
@@ -41,27 +41,24 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - uses: actions/setup-python@v2 + - id: setup-python + uses: actions/setup-python@v2 with: python-version: 3.9 - - name: Store installed Python version - run: | - echo "PY_VERSION="\ - "$(python -c "import platform;print(platform.python_version())")" \ - >> $GITHUB_ENV - - name: Cache linting environments - uses: actions/cache@v2 + - uses: actions/cache@v2 + env: + BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ + py${{ steps.setup-python.outputs.python-version }}-" with: path: | ${{ env.PIP_CACHE_DIR }} ${{ env.PRE_COMMIT_CACHE_DIR }} - key: "lint-${{ runner.os }}-py${{ env.PY_VERSION }}-\ + key: "${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ ${{ hashFiles('**/.pre-commit-config.yaml') }}" restore-keys: | - lint-${{ runner.os }}-py${{ env.PY_VERSION }}- - lint-${{ runner.os }}- + ${{ env.BASE_CACHE_KEY }} - name: Install dependencies run: | python -m pip install --upgrade pip @@ -181,11 +178,13 @@ jobs: uses: docker/setup-buildx-action@v1 - name: Cache Docker layers uses: actions/cache@v2 + env: + BASE_CACHE_KEY: buildx-${{ runner.os }}- with: path: ${{ env.BUILDX_CACHE_DIR }} - key: buildx-${{ runner.os }}-${{ github.sha }} + key: ${{ env.BASE_CACHE_KEY }}${{ github.sha }} restore-keys: | - buildx-${{ runner.os }}- + ${{ env.BASE_CACHE_KEY }} - name: Create dist directory run: mkdir -p dist - name: Build image 
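Review bot: The new `- id: setup-python` / `uses: actions/setup-python@v2` step and the `- uses: actions/cache@v2` step that replaces the named cache step still reference the actions by a mutable major-version tag, so the action code that runs in this job can change upstream without any change to this repository; the same applies to the `actions/cache@v2` steps in the `@@ -181,11 +178,13 @@`, `@@ -305,18 +304,22 @@` and `@@ -410,11 +413,13 @@` hunks. Pinning to a full-length commit SHA with the version in a trailing comment, `uses: actions/cache@<full-commit-sha>  # v2`, keeps the dependency verifiable, which matters most for the later jobs that push images to Docker Hub. In the same step, the unquoted `python-version: 3.9` is a context line rather than new code, but it is parsed as a float; `python-version: "3.9"` avoids the `3.10` → `3.1` surprise when the version is next bumped. The enclosing job definition starts before this hunk.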
@@ -305,18 +304,22 @@ jobs: needs: [build-normal] steps: - uses: actions/checkout@v2 - - uses: actions/setup-python@v2 + - id: setup-python + uses: actions/setup-python@v2 with: python-version: 3.9 - - name: Cache pip test requirements + - name: Cache testing environments uses: actions/cache@v2 + env: + BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ + py${{ steps.setup-python.outputs.python-version }}-" with: path: ${{ env.PIP_CACHE_DIR }} - key: "test-${{ runner.os }}-\ + key: "${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}" restore-keys: | - test-${{ runner.os }}- + ${{ env.BASE_CACHE_KEY }} - name: Install dependencies run: | python -m pip install --upgrade pip @@ -410,11 +413,13 @@ jobs: uses: docker/setup-buildx-action@v1 - name: Cache Docker layers uses: actions/cache@v2 + env: + BASE_CACHE_KEY: buildx-${{ runner.os }}- with: path: ${{ env.BUILDX_CACHE_DIR }} - key: buildx-${{ runner.os }}-${{ github.sha }} + key: ${{ env.BASE_CACHE_KEY }}${{ github.sha }} restore-keys: | - buildx-${{ runner.os }}- + ${{ env.BASE_CACHE_KEY }} - name: Create cross-platform support Dockerfile-x run: ./buildx-dockerfile.sh - name: Build and push platform images to Docker Hub diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f1c3ba1e..2857f39a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,11 +5,13 @@ default_language_version: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v3.4.0 hooks: + - id: check-case-conflict - id: check-executables-have-shebangs - id: check-json - id: check-merge-conflict + - id: check-toml - id: check-xml - id: debug-statements - id: detect-aws-credentials 
@@ -27,33 +29,34 @@ repos: - --autofix - id: requirements-txt-fixer - id: trailing-whitespace + + # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.24.0 + rev: v0.26.0 hooks: - id: markdownlint args: - --config=.mdl_config.json + - repo: https://github.com/pre-commit/mirrors-prettier + rev: v2.2.1 + hooks: + - id: prettier - repo: https://github.com/adrienverge/yamllint rev: v1.25.0 hooks: - id: yamllint + args: + - --strict + + # Shell script hooks - repo: https://github.com/detailyang/pre-commit-shell rev: 1.0.5 hooks: - id: shell-lint - - repo: https://gitlab.com/pycqa/flake8 - rev: 3.8.4 - hooks: - - id: flake8 - additional_dependencies: - - flake8-docstrings - - repo: https://github.com/asottile/pyupgrade - rev: v2.7.2 - hooks: - - id: pyupgrade - # Run bandit on "tests" tree with a configuration + + # Python hooks - repo: https://github.com/PyCQA/bandit - rev: 1.6.2 + rev: 1.7.0 hooks: - id: bandit name: bandit (tests tree) @@ -62,7 +65,7 @@ repos: - --config=.bandit.yml # Run bandit everything but tests directory - repo: https://github.com/PyCQA/bandit - rev: 1.6.1 + rev: 1.7.0 hooks: - id: bandit name: bandit (everything else) 
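Review bot: The `# Run bandit on "tests" tree with a configuration` comment above the first bandit entry is replaced by the `# Python hooks` group header, while the second bandit entry in the `@@ -62,7 +65,7 @@` hunk keeps its `# Run bandit everything but tests directory` comment, so the reason for listing the same hook twice is now only half explained. Restore a line directly above the first `- repo: https://github.com/PyCQA/bandit`, e.g. `# Run bandit on the "tests" tree with its own configuration`, so the pair reads symmetrically. The hook list continues past the end of this hunk.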
@@ -71,16 +74,35 @@ repos: rev: 20.8b1 hooks: - id: black - - repo: https://github.com/timothycrosley/isort - rev: 5.6.4 + - repo: https://gitlab.com/pycqa/flake8 + rev: 3.8.4 + hooks: + - id: flake8 + additional_dependencies: + - flake8-docstrings + - repo: https://github.com/PyCQA/isort + rev: 5.7.0 hooks: - id: isort - - repo: https://github.com/ansible/ansible-lint.git - rev: v4.3.5 + - repo: https://github.com/pre-commit/mirrors-mypy + rev: v0.790 + hooks: + - id: mypy + - repo: https://github.com/asottile/pyupgrade + rev: v2.7.4 + hooks: + - id: pyupgrade + + # Ansible hooks + - repo: https://github.com/ansible-community/ansible-lint + rev: v4.3.7 hooks: - id: ansible-lint - - repo: https://github.com/antonbabenko/pre-commit-terraform.git - rev: v1.43.0 + # files: molecule/default/playbook.yml + + # Terraform hooks + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.45.0 hooks: - id: terraform_fmt # There are ongoing issues with how this command works. This issue @@ -99,15 +121,16 @@ repos: # above have been resolved, which we hope will be with the release of # Terraform 0.13. # - id: terraform_validate + + # Docker hooks - repo: https://github.com/IamTheFij/docker-pre-commit rev: v2.0.0 hooks: - id: docker-compose-check - - repo: https://github.com/prettier/pre-commit - rev: v2.1.2 - hooks: - - id: prettier - - repo: https://github.com/pre-commit/mirrors-mypy - rev: v0.790 + + # Packer hooks + - repo: https://github.com/cisagov/pre-commit-packer + rev: v0.0.2 hooks: - - id: mypy + - id: packer_validate + - id: packer_fmt
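Review bot: The `# files: molecule/default/playbook.yml` line added under the ansible-lint hook is a commented-out setting with no explanation, so a later reader cannot tell whether it is a pending change, an example, or something deliberately disabled. Either remove it or precede it with a one-line reason, e.g. `# Disabled on purpose: uncomment to restrict ansible-lint to the molecule playbook`, adjusted to the actual intent, which the hunk does not show. The `# Terraform hooks` group that follows continues past the end of this hunk.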