

Merge pull request #55 from cisagov/lineage/skeleton
⚠️ CONFLICT! Lineage pull request for: skeleton
jsf9k authored Jun 26, 2024
2 parents be9ebca + fbcaae9 commit d504cb6
Showing 11 changed files with 273 additions and 41 deletions.
2 changes: 2 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -20,6 +20,8 @@ updates:
- dependency-name: mxschmitt/action-tmate
- dependency-name: step-security/harden-runner
# Managed by cisagov/skeleton-ansible-role
- dependency-name: docker/setup-buildx-action
- dependency-name: docker/setup-qemu-action
- dependency-name: github/codeql-action
# Managed by cisagov/skeleton-ansible-role-with-test-user
- dependency-name: aws-actions/configure-aws-credentials
30 changes: 29 additions & 1 deletion .github/workflows/build.yml
Expand Up @@ -169,12 +169,33 @@ jobs:
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE
test:
name: >-
test (${{ matrix.scenario }}) -
${{ matrix.platform }}-${{ matrix.architecture }}
needs:
- diagnostics
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
architecture:
- amd64
- arm64
platform:
# The cyhy-archive command from cyhy-core is still Python 2
# and with distributions ending support for Python 2 we can
# only support a limited number of platforms.
# - amazonlinux2023-systemd
- debian10-systemd
# - debian11-systemd
# - debian12-systemd
# - debian13-systemd
# - fedora39-systemd
# - fedora40-systemd
# - kali-systemd
# - ubuntu-20-systemd
# - ubuntu-22-systemd
# - ubuntu-24-systemd
scenario:
- default
steps:
Expand Down Expand Up @@ -205,6 +226,10 @@ jobs:
run: |
python -m pip install --upgrade pip
pip install --upgrade --requirement requirements-test.txt
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Assume AWS test role
uses: aws-actions/configure-aws-credentials@v4
with:
Expand All @@ -214,7 +239,10 @@ jobs:
role-to-assume: ${{ secrets.TEST_ROLE_TO_ASSUME }}
role-duration-seconds: 3600
- name: Run molecule tests
run: molecule test --scenario-name ${{ matrix.scenario }}
run: >-
molecule test
--platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
--scenario-name ${{ matrix.scenario }}
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@v3
if: env.RUN_TMATE
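Review bot: The two new steps in the second hunk, `uses: docker/setup-qemu-action@v3` and `uses: docker/setup-buildx-action@v3`, reference mutable major-version tags, so the code that runs in this job can change with no change to this repository. Pinning each to a full commit SHA with the version kept in a trailing comment (`uses: docker/setup-qemu-action@<commit-sha>  # v3`) makes the job reproducible, and Dependabot can still bump SHA pins, although the dependabot.yml hunk appears to place these two actions under the skeleton's management rather than this repository's. This follows the tag style of the surrounding steps, so it would be a repository-wide change rather than a fix confined to this hunk. The test job continues outside the hunks on both sides.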
51 changes: 35 additions & 16 deletions .pre-commit-config.yaml
Expand Up @@ -5,7 +5,7 @@ default_language_version:

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
rev: v4.6.0
hooks:
- id: check-case-conflict
- id: check-executables-have-shebangs
Expand All @@ -31,7 +31,7 @@ repos:

# Text file hooks
- repo: https://github.com/igorshubovych/markdownlint-cli
rev: v0.39.0
rev: v0.41.0
hooks:
- id: markdownlint
args:
Expand All @@ -46,7 +46,7 @@ repos:
# mirror does not pull tags for old major versions once a new major
# version tag is published.
additional_dependencies:
- prettier@3.2.5
- prettier@3.3.1
- repo: https://github.com/adrienverge/yamllint
rev: v1.35.1
hooks:
Expand All @@ -56,14 +56,14 @@ repos:

# GitHub Actions hooks
- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.28.0
rev: 0.28.4
hooks:
- id: check-github-actions
- id: check-github-workflows

# pre-commit hooks
- repo: https://github.com/pre-commit/pre-commit
rev: v3.6.2
rev: v3.7.1
hooks:
- id: validate_manifest

Expand Down Expand Up @@ -98,7 +98,7 @@ repos:

# Shell script hooks
- repo: https://github.com/scop/pre-commit-shfmt
rev: v3.7.0-4
rev: v3.8.0-1
hooks:
- id: shfmt
args:
Expand All @@ -116,21 +116,22 @@ repos:
# Redirect operators are followed by a space
- --space-redirects
- repo: https://github.com/shellcheck-py/shellcheck-py
rev: v0.9.0.6
rev: v0.10.0.1
hooks:
- id: shellcheck

# Python hooks
- repo: https://github.com/PyCQA/bandit
rev: 1.7.7
rev: 1.7.8
hooks:
- id: bandit
# Bandit complains about the use of assert() in tests
exclude: molecule/(default|systemd_enabled)/tests
# Bandit complains about the use of assert() in tests. This should cover
# the tests/ subdirectory for any molecule scenario.
exclude: molecule/[^/]+/tests
args:
- --config=.bandit.yml
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 24.2.0
rev: 24.4.2
hooks:
- id: black
- repo: https://github.com/PyCQA/flake8
Expand All @@ -144,24 +145,42 @@ repos:
hooks:
- id: isort
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.8.0
rev: v1.10.0
hooks:
- id: mypy
- repo: https://github.com/asottile/pyupgrade
rev: v3.15.1
rev: v3.15.2
hooks:
- id: pyupgrade

# Ansible hooks
- repo: https://github.com/ansible/ansible-lint
rev: v24.2.0
rev: v24.6.0
hooks:
- id: ansible-lint
# files: molecule/default/playbook.yml
additional_dependencies:
# On its own ansible-lint does not pull in ansible, only
# ansible-core. Therefore, if an Ansible module lives in
# ansible instead of ansible-core, the linter will complain
# that the module is unknown. In these cases it is
# necessary to add the ansible package itself as an
# additional dependency, with the same pinning as is done in
# requirements-test.txt of cisagov/skeleton-ansible-role.
# - ansible>=9,<10
# ansible-core 2.16.3 through 2.16.6 suffer from the bug
# discussed in ansible/ansible#82702, which breaks any
# symlinked files in vars, tasks, etc. for any Ansible role
# installed via ansible-galaxy. Hence we never want to
# install those versions.
#
# Note that any changes made to this dependency must also be
# made in requirements.txt in cisagov/skeleton-packer and
# requirements-test.txt in cisagov/skeleton-ansible-role.
- ansible-core>=2.16.7

# Terraform hooks
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.88.0
rev: v1.90.0
hooks:
- id: terraform_fmt
- id: terraform_validate
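Review bot: The widened bandit `exclude: molecule/[^/]+/tests` in the fifth hunk is unanchored, and pre-commit applies include/exclude patterns as a regex search rather than a full match, so it also removes from the bandit scan any path that merely contains that substring, such as a `tests`-prefixed file under a scenario or the same layout nested deeper in the tree. Anchoring it, `exclude: ^molecule/[^/]+/tests/`, limits the exclusion to the per-scenario tests directories the comment describes. The search-versus-fullmatch behaviour is from memory and worth confirming against the pre-commit documentation before changing it.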
2 changes: 1 addition & 1 deletion meta/main.yml
Expand Up @@ -12,7 +12,7 @@ galaxy_info:
galaxy_tags:
- cyhy
- archive
license: CC0
license: CC0-1.0
# With the release of version 2.10, Ansible finally correctly
# identifies Kali Linux as being the Kali distribution of the Debian
# OS family. This simplifies a lot of things for roles that support
49 changes: 49 additions & 0 deletions molecule/default/externally-managed-python.yml
@@ -0,0 +1,49 @@
---
# This is in place to restore a destructive action in geerlingguy's Ansible
# Docker images that we use for testing. The change is fine for the intended
# purpose of the images but not for how we use them.
- name: Ensure Python is marked as externally managed if appropriate
hosts: all
become: true
become_method: ansible.builtin.sudo
tasks:
- name: Ensure Python is marked as externally managed
when:
- ansible_distribution in ["Debian", "Ubuntu"]
- ansible_distribution_release not in ["bullseye", "buster", "focal", "jammy"]
block:
- name: Gather package facts
ansible.builtin.package_facts:
manager: auto

- name: Ensure the EXTERNALLY-MANAGED file is present if Python 3 is installed
when: '"python3" in ansible_facts.packages'
block:
# This gets a unique list of installed Python packages in the form of major.minor
# by taking the list of installed Python packages and:
# 1. Extracting the version from each package's information
# 2. Removing any version information after the major.minor version
# 3. Ensuring there are no duplicates
#
# NOTE:
# Since the value of python_versions is a multiline string, the regex expressions used in
# the regex_replace filter must use single backslashes for special sequences. If the value
# of python_versions were to be changed from a multiline string, the special sequences
# must be modified to use double backslashes instead. This is due to how the YAML is
# processed when Ansible reads the playbook.
- name: Extract version information about installed Python packages
ansible.builtin.set_fact:
python_versions: >-
{{
ansible_facts.packages["python3"]
| map(attribute="version")
| map("regex_replace", "^(\d+\.\d+)\.\d+.*$", "\1")
| unique
}}
- name: Restore EXTERNALLY-MANAGED file for Python
ansible.builtin.template:
dest: /usr/lib/python{{ item }}/EXTERNALLY-MANAGED
mode: 0644
src: EXTERNALLY-MANAGED.j2
loop: "{{ python_versions }}"
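Review bot: `mode: 0644` on the template task is an unquoted plain scalar, which the YAML 1.1-style loader Ansible uses reads as the integer 420 rather than the string "0644"; Ansible usually copes, but its documentation recommends quoting octal modes because the integer form can be misinterpreted in loops and other contexts, and this task is driven by a `loop:`. Writing `mode: "0644"` avoids the ambiguity, and the ansible-lint hook in .pre-commit-config.yaml has a rule (risky-octal) that flags exactly this form, so the current line may fail that hook. The hunk header counts 49 added lines while 48 are rendered here, so one line, probably a blank, may be missing from this view.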

