diff --git a/.bandit.yml b/.bandit.yml
deleted file mode 100644
index ab3cb21..0000000
--- a/.bandit.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-# Configuration file for the Bandit python security scanner
-# https://bandit.readthedocs.io/en/latest/config.html
-
-# Tests are first included by `tests`, and then excluded by `skips`.
-# If `tests` is empty, all tests are considered included.
-
-tests:
-# - B101
-# - B102
-
-skips:
-# - B101 # skip "assert used" check since assertions are required in pytests
diff --git a/.flake8 b/.flake8
index 92ff826..e9271ff 100644
--- a/.flake8
+++ b/.flake8
@@ -1,25 +1,40 @@
 [flake8]
 max-line-length = 80
+
 # Select (turn on)
-# * Complexity violations reported by mccabe (C) -
-# http://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes
-# * Documentation conventions compliance reported by pydocstyle (D) -
-# http://www.pydocstyle.org/en/stable/error_codes.html
-# * Default errors and warnings reported by pycodestyle (E and W) -
+# * C: Complexity violations reported by mccabe -
+# https://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes
+# * C4: Default errors and warnings reported by flake8-comprehensions -
+# https://github.com/adamchainz/flake8-comprehensions#rules
+# * D: Documentation conventions compliance reported by pydocstyle -
+# https://github.com/PyCQA/pydocstyle/blob/master/docs/error_codes.rst
+# * DUO: Default errors and warnings reported by dlint -
+# https://github.com/dlint-py/dlint/tree/master/docs
+# * E: Default errors reported by pycodestyle -
 # https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes
-# * Default errors reported by pyflakes (F) -
-# http://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes
-# * Default warnings reported by flake8-bugbear (B) -
+# * F: Default errors reported by pyflakes -
+# https://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes
+# * N: Default errors and warnings reported by pep8-naming -
+# https://github.com/PyCQA/pep8-naming#error-codes
+# * NQA: Default errors and warnings reported by flake8-noqa -
+# https://github.com/plinss/flake8-noqa#error-codes
+# * W: Default warnings reported by pycodestyle -
+# https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes
+# * B: Default warnings reported by flake8-bugbear -
 # https://github.com/PyCQA/flake8-bugbear#list-of-warnings
-# * The B950 flake8-bugbear opinionated warning -
+# * B950: Bugbear opinionated warning for line too long -
 # https://github.com/PyCQA/flake8-bugbear#opinionated-warnings
-select = C,D,E,F,W,B,B950
-# Ignore flake8's default warning about maximum line length, which has
-# a hard stop at the configured value. Instead we use
-# flake8-bugbear's B950, which allows up to 10% overage.
-#
-# Also ignore flake8's warning about line breaks before binary
-# operators. It no longer agrees with PEP8. See, for example, here:
-# https://github.com/ambv/black/issues/21. Guido agrees here:
-# https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b.
-ignore = E501,W503
+select = C,C4,D,DUO,E,F,N,NQA,W,B,B950
+
+# Ignore
+# * E203: pycodestyle's default warning about whitespace before ':' because Black enforces
+# an equal amount of whitespace around slice operators (':').
+# * E501: pycodestyle's default warning about maximum line length, which has a hard stop
+# at the configured value. Instead we use flake8-bugbear's B950, which
+# allows up to 10% overage.
+# * W503: pycodestyle's warning about line breaks before binary operators. It no longer
+# agrees with PEP8. See, for example, here:
+# https://github.com/ambv/black/issues/21
+# Guido agrees here:
+# https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b
+ignore = E203,E501,W503
diff --git a/.github/labeler.yml b/.github/labeler.yml
index 05478bd..b720437 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -61,7 +61,6 @@ test:
 - any-glob-to-any-file:
 # Add any test-related files or paths.
 - .ansible-lint
- - .bandit.yml
 - .flake8
 - .isort.cfg
 - .mdl_config.yaml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fddf200..b28c58b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -149,12 +149,12 @@ jobs:
 - uses: hashicorp/setup-packer@v3
 with:
 version: ${{ steps.setup-env.outputs.packer-version }}
- - uses: hashicorp/setup-terraform@v3
+ - uses: hashicorp/setup-terraform@v4
 with:
 terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
 - name: Install go-critic
 env:
- PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
+ PACKAGE_URL: github.com/go-critic/go-critic/cmd/go-critic
 PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
 run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
 - name: Install goimports
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index f60bc84..a8d01be 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -87,7 +87,7 @@ jobs:
 - uses: actions/checkout@v6
 - name: Sync repository labels
 if: success()
- uses: crazy-max/ghaction-github-labeler@v5
+ uses: crazy-max/ghaction-github-labeler@v6
 with:
 # This is a hideous ternary equivalent so we only do a dry run unless
 # this workflow is triggered by the develop branch.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9a10fe9..ba843d6 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -45,7 +45,7 @@ repos:
 
 # Text file hooks
 - repo: https://github.com/igorshubovych/markdownlint-cli
- rev: v0.47.0
+ rev: v0.48.0
 hooks:
 - id: markdownlint
 args:
@@ -63,7 +63,7 @@ repos:
 
 # GitHub Actions hooks
 - repo: https://github.com/python-jsonschema/check-jsonschema
- rev: 0.36.2
+ rev: 0.37.0
 hooks:
 - id: check-github-actions
 - id: check-github-workflows
@@ -105,7 +105,7 @@ repos:
 
 # Shell script hooks
 - repo: https://github.com/scop/pre-commit-shfmt
- rev: v3.12.0-2
+ rev: v3.13.0-1
 hooks:
 - id: shfmt
 args:
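Review bot: The bumped `- uses: hashicorp/setup-terraform@v4` is pinned to a mutable major tag, as are `hashicorp/setup-packer@v3` in the same hunk and `crazy-max/ghaction-github-labeler@v6` in the sync-labels.yml hunk; a tag can be moved to different code after this review, so for supply-chain integrity pin each action to its full commit SHA and keep the version in a trailing comment, e.g. `- uses: hashicorp/setup-terraform@<commit-sha> # v4`. The PACKAGE_URL change to `cmd/go-critic` cannot be checked from this page; the `go install` step that follows will fail loudly if the path does not exist at the pinned version, so a CI run is the confirmation. Since `PACKAGE_VERSION` is taken from `steps.setup-env.outputs.go-critic-version`, it is worth confirming that output is an exact tag rather than `latest`, or the install is not reproducible. The enclosing job starts before this hunk and continues after it.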
@@ -129,13 +129,11 @@ repos:
 
 # Python hooks
 - repo: https://github.com/PyCQA/bandit
- rev: 1.9.3
+ rev: 1.9.4
 hooks:
 - id: bandit
- args:
- - --config=.bandit.yml
 - repo: https://github.com/psf/black-pre-commit-mirror
- rev: 26.1.0
+ rev: 26.3.1
 hooks:
 - id: black
 - repo: https://github.com/PyCQA/flake8
@@ -143,9 +141,14 @@ repos:
 hooks:
 - id: flake8
 additional_dependencies:
+ - dlint==0.16.0
+ - flake8-bugbear==25.11.29
+ - flake8-comprehensions==3.17.0
 - flake8-docstrings==1.7.0
+ - flake8-noqa==1.5.0
+ - pep8-naming==0.15.1
 - repo: https://github.com/PyCQA/isort
- rev: 8.0.0
+ rev: 8.0.1
 hooks:
 - id: isort
 - repo: https://github.com/pre-commit/mirrors-mypy
@@ -157,6 +160,22 @@ repos:
 hooks:
 - id: pip-audit
 args:
+ # We have to ignore this vulnerability for now since an
+ # update for pygments has not yet been released.
+ #
+ # In any event, this vulnerability is unlikely to cause us
+ # any problems since we don't feed any regexes to pygments
+ # directly. pygments is pulled in as a dependency of
+ # pytest.
+ #
+ # See also:
+ # - https://nvd.nist.gov/vuln/detail/CVE-2026-4539
+ # - https://github.com/pygments/pygments/issues/3058
+ #
+ # TODO: Remove this when it becomes possible. See
+ # cisagov/skeleton-generic#257 for more details.
+ - --ignore-vuln
+ - CVE-2026-4539
 # Add any pip requirements files to scan
 - --requirement
 - requirements-dev.txt
@@ -177,6 +196,9 @@ repos:
 
 # Ansible hooks
 - repo: https://github.com/ansible/ansible-lint
+ # We need to stay on this version because we are still using Python 3.13 in
+ # our GitHub Actions configuration. Later versions require Python 3.14 for
+ # the hook to run.
 rev: v26.1.1
 hooks:
 - id: ansible-lint
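Review bot: The `--ignore-vuln CVE-2026-4539` waiver added under `args:` in the pip-audit hunk has no expiry or version bound, and the comment's rationale (pygments is reached only through pytest and is never handed regexes directly) is an assumption nothing in this hunk verifies. I would add the fixed pygments release to the comment, `# Drop once requirements-dev.txt resolves pygments >= <fixed version>`, so the waiver is removed as soon as the fix ships rather than when someone revisits the TODO. Bear in mind the ignore is not scoped to a file: it applies to every `--requirement` passed to this hook. If the pinned pip-audit does not match ignore IDs against aliases, the vulnerability service may report this finding under a PYSEC or GHSA identifier and the hook would keep failing; the hook's `- repo:` entry and `rev` are outside this hunk.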
@@ -207,6 +229,15 @@ repos:
 hooks:
 - id: terraform_fmt
 - id: terraform_validate
+ # This needs to run after the terraform_validate hook so that any Terraform
+ # configurations are initialized.
+ - id: terraform_providers_lock
+ args:
+ - --args=-platform=darwin_amd64
+ - --args=-platform=darwin_arm64
+ - --args=-platform=linux_amd64
+ - --args=-platform=linux_arm64
+ - --hook-config=--mode=always-regenerate-lockfile
 
 # Docker hooks
 - repo: https://github.com/IamTheFij/docker-pre-commit
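Review bot: `--hook-config=--mode=always-regenerate-lockfile` makes the new terraform_providers_lock hook rewrite `.terraform.lock.hcl` on every run, so the provider hashes that file exists to pin are recomputed from whatever the registry currently serves instead of being compared against what was previously reviewed; a changed upstream artifact would then show up only as an incidental lock-file diff in an unrelated commit, if anyone notices. Unless regeneration is needed to seed the four added `-platform` entries, the hook's check-only mode (which I believe is its default) leaves the committed hashes as the record of what was approved. If always-regenerate is intentional, the added comment should say why, and reviewers should treat any `.terraform.lock.hcl` change as a provider-integrity change rather than noise. The hook's `- repo:` entry and `rev` are outside this hunk.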