From 942c0dc98f605282fdf3c0ac6b9a549647f89f41 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 13 Aug 2024 06:17:33 -0400 Subject: [PATCH 01/19] Add a new trigger for the sync-labels GitHub Actions workflow Add a `workflow_dispatch` trigger so we can manually run the workflow if needed. --- .github/workflows/sync-labels.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index e83bd414..59aefe4a 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -6,6 +6,7 @@ on: paths: - '.github/labels.yml' - '.github/workflows/sync-labels.yml' + workflow_dispatch: permissions: contents: read From a267662455c30986086d4ca14173cc20af7161d4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 13 Aug 2024 06:19:38 -0400 Subject: [PATCH 02/19] Remove unnecessary quotes in the sync-labels workflow --- .github/workflows/sync-labels.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 59aefe4a..5d5ab41f 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -4,8 +4,8 @@ name: sync-labels on: push: paths: - - '.github/labels.yml' - - '.github/workflows/sync-labels.yml' + - .github/labels.yml + - .github/workflows/sync-labels.yml workflow_dispatch: permissions: From dc7f09e29b8466af0fa2f788761e22dd2fcbd0ce Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sat, 14 Sep 2024 18:44:01 -0400 Subject: [PATCH 03/19] Add four new hooks from pre-commit/pre-commit-hooks --- .pre-commit-config.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3cb1f850..c98ded8c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -16,9 +16,13 @@ repos: - id: check-executables-have-shebangs - id: check-json - id: check-merge-conflict + - id: check-shebang-scripts-are-executable + - id: check-symlinks - id: check-toml + - id: check-vcs-permalinks - id: check-xml - id: debug-statements + - id: destroyed-symlinks - id: detect-aws-credentials args: - --allow-missing-credentials From 343d2ccbd1cd983374235e5d3bfcecd3187c00d5 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 28 Oct 2024 17:47:53 -0400 Subject: [PATCH 04/19] Add the GitHubSecurityLab/actions-permissions/monitor Action This Action will provide information about the usage of GITHUB_TOKEN in the workflow. It should be added to _every_ job in _any_ workflow to provide information for analysis. --- .github/dependabot.yml | 1 + .github/workflows/build.yml | 10 ++++++++++ .github/workflows/sync-labels.yml | 10 ++++++++++ 3 files changed, 21 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 17220c6d..4a6667f0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -16,6 +16,7 @@ updates: # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status + # - dependency-name: GitHubSecurityLab/actions-permissions # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate # - dependency-name: step-security/harden-runner diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7a60b20..2cdd9219 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,6 +34,12 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 @@ -50,6 +56,10 @@ jobs: - diagnostics runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index e83bd414..d2458d13 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -17,6 +17,12 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 @@ -38,6 +44,10 @@ jobs: issues: write runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 From 8a77a8b77a7d5e5247e8ff563d93a14510e09b9a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 28 Oct 2024 17:09:15 -0400 Subject: [PATCH 05/19] Restrict permissions of GITHUB_TOKEN This changes the default permissions for the GITHUB_TOKEN used in our GitHub Actions configuration to the minimum required to successfully run. --- .github/workflows/build.yml | 5 +++++ .github/workflows/sync-labels.yml | 2 ++ 2 files changed, 7 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e7a60b20..d4340af5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -30,6 +30,8 @@ env: jobs: diagnostics: name: Run diagnostics + # This job does not need any permissions + permissions: {} runs-on: ubuntu-latest steps: # Note that a duplicate of this step must be added at the top of @@ -48,6 +50,9 @@ jobs: lint: needs: - diagnostics + permissions: + # actions/checkout needs this to fetch code + contents: read runs-on: ubuntu-latest steps: - id: harden-runner diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index e83bd414..39e73794 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -13,6 +13,8 @@ permissions: jobs: diagnostics: name: Run diagnostics + # This job does not need any permissions + permissions: {} runs-on: ubuntu-latest steps: # Note that a duplicate of this step must be added at the top of From 3b1d4ef0fae08e6444e9b414ce1315841e681322 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 16 Oct 2024 12:53:42 -0400 Subject: [PATCH 06/19] Update pre-commit hook versions This is done automatically with the `pre-commit autoupdate` command. --- .pre-commit-config.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3cb1f850..26b399d7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -10,7 +10,7 @@ repos: - id: check-useless-excludes - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -53,14 +53,14 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.2 + rev: 0.29.4 hooks: - id: check-github-actions - id: check-github-workflows # pre-commit hooks - repo: https://github.com/pre-commit/pre-commit - rev: v3.8.0 + rev: v4.0.1 hooks: - id: validate_manifest @@ -95,7 +95,7 @@ repos: # Shell script hooks - repo: https://github.com/scop/pre-commit-shfmt - rev: v3.9.0-1 + rev: v3.10.0-1 hooks: - id: shfmt args: @@ -125,7 +125,7 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.8.0 + rev: 24.10.0 hooks: - id: black - repo: https://github.com/PyCQA/flake8 @@ -139,7 +139,7 @@ repos: hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.11.2 + rev: v1.13.0 hooks: - id: mypy - repo: https://github.com/pypa/pip-audit @@ -155,7 +155,7 @@ repos: - --requirement - requirements.txt - repo: https://github.com/asottile/pyupgrade - rev: v3.17.0 + rev: v3.19.0 hooks: - id: pyupgrade @@ -199,7 +199,7 @@ repos: # Packer hooks - repo: https://github.com/cisagov/pre-commit-packer - rev: v0.1.0 + rev: v0.3.0 hooks: - id: packer_validate - id: packer_fmt From 1d285f2d851926effdbfbdcf58853ce70d1bf016 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 29 Oct 2024 16:36:27 -0400 Subject: [PATCH 07/19] Sort hook ids in each pre-commit hook entry Ensure that all hook ids are sorted alphabetically in each hook entry in our pre-commit configuration. --- .pre-commit-config.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3cb1f850..0fd32346 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -68,25 +68,25 @@ repos: - repo: https://github.com/TekWizely/pre-commit-golang rev: v1.0.0-rc.1 hooks: - # Style Checkers - - id: go-critic - # StaticCheck - - id: go-staticcheck-repo-mod # Go Build - id: go-build-repo-mod + # Style Checkers + - id: go-critic + # goimports + - id: go-imports-repo + args: + # Write changes to files + - -w # Go Mod Tidy - id: go-mod-tidy-repo + # GoSec + - id: go-sec-repo-mod + # StaticCheck + - id: go-staticcheck-repo-mod # Go Test - id: go-test-repo-mod # Go Vet - id: go-vet-repo-mod - # GoSec - - id: go-sec-repo-mod - # goimports - - id: go-imports-repo - args: - # Write changes to files - - -w # Nix hooks - repo: https://github.com/nix-community/nixpkgs-fmt rev: v1.3.0 @@ -201,5 +201,5 @@ repos: - repo: https://github.com/cisagov/pre-commit-packer rev: v0.1.0 hooks: - - id: packer_validate - id: packer_fmt + - id: packer_validate From 8824475dfadd1a9cbc9ce9bd1c9f31e4a688994b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 1 Nov 2024 12:25:35 -0400 Subject: [PATCH 08/19] Update the commented out dependabot ignore directives Add a directive for hashicorp/setup-packer that was missed when it was added to the `build` workflow. Add a directive for cisagov/setup-env-github-action that is not strictly necessary since we currently just pull from the `develop` branch, but is good to have in case we were to change that in the future. --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4a6667f0..81cd6bdc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,10 +13,12 @@ updates: # - dependency-name: actions/checkout # - dependency-name: actions/setup-go # - dependency-name: actions/setup-python + # - dependency-name: cisagov/setup-env-github-action # - dependency-name: crazy-max/ghaction-dump-context # - dependency-name: crazy-max/ghaction-github-labeler # - dependency-name: crazy-max/ghaction-github-status # - dependency-name: GitHubSecurityLab/actions-permissions + # - dependency-name: hashicorp/setup-packer # - dependency-name: hashicorp/setup-terraform # - dependency-name: mxschmitt/action-tmate # - dependency-name: step-security/harden-runner From 2a90bd71631c398e17533aa2719a4d9107221427 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 5 Nov 2024 04:57:36 -0500 Subject: [PATCH 09/19] Enable new dependabot ignore directives --- .github/dependabot.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e960a329..4159e30b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -13,12 +13,12 @@ updates: - dependency-name: actions/checkout - dependency-name: actions/setup-go - dependency-name: actions/setup-python - # - dependency-name: cisagov/setup-env-github-action + - dependency-name: cisagov/setup-env-github-action - dependency-name: crazy-max/ghaction-dump-context - dependency-name: crazy-max/ghaction-github-labeler - dependency-name: crazy-max/ghaction-github-status - # - dependency-name: GitHubSecurityLab/actions-permissions - # - dependency-name: hashicorp/setup-packer + - dependency-name: GitHubSecurityLab/actions-permissions + - dependency-name: hashicorp/setup-packer - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate - dependency-name: step-security/harden-runner From 37ab2e469b59fe4cedc06c7a06fe18b008e1cb9a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 5 Nov 2024 04:58:52 -0500 Subject: [PATCH 10/19] Add Actions permissions analysis to the `CodeQL` workflow Add the GitHubSecurityLab/actions-permissions/monitor Action just as it is in the `build` and `sync-labels` workflows. --- .github/workflows/codeql-analysis.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d0973601..6dfac939 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -26,6 +26,12 @@ jobs: steps: # Note that a duplicate of this step must be added at the top of # each job. + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + # Note that a duplicate of this step must be added at the top of + # each job. - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 @@ -56,6 +62,10 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + # Uses the organization variable unless overridden + config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} - id: harden-runner name: Harden the runner uses: step-security/harden-runner@v2 From 8c8e75e9ffe326782d19079e44950b7c5b18f10a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 5 Nov 2024 05:02:55 -0500 Subject: [PATCH 11/19] Bump crazy-max/ghaction-github-status from v3 to v4 This brings the `CodeQL` workflow in alignment with the version used in the other workflows in this repository. --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6dfac939..96c3e1a1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,7 +39,7 @@ jobs: egress-policy: audit - id: github-status name: Check GitHub status - uses: crazy-max/ghaction-github-status@v3 + uses: crazy-max/ghaction-github-status@v4 - id: dump-context name: Dump context uses: crazy-max/ghaction-dump-context@v2 From 12a91ad97e76cd2f221fffaef4f66956533f6540 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 8 Nov 2024 13:40:44 -0500 Subject: [PATCH 12/19] Bump up the lower bound on ansible-core This is being done because the pip-audit pre-commit hook identifies a vulnerability in ansible-core version 2.16.13. Note that this requires that we bump up ansible to version 10 since all versions of ansible 9 have a dependency on ~=2.16.X. --- .pre-commit-config.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5e1096f..8b402fb9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -176,17 +176,25 @@ repos: # necessary to add the ansible package itself as an # additional dependency, with the same pinning as is done in # requirements-test.txt of cisagov/skeleton-ansible-role. - # - ansible>=9,<10 + # + # Version 10 is required because the pip-audit pre-commit + # hook identifies a vulnerability in ansible-core 2.16.13, + # but all versions of ansible 9 have a dependency on + # ~=2.16.X. + # - ansible>=10,<11 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any # symlinked files in vars, tasks, etc. for any Ansible role # installed via ansible-galaxy. Hence we never want to # install those versions. # + # Note that the pip-audit pre-commit hook identifies a + # vulnerability in ansible-core 2.16.13. + # # Note that any changes made to this dependency must also be # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. - - ansible-core>=2.16.7 + - ansible-core>2.16.13 # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform From b9f798d03afb72f33ffa625982dd5b548dea5132 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 13 Nov 2024 10:29:42 -0500 Subject: [PATCH 13/19] Update the version of the ansible-lint pre-commit hook Version 24.10.0 is the first version that supports Fedora 41 as a valid platform. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c5e1096f..ebd61382 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -165,7 +165,7 @@ repos: # Ansible hooks - repo: https://github.com/ansible/ansible-lint - rev: v24.9.2 + rev: v24.10.0 hooks: - id: ansible-lint additional_dependencies: From 45b05d8a4f1c43086cd80f6d8d7d09aa75047068 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Nov 2024 16:12:07 -0500 Subject: [PATCH 14/19] Ensure files with shebangs are executable --- terraform/cloud-init/fix_dhcp.tpl.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 terraform/cloud-init/fix_dhcp.tpl.py diff --git a/terraform/cloud-init/fix_dhcp.tpl.py b/terraform/cloud-init/fix_dhcp.tpl.py old mode 100644 new mode 100755 From cca133a2710c5ed99e4c0ce3d06a57ec118bcf13 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 13 Nov 2024 21:33:32 -0500 Subject: [PATCH 15/19] Adjust pin for ansible-core The pin of ansible-core was originally put in place because the pip-audit pre-commit hook identifies a vulnerability in ansible-core 2.16.13. Normally we would pin ansible-core to >2.16.13, but in the spirit of the earlier, optional pin of ansible>=10 we pin ansible-core to >=2.17. This effectively also pins ansible to >=10. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8b402fb9..b61a8f54 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -189,12 +189,14 @@ repos: # install those versions. # # Note that the pip-audit pre-commit hook identifies a - # vulnerability in ansible-core 2.16.13. + # vulnerability in ansible-core 2.16.13. The pin of + # ansible-core to >=2.17 effectively also pins ansible to + # >=10. # # Note that any changes made to this dependency must also be # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. - - ansible-core>2.16.13 + - ansible-core>=2.17 # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform From 0b5865013c7ee44ec54ec92d297b03644966a1b6 Mon Sep 17 00:00:00 2001 From: David Redmin Date: Tue, 19 Nov 2024 11:24:12 -0500 Subject: [PATCH 16/19] Bump up the lower bounds on ansible and ansible-core This is being done because the pip-audit pre-commit hook identifies a vulnerability in ansible-core version 2.16.13. Note that this requires that we bump up ansible to version 10 since all versions of ansible 9 have a dependency on ~=2.16.X. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> Co-authored-by: Jeremy Frasier --- .pre-commit-config.yaml | 14 ++++++++++++-- requirements.txt | 25 +++++++++++++++---------- 2 files changed, 27 insertions(+), 12 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0a3f1bbc..f9dffc56 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -181,17 +181,27 @@ repos: # necessary to add the ansible package itself as an # additional dependency, with the same pinning as is done in # requirements-test.txt of cisagov/skeleton-ansible-role. - # - ansible>=9,<10 + # + # Version 10 is required because the pip-audit pre-commit + # hook identifies a vulnerability in ansible-core 2.16.13, + # but all versions of ansible 9 have a dependency on + # ~=2.16.X. + # - ansible>=10,<11 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any # symlinked files in vars, tasks, etc. for any Ansible role # installed via ansible-galaxy. Hence we never want to # install those versions. # + # Note that the pip-audit pre-commit hook identifies a vulnerability + # in ansible-core 2.16.13. Normally we would pin ansible-core + # accordingly (>2.16.13), but the above pin of ansible>=10 effectively + # pins ansible-core to >=2.17 so that's what we do here. + # # Note that any changes made to this dependency must also be # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. - - ansible-core>=2.16.7 + - ansible-core>=2.17 # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform diff --git a/requirements.txt b/requirements.txt index 4c84eb61..c53f725c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,24 +8,29 @@ # as using the dnf package manager, and version 8 is currently the # oldest supported version. # -# We have tested against version 9. We want to avoid automatically +# Version 10 is required because the pip-audit pre-commit hook +# identifies a vulnerability in ansible-core 2.16.13, but all versions +# of ansible 9 have a dependency on ~=2.16.X. +# +# We have tested against version 10. We want to avoid automatically # jumping to another major version without testing, since there are # often breaking changes across major versions. This is the reason # for the upper bound. -# -# Note that this dependency should be kept in sync with the version -# pin found in the requirements-test.txt file in -# cisagov/skeleton-ansible-role. -ansible>=9,<10 +ansible>=10,<11 # ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in # ansible/ansible#82702, which breaks any symlinked files in vars, # tasks, etc. for any Ansible role installed via ansible-galaxy. # Hence we never want to install those versions. # -# Note that this dependency should be kept in sync with the version -# pin found in the requirements-test.txt file in -# cisagov/skeleton-ansible-role. -ansible-core>=2.16.7 +# Note that the pip-audit pre-commit hook identifies a vulnerability +# in ansible-core 2.16.13. Normally we would pin ansible-core +# accordingly (>2.16.13), but the above pin of ansible>=10 effectively +# pins ansible-core to >=2.17 so that's what we do here. +# +# Note that any changes made to this dependency must also be made in +# requirements.txt in cisagov/skeleton-packer and +# .pre-commit-config.yaml in cisagov/skeleton-generic. +ansible-core>=2.17 boto3 setuptools wheel From d8b5718ab551670884e11a3147a70c677ac128e1 Mon Sep 17 00:00:00 2001 From: David Redmin Date: Tue, 19 Nov 2024 11:31:44 -0500 Subject: [PATCH 17/19] Ignore a particular ansible-core vulnerability This is being done only temporarily, and only because there is no recent version of ansible-core that does not exhibit the vulnerability. Without this change we get a failure from the pip-audit pre-commit hook that we cannot do anything about. Co-authored-by: Jeremy Frasier --- .pre-commit-config.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f9dffc56..bb2f8113 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -156,6 +156,11 @@ repos: hooks: - id: pip-audit args: + # We have to ignore this particular vulnerability in + # ansible-core>=2.11 as there is currently no fix. See + # cisagov/cyhy_amis#842 for more details. + - --ignore-vuln + - GHSA-99w6-3xph-cx78 # Add any pip requirements files to scan - --requirement - requirements-dev.txt From bd852610595fdd2eee77f489d4b184f88d90643b Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 20 Nov 2024 12:21:14 -0500 Subject: [PATCH 18/19] Add comments about looming EOL issues for ansible and ansible-core This adds even more evidence for why it is a good idea to go ahead and upgrade ansible and ansible-core, in addition to the vulnerability that pip-audit turned up. Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .pre-commit-config.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b61a8f54..97fbf1ce 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -181,6 +181,10 @@ repos: # hook identifies a vulnerability in ansible-core 2.16.13, # but all versions of ansible 9 have a dependency on # ~=2.16.X. + # + # It is also a good idea to go ahead and upgrade to version + # 10 since version 9 is going EOL at the end of November: + # https://endoflife.date/ansible # - ansible>=10,<11 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any @@ -193,6 +197,11 @@ repos: # ansible-core to >=2.17 effectively also pins ansible to # >=10. # + # It is also a good idea to go ahead and upgrade to + # ansible-core 2.17 since security support for ansible-core + # 2.16 ends this month: + # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix + # # Note that any changes made to this dependency must also be # made in requirements.txt in cisagov/skeleton-packer and # requirements-test.txt in cisagov/skeleton-ansible-role. From 9789fb3cbe1ede23269f74d18595b5984c50ba56 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 20 Nov 2024 13:39:34 -0500 Subject: [PATCH 19/19] Resolve conflicts from follow-on Lineage changes --- .pre-commit-config.yaml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e4fb71a1..40758a71 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -191,13 +191,10 @@ repos: # hook identifies a vulnerability in ansible-core 2.16.13, # but all versions of ansible 9 have a dependency on # ~=2.16.X. -<<<<<<< HEAD -======= # # It is also a good idea to go ahead and upgrade to version # 10 since version 9 is going EOL at the end of November: # https://endoflife.date/ansible ->>>>>>> a7947357cfeee58bc121243a2c76c5bbdc064e35 # - ansible>=10,<11 # ansible-core 2.16.3 through 2.16.6 suffer from the bug # discussed in ansible/ansible#82702, which breaks any @@ -205,12 +202,6 @@ repos: # installed via ansible-galaxy. Hence we never want to # install those versions. # -<<<<<<< HEAD - # Note that the pip-audit pre-commit hook identifies a vulnerability - # in ansible-core 2.16.13. Normally we would pin ansible-core - # accordingly (>2.16.13), but the above pin of ansible>=10 effectively - # pins ansible-core to >=2.17 so that's what we do here. -======= # Note that the pip-audit pre-commit hook identifies a # vulnerability in ansible-core 2.16.13. The pin of # ansible-core to >=2.17 effectively also pins ansible to @@ -220,7 +211,6 @@ repos: # ansible-core 2.17 since security support for ansible-core # 2.16 ends this month: # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix ->>>>>>> a7947357cfeee58bc121243a2c76c5bbdc064e35 # # Note that any changes made to this dependency must also be # made in requirements.txt in cisagov/skeleton-packer and