Merge pull request #47 from cisagov/lineage/skeleton

⚠️ CONFLICT! Lineage pull request for: skeleton
cisagov · Jun 25, 2024 · 761e993 · 761e993
2 parents ea01703 + 915a52c
commit 761e993
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 23 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -20,6 +20,8 @@ updates:
       - dependency-name: mxschmitt/action-tmate
       - dependency-name: step-security/harden-runner
       # Managed by cisagov/skeleton-ansible-role
+      - dependency-name: docker/setup-buildx-action
+      - dependency-name: docker/setup-qemu-action
       - dependency-name: github/codeql-action
     package-ecosystem: github-actions
     schedule:

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -5,7 +5,7 @@ default_language_version:
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: check-case-conflict
       - id: check-executables-have-shebangs
@@ -31,7 +31,7 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.39.0
+    rev: v0.41.0
     hooks:
       - id: markdownlint
         args:
@@ -46,7 +46,7 @@ repos:
         # mirror does not pull tags for old major versions once a new major
         # version tag is published.
         additional_dependencies:
-          - prettier@3.2.5
+          - prettier@3.3.1
   - repo: https://github.com/adrienverge/yamllint
     rev: v1.35.1
     hooks:
@@ -56,14 +56,14 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.0
+    rev: 0.28.4
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.6.2
+    rev: v3.7.1
     hooks:
       - id: validate_manifest
 
@@ -98,7 +98,7 @@ repos:
 
   # Shell script hooks
   - repo: https://github.com/scop/pre-commit-shfmt
-    rev: v3.7.0-4
+    rev: v3.8.0-1
     hooks:
       - id: shfmt
         args:
@@ -116,21 +116,22 @@ repos:
           # Redirect operators are followed by a space
           - --space-redirects
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.9.0.6
+    rev: v0.10.0.1
     hooks:
       - id: shellcheck
 
   # Python hooks
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.7
+    rev: 1.7.8
     hooks:
       - id: bandit
-        # Bandit complains about the use of assert() in tests
-        exclude: molecule/(default|systemd_enabled)/tests
+        # Bandit complains about the use of assert() in tests. This should cover
+        # the tests/ subdirectory for any molecule scenario.
+        exclude: molecule/[^/]+/tests
         args:
           - --config=.bandit.yml
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.2.0
+    rev: 24.4.2
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -144,24 +145,42 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.8.0
+    rev: v1.10.0
     hooks:
       - id: mypy
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.15.1
+    rev: v3.15.2
     hooks:
       - id: pyupgrade
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v24.2.0
+    rev: v24.6.0
     hooks:
       - id: ansible-lint
-      # files: molecule/default/playbook.yml
+        additional_dependencies:
+          # On its own ansible-lint does not pull in ansible, only
+          # ansible-core.  Therefore, if an Ansible module lives in
+          # ansible instead of ansible-core, the linter will complain
+          # that the module is unknown.  In these cases it is
+          # necessary to add the ansible package itself as an
+          # additional dependency, with the same pinning as is done in
+          # requirements-test.txt of cisagov/skeleton-ansible-role.
+          # - ansible>=9,<10
+          # ansible-core 2.16.3 through 2.16.6 suffer from the bug
+          # discussed in ansible/ansible#82702, which breaks any
+          # symlinked files in vars, tasks, etc. for any Ansible role
+          # installed via ansible-galaxy.  Hence we never want to
+          # install those versions.
+          #
+          # Note that any changes made to this dependency must also be
+          # made in requirements.txt in cisagov/skeleton-packer and
+          # requirements-test.txt in cisagov/skeleton-ansible-role.
+          - ansible-core>=2.16.7
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.90.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

diff --git a/requirements.txt b/requirements.txt
@@ -12,15 +12,15 @@
 # jumping to another major version without testing, since there are
 # often breaking changes across major versions.  This is the reason
 # for the upper bound.
-ansible>=8,<10
-# TODO: Remove this pin when possible.  See
-# cisagov/skeleton-ansible-role#178 for more details.
-#
-# ansible-core 2.16.3 and later suffer from the bug discussed in
+ansible>=9,<10
+# ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in
 # ansible/ansible#82702, which breaks any symlinked files in vars,
 # tasks, etc. for any Ansible role installed via ansible-galaxy.
+# Hence we never want to install those versions.
 #
-# See also cisagov/skeleton-packer#312.
-ansible-core<2.16.3
+# Note that any changes made to this dependency must also be made in
+# requirements.txt in cisagov/skeleton-packer and
+# .pre-commit-config.yaml in cisagov/skeleton-generic.
+ansible-core>=2.16.7
 setuptools
 wheel