22name : build
33
44on :
5- push :
5+ merge_group :
6+ types :
7+ - checks_requested
68 pull_request :
9+ push :
710 repository_dispatch :
8- types : [apb]
11+ types :
12+ - apb
13+
14+ # Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
15+ # nounset, errexit, and pipefail. The `-x` will print all commands as they are
16+ # run. Please see the GitHub Actions documentation for more information:
17+ # https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
18+ defaults :
19+ run :
20+ shell : bash -Eueo pipefail -x {0}
921
1022env :
1123 CURL_CACHE_DIR : ~/.cache/curl
1224 PIP_CACHE_DIR : ~/.cache/pip
1325 PRE_COMMIT_CACHE_DIR : ~/.cache/pre-commit
1426 RUN_TMATE : ${{ secrets.RUN_TMATE }}
27+ TERRAFORM_DOCS_REPO_BRANCH_NAME : improvement/support_atx_closed_markdown_headers
28+ TERRAFORM_DOCS_REPO_DEPTH : 1
29+ TERRAFORM_DOCS_REPO_URL : https://github.com/mcdonnnj/terraform-docs.git
1530
1631jobs :
1732 diagnostics :
2742 egress-policy : audit
2843 - id : github-status
2944 name : Check GitHub status
30- uses : crazy-max/ghaction-github-status@v3
45+ uses : crazy-max/ghaction-github-status@v4
3146 - id : dump-context
3247 name : Dump context
3348 uses : crazy-max/ghaction-dump-context@v2
@@ -45,20 +60,20 @@ jobs:
4560 uses : cisagov/setup-env-github-action@develop
4661 - uses : actions/checkout@v4
4762 - id : setup-python
48- uses : actions/setup-python@v4
63+ uses : actions/setup-python@v5
4964 with :
50- python-version : " 3.11 "
65+ python-version : ${{ steps.setup-env.outputs.python-version }}
5166 # We need the Go version and Go cache location for the actions/cache step,
5267 # so the Go installation must happen before that.
5368 - id : setup-go
54- uses : actions/setup-go@v4
69+ uses : actions/setup-go@v5
5570 with :
5671 # There is no expectation for actual Go code so we disable caching as
5772 # it relies on the existence of a go.sum file.
5873 cache : false
59- go-version : " 1.20 "
60- - name : Lookup Go cache directory
61- id : go- cache
74+ go-version : ${{ steps.setup-env.outputs.go-version }}
75+ - id : go- cache
76+ name : Lookup Go cache directory
6277 run : |
6378 echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
6479uses : actions/cache@v3
6984 packer${{ steps.setup-env.outputs.packer-version }}-\
7085 tf${{ steps.setup-env.outputs.terraform-version }}-"
7186 with :
87+ # We do not use '**/setup.py' in the cache key so only the 'setup.py'
88+ # file in the root of the repository is used. This is in case a Python
89+ # package were to have a 'setup.py' as part of its internal codebase.
90+ key : " ${{ env.BASE_CACHE_KEY }}\
91+ ${{ hashFiles('**/requirements-test.txt') }}-\
92+ ${{ hashFiles('**/requirements.txt') }}-\
93+ ${{ hashFiles('**/.pre-commit-config.yaml') }}-\
94+ ${{ hashFiles('setup.py') }}"
7295 # Note that the .terraform directory IS NOT included in the
7396 # cache because if we were caching, then we would need to use
7497 # the `-upgrade=true` option. This option blindly pulls down the
@@ -80,14 +103,6 @@ jobs:
80103 ${{ env.PRE_COMMIT_CACHE_DIR }}
81104 ${{ env.CURL_CACHE_DIR }}
82105 ${{ steps.go-cache.outputs.dir }}
83- # We do not use '**/setup.py' in the cache key so only the 'setup.py'
84- # file in the root of the repository is used. This is in case a Python
85- # package were to have a 'setup.py' as part of its internal codebase.
86- key : " ${{ env.BASE_CACHE_KEY }}\
87- ${{ hashFiles('**/requirements-test.txt') }}-\
88- ${{ hashFiles('**/requirements.txt') }}-\
89- ${{ hashFiles('**/.pre-commit-config.yaml') }}-\
90- ${{ hashFiles('setup.py') }}"
91106restore-keys : |
92107 ${{ env.BASE_CACHE_KEY }}
93108name : Setup curl cache
@@ -105,37 +120,55 @@ jobs:
105120 ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}"
106121 sudo mv /usr/local/bin/packer /usr/local/bin/packer-default
107122 sudo ln -s /opt/packer/packer /usr/local/bin/packer
108- uses : hashicorp/setup-terraform@v2
123+ uses : hashicorp/setup-terraform@v3
109124 with :
110125 terraform_version : ${{ steps.setup-env.outputs.terraform-version }}
111126 - name : Install go-critic
112127 env :
113128 PACKAGE_URL : github.com/go-critic/go-critic/cmd/gocritic
114129 PACKAGE_VERSION : ${{ steps.setup-env.outputs.go-critic-version }}
115130 run : go install ${PACKAGE_URL}@${PACKAGE_VERSION}
131+ - name : Install goimports
132+ env :
133+ PACKAGE_URL : golang.org/x/tools/cmd/goimports
134+ PACKAGE_VERSION : ${{ steps.setup-env.outputs.goimports-version }}
135+ run : go install ${PACKAGE_URL}@${PACKAGE_VERSION}
116136 - name : Install gosec
117137 env :
118138 PACKAGE_URL : github.com/securego/gosec/v2/cmd/gosec
119139 PACKAGE_VERSION : ${{ steps.setup-env.outputs.gosec-version }}
120140 run : go install ${PACKAGE_URL}@${PACKAGE_VERSION}
121- - name : Install shfmt
122- env :
123- PACKAGE_URL : mvdan.cc/sh/v3/cmd/shfmt
124- PACKAGE_VERSION : ${{ steps.setup-env.outputs.shfmt-version }}
125- run : go install ${PACKAGE_URL}@${PACKAGE_VERSION}
126141 - name : Install staticcheck
127142 env :
128143 PACKAGE_URL : honnef.co/go/tools/cmd/staticcheck
129144 PACKAGE_VERSION : ${{ steps.setup-env.outputs.staticcheck-version }}
130145 run : go install ${PACKAGE_URL}@${PACKAGE_VERSION}
131- - name : Install Terraform-docs
132- env :
133- PACKAGE_URL : github.com/terraform-docs/terraform-docs
134- PACKAGE_VERSION : ${{ steps.setup-env.outputs.terraform-docs-version }}
135- run : go install ${PACKAGE_URL}@${PACKAGE_VERSION}
146+ # TODO: https://github.com/cisagov/skeleton-generic/issues/165
147+ # We are temporarily using @mcdonnnj's forked branch of terraform-docs
148+ # until his PR: https://github.com/terraform-docs/terraform-docs/pull/745
149+ # is approved. This temporary fix will allow for ATX header support when
150+ # terraform-docs is run during linting.
151+ - name : Clone ATX headers branch from terraform-docs fork
152+ run : |
153+ git clone \
154+ --branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \
155+ --depth $TERRAFORM_DOCS_REPO_DEPTH \
156+ --single-branch \
157+ $TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs
158+ name : Build and install terraform-docs binary
159+ run : |
160+ go build \
161+ -C /tmp/terraform-docs \
162+ -o $(go env GOPATH)/bin/terraform-docs
136163name : Install dependencies
164+ # We don't upgrade setuptools here because the versions of
165+ # gophish on PYPI are ancient and depend on an equally ancient
166+ # version of setuptools. The gophish package installation
167+ # will fail if we let pip pull in the latest setuptools;
168+ # instead, we let the gophish package installation itself
169+ # choose the version of setuptools to install.
137170 run : |
138- python -m pip install --upgrade pip setuptools wheel
171+ python -m pip install --upgrade pip wheel
139172 pip install --upgrade --requirement requirements-test.txt
140173name : Set up pre-commit hook environments
141174 run : pre-commit install-hooks
@@ -148,12 +181,10 @@ jobs:
148181 name : test source - py${{ matrix.python-version }}
149182 needs :
150183 - diagnostics
151- runs-on : ${{ matrix.os }}
184+ runs-on : ubuntu-latest
152185 strategy :
153186 fail-fast : false
154187 matrix :
155- os :
156- - ubuntu-latest
157188 python-version :
158189 - " 3.8"
159190 - " 3.9"
@@ -172,7 +203,7 @@ jobs:
172203 egress-policy : audit
173204 - uses : actions/checkout@v4
174205 - id : setup-python
175- uses : actions/setup-python@v4
206+ uses : actions/setup-python@v5
176207 with :
177208 python-version : ${{ matrix.python-version }}
178209 - uses : actions/cache@v3
@@ -221,10 +252,12 @@ jobs:
221252 with :
222253 egress-policy : audit
223254 - uses : actions/checkout@v4
255+ - id : setup-env
256+ uses : cisagov/setup-env-github-action@develop
224257 - id : setup-python
225- uses : actions/setup-python@v4
258+ uses : actions/setup-python@v5
226259 with :
227- python-version : " 3.10 "
260+ python-version : ${{ steps.setup-env.outputs.python-version }}
228261 - uses : actions/cache@v3
229262 env :
230263 BASE_CACHE_KEY : " ${{ github.job }}-${{ runner.os }}-\
@@ -241,9 +274,12 @@ jobs:
241274 restore-keys : |
242275 ${{ env.BASE_CACHE_KEY }}
243276name : Install dependencies
277+ # We manually upgrade urllib3 here because coveralls needs it
278+ # but gophish-tools (really gophish) doesn't allow it.
244279 run : |
245280 python -m pip install --upgrade pip
246281 pip install --upgrade --requirement requirements-test.txt
282+ pip install --upgrade urllib3
247283name : Finished coveralls reports
248284 run : coveralls --finish
249285 env :
@@ -257,12 +293,10 @@ jobs:
257293 - diagnostics
258294 - lint
259295 - test
260- runs-on : ${{ matrix.os }}
296+ runs-on : ubuntu-latest
261297 strategy :
262298 fail-fast : false
263299 matrix :
264- os :
265- - ubuntu-latest
266300 python-version :
267301 - " 3.8"
268302 - " 3.9"
@@ -281,7 +315,7 @@ jobs:
281315 egress-policy : audit
282316 - uses : actions/checkout@v4
283317 - id : setup-python
284- uses : actions/setup-python@v4
318+ uses : actions/setup-python@v5
285319 with :
286320 python-version : ${{ matrix.python-version }}
287321 - uses : actions/cache@v3
@@ -299,13 +333,18 @@ jobs:
299333 restore-keys : |
300334 ${{ env.BASE_CACHE_KEY }}
301335name : Install build dependencies
336+ # We don't upgrade setuptools here because gophish is ancient
337+ # code that depends on an ancient version of setuptools. The
338+ # pip install command fails if we let the python -m pip
339+ # command pull in the latest setuptools; it is safer to let
340+ # the pip install command pull in setuptools itself.
302341 run : |
303- python -m pip install --upgrade pip setuptools wheel
342+ python -m pip install --upgrade pip wheel
304343 python -m pip install --upgrade build
305344name : Build artifacts
306345 run : python -m build
307346 - name : Upload artifacts
308- uses : actions/upload-artifact@v3
347+ uses : actions/upload-artifact@v4
309348 with :
310349 name : dist-${{ matrix.python-version }}
311350 path : dist
@@ -317,12 +356,10 @@ jobs:
317356 needs :
318357 - diagnostics
319358 - build
320- runs-on : ${{ matrix.os }}
359+ runs-on : ubuntu-latest
321360 strategy :
322361 fail-fast : false
323362 matrix :
324- os :
325- - ubuntu-latest
326363 python-version :
327364 - " 3.8"
328365 - " 3.9"
@@ -341,7 +378,7 @@ jobs:
341378 egress-policy : audit
342379 - uses : actions/checkout@v4
343380 - id : setup-python
344- uses : actions/setup-python@v4
381+ uses : actions/setup-python@v5
345382 with :
346383 python-version : ${{ matrix.python-version }}
347384 - uses : actions/cache@v3
@@ -359,15 +396,21 @@ jobs:
359396 restore-keys : |
360397 ${{ env.BASE_CACHE_KEY }}
361398name : Retrieve the built wheel
362- uses : actions/download-artifact@v3
399+ uses : actions/download-artifact@v4
363400 with :
364401 name : dist-${{ matrix.python-version }}
365402 path : dist
366403 - id : find-wheel
367404 name : Get the name of the retrieved wheel (there should only be one)
368405 run : echo "wheel=$(ls dist/*whl)" >> $GITHUB_OUTPUT
369406 - name : Update core Python packages
370- run : python -m pip install --upgrade pip setuptools wheel
407+ # We don't upgrade setuptools here because the versions of
408+ # gophish on PYPI are ancient and depend on an equally ancient
409+ # version of setuptools. The gophish package installation
410+ # will fail if we let pip pull in the latest setuptools;
411+ # instead, we let the gophish package installation itself
412+ # choose the version of setuptools to install.
413+ run : python -m pip install --upgrade pip wheel
371414 - name : Install the built wheel (along with testing dependencies)
372415 run : python -m pip install ${{ steps.find-wheel.outputs.wheel }}[test]
373416 - name : Run tests
0 commit comments