[ { "path": ".ansible-lint", "content": "---\n# See https://ansible-lint.readthedocs.io/configuring/ for a list of\n# the configuration elements that can exist in this file.\nenable_list:\n # Useful checks that one must opt-into. See here for more details:\n # https://ansible-lint.readthedocs.io/rules/\n - fcqn-builtins\n - no-log-password\n - no-same-owner\nexclude_paths:\n # This exclusion is implicit, unless exclude_paths is defined\n - .cache\n # Seems wise to ignore this too\n - .github\nkinds:\n # This will force our systemd specific molecule configurations to be treated\n # as plain yaml files by ansible-lint. This mirrors the default kind\n # configuration in ansible-lint for molecule configurations:\n # yaml: \"**/molecule/*/{base,molecule}.{yaml,yml}\"\n - yaml: \"**/molecule/*/molecule-{no,with}-systemd.yml\"\nuse_default_rules: true\n" }, { "path": ".flake8", "content": "[flake8]\nmax-line-length = 80\n\n# Select (turn on)\n# * C: Complexity violations reported by mccabe -\n# https://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes\n# * C4: Default errors and warnings reported by flake8-comprehensions -\n# https://github.com/adamchainz/flake8-comprehensions#rules\n# * D: Documentation conventions compliance reported by pydocstyle -\n# https://github.com/PyCQA/pydocstyle/blob/master/docs/error_codes.rst\n# * DUO: Default errors and warnings reported by dlint -\n# https://github.com/dlint-py/dlint/tree/master/docs\n# * E: Default errors reported by pycodestyle -\n# https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes\n# * F: Default errors reported by pyflakes -\n# https://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes\n# * N: Default errors and warnings reported by pep8-naming -\n# https://github.com/PyCQA/pep8-naming#error-codes\n# * NQA: Default errors and warnings reported by flake8-noqa -\n# https://github.com/plinss/flake8-noqa#error-codes\n# * W: Default warnings reported by pycodestyle -\n# https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes\n# * B: Default warnings reported by flake8-bugbear -\n# https://github.com/PyCQA/flake8-bugbear#list-of-warnings\n# * B950: Bugbear opinionated warning for line too long -\n# https://github.com/PyCQA/flake8-bugbear#opinionated-warnings\nselect = C,C4,D,DUO,E,F,N,NQA,W,B,B950\n\n# Ignore\n# * E203: pycodestyle's default warning about whitespace before ':' because Black enforces\n# an equal amount of whitespace around slice operators (':').\n# * E501: pycodestyle's default warning about maximum line length, which has a hard stop\n# at the configured value. Instead we use flake8-bugbear's B950, which\n# allows up to 10% overage.\n# * W503: pycodestyle's warning about line breaks before binary operators. It no longer\n# agrees with PEP8. See, for example, here:\n# https://github.com/ambv/black/issues/21\n# Guido agrees here:\n# https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b\nignore = E203,E501,W503\n" }, { "path": ".github/CODEOWNERS", "content": "# Each line is a file pattern followed by one or more owners.\n\n# These owners will be the default owners for everything in the\n# repo. Unless a later match takes precedence, these owners will be\n# requested for review when someone opens a pull request.\n* @rm-sbin-sh @cisagov/vm-dev\n\n# These folks own any files in the .github directory at the root of\n# the repository and any of its subdirectories.\n/.github/ @dav3r @felddy @jsf9k @mcdonnnj\n\n# These folks own all linting configuration files.\n/.ansible-lint @dav3r @felddy @jsf9k @mcdonnnj\n/.bandit.yml @dav3r @felddy @jsf9k @mcdonnnj\n/.flake8 @dav3r @felddy @jsf9k @mcdonnnj\n/.isort.cfg @dav3r @felddy @jsf9k @mcdonnnj\n/.mdl_config.yaml @dav3r @felddy @jsf9k @mcdonnnj\n/.pre-commit-config.yaml @dav3r @felddy @jsf9k @mcdonnnj\n/.prettierignore @dav3r @felddy @jsf9k @mcdonnnj\n/.yamllint @dav3r @felddy @jsf9k @mcdonnnj\n/requirements.txt @dav3r @felddy @jsf9k @mcdonnnj\n/requirements-dev.txt @dav3r @felddy @jsf9k @mcdonnnj\n/requirements-test.txt @dav3r @felddy @jsf9k @mcdonnnj\n/setup-env @dav3r @felddy @jsf9k @mcdonnnj\n" }, { "path": ".github/dependabot.yml", "content": "---\n\n# Any ignore directives should be uncommented in downstream projects to disable\n# Dependabot updates for the given dependency. Downstream projects will get\n# these updates when the pull request(s) in the appropriate skeleton are merged\n# and Lineage processes these changes.\n\nupdates:\n - directory: /\n ignore:\n # Managed by cisagov/skeleton-generic\n - dependency-name: actions/cache\n - dependency-name: actions/checkout\n - dependency-name: actions/dependency-review-action\n - dependency-name: actions/labeler\n - dependency-name: actions/setup-go\n - dependency-name: actions/setup-python\n - dependency-name: cisagov/action-job-preamble\n - dependency-name: cisagov/setup-env-github-action\n - dependency-name: crazy-max/ghaction-github-labeler\n - dependency-name: github/codeql-action\n - dependency-name: hashicorp/setup-packer\n - dependency-name: hashicorp/setup-terraform\n - dependency-name: mxschmitt/action-tmate\n labels:\n # dependabot default we need to replicate\n - dependencies\n # This matches our label definition in .github/labels.yml as opposed to\n # dependabot's default of `github_actions`.\n - github-actions\n package-ecosystem: github-actions\n schedule:\n interval: weekly\n\n - directory: /\n package-ecosystem: pip\n schedule:\n interval: weekly\n\n - directory: /\n package-ecosystem: terraform\n schedule:\n interval: weekly\nversion: 2\n" }, { "path": ".github/labeler.yml", "content": "---\n# Each entry in this file is a label that will be applied to pull requests\n# if there is a match based on the matching rules for the entry. Please see\n# the actions/labeler documentation for more information:\n# https://github.com/actions/labeler#match-object\n#\n# Note: Verify that the label you want to use is defined in the\n# crazy-max/ghaction-github-labeler configuration file located at\n# .github/labels.yml.\n\nansible:\n - changed-files:\n - any-glob-to-any-file:\n - \"**/ansible/**\"\ndependencies:\n - changed-files:\n - any-glob-to-any-file:\n # Add any dependency files used.\n - .pre-commit-config.yaml\n - requirements*.txt\ndocker:\n - changed-files:\n - any-glob-to-any-file:\n - \"**/compose*.yml\"\n - \"**/docker-compose*.yml\"\n - \"**/Dockerfile*\"\ndocumentation:\n - changed-files:\n - any-glob-to-any-file:\n - \"**/*.md\"\ngithub-actions:\n - changed-files:\n - any-glob-to-any-file:\n - .github/workflows/**\njavascript:\n - changed-files:\n - any-glob-to-any-file:\n - \"**/*.js\"\npacker:\n - changed-files:\n - any-glob-to-any-file:\n - \"**/*.pkr.hcl\"\npython:\n - changed-files:\n - any-glob-to-any-file:\n - \"**/*.py\"\nshell script:\n - changed-files:\n - any-glob-to-any-file:\n # If this project has any shell scripts that do not end in the \".sh\"\n # extension, add them below.\n - \"**/*.sh\"\n - bump-version\n - setup-env\nterraform:\n - changed-files:\n - any-glob-to-any-file:\n - \"**/*.tf\"\ntest:\n - changed-files:\n - any-glob-to-any-file:\n # Add any test-related files or paths.\n - .ansible-lint\n - .flake8\n - .isort.cfg\n - .mdl_config.yaml\n - .yamllint\ntypescript:\n - changed-files:\n - any-glob-to-any-file:\n - \"**/*.ts\"\nupstream update:\n - head-branch:\n # Any Lineage pull requests should use this branch.\n - lineage/skeleton\nversion bump:\n - changed-files:\n - any-glob-to-any-file:\n # Ensure this matches your version tracking file(s).\n - version.txt\n" }, { "path": ".github/labels.yml", "content": "---\n# Rather than breaking up descriptions into multiline strings we disable that\n# specific rule in yamllint for this file.\n# yamllint disable rule:line-length\n- color: ff5850\n description: Pull requests that update Ansible code\n name: ansible\n- color: eb6420\n description: This issue or pull request is awaiting the outcome of another issue or pull request\n name: blocked\n- color: \"000000\"\n description: This issue or pull request involves changes to existing functionality\n name: breaking change\n- color: d73a4a\n description: This issue or pull request addresses broken functionality\n name: bug\n- color: 07648d\n description: This issue will be advertised on code.gov's Open Tasks page (https://code.gov/open-tasks)\n name: code.gov\n- color: 0366d6\n description: Pull requests that update a dependency file\n name: dependencies\n- color: 1d63ed\n description: Pull requests that update Docker code\n name: docker\n- color: 5319e7\n description: This issue or pull request improves or adds to documentation\n name: documentation\n- color: cfd3d7\n description: This issue or pull request already exists or is covered in another issue or pull request\n name: duplicate\n- color: b005bc\n description: A high-level objective issue encompassing multiple issues instead of a specific unit of work\n name: epic\n- color: \"000000\"\n description: Pull requests that update GitHub Actions code\n name: github-actions\n- color: 0e8a16\n description: This issue or pull request is well-defined and good for newcomers\n name: good first issue\n- color: ff7518\n description: Pull request that should count toward Hacktoberfest participation\n name: hacktoberfest-accepted\n- color: a2eeef\n description: This issue or pull request will add or improve functionality, maintainability, or ease of use\n name: improvement\n- color: fef2c0\n description: This issue or pull request is not applicable, incorrect, or obsolete\n name: invalid\n- color: f0db4f\n description: Pull requests that update JavaScript code\n name: javascript\n- color: ce099a\n description: This pull request is ready to merge during the next Lineage Kraken release\n name: kraken ๐Ÿ™\n- color: a4fc5d\n description: This issue or pull request requires further information\n name: need info\n- color: fcdb45\n description: This pull request is awaiting an action or decision to move forward\n name: on hold\n- color: 02a8ef\n description: Pull requests that update Packer code\n name: packer\n- color: 3776ab\n description: Pull requests that update Python code\n name: python\n- color: ef476c\n description: This issue is a request for information or needs discussion\n name: question\n- color: d73a4a\n description: This issue or pull request addresses a security issue\n name: security\n- color: 4eaa25\n description: Pull requests that update shell scripts\n name: shell script\n- color: 7b42bc\n description: Pull requests that update Terraform code\n name: terraform\n- color: 00008b\n description: This issue or pull request adds or otherwise modifies test code\n name: test\n- color: 2678c5\n description: Pull requests that update TypeScript code\n name: typescript\n- color: 1d76db\n description: This issue or pull request pulls in upstream updates\n name: upstream update\n- color: d4c5f9\n description: This issue or pull request increments the version number\n name: version bump\n- color: ffffff\n description: This issue will not be incorporated\n name: wontfix\n" }, { "path": ".github/lineage.yml", "content": "---\nlineage:\n skeleton:\n remote-url: https://github.com/cisagov/skeleton-generic.git\nversion: \"1\"\n" }, { "path": ".github/workflows/build.yml", "content": "---\nname: build\n\non: # yamllint disable-line rule:truthy\n merge_group:\n types:\n - checks_requested\n # We use the default activity types for the pull_request event as specified here:\n # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request\n pull_request:\n push:\n repository_dispatch:\n types:\n - apb\n\n# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,\n# nounset, errexit, and pipefail. The `-x` will print all commands as they are\n# run. Please see the GitHub Actions documentation for more information:\n# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs\ndefaults:\n run:\n shell: bash -Eueo pipefail -x {0}\n\nenv:\n PIP_CACHE_DIR: ~/.cache/pip\n PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit\n RUN_TMATE: ${{ secrets.RUN_TMATE }}\n TERRAFORM_DOCS_REPO_BRANCH_NAME: cisagov\n TERRAFORM_DOCS_REPO_DEPTH: 1\n TERRAFORM_DOCS_REPO_URL: https://github.com/mcdonnnj/terraform-docs.git\n\njobs:\n diagnostics:\n name: Run diagnostics\n # This job does not need any permissions\n permissions: {}\n runs-on: ubuntu-latest\n steps:\n # Note that a duplicate of this step must be added at the top of\n # each job.\n - name: Apply standard cisagov job preamble\n uses: cisagov/action-job-preamble@v1\n with:\n check_github_status: \"true\"\n # This functionality is poorly implemented and has been\n # causing problems due to the MITM implementation hogging or\n # leaking memory. As a result we disable it by default. If\n # you want to temporarily enable it, simply set\n # monitor_permissions equal to \"true\".\n #\n # TODO: Re-enable this functionality when practical. See\n # cisagov/skeleton-generic#207 for more details.\n monitor_permissions: \"false\"\n output_workflow_context: \"true\"\n # Use a variable to specify the permissions monitoring\n # configuration. By default this will yield the\n # configuration stored in the cisagov organization-level\n # variable, but if you want to use a different configuration\n # then simply:\n # 1. Create a repository-level variable with the name\n # ACTIONS_PERMISSIONS_CONFIG.\n # 2. Set this new variable's value to the configuration you\n # want to use for this repository.\n #\n # Note in particular that changing the permissions\n # monitoring configuration *does not* require you to modify\n # this workflow.\n permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}\n lint:\n needs:\n - diagnostics\n permissions:\n # actions/checkout needs this to fetch code\n contents: read\n runs-on: ubuntu-latest\n steps:\n - name: Apply standard cisagov job preamble\n uses: cisagov/action-job-preamble@v1\n with:\n # This functionality is poorly implemented and has been\n # causing problems due to the MITM implementation hogging or\n # leaking memory. As a result we disable it by default. If\n # you want to temporarily enable it, simply set\n # monitor_permissions equal to \"true\".\n #\n # TODO: Re-enable this functionality when practical. See\n # cisagov/skeleton-generic#207 for more details.\n monitor_permissions: \"false\"\n # Use a variable to specify the permissions monitoring\n # configuration. By default this will yield the\n # configuration stored in the cisagov organization-level\n # variable, but if you want to use a different configuration\n # then simply:\n # 1. Create a repository-level variable with the name\n # ACTIONS_PERMISSIONS_CONFIG.\n # 2. Set this new variable's value to the configuration you\n # want to use for this repository.\n #\n # Note in particular that changing the permissions\n # monitoring configuration *does not* require you to modify\n # this workflow.\n permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}\n - id: setup-env\n uses: cisagov/setup-env-github-action@v1\n - uses: actions/checkout@v6\n - id: setup-python\n uses: actions/setup-python@v6\n with:\n python-version: ${{ steps.setup-env.outputs.python-version }}\n # We need the Go version and Go cache location for the actions/cache step,\n # so the Go installation must happen before that.\n - id: setup-go\n uses: actions/setup-go@v6\n with:\n # There is no expectation for actual Go code so we disable caching as\n # it relies on the existence of a go.sum file.\n cache: false\n go-version: ${{ steps.setup-env.outputs.go-version }}\n - id: go-cache\n name: Lookup Go cache directory\n run: |\n echo \"dir=$(go env GOCACHE)\" >> $GITHUB_OUTPUT\n - uses: actions/cache@v5\n env:\n BASE_CACHE_KEY: >-\n ${{ github.job }}-${{ runner.os\n }}-py${{ steps.setup-python.outputs.python-version\n }}-go${{ steps.setup-go.outputs.go-version\n }}-packer${{ steps.setup-env.outputs.packer-version\n }}-tf${{ steps.setup-env.outputs.terraform-version }}-\n with:\n key: >-\n ${{ env.BASE_CACHE_KEY }}${{\n hashFiles('**/requirements-test.txt') }}-${{\n hashFiles('**/requirements.txt') }}-${{\n hashFiles('**/.pre-commit-config.yaml') }}\n # Note that the .terraform directory IS NOT included in the\n # cache because if we were caching, then we would need to use\n # the `-upgrade=true` option. This option blindly pulls down the\n # latest modules and providers instead of checking to see if an\n # update is required. That behavior defeats the benefits of caching.\n # so there is no point in doing it for the .terraform directory.\n path: |\n ${{ env.PIP_CACHE_DIR }}\n ${{ env.PRE_COMMIT_CACHE_DIR }}\n ${{ steps.go-cache.outputs.dir }}\n restore-keys: |\n ${{ env.BASE_CACHE_KEY }}\n - uses: hashicorp/setup-packer@v3\n with:\n version: ${{ steps.setup-env.outputs.packer-version }}\n - uses: hashicorp/setup-terraform@v4\n with:\n terraform_version: ${{ steps.setup-env.outputs.terraform-version }}\n - name: Install go-critic\n env:\n PACKAGE_URL: github.com/go-critic/go-critic/cmd/go-critic\n PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}\n run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}\n - name: Install goimports\n env:\n PACKAGE_URL: golang.org/x/tools/cmd/goimports\n PACKAGE_VERSION: ${{ steps.setup-env.outputs.goimports-version }}\n run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}\n - name: Install gosec\n env:\n PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec\n PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}\n run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}\n - name: Install staticcheck\n env:\n PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck\n PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}\n run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}\n # TODO: https://github.com/cisagov/skeleton-generic/issues/165\n # We are temporarily using a branch of @mcdonnnj's fork of terraform-docs that\n # groups changes from his PRs until they are approved and merged:\n # https://github.com/terraform-docs/terraform-docs/pull/745\n # https://github.com/terraform-docs/terraform-docs/pull/901\n # This temporary fix will allow for ATX header support when terraform-docs is run\n # during linting and output delimiter rows with cell spacing that passes\n # Markdownlint's MD060/table-column-style rule.\n - name: Clone ATX headers branch from terraform-docs fork\n run: |\n git clone \\\n --branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \\\n --depth $TERRAFORM_DOCS_REPO_DEPTH \\\n --single-branch \\\n $TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs\n - name: Build and install terraform-docs binary\n run: |\n go build \\\n -C /tmp/terraform-docs \\\n -o $(go env GOPATH)/bin/terraform-docs\n - name: Install dependencies\n run: |\n python -m pip install --upgrade pip setuptools\n pip install --upgrade --requirement requirements-test.txt\n - name: Set up pre-commit hook environments\n run: pre-commit install-hooks\n - name: Run pre-commit on all files\n run: pre-commit run --all-files\n - name: Setup tmate debug session\n uses: mxschmitt/action-tmate@v3\n if: env.RUN_TMATE\n" }, { "path": ".github/workflows/codeql-analysis.yml", "content": "---\n# For most projects, this workflow file will not need changing; you simply need\n# to commit it to your repository.\n#\n# You may wish to alter this file to override the set of languages analyzed,\n# or to provide custom queries or build logic.\nname: CodeQL\n\n# The use of on here as a key is part of the GitHub actions syntax.\n# yamllint disable-line rule:truthy\non:\n merge_group:\n types:\n - checks_requested\n # We use the default activity types for the pull_request event as specified here:\n # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request\n pull_request:\n # The branches here must be a subset of the ones in the push key\n branches:\n - develop\n push:\n # Dependabot-triggered push events have read-only access, but uploading code\n # scanning requires write access.\n branches-ignore:\n - dependabot/**\n schedule:\n - cron: 0 2 * * 6\n\njobs:\n diagnostics:\n name: Run diagnostics\n # This job does not need any permissions\n permissions: {}\n runs-on: ubuntu-latest\n steps:\n # Note that a duplicate of this step must be added at the top of\n # each job.\n - name: Apply standard cisagov job preamble\n uses: cisagov/action-job-preamble@v1\n with:\n check_github_status: \"true\"\n # This functionality is poorly implemented and has been\n # causing problems due to the MITM implementation hogging or\n # leaking memory. As a result we disable it by default. If\n # you want to temporarily enable it, simply set\n # monitor_permissions equal to \"true\".\n #\n # TODO: Re-enable this functionality when practical. See\n # cisagov/skeleton-generic#207 for more details.\n monitor_permissions: \"false\"\n output_workflow_context: \"true\"\n # Use a variable to specify the permissions monitoring\n # configuration. By default this will yield the\n # configuration stored in the cisagov organization-level\n # variable, but if you want to use a different configuration\n # then simply:\n # 1. Create a repository-level variable with the name\n # ACTIONS_PERMISSIONS_CONFIG.\n # 2. Set this new variable's value to the configuration you\n # want to use for this repository.\n #\n # Note in particular that changing the permissions\n # monitoring configuration *does not* require you to modify\n # this workflow.\n permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}\n analyze:\n name: Analyze\n needs:\n - diagnostics\n runs-on: ubuntu-latest\n permissions:\n # actions/checkout needs this to fetch code\n contents: read\n # required for all workflows\n security-events: write\n strategy:\n fail-fast: false\n matrix:\n # Override automatic language detection by changing the below\n # list\n #\n # Supported options are actions, c-cpp, csharp, go,\n # java-kotlin, javascript-typescript, python, ruby, and swift.\n language:\n - actions\n # Learn more...\n # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection\n\n steps:\n - name: Apply standard cisagov job preamble\n uses: cisagov/action-job-preamble@v1\n with:\n # This functionality is poorly implemented and has been\n # causing problems due to the MITM implementation hogging or\n # leaking memory. As a result we disable it by default. If\n # you want to temporarily enable it, simply set\n # monitor_permissions equal to \"true\".\n #\n # TODO: Re-enable this functionality when practical. See\n # cisagov/skeleton-generic#207 for more details.\n monitor_permissions: \"false\"\n # Use a variable to specify the permissions monitoring\n # configuration. By default this will yield the\n # configuration stored in the cisagov organization-level\n # variable, but if you want to use a different configuration\n # then simply:\n # 1. Create a repository-level variable with the name\n # ACTIONS_PERMISSIONS_CONFIG.\n # 2. Set this new variable's value to the configuration you\n # want to use for this repository.\n #\n # Note in particular that changing the permissions\n # monitoring configuration *does not* require you to modify\n # this workflow.\n permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}\n\n - name: Checkout repository\n uses: actions/checkout@v6\n\n # Initializes the CodeQL tools for scanning.\n - name: Initialize CodeQL\n uses: github/codeql-action/init@v4\n with:\n languages: ${{ matrix.language }}\n\n # Autobuild attempts to build any compiled languages (C/C++, C#, or\n # Java). If this step fails, then you should remove it and run the build\n # manually (see below).\n - name: Autobuild\n uses: github/codeql-action/autobuild@v4\n\n # โ„น๏ธ Command-line programs to run using the OS shell.\n # ๐Ÿ“š https://git.io/JvXDl\n\n # โœ๏ธ If the Autobuild fails above, remove it and uncomment the following\n # three lines and modify them (or add more) to build your code if your\n # project uses a compiled language\n\n # - run: |\n # make bootstrap\n # make release\n\n - name: Perform CodeQL Analysis\n uses: github/codeql-action/analyze@v4\n" }, { "path": ".github/workflows/dependency-review.yml", "content": "---\nname: Dependency review\n\non: # yamllint disable-line rule:truthy\n merge_group:\n types:\n - checks_requested\n # We use the default activity types for the pull_request event as specified here:\n # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request\n pull_request:\n\n# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,\n# nounset, errexit, and pipefail. The `-x` will print all commands as they are\n# run. Please see the GitHub Actions documentation for more information:\n# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs\ndefaults:\n run:\n shell: bash -Eueo pipefail -x {0}\n\njobs:\n diagnostics:\n name: Run diagnostics\n # This job does not need any permissions\n permissions: {}\n runs-on: ubuntu-latest\n steps:\n # Note that a duplicate of this step must be added at the top of\n # each job.\n - name: Apply standard cisagov job preamble\n uses: cisagov/action-job-preamble@v1\n with:\n check_github_status: \"true\"\n # This functionality is poorly implemented and has been\n # causing problems due to the MITM implementation hogging or\n # leaking memory. As a result we disable it by default. If\n # you want to temporarily enable it, simply set\n # monitor_permissions equal to \"true\".\n #\n # TODO: Re-enable this functionality when practical. See\n # cisagov/skeleton-generic#207 for more details.\n monitor_permissions: \"false\"\n output_workflow_context: \"true\"\n # Use a variable to specify the permissions monitoring\n # configuration. By default this will yield the\n # configuration stored in the cisagov organization-level\n # variable, but if you want to use a different configuration\n # then simply:\n # 1. Create a repository-level variable with the name\n # ACTIONS_PERMISSIONS_CONFIG.\n # 2. Set this new variable's value to the configuration you\n # want to use for this repository.\n #\n # Note in particular that changing the permissions\n # monitoring configuration *does not* require you to modify\n # this workflow.\n permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}\n dependency-review:\n name: Dependency review\n needs:\n - diagnostics\n permissions:\n # actions/checkout needs this to fetch code\n contents: read\n runs-on: ubuntu-latest\n steps:\n - name: Apply standard cisagov job preamble\n uses: cisagov/action-job-preamble@v1\n with:\n # This functionality is poorly implemented and has been\n # causing problems due to the MITM implementation hogging or\n # leaking memory. As a result we disable it by default. If\n # you want to temporarily enable it, simply set\n # monitor_permissions equal to \"true\".\n #\n # TODO: Re-enable this functionality when practical. See\n # cisagov/skeleton-generic#207 for more details.\n monitor_permissions: \"false\"\n # Use a variable to specify the permissions monitoring\n # configuration. By default this will yield the\n # configuration stored in the cisagov organization-level\n # variable, but if you want to use a different configuration\n # then simply:\n # 1. Create a repository-level variable with the name\n # ACTIONS_PERMISSIONS_CONFIG.\n # 2. Set this new variable's value to the configuration you\n # want to use for this repository.\n #\n # Note in particular that changing the permissions\n # monitoring configuration *does not* require you to modify\n # this workflow.\n permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}\n - id: checkout-repo\n name: Checkout the repository\n uses: actions/checkout@v6\n - id: dependency-review\n name: Review dependency changes for vulnerabilities and license changes\n uses: actions/dependency-review-action@v4\n" }, { "path": ".github/workflows/label-prs.yml", "content": "---\nname: Label pull requests\n\non: # yamllint disable-line rule:truthy\n # We use the default activity types for the pull_request event as specified here:\n # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request\n pull_request:\n\n# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,\n# nounset, errexit, and pipefail. The `-x` will print all commands as they are\n# run. Please see the GitHub Actions documentation for more information:\n# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs\ndefaults:\n run:\n shell: bash -Eueo pipefail -x {0}\n\njobs:\n diagnostics:\n name: Run diagnostics\n # This job does not need any permissions\n permissions: {}\n runs-on: ubuntu-latest\n steps:\n # Note that a duplicate of this step must be added at the top of\n # each job.\n - name: Apply standard cisagov job preamble\n uses: cisagov/action-job-preamble@v1\n with:\n check_github_status: \"true\"\n # This functionality is poorly implemented and has been\n # causing problems due to the MITM implementation hogging or\n # leaking memory. As a result we disable it by default. If\n # you want to temporarily enable it, simply set\n # monitor_permissions equal to \"true\".\n #\n # TODO: Re-enable this functionality when practical. See\n # cisagov/skeleton-generic#207 for more details.\n monitor_permissions: \"false\"\n output_workflow_context: \"true\"\n # Use a variable to specify the permissions monitoring\n # configuration. By default this will yield the\n # configuration stored in the cisagov organization-level\n # variable, but if you want to use a different configuration\n # then simply:\n # 1. Create a repository-level variable with the name\n # ACTIONS_PERMISSIONS_CONFIG.\n # 2. Set this new variable's value to the configuration you\n # want to use for this repository.\n #\n # Note in particular that changing the permissions\n # monitoring configuration *does not* require you to modify\n # this workflow.\n permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}\n label:\n needs:\n - diagnostics\n permissions:\n # Permissions required by actions/labeler\n contents: read\n pull-requests: write\n runs-on: ubuntu-latest\n steps:\n - name: Apply standard cisagov job preamble\n uses: cisagov/action-job-preamble@v1\n with:\n # This functionality is poorly implemented and has been\n # causing problems due to the MITM implementation hogging or\n # leaking memory. As a result we disable it by default. If\n # you want to temporarily enable it, simply set\n # monitor_permissions equal to \"true\".\n #\n # TODO: Re-enable this functionality when practical. See\n # cisagov/skeleton-generic#207 for more details.\n monitor_permissions: \"false\"\n # Use a variable to specify the permissions monitoring\n # configuration. By default this will yield the\n # configuration stored in the cisagov organization-level\n # variable, but if you want to use a different configuration\n # then simply:\n # 1. Create a repository-level variable with the name\n # ACTIONS_PERMISSIONS_CONFIG.\n # 2. Set this new variable's value to the configuration you\n # want to use for this repository.\n #\n # Note in particular that changing the permissions\n # monitoring configuration *does not* require you to modify\n # this workflow.\n permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}\n - name: Apply suitable labels to a pull request\n uses: actions/labeler@v6\n" }, { "path": ".github/workflows/sync-labels.yml", "content": "---\nname: sync-labels\n\non: # yamllint disable-line rule:truthy\n push:\n paths:\n - .github/labels.yml\n - .github/workflows/sync-labels.yml\n workflow_dispatch:\n\npermissions:\n contents: read\n\njobs:\n diagnostics:\n name: Run diagnostics\n # This job does not need any permissions\n permissions: {}\n runs-on: ubuntu-latest\n steps:\n # Note that a duplicate of this step must be added at the top of\n # each job.\n - name: Apply standard cisagov job preamble\n uses: cisagov/action-job-preamble@v1\n with:\n check_github_status: \"true\"\n # This functionality is poorly implemented and has been\n # causing problems due to the MITM implementation hogging or\n # leaking memory. As a result we disable it by default. If\n # you want to temporarily enable it, simply set\n # monitor_permissions equal to \"true\".\n #\n # TODO: Re-enable this functionality when practical. See\n # cisagov/skeleton-generic#207 for more details.\n monitor_permissions: \"false\"\n output_workflow_context: \"true\"\n # Use a variable to specify the permissions monitoring\n # configuration. By default this will yield the\n # configuration stored in the cisagov organization-level\n # variable, but if you want to use a different configuration\n # then simply:\n # 1. Create a repository-level variable with the name\n # ACTIONS_PERMISSIONS_CONFIG.\n # 2. Set this new variable's value to the configuration you\n # want to use for this repository.\n #\n # Note in particular that changing the permissions\n # monitoring configuration *does not* require you to modify\n # this workflow.\n permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}\n labeler:\n needs:\n - diagnostics\n permissions:\n # actions/checkout needs this to fetch code\n contents: read\n # crazy-max/ghaction-github-labeler needs this to manage repository labels\n issues: write\n runs-on: ubuntu-latest\n steps:\n - name: Apply standard cisagov job preamble\n uses: cisagov/action-job-preamble@v1\n with:\n # This functionality is poorly implemented and has been\n # causing problems due to the MITM implementation hogging or\n # leaking memory. As a result we disable it by default. If\n # you want to temporarily enable it, simply set\n # monitor_permissions equal to \"true\".\n #\n # TODO: Re-enable this functionality when practical. See\n # cisagov/skeleton-generic#207 for more details.\n monitor_permissions: \"false\"\n # Use a variable to specify the permissions monitoring\n # configuration. By default this will yield the\n # configuration stored in the cisagov organization-level\n # variable, but if you want to use a different configuration\n # then simply:\n # 1. Create a repository-level variable with the name\n # ACTIONS_PERMISSIONS_CONFIG.\n # 2. Set this new variable's value to the configuration you\n # want to use for this repository.\n #\n # Note in particular that changing the permissions\n # monitoring configuration *does not* require you to modify\n # this workflow.\n permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}\n - uses: actions/checkout@v6\n - name: Sync repository labels\n if: success()\n uses: crazy-max/ghaction-github-labeler@v6\n with:\n # This is a hideous ternary equivalent so we only do a dry run unless\n # this workflow is triggered by the develop branch.\n dry-run: ${{ github.ref_name == 'develop' && 'false' || 'true' }}\n" }, { "path": ".gitignore", "content": "# This file specifies intentionally untracked files that Git should ignore.\n# Files already tracked by Git are not affected.\n# See: https://git-scm.com/docs/gitignore\n\n## Python ##\n__pycache__\n.mypy_cache\n.python-version\n" }, { "path": ".isort.cfg", "content": "[settings]\ncombine_star=true\nforce_sort_within_sections=true\n\nimport_heading_stdlib=Standard Python Libraries\nimport_heading_thirdparty=Third-Party Libraries\nimport_heading_firstparty=cisagov Libraries\n\n# Run isort under the black profile to align with our other Python linting\nprofile=black\n" }, { "path": ".mdl_config.yaml", "content": "---\n\n# Default state for all rules\ndefault: true\n\n# MD003/heading-style/header-style - Heading style\nMD003:\n # Enforce the ATX-closed style of header\n style: atx_closed\n\n# MD004/ul-style - Unordered list style\nMD004:\n # Enforce dashes for unordered lists\n style: dash\n\n# MD013/line-length - Line length\nMD013:\n # Do not enforce for code blocks\n code_blocks: false\n # Do not enforce for tables\n tables: false\n\n# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the\n# same content\nMD024:\n # Allow headers with the same content as long as they are not in the same\n # parent heading\n allow_different_nesting: true\n\n# MD029/ol-prefix - Ordered list item prefix\nMD029:\n # Enforce the `1.` style for ordered lists\n style: one\n\n# MD033/no-inline-html - Inline HTML\nMD033:\n # The h1 and img elements are allowed to permit header images\n allowed_elements:\n - div\n - h1\n - img\n\n# MD035/hr-style - Horizontal rule style\nMD035:\n # Enforce dashes for horizontal rules\n style: ---\n\n# MD046/code-block-style - Code block style\nMD046:\n # Enforce the fenced style for code blocks\n style: fenced\n\n# MD049/emphasis-style - Emphasis style should be consistent\nMD049:\n # Enforce asterisks as the style to use for emphasis\n style: asterisk\n\n# MD050/strong-style - Strong style should be consistent\nMD050:\n # Enforce asterisks as the style to use for strong\n style: asterisk\n" }, { "path": ".pre-commit-config.yaml", "content": "---\nci:\n # Do not commit changes from running pre-commit for pull requests.\n autofix_prs: false\n # Autoupdate hooks weekly (this is the default).\n autoupdate_schedule: weekly\n\ndefault_language_version:\n # force all unspecified python hooks to run python3\n python: python3\n\nrepos:\n # Check the pre-commit configuration\n - repo: meta\n hooks:\n - id: check-useless-excludes\n\n - repo: https://github.com/pre-commit/pre-commit-hooks\n rev: v6.0.0\n hooks:\n - id: check-case-conflict\n - id: check-executables-have-shebangs\n - id: check-json\n - id: check-merge-conflict\n - id: check-shebang-scripts-are-executable\n - id: check-symlinks\n - id: check-toml\n - id: check-vcs-permalinks\n - id: check-xml\n - id: debug-statements\n - id: destroyed-symlinks\n - id: detect-aws-credentials\n args:\n - --allow-missing-credentials\n - id: detect-private-key\n - id: end-of-file-fixer\n - id: mixed-line-ending\n args:\n - --fix=lf\n - id: pretty-format-json\n args:\n - --autofix\n - id: requirements-txt-fixer\n - id: trailing-whitespace\n\n # Text file hooks\n - repo: https://github.com/igorshubovych/markdownlint-cli\n rev: v0.48.0\n hooks:\n - id: markdownlint\n args:\n - --config=.mdl_config.yaml\n - repo: https://github.com/rbubley/mirrors-prettier\n rev: v3.8.1\n hooks:\n - id: prettier\n - repo: https://github.com/adrienverge/yamllint\n rev: v1.38.0\n hooks:\n - id: yamllint\n args:\n - --strict\n\n # GitHub Actions hooks\n - repo: https://github.com/python-jsonschema/check-jsonschema\n rev: 0.37.0\n hooks:\n - id: check-github-actions\n - id: check-github-workflows\n\n # pre-commit hooks\n - repo: https://github.com/pre-commit/pre-commit\n rev: v4.5.1\n hooks:\n - id: validate_manifest\n\n # Go hooks\n - repo: https://github.com/TekWizely/pre-commit-golang\n rev: v1.0.0-rc.4\n hooks:\n # Go Build\n - id: go-build-repo-mod\n # Style Checkers\n - id: go-critic\n # goimports\n - id: go-imports-repo\n args:\n # Write changes to files\n - -w\n # Go Mod Tidy\n - id: go-mod-tidy-repo\n # GoSec\n - id: go-sec-repo-mod\n # StaticCheck\n - id: go-staticcheck-repo-mod\n # Go Test\n - id: go-test-repo-mod\n # Go Vet\n - id: go-vet-repo-mod\n # Nix hooks\n - repo: https://github.com/nix-community/nixpkgs-fmt\n rev: v1.3.0\n hooks:\n - id: nixpkgs-fmt\n\n # Shell script hooks\n - repo: https://github.com/scop/pre-commit-shfmt\n rev: v3.13.0-1\n hooks:\n - id: shfmt\n args:\n # List files that will be formatted\n - --list\n # Write result to file instead of stdout\n - --write\n # Indent by two spaces\n - --indent\n - \"2\"\n # Binary operators may start a line\n - --binary-next-line\n # Switch cases are indented\n - --case-indent\n # Redirect operators are followed by a space\n - --space-redirects\n - repo: https://github.com/shellcheck-py/shellcheck-py\n rev: v0.11.0.1\n hooks:\n - id: shellcheck\n\n # Python hooks\n - repo: https://github.com/PyCQA/bandit\n rev: 1.9.4\n hooks:\n - id: bandit\n - repo: https://github.com/psf/black-pre-commit-mirror\n rev: 26.3.1\n hooks:\n - id: black\n - repo: https://github.com/PyCQA/flake8\n rev: 7.3.0\n hooks:\n - id: flake8\n additional_dependencies:\n - dlint==0.16.0\n - flake8-bugbear==25.11.29\n - flake8-comprehensions==3.17.0\n - flake8-docstrings==1.7.0\n - flake8-noqa==1.5.0\n - pep8-naming==0.15.1\n - repo: https://github.com/PyCQA/isort\n rev: 8.0.1\n hooks:\n - id: isort\n - repo: https://github.com/pre-commit/mirrors-mypy\n rev: v1.19.1\n hooks:\n - id: mypy\n - repo: https://github.com/pypa/pip-audit\n rev: v2.10.0\n hooks:\n - id: pip-audit\n args:\n # We have to ignore this vulnerability for now since an\n # update for pygments has not yet been released.\n #\n # In any event, this vulnerability is unlikely to cause us\n # any problems since we don't feed any regexes to pygments\n # directly. pygments is pulled in as a dependency of\n # pytest.\n #\n # See also:\n # - https://nvd.nist.gov/vuln/detail/CVE-2026-4539\n # - https://github.com/pygments/pygments/issues/3058\n #\n # TODO: Remove this when it becomes possible. See\n # cisagov/skeleton-generic#257 for more details.\n - --ignore-vuln\n - CVE-2026-4539\n # Add any pip requirements files to scan\n - --requirement\n - requirements-dev.txt\n - --requirement\n - requirements-test.txt\n - --requirement\n - requirements.txt\n - repo: https://github.com/asottile/pyupgrade\n rev: v3.21.2\n hooks:\n - id: pyupgrade\n args:\n # Python 3.10 is currently the oldest non-EOL version of\n # Python, so we want to apply all rules that apply to this\n # version or later. See here for more details:\n # https://www.gyford.com/phil/writing/2025/08/26/how-to-use-pyupgrade/\n - --py310-plus\n\n # Ansible hooks\n - repo: https://github.com/ansible/ansible-lint\n # We need to stay on this version because we are still using Python 3.13 in\n # our GitHub Actions configuration. Later versions require Python 3.14 for\n # the hook to run.\n rev: v26.1.1\n hooks:\n - id: ansible-lint\n additional_dependencies:\n # On its own ansible-lint does not pull in ansible, only\n # ansible-core. Therefore, if an Ansible module lives in\n # ansible instead of ansible-core, the linter will complain\n # that the module is unknown. In these cases it is\n # necessary to add the ansible package itself as an\n # additional dependency, with the same pinning as is done in\n # requirements-test.txt of cisagov/skeleton-ansible-role.\n #\n # Version 10 is required because the pip-audit pre-commit\n # hook identifies a vulnerability in ansible-core 2.16.13,\n # but all versions of ansible 9 have a dependency on\n # ~=2.16.X.\n # - ansible>=10,<11\n # ansible-core<2.17.7 suffers from GHSA-99w6-3xph-cx78.\n #\n # Note that any changes made to this dependency must also be\n # made in requirements.txt in cisagov/skeleton-packer and\n # requirements-test.txt in cisagov/skeleton-ansible-role.\n - ansible-core>=2.17.7\n\n # Terraform hooks\n - repo: https://github.com/antonbabenko/pre-commit-terraform\n rev: v1.105.0\n hooks:\n - id: terraform_fmt\n - id: terraform_validate\n # This needs to run after the terraform_validate hook so that any Terraform\n # configurations are initialized.\n - id: terraform_providers_lock\n args:\n - --args=-platform=darwin_amd64\n - --args=-platform=darwin_arm64\n - --args=-platform=linux_amd64\n - --args=-platform=linux_arm64\n - --hook-config=--mode=always-regenerate-lockfile\n\n # Docker hooks\n - repo: https://github.com/IamTheFij/docker-pre-commit\n rev: v3.0.1\n hooks:\n - id: docker-compose-check\n\n # Packer hooks\n - repo: https://github.com/cisagov/pre-commit-packer\n rev: v0.3.1\n hooks:\n - id: packer_fmt\n - id: packer_validate\n" }, { "path": ".prettierignore", "content": "# Already being linted by pretty-format-json\n*.json\n# Already being linted by mdl\n*.md\n# Already being linted by yamllint\n*.yaml\n*.yml\n" }, { "path": ".yamllint", "content": "---\nextends: default\n\nrules:\n braces:\n # Do not allow non-empty flow mappings\n forbid: non-empty\n # Allow up to one space inside braces. This is required for Ansible compatibility.\n max-spaces-inside: 1\n\n brackets:\n # Do not allow non-empty flow sequences\n forbid: non-empty\n\n comments:\n # Ensure that inline comments have at least one space before the preceding content.\n # This is required for Ansible compatibility.\n min-spaces-from-content: 1\n\n # yamllint does not like it when you comment out different parts of\n # dictionaries in a list. You can see\n # https://github.com/adrienverge/yamllint/issues/384 for some examples of\n # this behavior.\n comments-indentation: disable\n\n indentation:\n # Ensure that block sequences inside of a mapping are indented\n indent-sequences: true\n # Enforce a specific number of spaces\n spaces: 2\n\n # yamllint does not allow inline mappings that exceed the line length by\n # default. There are many scenarios where the inline mapping may be a key,\n # hash, or other long value that would exceed the line length but cannot\n # reasonably be broken across lines.\n line-length:\n # This rule implies the allow-non-breakable-words rule\n allow-non-breakable-inline-mappings: true\n # Allows a 10% overage from the default limit of 80\n max: 88\n\n # Using anything other than strings to express octal values can lead to unexpected\n # and potentially unsafe behavior. Ansible strongly recommends against such practices\n # and these rules are needed for Ansible compatibility. Please see the following for\n # more information:\n # https://ansible.readthedocs.io/projects/lint/rules/risky-octal/\n octal-values:\n # Do not allow explicit octal values (those beginning with a leading 0o).\n forbid-explicit-octal: true\n # Do not allow implicit octal values (those beginning with a leading 0).\n forbid-implicit-octal: true\n\n quoted-strings:\n # Allow disallowed quotes (single quotes) for strings that contain allowed quotes\n # (double quotes).\n allow-quoted-quotes: true\n # Apply these rules to keys in mappings as well\n check-keys: true\n # We prefer double quotes for strings when they are needed\n quote-type: double\n # Only require quotes when they are necessary for proper processing\n required: only-when-needed\n" }, { "path": "CONTRIBUTING.md", "content": "# Welcome #\n\nWe're so glad you're thinking about contributing to this open source\nproject! If you're unsure or afraid of anything, just ask or submit\nthe issue or pull request anyway. The worst that can happen is that\nyou'll be politely asked to change something. We appreciate any sort\nof contribution, and don't want a wall of rules to get in the way of\nthat.\n\nBefore contributing, we encourage you to read our CONTRIBUTING policy\n(you are here), our [LICENSE](LICENSE), and our [README](README.md),\nall of which should be in this repository.\n\n## Issues ##\n\nIf you want to report a bug or request a new feature, the most direct\nmethod is to [create an\nissue](https://github.com/cisagov/bad-practices/issues) in this\nrepository. We recommend that you first search through existing\nissues (both open and closed) to check if your particular issue has\nalready been reported. If it has then you might want to add a comment\nto the existing issue. If it hasn't then feel free to create a new\none.\n\n## Pull requests ##\n\nIf you choose to [submit a pull\nrequest](https://github.com/cisagov/bad-practices/pulls), you will\nnotice that our continuous integration (CI) system runs a fairly\nextensive set of linters and syntax checkers. Your pull request may\nfail these checks, and that's OK. If you want you can stop there and\nwait for us to make the necessary corrections to ensure your code\npasses the CI checks.\n\nIf you want to make the changes yourself, or if you want to become a\nregular contributor, then you will want to set up\n[pre-commit](https://pre-commit.com/) on your local machine. Once you\ndo that, the CI checks will run locally before you even write your\ncommit message. This speeds up your development cycle considerably.\n\n### Setting up pre-commit ###\n\nThere are a few ways to do this, but we prefer to use\n[`pyenv`](https://github.com/pyenv/pyenv) and\n[`pyenv-virtualenv`](https://github.com/pyenv/pyenv-virtualenv) to\ncreate and manage a Python virtual environment specific to this\nproject.\n\nWe recommend using the `setup-env` script located in this repository,\nas it automates the entire environment configuration process. The\ndependencies required to run this script are\n[GNU `getopt`](https://github.com/util-linux/util-linux/blob/master/misc-utils/getopt.1.adoc),\n[`pyenv`](https://github.com/pyenv/pyenv), and [`pyenv-virtualenv`](https://github.com/pyenv/pyenv-virtualenv).\nIf these tools are already configured on your system, you can simply run the\nfollowing command:\n\n```console\n./setup-env\n```\n\nOtherwise, follow the steps below to manually configure your\nenvironment.\n\n#### Installing and using GNU `getopt`, `pyenv`, and `pyenv-virtualenv` ####\n\nOn macOS, we recommend installing [brew](https://brew.sh/). Then\ninstallation is as simple as `brew install gnu-getopt pyenv pyenv-virtualenv` and\nadding this to your profile:\n\n```bash\n# GNU getopt must be explicitly added to the path since it is\n# keg-only (https://docs.brew.sh/FAQ#what-does-keg-only-mean)\nexport PATH=\"$(brew --prefix)/opt/gnu-getopt/bin:$PATH\"\n\n# Setup pyenv\nexport PYENV_ROOT=\"$HOME/.pyenv\"\nexport PATH=\"$PYENV_ROOT/bin:$PATH\"\neval \"$(pyenv init --path)\"\neval \"$(pyenv init -)\"\neval \"$(pyenv virtualenv-init -)\"\n```\n\nFor Linux, Windows Subsystem for Linux (WSL), or macOS (if you\ndon't want to use `brew`) you can use\n[pyenv/pyenv-installer](https://github.com/pyenv/pyenv-installer) to\ninstall the necessary tools. Before running this ensure that you have\ninstalled the prerequisites for your platform according to the\n[`pyenv` wiki\npage](https://github.com/pyenv/pyenv/wiki/common-build-problems).\nGNU `getopt` is included in most Linux distributions as part of the\n[`util-linux`](https://github.com/util-linux/util-linux) package.\n\nOn WSL you should treat your platform as whatever Linux distribution\nyou've chosen to install.\n\nOnce you have installed `pyenv` you will need to add the following\nlines to your `.bash_profile` (or `.profile`):\n\n```bash\nexport PYENV_ROOT=\"$HOME/.pyenv\"\nexport PATH=\"$PYENV_ROOT/bin:$PATH\"\neval \"$(pyenv init --path)\"\n```\n\nand then add the following lines to your `.bashrc`:\n\n```bash\neval \"$(pyenv init -)\"\neval \"$(pyenv virtualenv-init -)\"\n```\n\nIf you want more information about setting up `pyenv` once installed, please run\n\n```console\npyenv init\n```\n\nand\n\n```console\npyenv virtualenv-init\n```\n\nfor the current configuration instructions.\n\nIf you are using a shell other than `bash` you should follow the\ninstructions that the `pyenv-installer` script outputs.\n\nYou will need to reload your shell for these changes to take effect so\nyou can begin to use `pyenv`.\n\nFor a list of Python versions that are already installed and ready to\nuse with `pyenv`, use the command `pyenv versions`. To see a list of\nthe Python versions available to be installed and used with `pyenv`\nuse the command `pyenv install --list`. You can read more about\nthe [many things that `pyenv` can do](https://github.com/pyenv/pyenv/blob/master/COMMANDS.md).\nSee the [usage information](https://github.com/pyenv/pyenv-virtualenv#usage)\nfor the additional capabilities that pyenv-virtualenv adds to the `pyenv`\ncommand.\n\n#### Creating the Python virtual environment ####\n\nOnce `pyenv` and `pyenv-virtualenv` are installed on your system, you\ncan create and configure the Python virtual environment with these\ncommands:\n\n```console\ncd bad-practices\npyenv virtualenv bad-practices\npyenv local bad-practices\npip install --requirement requirements-dev.txt\n```\n\n#### Installing the pre-commit hook ####\n\nNow setting up pre-commit is as simple as:\n\n```console\npre-commit install\n```\n\nAt this point the pre-commit checks will run against any files that\nyou attempt to commit. If you want to run the checks against the\nentire repo, just execute `pre-commit run --all-files`.\n\n## Public domain ##\n\nThis project is in the public domain within the United States, and\ncopyright and related rights in the work worldwide are waived through\nthe [CC0 1.0 Universal public domain\ndedication](https://creativecommons.org/publicdomain/zero/1.0/).\n\nAll contributions to this project will be released under the CC0\ndedication. By submitting a pull request, you are agreeing to comply\nwith this waiver of copyright interest.\n" }, { "path": "LICENSE", "content": "CC0 1.0 Universal\n\nStatement of Purpose\n\nThe laws of most jurisdictions throughout the world automatically confer\nexclusive Copyright and Related Rights (defined below) upon the creator and\nsubsequent owner(s) (each and all, an \"owner\") of an original work of\nauthorship and/or a database (each, a \"Work\").\n\nCertain owners wish to permanently relinquish those rights to a Work for the\npurpose of contributing to a commons of creative, cultural and scientific\nworks (\"Commons\") that the public can reliably and without fear of later\nclaims of infringement build upon, modify, incorporate in other works, reuse\nand redistribute as freely as possible in any form whatsoever and for any\npurposes, including without limitation commercial purposes. These owners may\ncontribute to the Commons to promote the ideal of a free culture and the\nfurther production of creative, cultural and scientific works, or to gain\nreputation or greater distribution for their Work in part through the use and\nefforts of others.\n\nFor these and/or other purposes and motivations, and without any expectation\nof additional consideration or compensation, the person associating CC0 with a\nWork (the \"Affirmer\"), to the extent that he or she is an owner of Copyright\nand Related Rights in the Work, voluntarily elects to apply CC0 to the Work\nand publicly distribute the Work under its terms, with knowledge of his or her\nCopyright and Related Rights in the Work and the meaning and intended legal\neffect of CC0 on those rights.\n\n1. Copyright and Related Rights. A Work made available under CC0 may be\nprotected by copyright and related or neighboring rights (\"Copyright and\nRelated Rights\"). Copyright and Related Rights include, but are not limited\nto, the following:\n\n i. the right to reproduce, adapt, distribute, perform, display, communicate,\n and translate a Work;\n\n ii. moral rights retained by the original author(s) and/or performer(s);\n\n iii. publicity and privacy rights pertaining to a person's image or likeness\n depicted in a Work;\n\n iv. rights protecting against unfair competition in regards to a Work,\n subject to the limitations in paragraph 4(a), below;\n\n v. rights protecting the extraction, dissemination, use and reuse of data in\n a Work;\n\n vi. database rights (such as those arising under Directive 96/9/EC of the\n European Parliament and of the Council of 11 March 1996 on the legal\n protection of databases, and under any national implementation thereof,\n including any amended or successor version of such directive); and\n\n vii. other similar, equivalent or corresponding rights throughout the world\n based on applicable law or treaty, and any national implementations thereof.\n\n2. Waiver. To the greatest extent permitted by, but not in contravention of,\napplicable law, Affirmer hereby overtly, fully, permanently, irrevocably and\nunconditionally waives, abandons, and surrenders all of Affirmer's Copyright\nand Related Rights and associated claims and causes of action, whether now\nknown or unknown (including existing as well as future claims and causes of\naction), in the Work (i) in all territories worldwide, (ii) for the maximum\nduration provided by applicable law or treaty (including future time\nextensions), (iii) in any current or future medium and for any number of\ncopies, and (iv) for any purpose whatsoever, including without limitation\ncommercial, advertising or promotional purposes (the \"Waiver\"). Affirmer makes\nthe Waiver for the benefit of each member of the public at large and to the\ndetriment of Affirmer's heirs and successors, fully intending that such Waiver\nshall not be subject to revocation, rescission, cancellation, termination, or\nany other legal or equitable action to disrupt the quiet enjoyment of the Work\nby the public as contemplated by Affirmer's express Statement of Purpose.\n\n3. Public License Fallback. Should any part of the Waiver for any reason be\njudged legally invalid or ineffective under applicable law, then the Waiver\nshall be preserved to the maximum extent permitted taking into account\nAffirmer's express Statement of Purpose. In addition, to the extent the Waiver\nis so judged Affirmer hereby grants to each affected person a royalty-free,\nnon transferable, non sublicensable, non exclusive, irrevocable and\nunconditional license to exercise Affirmer's Copyright and Related Rights in\nthe Work (i) in all territories worldwide, (ii) for the maximum duration\nprovided by applicable law or treaty (including future time extensions), (iii)\nin any current or future medium and for any number of copies, and (iv) for any\npurpose whatsoever, including without limitation commercial, advertising or\npromotional purposes (the \"License\"). The License shall be deemed effective as\nof the date CC0 was applied by Affirmer to the Work. Should any part of the\nLicense for any reason be judged legally invalid or ineffective under\napplicable law, such partial invalidity or ineffectiveness shall not\ninvalidate the remainder of the License, and in such case Affirmer hereby\naffirms that he or she will not (i) exercise any of his or her remaining\nCopyright and Related Rights in the Work or (ii) assert any associated claims\nand causes of action with respect to the Work, in either case contrary to\nAffirmer's express Statement of Purpose.\n\n4. Limitations and Disclaimers.\n\n a. No trademark or patent rights held by Affirmer are waived, abandoned,\n surrendered, licensed or otherwise affected by this document.\n\n b. Affirmer offers the Work as-is and makes no representations or warranties\n of any kind concerning the Work, express, implied, statutory or otherwise,\n including without limitation warranties of title, merchantability, fitness\n for a particular purpose, non infringement, or the absence of latent or\n other defects, accuracy, or the present or absence of errors, whether or not\n discoverable, all to the greatest extent permissible under applicable law.\n\n c. Affirmer disclaims responsibility for clearing rights of other persons\n that may apply to the Work or any use thereof, including without limitation\n any person's Copyright and Related Rights in the Work. Further, Affirmer\n disclaims responsibility for obtaining any necessary consents, permissions\n or other rights required for any use of the Work.\n\n d. Affirmer understands and acknowledges that Creative Commons is not a\n party to this document and has no duty or obligation with respect to this\n CC0 or use of the Work.\n\nFor more information, please see\n\n" }, { "path": "README.md", "content": "# ๐Ÿ‘‹ Welcome to CISA's Bad Practices Catalog #\n\n[![GitHub Build Status](https://github.com/cisagov/bad-practices/workflows/build/badge.svg)](https://github.com/cisagov/bad-practices/actions)\n[![License](https://img.shields.io/github/license/cisagov/bad-practices)](https://spdx.org/licenses/)\n[![CodeQL](https://github.com/cisagov/bad-practices/workflows/CodeQL/badge.svg)](https://github.com/cisagov/bad-practices/actions/workflows/codeql-analysis.yml)\n\n
\n\"Banner\"\n
\n\nWeโ€™re using [GitHub\ndiscussions](https://github.com/cisagov/bad-practices/discussions) as a place to\nconnect and engage in a critical conversations with other members in the\ncommunity. We hope that you will:\n\n- Ask questions if something doesn't make sense.\n- Share your thoughts on existing, and ideas for future, bad practice entries.\n- Engage with us and other community members on ideas and actions to eradicate\n bad practices.\n- Welcome others and maintain an open mind.\n\n---\n\n## Bad Practices ##\n\nAs recent incidents have demonstrated, cyber attacks against critical\ninfrastructure can have significant impacts on the critical functions of\ngovernment and the private sector. All organizations, and particularly those\nsupporting designated critical infrastructure or [national critical functions\n(NCF)](https://www.cisa.gov/national-critical-functions) should implement an\neffective cybersecurity program to protect against cyber threats and manage\ncyber risk in a manner commensurate with the criticality of those NCFs to\nnational security, national economic security, and/or national public health and\nsafety.\n\nCISA is developing a catalog of bad practices that are exceptionally risky,\nespecially in organizations supporting critical infrastructure or NCFs. The\npresence of these bad practices in organizations that support critical\ninfrastructure or NCFs is exceptionally dangerous and increases risk to our\ncritical infrastructure, on which we rely for national security, economic\nstability, and life, health, and safety of the public. Entries in the catalog\nwill be listed here as they are added.\n\n1. Use of unsupported (or end-of-life) software in service of critical\n infrastructure and national critical functions is dangerous and significantly\n elevates risk to national security, national economic security, and national\n public health and safety. This dangerous practice is especially egregious in\n technologies accessible from the internet.\n\n1. Use of known/fixed/default passwords and credentials in service of Critical\n Infrastructure and national critical functions is dangerous and significantly\n elevates risk to national security, national economic security, and national\n public health and safety. This dangerous practice is especially egregious in\n technologies accessible from the internet.\n\n1. The use of single-factor authentication for remote or administrative access\n to systems supporting the operation of Critical Infrastructure and national\n critical functions (NCF) is dangerous and significantly elevates risk to\n national security, national economic security, and national public health and\n safety. This dangerous practice is especially egregious in technologies\n accessible from the internet.\n\nWhile these practices are dangerous for critical infrastructure and NCFs, CISA\nencourages all organizations to engage in the necessary actions and critical\nconversations to address bad practices.\n\n*Note: This list is focused and does not include every possible inadvisable\ncybersecurity practice. The lack of inclusion of any particular cybersecurity\npractice does not indicate that CISA endorses such a practice or deems such a\npractice to present acceptable levels of risk.*\n\n## Contributing ##\n\nJoin the [bad practices\ndiscussion](https://github.com/cisagov/bad-practices/discussions). We welcome\nfeedback about our current catalog of bad practices and want to hear your\nsuggestions for additions.\n\n## License ##\n\nThis project is in the worldwide [public domain](LICENSE).\n\nThis project is in the public domain within the United States, and\ncopyright and related rights in the work worldwide are waived through\nthe [CC0 1.0 Universal public domain\ndedication](https://creativecommons.org/publicdomain/zero/1.0/).\n\nAll contributions to this project will be released under the CC0\ndedication. By submitting a pull request, you are agreeing to comply\nwith this waiver of copyright interest.\n" }, { "path": "bump-version", "content": "#!/usr/bin/env bash\n\n# bump-version [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show)\n# bump-version --list-files\n\nset -o nounset\nset -o errexit\nset -o pipefail\n\n# Stores the canonical version for the project.\nVERSION_FILE=version.txt\n# Files that should be updated with the new version.\nVERSION_FILES=(\"$VERSION_FILE\")\n\nUSAGE=$(\n cat << END_OF_LINE\nUpdate the version of the project.\n\nUsage:\n ${0##*/} [--push] [--label LABEL] (major | minor | patch | prerelease | build | finalize | show)\n ${0##*/} --list-files\n ${0##*/} (-h | --help)\n\nOptions:\n -h | --help Show this message.\n --push Perform a \\`git push\\` after updating the version.\n --label LABEL Specify the label to use when updating the build or prerelease version.\n --list-files List the files that will be updated when the version is bumped.\nEND_OF_LINE\n)\n\nold_version=$(< \"$VERSION_FILE\")\n# Comment out periods so they are interpreted as periods and don't\n# just match any character\nold_version_regex=${old_version//\\./\\\\\\.}\nnew_version=\"$old_version\"\n\nbump_part=\"\"\nlabel=\"\"\ncommit_prefix=\"Bump\"\nwith_push=false\ncommands_with_label=(\"build\" \"prerelease\")\ncommands_with_prerelease=(\"major\" \"minor\" \"patch\")\nwith_prerelease=false\n\n#######################################\n# Display an error message, the help information, and exit with a non-zero status.\n# Arguments:\n# Error message.\n#######################################\nfunction invalid_option() {\n echo \"$1\"\n echo \"$USAGE\"\n exit 1\n}\n\n#######################################\n# Bump the version using the provided command.\n# Arguments:\n# The version to bump.\n# The command to bump the version.\n# Returns:\n# The new version.\n#######################################\nfunction bump_version() {\n local temp_version\n temp_version=$(python -c \"import semver; print(semver.parse_version_info('$1').${2})\")\n echo \"$temp_version\"\n}\n\nif [ $# -eq 0 ]; then\n echo \"$USAGE\"\n exit 1\nelse\n while [ $# -gt 0 ]; do\n case $1 in\n --push)\n if [ \"$with_push\" = true ]; then\n invalid_option \"Push has already been set.\"\n fi\n\n with_push=true\n shift\n ;;\n --label)\n if [ -n \"$label\" ]; then\n invalid_option \"Label has already been set.\"\n fi\n\n label=\"$2\"\n shift 2\n ;;\n build | finalize | major | minor | patch)\n if [ -n \"$bump_part\" ]; then\n invalid_option \"Only one version part should be bumped at a time.\"\n fi\n\n bump_part=\"$1\"\n shift\n ;;\n prerelease)\n with_prerelease=true\n shift\n ;;\n show)\n echo \"$old_version\"\n exit 0\n ;;\n -h | --help)\n echo \"$USAGE\"\n exit 0\n ;;\n --list-files)\n printf '%s\\n' \"${VERSION_FILES[@]}\"\n exit 0\n ;;\n *)\n invalid_option \"Invalid option: $1\"\n ;;\n esac\n done\nfi\n\nif [ -n \"$label\" ] && [ \"$with_prerelease\" = false ] && [[ ! \" ${commands_with_label[*]} \" =~ [[:space:]]${bump_part}[[:space:]] ]]; then\n invalid_option \"Setting the label is only allowed for the following commands: ${commands_with_label[*]}\"\nfi\n\nif [ \"$with_prerelease\" = true ] && [ -n \"$bump_part\" ] && [[ ! \" ${commands_with_prerelease[*]} \" =~ [[:space:]]${bump_part}[[:space:]] ]]; then\n invalid_option \"Changing the prerelease is only allowed in conjunction with the following commands: ${commands_with_prerelease[*]}\"\nfi\n\nlabel_option=\"\"\nif [ -n \"$label\" ]; then\n label_option=\"token='$label'\"\nfi\n\nif [ -n \"$bump_part\" ]; then\n if [ \"$bump_part\" = \"finalize\" ]; then\n commit_prefix=\"Finalize\"\n bump_command=\"finalize_version()\"\n elif [ \"$bump_part\" = \"build\" ]; then\n bump_command=\"bump_${bump_part}($label_option)\"\n else\n bump_command=\"bump_${bump_part}()\"\n fi\n new_version=$(bump_version \"$old_version\" \"$bump_command\")\n echo Changing version from \"$old_version\" to \"$new_version\"\nfi\n\nif [ \"$with_prerelease\" = true ]; then\n bump_command=\"bump_prerelease($label_option)\"\n temp_version=$(bump_version \"$new_version\" \"$bump_command\")\n echo Changing version from \"$new_version\" to \"$temp_version\"\n new_version=\"$temp_version\"\nfi\n\ntmp_file=/tmp/version.$$\nfor version_file in \"${VERSION_FILES[@]}\"; do\n if [ ! -f \"$version_file\" ]; then\n echo Missing expected file: \"$version_file\"\n exit 1\n fi\n sed \"s/$old_version_regex/$new_version/\" \"$version_file\" > $tmp_file\n mv $tmp_file \"$version_file\"\ndone\n\ngit add \"${VERSION_FILES[@]}\"\ngit commit --message \"$commit_prefix version from $old_version to $new_version\"\n\nif [ \"$with_push\" = true ]; then\n git push\nfi\n" }, { "path": "requirements-dev.txt", "content": "--requirement requirements-test.txt\nipython\n# The bump-version script requires at least version 3 of semver.\nsemver>=3\n" }, { "path": "requirements-test.txt", "content": "--requirement requirements.txt\npre-commit\n" }, { "path": "requirements.txt", "content": "setuptools>=70.1\n" }, { "path": "setup-env", "content": "#!/usr/bin/env bash\n\nset -o nounset\nset -o errexit\nset -o pipefail\n\nUSAGE=$(\n cat << 'END_OF_LINE'\nConfigure a development environment for this repository.\n\nIt does the following:\n - Allows the user to specify the Python version to use for the virtual environment.\n - Allows the user to specify a name for the virtual environment.\n - Verifies pyenv and pyenv-virtualenv are installed.\n - Creates the Python virtual environment.\n - Configures the activation of the virtual enviroment for the repo directory.\n - Installs the requirements needed for development.\n - Installs git pre-commit hooks.\n - Configures git remotes for upstream \"lineage\" repositories.\n\nUsage:\n setup-env [--venv-name venv_name] [--python-version python_version]\n setup-env (-h | --help)\n\nOptions:\n -f | --force Delete virtual enviroment if it already exists.\n -h | --help Show this message.\n -i | --install-hooks Install hook environments for all environments in the\n pre-commit config file.\n -l | --list-versions List available Python versions and select one interactively.\n -v | --venv-name Specify the name of the virtual environment.\n -p | --python-version Specify the Python version for the virtual environment.\n\nEND_OF_LINE\n)\n\n# Display pyenv's installed Python versions\npython_versions() {\n pyenv versions --bare --skip-aliases --skip-envs\n}\n\ncheck_python_version() {\n local version=$1\n\n # This is a valid regex for semantically correct Python version strings.\n # For more information see here:\n # https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string\n # Break down the regex into readable parts major.minor.patch\n local major=\"0|[1-9]\\d*\"\n local minor=\"0|[1-9]\\d*\"\n local patch=\"0|[1-9]\\d*\"\n\n # Splitting the prerelease part for readability\n # Start of the prerelease\n local prerelease=\"(?:-\"\n # Numeric or alphanumeric identifiers\n local prerelease+=\"(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)\"\n # Additional dot-separated identifiers\n local prerelease+=\"(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*\"\n # End of the prerelease, making it optional\n local prerelease+=\")?\"\n # Optional build metadata\n local build=\"(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?\"\n\n # Final regex composed of parts\n local regex=\"^($major)\\.($minor)\\.($patch)$prerelease$build$\"\n\n # This checks if the Python version does not match the regex pattern specified in $regex,\n # using Perl for regex matching. If the pattern is not found, then prompt the user with\n # the invalid version message.\n if ! echo \"$version\" | perl -ne \"exit(!/$regex/)\"; then\n echo \"Invalid version of Python: Python follows semantic versioning,\" \\\n \"so any version string that is not a valid semantic version is an\" \\\n \"invalid version of Python.\"\n exit 1\n # Else if the Python version isn't installed then notify the user.\n # grep -E is used for searching through text lines that match the\n # specific version.\n elif ! python_versions | grep -E \"^${version}$\" > /dev/null; then\n echo \"Error: Python version $version is not installed.\"\n echo \"Installed Python versions are:\"\n python_versions\n exit 1\n else\n echo \"Using Python version $version\"\n fi\n}\n\n# Flag to force deletion and creation of virtual environment\nFORCE=0\n\n# Initialize the other flags\nINSTALL_HOOKS=0\nLIST_VERSIONS=0\nPYTHON_VERSION=\"\"\nVENV_NAME=\"\"\n\n# Define long options\nLONGOPTS=\"force,help,install-hooks,list-versions,python-version:,venv-name:\"\n\n# Define short options for getopt\nSHORTOPTS=\"fhilp:v:\"\n\n# Check for GNU getopt by testing for long option support. GNU getopt supports\n# the \"--test\" option and will return exit code 4 while POSIX/BSD getopt does\n# not and will return exit code 0.\nif getopt --test > /dev/null 2>&1; then\n cat << 'END_OF_LINE'\n\n Please note, this script requires GNU getopt due to its enhanced\n functionality and compatibility with certain script features that\n are not supported by the POSIX getopt found in some systems, particularly\n those with a non-GNU version of getopt. This distinction is crucial\n as a system might have a non-GNU version of getopt installed by default,\n which could lead to unexpected behavior.\n\n On macOS, we recommend installing brew (https://brew.sh/). Then installation\n is as simple as `brew install gnu-getopt` and adding this to your\n profile:\n\n export PATH=\"$(brew --prefix)/opt/gnu-getopt/bin:$PATH\"\n\n GNU getopt must be explicitly added to the PATH since it\n is keg-only (https://docs.brew.sh/FAQ#what-does-keg-only-mean).\n\nEND_OF_LINE\n exit 1\nfi\n\n# Check to see if pyenv is installed\nif [ -z \"$(command -v pyenv)\" ] || { [ -z \"$(command -v pyenv-virtualenv)\" ] && [ ! -f \"$(pyenv root)/plugins/pyenv-virtualenv/bin/pyenv-virtualenv\" ]; }; then\n echo \"pyenv and pyenv-virtualenv are required.\"\n if [[ \"$OSTYPE\" == \"darwin\"* ]]; then\n cat << 'END_OF_LINE'\n\n On macOS, we recommend installing brew, https://brew.sh/. Then installation\n is as simple as `brew install pyenv pyenv-virtualenv` and adding this to your\n profile:\n\n eval \"$(pyenv init -)\"\n eval \"$(pyenv virtualenv-init -)\"\n\nEND_OF_LINE\n\n fi\n cat << 'END_OF_LINE'\n For Linux, Windows Subsystem for Linux (WSL), or macOS (if you don't want\n to use \"brew\") you can use https://github.com/pyenv/pyenv-installer to install\n the necessary tools. Before running this ensure that you have installed the\n prerequisites for your platform according to the pyenv wiki page,\n https://github.com/pyenv/pyenv/wiki/common-build-problems.\n\n On WSL you should treat your platform as whatever Linux distribution you've\n chosen to install.\n\n Once you have installed \"pyenv\" you will need to add the following lines to\n your \".bashrc\":\n\n export PATH=\"$PATH:$HOME/.pyenv/bin\"\n eval \"$(pyenv init -)\"\n eval \"$(pyenv virtualenv-init -)\"\nEND_OF_LINE\n exit 1\nfi\n\n# Use GNU getopt to parse options\nif ! PARSED=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS --name \"$0\" -- \"$@\"); then\n echo \"Error parsing options\"\n exit 1\nfi\neval set -- \"$PARSED\"\n\nwhile true; do\n case \"$1\" in\n -f | --force)\n FORCE=1\n shift\n ;;\n -h | --help)\n echo \"$USAGE\"\n exit 0\n ;;\n -i | --install-hooks)\n INSTALL_HOOKS=1\n shift\n ;;\n -l | --list-versions)\n LIST_VERSIONS=1\n shift\n ;;\n -p | --python-version)\n PYTHON_VERSION=\"$2\"\n shift 2\n # Check the Python version being passed in.\n check_python_version \"$PYTHON_VERSION\"\n ;;\n -v | --venv-name)\n VENV_NAME=\"$2\"\n shift 2\n ;;\n --)\n shift\n break\n ;;\n *)\n # Unreachable due to GNU getopt handling all options\n echo \"Programming error\"\n exit 64\n ;;\n esac\ndone\n\n# Determine the virtual environment name\nif [ -n \"$VENV_NAME\" ]; then\n # Use the user-provided environment name\n env_name=\"$VENV_NAME\"\nelse\n # Set the environment name to the last part of the working directory.\n env_name=${PWD##*/}\nfi\n\n# List Python versions and select one interactively.\nif [ $LIST_VERSIONS -ne 0 ]; then\n echo Available Python versions:\n python_versions\n # Read the user's desired Python version.\n # -r: treat backslashes as literal, -p: display prompt before input.\n read -r -p \"Enter the desired Python version: \" PYTHON_VERSION\n # Check the Python version being passed in.\n check_python_version \"$PYTHON_VERSION\"\nfi\n\n# Remove any lingering local configuration.\nif [ $FORCE -ne 0 ]; then\n rm -f .python-version\n pyenv virtualenv-delete --force \"${env_name}\" || true\nelif [[ -f .python-version ]]; then\n cat << 'END_OF_LINE'\n An existing .python-version file was found. Either remove this file yourself\n or re-run with the --force option to have it deleted along with the associated\n virtual environment.\n\n rm .python-version\n\nEND_OF_LINE\n exit 1\nfi\n\n# Create a new virtual environment for this project\n#\n# If $PYTHON_VERSION is undefined then the current pyenv Python version will be used.\n#\n# We can't quote ${PYTHON_VERSION:=} below since if the variable is\n# undefined then we want nothing to appear; this is the reason for the\n# \"shellcheck disable\" line below.\n#\n# shellcheck disable=SC2086\nif ! pyenv virtualenv ${PYTHON_VERSION:=} \"${env_name}\"; then\n cat << END_OF_LINE\n An existing virtual environment named $env_name was found. Either delete this\n environment yourself or re-run with the --force option to have it deleted.\n\n pyenv virtualenv-delete ${env_name}\n\nEND_OF_LINE\n exit 1\nfi\n\n# Set the local application-specific Python version(s) by writing the\n# version name to a file named `.python-version'.\npyenv local \"${env_name}\"\n\n# Upgrade pip and friends\npython3 -m pip install --upgrade pip setuptools\n\n# Find a requirements file (if possible) and install\nfor req_file in \"requirements-dev.txt\" \"requirements-test.txt\" \"requirements.txt\"; do\n if [[ -f $req_file ]]; then\n pip install --requirement $req_file\n break\n fi\ndone\n\n# Install git pre-commit hooks now or later.\npre-commit install ${INSTALL_HOOKS:+\"--install-hooks\"}\n\n# Setup git remotes from lineage configuration\n# This could fail if the remotes are already setup, but that is ok.\nset +o errexit\n\neval \"$(\n python3 << 'END_OF_LINE'\nfrom pathlib import Path\nimport yaml\nimport sys\n\nLINEAGE_CONFIG = Path(\".github/lineage.yml\")\n\nif not LINEAGE_CONFIG.exists():\n print(\"No lineage configuration found.\", file=sys.stderr)\n sys.exit(0)\n\nwith LINEAGE_CONFIG.open(\"r\") as f:\n lineage = yaml.safe_load(stream=f)\n\nif lineage[\"version\"] == \"1\":\n for parent_name, v in lineage[\"lineage\"].items():\n remote_url = v[\"remote-url\"]\n print(f\"git remote add {parent_name} {remote_url};\")\n print(f\"git remote set-url --push {parent_name} no_push;\")\nelse:\n print(f'Unsupported lineage version: {lineage[\"version\"]}', file=sys.stderr)\nEND_OF_LINE\n)\"\n\n# Qapla'\necho \"Success!\"\n" }, { "path": "version.txt", "content": "1.0.0\n" } ]