From 8e92286049b45da9eb219368ab3a6c29092665ff Mon Sep 17 00:00:00 2001 From: Felddy Date: Thu, 25 Mar 2021 17:37:30 -0400 Subject: [PATCH 01/63] Enable container publication to GitHub Container Registry. * Duplicates DockerHub tags for ghcr.io * Adds login to GitHub Container Registry using the GITHUB_TOKEN secret. * Documentation update to reflect multi-registry publication. --- .github/workflows/build.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ce70bf5..a45d7f8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -156,6 +156,10 @@ jobs: if [ "${{ github.event_name }}" = "push" ]; then TAGS="${TAGS},${IMAGE_NAME}:sha-${GITHUB_SHA::8}" fi + for i in ${TAGS//,/ } + do + TAGS="${TAGS},ghcr.io/${i}" + done echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ') echo ::set-output name=source_version::$(./bump_version.sh show) echo ::set-output name=tags::${TAGS} @@ -275,9 +279,10 @@ jobs: build-push-all: # Builds the final set of images for each of the platforms listed in # PLATFORMS environment variable. These images are tagged with the Docker - # tags calculated in the "prepare" job and pushed to DockerHub. The - # contents of README.md is pushed as the image's description. This job is - # skipped when the triggering event is a pull request. + # tags calculated in the "prepare" job and pushed to DockerHub and the + # GitHub Container Registry. The contents of README.md is pushed as the + # image's description to DockerHub. This job is skipped when the triggering + # event is a pull request. name: "Build and push all platforms" runs-on: ubuntu-latest needs: [lint, prepare, test] @@ -288,6 +293,12 @@ jobs: with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} + - name: Login to GitHub Container Registry + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - name: Checkout uses: actions/checkout@v2 - name: Set up QEMU @@ -305,7 +316,7 @@ jobs: ${{ env.BASE_CACHE_KEY }} - name: Create cross-platform support Dockerfile-x run: ./buildx-dockerfile.sh - - name: Build and push platform images to Docker Hub + - name: Build and push platform images to registries id: docker_build uses: docker/build-push-action@v2 with: From 27c0451a4f18c6d0d3b87df4783b6b13795cff73 Mon Sep 17 00:00:00 2001 From: Mark Feldhousen Date: Fri, 26 Mar 2021 12:38:26 -0400 Subject: [PATCH 02/63] Update .github/workflows/build.yml Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a45d7f8..9afe401 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -280,7 +280,7 @@ jobs: # Builds the final set of images for each of the platforms listed in # PLATFORMS environment variable. These images are tagged with the Docker # tags calculated in the "prepare" job and pushed to DockerHub and the - # GitHub Container Registry. The contents of README.md is pushed as the + # GitHub Container Registry. The contents of README.md are pushed as the # image's description to DockerHub. This job is skipped when the triggering # event is a pull request. name: "Build and push all platforms" From 6427dfaede0d45de6e425cb42936e4a3e9de37e3 Mon Sep 17 00:00:00 2001 From: Felddy Date: Tue, 6 Apr 2021 16:17:57 -0400 Subject: [PATCH 03/63] Add better build instructions to the README. * Add instructions for cross-platform builds * Clean up shields * Clean up tables for each Docker configuration item * Add section about supported tags --- README.md | 210 +++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 183 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index 99246a9..42faa08 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ # skeleton-docker 💀🐳 # -[![GitHub Build Status](https://github.com/cisagov/skeleton-docker/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-docker/actions) -[![Total alerts](https://img.shields.io/lgtm/alerts/g/cisagov/skeleton-docker.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/cisagov/skeleton-docker/alerts/) -[![Language grade: Python](https://img.shields.io/lgtm/grade/python/g/cisagov/skeleton-docker.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/cisagov/skeleton-docker/context:python) +[![GitHub Build Status](https://github.com/cisagov/skeleton-docker/workflows/build/badge.svg)](https://github.com/cisagov/skeleton-docker/actions/workflows/build.yml) +[![CodeQL](https://github.com/cisagov/skeleton-docker/workflows/CodeQL/badge.svg)](https://github.com/cisagov/skeleton-docker/actions/workflows/codeql-analysis.yml) +[![Known Vulnerabilities](https://snyk.io/test/github/cisagov/skeleton-docker/badge.svg)](https://snyk.io/test/github/cisagov/skeleton-docker) ## Docker Image ## @@ -17,49 +17,205 @@ information](LICENSE), as well as [pre-commit hooks](https://pre-commit.com) and [GitHub Actions](https://github.com/features/actions) configurations appropriate for docker containers and the major languages that we use. -## Usage ## +## Running ## -### Install ### +### Using Docker ### -Pull `cisagov/example` from the Docker repository: +```console +docker run cisagov/example:0.0.1 +``` - docker pull cisagov/example +## Using a Docker composition ### -Or build `cisagov/example` from source: +1. Create a `docker-compose.yml` file similar to the one below. - git clone https://github.com/cisagov/skeleton-docker.git - cd skeleton-docker - docker-compose build --build-arg VERSION=0.0.1 + ```yaml + version: "3.8" -### Run ### + services: + example: + image: cisagov/example:0.0.1 + volumes: + - type: bind + source: + target: /var/log + environment: + - ECHO_MESSAGE="Hello from docker-compose" + ports: + - target: "8080" + published: "8080" + protocol: tcp + ``` - docker-compose run --rm example +1. Start the container and detach: -## Ports ## + ```console + docker-compose up --detach + ``` -This container exposes the following ports: +## Using secrets ## -| Port | Protocol | Service | -|-------|----------|----------| -| 8080 | TCP | http | +This container also supports passing sensitive values via [Docker +secrets](https://docs.docker.com/engine/swarm/secrets/). Passing sensitive +values like your credentials can be more secure using secrets than using +environment variables. See the +[secrets](#secrets) section below for a table of all supported secret files. -## Environment Variables ## +1. To use secrets, create a `quote.txt` file containing the values you want set: -| Variable | Default Value | Purpose | -|---------------|-------------------------------|--------------| -| ECHO_MESSAGE | `Hello World from Dockerfile` | Text to echo | + ```text + Better lock it in your pocket. + ``` -## Secrets ## +1. Then add the secret to your `docker-compose.yml` file: + + ```yaml + version: "3.8" + + secrets: + quote_txt: + file: quote.txt + + services: + example: + image: cisagov/example:0.0.1 + volumes: + - type: bind + source: + target: /var/log + environment: + - ECHO_MESSAGE="Hello from docker-compose" + ports: + - target: "8080" + published: "8080" + protocol: tcp + secrets: + - source: quote_txt + target: quote.txt + ``` + +## Updating ## + +### Docker-compose ### + +1. Pull the new image from Docker hub: + + ```console + docker-compose pull + ``` + +1. Recreate the running container: + + ```console + docker-compose up --detach + ``` -| Filename | Purpose | -|---------------|----------------------| -| quote.txt | Secret text to echo | +### Docker ### + +1. Stop the running container: + + ```console + docker stop + ``` + +1. Pull the new image: + + ```console + docker pull cisagov/example:0.0.1 + ``` + +1. Follow the previous instructions for [running](#running) the container above. + +## Image tags ## + +The images of this container are tagged with [semantic +versions](https://semver.org) of the underlying example project that they +containerize. It is recommended that most users use a version tag. e.g., +`:0.0.1` + +| Image:tag | Description | +|-----------|-------------| +|`cisagov/example:1.2.3`| An exact release version. | +|`cisagov/example:1.2`| The most recent release matching the major and minor version numbers. | +|`cisagov/example:1`| The most recent release matching the major version number. | +|`cisagov/example:edge` | The most recent image built from a merge into the `develop` branch of this repository. | +|`cisagov/example:nightly` | A nightly build of the `develop` branch of this repository. | +|`cisagov/example:latest`| The most recent release image pushed to a container registry. Pulling an image using the `:latest` tag [should be avoided.](https://vsupalov.com/docker-latest-tag/) | + +See the [tags tab](https://hub.docker.com/r/cisagov/example/tags) on Docker +Hub for a list of all the supported tags. ## Volumes ## | Mount point | Purpose | |-------------|----------------| -| /var/log | logging output | +| `/var/log` | Log storage | + +## Environment variables ## + +### Required ### + +There are no required environment variables. + + + +### Optional ### + +| Name | Purpose | Default | +|-------|---------|---------| +| `ECHO_MESSAGE` | Sets the message echoed by this container. | `Hello World from Dockerfile` | + +## Secrets ## + +| Filename | Purpose | +|--------------|---------| +| `quote.txt` | Replaces the secret stored in the example library's package data. | + +## Building from source ## + +Build the image locally using this git repository as the [build context](https://docs.docker.com/engine/reference/commandline/build/#git-repositories): + +```console +docker build \ + --build-arg VERSION=0.0.1 \ + --tag cisagov/example:0.0.1 \ + https://github.com/cisagov/example.git#develop +``` + +## Cross-platform builds ## + +To create images that are compatible with other platforms you can use the +[`buildx`](https://docs.docker.com/buildx/working-with-buildx/) feature of +Docker: + +1. Copy the project to your machine using the `Code` button above + or the command line: + + ```console + git clone https://github.com/cisagov/example.git + cd example + ``` + +1. Create the `Dockerfile-x` file with `buildx` platform support: + + ```console + ./buildx-dockerfile.sh + ``` + +1. Build the image using `buildx`: + + ```console + docker buildx build \ + --file Dockerfile-x \ + --platform linux/amd64 \ + --build-arg VERSION=0.0.1 \ + --output type=docker \ + --tag cisagov/example:0.0.1 . + ``` ## New Repositories from a Skeleton ## From cd0d27203224b0a3edac3295435f7c26c15aa3cf Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 7 Apr 2021 17:02:24 -0400 Subject: [PATCH 04/63] Skip CodeQL workflow for Dependabot branches on push events This should resolve the following error: Error: Workflows triggered by Dependabot on the "push" event run with read-only access. Uploading Code Scanning results requires write access. To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events. --- .github/workflows/codeql-analysis.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 127ef08..33d1999 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -9,6 +9,9 @@ name: "CodeQL" on: push: + # Dependabot triggered push events have read-only access, but uploading code + # scanning requires write access. + branches-ignore: [dependabot/**] pull_request: # The branches below must be a subset of the branches above branches: [develop] From d354a54ede128286a4ac09287ac4e513e2a202b1 Mon Sep 17 00:00:00 2001 From: Mark Feldhousen Date: Thu, 8 Apr 2021 14:55:33 -0400 Subject: [PATCH 05/63] Update README.md Co-authored-by: Hillary --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 42faa08..a2a30af 100644 --- a/README.md +++ b/README.md @@ -217,7 +217,7 @@ Docker: --tag cisagov/example:0.0.1 . ``` -## New Repositories from a Skeleton ## +## New repositories from a skeleton ## Please see our [Project Setup guide](https://github.com/cisagov/development-guide/tree/develop/project_setup) for step-by-step instructions on how to start a new repository from From 267e56bb80c2832c243a488d22e8cc8644b1cb78 Mon Sep 17 00:00:00 2001 From: Mark Feldhousen Date: Thu, 8 Apr 2021 14:55:46 -0400 Subject: [PATCH 06/63] Update README.md Co-authored-by: Hillary --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a2a30af..754ff79 100644 --- a/README.md +++ b/README.md @@ -188,7 +188,7 @@ docker build \ ## Cross-platform builds ## -To create images that are compatible with other platforms you can use the +To create images that are compatible with other platforms, you can use the [`buildx`](https://docs.docker.com/buildx/working-with-buildx/) feature of Docker: From d0d474c1a6ef4b44cec5221cf5199a37bb57e8b9 Mon Sep 17 00:00:00 2001 From: Mark Feldhousen Date: Thu, 8 Apr 2021 14:56:12 -0400 Subject: [PATCH 07/63] Update README.md Co-authored-by: Hillary --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 754ff79..96a5768 100644 --- a/README.md +++ b/README.md @@ -124,7 +124,7 @@ environment variables. See the docker pull cisagov/example:0.0.1 ``` -1. Follow the previous instructions for [running](#running) the container above. +1. Recreate and run the container by following the [previous instructions](#running-with-docker). ## Image tags ## From d58e50c628abc2c5c6bc7dd33d93863447cbc2be Mon Sep 17 00:00:00 2001 From: Mark Feldhousen Date: Thu, 8 Apr 2021 14:56:24 -0400 Subject: [PATCH 08/63] Update README.md Co-authored-by: Hillary --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 96a5768..a83610f 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ appropriate for docker containers and the major languages that we use. ## Running ## -### Using Docker ### +### Running with Docker ### ```console docker run cisagov/example:0.0.1 From c8ea90222231a011fe1a4e1c078c8020b4a74c43 Mon Sep 17 00:00:00 2001 From: Mark Feldhousen Date: Thu, 8 Apr 2021 14:56:36 -0400 Subject: [PATCH 09/63] Update README.md Co-authored-by: Hillary --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a83610f..7c2792b 100644 --- a/README.md +++ b/README.md @@ -104,7 +104,7 @@ environment variables. See the docker-compose pull ``` -1. Recreate the running container: +1. Recreate the running container by following the [previous instructions](#running-with-docker-compose): ```console docker-compose up --detach From f014b4c36577b771fb3be7173241fec0fe494da1 Mon Sep 17 00:00:00 2001 From: Mark Feldhousen Date: Thu, 8 Apr 2021 15:04:48 -0400 Subject: [PATCH 10/63] Update README.md Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7c2792b..4d21a3b 100644 --- a/README.md +++ b/README.md @@ -96,7 +96,7 @@ environment variables. See the ## Updating ## -### Docker-compose ### +### Docker Compose ### 1. Pull the new image from Docker hub: From 4df9da2402287a0c6db58a61e5aa48dfded8e2c5 Mon Sep 17 00:00:00 2001 From: Mark Feldhousen Date: Thu, 8 Apr 2021 15:07:41 -0400 Subject: [PATCH 11/63] Update README.md Co-authored-by: Hillary --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4d21a3b..5778527 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ appropriate for docker containers and the major languages that we use. docker run cisagov/example:0.0.1 ``` -## Using a Docker composition ### +### Running with Docker Compose ### 1. Create a `docker-compose.yml` file similar to the one below. From 2c06a69890aa98b687db6de6c0c378a859aa76dd Mon Sep 17 00:00:00 2001 From: Mark Feldhousen Date: Thu, 8 Apr 2021 15:07:54 -0400 Subject: [PATCH 12/63] Update README.md Co-authored-by: Hillary --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5778527..3fa2d03 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ docker run cisagov/example:0.0.1 ### Running with Docker Compose ### -1. Create a `docker-compose.yml` file similar to the one below. +1. Create a `docker-compose.yml` file similar to the one below to use [Docker Compose](https://docs.docker.com/compose/). ```yaml version: "3.8" From 6a11d943849b17cbcd2ee2e5ae22102bd85bba06 Mon Sep 17 00:00:00 2001 From: Mark Feldhousen Date: Thu, 8 Apr 2021 15:08:15 -0400 Subject: [PATCH 13/63] Update README.md Co-authored-by: Hillary --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3fa2d03..2df2c8c 100644 --- a/README.md +++ b/README.md @@ -94,7 +94,7 @@ environment variables. See the target: quote.txt ``` -## Updating ## +## Updating your container ## ### Docker Compose ### From ba49077ab48d1ac7ad45b2bb05d1db346950284b Mon Sep 17 00:00:00 2001 From: Felddy Date: Mon, 12 Apr 2021 10:37:49 -0400 Subject: [PATCH 14/63] Improve gitignore file comments and organization. * Add a comment describing what the files does. * Add sections to organize patterns. --- .gitignore | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.gitignore b/.gitignore index 4b15d77..937e21d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,8 @@ +# This file specifies intentionally untracked files that Git should ignore. +# Files already tracked by Git are not affected. +# See: https://git-scm.com/docs/gitignore + +## Python ## __pycache__ .mypy_cache .python-version From 2c4d7a2504a08f9ebbcc728b35bcd41bfc74ec63 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 15 Apr 2021 11:53:57 -0400 Subject: [PATCH 15/63] Remove user from CODEOWNERS Due to her departure this removes hillaryj from the default CODEOWNERS we use in our projects. --- .github/CODEOWNERS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 9c3d21f..371258c 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -3,8 +3,8 @@ # These owners will be the default owners for everything in the # repo. Unless a later match takes precedence, these owners will be # requested for review when someone opens a pull request. -* @dav3r @felddy @hillaryj @jsf9k @mcdonnnj +* @dav3r @felddy @jsf9k @mcdonnnj # These folks own any files in the .github directory at the root of # the repository and any of its subdirectories. -/.github/ @dav3r @felddy @hillaryj @jsf9k @mcdonnnj +/.github/ @dav3r @felddy @jsf9k @mcdonnnj From 5fb5dbc9445abe5bb45de679f19e24d7bb44b985 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Sun, 25 Apr 2021 19:11:24 -0400 Subject: [PATCH 16/63] Add semver package to development requirements The semver package is needed by the bump_version.sh script, but it is not included in requirements-dev.txt. --- requirements-dev.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements-dev.txt b/requirements-dev.txt index d84ee68..cb51627 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,2 +1,3 @@ --requirement requirements-test.txt ipython +semver From 9938f67eecb591f7255cc4e4984b0799386803aa Mon Sep 17 00:00:00 2001 From: Felddy Date: Mon, 26 Apr 2021 11:46:30 -0400 Subject: [PATCH 17/63] Unquote port integers as this is now a parse error in Docker. --- README.md | 8 ++++---- docker-compose.yml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 2df2c8c..0becc17 100644 --- a/README.md +++ b/README.md @@ -42,8 +42,8 @@ docker run cisagov/example:0.0.1 environment: - ECHO_MESSAGE="Hello from docker-compose" ports: - - target: "8080" - published: "8080" + - target: 8080 + published: 8080 protocol: tcp ``` @@ -86,8 +86,8 @@ environment variables. See the environment: - ECHO_MESSAGE="Hello from docker-compose" ports: - - target: "8080" - published: "8080" + - target: 8080 + published: 8080 protocol: tcp secrets: - source: quote_txt diff --git a/docker-compose.yml b/docker-compose.yml index 6774387..0fc7ee5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -21,8 +21,8 @@ services: environment: - ECHO_MESSAGE=Hello World from docker-compose! ports: - - target: "8080" - published: "8080" + - target: 8080 + published: 8080 protocol: tcp mode: host secrets: From 67f3a0cf6abe393d6bd5fc85e466d02d303fd9f8 Mon Sep 17 00:00:00 2001 From: Felddy Date: Mon, 26 Apr 2021 12:32:39 -0400 Subject: [PATCH 18/63] Change compose specification version to match pyenv testing composition. The version attribute has been depricated and will be removed once our systems move to a more recent release. --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0becc17..1215880 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,8 @@ docker run cisagov/example:0.0.1 1. Create a `docker-compose.yml` file similar to the one below to use [Docker Compose](https://docs.docker.com/compose/). ```yaml - version: "3.8" + --- + version: "3.7" services: example: @@ -70,7 +71,8 @@ environment variables. See the 1. Then add the secret to your `docker-compose.yml` file: ```yaml - version: "3.8" + --- + version: "3.7" secrets: quote_txt: From 0d696361c5ac3e3b45874ec1dc6925552efd3fd2 Mon Sep 17 00:00:00 2001 From: Felddy Date: Mon, 26 Apr 2021 12:43:04 -0400 Subject: [PATCH 19/63] Add context around command-line instructions for non-technical folks. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 1215880..f8289ca 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,8 @@ appropriate for docker containers and the major languages that we use. ### Running with Docker ### +To run the `cisagov/example` image via Docker: + ```console docker run cisagov/example:0.0.1 ``` From 3b62397eed3421840f3c06b8a7a859855aca5ef9 Mon Sep 17 00:00:00 2001 From: Mark Feldhousen Date: Mon, 26 Apr 2021 12:47:40 -0400 Subject: [PATCH 20/63] Update README.md Co-authored-by: Hillary --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f8289ca..b43f663 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,7 @@ docker run cisagov/example:0.0.1 docker-compose up --detach ``` -## Using secrets ## +## Using secrets with your container ## This container also supports passing sensitive values via [Docker secrets](https://docs.docker.com/engine/swarm/secrets/). Passing sensitive From bc46deb02b618a4efe15187abbdfecf67834d71b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 10 May 2021 17:04:00 -0400 Subject: [PATCH 21/63] Add the tag.sh script to this repository Since the GitHub Actions configuration builds images on tag pushes, we should use the standard tagging script we use for the same purpose in other repositories. This will make it easier to tag, build, and push Docker images of a specific version in a standardized manner. --- tag.sh | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100755 tag.sh diff --git a/tag.sh b/tag.sh new file mode 100755 index 0000000..e1f7447 --- /dev/null +++ b/tag.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +set -o nounset +set -o errexit +set -o pipefail + +version=$(./bump_version.sh show) + +git tag "v$version" && git push --tags From d405a7683240221871ecf492f12021d5e3c603c5 Mon Sep 17 00:00:00 2001 From: Mark Feldhousen Date: Tue, 25 May 2021 17:12:10 -0400 Subject: [PATCH 22/63] Update README.md Co-authored-by: Shane Frasier --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b43f663..6066cbf 100644 --- a/README.md +++ b/README.md @@ -134,8 +134,8 @@ environment variables. See the The images of this container are tagged with [semantic versions](https://semver.org) of the underlying example project that they -containerize. It is recommended that most users use a version tag. e.g., -`:0.0.1` +containerize. It is recommended that most users use a version tag (e.g. +`:0.0.1`). | Image:tag | Description | |-----------|-------------| From 03494999d60d682a882a5191b16a41cdcdf96214 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 15 Apr 2021 11:36:21 -0400 Subject: [PATCH 23/63] Update pre-commit hooks Hooks updated with the `pre-commit autoupdate` command. Note: The `ansible-lint` hook is intentionally being held back on 4.3.7 because of ongoing issues with the 5.x version and how we use Ansible (standalone Galaxy roles). --- .pre-commit-config.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c851317..cf0330d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,7 +5,7 @@ default_language_version: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.4.0 + rev: v4.0.1 hooks: - id: check-case-conflict - id: check-executables-have-shebangs @@ -31,17 +31,17 @@ repos: # Text file hooks - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.26.0 + rev: v0.27.1 hooks: - id: markdownlint args: - --config=.mdl_config.json - repo: https://github.com/pre-commit/mirrors-prettier - rev: v2.2.1 + rev: v2.3.0 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint - rev: v1.26.0 + rev: v1.26.1 hooks: - id: yamllint args: @@ -49,7 +49,7 @@ repos: # Shell script hooks - repo: https://github.com/lovesegfault/beautysh - rev: 6.0.1 + rev: v6.1.0 hooks: - id: beautysh args: @@ -68,25 +68,25 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 20.8b1 + rev: 21.5b2 hooks: - id: black - repo: https://gitlab.com/pycqa/flake8 - rev: 3.8.4 + rev: 3.9.2 hooks: - id: flake8 additional_dependencies: - flake8-docstrings - repo: https://github.com/PyCQA/isort - rev: 5.7.0 + rev: 5.8.0 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v0.800 + rev: v0.812 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v2.10.0 + rev: v2.19.1 hooks: - id: pyupgrade @@ -101,7 +101,7 @@ repos: # Terraform hooks - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.45.0 + rev: v1.50.0 hooks: - id: terraform_fmt # There are ongoing issues with how this command works. This issue From 23b324befc9cdc26ffcf1af6f333b63c545dfb7b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 1 Jun 2021 11:14:31 -0400 Subject: [PATCH 24/63] Update configuration instructions for pyenv With the release of pyenv v2.0.0 there is a breaking change around startup logic that necessitates an update for our pyenv setup instructions. Also add a statement about how to get configuration instructions from pyenv itself. --- CONTRIBUTING.md | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 6434d30..27bb9e7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -64,6 +64,9 @@ installation is as simple as `brew install pyenv pyenv-virtualenv` and adding this to your profile: ```bash +export PYENV_ROOT="$HOME/.pyenv" +export PATH="$PYENV_ROOT/bin:$PATH" +eval "$(pyenv init --path)" eval "$(pyenv init -)" eval "$(pyenv virtualenv-init -)" ``` @@ -80,14 +83,35 @@ On WSL you should treat your platform as whatever Linux distribution you've chosen to install. Once you have installed `pyenv` you will need to add the following -lines to your `.bashrc`: +lines to your `.bash_profile` (or `.profile`): + +```bash +export PYENV_ROOT="$HOME/.pyenv" +export PATH="$PYENV_ROOT/bin:$PATH" +eval "$(pyenv init --path)" +``` + +and then add the following lines to your `.bashrc`: ```bash -export PATH="$PATH:$HOME/.pyenv/bin" eval "$(pyenv init -)" eval "$(pyenv virtualenv-init -)" ``` +If you want more information about setting up `pyenv` once installed, please run + +```console +pyenv init +``` + +and + +```console +pyenv virtualenv-init +``` + +for the current configuration instructions. + If you are using a shell other than `bash` you should follow the instructions that the `pyenv-installer` script outputs. From 8c517079fc308b3a7445edd252a306d196f13b1c Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 2 Jun 2021 15:22:09 -0400 Subject: [PATCH 25/63] Add Docker section to the gitignore file Mirror changes in cisagov/skeleton-generic by adding a Docker section to the gitignore file and moving appropriate entries to that section. --- .gitignore | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 157a18e..b1efc19 100644 --- a/.gitignore +++ b/.gitignore @@ -2,9 +2,11 @@ # Files already tracked by Git are not affected. # See: https://git-scm.com/docs/gitignore +## Docker ## +Dockerfile-x + ## Python ## __pycache__ .mypy_cache .pytest_cache .python-version -Dockerfile-x From ca4306ac06cb5437be7f1bf6a1f799876ec413cc Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 7 Jun 2021 08:26:02 -0400 Subject: [PATCH 26/63] Standardize the layout of the Lineage configuration file --- .github/lineage.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/lineage.yml b/.github/lineage.yml index 8dfc20b..49f9c4f 100644 --- a/.github/lineage.yml +++ b/.github/lineage.yml @@ -1,6 +1,5 @@ --- -version: "1" - lineage: skeleton: remote-url: https://github.com/cisagov/skeleton-generic.git +version: '1' From 77dae2bf701a90737a08a8eb86a741d8a2a44f76 Mon Sep 17 00:00:00 2001 From: David Redmin Date: Mon, 14 Jun 2021 17:21:12 -0400 Subject: [PATCH 27/63] Correct capitalization --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0ddac36..0e7e7c6 100644 --- a/README.md +++ b/README.md @@ -222,7 +222,7 @@ The following ports are exposed by this container: | 587 | Mail submission | | 993 | IMAPS | -The sample [docker composition](docker-compose.yml) publishes the +The sample [Docker composition](docker-compose.yml) publishes the exposed ports at 1025, 1587, and 1993. ## Environment variables ## From 68948bb06154b3dd1b0d57139eec473b236bcd12 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 15 Jun 2021 09:54:13 -0400 Subject: [PATCH 28/63] Update the README to reference the latest version of the Docker container This change was discussed among @cisagov/team-ois here: https://github.com/cisagov/gatherer/pull/60#pullrequestreview-683086244 Also correct git comments to use the imperative mood. --- bump_version.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/bump_version.sh b/bump_version.sh index 81a394f..ec9313d 100755 --- a/bump_version.sh +++ b/bump_version.sh @@ -7,6 +7,7 @@ set -o errexit set -o pipefail VERSION_FILE=src/version.txt +README_FILE=README.md HELP_INFORMATION="bump_version.sh (show|major|minor|patch|prerelease|build|finalize)" @@ -23,8 +24,10 @@ else tmp_file=/tmp/version.$$ sed "s/$old_version/$new_version/" $VERSION_FILE > $tmp_file mv $tmp_file $VERSION_FILE - git add $VERSION_FILE - git commit -m"Bumping version from $old_version to $new_version" + sed "s/$old_version/$new_version/" $README_FILE > $tmp_file + mv $tmp_file $README_FILE + git add $VERSION_FILE $README_FILE + git commit -m"Bump version from $old_version to $new_version" git push ;; finalize) @@ -33,8 +36,10 @@ else tmp_file=/tmp/version.$$ sed "s/$old_version/$new_version/" $VERSION_FILE > $tmp_file mv $tmp_file $VERSION_FILE - git add $VERSION_FILE - git commit -m"Bumping version from $old_version to $new_version" + sed "s/$old_version/$new_version/" $README_FILE > $tmp_file + mv $tmp_file $README_FILE + git add $VERSION_FILE $README_FILE + git commit -m"Bump version from $old_version to $new_version" git push ;; show) From d09151887a5e3dd4f6adbdc811ba6ff71a2a1b61 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 15 Jun 2021 09:42:02 -0400 Subject: [PATCH 29/63] Add a section to the README for ports Co-authored-by: dav3r --- README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/README.md b/README.md index 6066cbf..86a3873 100644 --- a/README.md +++ b/README.md @@ -155,6 +155,20 @@ Hub for a list of all the supported tags. |-------------|----------------| | `/var/log` | Log storage | +## Ports ## + +There are no ports exposed by this container. + + + + + + + + + + + ## Environment variables ## ### Required ### From 1f6d0906a3fbfc19963d1bf7832315494c908329 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 16 Jun 2021 10:10:52 -0400 Subject: [PATCH 30/63] Document the single exposed (but non-functional) port Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- README.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 86a3873..446c7ab 100644 --- a/README.md +++ b/README.md @@ -157,17 +157,14 @@ Hub for a list of all the supported tags. ## Ports ## -There are no ports exposed by this container. +The following ports are exposed by this container: - +| Port | Purpose | +|------|----------------| +| 8080 | Example only; nothing is actually listening on the port | - - - - - - - +The sample [Docker composition](docker-compose.yml) publishes the +exposed port at 8080. ## Environment variables ## From 0cb1b41da06c0ece164b9b0622a54fd6f529453e Mon Sep 17 00:00:00 2001 From: David Redmin Date: Wed, 16 Jun 2021 15:04:09 -0400 Subject: [PATCH 31/63] Remove duplicate section inherited from skeleton --- README.md | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/README.md b/README.md index 871b366..06eac46 100644 --- a/README.md +++ b/README.md @@ -223,18 +223,7 @@ The following ports are exposed by this container: | 993 | IMAPS | The sample [Docker composition](docker-compose.yml) publishes the -exposed ports at 1025, 1587, and 1993. - -## Ports ## - -The following ports are exposed by this container: - -| Port | Purpose | -|------|----------------| -| 8080 | Example only; nothing is actually listening on the port | - -The sample [Docker composition](docker-compose.yml) publishes the -exposed port at 8080. +exposed ports at 1025, 1587, and 1993, respectively. ## Environment variables ## From 01d45c98245d913d94f0d9af50dda0e1d5855f73 Mon Sep 17 00:00:00 2001 From: David Redmin Date: Wed, 16 Jun 2021 15:05:14 -0400 Subject: [PATCH 32/63] Update version numbers in README to reference current container version --- README.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 06eac46..3e0ac92 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ of sent email. All email is BCC'd to the `mailarchive` account. To run the `cisagov/postfix` image via Docker: ```console -docker run cisagov/postfix:0.0.1 +docker run cisagov/postfix:0.0.4 ``` ### Running with Docker Compose ### @@ -39,7 +39,7 @@ this repository. postfix: build: # VERSION must be specified on the command line: - # e.g., --build-arg VERSION=0.0.1 + # e.g., --build-arg VERSION=0.0.4 context: . dockerfile: Dockerfile image: cisagov/postfix @@ -112,7 +112,7 @@ environment variables. See the postfix: build: # VERSION must be specified on the command line: - # e.g., --build-arg VERSION=0.0.1 + # e.g., --build-arg VERSION=0.0.4 context: . dockerfile: Dockerfile image: cisagov/postfix @@ -181,7 +181,7 @@ environment variables. See the 1. Pull the new image: ```console - docker pull cisagov/postfix:0.0.1 + docker pull cisagov/postfix:0.0.4 ``` 1. Recreate and run the container by following the [previous instructions](#running-with-docker). @@ -191,13 +191,13 @@ environment variables. See the The images of this container are tagged with [semantic versions](https://semver.org) of the underlying postfix project that they containerize. It is recommended that most users use a version tag (e.g. -`:0.0.1`). +`:0.0.4`). | Image:tag | Description | |-----------|-------------| -|`cisagov/postfix:1.2.3`| An exact release version. | -|`cisagov/postfix:1.2`| The most recent release matching the major and minor version numbers. | -|`cisagov/postfix:1`| The most recent release matching the major version number. | +|`cisagov/postfix:0.0.4`| An exact release version. | +|`cisagov/postfix:0.4`| The most recent release matching the major and minor version numbers. | +|`cisagov/postfix:0`| The most recent release matching the major version number. | |`cisagov/postfix:edge` | The most recent image built from a merge into the `develop` branch of this repository. | |`cisagov/postfix:nightly` | A nightly build of the `develop` branch of this repository. | |`cisagov/postfix:latest`| The most recent release image pushed to a container registry. Pulling an image using the `:latest` tag [should be avoided.](https://vsupalov.com/docker-latest-tag/) | @@ -253,8 +253,8 @@ Build the image locally using this git repository as the [build context](https:/ ```console docker build \ - --build-arg VERSION=0.0.1 \ - --tag cisagov/postfix:0.0.1 \ + --build-arg VERSION=0.0.4 \ + --tag cisagov/postfix:0.0.4 \ https://github.com/cisagov/postfix-docker.git#develop ``` @@ -284,9 +284,9 @@ Docker: docker buildx build \ --file Dockerfile-x \ --platform linux/amd64 \ - --build-arg VERSION=0.0.1 \ + --build-arg VERSION=0.0.4 \ --output type=docker \ - --tag cisagov/postfix:0.0.1 . + --tag cisagov/postfix:0.0.4 . ``` ## Contributing ## From 1e8f8223910f41294c16bfebea332c80fd83573c Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 18 Jun 2021 03:33:26 -0400 Subject: [PATCH 33/63] Add style enforcement rules Add rules to enforce ATX-closed headers, dashes for unordered list elements, and `1.` for ordered list elements. --- .mdl_config.json | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.mdl_config.json b/.mdl_config.json index 7a6f3f8..8266cdb 100644 --- a/.mdl_config.json +++ b/.mdl_config.json @@ -1,4 +1,10 @@ { + "MD003": { + "style": "atx_closed" + }, + "MD004": { + "style": "dash" + }, "MD013": { "code_blocks": false, "tables": false @@ -6,5 +12,8 @@ "MD024": { "allow_different_nesting": true }, + "MD029": { + "style": "one" + }, "default": true } From afc6bd6f6d754f8c2bc5675411535b0c61e0ec78 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 18 Jun 2021 03:37:08 -0400 Subject: [PATCH 34/63] Add rule for image headers Add

and tags to the allowed list for MD033 (HTML elements) to support using an image as the first thing in a markdown file (header image). --- .mdl_config.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.mdl_config.json b/.mdl_config.json index 8266cdb..38bc045 100644 --- a/.mdl_config.json +++ b/.mdl_config.json @@ -15,5 +15,11 @@ "MD029": { "style": "one" }, + "MD033": { + "allowed_elements": [ + "h1", + "img" + ] + }, "default": true } From 33a28ee8f5b5dacd3a26e5479a50201164e14e85 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 22 Jun 2021 10:37:31 -0400 Subject: [PATCH 35/63] Bump actions/github-script pin from v3 to v4 --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9afe401..4f94908 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -119,7 +119,7 @@ jobs: - uses: actions/checkout@v2 - name: Gather repository metadata id: repo - uses: actions/github-script@v3 + uses: actions/github-script@v4 with: script: | const repo = await github.repos.get(context.repo) From ce173f401d8eec4f2caf3cf8174a5b53f03222da Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 18 Jun 2021 03:51:38 -0400 Subject: [PATCH 36/63] Switch to a YAML markdownlint configuration file This converts the existing `.mdl_config.json` file to an equivalent `.mdl_config.yaml` file. The reference in the markdownlint pre-commit hook configuration is updated to match. Co-authored-by: Shane Frasier --- .mdl_config.json | 25 ------------------------- .mdl_config.yaml | 24 ++++++++++++++++++++++++ .pre-commit-config.yaml | 2 +- 3 files changed, 25 insertions(+), 26 deletions(-) delete mode 100644 .mdl_config.json create mode 100644 .mdl_config.yaml diff --git a/.mdl_config.json b/.mdl_config.json deleted file mode 100644 index 38bc045..0000000 --- a/.mdl_config.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "MD003": { - "style": "atx_closed" - }, - "MD004": { - "style": "dash" - }, - "MD013": { - "code_blocks": false, - "tables": false - }, - "MD024": { - "allow_different_nesting": true - }, - "MD029": { - "style": "one" - }, - "MD033": { - "allowed_elements": [ - "h1", - "img" - ] - }, - "default": true -} diff --git a/.mdl_config.yaml b/.mdl_config.yaml new file mode 100644 index 0000000..a04720a --- /dev/null +++ b/.mdl_config.yaml @@ -0,0 +1,24 @@ +--- + +default: true + +MD003: + style: "atx_closed" + +MD004: + style: "dash" + +MD013: + code_blocks: false + tables: false + +MD024: + allow_different_nesting: true + +MD029: + style: "one" + +MD033: + allowed_elements: + - h1 + - img diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cf0330d..6b87ab0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,7 @@ repos: hooks: - id: markdownlint args: - - --config=.mdl_config.json + - --config=.mdl_config.yaml - repo: https://github.com/pre-commit/mirrors-prettier rev: v2.3.0 hooks: From f2a423095efe2f1a96ce2621352ee7cb4dd0458a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 18 Jun 2021 03:59:36 -0400 Subject: [PATCH 37/63] Add comments to markdownlint configuration Now that this is a YAML file we can add comments explaining the rule modifications we use. This will make it easier to edit or expand in the future. --- .mdl_config.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.mdl_config.yaml b/.mdl_config.yaml index a04720a..a2f08f3 100644 --- a/.mdl_config.yaml +++ b/.mdl_config.yaml @@ -1,24 +1,40 @@ --- +# Default state for all rules default: true +# MD003/heading-style/header-style - Heading style MD003: + # Enforce the ATX-closed style of header style: "atx_closed" +# MD004/ul-style - Unordered list style MD004: + # Enforce dashes for unordered lists style: "dash" +# MD013/line-length - Line length MD013: + # Do not enforce for code blocks code_blocks: false + # Do not enforce for tables tables: false +# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the +# same content MD024: + # Allow headers with the same content as long as they are not in the same + # parent heading allow_different_nesting: true +# MD029/ol-prefix - Ordered list item prefix MD029: + # Enforce the `1.` style for ordered lists style: "one" +# MD033/no-inline-html - Inline HTML MD033: + # The h1 and img elements are allowed to permit header images allowed_elements: - h1 - img From d4781ee177698490b740c5dc0e3ae90282c70618 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 24 Jun 2021 01:38:44 -0400 Subject: [PATCH 38/63] Add the validate_manifest hook from pre-commit This hook will validate any pre-commit hook manifest files in the repository. --- .pre-commit-config.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cf0330d..82a5e46 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -47,6 +47,12 @@ repos: args: - --strict + # pre-commit hooks + - repo: https://github.com/pre-commit/pre-commit + rev: v2.13.0 + hooks: + - id: validate_manifest + # Shell script hooks - repo: https://github.com/lovesegfault/beautysh rev: v6.1.0 From 106af21c04ae34d0402b9cfc59f386e2756776bd Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 9 Jul 2021 13:34:16 -0400 Subject: [PATCH 39/63] Install terraform and packer for the linting job We should be doing this because the Packer and Terraform pre-commit hooks leverage the corresponding executables; therefore, it makes sense to go ahead and install the particular versions of those executables that we support. Also add support for optionally debugging via tmate. See also cisagov/skeleton-generic#74. --- .github/workflows/build.yml | 63 ++++++++++++++++++++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5c65f71..8fa1b2f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -8,13 +8,16 @@ on: types: [apb] env: + CURL_CACHE_DIR: ~/.cache/curl PIP_CACHE_DIR: ~/.cache/pip PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit + RUN_TMATE: ${{ secrets.RUN_TMATE }} jobs: lint: runs-on: ubuntu-latest steps: + - uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v2 - id: setup-python uses: actions/setup-python@v2 @@ -23,17 +26,72 @@ jobs: - uses: actions/cache@v2 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ - py${{ steps.setup-python.outputs.python-version }}-" + py${{ steps.setup-python.outputs.python-version }}-\ + go${{ env.GO_VERSION }}-\ + packer${{ env.PACKER_VERSION }}-\ + tf${{ env.TERRAFORM_VERSION }}-" with: + # Note that the .terraform directory IS NOT included in the + # cache because if we were caching, then we would need to use + # the `-upgrade=true` option. This option blindly pulls down the + # latest modules and providers instead of checking to see if an + # update is required. That behavior defeats the benefits of caching. + # so there is no point in doing it for the .terraform directory. path: | ${{ env.PIP_CACHE_DIR }} ${{ env.PRE_COMMIT_CACHE_DIR }} + ${{ env.CURL_CACHE_DIR }} + ${{ steps.go-cache.outputs.dir }} key: "${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ ${{ hashFiles('**/.pre-commit-config.yaml') }}" restore-keys: | ${{ env.BASE_CACHE_KEY }} + - uses: actions/setup-go@v2 + with: + go-version: '1.16' + - name: Store installed Go version + run: | + echo "GO_VERSION="\ + "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" \ + >> $GITHUB_ENV + - name: Lookup go cache directory + id: go-cache + run: | + echo "::set-output name=dir::$(go env GOCACHE)" + - name: Install Packer + run: | + mkdir -p ${{ env.CURL_CACHE_DIR }} + PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip" + curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \ + --time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \ + --location \ + "https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}" + sudo unzip -o -d /usr/local/bin \ + ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" + - name: Install Terraform + run: | + mkdir -p ${{ env.CURL_CACHE_DIR }} + TERRAFORM_ZIP="terraform_${TERRAFORM_VERSION}_linux_amd64.zip" + curl --output ${{ env.CURL_CACHE_DIR }}/"${TERRAFORM_ZIP}" \ + --time-cond ${{ env.CURL_CACHE_DIR }}/"${TERRAFORM_ZIP}" \ + --location \ + "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/${TERRAFORM_ZIP}" + sudo unzip -d /opt/terraform \ + ${{ env.CURL_CACHE_DIR }}/"${TERRAFORM_ZIP}" + sudo ln -s /opt/terraform/terraform /usr/bin/terraform + sudo mv /usr/local/bin/terraform /usr/local/bin/terraform-default + sudo ln -s /opt/terraform/terraform /usr/local/bin/terraform + - name: Install Terraform-docs + run: GO111MODULE=on go get github.com/terraform-docs/terraform-docs + - name: Find and initialize Terraform directories + run: | + for path in $(find . -not \( -type d -name ".terraform" -prune \) \ + -type f -iname "*.tf" -exec dirname "{}" \; | sort -u); do \ + echo "Initializing '$path'..."; \ + terraform init -input=false -backend=false "$path"; \ + done - name: Install dependencies run: | python -m pip install --upgrade pip @@ -42,3 +100,6 @@ jobs: run: pre-commit install-hooks - name: Run pre-commit on all files run: pre-commit run --all-files + - name: Setup tmate debug session + uses: mxschmitt/action-tmate@v3 + if: env.RUN_TMATE From c4810439814c3ebed6dd05f3b690b460670cd878 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Fri, 9 Jul 2021 22:43:09 -0400 Subject: [PATCH 40/63] Break out the curl cache creation into its own step Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8fa1b2f..bc632c3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,9 +60,10 @@ jobs: id: go-cache run: | echo "::set-output name=dir::$(go env GOCACHE)" + - name: Setup curl cache + run: mkdir -p ${{ env.CURL_CACHE_DIR }} - name: Install Packer run: | - mkdir -p ${{ env.CURL_CACHE_DIR }} PACKER_ZIP="packer_${PACKER_VERSION}_linux_amd64.zip" curl --output ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \ --time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \ @@ -72,7 +73,6 @@ jobs: ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" - name: Install Terraform run: | - mkdir -p ${{ env.CURL_CACHE_DIR }} TERRAFORM_ZIP="terraform_${TERRAFORM_VERSION}_linux_amd64.zip" curl --output ${{ env.CURL_CACHE_DIR }}/"${TERRAFORM_ZIP}" \ --time-cond ${{ env.CURL_CACHE_DIR }}/"${TERRAFORM_ZIP}" \ From 70414cff28c661c3b76425edf5021f213f505413 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 9 Jul 2021 22:46:47 -0400 Subject: [PATCH 41/63] Remove unnecessary line in tasks There is no reason to create /usr/bin/terraform. This is a vestige of an earlier age. Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bc632c3..3946d90 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -80,7 +80,6 @@ jobs: "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/${TERRAFORM_ZIP}" sudo unzip -d /opt/terraform \ ${{ env.CURL_CACHE_DIR }}/"${TERRAFORM_ZIP}" - sudo ln -s /opt/terraform/terraform /usr/bin/terraform sudo mv /usr/local/bin/terraform /usr/local/bin/terraform-default sudo ln -s /opt/terraform/terraform /usr/local/bin/terraform - name: Install Terraform-docs From b629f7f623490217fbd43d76fd77b4638cd4a4ec Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Fri, 9 Jul 2021 22:48:21 -0400 Subject: [PATCH 42/63] Modify the Packer installation to model that of Terraform The Terraform installation does not destroy the existing system Terraform installation, and neither should the Packer installation. Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3946d90..871bee7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -69,8 +69,10 @@ jobs: --time-cond ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" \ --location \ "https://releases.hashicorp.com/packer/${PACKER_VERSION}/${PACKER_ZIP}" - sudo unzip -o -d /usr/local/bin \ + sudo unzip -d /opt/packer \ ${{ env.CURL_CACHE_DIR }}/"${PACKER_ZIP}" + sudo mv /usr/local/bin/packer /usr/local/bin/packer-default + sudo ln -s /opt/packer/packer /usr/local/bin/packer - name: Install Terraform run: | TERRAFORM_ZIP="terraform_${TERRAFORM_VERSION}_linux_amd64.zip" From 181d1b2fafa211fb7cae5b6023e1b5271b59bbda Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sat, 10 Jul 2021 22:36:45 -0400 Subject: [PATCH 43/63] Install a specific version of terraform-docs Note that this change is dependent on the merging of cisagov/setup-env-github-action#31. Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 871bee7..c8a1426 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -85,7 +85,9 @@ jobs: sudo mv /usr/local/bin/terraform /usr/local/bin/terraform-default sudo ln -s /opt/terraform/terraform /usr/local/bin/terraform - name: Install Terraform-docs - run: GO111MODULE=on go get github.com/terraform-docs/terraform-docs + run: | + GO111MODULE=on go get \ + github.com/terraform-docs/terraform-docs@${TERRAFORM_DOCS_VERSION} - name: Find and initialize Terraform directories run: | for path in $(find . -not \( -type d -name ".terraform" -prune \) \ From bb6e566e3a8e1069ca2c6a1f441f67fc4c176685 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Sun, 11 Jul 2021 21:59:58 -0400 Subject: [PATCH 44/63] Move go installation so that it takes place before the cache task Some variables defined in the go installation are used in the cache task, so the go installation must happen first. Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c8a1426..04159c2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -23,6 +23,20 @@ jobs: uses: actions/setup-python@v2 with: python-version: 3.9 + # GO_VERSION and GOCACHE are used by the cache task, so the go + # installation must happen before that. + - uses: actions/setup-go@v2 + with: + go-version: '1.16' + - name: Store installed Go version + run: | + echo "GO_VERSION="\ + "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" \ + >> $GITHUB_ENV + - name: Lookup go cache directory + id: go-cache + run: | + echo "::set-output name=dir::$(go env GOCACHE)" - uses: actions/cache@v2 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ @@ -48,18 +62,6 @@ jobs: ${{ hashFiles('**/.pre-commit-config.yaml') }}" restore-keys: | ${{ env.BASE_CACHE_KEY }} - - uses: actions/setup-go@v2 - with: - go-version: '1.16' - - name: Store installed Go version - run: | - echo "GO_VERSION="\ - "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" \ - >> $GITHUB_ENV - - name: Lookup go cache directory - id: go-cache - run: | - echo "::set-output name=dir::$(go env GOCACHE)" - name: Setup curl cache run: mkdir -p ${{ env.CURL_CACHE_DIR }} - name: Install Packer From 337d1efb8f72c11cae6b83f3f5e63e8187599470 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Mon, 12 Jul 2021 09:06:41 -0400 Subject: [PATCH 45/63] Capitalize Go for consistency Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 04159c2..d84b7da 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -23,7 +23,7 @@ jobs: uses: actions/setup-python@v2 with: python-version: 3.9 - # GO_VERSION and GOCACHE are used by the cache task, so the go + # GO_VERSION and GOCACHE are used by the cache task, so the Go # installation must happen before that. - uses: actions/setup-go@v2 with: @@ -33,7 +33,7 @@ jobs: echo "GO_VERSION="\ "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" \ >> $GITHUB_ENV - - name: Lookup go cache directory + - name: Lookup Go cache directory id: go-cache run: | echo "::set-output name=dir::$(go env GOCACHE)" From 8ee2116f428f1738540f0cdf261f1e4f1c15d092 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Tue, 13 Jul 2021 17:02:13 -0400 Subject: [PATCH 46/63] Prefer the newer "go install" syntax As of [Go 1.16](https://tip.golang.org/doc/go1.16#go-command) the `GO111MODULE` environment variable defaults to `on` and `go get` has been deprecated for module installation. Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d84b7da..73f345a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -88,7 +88,7 @@ jobs: sudo ln -s /opt/terraform/terraform /usr/local/bin/terraform - name: Install Terraform-docs run: | - GO111MODULE=on go get \ + go install \ github.com/terraform-docs/terraform-docs@${TERRAFORM_DOCS_VERSION} - name: Find and initialize Terraform directories run: | From e2a729d0b11ab74207a3bb77367d8e9d8c577889 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 13 Jul 2021 17:42:36 -0400 Subject: [PATCH 47/63] Install the shfmt tool for GHA The `shfmt` tool does not ship on the GitHub Actions runners so we must install it manually. --- .github/workflows/build.yml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5c65f71..9dd5f7a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,25 +15,44 @@ jobs: lint: runs-on: ubuntu-latest steps: + - uses: cisagov/setup-env-github-action@develop - uses: actions/checkout@v2 - id: setup-python uses: actions/setup-python@v2 with: python-version: 3.9 + # GO_VERSION and GOCACHE are used by the cache task, so the Go + # installation must happen before that. + - uses: actions/setup-go@v2 + with: + go-version: '1.16' + - name: Store installed Go version + run: | + echo "GO_VERSION="\ + "$(go version | sed 's/^go version go\([0-9.]\+\) .*/\1/')" \ + >> $GITHUB_ENV + - name: Lookup Go cache directory + id: go-cache + run: | + echo "::set-output name=dir::$(go env GOCACHE)" - uses: actions/cache@v2 env: BASE_CACHE_KEY: "${{ github.job }}-${{ runner.os }}-\ - py${{ steps.setup-python.outputs.python-version }}-" + py${{ steps.setup-python.outputs.python-version }}-\ + go${{ env.GO_VERSION }}-" with: path: | ${{ env.PIP_CACHE_DIR }} ${{ env.PRE_COMMIT_CACHE_DIR }} + ${{ steps.go-cache.outputs.dir }} key: "${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ ${{ hashFiles('**/.pre-commit-config.yaml') }}" restore-keys: | ${{ env.BASE_CACHE_KEY }} + - name: Install shfmt + run: go install mvdan.cc/sh/v3/cmd/shfmt@${SHFMT_VERSION} - name: Install dependencies run: | python -m pip install --upgrade pip From 7d5477a03a7ab0c725e28221203c5eef0e8e01af Mon Sep 17 00:00:00 2001 From: dav3r Date: Wed, 14 Jul 2021 09:15:06 -0400 Subject: [PATCH 48/63] Correct minor version number in README Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3e0ac92..02274cc 100644 --- a/README.md +++ b/README.md @@ -196,7 +196,7 @@ containerize. It is recommended that most users use a version tag (e.g. | Image:tag | Description | |-----------|-------------| |`cisagov/postfix:0.0.4`| An exact release version. | -|`cisagov/postfix:0.4`| The most recent release matching the major and minor version numbers. | +|`cisagov/postfix:0.0`| The most recent release matching the major and minor version numbers. | |`cisagov/postfix:0`| The most recent release matching the major version number. | |`cisagov/postfix:edge` | The most recent image built from a merge into the `develop` branch of this repository. | |`cisagov/postfix:nightly` | A nightly build of the `develop` branch of this repository. | From 26d132ee54248262b211161a3d6551287da2ce9a Mon Sep 17 00:00:00 2001 From: dav3r Date: Wed, 14 Jul 2021 09:23:50 -0400 Subject: [PATCH 49/63] Use preferred capitalization for Postfix Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 02274cc..7cf0119 100644 --- a/README.md +++ b/README.md @@ -243,8 +243,8 @@ exposed ports at 1025, 1587, and 1993, respectively. | Filename | Purpose | |--------------|---------| -| `fullchain.pem` | Public key for the postfix server. | -| `privkey.pem` | Private key for the postfix server. | +| `fullchain.pem` | Public key for the Postfix server. | +| `privkey.pem` | Private key for the Postfix server. | | `users.txt` | Mail account credentials to create at startup. | ## Building from source ## From befdefd9f12ad7eb9bcc163038d536049f39f753 Mon Sep 17 00:00:00 2001 From: dav3r Date: Wed, 14 Jul 2021 09:24:11 -0400 Subject: [PATCH 50/63] Use preferred capitalization for Postfix Co-authored-by: Nick M. <50747025+mcdonnnj@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7cf0119..90583ff 100644 --- a/README.md +++ b/README.md @@ -189,7 +189,7 @@ environment variables. See the ## Image tags ## The images of this container are tagged with [semantic -versions](https://semver.org) of the underlying postfix project that they +versions](https://semver.org) of the underlying Postfix project that they containerize. It is recommended that most users use a version tag (e.g. `:0.0.4`). From 406b6880bd25a8592ad235102d4e832e05ab38e3 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 13 Jul 2021 17:53:55 -0400 Subject: [PATCH 51/63] Replace the beautysh hook with pre-commit-shfmt We have had a difficult time with how beautysh parses some shellscripts. I went in pursuit of an alternative and I believe shfmt to be a good alternative. Co-authored-by: Shane Frasier --- .pre-commit-config.yaml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cf0330d..c915aa9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -48,13 +48,20 @@ repos: - --strict # Shell script hooks - - repo: https://github.com/lovesegfault/beautysh - rev: v6.1.0 + - repo: https://github.com/cisagov/pre-commit-shfmt + rev: v0.0.2 hooks: - - id: beautysh + - id: shfmt args: - - --indent-size + # Indent by two spaces + - -i - '2' + # Binary operators may start a line + - -bn + # Switch cases are indented + - -ci + # Redirect operators are followed by a space + - -sr - repo: https://github.com/detailyang/pre-commit-shell rev: 1.0.5 hooks: From 2b48e75b23cb80af9e97098da2dd6b9fb5eea2e4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 13 Jul 2021 18:08:51 -0400 Subject: [PATCH 52/63] Apply changes from the shfmt pre-commit hook --- setup-env | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/setup-env b/setup-env index 1579e04..5d7f673 100755 --- a/setup-env +++ b/setup-env @@ -4,7 +4,8 @@ set -o nounset set -o errexit set -o pipefail -USAGE=$(cat << 'END_OF_LINE' +USAGE=$( + cat << 'END_OF_LINE' Configure a developement environment for this repository. It does the following: @@ -35,17 +36,17 @@ FORCE=0 PARAMS="" # Parse command line arguments -while (( "$#" )); do +while (("$#")); do case "$1" in - -f|--force) + -f | --force) FORCE=1 shift ;; - -h|--help) + -h | --help) echo "${USAGE}" exit 0 ;; - -i|--install-hooks) + -i | --install-hooks) INSTALL_HOOKS=1 shift ;; @@ -160,7 +161,8 @@ pre-commit install ${INSTALL_HOOKS:+"--install-hooks"} # This could fail if the remotes are already setup, but that is ok. set +o errexit -eval "$(python3 << 'END_OF_LINE' +eval "$( + python3 << 'END_OF_LINE' from pathlib import Path import yaml import sys From 4d37dfbaccb78f61c99be58bce79004808b3f295 Mon Sep 17 00:00:00 2001 From: dav3r Date: Thu, 15 Jul 2021 12:29:45 -0400 Subject: [PATCH 53/63] Use preferred capitalization for Docker Hub --- .github/workflows/build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9afe401..b4e6c9d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -79,13 +79,13 @@ jobs: # The source version as reported by the `bump_version.sh show` command. # tags: # A comma separated list of Docker tags to be applied to the images on - # DockerHub. The tags will vary depending on: + # Docker Hub. The tags will vary depending on: # - The event that triggered the build. # - The branch the build is based upon. # - The git tag the build is based upon. # # When a build is based on a git tag of the form `v*.*.*` the image will - # be tagged on DockerHub with multiple levels of version specificity. + # be tagged on Docker Hub with multiple levels of version specificity. # For example, a git tag of `v1.2.3+a` will generate Docker tags of # `:1.2.3_a`, `:1.2.3`, `:1.2`, `:1`, and `:latest`. # @@ -279,16 +279,16 @@ jobs: build-push-all: # Builds the final set of images for each of the platforms listed in # PLATFORMS environment variable. These images are tagged with the Docker - # tags calculated in the "prepare" job and pushed to DockerHub and the + # tags calculated in the "prepare" job and pushed to Docker Hub and the # GitHub Container Registry. The contents of README.md are pushed as the - # image's description to DockerHub. This job is skipped when the triggering + # image's description to Docker Hub. This job is skipped when the triggering # event is a pull request. name: "Build and push all platforms" runs-on: ubuntu-latest needs: [lint, prepare, test] if: github.event_name != 'pull_request' steps: - - name: Login to DockerHub + - name: Login to Docker Hub uses: docker/login-action@v1 with: username: ${{ secrets.DOCKER_USERNAME }} From eede87c452fc0949962d504710feb834629badf7 Mon Sep 17 00:00:00 2001 From: dav3r Date: Thu, 15 Jul 2021 12:39:07 -0400 Subject: [PATCH 54/63] Satisfy linter by shortening a long line --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b4e6c9d..f2cf5cc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -281,8 +281,8 @@ jobs: # PLATFORMS environment variable. These images are tagged with the Docker # tags calculated in the "prepare" job and pushed to Docker Hub and the # GitHub Container Registry. The contents of README.md are pushed as the - # image's description to Docker Hub. This job is skipped when the triggering - # event is a pull request. + # image's description to Docker Hub. This job is skipped when the + # triggering event is a pull request. name: "Build and push all platforms" runs-on: ubuntu-latest needs: [lint, prepare, test] From 408969ac265d8197b942a67fae2d3cb200128f40 Mon Sep 17 00:00:00 2001 From: dav3r Date: Thu, 15 Jul 2021 14:24:51 -0400 Subject: [PATCH 55/63] Use preferred capitalization for Docker Hub --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 446c7ab..6e011be 100644 --- a/README.md +++ b/README.md @@ -102,7 +102,7 @@ environment variables. See the ### Docker Compose ### -1. Pull the new image from Docker hub: +1. Pull the new image from Docker Hub: ```console docker-compose pull From 51076ed3ddf39fc2304bfe9bdd49e85cb535b89e Mon Sep 17 00:00:00 2001 From: dav3r Date: Thu, 15 Jul 2021 14:30:21 -0400 Subject: [PATCH 56/63] Capitalize Docker in README --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6e011be..f92b3df 100644 --- a/README.md +++ b/README.md @@ -10,12 +10,12 @@ [![Docker Image Size (latest by date)](https://img.shields.io/docker/image-size/cisagov/example)](https://hub.docker.com/r/cisagov/example) [![Platforms](https://img.shields.io/badge/platforms-amd64%20%7C%20arm%2Fv6%20%7C%20arm%2Fv7%20%7C%20arm64%20%7C%20ppc64le%20%7C%20s390x-blue)](https://hub.docker.com/r/cisagov/skeleton-docker/tags) -This is a docker skeleton project that can be used to quickly get a -new [cisagov](https://github.com/cisagov) GitHub docker project +This is a Docker skeleton project that can be used to quickly get a +new [cisagov](https://github.com/cisagov) GitHub Docker project started. This skeleton project contains [licensing information](LICENSE), as well as [pre-commit hooks](https://pre-commit.com) and [GitHub Actions](https://github.com/features/actions) configurations -appropriate for docker containers and the major languages that we use. +appropriate for Docker containers and the major languages that we use. ## Running ## From 440753c3eff55ede207f19d35018dea244552f4d Mon Sep 17 00:00:00 2001 From: David Redmin Date: Thu, 15 Jul 2021 14:36:24 -0400 Subject: [PATCH 57/63] Fix additional Docker and Docker Hub capitalizations --- push_readme.sh | 2 +- tests/conftest.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/push_readme.sh b/push_readme.sh index 12e2340..0d32ec8 100755 --- a/push_readme.sh +++ b/push_readme.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Push the README.md file to the docker hub repository +# Push the README.md file to the Docker Hub repository # Requires the following environment variables to be set: # DOCKER_PASSWORD, DOCKER_USERNAME, IMAGE_NAME diff --git a/tests/conftest.py b/tests/conftest.py index 28d6c42..90938e6 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -11,14 +11,14 @@ @pytest.fixture(scope="session") def main_container(dockerc): - """Return the main container from the docker composition.""" + """Return the main container from the Docker composition.""" # find the container by name even if it is stopped already return dockerc.containers(service_names=[MAIN_SERVICE_NAME], stopped=True)[0] @pytest.fixture(scope="session") def version_container(dockerc): - """Return the version container from the docker composition. + """Return the version container from the Docker composition. The version container should just output the version of its underlying contents. """ From 1708b5c45ac12f9acfb447e532c4fc5746a80d23 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 13 Jul 2021 11:27:26 -0400 Subject: [PATCH 58/63] Update pre-commit hooks This is performed by running `pre-commit autoupdate`, but with the `ansible-lint` hook held back manually. --- .pre-commit-config.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cf0330d..cf319bf 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: args: - --config=.mdl_config.json - repo: https://github.com/pre-commit/mirrors-prettier - rev: v2.3.0 + rev: v2.3.2 hooks: - id: prettier - repo: https://github.com/adrienverge/yamllint @@ -68,7 +68,7 @@ repos: args: - --config=.bandit.yml - repo: https://github.com/psf/black - rev: 21.5b2 + rev: 21.7b0 hooks: - id: black - repo: https://gitlab.com/pycqa/flake8 @@ -78,15 +78,15 @@ repos: additional_dependencies: - flake8-docstrings - repo: https://github.com/PyCQA/isort - rev: 5.8.0 + rev: 5.9.2 hooks: - id: isort - repo: https://github.com/pre-commit/mirrors-mypy - rev: v0.812 + rev: v0.910 hooks: - id: mypy - repo: https://github.com/asottile/pyupgrade - rev: v2.19.1 + rev: v2.21.2 hooks: - id: pyupgrade @@ -123,7 +123,7 @@ repos: # Docker hooks - repo: https://github.com/IamTheFij/docker-pre-commit - rev: v2.0.0 + rev: v2.0.1 hooks: - id: docker-compose-check From 6ad71a80c77b942510b4c9a7dfafbd90b899171b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 19 Jul 2021 16:46:56 -0400 Subject: [PATCH 59/63] Satisfy pre-commit hooks Update to reflect the new pre-commit configuration. --- bump_version.sh | 5 ++--- push_readme.sh | 14 +++++++------- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/bump_version.sh b/bump_version.sh index ec9313d..a6c8ed9 100755 --- a/bump_version.sh +++ b/bump_version.sh @@ -13,12 +13,11 @@ HELP_INFORMATION="bump_version.sh (show|major|minor|patch|prerelease|build|final old_version=$(sed -n "s/^__version__ = \"\(.*\)\"$/\1/p" $VERSION_FILE) -if [ $# -ne 1 ] -then +if [ $# -ne 1 ]; then echo "$HELP_INFORMATION" else case $1 in - major|minor|patch|prerelease|build) + major | minor | patch | prerelease | build) new_version=$(python -c "import semver; print(semver.bump_$1('$old_version'))") echo Changing version from "$old_version" to "$new_version" tmp_file=/tmp/version.$$ diff --git a/push_readme.sh b/push_readme.sh index 12e2340..da6dc46 100755 --- a/push_readme.sh +++ b/push_readme.sh @@ -11,19 +11,19 @@ set -o pipefail echo "Logging in and requesting JWT..." token=$(curl --silent --request POST \ - --header "Content-Type: application/json" \ - --data \ - '{"username": "'"$DOCKER_USERNAME"'", "password": "'"$DOCKER_PASSWORD"'"}' \ + --header "Content-Type: application/json" \ + --data \ + '{"username": "'"$DOCKER_USERNAME"'", "password": "'"$DOCKER_PASSWORD"'"}' \ https://hub.docker.com/v2/users/login/ | jq --raw-output .token) echo "Pushing README file..." -code=$(jq --null-input --arg msg "$( Date: Thu, 5 Aug 2021 11:32:24 -0400 Subject: [PATCH 60/63] Resolve merge conflicts --- .github/workflows/build.yml | 6 +----- README.md | 9 --------- tests/conftest.py | 13 ------------- 3 files changed, 1 insertion(+), 27 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c6a9f0f..35b844d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,12 +26,8 @@ on: env: BUILDX_CACHE_DIR: ~/.cache/buildx -<<<<<<< HEAD - IMAGE_NAME: cisagov/postfix -======= CURL_CACHE_DIR: ~/.cache/curl - IMAGE_NAME: cisagov/example ->>>>>>> 0f98fd6e7c050b27148097a413eff6d9a93b807a + IMAGE_NAME: cisagov/postfix PIP_CACHE_DIR: ~/.cache/pip PLATFORMS: "linux/amd64,linux/arm/v6,linux/arm/v7,\ linux/arm64,linux/ppc64le,linux/s390x" diff --git a/README.md b/README.md index b67a2ef..7df39d3 100644 --- a/README.md +++ b/README.md @@ -10,19 +10,10 @@ [![Docker Image Size (latest by date)](https://img.shields.io/docker/image-size/cisagov/postfix)](https://hub.docker.com/r/cisagov/postfix) [![Platforms](https://img.shields.io/badge/platforms-amd64%20%7C%20arm%2Fv6%20%7C%20arm%2Fv7%20%7C%20arm64%20%7C%20ppc64le%20%7C%20s390x-blue)](https://hub.docker.com/r/cisagov/postfix/tags) -<<<<<<< HEAD Creates a Docker container with an installation of the [postfix](http://postfix.org) MTA. Additionally it has an IMAP server ([dovecot](https://dovecot.org)) for accessing the archvies of sent email. All email is BCC'd to the `mailarchive` account. -======= -This is a Docker skeleton project that can be used to quickly get a -new [cisagov](https://github.com/cisagov) GitHub Docker project -started. This skeleton project contains [licensing -information](LICENSE), as well as [pre-commit hooks](https://pre-commit.com) -and [GitHub Actions](https://github.com/features/actions) configurations -appropriate for Docker containers and the major languages that we use. ->>>>>>> c6aa7f05b09191075d195f0743dd0f4d36f3920c ## Running ## diff --git a/tests/conftest.py b/tests/conftest.py index 54e8cee..e069ffc 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -15,19 +15,6 @@ def main_container(dockerc): return dockerc.containers(service_names=[MAIN_SERVICE_NAME], stopped=True)[0] -<<<<<<< HEAD -======= -@pytest.fixture(scope="session") -def version_container(dockerc): - """Return the version container from the Docker composition. - - The version container should just output the version of its underlying contents. - """ - # find the container by name even if it is stopped already - return dockerc.containers(service_names=[VERSION_SERVICE_NAME], stopped=True)[0] - - ->>>>>>> c6aa7f05b09191075d195f0743dd0f4d36f3920c def pytest_addoption(parser): """Add new commandline options to pytest.""" parser.addoption( From dc612776d582d3f53a66d5a402d66c028caacdae Mon Sep 17 00:00:00 2001 From: David Redmin Date: Thu, 5 Aug 2021 11:44:33 -0400 Subject: [PATCH 61/63] Merge remote-tracking branch 'skeleton-docker/develop' --- .github/lineage.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/lineage.yml b/.github/lineage.yml index b10c80c..14f5a0e 100644 --- a/.github/lineage.yml +++ b/.github/lineage.yml @@ -1,6 +1,5 @@ --- -version: "1" - lineage: skeleton: remote-url: https://github.com/cisagov/skeleton-docker.git +version: '1' From 0151f3e92dfd997c23378de41d62bc2f95b93312 Mon Sep 17 00:00:00 2001 From: David Redmin Date: Thu, 5 Aug 2021 11:45:43 -0400 Subject: [PATCH 62/63] Satisfy shfmt --- src/docker-entrypoint.sh | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/src/docker-entrypoint.sh b/src/docker-entrypoint.sh index ce91e89..dfcd31c 100755 --- a/src/docker-entrypoint.sh +++ b/src/docker-entrypoint.sh @@ -4,7 +4,6 @@ set -e #set -x - function generate_configs() { # configure postfix echo "Generating postfix configurations for ${PRIMARY_DOMAIN}" @@ -39,24 +38,22 @@ function generate_configs() { echo "All configurations generated for ${PRIMARY_DOMAIN}" } - function generate_users() { echo "Generating users and passwords:" echo "--------------------------------------------" - while IFS=" " read -r username password || [ -n "$username" ] - do - if [ -z "$password" ]; then password=$(diceware -d-); + while IFS=" " read -r username password || [ -n "$username" ]; do + if [ -z "$password" ]; then + password=$(diceware -d-) echo -e "$username\t$password" else echo -e "$username\t" fi - adduser "$username" --quiet --disabled-password --shell /usr/sbin/nologin --gecos "" &>/dev/null || true + adduser "$username" --quiet --disabled-password --shell /usr/sbin/nologin --gecos "" &> /dev/null || true echo "$username:$password" | chpasswd || true done echo "--------------------------------------------" } - if [ "$1" = 'postfix' ]; then echo "Starting mail server with:" echo " PRIMARY_DOMAIN=${PRIMARY_DOMAIN}" From 8dff8d45482d5cd8c6bb51399c8394d75ea12760 Mon Sep 17 00:00:00 2001 From: David Redmin Date: Thu, 5 Aug 2021 13:33:47 -0400 Subject: [PATCH 63/63] Appease CodeQL "username" is changed to "user" in this function to work around a CodeQL failure for "Clear-text logging of sensitive information". --- tests/container_test.py | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/tests/container_test.py b/tests/container_test.py index d9a889f..d5a21bc 100644 --- a/tests/container_test.py +++ b/tests/container_test.py @@ -75,18 +75,20 @@ def test_imap_login(username, password): m.login(username, password) +# Note that "username" is changed to "user" in this function to work around +# a CodeQL failure for "Clear-text logging of sensitive information". :( @pytest.mark.parametrize( - "username,password", [(ARCHIVE_USER, ARCHIVE_PW), (TEST_SEND_USER, TEST_SEND_PW)] + "user,password", [(ARCHIVE_USER, ARCHIVE_PW), (TEST_SEND_USER, TEST_SEND_PW)] ) -def test_imap_messages_exist(username, password): +def test_imap_messages_exist(user, password): """Test test existence of our test messages.""" with IMAP4_SSL("localhost", IMAP_PORT) as m: - m.login(username, password) + m.login(user, password) typ, data = m.select() - assert typ == "OK", f"Select did not return OK status for {username}" + assert typ == "OK", f"Select did not return OK status for {user}" message_count = int(data[0]) - print(f"{username} inbox message count: {message_count}") - assert message_count > 0, f"Expected message in the {username} inbox" + print(f"{user} inbox message count: {message_count}") + assert message_count > 0, f"Expected message in the {user} inbox" @pytest.mark.parametrize(