Merge pull request #58 from cisagov/lineage/skeleton

⚠️ CONFLICT! Lineage pull request for: skeleton

Author: jsf9k

.github/dependabot.yml

@@ -20,6 +20,8 @@ updates:
       - dependency-name: mxschmitt/action-tmate
       - dependency-name: step-security/harden-runner
       # Managed by cisagov/skeleton-ansible-role
+      - dependency-name: docker/setup-buildx-action
+      - dependency-name: docker/setup-qemu-action
       - dependency-name: github/codeql-action
     package-ecosystem: github-actions
     schedule:

.github/workflows/build.yml

@@ -168,12 +168,77 @@ jobs:
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
   test:
+    name: >-
+      test (${{ matrix.scenario }}) -
+      ${{ matrix.platform }}-${{ matrix.architecture }}
     needs:
       - diagnostics
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
+        architecture:
+          - amd64
+          - arm64
+        exclude:
+          # Buster does not have a new enough version of the golang
+          # package to build any go projects of recent vintage.
+          - platform: debian10-systemd
+            scenario: go
+          # Focal does not have a new enough version of the golang
+          # package to build any go projects of recent vintage.
+          - platform: ubuntu-20-systemd
+            scenario: go
+          # PowerShell does not support ARM64 on Debian-based platforms.
+          - architecture: arm64
+            scenario: powershell
+          # The latest official release of PowerShell does not support
+          # Ubuntu Noble.  It requires libicu <= 72, but Noble only
+          # offers libicu 74:
+          # https://packages.ubuntu.com/search?keywords=libicu&searchon=names&suite=noble&section=all
+          - platform: ubuntu-24-systemd
+            scenario: powershell
+          # Debian Bookworm and Trixie do not offer Python 2.
+          - platform: debian12-systemd
+            scenario: python2
+          - platform: debian13-systemd
+            scenario: python2
+          # Ubuntu Noble does not offer Python 2.
+          - platform: ubuntu-24-systemd
+            scenario: python2
+          # Debian Buster does not have a new enough version of cargo
+          # to parse the cargo.toml file for RustScan.  The
+          # buster-backports package repository no longer exists.
+          - platform: debian10-systemd
+            scenario: rust
+          # Debian Bullseye has an older version of cargo, which gives
+          # a "feature `resolver` is required" error when installing
+          # RustScan.  There is no newer version in backports.
+          - platform: debian11-systemd
+            scenario: rust
+          # Debian Bookworm has an older version of rustc, which gives
+          # a "package `regex-syntax v0.8.2` cannot be built because
+          # it requires rustc 1.65 or newer, while the currently
+          # active rustc version is 1.63.0" error when installing the
+          # tool.
+          - platform: debian12-systemd
+            scenario: rust
+        platform:
+          # This Ansible role only supports Debian-based platforms for
+          # now.
+          # - amazonlinux2023-systemd
+          - debian10-systemd
+          - debian11-systemd
+          - debian12-systemd
+          - debian13-systemd
+          # This Ansible role only supports Debian-based platforms for
+          # now.
+          # - fedora39-systemd
+          # - fedora40-systemd
+          - kali-systemd
+          - ubuntu-20-systemd
+          - ubuntu-22-systemd
+          - ubuntu-24-systemd
         scenario:
           - csharp
           - default
@@ -210,8 +275,15 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install --upgrade --requirement requirements-test.txt
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Run molecule tests
-        run: molecule test --scenario-name ${{ matrix.scenario }}
+        run: >-
+          molecule test
+          --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
+          --scenario-name ${{ matrix.scenario }}
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE

.pre-commit-config.yaml

@@ -5,7 +5,7 @@ default_language_version:
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: check-case-conflict
       - id: check-executables-have-shebangs
@@ -31,7 +31,7 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.39.0
+    rev: v0.41.0
     hooks:
       - id: markdownlint
         args:
@@ -46,7 +46,7 @@ repos:
         # mirror does not pull tags for old major versions once a new major
         # version tag is published.
         additional_dependencies:
-          - prettier@3.2.5
+          - prettier@3.3.1
   - repo: https://github.com/adrienverge/yamllint
     rev: v1.35.1
     hooks:
@@ -56,14 +56,14 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.0
+    rev: 0.28.4
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.6.2
+    rev: v3.7.1
     hooks:
       - id: validate_manifest
 
@@ -98,7 +98,7 @@ repos:
 
   # Shell script hooks
   - repo: https://github.com/scop/pre-commit-shfmt
-    rev: v3.7.0-4
+    rev: v3.8.0-1
     hooks:
       - id: shfmt
         args:
@@ -116,21 +116,22 @@ repos:
           # Redirect operators are followed by a space
           - --space-redirects
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.9.0.6
+    rev: v0.10.0.1
     hooks:
       - id: shellcheck
 
   # Python hooks
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.7
+    rev: 1.7.8
     hooks:
       - id: bandit
-        # Bandit complains about the use of assert() in tests
-        exclude: molecule/(csharp|default|go|powershell|python|python2|rust)/tests
+        # Bandit complains about the use of assert() in tests. This should cover
+        # the tests/ subdirectory for any molecule scenario.
+        exclude: molecule/[^/]+/tests
         args:
           - --config=.bandit.yml
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.2.0
+    rev: 24.4.2
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -144,24 +145,42 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.8.0
+    rev: v1.10.0
     hooks:
       - id: mypy
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.15.1
+    rev: v3.15.2
     hooks:
       - id: pyupgrade
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v24.2.0
+    rev: v24.6.0
     hooks:
       - id: ansible-lint
-      # files: molecule/default/playbook.yml
+        additional_dependencies:
+          # On its own ansible-lint does not pull in ansible, only
+          # ansible-core.  Therefore, if an Ansible module lives in
+          # ansible instead of ansible-core, the linter will complain
+          # that the module is unknown.  In these cases it is
+          # necessary to add the ansible package itself as an
+          # additional dependency, with the same pinning as is done in
+          # requirements-test.txt of cisagov/skeleton-ansible-role.
+          # - ansible>=9,<10
+          # ansible-core 2.16.3 through 2.16.6 suffer from the bug
+          # discussed in ansible/ansible#82702, which breaks any
+          # symlinked files in vars, tasks, etc. for any Ansible role
+          # installed via ansible-galaxy.  Hence we never want to
+          # install those versions.
+          #
+          # Note that any changes made to this dependency must also be
+          # made in requirements.txt in cisagov/skeleton-packer and
+          # requirements-test.txt in cisagov/skeleton-ansible-role.
+          - ansible-core>=2.16.7
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.90.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

defaults/main.yml

@@ -31,6 +31,12 @@ assessment_tool_owner: root
 # system package
 assessment_tool_powershell: false
 
+# The version of the powershell system package to install.  Note that
+# this version is only applied to installations where the package is
+# downloaded from https://github.com/PowerShell/PowerShell; Kali
+# Linux, for instance, offers its own powershell system package.
+assessment_tool_powershell_version: 7.4.2
+
 # A Boolean that can indicate that Python is to be installed and a
 # pristine Python virtual environment created.  If any of
 # assessment_tool_pip_packages or

meta/main.yml

@@ -17,7 +17,7 @@ galaxy_info:
     - mono
     - python
     - rust
-  license: CC0
+  license: CC0-1.0
   # With the release of version 2.10, Ansible finally correctly
   # identifies Kali Linux as being the Kali distribution of the Debian
   # OS family.  This simplifies a lot of things for roles that support
@@ -39,14 +39,15 @@ galaxy_info:
     # This Ansible role only supports Debian-based platforms for now.
     # - name: Fedora
     #   versions:
-    #     - "38"
     #     - "39"
+    #     - "40"
     - name: Kali
       versions:
         - "2023"
     - name: Ubuntu
       versions:
         - focal
         - jammy
+        - noble
   role_name: assessment_tool
   standalone: true

molecule/csharp/externally-managed-python.yml

@@ -0,0 +1 @@
+../default/externally-managed-python.yml