Merge pull request #25 from cisagov/improvement/last_touchups

Final touch ups for the modernization effort

.github/dependabot.yml

@@ -39,6 +39,11 @@ updates:
     schedule:
       interval: "weekly"
 
+  - package-ecosystem: "pip"
+    directory: "/src"
+    schedule:
+      interval: "weekly"
+
   - package-ecosystem: "terraform"
     directory: "/"
     schedule:

.github/labels.yml

@@ -59,6 +59,9 @@
 - color: "ef476c"
   description: This issue is a request for information or needs discussion
   name: question
+- color: "d73a4a"
+  description: This issue or pull request addresses a security issue
+  name: security
 - color: "00008b"
   description: This issue or pull request adds or otherwise modifies test code
   name: test

.github/workflows/build.yml

@@ -248,7 +248,7 @@ jobs:
         run: mkdir -p dist
       - name: Build image
         id: docker_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           build-args: |
             VERSION=${{ needs.prepare.outputs.source_version }}
@@ -345,6 +345,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: [lint, prepare, test]
     if: github.event_name != 'pull_request'
+    # When Dependabot creates a PR it requires this permission in
+    # order to push Docker images to ghcr.io.
+    permissions:
+      packages: write
     steps:
       - name: Login to Docker Hub
         uses: docker/login-action@v2
@@ -376,7 +380,7 @@ jobs:
         run: ./buildx-dockerfile.sh
       - name: Build and push platform images to registries
         id: docker_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           build-args: |
             VERSION=${{ needs.prepare.outputs.source_version }}

.pre-commit-config.yaml

@@ -5,7 +5,7 @@ default_language_version:
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.4.0
     hooks:
       - id: check-case-conflict
       - id: check-executables-have-shebangs
@@ -31,7 +31,7 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.32.2
+    rev: v0.33.0
     hooks:
       - id: markdownlint
         args:
@@ -41,22 +41,22 @@ repos:
     hooks:
       - id: prettier
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.28.0
+    rev: v1.29.0
     hooks:
       - id: yamllint
         args:
           - --strict
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.18.4
+    rev: 0.21.0
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v2.20.0
+    rev: v3.0.2
     hooks:
       - id: validate_manifest
 
@@ -98,27 +98,29 @@ repos:
         name: bandit (everything else)
         exclude: tests
   - repo: https://github.com/psf/black
-    rev: 22.10.0
+    rev: 22.12.0
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
-    rev: 5.0.4
+    rev: 6.0.0
     hooks:
       - id: flake8
         additional_dependencies:
           - flake8-docstrings
   - repo: https://github.com/PyCQA/isort
-    rev: 5.10.1
+    rev: 5.12.0
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v0.990
+    rev: v0.991
     hooks:
       - id: mypy
         additional_dependencies:
+          - boto3-stubs
+          - types-docopt
           - types-PyYAML
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.2.0
+    rev: v3.3.1
     hooks:
       - id: pyupgrade
 
@@ -131,7 +133,7 @@ repos:
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.76.0
+    rev: v1.77.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.11.1-alpine3.17 as compile-stage
+FROM python:3.11.2-alpine3.17 as compile-stage
 
 ###
 # For a list of pre-defined annotation keys and value types see:
@@ -16,6 +16,13 @@ ARG CISA_USER="cisa"
 ENV CISA_HOME="/home/${CISA_USER}"
 ENV VIRTUAL_ENV="${CISA_HOME}/.venv"
 
+
+# Versions of the Python packages installed directly
+ENV PYTHON_PIP_VERSION=23.0
+ENV PYTHON_PIPENV_VERSION=2023.2.4
+ENV PYTHON_SETUPTOOLS_VERSION=67.3.1
+ENV PYTHON_WHEEL_VERSION=0.38.4
+
 # Install base Python requirements and then install pipenv to manage installing
 # the Python dependencies into a created Python virtual environment. This is
 # done separately from the virtual environment so that pipenv and its
@@ -26,18 +33,18 @@ ENV VIRTUAL_ENV="${CISA_HOME}/.venv"
 # setuptools, and wheel) pre-venv because this Docker image is using Python
 # built from source and not a system Python package.
 RUN python3 -m pip install --no-cache-dir --upgrade \
-    pip==22.3.1 \
-    setuptools==65.7.0 \
-    wheel==0.38.4 \
+    pip==${PYTHON_PIP_VERSION} \
+    setuptools==${PYTHON_SETUPTOOLS_VERSION} \
+    wheel==${PYTHON_WHEEL_VERSION} \
   && python3 -m pip install --no-cache-dir --upgrade \
-    pipenv==2022.12.19 \
+    pipenv==${PYTHON_PIPENV_VERSION} \
   # Manually create Python virtual environment for the final image
   && python3 -m venv ${VIRTUAL_ENV} \
   # Ensure the core Python packages are installed in the virtual environment
   && ${VIRTUAL_ENV}/bin/python3 -m pip install --no-cache-dir --upgrade \
-    pip==22.3.1 \
-    setuptools==65.7.0 \
-    wheel==0.38.4
+    pip==${PYTHON_PIP_VERSION} \
+    setuptools==${PYTHON_SETUPTOOLS_VERSION} \
+    wheel==${PYTHON_WHEEL_VERSION}
 
 # Install client-cert-update Python requirements
 WORKDIR /tmp
@@ -46,7 +53,7 @@ COPY src/Pipfile src/Pipfile.lock ./
 # VIRTUAL_ENV environment variable if it is set.
 RUN pipenv sync --clear --verbose
 
-FROM python:3.11.1-alpine3.17 as build-stage
+FROM python:3.11.2-alpine3.17 as build-stage
 
 ###
 # Unprivileged user setup variables

README.md

@@ -21,7 +21,7 @@ certificates.
 To run the `cisagov/client-cert-update` image via Docker:
 
 ```console
-docker run cisagov/client-cert-update:0.1.0-rc.1
+docker run cisagov/client-cert-update:0.1.0-rc.2
 ```
 
 ### Running with Docker Compose ###
@@ -34,7 +34,7 @@ docker run cisagov/client-cert-update:0.1.0-rc.1
 
     services:
       update:
-        image: cisagov/client-cert-update:0.1.0-rc.1
+        image: cisagov/client-cert-update:0.1.0-rc.2
         init: true
         environment:
           - AWS_CONFIG_FILE=path/to/aws_config
@@ -82,7 +82,7 @@ environment variables.  See the
 
     services:
       update:
-        image: cisagov/client-cert-update:0.1.0-rc.1
+        image: cisagov/client-cert-update:0.1.0-rc.2
         init: true
         environment:
           - AWS_CONFIG_FILE=/run/secrets/aws_config
@@ -121,7 +121,7 @@ environment variables.  See the
 1. Pull the new image:
 
     ```console
-    docker pull cisagov/client-cert-update:0.1.0-rc.1
+    docker pull cisagov/client-cert-update:0.1.0-rc.2
     ```
 
 1. Recreate and run the container by following the [previous instructions](#running-with-docker).
@@ -130,12 +130,12 @@ environment variables.  See the
 
 The images of this container are tagged with [semantic
 versions](https://semver.org).  It is recommended that most users use a version
-tag (e.g. `:0.1.0-rc.1`).
+tag (e.g. `:0.1.0-rc.2`).
 
 | Image:tag | Description |
 |-----------|-------------|
-|`cisagov/client-cert-update:0.1.0-rc.1`| An exact release version. |
-|`cisagov/client-cert-update:0.0`| The most recent release matching the major and minor version numbers. |
+|`cisagov/client-cert-update:0.1.0-rc.2`| An exact release version. |
+|`cisagov/client-cert-update:0.1`| The most recent release matching the major and minor version numbers. |
 |`cisagov/client-cert-update:0`| The most recent release matching the major version number. |
 |`cisagov/client-cert-update:edge` | The most recent image built from a merge into the `develop` branch of this repository. |
 |`cisagov/client-cert-update:nightly` | A nightly build of the `develop` branch of this repository. |
@@ -196,7 +196,7 @@ Build the image locally using this git repository as the [build context](https:/
 
 ```console
 docker build \
-  --tag cisagov/client-cert-update:0.1.0-rc.1 \
+  --tag cisagov/client-cert-update:0.1.0-rc.2 \
   https://github.com/cisagov/client-cert-update.git#develop
 ```
 
@@ -227,7 +227,7 @@ Docker:
       --file Dockerfile-x \
       --platform linux/amd64 \
       --output type=docker \
-      --tag cisagov/client-cert-update:0.1.0-rc.1 .
+      --tag cisagov/client-cert-update:0.1.0-rc.2 .
     ```
 
 ## Contributing ##

src/Pipfile

@@ -7,7 +7,7 @@ name = "pypi"
 # Minimum version for IMDSv2 support
 boto3 = ">=1.13.23"
 docopt = ">=0.6.2"
-mongo-db-from-config = {file = "https://github.com/cisagov/mongo-db-from-config/archive/v0.1.0.tar.gz"}
+mongo-db-from-config = {file = "https://github.com/cisagov/mongo-db-from-config/archive/v0.2.0.tar.gz"}
 
 [requires]
-python_full_version = "3.11.1"
+python_full_version = "3.11.2"

src/version.txt

@@ -1 +1 @@
-__version__ = "0.1.0-rc.1"
+__version__ = "0.1.0-rc.2"