This commit will make a few changes. The
orginal version of the semantic checking
function was a bit more difficult to read.
It is now somewhat easier to follow how
the regex is structured. Also the function
has been renamed to check_python_version
since it has 2 functions, making sure that
the version is semantically correct and the
second is to make sure that it is installed
on the user's machine. This makes it easier
to follow the logic for the flags, -p or
--python-version and -l or --list-versions

This commit will make a few changes. The
orginal version of the semantic checking
function was a bit more difficult to read.
It is now somewhat easier to follow how
the regex is structured. Also the function
has been renamed to check_python_version
since it has 2 functions, making sure that
the version is semantically correct and the
second is to make sure that it is installed
on the user's machine. This makes it easier
to follow the logic for the flags, -p or
--python-version and -l or --list-versions

…ttps://github.com/cisagov/skeleton-generic into improvement/correct-semantic-python-version-checks

Co-authored-by: dav3r <[email protected]>

Co-authored-by: dav3r <[email protected]>

Add the `check-useless-excludes` meta hook to verify that any defined
`exclude` directives apply to at least one file in the repository.

Since we have a version pin of some kind for the molecule package in
the `requirements-test.txt` file it makes sense to ensure this
dependency is centrally managed.

Now that we always run systemd-enabled Docker images for our Molecule
testing it makes sense to always do this.

Instead of manually installing Packer we can instead leverage the
hashicorp/setup-packer Action just as we do for Terraform.

He is no longer a member of @cisagov/vm-dev.

Previously we only provided a lower bound for the version, but pinning to a specific version aligns with what has been done with the prettier hook and how pre-commit hooks are pinned in general.

The flake8-docstrings package is rarely updated, so there is no real downside to pinning to a specific version.

Co-authored-by: Nick <[email protected]>

Bumps [actions/cache](https://github.com/actions/cache) from 3 to 4.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v3...v4)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [crazy-max/ghaction-github-status](https://github.com/crazy-max/ghaction-github-status) from 3 to 4.
- [Release notes](https://github.com/crazy-max/ghaction-github-status/releases)
- [Commits](crazy-max/ghaction-github-status@v3...v4)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-github-status
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

This is done automatically with the `pre-commit autoupdate` command.
The pre-commit/mirrors-prettier hook was manually held back because the
latest tags are for alpha releases of the next major version.

Use the latest v3 release available from NPM.

…max/ghaction-github-status-4

Bump crazy-max/ghaction-github-status from 3 to 4

…s/cache-4

Bump actions/cache from 3 to 4

Use an Action to install Packer in our GitHub Actions workflows

…hon-version-checks

Add checks for correct semantic version of Python

Remove @jasonodoom as a codeowner

The pip-audit tool will audit any supplied pip requirements files for
vulnerable packages.

…hook

Add the `check-useless-excludes` hook to the pre-commit configuration

…mmit_hook

Add a pre-commit hook to run `pip-audit`

Add a lower-bound pin for the `flake8-docstrings` `pip` package

Update `pre-commit` hooks

This replaces the now archived pre-commit/mirrors-prettier hook.

Switch the `pre-commit` hook used to run `prettier`

Add a `workflow_dispatch` trigger so we can manually run the workflow
if needed.

This Action will provide information about the usage of GITHUB_TOKEN in
the workflow. It should be added to _every_ job in _any_ workflow to
provide information for analysis.

This changes the default permissions for the GITHUB_TOKEN used in our
GitHub Actions configuration to the minimum required to successfully
run.

This is done automatically with the `pre-commit autoupdate` command.

Ensure that all hook ids are sorted alphabetically in each hook entry
in our pre-commit configuration.

…bels_workflow

Allow the `sync-labels` workflow to be run manually

…ons-monitor

Add the `GitHubSecurityLab/actions-permissions/monitor` Action

Explicitly define permissions of `GITHUB_TOKEN` in our GitHub Actions workflows

Update `pre-commit` hook versions

…hooks

Add additional hooks from `pre-commit/pre-commit-hooks`

…oks_are_sorted

Sort hook ids in each `pre-commit` hook entry

…skeleton

…at lacks it

This must have been missed in a previous Lineage PR.

Co-authored-by: Nick <[email protected]>

The job checks out the code, so it needs repo read permissions.

Co-authored-by: Nick <[email protected]>

Add a directive for hashicorp/setup-packer that was missed when it was
added to the `build` workflow. Add a directive for
cisagov/setup-env-github-action that is not strictly necessary since we
currently just pull from the `develop` branch, but is good to have in
case we were to change that in the future.

Add missing dependabot ignore directives

This is being done because the pip-audit pre-commit hook identifies a
vulnerability in ansible-core version 2.16.13.  Note that this
requires that we bump up ansible to version 10 since all versions of
ansible 9 have a dependency on ~=2.16.X.

This is being done because the pip-audit pre-commit hook identifies a
vulnerability in ansible-core version 2.16.13.  Note that this
requires that we bump up ansible to version 10 since all versions of
ansible 9 have a dependency on ~=2.16.X.

Fedora 41 was released on October 29th:
https://www.redhat.com/en/blog/announcing-fedora-41

Note that this is being done for testing purposes, and this change can
be reverted once cisagov/ansible-role-upgrade#66 is merged.

Version 24.10.0 is the first version that supports Fedora 41 as a
valid platform.

Version 24.10.0 is the first version that supports Fedora 41 as a
valid platform.

We can do this now that cisagov/ansible-role-upgrade#66 has been
merged.

The pin of ansible-core was originally put in place because the
pip-audit pre-commit hook identifies a vulnerability in ansible-core
2.16.13.  Normally we would pin ansible-core to >2.16.13, but in the
spirit of the earlier, optional pin of ansible>=10 we pin ansible-core
to >=2.17.  This effectively also pins ansible to >=10.

Co-authored-by: Nick M <[email protected]>

The pin of ansible-core was originally put in place because the
pip-audit pre-commit hook identifies a vulnerability in ansible-core
2.16.13.  Normally we would pin ansible-core accordingly (>2.16.13),
but the earlier pin of ansible>=10 effectively pins ansible-core to
>=2.17 so that's what we do here.

Co-authored-by: Nick M <[email protected]>

With this task in place the GitHub runners run out of resources and
crash.

This is being done only temporarily, and only because there is no
recent version of ansible-core that does not exhibit the
vulnerability.  Without this change we get a failure from the
pip-audit pre-commit hook that we cannot do anything about.

See cisagov/skeleton-ansible-role#210 for more details.

This adds even more evidence for why it is a good idea to go ahead and
upgrade ansible and ansible-core, in addition to the vulnerability
that pip-audit turned up.

Co-authored-by: Nick M <[email protected]>

This adds even more evidence for why it is a good idea to go ahead and
upgrade ansible and ansible-core, in addition to the vulnerability
that pip-audit turned up.

Co-authored-by: Nick M <[email protected]>

…n-for-ansible-core

Bump up the lower bound on `ansible-core`

…-pre-commit-hook-version

Update the version of the `ansible-lint` `pre-commit` hook

…ndabot

Add a dependabot ignore directive for `molecule`

…tialization-for-fedora

Add logic to wait for `systemd` initialization to complete on Fedora

We do this because pytest-testinfra 10.1.1 contains a fix for
SystemdService.exists that is required by some roles' Molecule test
code.

Note that we also add a corresponding line to the Dependabot
configuration so that descendant repos know this dependency is managed
here.

Co-authored-by: Nick <[email protected]>

Add a lower-bound pin for `pytest-testinfra`

…pin-for-ansible-core

Bump up the lower bound on `ansible-core`

Lineage pull request for: skeleton

…ra-41

Add support for Fedora 41

…eage/skeleton