⚠️ CONFLICT! Lineage pull request for: skeleton

.github/dependabot.yml

@@ -20,6 +20,8 @@ updates:
       - dependency-name: mxschmitt/action-tmate
       - dependency-name: step-security/harden-runner
       # Managed by cisagov/skeleton-ansible-role
+      - dependency-name: docker/setup-buildx-action
+      - dependency-name: docker/setup-qemu-action
       - dependency-name: github/codeql-action
     package-ecosystem: github-actions
     schedule:

.github/workflows/build.yml

@@ -168,12 +168,33 @@ jobs:
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
   test:
+    name: >-
+      test (${{ matrix.scenario }}) -
+      ${{ matrix.platform }}-${{ matrix.architecture }}
     needs:
       - diagnostics
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
+        architecture:
+          - amd64
+          - arm64
+        platform:
+          - amazonlinux2023-systemd
+          - debian10-systemd
+          - debian11-systemd
+          - debian12-systemd
+          # Docker does not yet officially support Debian Trixie.  See
+          # https://docs.docker.com/engine/install/debian/ for more
+          # details.
+          # - debian13-systemd
+          - fedora39-systemd
+          - fedora40-systemd
+          - kali-systemd
+          - ubuntu-20-systemd
+          - ubuntu-22-systemd
+          - ubuntu-24-systemd
         scenario:
           - default
     steps:
@@ -204,8 +225,15 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install --upgrade --requirement requirements-test.txt
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Run molecule tests
-        run: molecule test --scenario-name ${{ matrix.scenario }}
+        run: >-
+          molecule test
+          --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
+          --scenario-name ${{ matrix.scenario }}
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE

.pre-commit-config.yaml

@@ -5,7 +5,7 @@ default_language_version:
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: check-case-conflict
       - id: check-executables-have-shebangs
@@ -31,7 +31,7 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.39.0
+    rev: v0.41.0
     hooks:
       - id: markdownlint
         args:
@@ -46,7 +46,7 @@ repos:
         # mirror does not pull tags for old major versions once a new major
         # version tag is published.
         additional_dependencies:
-          - prettier@3.2.5
+          - prettier@3.3.1
   - repo: https://github.com/adrienverge/yamllint
     rev: v1.35.1
     hooks:
@@ -56,14 +56,14 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.0
+    rev: 0.28.4
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.6.2
+    rev: v3.7.1
     hooks:
       - id: validate_manifest
 
@@ -98,7 +98,7 @@ repos:
 
   # Shell script hooks
   - repo: https://github.com/scop/pre-commit-shfmt
-    rev: v3.7.0-4
+    rev: v3.8.0-1
     hooks:
       - id: shfmt
         args:
@@ -116,21 +116,22 @@ repos:
           # Redirect operators are followed by a space
           - --space-redirects
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.9.0.6
+    rev: v0.10.0.1
     hooks:
       - id: shellcheck
 
   # Python hooks
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.7
+    rev: 1.7.8
     hooks:
       - id: bandit
-        # Bandit complains about the use of assert() in tests
-        exclude: molecule/(default|systemd_enabled)/tests
+        # Bandit complains about the use of assert() in tests. This should cover
+        # the tests/ subdirectory for any molecule scenario.
+        exclude: molecule/[^/]+/tests
         args:
           - --config=.bandit.yml
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.2.0
+    rev: 24.4.2
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -144,24 +145,42 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.8.0
+    rev: v1.10.0
     hooks:
       - id: mypy
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.15.1
+    rev: v3.15.2
     hooks:
       - id: pyupgrade
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v24.2.0
+    rev: v24.6.0
     hooks:
       - id: ansible-lint
-      # files: molecule/default/playbook.yml
+        additional_dependencies:
+          # On its own ansible-lint does not pull in ansible, only
+          # ansible-core.  Therefore, if an Ansible module lives in
+          # ansible instead of ansible-core, the linter will complain
+          # that the module is unknown.  In these cases it is
+          # necessary to add the ansible package itself as an
+          # additional dependency, with the same pinning as is done in
+          # requirements-test.txt of cisagov/skeleton-ansible-role.
+          # - ansible>=9,<10
+          # ansible-core 2.16.3 through 2.16.6 suffer from the bug
+          # discussed in ansible/ansible#82702, which breaks any
+          # symlinked files in vars, tasks, etc. for any Ansible role
+          # installed via ansible-galaxy.  Hence we never want to
+          # install those versions.
+          #
+          # Note that any changes made to this dependency must also be
+          # made in requirements.txt in cisagov/skeleton-packer and
+          # requirements-test.txt in cisagov/skeleton-ansible-role.
+          - ansible-core>=2.16.7
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.90.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

meta/main.yml

@@ -14,7 +14,7 @@ galaxy_info:
   galaxy_tags:
     - cyhy
     - mailer
-  license: CC0
+  license: CC0-1.0
   # With the release of version 2.10, Ansible finally correctly
   # identifies Kali Linux as being the Kali distribution of the Debian
   # OS family.  This simplifies a lot of things for roles that support
@@ -37,14 +37,15 @@ galaxy_info:
         # - trixie
     - name: Fedora
       versions:
-        - "38"
         - "39"
+        - "40"
     - name: Kali
       versions:
         - "2023"
     - name: Ubuntu
       versions:
         - focal
         - jammy
+        - noble
   role_name: cyhy_mailer
   standalone: true

molecule/default/externally-managed-python.yml

@@ -0,0 +1,49 @@
+---
+# This is in place to restore a destructive action in geerlingguy's Ansible
+# Docker images that we use for testing. The change is fine for the intended
+# purpose of the images but not for how we use them.
+- name: Ensure Python is marked as externally managed if appropriate
+  hosts: all
+  become: true
+  become_method: ansible.builtin.sudo
+  tasks:
+    - name: Ensure Python is marked as externally managed
+      when:
+        - ansible_distribution in ["Debian", "Ubuntu"]
+        - ansible_distribution_release not in ["bullseye", "buster", "focal", "jammy"]
+      block:
+        - name: Gather package facts
+          ansible.builtin.package_facts:
+            manager: auto
+
+        - name: Ensure the EXTERNALLY-MANAGED file is present if Python 3 is installed
+          when: '"python3" in ansible_facts.packages'
+          block:
+            # This gets a unique list of installed Python packages in the form of major.minor
+            # by taking the list of installed Python packages and:
+            # 1. Extracting the version from each package's information
+            # 2. Removing any version information after the major.minor version
+            # 3. Ensuring there are no duplicates
+            #
+            # NOTE:
+            # Since the value of python_versions is a multiline string, the regex expressions used in
+            # the regex_replace filter must use single backslashes for special sequences. If the value
+            # of python_versions were to be changed from a multiline string, the special sequences
+            # must be modified to use double backslashes instead. This is due to how the YAML is
+            # processed when Ansible reads the playbook.
+            - name: Extract version information about installed Python packages
+              ansible.builtin.set_fact:
+                python_versions: >-
+                  {{
+                    ansible_facts.packages["python3"]
+                    | map(attribute="version")
+                    | map("regex_replace", "^(\d+\.\d+)\.\d+.*$", "\1")
+                    | unique
+                  }}
+
+            - name: Restore EXTERNALLY-MANAGED file for Python
+              ansible.builtin.template:
+                dest: /usr/lib/python{{ item }}/EXTERNALLY-MANAGED
+                mode: 0644
+                src: EXTERNALLY-MANAGED.j2
+              loop: "{{ python_versions }}"