Merge https://github.com/cisagov/skeleton-tf-module into lineage/skeleton

Author: jsf9k

.bandit.yml

@@ -1,25 +1,40 @@
 [flake8]
 max-line-length = 80
+
 # Select (turn on)
-# * Complexity violations reported by mccabe (C) -
-#   http://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes
-# * Documentation conventions compliance reported by pydocstyle (D) -
-#   http://www.pydocstyle.org/en/stable/error_codes.html
-# * Default errors and warnings reported by pycodestyle (E and W) -
+# * C: Complexity violations reported by mccabe -
+#   https://flake8.pycqa.org/en/latest/user/error-codes.html#error-violation-codes
+# * C4: Default errors and warnings reported by flake8-comprehensions -
+#   https://github.com/adamchainz/flake8-comprehensions#rules
+# * D: Documentation conventions compliance reported by pydocstyle -
+#   https://github.com/PyCQA/pydocstyle/blob/master/docs/error_codes.rst
+# * DUO: Default errors and warnings reported by dlint -
+#   https://github.com/dlint-py/dlint/tree/master/docs
+# * E: Default errors reported by pycodestyle -
 #   https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes
-# * Default errors reported by pyflakes (F) -
-#   http://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes
-# * Default warnings reported by flake8-bugbear (B) -
+# * F: Default errors reported by pyflakes -
+#   https://flake8.pycqa.org/en/latest/glossary.html#term-pyflakes
+# * N: Default errors and warnings reported by pep8-naming -
+#   https://github.com/PyCQA/pep8-naming#error-codes
+# * NQA: Default errors and warnings reported by flake8-noqa -
+#   https://github.com/plinss/flake8-noqa#error-codes
+# * W: Default warnings reported by pycodestyle -
+#   https://pycodestyle.readthedocs.io/en/latest/intro.html#error-codes
+# * B: Default warnings reported by flake8-bugbear -
 #   https://github.com/PyCQA/flake8-bugbear#list-of-warnings
-# * The B950 flake8-bugbear opinionated warning -
+# * B950: Bugbear opinionated warning for line too long -
 #   https://github.com/PyCQA/flake8-bugbear#opinionated-warnings
-select = C,D,E,F,W,B,B950
-# Ignore flake8's default warning about maximum line length, which has
-# a hard stop at the configured value.  Instead we use
-# flake8-bugbear's B950, which allows up to 10% overage.
-#
-# Also ignore flake8's warning about line breaks before binary
-# operators.  It no longer agrees with PEP8.  See, for example, here:
-# https://github.com/ambv/black/issues/21. Guido agrees here:
-# https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b.
-ignore = E501,W503
+select = C,C4,D,DUO,E,F,N,NQA,W,B,B950
+
+# Ignore
+# * E203: pycodestyle's default warning about whitespace before ':' because Black enforces
+#   an equal amount of whitespace around slice operators (':').
+# * E501: pycodestyle's default warning about maximum line length, which has a hard stop
+#   at the configured value.  Instead we use flake8-bugbear's B950, which
+#   allows up to 10% overage.
+# * W503: pycodestyle's warning about line breaks before binary operators.  It no longer
+#   agrees with PEP8.  See, for example, here:
+#   https://github.com/ambv/black/issues/21
+#   Guido agrees here:
+#   https://github.com/python/peps/commit/c59c4376ad233a62ca4b3a6060c81368bd21e85b
+ignore = E203,E501,W503

.flake8

@@ -63,7 +63,6 @@ test:
       - any-glob-to-any-file:
           # Add any test-related files or paths.
           - .ansible-lint
-          - .bandit.yml
           - .flake8
           - .isort.cfg
           - .mdl_config.yaml

.github/labeler.yml

@@ -149,12 +149,12 @@ jobs:
       - uses: hashicorp/setup-packer@v3
         with:
           version: ${{ steps.setup-env.outputs.packer-version }}
-      - uses: hashicorp/setup-terraform@v3
+      - uses: hashicorp/setup-terraform@v4
         with:
           terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
       - name: Install go-critic
         env:
-          PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
+          PACKAGE_URL: github.com/go-critic/go-critic/cmd/go-critic
           PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
         run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
       - name: Install goimports

.github/workflows/build.yml

@@ -87,7 +87,7 @@ jobs:
       - uses: actions/checkout@v6
       - name: Sync repository labels
         if: success()
-        uses: crazy-max/ghaction-github-labeler@v5
+        uses: crazy-max/ghaction-github-labeler@v6
         with:
           # This is a hideous ternary equivalent so we only do a dry run unless
           # this workflow is triggered by the develop branch.

.github/workflows/sync-labels.yml

@@ -45,7 +45,7 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.47.0
+    rev: v0.48.0
     hooks:
       - id: markdownlint
         args:
@@ -63,7 +63,7 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.36.2
+    rev: 0.37.0
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
@@ -105,7 +105,7 @@ repos:
 
   # Shell script hooks
   - repo: https://github.com/scop/pre-commit-shfmt
-    rev: v3.12.0-2
+    rev: v3.13.0-1
     hooks:
       - id: shfmt
         args:
@@ -129,23 +129,26 @@ repos:
 
   # Python hooks
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.9.3
+    rev: 1.9.4
     hooks:
       - id: bandit
-        args:
-          - --config=.bandit.yml
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 26.1.0
+    rev: 26.3.1
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
     rev: 7.3.0
     hooks:
       - id: flake8
         additional_dependencies:
+          - dlint==0.16.0
+          - flake8-bugbear==25.11.29
+          - flake8-comprehensions==3.17.0
           - flake8-docstrings==1.7.0
+          - flake8-noqa==1.5.0
+          - pep8-naming==0.15.1
   - repo: https://github.com/PyCQA/isort
-    rev: 8.0.0
+    rev: 8.0.1
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
@@ -157,6 +160,22 @@ repos:
     hooks:
       - id: pip-audit
         args:
+          # We have to ignore this vulnerability for now since an
+          # update for pygments has not yet been released.
+          #
+          # In any event, this vulnerability is unlikely to cause us
+          # any problems since we don't feed any regexes to pygments
+          # directly.  pygments is pulled in as a dependency of
+          # pytest.
+          #
+          # See also:
+          # - https://nvd.nist.gov/vuln/detail/CVE-2026-4539
+          # - https://github.com/pygments/pygments/issues/3058
+          #
+          # TODO: Remove this when it becomes possible.  See
+          # cisagov/skeleton-generic#257 for more details.
+          - --ignore-vuln
+          - CVE-2026-4539
           # Add any pip requirements files to scan
           - --requirement
           - requirements-dev.txt
@@ -177,6 +196,9 @@ repos:
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
+    # We need to stay on this version because we are still using Python 3.13 in
+    # our GitHub Actions configuration. Later versions require Python 3.14 for
+    # the hook to run.
     rev: v26.1.1
     hooks:
       - id: ansible-lint
@@ -207,6 +229,15 @@ repos:
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
+      # This needs to run after the terraform_validate hook so that any Terraform
+      # configurations are initialized.
+      - id: terraform_providers_lock
+        args:
+          - --args=-platform=darwin_amd64
+          - --args=-platform=darwin_arm64
+          - --args=-platform=linux_amd64
+          - --args=-platform=linux_arm64
+          - --hook-config=--mode=always-regenerate-lockfile
 
   # Docker hooks
   - repo: https://github.com/IamTheFij/docker-pre-commit