cisagov
diff --git a/‎.github/dependabot.yml
Lines changed: 2 additions & 0 deletions b/‎.github/dependabot.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/build.yml
Lines changed: 46 additions & 1 deletion b/‎.github/workflows/build.yml
Lines changed: 46 additions & 1 deletion
diff --git a/‎.pre-commit-config.yaml
Lines changed: 33 additions & 28 deletions b/‎.pre-commit-config.yaml
Lines changed: 33 additions & 28 deletions
diff --git a/‎meta/main.yml
Lines changed: 8 additions & 7 deletions b/‎meta/main.yml
Lines changed: 8 additions & 7 deletions
diff --git a/‎molecule/default/externally-managed-python.yml
Lines changed: 49 additions & 0 deletions b/‎molecule/default/externally-managed-python.yml
Lines changed: 49 additions & 0 deletions
@@ -20,6 +20,8 @@ updates:
       - dependency-name: mxschmitt/action-tmate
       - dependency-name: step-security/harden-runner
       # Managed by cisagov/skeleton-ansible-role
+      - dependency-name: docker/setup-buildx-action
+      - dependency-name: docker/setup-qemu-action
       - dependency-name: github/codeql-action
     package-ecosystem: github-actions
     schedule:
 
@@ -168,12 +168,50 @@ jobs:
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
   test:
+    name: >-
+      test (${{ matrix.scenario }}) -
+      ${{ matrix.platform }}-${{ matrix.architecture }}
     needs:
       - diagnostics
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
+        architecture:
+          - amd64
+          - arm64
+        exclude:
+            # TODO: Starting with systemd version 253 or 254 (I'm not
+            # sure which) it is no longer possible to start
+            # systemd-resolved.service under QEMU emulation.  We
+            # support this case, but we cannot test it until we have
+            # native ARM64 runners.
+            #
+            # See issue #10 for more details.
+            - architecture: arm64
+              platform: debian13-systemd
+            - architecture: arm64
+              platform: fedora39-systemd
+            - architecture: arm64
+              platform: fedora40-systemd
+            - architecture: arm64
+              platform: kali-systemd
+            - architecture: arm64
+              platform: ubuntu-24-systemd
+        platform:
+          - amazonlinux2023-systemd
+          # These platforms do not provide systemd-resolved.
+          # - debian10-systemd
+          # - debian11-systemd
+          - debian12-systemd
+          - debian13-systemd
+          - fedora39-systemd
+          - fedora40-systemd
+          - kali-systemd
+          # These platforms do not provide systemd-resolved.
+          # - ubuntu-20-systemd
+          # - ubuntu-22-systemd
+          - ubuntu-24-systemd
         scenario:
           - default
           - disable_stub_resolver
@@ -206,8 +244,15 @@ jobs:
         run: |
           python -m pip install --upgrade pip
           pip install --upgrade --requirement requirements-test.txt
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Run molecule tests
-        run: molecule test --scenario-name ${{ matrix.scenario }}
+        run: >-
+          molecule test
+          --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
+          --scenario-name ${{ matrix.scenario }}
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
@@ -5,7 +5,7 @@ default_language_version:
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v4.6.0
     hooks:
       - id: check-case-conflict
       - id: check-executables-have-shebangs
@@ -31,7 +31,7 @@ repos:
 
   # Text file hooks
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.39.0
+    rev: v0.41.0
     hooks:
       - id: markdownlint
         args:
@@ -46,7 +46,7 @@ repos:
         # mirror does not pull tags for old major versions once a new major
         # version tag is published.
         additional_dependencies:
-          - prettier@3.2.5
+          - prettier@3.3.1
   - repo: https://github.com/adrienverge/yamllint
     rev: v1.35.1
     hooks:
@@ -56,14 +56,14 @@ repos:
 
   # GitHub Actions hooks
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.0
+    rev: 0.28.4
     hooks:
       - id: check-github-actions
       - id: check-github-workflows
 
   # pre-commit hooks
   - repo: https://github.com/pre-commit/pre-commit
-    rev: v3.6.2
+    rev: v3.7.1
     hooks:
       - id: validate_manifest
 
@@ -98,7 +98,7 @@ repos:
 
   # Shell script hooks
   - repo: https://github.com/scop/pre-commit-shfmt
-    rev: v3.7.0-4
+    rev: v3.8.0-1
     hooks:
       - id: shfmt
         args:
@@ -116,21 +116,22 @@ repos:
           # Redirect operators are followed by a space
           - --space-redirects
   - repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.9.0.6
+    rev: v0.10.0.1
     hooks:
       - id: shellcheck
 
   # Python hooks
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.7
+    rev: 1.7.8
     hooks:
       - id: bandit
-        # Bandit complains about the use of assert() in tests
-        exclude: molecule/(default|disable_stub_resolver|specify_resolv_conf_target)/tests
+        # Bandit complains about the use of assert() in tests. This should cover
+        # the tests/ subdirectory for any molecule scenario.
+        exclude: molecule/[^/]+/tests
         args:
           - --config=.bandit.yml
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 24.2.0
+    rev: 24.4.2
     hooks:
       - id: black
   - repo: https://github.com/PyCQA/flake8
@@ -144,38 +145,42 @@ repos:
     hooks:
       - id: isort
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.8.0
+    rev: v1.10.0
     hooks:
       - id: mypy
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.15.1
+    rev: v3.15.2
     hooks:
       - id: pyupgrade
 
   # Ansible hooks
   - repo: https://github.com/ansible/ansible-lint
-    rev: v24.2.0
+    rev: v24.6.0
     hooks:
       - id: ansible-lint
         additional_dependencies:
-          # Per the documentation and the pre-commit hook
-          # configuration, ansible-lint does not know about modules
-          # that live outside of ansible-core.  See these links for
-          # more details:
-          # - https://github.com/ansible/ansible-lint/blob/main/src/ansiblelint/rules/syntax_check.md#syntax-checkunknown-module
-          # - https://github.com/ansible/ansible-lint/blob/ad0157eb38059b02d57458504340209f221e3189/.pre-commit-hooks.yaml#L14-L19
+          # On its own ansible-lint does not pull in ansible, only
+          # ansible-core.  Therefore, if an Ansible module lives in
+          # ansible instead of ansible-core, the linter will complain
+          # that the module is unknown.  In these cases it is
+          # necessary to add the ansible package itself as an
+          # additional dependency, with the same pinning as is done in
+          # requirements-test.txt of cisagov/skeleton-ansible-role.
+          - ansible>=9,<10
+          # ansible-core 2.16.3 through 2.16.6 suffer from the bug
+          # discussed in ansible/ansible#82702, which breaks any
+          # symlinked files in vars, tasks, etc. for any Ansible role
+          # installed via ansible-galaxy.  Hence we never want to
+          # install those versions.
           #
-          # Since ansible.posix.mount lives inside of the ansible
-          # package itself, we must include that package here.
-          #
-          # Note also that for consistency's sake we pull in the same
-          # version of ansible that is used in requirements-test.txt.
-          - ansible>=8,<10
-      # files: molecule/default/playbook.yml
+          # Note that any changes made to this dependency must also be
+          # made in requirements.txt in cisagov/skeleton-packer and
+          # requirements-test.txt in cisagov/skeleton-ansible-role.
+          - ansible-core>=2.16.7
 
   # Terraform hooks
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.90.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
 
@@ -13,7 +13,7 @@ galaxy_info:
     - resolved
     - systemd
     - systemdresolved
-  license: CC0
+  license: CC0-1.0
   # With the release of version 2.10, Ansible finally correctly
   # identifies Kali Linux as being the Kali distribution of the Debian
   # OS family.  This simplifies a lot of things for roles that support
@@ -34,15 +34,16 @@ galaxy_info:
         - trixie
     - name: Fedora
       versions:
-        - "38"
         - "39"
+        - "40"
     - name: Kali
       versions:
         - "2023"
-    # These platforms do not provide systemd-resolved.
-    # - name: Ubuntu
-    #   versions:
-    #     - focal
-    #     - jammy
+    - name: Ubuntu
+      versions:
+        # These platforms do not provide systemd-resolved.
+        # - focal
+        # - jammy
+        - noble
   role_name: systemd_resolved
   standalone: true
@@ -0,0 +1,49 @@
+---
+# This is in place to restore a destructive action in geerlingguy's Ansible
+# Docker images that we use for testing. The change is fine for the intended
+# purpose of the images but not for how we use them.
+- name: Ensure Python is marked as externally managed if appropriate
+  hosts: all
+  become: true
+  become_method: ansible.builtin.sudo
+  tasks:
+    - name: Ensure Python is marked as externally managed
+      when:
+        - ansible_distribution in ["Debian", "Ubuntu"]
+        - ansible_distribution_release not in ["bullseye", "buster", "focal", "jammy"]
+      block:
+        - name: Gather package facts
+          ansible.builtin.package_facts:
+            manager: auto
+
+        - name: Ensure the EXTERNALLY-MANAGED file is present if Python 3 is installed
+          when: '"python3" in ansible_facts.packages'
+          block:
+            # This gets a unique list of installed Python packages in the form of major.minor
+            # by taking the list of installed Python packages and:
+            # 1. Extracting the version from each package's information
+            # 2. Removing any version information after the major.minor version
+            # 3. Ensuring there are no duplicates
+            #
+            # NOTE:
+            # Since the value of python_versions is a multiline string, the regex expressions used in
+            # the regex_replace filter must use single backslashes for special sequences. If the value
+            # of python_versions were to be changed from a multiline string, the special sequences
+            # must be modified to use double backslashes instead. This is due to how the YAML is
+            # processed when Ansible reads the playbook.
+            - name: Extract version information about installed Python packages
+              ansible.builtin.set_fact:
+                python_versions: >-
+                  {{
+                    ansible_facts.packages["python3"]
+                    | map(attribute="version")
+                    | map("regex_replace", "^(\d+\.\d+)\.\d+.*$", "\1")
+                    | unique
+                  }}
+
+            - name: Restore EXTERNALLY-MANAGED file for Python
+              ansible.builtin.template:
+                dest: /usr/lib/python{{ item }}/EXTERNALLY-MANAGED
+                mode: 0644
+                src: EXTERNALLY-MANAGED.j2
+              loop: "{{ python_versions }}"