feat: initial swf bundle implementation (#25)

* very wip with uds run --set FLAVOR=upstream working for gitlab+gitlabrunner on k3d+istio * add renovate config * fix: use vendored zarf in create task * fix direct calls to zarf and kubectl * update gitlab-runner version * add working dev bundle deployment * add workflows, update tasks and add missing dep package * ci: update runner being used in test jobs * ci: add yamllint config and fix runner name * ci: remove registry1 flavor since we way or may not test that here but also because -upstream ref is hardcoded into bundle * ci: temp changfes to attempt to debug zarf p c seemingly not working * ci: update action version Signed-off-by: Zachariah Miller <[email protected]> * ci: remove zarf debug flags * ci: add BUNDLE_PATH env and test full bundle * test overriding which bundle to deploy with env var * test core demo package temporarily with hardcoded path until enhancement to action inputs * bump up runner for full test * bump up job timeout for full test * reduce runner size since error was due to timeout * Add multiple tests and bump task/action versions * update test and publish flow * fix the linting things, remove registry1 flavor bundle publish * update test workflow * update task versions * update shim and test and start docs * rename bundles to not be packaged as uds-uds- and update docs * change formatting slightly that i will never be content with * remove renovvate things from settings.json we no longer need because of wayne * Add list of packages in each bundle to the respective readmes * update dependencies.yaml * Apply suggestions from code review fix things that can be from suggestions Co-authored-by: Wayne Starr <[email protected]> * address review feedback * remove js debug things for now * remove duplicate task * fix typo in action version update and fix missing switch to architecture input * update bundle directory structure and rename dev bundle to omit k3d- since it doesnt include k3d inside it * fix local package pathing due to new bundle directory structure * fix hopefully the last path issue * ci: update doc shim matrix item to reflect updated bundle folder * add default for root dependency task arch --------- Signed-off-by: Zachariah Miller <[email protected]> Co-authored-by: Eric Wyles <[email protected]> Co-authored-by: Wayne Starr <[email protected]>
defenseunicorns · Mar 21, 2024 · c4b79ab · c4b79ab
1 parent 7a64cf7
commit c4b79ab
Show file tree

Hide file tree

Showing 30 changed files with 1,072 additions and 23 deletions.
diff --git a/.github/workflows/ci-docs-shim.yaml b/.github/workflows/ci-docs-shim.yaml
@@ -0,0 +1,36 @@
+name: CI Docs Shim
+
+on:
+  pull_request:
+    paths:
+      - "**.md"
+      - "**.jpg"
+      - "**.png"
+      - "**.gif"
+      - "**.svg"
+      - "adr/**"
+      - "docs/**"
+      - ".gitignore"
+      - "renovate.json"
+      - ".release-please-config.json"
+      - "release-please-config.json"
+      - "oscal-component.yaml"
+      - "CODEOWNERS"
+      - "LICENSE"
+      - "CONTRIBUTING.md"
+      - "SECURITY.md"
+
+jobs:
+  run-test:
+    name: ${{ matrix.type }} ${{ matrix.bundle }} ${{ matrix.flavor }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    strategy:
+      matrix:
+        flavor: [upstream]
+        type: [install]
+        bundle: ["k3d-demo", "dev"]
+    steps:
+      - name: Shim for ${{ matrix.type }} ${{ matrix.bundle }} ${{ matrix.flavor }}
+        run: |
+          echo "Documentation-only change detected; marking ${{ matrix.type }} ${{ matrix.bundle }} ${{ matrix.flavor }} as successful."
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
@@ -1,30 +1,13 @@
 name: Metadata
 
 on:
+  # This workflow is triggered on pull requests to the main branch.
   pull_request:
     branches: [main]
-    types: [opened, edited, synchronize]
+    types: [milestoned, opened, edited, synchronize]
 
-jobs:
-  title_check:
-    runs-on: ubuntu-latest
-    name: Validate PR Title
-    permissions:
-      pull-requests: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0
-
-      - name: Setup Node.js
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
 
-      - name: Install commitlint
-        run: npm install --save-dev @commitlint/{config-conventional,cli}
-
-      - name: Lint PR title
-        env:
-          pull_request_title: ${{ github.event.pull_request.title }}
-        run: echo "$pull_request_title" | npx commitlint
+jobs:
+  validate:
+    name: Validate
+    uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -0,0 +1,34 @@
+name: Scan
+
+on:
+  # This workflow is triggered on pull requests to the main branch.
+  pull_request:
+    branches: [main]
+    types: [milestoned, opened, synchronize]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    name: Lint
+    permissions:
+      contents: read # Allows reading the repo contents
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Environment setup
+        uses: defenseunicorns/uds-common/.github/actions/setup@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3
+        with:
+          username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
+          password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+
+      - name: Install lint deps
+        run: |
+          uds run lint:deps
+
+      - name: Lint the repository
+        run: |
+          uds run lint:yaml
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -0,0 +1,50 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '30 1 * * 6'
+  push:
+    branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge.
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml
@@ -0,0 +1,62 @@
+name: Publish UDS Software Factory
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  tag-new-version:
+    name: Tag New Version
+    permissions: write-all
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release-flag.outputs.release_created }}
+    steps:
+      - name: Create release tag
+        id: tag
+        uses: google-github-actions/release-please-action@a37ac6e4f6449ce8b3f7607e4d97d0146028dc0b # v4.1.0
+      - id: release-flag
+        run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> $GITHUB_OUTPUT
+
+  publish-package:
+    needs: tag-new-version
+    if: ${{ needs.tag-new-version.outputs.release_created == 'true' }}
+    runs-on: ubuntu-latest
+    name: Publish ${{ matrix.flavor }}
+    strategy:
+      matrix:
+        flavor: [upstream, registry1]
+        bundle_path: ["bundles/k3d-demo", "bundles/dev"]
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Environment setup
+        uses: defenseunicorns/uds-common/.github/actions/setup@0e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3
+        with:
+          username: ${{secrets.IRON_BANK_ROBOT_USERNAME}}
+          password: ${{secrets.IRON_BANK_ROBOT_PASSWORD}}
+
+      - name: Login to GHCR
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3
+        with:
+          registry: ghcr.io
+          username: dummy
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish Package
+        run: uds run -f tasks/publish.yaml test-bundle --set FLAVOR=${{ matrix.flavor }} --set BUNDLE_PATH=${{ matrix.bundle_path }}
+
+      - name: Save logs
+        if: always()
+        uses: defenseunicorns/uds-common/.github/actions/save-logs@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3
+        with:
+          suffix: '${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }}'
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -0,0 +1,66 @@
+name: Test
+
+# This workflow is triggered on pull requests to the main branch.
+on:
+  pull_request:
+    branches: [main]
+    types: [milestoned, opened, synchronize]
+    paths-ignore:
+      - "**.md"
+      - "**.jpg"
+      - "**.png"
+      - "**.gif"
+      - "**.svg"
+      - "adr/**"
+      - "docs/**"
+      - ".gitignore"
+      - "renovate.json"
+      - ".release-please-config.json"
+      - "release-please-config.json"
+      - "oscal-component.yaml"
+      - "CODEOWNERS"
+      - "LICENSE"
+      - "CONTRIBUTING.md"
+      - "SECURITY.md"
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+  group: test-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  run-test:
+    name: ${{ matrix.type }} ${{ matrix.bundle }} ${{ matrix.flavor }}
+    runs-on: uds-swf-ubuntu-big-boy-16-core
+    timeout-minutes: 40
+    strategy:
+      matrix:
+        flavor: [upstream]
+        type: [install]
+        bundle: ["k3d-demo", "dev"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Environment setup
+        uses: defenseunicorns/uds-common/.github/actions/setup@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3
+        with:
+          username: ${{secrets.IRON_BANK_ROBOT_USERNAME}}
+          password: ${{secrets.IRON_BANK_ROBOT_PASSWORD}}
+
+      - name: Test
+        uses: defenseunicorns/uds-common/.github/actions/test@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3
+        with:
+          flavor: ${{ matrix.flavor }}
+          type: ${{ matrix.type }}
+          options: "--set BUNDLE_PATH=bundles/${{ matrix.bundle }}"
+
+      - name: Save logs
+        if: always()
+        uses: defenseunicorns/uds-common/.github/actions/save-logs@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3
+        with:
+          suffix: ${{ matrix.type }}-${{ matrix.bundle }}-${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }}
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,3 @@
+zarf-package-*
+uds-bundle-*
+zarf-sbom
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,16 @@
+{
+    "yaml.schemas": {
+      "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.9.0/uds.schema.json": [
+        "**/uds-bundle.yaml"
+      ],
+
+      "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.9.0/tasks.schema.json": [
+        "tasks.yaml",
+        "tasks/**/*.yaml",
+        "src/**/validate.yaml"
+      ],
+      "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.9.0/zarf.schema.json": [
+        "**zarf.yaml"
+      ]
+    },
+  }
diff --git a/.yamllint b/.yamllint
@@ -0,0 +1,36 @@
+yaml-files:
+  - '**/*.y*ml'
+  - '.yamllint'
+
+ignore:
+  - '**/.terraform/**'
+  - '**/chart/templates**'
+
+rules:
+  anchors: enable
+  braces: enable
+  brackets: enable
+  colons: enable
+  commas: enable
+  comments:
+    level: warning
+  comments-indentation:
+    level: warning
+  document-end: disable
+  document-start:
+    level: warning
+  empty-lines: enable
+  empty-values: disable
+  float-values: disable
+  hyphens: enable
+  indentation: enable
+  key-duplicates: enable
+  key-ordering: disable
+  line-length: disable
+  new-line-at-end-of-file: enable
+  new-lines: enable
+  octal-values: disable
+  quoted-strings: disable
+  trailing-spaces: enable
+  truthy:
+    level: warning