Merge branch 'main' into adr/schema

zarf-dev · Aug 23, 2024 · 09ff6a4 · 09ff6a4
2 parents 8af8885 + 951b4e6
commit 09ff6a4
Show file tree

Hide file tree

Showing 70 changed files with 1,409 additions and 564 deletions.
diff --git a/.github/workflows/publish-application-packages.yml b/.github/workflows/publish-application-packages.yml
@@ -5,22 +5,24 @@ permissions:
 
 on:
   workflow_dispatch:
-    inputs:
-      branchName:
-        description: "Branch to build the packages from"
-        required: true
-        default: "main"
 
 jobs:
   publish-packages:
     runs-on: ubuntu-latest
     permissions:
+      id-token: write
       packages: write
     steps:
       - name: "Checkout Repo"
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Auth with AWS
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
-          ref: ${{ github.event.inputs.branchName }}
+          role-to-assume: ${{ secrets.AWS_KMS_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
+          aws-region: us-east-2
+          role-duration-seconds: 3600
 
       - name: Install The Latest Release Version of Zarf
         uses: defenseunicorns/setup-zarf@10e539efed02f75ec39eb8823e22a5c795f492ae #v1.0.1
@@ -39,12 +41,8 @@ jobs:
           zarf package create -o build -a arm64 examples/dos-games --signing-key=awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} --confirm
 
           # Publish a the signed dos-games package
-          zarf package publish ./build/zarf-package-dos-games-amd64-1.0.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub
-          zarf package publish ./build/zarf-package-dos-games-arm64-1.0.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub
+          zarf package publish ./build/zarf-package-dos-games-amd64-1.1.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub
+          zarf package publish ./build/zarf-package-dos-games-arm64-1.1.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub
 
           # Publish a skeleton of the dos-games package
           zarf package publish examples/dos-games oci://ghcr.io/zarf-dev/packages
-        env:
-          AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,6 +12,7 @@ jobs:
   build-release:
     runs-on: ubuntu-latest
     permissions:
+      id-token: write
       packages: write
     steps:
       # Checkout the repo and setup the tooling for this job
@@ -53,13 +54,18 @@ jobs:
           rm build/zarf-linux-arm64
           echo ZARF_AGENT_IMAGE_DIGEST=$(docker buildx imagetools inspect ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest) >> $GITHUB_ENV
 
+      - name: Auth with AWS
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_KMS_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
+          aws-region: us-east-2
+          role-duration-seconds: 3600
+
       - name: "Zarf Agent: Sign the Image"
         run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/zarf-dev/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y
         env:
           COSIGN_EXPERIMENTAL: 1
-          AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
 
       # Builds init packages since GoReleaser won't handle this for us
       - name: Build init-packages For Release

diff --git a/.github/workflows/scan-codeql.yml b/.github/workflows/scan-codeql.yml
@@ -53,7 +53,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@29d86d22a34ea372b1bbf3b2dced2e25ca6b3384 # v3.26.1
+        uses: github/codeql-action/init@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql.yaml
@@ -62,6 +62,6 @@ jobs:
         run: make build-cli-linux-amd
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@29d86d22a34ea372b1bbf3b2dced2e25ca6b3384 # v3.26.1
+        uses: github/codeql-action/analyze@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -44,6 +44,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@29d86d22a34ea372b1bbf3b2dced2e25ca6b3384 # v3.26.1
+        uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/test-import.yaml b/.github/workflows/test-import.yaml
@@ -0,0 +1,50 @@
+name: Test Import
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+  group: import-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test-import:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Setup Go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run test Go program that imports Zarf
+        run: |
+          cd $(mktemp -d)
+          echo "$GO_MAIN" > main.go
+          go mod init github.com/zarf-dev/test-import
+          go mod edit -replace github.com/zarf-dev/zarf=github.com/${{ github.repository }}@${COMMIT_SHA:0:12}
+          go mod tidy
+          cat go.mod | grep -q ${COMMIT_SHA:0:12}
+          go run main.go
+        env:
+          COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+          GO_MAIN: |
+            package main
+
+            import (
+            	"fmt"
+
+            	"github.com/zarf-dev/zarf/src/api/v1alpha1"
+            	"github.com/zarf-dev/zarf/src/pkg/packager"
+            )
+
+            func main() {
+            	fmt.Println(packager.Packager{})
+            	fmt.Println(v1alpha1.ZarfComponent{})
+            }
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -1,5 +1,5 @@
 run:
-  timeout: 5m
+  timeout: 10m
 linters:
   disable-all: true
   enable:

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -40,15 +40,3 @@ repos:
         types: [go]
         language: golang
         pass_filenames: false
-  - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.14.0
-    hooks:
-      - id: check-jsonschema
-        name: "Validate Zarf Configs Against Schema"
-        files: "zarf.yaml"
-        types: [yaml]
-        args: ["--schemafile", "zarf.schema.json"]
-        exclude: |
-          (?x)^(
-            src/test/packages/12-lint/.*
-          )$
diff --git a/cosign.pub b/cosign.pub
@@ -1,14 +1,14 @@
 -----BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9u472y/wY0tjIiR2T6rY
-zOG1q4qwx5ZdmnoGsiG0Zc3rYo2DMiuKciG0MI4opCf4IID7kfYOD4aWILymwFID
-xW0L6pEbxknHRQacWZSf/qfA+aAcjbKOY3ZWU8/uLJJeq37Y4OLc17ThJ7ZOj1Yf
-Uvj81Uz9ZWVW7kYY31vWCruJh4VxZLsUAmFc6CsQUtzSGordLhh1b1rDP6ZRAaIP
-mQnniULogwIBqnUTkIVwxiRYG+V2a3IC5vqlBLQRQ3UOWQ9mgZcfcXuTA6Fh8bwO
-2lG768UfI1RBYioXAgXbPwXK+kM3Idvjcr+X2F3VpYWhHTscMIQF0ERzK7BkRqRI
-x9l/RRm5lP+9a1kt6giYtvX2OqEsWaG3lTen3ocwblaHRlmqnaiVBtAnVny6QDHX
-9p1HPMD/NjWjZucxWMjtdL5FZxBywbJVlxhe7sFByMoBZYhea9vGGSn2M2Q9kPiq
-Bgl6bKZdeYIhaKQ7wrNkS6YVHMIqqpCIUI6/YGYwnu0hodbjR0yA2LFx4TgFZAuY
-uGEiRP4Oi7WEOPkjRjP7kPXGpEBB7ulZ/Wohq1B6pB1Odo8WlfJRAek319F2aqqh
-J1c3YdZ/w3EvCLKd+Inp1UNbamb79UN6jtwhqwKw72YbZh/yP0rim49lQ++umwPX
-JWqG8iY/UzGB/3ch4/Wb09UCAwEAAQ==
------END PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr6pqXju3qrkVae35GIuG
+F58+zMd5XGMVgPkxFrdrJZ/3Ag65y7j4QsrcCFkXYAYNIy9iZliXypsxrr3oajJv
+EgLDAc0CqtWYa0tuT2kAP4YHzxVkLC8MZLhQ1fuj9QKylm3OIMf18ZAnp12upmK8
+SBvrYxtWfTOv4KBgRGdIO0U9M/dwNnodGosY0znyHD9dp1G7qRA7BNpOsuXoaLa/
+aSQ2X0icoq5N8BLLOl3/23w6nCV+G32HFD0/AurDZVMC8o6N91AkX3smfWINkNk+
+QUrCkjhlAMxtBPi2TCYB4PimOKLpO/q/hwfixkHJcx8zPY/UZCCJGrsOcdFdvN/M
+FkxqVZ2vBv+8LaElSAmbzsjVpg4w3QMk/6fVuU2rBtwog7DekuV/J5SwGCyTfC/4
+R8SetTsEpYgtDWp8+vugcfZTg5+7rPnMfNG16HdwJoC+LnWbeot6X2ZepTu4CrkV
+qCAfFlu9G9sy2ZrwT5gnFT9JoKPVRTgkYmADgSfF0njKjuFKfk+aEVIrKRCVbExe
+VtfmM1A9OfP4vCtCKw7tE5fFhmAa5v2D6LS/rG2m99fbZjDdeK9y22OZZyUCZaUN
+TM+VQTuY1bwXY0/XEhUHxP0Fzk2VGQVslwXgW305SzR8Yh/bTbE4pkNGpOta+4s2
+E5ZMlZgQX8x4gSfbxmBHgP0CAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/examples/composable-packages/zarf.yaml b/examples/composable-packages/zarf.yaml
@@ -31,7 +31,7 @@ components:
     # default: false    # the initial value overrides the child component
     import:
       # The URL to the skeleton package containing this component's package definition
-      url: oci://🦄/dos-games:1.0.0
+      url: oci://ghcr.io/zarf-dev/packages/dos-games:1.1.0
       # Example optional custom name to point to in the imported package (default is to use this component's name)
       name: baseline
     # Un'name'd Zarf primitives will be appended to the end of the primitive's list for that component.

diff --git a/examples/dos-games/zarf.yaml b/examples/dos-games/zarf.yaml
@@ -2,7 +2,7 @@ kind: ZarfPackageConfig
 metadata:
   name: dos-games
   description: Simple example to load classic DOS games into K8s in the airgap
-  version: 1.0.0
+  version: 1.1.0
 
 components:
   - name: baseline

diff --git a/packages/zarf-registry/zarf.yaml b/packages/zarf-registry/zarf.yaml
@@ -111,7 +111,7 @@ components:
         architecture: amd64
     files:
       # Rust Injector Binary
-      - source: https://zarf-public.s3-us-gov-west-1.amazonaws.com/injector/###ZARF_PKG_TMPL_INJECTOR_VERSION###/zarf-injector-amd64
+      - source: https://zarf-init.s3.us-east-2.amazonaws.com/injector/###ZARF_PKG_TMPL_INJECTOR_VERSION###/zarf-injector-amd64
         target: "###ZARF_TEMP###/zarf-injector"
         shasum: "###ZARF_PKG_TMPL_INJECTOR_AMD64_SHASUM###"
         executable: true
@@ -126,7 +126,7 @@ components:
         architecture: arm64
     files:
       # Rust Injector Binary
-      - source: https://zarf-public.s3-us-gov-west-1.amazonaws.com/injector/###ZARF_PKG_TMPL_INJECTOR_VERSION###/zarf-injector-arm64
+      - source: https://zarf-init.s3.us-east-2.amazonaws.com/injector/###ZARF_PKG_TMPL_INJECTOR_VERSION###/zarf-injector-arm64
         target: "###ZARF_TEMP###/zarf-injector"
         shasum: "###ZARF_PKG_TMPL_INJECTOR_ARM64_SHASUM###"
         executable: true

diff --git a/site/src/content/docs/getting-started/index.mdx b/site/src/content/docs/getting-started/index.mdx
@@ -23,7 +23,7 @@ import { Tabs, TabItem, LinkCard, CardGrid } from '@astrojs/starlight/components
     # (Select optional components as desired)
 
     # Now you are ready to deploy any Zarf Package, try out our Retro Arcade!!
-    zarf package deploy oci://🦄/dos-games:1.0.0 --key=https://zarf.dev/cosign.pub
+    zarf package deploy oci://ghcr.io/zarf-dev/packages/dos-games:1.1.0 --key=https://zarf.dev/cosign.pub
     # (Select 'Y' to confirm deployment)
     ```
 
@@ -39,7 +39,7 @@ import { Tabs, TabItem, LinkCard, CardGrid } from '@astrojs/starlight/components
     zarf init --confirm
 
     # Deploy the DOS Games package
-    zarf package deploy oci://🦄/dos-games:1.0.0 \
+    zarf package deploy oci://ghcr.io/zarf-dev/packages/dos-games:1.1.0 \
        --key=https://zarf.dev/cosign.pub \
        --confirm
     ```

diff --git a/site/src/content/docs/ref/deploy.mdx b/site/src/content/docs/ref/deploy.mdx
@@ -140,6 +140,12 @@ By default, Zarf waits for all resources to deploy successfully during install,
 
 You can override this behavior during install and upgrade by setting the `noWait: true` key under the `charts` and `manifests` fields.
 
+:::note
+
+Deployments will wait for helm [post-install hooks](https://helm.sh/docs/topics/charts_hooks/#the-available-hooks) to complete even with `noWait` set to `true` as Zarf follows the [Helm release lifecycle](https://helm.sh/docs/topics/charts_hooks/#hooks-and-the-release-lifecycle)
+
+:::
+
 ### Timeout Settings
 
 The default timeout for Helm operations in Zarf is 15 minutes.

diff --git a/src/cmd/root.go b/src/cmd/root.go
@@ -96,7 +96,8 @@ func Execute(ctx context.Context) {
 	if len(comps) > 1 && comps[1] == "tools" && slices.Contains(defaultPrintCmds, comps[2]) {
 		cmd.PrintErrln(cmd.ErrPrefix(), err.Error())
 	} else {
-		pterm.Error.Println(err.Error())
+		errParagraph := message.Paragraph(err.Error())
+		pterm.Error.Println(errParagraph)
 	}
 	os.Exit(1)
 }