Merge branch 'main' into adr/schema

zarf-dev · Aug 8, 2024 · 9bba04c · 9bba04c
2 parents 3048d5c + 02f2932
commit 9bba04c
Show file tree

Hide file tree

Showing 371 changed files with 6,818 additions and 5,753 deletions.
diff --git a/.github/.codecov.yml b/.github/.codecov.yml
@@ -0,0 +1,20 @@
+# To validate:
+#   cat codecov.yml | curl --data-binary @- https://codecov.io/validate
+
+codecov:
+  notify:
+    require_ci_to_pass: yes
+
+coverage:
+  status:
+    patch: false
+
+  status:
+    project:
+      default:
+        target: auto
+        threshold: 1%
+    patch:
+      default:
+        enabled: no # disable patch since it is noisy and not correct
+        if_not_found: success
diff --git a/.github/ISSUE_TEMPLATE/tech_debt.md b/.github/ISSUE_TEMPLATE/tech_debt.md
@@ -10,7 +10,7 @@ assignees: ''
 A clear and concise description of what should be changed/researched. Ex. This piece of the code is not DRY enough [...]
 
 ### Links to any relevant code
-(optional) i.e. - https://github.com/defenseunicorns/zarf/blob/main/README.md?plain=1#L1
+(optional) i.e. - https://github.com/zarf-dev/zarf/blob/main/README.md?plain=1#L1
 
 ### Additional context
 Add any other context or screenshots about the technical debt here.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -1,6 +1,6 @@
 # Reporting Security Issues
 
-To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/defenseunicorns/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/zarf-dev/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
 
 ### When Should I Report a Vulnerability?
 

diff --git a/.github/actions/cleanup-files/action.yaml b/.github/actions/cleanup-files/action.yaml
@@ -7,10 +7,16 @@ runs:
     - run: |
         lsblk -f
 
+        echo "removing some github actions pre-installed tools to save space"
+        sudo rm -rf /usr/share/dotnet
+        sudo rm -rf /opt/ghc
+        sudo rm -rf /opt/hostedtoolcache/CodeQL
+        sudo docker system prune --all --force
+
+        echo "removing zarf sboms, packages, cache"
         sudo rm -rf zarf-sbom /tmp/zarf-*
         sudo env "PATH=$PATH" CI=true make delete-packages
         sudo build/zarf tools clear-cache
-        sudo docker system prune --all --force
 
         lsblk -f
       shell: bash
diff --git a/.github/actions/debug-cluster/action.yaml b/.github/actions/debug-cluster/action.yaml
@@ -0,0 +1,22 @@
+name: debug-cluster
+description: "Setup Go binary and caching"
+
+runs:
+  using: composite
+  steps:
+    - run: |
+        echo "***** Getting pods *****"
+        kubectl get pods -A
+
+        echo "***** Getting pods yaml *****"
+        kubectl get pods -A -o yaml
+
+        echo "***** Describing pods *****"
+        kubectl describe pods -A
+
+        echo "***** Getting nodes *****"
+        kubectl get nodes -A
+
+        echo "***** describing nodes *****"
+        kubectl describe nodes -A
+      shell: bash
diff --git a/.github/actions/install-tools/action.yaml b/.github/actions/install-tools/action.yaml
@@ -8,11 +8,4 @@ runs:
 
     - uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
 
-    - name: install grype
-      env:
-        # renovate: datasource=github-tags depName=anchore/grype versioning=semver
-        VERSION: v0.74.6
-      run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin $VERSION"
-      shell: bash
-
     - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: daily
+  - package-ecosystem: cargo
+    directory: /
+    schedule:
+      interval: daily
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -11,4 +11,4 @@ Relates to #
 ## Checklist before merging
 
 - [ ] Test, docs, adr added or updated as needed
-- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed
+- [ ] [Contributor Guide Steps](https://github.com/zarf-dev/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed
diff --git a/.github/workflows/build-rust-injector.yml b/.github/workflows/build-rust-injector.yml
@@ -2,25 +2,21 @@ name: Zarf Injector Rust Binaries
 
 permissions:
   contents: read
+  id-token: write
 
 on:
   workflow_dispatch:
     inputs:
       versionTag:
         description: "Version tag"
         required: true
-      branchName:
-        description: "Branch to build the injector from"
-        required: true
 
 jobs:
   build-injector:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout Repo"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          ref: ${{ github.event.inputs.branchName }}
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Install tools
         uses: ./.github/actions/install-tools
@@ -37,13 +33,14 @@ jobs:
           shasum zarf-injector-amd64 >> checksums.txt
           shasum zarf-injector-arm64 >> checksums.txt
 
-      - name: Set AWS Credentials
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      - name: Auth with AWS
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
-          aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
-          aws-region: us-gov-west-1
+          role-to-assume: ${{ secrets.AWS_WRITE_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
+          aws-region: us-east-2
+          role-duration-seconds: 3600
 
       - name: Sync Artifacts to S3
         run: |
-          aws s3 sync src/injector/dist/ s3://zarf-public/injector/${{ github.event.inputs.versionTag }}/
+          aws s3 sync src/injector/dist/ s3://zarf-init/injector/${{ github.event.inputs.versionTag }}/
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
@@ -16,12 +16,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
 
       - name: Setup Node.js
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
 
       - name: Install commitlint
         run: npm install --save-dev @commitlint/{config-conventional,cli}

diff --git a/.github/workflows/compare-cves.yml b/.github/workflows/compare-cves.yml
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -6,10 +6,10 @@ permissions:
   contents: read
 
 jobs:
-  validate:
+  dependency-review:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Dependency Review
-        uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
diff --git a/.github/workflows/dummy-dco.yaml b/.github/workflows/dummy-dco.yaml
@@ -0,0 +1,12 @@
+name: DCO
+on:
+  merge_group:
+
+permissions:
+  contents: read
+
+jobs:
+  DCO:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "dummy DCO workflow (it won't run any check actually) to trigger by merge_group in order to enable merge queue"
diff --git a/.github/workflows/nightly-ecr.yml b/.github/workflows/nightly-ecr.yml
@@ -2,7 +2,6 @@ name: Test ECR Publishing
 on:
   schedule:
    - cron: '0 7 * * * ' ## Every day at 0700 UTC
-
   workflow_dispatch: ## Give us the ability to run this manually
 
 
@@ -16,23 +15,25 @@ permissions:
   contents: read
 
 jobs:
-  validate:
+  ecr-nightly-test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Setup golang
         uses: ./.github/actions/golang
 
       - name: Build the Zarf binary
         run: make build-cli-linux-amd
 
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      - name: Auth with AWS
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
           aws-region: us-east-1
+          role-duration-seconds: 3600
 
       # NOTE: The aws cli will need to be explicitly installed on self-hosted runners
       - name: Login to the ECR Registry

diff --git a/.github/workflows/nightly-eks.yml b/.github/workflows/nightly-eks.yml
@@ -2,7 +2,6 @@ name: Test EKS Cluster
 on:
   schedule:
    - cron: '0 7 * * *' ## Every day at 0700 UTC
-
   workflow_dispatch: ## Give us the ability to run this manually
     inputs:
       cluster_name:
@@ -24,24 +23,25 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  validate:
+  eks-nightly-test:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Setup golang
         uses: ./.github/actions/golang
 
       - name: Build binary and zarf packages
         uses: ./.github/actions/packages
 
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      - name: Auth with AWS
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
           aws-region: us-east-1
-          role-duration-seconds: 14400
+          role-duration-seconds: 7200
 
       - name: Build the eks package
         run: ./build/zarf package create packages/distros/eks -o build --confirm
@@ -55,7 +55,11 @@ jobs:
             --confirm
 
       - name: Run tests
-        run: make test-e2e ARCH=amd64
+        run: make test-e2e-with-cluster ARCH=amd64
+
+      - name: show cluster logs
+        uses: ./.github/actions/debug-cluster
+        if: always()
 
       - name: Teardown the cluster
         if: always()

diff --git a/.github/workflows/publish-application-packages.yml b/.github/workflows/publish-application-packages.yml
@@ -18,15 +18,15 @@ jobs:
       packages: write
     steps:
       - name: "Checkout Repo"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ github.event.inputs.branchName }}
 
       - name: Install The Latest Release Version of Zarf
-        uses: defenseunicorns/setup-zarf@f95763914e20e493bb5d45d63e30e17138f981d6 # v1.0.0
+        uses: defenseunicorns/setup-zarf@10e539efed02f75ec39eb8823e22a5c795f492ae #v1.0.1
 
       - name: "Login to GHCR"
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: dummy
@@ -39,11 +39,11 @@ jobs:
           zarf package create -o build -a arm64 examples/dos-games --signing-key=awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} --confirm
 
           # Publish a the signed dos-games package
-          zarf package publish ./build/zarf-package-dos-games-amd64-1.0.0.tar.zst oci://ghcr.io/defenseunicorns/packages --key=https://zarf.dev/cosign.pub
-          zarf package publish ./build/zarf-package-dos-games-arm64-1.0.0.tar.zst oci://ghcr.io/defenseunicorns/packages --key=https://zarf.dev/cosign.pub
+          zarf package publish ./build/zarf-package-dos-games-amd64-1.0.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub
+          zarf package publish ./build/zarf-package-dos-games-arm64-1.0.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub
 
           # Publish a skeleton of the dos-games package
-          zarf package publish examples/dos-games oci://ghcr.io/defenseunicorns/packages
+          zarf package publish examples/dos-games oci://ghcr.io/zarf-dev/packages
         env:
           AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
           AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}