defenseunicorns · Racer159 · Nov 15, 2023 · Oct 2, 2023 · Oct 3, 2023 · Oct 4, 2023
@@ -0,0 +1,25 @@
+{
+  "env": {
+    "browser": false,
+    "es2021": true
+  },
+  "extends": [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/recommended"
+  ],
+  "parser": "@typescript-eslint/parser",
+  "parserOptions": {
+    "ecmaVersion": 2022
+  },
+  "plugins": [
+    "@typescript-eslint"
+  ],
+  "ignorePatterns": [
+    "node_modules",
+    "dist",
+    "hack",
+    "build",
+    "capabilities/zarf-types.ts"
+  ],
+  "root": true
+}
@@ -0,0 +1,30 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: possible-bug
+assignees: ''
+---
+
+### Environment
+
+Device and OS:
+App version:
+Kubernetes distro being used:
+Other:
+
+### Steps to reproduce
+
+1.
+
+### Expected result
+
+### Actual Result
+
+### Visual Proof (screenshots, videos, text, etc)
+
+### Severity/Priority
+
+### Additional Context
+
+Add any other context or screenshots about the technical debt here.
@@ -0,0 +1,25 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: 'enhancement'
+assignees: ''
+---
+
+### Is your feature request related to a problem? Please describe.
+
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+### Describe the solution you'd like
+
+- **Given** a state
+- **When** an action is taken
+- **Then** something happens
+
+### Describe alternatives you've considered
+
+(optional) A clear and concise description of any alternative solutions or features you've considered.
+
+### Additional context
+
+Add any other context or screenshots about the feature request here.
@@ -0,0 +1,19 @@
+---
+name: Tech debt
+about: Record something that should be investigated or refactored in the future.
+title: ''
+labels: 'tech-debt'
+assignees: ''
+---
+
+### Describe what should be investigated or refactored
+
+A clear and concise description of what should be changed/researched. Ex. This piece of the code is not DRY enough [...]
+
+### Links to any relevant code
+
+(optional) i.e. - <https://github.com/defenseunicorns/zarf-init-aws/blob/main/README.md?plain=1#L1>
+
+### Additional context
+
+Add any other context or screenshots about the technical debt here.
@@ -0,0 +1,26 @@
+---
+name: UX Test
+about: Record something that should be investigated to test User Experience
+title: ''
+labels: 'ux'
+assignees: ''
+---
+
+## Driving Questions
+
+What are we hoping to validate?
+
+## Testing Plan
+
+User Persona:
+Sample Group:
+
+- [ ] Use Checklist for Tasks
+
+## Additional context
+
+Add any other context or screenshots about the UX test here.
+
+Related to issue: #
+
+## Link to Test & Results
@@ -0,0 +1,6 @@
+paths-ignore:
+  - build/**
+
+query-filters:
+  - exclude:
+      id: go/path-injection
@@ -0,0 +1,20 @@
+## Description
+
+...
+
+## Related Issue
+
+Fixes #
+<!-- or -->
+Relates to #
+
+## Type of change
+
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Other (security config, docs update, etc)
+
+## Checklist before merging
+
+- [ ] Test, docs, adr added or updated as needed
+- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf-init-aws/blob/main/CONTRIBUTING.md) followed
@@ -0,0 +1,75 @@
+name: Publish Zarf Init Package for AWS on Tag
+
+permissions:
+  contents: read
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: write
+    steps:
+      # Checkout the repo and setup the tooling for this job
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Install latest version of Zarf
+        uses: defenseunicorns/setup-zarf@main
+
+      - name: Install tools
+        uses: defenseunicorns/zarf/.github/actions/install-tools@main
+
+      - name: Setup Go
+        uses: defenseunicorns/zarf/.github/actions/golang@main
+
+      - name: Build ECR credential-helper binary
+        run: make build-credential-helper-linux-amd
+
+      - name: "ECR Credential Helper: Login to GHCR"
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: dummy
+          password: ${{ github.token }}
+
+      - name: "ECR Credential Helper: Build and Publish the Image"
+        run: docker buildx build --push --platform linux/amd64 --tag ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME .
+
+      # TODO@jeff-mccoy: Setup cosign signing key secrets in repo
+      # - name: "ECR Credential Helper: Sign the Image"
+      #   run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME
+      #   env:
+      #     COSIGN_EXPERIMENTAL: 1
+      #     AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
+      #     AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
+      #     AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
+
+      - name: Build AWS init package for release
+        run: make release-aws-init-package CREDENTIAL_HELPER_IMAGE_TAG=$GITHUB_REF_NAME
+
+      - name: Publish AWS Init Package as OCI and Skeleton
+        run: make publish-aws-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
+
+      # Create a CVE report based on this build
+      - name: Create release time CVE report
+        run: make cve-report
+
+      - name: Save CVE report
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: cve-report
+          path: build/zarf-known-cves.csv
+
+      # Create GitHub release and upload the AWS init package as a release artifact
+      - name: Create GitHub release and upload AWS init package as release artifact
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
+        run: gh release create "$GITHUB_REF_NAME" ./build/zarf-init-*.tar.zst --generate-notes --verify-tag
@@ -0,0 +1,66 @@
+name: Analyze CodeQL
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    paths-ignore:
+      - "**.md"
+      - "**.jpg"
+      - "**.png"
+      - "**.gif"
+      - "**.svg"
+      - "adr/**"
+      - "docs/**"
+      - "CODEOWNERS"
+  schedule:
+    - cron: "32 2 * * 5"
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go", "javascript", "typescript"]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Setup Go
+        uses: defenseunicorns/zarf/.github/actions/golang@main
+
+      - name: Setup NodeJS
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        with:
+          node-version: 20
+          cache: "npm"
+          cache-dependency-path: "package-lock.json"
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
+        env:
+          CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql.yaml
+
+      - name: Build
+        run: make build-credential-helper-linux-amd
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
+        with:
+          category: "/language:${{matrix.language}}"
@@ -0,0 +1,30 @@
+name: Analyze CVEs
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    - cron: "0 10 * * *"
+  pull_request:
+    paths:
+      - "**/package.json"
+      - "**/package-lock.json"
+      - "go.mod"
+      - "go.sum"
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Install tools
+        uses: defenseunicorns/zarf/.github/actions/install-tools@main
+
+      - name: Install latest version of Zarf
+        uses: defenseunicorns/setup-zarf@main
+
+      - name: Check for CVEs in Dependencies
+        run: make test-cves
@@ -0,0 +1,23 @@
+name: Validate Schema Generation
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Setup Go
+        uses: defenseunicorns/zarf/.github/actions/golang@main
+
+      - name: Check that 'make gen-schema' was ran
+        run: make test-gen-schema
+
+      - name: Save logs
+        if: always()
+        uses: defenseunicorns/zarf/.github/actions/save-logs@main
@@ -0,0 +1,15 @@
+name: Validate Labels
+on:
+  pull_request:
+    types: [labeled, unlabeled, opened, edited, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  enforce:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024 # 2.2.2
+        with:
+          BANNED_LABELS: "needs-docs,needs-tests,needs-adr,needs-git-sign-off"