chore: cleanup root level files and add SPDX check for Go files (#2431)

## Description

Some docs + SPDX + linting + file location cleanup.

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Signed-off-by: razzle <[email protected]>
Co-authored-by: Austin Abro <[email protected]>
Co-authored-by: Austin Abro <[email protected]>

.github/CONTRIBUTING.md

@@ -25,6 +25,9 @@ pre-commit install
 
 # install goimports
 go install golang.org/x/tools/cmd/goimports@latest
+
+# install revive
+go install github.com/mgechev/revive@latest
 ```
 
 Now every time you commit, the hooks will run and format your code, linting can be called via `make lint-go`.

.github/actions/install-tools/action.yaml

@@ -8,7 +8,11 @@ runs:
 
  - uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
 
- - run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin --tag v0.64.2"
+ - name: install grype
+ env:
+ # renovate: datasource=github-tags depName=anchore/grype versioning=semver
+ VERSION: v0.74.6
+ run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin $VERSION"
  shell: bash
 
  - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

.github/codeql.yaml

@@ -2,7 +2,7 @@ paths-ignore:
  - src/pkg/packager/network.go
  - src/pkg/utils/network.go
  - src/pkg/utils/credentials.go
- - docs-website/**
+ - site/**
  - build/**
 
 query-filters:

.github/workflows/scan-lint.yml

@@ -14,7 +14,7 @@ jobs:
  - name: Run Revive Action by pulling pre-built image
  uses: docker://morphy/revive-action:v2.5.7@sha256:087d4e61077087755711ab7e9fae3cc899b7bb07ff8f6a30c3dfb240b1620ae8
  with:
- config: revive.toml
+ config: hack/revive.toml
  # Exclude patterns, separated by semicolons (optional)
  exclude: "src/cmd/viper.go"
  # Path pattern (default: ./...)

.pre-commit-config.yaml

@@ -10,9 +10,11 @@ repos:
  - "--allow-missing-credentials"
  - id: detect-private-key
  - id: end-of-file-fixer
+ exclude: site/src/content/docs/commands/.*
  - id: fix-byte-order-marker
  - id: trailing-whitespace
  args: [--markdown-linebreak-ext=md]
+ exclude: site/src/content/docs/commands/.*
  - repo: https://github.com/sirosen/texthooks
  rev: 0.6.4
  hooks:
@@ -34,6 +36,17 @@ repos:
  - -w
  language: system
  pass_filenames: true
+ - id: lint
+ name: revive go lint
+ entry: revive
+ args:
+ - "-config"
+ - "hack/revive.toml"
+ - "-exclude"
+ - "src/cmd/viper.go"
+ files: .go$
+ language: system
+ pass_filenames: true
  - repo: https://github.com/python-jsonschema/check-jsonschema
  rev: 0.14.0
  hooks:

CODEOWNERS

@@ -1,35 +1,5 @@
 * @defenseunicorns/zarf
 
-# Docs & examples
-/adr/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/docs/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/examples/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-*.md @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-
-# Core code
-/src/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/go.* @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-main.go @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-
-# Init package
-/packages/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/zarf.yaml @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-
-# Docs Website
-/docs-website/ @Racer159 @Noxsios @jeff-mccoy @lucasrod16 @AustinAbro321
-
-# Privileged pipeline files
-/.github/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/hack/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/.gitignore @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/.golangci.yml @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/.goreleaser.yml @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/.grype.yaml @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/Dockerfile @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/renovate.json @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/Makefile @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-
-# Additional privileged files
 /CODEOWNERS @jeff-mccoy @austenbryan
 /cosign.pub @jeff-mccoy @austenbryan
 /LICENSE @jeff-mccoy @austenbryan

Makefile

@@ -3,7 +3,6 @@
 
 # Provide a default value for the operating system architecture used in tests, e.g. " APPLIANCE_MODE=true|false make test-e2e ARCH=arm64"
 ARCH ?= amd64
-KEY ?= ""
 ######################################################################################
 
 # Figure out which Zarf binary we should use based on the operating system we are on
@@ -219,11 +218,12 @@ test-docs-and-schema:
 
 # INTERNAL: used to test for new CVEs that may have been introduced
 test-cves:
- go run main.go tools sbom scan . -o json --exclude './docs-website' --exclude './examples' | grype --fail-on low
+ go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' | grype --fail-on low
 
 cve-report: ## Create a CVE report for the current project (must `brew install grype` first)
  @test -d ./build || mkdir ./build
- go run main.go tools sbom scan . -o json --exclude './docs-website' --exclude './examples' | grype -o template -t hack/.templates/grype.tmpl > build/zarf-known-cves.csv
+ go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' | grype -o template -t hack/grype.tmpl > build/zarf-known-cves.csv
 
 lint-go: ## Run revive to lint the go code (must `brew install revive` first)
- revive -config revive.toml -exclude src/cmd/viper.go -formatter stylish ./src/...
+ revive -config hack/revive.toml -exclude src/cmd/viper.go -formatter stylish ./src/...
+ hack/check-spdx-go.sh src >/dev/null || (echo "SPDX check for go failed, please run 'hack/check-spdx-go.sh src' to see the errors" && exit 1)

README.md

@@ -4,7 +4,7 @@
 [![Go version](https://img.shields.io/github/go-mod/go-version/defenseunicorns/zarf?filename=go.mod)](https://go.dev/)
 [![Build Status](https://img.shields.io/github/actions/workflow/status/defenseunicorns/zarf/release.yml)](https://github.com/defenseunicorns/zarf/actions/workflows/release.yml)
 [![Zarf Documentation Status](https://api.netlify.com/api/v1/badges/fe846ae4-25fb-4274-9968-90782640ee9f/deploy-status)](https://app.netlify.com/sites/zarf-docs/deploys)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/zarf/badge)](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/zarf)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/zarf/badge)](https://securityscorecards.dev/viewer/?uri=github.com/defenseunicorns/zarf)
 
 <img align="right" alt="zarf logo" src="site/src/assets/zarf-logo.png" height="256" />
 

hack/check-spdx-go.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Directory containing the Go files
+DIRECTORY="$1"
+
+# Array of paths to exclude from the check
+EXCLUDE_PATHS=(
+ "src/cmd/tools/helm/repo_update.go"
+ "src/cmd/tools/helm/repo_remove.go"
+ "src/cmd/tools/helm/load_plugins.go"
+ "src/cmd/tools/helm/repo_list.go"
+ "src/cmd/tools/helm/flags.go"
+ "src/cmd/tools/helm/repo_add.go"
+ "src/cmd/tools/helm/dependency.go"
+ "src/cmd/tools/helm/repo_index.go"
+ "src/cmd/tools/helm/repo.go"
+ "src/cmd/tools/helm/dependency_build.go"
+ "src/cmd/tools/helm/dependency_update.go"
+ "src/cmd/tools/helm/root.go"
+)
+
+BLACK='\033[0;30m'
+RED='\033[0;31m'
+RESET='\033[0m'
+
+# Function to check if a path is in the EXCLUDE_PATHS array
+is_excluded() {
+ local path="$1"
+ for exclude in "${EXCLUDE_PATHS[@]}"; do
+ if [[ "$path" == "$exclude"* ]]; then
+ return 0 # 0 means true/success in shell script
+ fi
+ done
+ return 1 # 1 means false/failure in shell script
+}
+
+# Flag to track if any file meets the condition
+found=0
+
+# Use process substitution to avoid subshell issue with the 'found' variable
+while IFS= read -r file; do
+ if is_excluded "$file"; then
+ echo -e "$BLACK$file$RESET"
+ continue
+ fi
+
+ # Use `head` to grab the first two lines and compare them directly
+ firstLine=$(head -n 1 "$file")
+ secondLine=$(head -n 2 "$file" | tail -n 1)
+
+ # Check if the lines do not match the specified strings
+ if [[ "$firstLine" != "// SPDX-License-Identifier: Apache-2.0" || "$secondLine" != "// SPDX-FileCopyrightText: 2021-Present The Zarf Authors" ]]; then
+ echo -e "$RED$file$RESET"
+ found=1
+ fi
+done < <(find "$DIRECTORY" -type f -name "*.go")
+
+# If any file met the condition, exit with status 1
+if [ "$found" -eq 1 ]; then
+ exit 1
+fi

hack/check-zarf-docs-and-schema.sh

@@ -1,4 +1,6 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
+
+set -euo pipefail
 
 if [ -z "$(git status -s ./site/src/content/docs/commands/ ./zarf.schema.json)" ]; then
  echo "Success!"

hack/create-zarf-schema.sh

@@ -1,4 +1,6 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
+
+set -euo pipefail
 
 # Create the json schema for the zarf.yaml
 go run main.go internal gen-config-schema > zarf.schema.json

hack/empty-config.toml

@@ -0,0 +1,3 @@
+# This is here so it can be used during certain Zarf commands
+# such as `internal gen-cli-docs` where we prefer an empty config
+# as opposed to the init package config at the base of the repo

hack/lint-all-zarf-packages.sh

@@ -1,4 +1,6 @@
-#!/bin/bash
+#!/usr/bin/env bash
+
+set -euo pipefail
 
 ZARF_BIN=$1
 LINT_SRC_TEST=$2
@@ -11,7 +13,7 @@ find "." -type f -name 'zarf.yaml' | while read -r yaml_file; do
  if [[ "$dir" == *src/test/* ]] && [ "$LINT_SRC_TEST" != true ]; then
  continue
  fi
- echo "Running 'zarf prepare lint' in directory: $dir"
- $ZARF_BIN prepare lint "$dir"
+ echo "Running 'zarf dev lint' in directory: $dir"
+ $ZARF_BIN dev lint "$dir"
  echo "---"
 done

revive.toml → hack/revive.toml

@@ -1,8 +1,8 @@
 ignoreGeneratedHeader = false
 severity = "warning"
 confidence = 0.8
-errorCode = 0
-warningCode = 0
+errorCode = 1
+warningCode = 1
 formatter = "stylish"
 
 [rule.blank-imports]

renovate.json

@@ -82,6 +82,16 @@
  "https:\\/\\/github.com\\/(?<depName>[\\w\\/\\-\\.\\+\\%]+?)\\/releases\\/download\\/(?<currentValue>[\\w\\/\\-\\.\\+\\%]+?)\\/"
  ],
  "datasourceTemplate": "github-releases"
+ },
+ {
+ "fileMatch": [
+ "\\.*\\.ya?ml$"
+ ],
+ "matchStrings": [
+ "# renovate: datasource=github-tags depName=anchore/grype versioning=semver\n\\s*VERSION: (?<currentValue>v[\\d.]+)"
+ ],
+ "datasourceTemplate": "github-tags",
+ "depNameTemplate": "anchore/grype"
  }
  ]
 }

site/astro.config.ts

@@ -7,7 +7,7 @@ import remarkGemoji from "remark-gemoji";
 // https://astro.build/config
 export default defineConfig({
  redirects: {
- '/docs/zarf-overview': '/'
+ "/docs/zarf-overview": "/",
  },
  markdown: {
  remarkPlugins: [remarkGemoji],
@@ -37,7 +37,10 @@ export default defineConfig({
  src: "./src/assets/zarf-logo-header.svg",
  replacesTitle: true,
  },
- customCss: ["./src/styles/custom.css"],
+ customCss: [
+ "./src/styles/custom.css",
+ "@fontsource/source-code-pro/400.css",
+ ],
  lastUpdated: true,
  sidebar: [
  {

site/package.json

@@ -17,6 +17,7 @@
  "dependencies": {
  "@astrojs/check": "^0.5.10",
  "@astrojs/starlight": "^0.21.2",
+ "@fontsource/source-code-pro": "^5.0.17",
  "astro": "^4.5.12",
  "mermaid": "^10.9.0",
  "rehype-autolink-headings": "^7.1.0",

site/src/content/docs/commands/zarf_tools_yq_eval.md

@@ -28,21 +28,21 @@ zarf tools yq eval [expression] [yaml_file1]... [flags]
 ```
 
 # Reads field under the given path for each file
-zarf tools yq e '.a.b' f1.yml f2.yml 
+zarf tools yq e '.a.b' f1.yml f2.yml
 
 # Prints out the file
-zarf tools yq e sample.yaml 
+zarf tools yq e sample.yaml
 
 # Pipe from STDIN
 ## use '-' as a filename to pipe from STDIN
 cat file2.yml | zarf tools yq e '.a.b' file1.yml - file3.yml
 
 # Creates a new yaml document
 ## Note that editing an empty file does not work.
-zarf tools yq e -n '.a.b.c = "cat"' 
+zarf tools yq e -n '.a.b.c = "cat"'
 
 # Update a file inplace
-zarf tools yq e '.a.b = "cool"' -i file.yaml 
+zarf tools yq e '.a.b = "cool"' -i file.yaml
 
 ```