chore!: add containerization and packaging manifest lints

.dockerignore

@@ -1,4 +1,11 @@
 **/*.tar.zst
+**/*.log*
+**/__pycache__
+**/.ruff_cache
 **/Dockerfile*
 **/.gitignore
-**/Makefile
+**/Makefile
+**/node_modules
+**/.svelte-kit
+**/zarf-sbom/
+**/zarf-*.tar.zst

.github/release-please-config.json

@@ -45,6 +45,11 @@
           "type": "generic",
           "path": "**/hugo.toml",
           "glob": true
+        },
+        {
+          "type": "generic",
+          "path": ".github/workflows/e2e-registry1-weekly.yaml",
+          "glob": true
         }
       ]
     }

.github/workflows/docker-lint.yaml

@@ -0,0 +1,40 @@
+name: Docker Lint
+
+on:
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - "**/Dockerfile"
+      - "**/Dockerfile.migrations"
+      - "**/.dockerignore"
+      - ".github/workflows/docker-lint.yaml"
+
+concurrency:
+  group: docker-lint-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  docker-lint:
+    runs-on: ubuntu-latest
+    name: Lint Docker Manifest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Checkout Repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
+        with:
+          dockerfile: "*Dockerfile*"
+          recursive: true
+          config: .hadolint.yaml

.github/workflows/e2e-registry1-weekly.yaml

@@ -27,6 +27,7 @@ jobs:
   test-flavors:
     runs-on: ai-ubuntu-big-boy-8-core
     name: e2e_registry1_weekly
+    if: ${{ !github.event.pull_request.draft }}
 
     permissions:
       contents: read
@@ -36,16 +37,27 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          # x-release-please-start-version
+          ref: "v0.12.2"
+          # x-release-please-end
 
       - name: Setup Python
         uses: ./.github/actions/python
 
-      - name: Setup UDS Cluster
-        uses: ./.github/actions/uds-cluster
+      # TODO: remove hardcoded uds-cluster action due to incorrect usage in v0.12.2
+      - name: Setup UDS Environment
+        uses: defenseunicorns/uds-common/.github/actions/setup@822dac4452e6815aadcf09f487406ff258756a0c # v0.14.0
         with:
           registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
           registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
           ghToken: ${{ secrets.GITHUB_TOKEN }}
+          udsCliVersion: 0.14.0
+
+      - name: Create UDS Cluster
+        shell: bash
+        run: |
+          make create-uds-cpu-cluster
 
       - name: Setup Playwright
         run: |
@@ -58,6 +70,7 @@ jobs:
 
       # Mutate UDS bundle definition to use Registry1 packages
       - name: Mutation to Registry1 Bundle
+        # TODO: fix bundle path
         run: |
           uds zarf tools yq -i '.packages[1] |= del(.repository)' bundles/latest/cpu/uds-bundle.yaml
           uds zarf tools yq -i '.packages[1] |= .ref = "registry1"' bundles/latest/cpu/uds-bundle.yaml
@@ -68,29 +81,20 @@ jobs:
         run: |
           cd bundles/latest/cpu
           uds create . --confirm && \
-            uds deploy uds-bundle-leapfrogai-amd64-registry1.tar.zst \
-              --set LEAPFROGAI_API_BASE_URL="http://leapfrogai-api.leapfrogai.svc.cluster.local:8080" --confirm --no-progress && \
+            uds deploy --set DISABLE_KEYCLOAK=true uds-bundle-leapfrogai-amd64-registry1.tar.zst --confirm --no-progress && \
             rm -rf uds-bundle-leapfrogai-amd64-registry1.tar.zst && \
             docker system prune -af
 
       - name: Generate Secrets
         id: generate_secrets
         run: |
-          PASSWORD=$(cat <(openssl rand -base64 32 | tr -dc 'a-zA-Z0-9!@#$%^&*()_+-=[]{}|;:,.<>?' | head -c 20) <(echo '!@1Aa') | fold -w1 | shuf | tr -d '\n')
-          echo "::add-mask::$PASSWORD"
-          echo "FAKE_E2E_USER_PASSWORD=$PASSWORD" >> $GITHUB_OUTPUT
           ANON_KEY=$(uds zarf tools kubectl get secret supabase-bootstrap-jwt -n leapfrogai -o jsonpath='{.data.anon-key}' | base64 -d)
           echo "::add-mask::$ANON_KEY"
           echo "ANON_KEY=$ANON_KEY" >> $GITHUB_OUTPUT
-          SERVICE_ROLE_KEY=$(uds zarf tools kubectl get secret -n leapfrogai supabase-bootstrap-jwt -o jsonpath={.data.service-key} | base64 -d)
-          echo "::add-mask::$SERVICE_ROLE_KEY"
-          echo "SERVICE_ROLE_KEY=$SERVICE_ROLE_KEY" >> $GITHUB_OUTPUT
 
       - name: Verify Secrets
         run: |
-          echo "FAKE_E2E_USER_PASSWORD is set: ${{ steps.generate_secrets.outputs.FAKE_E2E_USER_PASSWORD != '' }}"
           echo "ANON_KEY is set: ${{ steps.generate_secrets.outputs.ANON_KEY != '' }}"
-          echo "SERVICE_ROLE_KEY is set: ${{ steps.generate_secrets.outputs.SERVICE_ROLE_KEY != '' }}"
 
       # Backends
       - name: Run Backend Tests
@@ -105,18 +109,11 @@ jobs:
 
       - name: Run Playwright E2E Tests
         env:
-          SERVICE_ROLE_KEY: ${{ steps.generate_secrets.outputs.SERVICE_ROLE_KEY }}
-          FAKE_E2E_USER_PASSWORD: ${{ steps.generate_secrets.outputs.FAKE_E2E_USER_PASSWORD }}
           ANON_KEY: ${{ steps.generate_secrets.outputs.ANON_KEY }}
         run: |
-          chmod +x ./.github/scripts/createUser.sh
-          ./.github/scripts/createUser.sh
-
           cp src/leapfrogai_ui/.env.example src/leapfrogai_ui/.env
-          mkdir -p playwright/auth
-          touch playwright/auth.user.json
 
-          SERVICE_ROLE_KEY=$SERVICE_ROLE_KEY TEST_ENV=CI USERNAME=doug PASSWORD=$FAKE_E2E_USER_PASSWORD PUBLIC_SUPABASE_ANON_KEY=$ANON_KEY npm --prefix src/leapfrogai_ui run test:integration:ci
+          TEST_ENV=CI PUBLIC_DISABLE_KEYCLOAK=true PUBLIC_SUPABASE_ANON_KEY=$ANON_KEY npm --prefix src/leapfrogai_ui run test:integration:ci
 
       - name: Archive Playwright Report
         uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6

.github/workflows/helm-lint.yaml

@@ -0,0 +1,76 @@
+name: Helm Lint
+
+on:
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - "**/chart"
+      - "**/values"
+      - "**/*values.yaml"
+      - ".github/workflows/helm-lint.yaml"
+
+concurrency:
+  group: helm-lint-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  helm-lint:
+    runs-on: ubuntu-latest
+    name: Lint Helm Charts
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Checkout Repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Setup Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        with:
+          version: "v3.13.3"
+
+      - name: Lint API Helm Charts
+        if: always()
+        run: |
+          helm lint packages/api/chart --quiet
+
+      - name: Lint llama-cpp-python Helm Charts
+        if: always()
+        run: |
+          helm lint packages/llama-cpp-python/chart --quiet
+
+      - name: Lint text-embeddings Helm Charts
+        if: always()
+        run: |
+          helm lint packages/text-embeddings/chart --quiet
+
+      - name: Lint vllm Helm Charts
+        if: always()
+        run: |
+          helm lint packages/vllm/chart --quiet
+
+      - name: Lint whisper Helm Charts
+        if: always()
+        run: |
+          helm lint packages/whisper/chart --quiet
+
+      - name: Lint repeater Helm Charts
+        if: always()
+        run: |
+          helm lint packages/repeater/chart --quiet
+
+      - name: Lint UI Helm Charts
+        if: always()
+        run: |
+          helm lint packages/ui/chart --quiet
+
+      # TODO: we will not be linting or refactoring Supabase charts until GitHub issue #968 is resolved and a path forward is provided

.github/workflows/uds-lint.yaml

@@ -0,0 +1,48 @@
+name: UDS Lint
+
+on:
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - "bundles/**"
+      - ".github/workflows/uds-lint.yaml"
+
+concurrency:
+  group: uds-lint-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  uds-lint:
+    runs-on: ubuntu-latest
+    name: Lint UDS Manifest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Set up Python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version-file: "pyproject.toml"
+
+      - name: Install jsonschema
+        run: pip install check-jsonschema==0.28.0
+
+      - name: Download UDS Bundle Schema
+        run: curl -o uds.schema.json https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.14.0/uds.schema.json
+
+      - name: Validate uds-bundle.yaml (dev)
+        if: always()
+        run: |
+          check-jsonschema bundles/dev/gpu/uds-bundle.yaml --schemafile uds.schema.json
+          check-jsonschema bundles/dev/cpu/uds-bundle.yaml --schemafile uds.schema.json
+
+      - name: Validate uds-bundle.yaml (latest)
+        if: always()
+        run: |
+          check-jsonschema bundles/latest/gpu/uds-bundle.yaml --schemafile uds.schema.json
+          check-jsonschema bundles/latest/cpu/uds-bundle.yaml --schemafile uds.schema.json

.github/workflows/zarf-lint.yaml

@@ -0,0 +1,77 @@
+name: Zarf Lint
+
+on:
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - "**/zarf.yaml"
+      - ".github/workflows/zarf-lint.yaml"
+
+concurrency:
+  group: zarf-lint-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zarf-lint:
+    runs-on: ubuntu-latest
+    name: Lint Zarf Manifest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Set up Python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version-file: "pyproject.toml"
+
+      - name: Download Zarf Package Schema
+        # TODO: renovate setup
+        run: curl -o zarf.schema.json https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.14.0/zarf.schema.json
+
+      - name: Install jsonschema
+        run: pip install check-jsonschema==0.28.0
+
+      - name: Validate API zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/api/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate llama-cpp-python zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/llama-cpp-python/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate repeater zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/repeater/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate supabase zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/supabase/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate text-embeddings zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/text-embeddings/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate UI zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/ui/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate vllm zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/vllm/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate whisper zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/whisper/zarf.yaml --schemafile zarf.schema.json

.gitignore

@@ -30,6 +30,7 @@ src/leapfrogai_api/config.yaml
 node_modules
 package.json
 package-lock.json
+**/*.schema.json
 
 # local model and tokenizer files
 *.bin

.hadolint.yaml

@@ -0,0 +1,13 @@
+failure-threshold: error
+# TODO: slowly burn down these lower priority container warnings and errors, issue #984
+ignored:
+  - DL3007 # use of latest image
+  - DL3042 # pip --no-cache-dir
+  - DL4006 # shell usage warning
+  - DL3009 # apt-get list
+  - DL3015 # --no-install-recommends
+  - DL3018 # pinning distro package versions
+  - DL3008 # pinning distro package versions
+  - DL3045 # usage of relative COPY
+  - DL3002 # last user as root
+  - SC2086 # double quote vs single quote usage