Merge branch 'main' into lock-down-egress

.github/actions/lint-check/action.yaml

@@ -0,0 +1,19 @@
+name: lint-check
+description: "Check Project for Linting Errors"
+
+runs:
+  using: composite
+  steps:
+    - name: Use Node.js latest
+      uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+      with:
+        node-version: 20
+    - name: Set up Homebrew
+      uses: Homebrew/actions/setup-homebrew@master
+    - name: Install UDS CLI
+      # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
+      run: brew install defenseunicorns/tap/[email protected]
+      shell: bash
+    - name: Run Formatting Checks
+      run: uds run lint-check --no-progress
+      shell: bash

.github/actions/save-logs/action.yaml

@@ -34,7 +34,7 @@ runs:
         sudo chown $USER /tmp/uds-*.log || echo ""
       shell: bash
 
-    - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+    - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
       with:
         name: debug-log${{ inputs.suffix }}
         path: |

.github/actions/setup/action.yaml

@@ -33,13 +33,13 @@ runs:
     - name: Install UDS CLI
       shell: bash
       # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-      run: brew install defenseunicorns/tap/[email protected].1
+      run: brew install defenseunicorns/tap/[email protected].2
 
     - name: Install Lula
       uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1
       with:
         # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced
-        version: v0.5.1
+        version: v0.6.0
 
     - name: Iron Bank Login
       if: ${{ inputs.registry1Username != '' }}

.github/filters.yaml

@@ -3,25 +3,96 @@ all:
 
 authservice:
   - "src/authservice/**"
+  - "!**/*.md"
+  - "!**/*.jpg"
+  - "!**/*.png"
+  - "!**/*.gif"
+  - "!**/*.svg"
+
 grafana:
   - "src/grafana/**"
+  - "!**/*.md"
+  - "!**/*.jpg"
+  - "!**/*.png"
+  - "!**/*.gif"
+  - "!**/*.svg"
+
 istio:
   - "src/istio/**"
+  - "!**/*.md"
+  - "!**/*.jpg"
+  - "!**/*.png"
+  - "!**/*.gif"
+  - "!**/*.svg"
+
 keycloak:
   - "src/keycloak/**"
+  - "!**/*.md"
+  - "!**/*.jpg"
+  - "!**/*.png"
+  - "!**/*.gif"
+  - "!**/*.svg"
+
 kiali:
   - "src/kiali/**"
+  - "!**/*.md"
+  - "!**/*.jpg"
+  - "!**/*.png"
+  - "!**/*.gif"
+  - "!**/*.svg"
+
 loki:
   - "src/loki/**"
+  - "!**/*.md"
+  - "!**/*.jpg"
+  - "!**/*.png"
+  - "!**/*.gif"
+  - "!**/*.svg"
+
 metrics-server:
   - "src/metrics-server/**"
+  - "!**/*.md"
+  - "!**/*.jpg"
+  - "!**/*.png"
+  - "!**/*.gif"
+  - "!**/*.svg"
+
 neuvector:
   - "src/neuvector/**"
+  - "!**/*.md"
+  - "!**/*.jpg"
+  - "!**/*.png"
+  - "!**/*.gif"
+  - "!**/*.svg"
+
 prometheus-stack:
   - "src/prometheus-stack/**"
+  - "!**/*.md"
+  - "!**/*.jpg"
+  - "!**/*.png"
+  - "!**/*.gif"
+  - "!**/*.svg"
+
 promtail:
   - "src/promtail/**"
+  - "!**/*.md"
+  - "!**/*.jpg"
+  - "!**/*.png"
+  - "!**/*.gif"
+  - "!**/*.svg"
+
 tempo:
   - "src/tempo/**"
+  - "!**/*.md"
+  - "!**/*.jpg"
+  - "!**/*.png"
+  - "!**/*.gif"
+  - "!**/*.svg"
+
 velero:
   - "src/velero/**"
+  - "!**/*.md"
+  - "!**/*.jpg"
+  - "!**/*.png"
+  - "!**/*.gif"
+  - "!**/*.svg"

.github/workflows/commitlint.yaml

@@ -24,8 +24,8 @@ jobs:
 
       - name: Install commitlint
         run: |
-          npm install --save-dev @commitlint/config-conventional@19.2.2
-          npm install --save-dev @commitlint/cli@19.3.0
+          npm install --save-dev @commitlint/config-conventional@19.4.1
+          npm install --save-dev @commitlint/cli@19.4.1
 
       - name: Lint PR title
         env:

.github/workflows/compliance.yaml

@@ -68,7 +68,7 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload Evaluated Assessment
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: ${{ inputs.flavor }}-assessment-results
           path: ./compliance/oscal-assessment-results.yaml

.github/workflows/docs-shim.yaml

@@ -0,0 +1,43 @@
+name: CI Docs
+
+on:
+  pull_request:
+    types: [milestoned, opened, reopened, synchronize]
+    paths:
+      - "**.md"
+      - "**.jpg"
+      - "**.png"
+      - "**.gif"
+      - "**.svg"
+      - docs/**
+      - .vscode/**
+      - .gitignore
+      - renovate.json
+      - .release-please-config.json
+      - release-please-config.json
+      - CODEOWNERS
+      - LICENSE
+
+jobs:
+  lint-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: lint-check
+        uses: ./.github/actions/lint-check
+
+  run-package-test:
+    needs: lint-check
+    name: Schedule
+    strategy:
+      matrix:
+        package: [all]
+        flavor: [upstream, registry1, unicorn]
+        test_type: [install, upgrade]
+    uses: ./.github/workflows/test-shim.yaml
+    with:
+      package: ${{ matrix.package }}
+      flavor: ${{ matrix.flavor }}
+      test_type: ${{ matrix.test_type }}
+    secrets: inherit # Inherits all secrets from the parent workflow.

.github/workflows/nightly-testing.yaml

@@ -10,6 +10,11 @@ on:
       - .github/bundles/*
       - .github/test-infra/buckets-iac/*
 
+# Abort prior jobs in the same workflow / PR
+concurrency:
+  group: test-eks-dev-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   nightly-testing:
     name: Test Core on EKS

.github/workflows/publish.yaml

@@ -1,6 +1,7 @@
 name: Publish UDS Core
 
 on:
+  # triggered by tag-and-release.yaml and snapshot-release.yaml
   workflow_call:
     inputs:
       snapshot:

.github/workflows/pull-request-conditionals.yaml

@@ -5,6 +5,20 @@ on:
   pull_request:
     # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow).
     types: [milestoned, opened, reopened, synchronize]
+    paths-ignore:
+      - "**.md"
+      - "**.jpg"
+      - "**.png"
+      - "**.gif"
+      - "**.svg"
+      - docs/**
+      - .vscode/**
+      - .gitignore
+      - renovate.json
+      - .release-please-config.json
+      - release-please-config.json
+      - CODEOWNERS
+      - LICENSE
 
 # Permissions for the GITHUB_TOKEN used by the workflow.
 permissions:
@@ -27,19 +41,10 @@ jobs:
   lint-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
-      - name: Use Node.js latest
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
-        with:
-          node-version: 20
-      - name: Set up Homebrew
-        uses: Homebrew/actions/setup-homebrew@master
-      - name: Install UDS CLI
-        shell: bash
-        # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-        run: brew install defenseunicorns/tap/[email protected]
-      - name: Run Formatting Checks
-        run: uds run lint-check --no-progress
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: lint-check
+        uses: ./.github/actions/lint-check
 
   # This job checks if there are changes in specific paths source packages.
   check-paths:
@@ -59,6 +64,7 @@ jobs:
         uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         with:
           filters: .github/filters.yaml
+          predicate-quantifier: every
 
   # This job triggers a separate workflow for each changed source package, if any.
   run-package-test:

.github/workflows/slim-dev-test.yaml

@@ -6,13 +6,18 @@ on:
     # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow).
     types: [milestoned, opened, reopened, synchronize]
     paths:
-      - src/pepr/*
-      - src/keycloak/*
-      - src/istio/*
-      - src/prometheus-stack/*
-      - packages/slim-dev/*
-      - bundles/k3d-slim-dev/*
-      - .github/workflows/slim-dev*
+      - src/pepr/**
+      - src/keycloak/**
+      - src/istio/**
+      - src/prometheus-stack/**
+      - packages/slim-dev/**
+      - bundles/k3d-slim-dev/**
+      - .github/workflows/slim-dev**
+      - "!**/*.md"
+      - "!**.jpg"
+      - "!**.png"
+      - "!**.gif"
+      - "!**.svg"
 
 # Permissions for the GITHUB_TOKEN used by the workflow.
 permissions:

.github/workflows/test-eks.yaml

@@ -1,6 +1,7 @@
 name: Test Core On EKS
 
 on:
+  # triggered by nightly-testing.yaml
   workflow_call:
     inputs:
       flavor:
@@ -54,7 +55,7 @@ jobs:
         run: uds run -f tasks/iac.yaml install-eksctl --no-progress
 
       - name: Setup Tofu
-        uses: opentofu/setup-opentofu@ae80d4ecaab946d8f5ff18397fbf6d0686c6d46a # v1.0.3
+        uses: opentofu/setup-opentofu@12f4debbf681675350b6cd1f0ff8ecfbda62027b # v1.0.4
         with:
           tofu_version: 1.8.1
           tofu_wrapper: false

.github/workflows/test-shim.yaml

@@ -0,0 +1,42 @@
+name: Test Shim
+
+on:
+  # Manual trigger
+  workflow_dispatch:
+    inputs:
+      package:
+        type: string
+        description: "The name of the source package to test"
+        required: true
+      flavor:
+        type: string
+        description: "Flavor of the source package to test"
+        required: true
+      test_type:
+        type: string
+        description: "The type of test to perform"
+        required: true
+    # Triggered by pull-request-conditionals.yaml
+  workflow_call:
+    inputs:
+      package:
+        type: string
+        description: "The name of the source package to test"
+        required: true
+      flavor:
+        type: string
+        description: "Flavor of the source package to test"
+        required: true
+      test_type:
+        type: string
+        description: "The type of test to perform"
+        required: true
+
+jobs:
+  test:
+    runs-on: 'ubuntu-latest'
+    name: Test
+    steps:
+      - name: Skipped
+        run: |
+          echo skipped

.github/workflows/test.yaml

@@ -71,7 +71,7 @@ jobs:
 
       - name: Upload Assessment
         if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }}
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: ${{ inputs.flavor }}-assessment-results
           path: ./compliance/oscal-assessment-results.yaml

.vscode/settings.json

@@ -9,18 +9,18 @@
   },
   "yaml.schemas": {
     // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-    "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.14.1/uds.schema.json": [
+    "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.14.2/uds.schema.json": [
       "uds-bundle.yaml"
     ],
 
     // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-    "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.14.1/tasks.schema.json": [
+    "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.14.2/tasks.schema.json": [
       "tasks.yaml",
       "tasks/**/*.yaml",
       "src/**/validate.yaml"
     ],
     // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-    "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.14.1/zarf.schema.json": [
+    "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.14.2/zarf.schema.json": [
       "zarf.yaml"
     ]
   },