chore: create initial repository layout and package

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,27 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: 'possible-bug 🐛'
+assignees: ''
+---
+
+### Environment
+Device and OS:
+App/package versions:
+Kubernetes distro being used:
+Other:
+
+### Steps to reproduce
+1.
+
+### Expected result
+
+### Actual Result
+
+### Visual Proof (screenshots, videos, text, etc)
+
+### Severity/Priority
+
+### Additional Context
+Add any other context or screenshots about the technical debt here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,22 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: 'enhancement ✨'
+assignees: ''
+---
+
+### Is your feature request related to a problem? Please describe.
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+### Describe the solution you'd like
+
+- **Given** a state
+- **When** an action is taken
+- **Then** something happens
+
+### Describe alternatives you've considered
+(optional) A clear and concise description of any alternative solutions or features you've considered.
+
+### Additional context
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/tech_debt.md

@@ -0,0 +1,16 @@
+---
+name: Tech debt
+about: Record something that should be investigated or refactored in the future.
+title: ''
+labels: 'tech-debt 💳'
+assignees: ''
+---
+
+### Describe what should be investigated or refactored
+A clear and concise description of what should be changed/researched. Ex. This piece of the code is not DRY enough [...]
+
+### Links to any relevant code
+(optional) i.e. - https://github.com/defenseunicorns/uds-package-sigstore/blob/main/README.md?plain=1#L1
+
+### Additional context
+Add any other context or screenshots about the technical debt here.

.github/pull_request_template.md

@@ -0,0 +1,20 @@
+## Description
+
+...
+
+## Related Issue
+
+Fixes #
+<!-- or -->
+Relates to #
+
+## Type of change
+
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Other (security config, docs update, etc)
+
+## Checklist before merging
+
+- [ ] Test, docs, adr added or updated as needed
+- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-sigstore/blob/main/CONTRIBUTING.md#developer-workflow) followed

.github/workflows/ci-docs-shim.yaml

@@ -0,0 +1,20 @@
+name: CI Docs Shim
+
+on:
+  pull_request:
+    branches: [main]
+    types: [milestoned, opened, synchronize]
+
+jobs:
+  run-test:
+    name: ${{ matrix.type }} ${{ matrix.flavor }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        flavor: [upstream]
+        type: [install, upgrade]
+    steps:
+      - name: Shim for ${{ matrix.type }} ${{ matrix.flavor }}
+        run: |
+          echo "Documentation-only change detected; marking ${{ matrix.type }} ${{ matrix.flavor }} as successful."

.github/workflows/commitlint.yaml

@@ -0,0 +1,11 @@
+name: Metadata
+
+on:
+  pull_request:
+    branches: [main]
+    types: [milestoned, opened, edited, synchronize]
+
+jobs:
+  validate:
+    name: Validate
+    uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0

.github/workflows/lint.yaml

@@ -0,0 +1,35 @@
+name: Scan
+
+on:
+  # This workflow is triggered on pull requests to the main branch.
+  pull_request:
+    branches: [main]
+    types: [milestoned, opened, synchronize]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    name: Lint
+    permissions:
+      contents: read # Allows reading the repo contents
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          fetch-depth: 0
+
+      - name: Environment setup
+        uses: defenseunicorns/uds-common/.github/actions/setup@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        with:
+          registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
+          registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+          ghToken: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install lint deps
+        run: |
+          uds run lint:deps --no-progress
+
+      - name: Lint the repository
+        run: |
+          uds run lint:yaml --no-progress

.github/workflows/scorecard.yaml

@@ -0,0 +1,50 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '30 1 * * 6'
+  push:
+    branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge.
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
+        with:
+          sarif_file: results.sarif

.github/workflows/tag-and-release.yaml

@@ -0,0 +1,67 @@
+name: Publish UDS Package Sigstore
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  tag-new-version:
+    name: Tag New Version
+    permissions: write-all
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release-flag.outputs.release_created }}
+    steps:
+      - name: Create release tag
+        id: tag
+        uses: google-github-actions/release-please-action@b887451af5bc7edb3f1b040349a3405b018fe48a # v0.7.0
+      - id: release-flag
+        run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> $GITHUB_OUTPUT
+
+  publish-package:
+    needs: tag-new-version
+    if: ${{ needs.tag-new-version.outputs.release_created == 'true' }}
+    runs-on: ${{ matrix.architecture == 'arm64' && 'uds-swf-ubuntu-arm64-4-core' || 'ubuntu-latest' }}
+    name: Publish ${{ matrix.flavor }} ${{ matrix.architecture }}
+    strategy:
+      matrix:
+        flavor: [upstream]
+        architecture: [amd64, arm64]
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+
+      - name: Environment setup
+        uses: defenseunicorns/uds-common/.github/actions/setup@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        with:
+          registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
+          registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+          ghToken: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build Package
+        run: uds run -f tasks/publish.yaml build-package --set FLAVOR=${{ matrix.flavor }} --no-progress
+
+      - name: Test Package
+        if: ${{ runner.arch != 'ARM64' }}
+        run: uds run -f tasks/publish.yaml test-package --set FLAVOR=${{ matrix.flavor }} --no-progress
+
+      - name: Publish Package
+        run: uds run -f tasks/publish.yaml publish-package --set FLAVOR=${{ matrix.flavor }} --no-progress
+
+      - name: Debug Output
+        if: ${{ always() }}
+        uses: defenseunicorns/uds-common/.github/actions/debug-output@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+
+      - name: Save logs
+        if: always()
+        uses: defenseunicorns/uds-common/.github/actions/save-logs@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        with:
+          suffix: ${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }}

.github/workflows/test.yaml

@@ -0,0 +1,69 @@
+name: Test
+
+on:
+  pull_request:
+    branches: [main]
+    types: [milestoned, opened, synchronize]
+    paths-ignore:
+      - "**.md"
+      - "**.jpg"
+      - "**.png"
+      - "**.gif"
+      - "**.svg"
+      - "adr/**"
+      - "docs/**"
+      - ".gitignore"
+      - "renovate.json"
+      - ".release-please-config.json"
+      - "release-please-config.json"
+      - "oscal-component.yaml"
+      - "CODEOWNERS"
+      - "LICENSE"
+      - "CONTRIBUTING.md"
+      - "SECURITY.md"
+
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+  group: test-${{ github.ref }}-${{ inputs.package }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: ${{ matrix.type }} ${{ matrix.flavor }}
+    runs-on: uds-swf-ubuntu-big-boy-4-core # TODO: (@WSTARR) Replace once repo is made public
+    timeout-minutes: 25
+    strategy:
+      matrix:
+        flavor: [upstream]
+        type: [install]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+
+      - name: Environment setup
+        uses: defenseunicorns/uds-common/.github/actions/setup@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        with:
+          registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
+          registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+          ghToken: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Test
+        uses: defenseunicorns/uds-common/.github/actions/test@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        with:
+          flavor: ${{ matrix.flavor }}
+          type: ${{ matrix.type }}
+
+      - name: Debug Output
+        if: ${{ always() }}
+        uses: defenseunicorns/uds-common/.github/actions/debug-output@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+
+      - name: Save logs
+        if: always()
+        uses: defenseunicorns/uds-common/.github/actions/save-logs@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        with:
+          suffix: ${{ matrix.type }}-${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }}

.gitignore

@@ -0,0 +1,8 @@
+.cache/
+.idea/
+.vscode/
+build/
+.DS_Store
+*.tar.zst
+zarf-sbom
+tmp/

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+    ".": "1.11.0-uds.1"
+}

.yamllint

@@ -0,0 +1,37 @@
+yaml-files:
+  - '**/*.y*ml'
+  - '.yamllint'
+
+# Ignore files from upstream
+ignore:
+  - '**/chart/templates**'
+
+
+rules:
+  anchors: enable
+  braces: enable
+  brackets: enable
+  colons: enable
+  commas: enable
+  comments:
+    level: warning
+  comments-indentation:
+    level: warning
+  document-end: disable
+  document-start:
+    level: warning
+  empty-lines: enable
+  empty-values: disable
+  float-values: disable
+  hyphens: enable
+  indentation: enable
+  key-duplicates: enable
+  key-ordering: disable
+  line-length: disable
+  new-line-at-end-of-file: enable
+  new-lines: enable
+  octal-values: disable
+  quoted-strings: disable
+  trailing-spaces: enable
+  truthy:
+    level: warning