chore: implement upgrade tests for sonarqube

.github/workflows/ci-docs-shim.yaml

@@ -22,13 +22,14 @@ on:
 
 jobs:
   run-test:
-    name: Create and Deploy Flavor ${{ matrix.flavor }}
+    name: ${{ matrix.type }} ${{ matrix.flavor }}
     runs-on: "ubuntu-latest"
     timeout-minutes: 20
     strategy:
       matrix:
         flavor: [upstream, registry1]
+        type: [install, upgrade]
     steps:
-      - name: Shim for Deploy ${{ matrix.flavor }}
+      - name: Shim for ${{ matrix.type }} ${{ matrix.flavor }}
         run: |
-          echo "Documentation-only change detected; marking Deploy ${{ matrix.flavor }} as successful."
+          echo "Documentation-only change detected; marking ${{ matrix.type }} ${{ matrix.flavor }} as successful."

.github/workflows/commitlint.yaml

@@ -8,4 +8,4 @@ on:
 jobs:
   validate:
     name: Validate
-    uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@442bae718050ea9a47254851a45632aabeb13b17
+    uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@05f42bb3117b66ebef8c72ae050b34bce19385f5 # v0.3.6

.github/workflows/lint.yaml

@@ -0,0 +1,33 @@
+name: Scan
+
+on:
+  # This workflow is triggered on pull requests to the main branch.
+  pull_request:
+    branches: [main]
+    types: [milestoned, opened, synchronize]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    name: Lint
+    permissions:
+      contents: read # Allows reading the repo contents
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Environment setup
+        uses: defenseunicorns/uds-common/.github/actions/setup@05f42bb3117b66ebef8c72ae050b34bce19385f5 # v0.3.6
+        with:
+          username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
+          password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+
+      - name: Install lint deps
+        run: |
+          uds run lint:deps
+      - name: Lint the repository
+        run: |
+          uds run lint:yaml

.github/workflows/scorecard.yaml

@@ -5,7 +5,7 @@ on:
   schedule:
     - cron: '30 1 * * 6'
   push:
-    branches: [ "main" ]
+    branches: ["main"]
 
 # Declare default permissions as read only.
 permissions: read-all

.github/workflows/tag-and-release.yaml

@@ -31,28 +31,28 @@ jobs:
     permissions:
       contents: read
       packages: write
-    
+
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Environment setup
-        uses: defenseunicorns/uds-common/.github/actions/setup@442bae718050ea9a47254851a45632aabeb13b17
+        uses: defenseunicorns/uds-common/.github/actions/setup@05f42bb3117b66ebef8c72ae050b34bce19385f5 # v0.3.6
         with:
           username: ${{secrets.IRON_BANK_ROBOT_USERNAME}}
           password: ${{secrets.IRON_BANK_ROBOT_PASSWORD}}
-    
+
       - name: Login to GHCR
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
         with:
           registry: ghcr.io
           username: dummy
           password: ${{ secrets.GITHUB_TOKEN }}
-    
+
       - name: Publish Package
         run: uds run -f tasks/publish.yaml package --set FLAVOR=${{ matrix.flavor }}
 
       - name: Save logs
         if: always()
-        uses: defenseunicorns/uds-common/.github/actions/save-logs@442bae718050ea9a47254851a45632aabeb13b17
+        uses: defenseunicorns/uds-common/.github/actions/save-logs@05f42bb3117b66ebef8c72ae050b34bce19385f5 # v0.3.6
         with:
-          suffix: ${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }}
+          suffix: ${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }}

.github/workflows/test.yaml

@@ -3,7 +3,7 @@ name: Test
 on:
   pull_request:
     branches: [main]
-    types: [milestoned, opened, edited, synchronize]  
+    types: [milestoned, opened, synchronize]
     paths-ignore:
       - "**.md"
       - "**.jpg"
@@ -20,7 +20,7 @@ on:
       - "CODEOWNERS"
       - "LICENSE"
       - "CONTRIBUTING.md"
-      - "SECURITY.md"  
+      - "SECURITY.md"
 
 # Abort prior jobs in the same workflow / PR
 concurrency:
@@ -32,31 +32,32 @@ permissions:
 
 jobs:
   run-test:
-    name: Create and Deploy Flavor ${{ matrix.flavor }}
+    name: ${{ matrix.type }} ${{ matrix.flavor }}
     runs-on: ubuntu-latest
     timeout-minutes: 20
     strategy:
       matrix:
         flavor: [upstream, registry1]
+        type: [install, upgrade]
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Environment setup
-        uses: defenseunicorns/uds-common/.github/actions/setup@442bae718050ea9a47254851a45632aabeb13b17
+        uses: defenseunicorns/uds-common/.github/actions/setup@05f42bb3117b66ebef8c72ae050b34bce19385f5 # v0.3.6
         with:
           username: ${{secrets.IRON_BANK_ROBOT_USERNAME}}
           password: ${{secrets.IRON_BANK_ROBOT_PASSWORD}}
 
       - name: Test
-        uses: defenseunicorns/uds-common/.github/actions/test@442bae718050ea9a47254851a45632aabeb13b17
+        uses: defenseunicorns/uds-common/.github/actions/test@05f42bb3117b66ebef8c72ae050b34bce19385f5 # v0.3.6
         with:
           flavor: ${{ matrix.flavor }}
+          type: ${{ matrix.type }}
 
       - name: Save logs
         if: always()
-        uses: defenseunicorns/uds-common/.github/actions/save-logs@442bae718050ea9a47254851a45632aabeb13b17
+        uses: defenseunicorns/uds-common/.github/actions/save-logs@05f42bb3117b66ebef8c72ae050b34bce19385f5 # v0.3.6
         with:
-          suffix: ${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }}
-
+          suffix: ${{ matrix.type }}-${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }}

.yamllint

@@ -0,0 +1,35 @@
+yaml-files:
+  - '**/*.y*ml'
+  - '.yamllint'
+
+ignore:
+  - 'chart/templates**'
+
+rules:
+  anchors: enable
+  braces: enable
+  brackets: enable
+  colons: enable
+  commas: enable
+  comments:
+    level: warning
+  comments-indentation:
+    level: warning
+  document-end: disable
+  document-start:
+    level: warning
+  empty-lines: enable
+  empty-values: disable
+  float-values: disable
+  hyphens: enable
+  indentation: enable
+  key-duplicates: enable
+  key-ordering: disable
+  line-length: disable
+  new-line-at-end-of-file: enable
+  new-lines: enable
+  octal-values: disable
+  quoted-strings: disable
+  trailing-spaces: enable
+  truthy:
+    level: warning

README.md

@@ -27,17 +27,9 @@ The released packages can be found in [ghcr](https://github.com/defenseunicorns/
 
 ## UDS Tasks (for local dev and CI)
 
-*For local dev, this requires installing [uds-cli](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install)
-
-| Task | Description | Example |
-| ---- | ----------- | ------- |
-| setup-cluster | Uses the `k3d-core-istio` bundle to create a cluster for testing against | `uds run setup-cluster` |
-| create-package | Creates just the SonarQube package | `uds run create-package --set FLAVOR=<flavor>` |
-| create-test-bundle | Creates SonarQube and SonarQube dependency packages and then bundles them | `uds run create-test-bundle` |
-| deploy-package | Deploy SonarQube package only | `uds run deploy-package` |
-| deploy-test-bundle | Deploy SonarQube and SonarQube dependency bundle | `uds run deploy-test-bundle` |
-| test-package | Run checks against a deployed package or bundle | `uds run test-package` |
-| cleanup | Teardown the cluster | `uds run cleanup` |
+*For local dev, this requires you install [uds-cli](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install)
+
+> :white_check_mark: **Tip:** To get a list of tasks to run you can use `uds run --list`!
 
 ## Contributing
 

bundle/uds-bundle.yaml

@@ -10,7 +10,7 @@ packages:
   - name: dev-postgres
     repository: ghcr.io/defenseunicorns/packages/uds/dev-postgres
     ref: 0.0.1
-  
+
   - name: dev-secrets
     path: ../
     ref: 0.1.0

bundle/uds-config.yaml

@@ -4,4 +4,3 @@ variables:
     db_name: "sonarqubedb"
   sonarqube:
     sonarqube_db_endpoint: "postgresql.dev-postgres.svc.cluster.local"
-

common/zarf.yaml

@@ -2,22 +2,21 @@
 kind: ZarfPackageConfig
 metadata:
   name: sonarqube-common
-  description: "UDS SonarQube Common Package" 
+  description: "UDS SonarQube Common Package"
 
 components:
   - name: sonarqube
-    required: true
     description: "Deploy sonarqube"
     charts:
-    - name: uds-sonarqube-config
-      namespace: sonarqube
-      version: 0.1.0
-      localPath: ../chart
-    - name: sonarqube
-      namespace: sonarqube
-      # see note in README.md about use of registry1 chart for both flavors
-      url: https://repo1.dso.mil/big-bang/product/packages/sonarqube.git
-      gitPath: chart
-      version: "8.0.3-bb.0"
-      valuesFiles:
-        - ../values/common-values.yaml
+      - name: uds-sonarqube-config
+        namespace: sonarqube
+        version: 0.1.0
+        localPath: ../chart
+      - name: sonarqube
+        namespace: sonarqube
+        # see note in README.md about use of registry1 chart for both flavors
+        url: https://repo1.dso.mil/big-bang/product/packages/sonarqube.git
+        gitPath: chart
+        version: "8.0.3-bb.0"
+        valuesFiles:
+          - ../values/common-values.yaml

oscal-component.yaml

@@ -31,27 +31,27 @@ component-definition:
             - uuid: 55993d5e-a53f-4a85-8e5e-949f0da24b43
               control-id: au-2
               description: >-
-                SonarQube creates logs as it conducts secure code scanning within the secure DevSecOps pipeline.  
+                SonarQube creates logs as it conducts secure code scanning within the secure DevSecOps pipeline.
             - uuid: 25b50886-be11-46ae-bece-8c832fb85426
               control-id: au-3
               description: >-
-                SonarQube creates logs as it conducts secure code scanning within the secure DevSecOps pipeline.  
+                SonarQube creates logs as it conducts secure code scanning within the secure DevSecOps pipeline.
             - uuid: 1e89f273-7e85-4e76-8c10-190c3fdfddfc
               control-id: au-3.1
               description: >-
-                SonarQube creates logs as it conducts secure code scanning within the secure DevSecOps pipeline.  
+                SonarQube creates logs as it conducts secure code scanning within the secure DevSecOps pipeline.
             - uuid: 2afccc07-f998-46f0-a05f-55985c9e58a0
               control-id: au-8
               description: >-
                 SonarQube event logs contain NIST compliant timestamps.
             - uuid: 92f94bdb-e8da-45a6-9f0e-6cd4dc49eaa6
               control-id: ca-2.2
               description: >-
-                SonarQube runs automated code scanning to discover vulnerabilities as apart of the secure DevSecOps pipeline as code it committed. 
+                SonarQube runs automated code scanning to discover vulnerabilities as apart of the secure DevSecOps pipeline as code it committed.
             - uuid: c092d3d3-66ca-4922-ac76-d38440640648
               control-id: ca-7
               description: >-
-                SonarQube assists with the ConMon process be conducting automated security code scanning in the secure DevSecOps pipelines to discover code vulnerabilities as code is committed.  
+                SonarQube assists with the ConMon process be conducting automated security code scanning in the secure DevSecOps pipelines to discover code vulnerabilities as code is committed.
             - uuid: e4037835-5d80-4f09-9303-42045e5a588f
               control-id: cm-3.6
               description: >-
@@ -105,4 +105,4 @@ component-definition:
       - uuid: 2501ae6d-73e5-40e2-a87c-40e88c0c8b62
         title: UDS Package SonarQube
         rlinks:
-          - href: https://github.com/defenseunicorns/uds-package-sonarqube
+          - href: https://github.com/defenseunicorns/uds-package-sonarqube

renovate.json

@@ -10,15 +10,26 @@
     "replacements:all",
     "workarounds:all"
   ],
-  "hostRules": [
+  "packageRules": [
     {
-      "matchHost": "registry1.dso.mil",
-      "hostType": "docker",
-      "description": "Encrypted creds for registry1, scoped to this Github org using: https://github.com/renovatebot/renovate/blob/main/docs/usage/configuration-options.md#encrypted",
-      "encrypted": {
-        "username": "wcFMA/xDdHCJBTolAQ//a+5GNAOsD/UOKnqJDdbPRr73EXRgyRdtMOIqDyjGZIKcdVo64StgUb1O37O5bazoyGeYkcISaWjInxRuoBOxqFhdo5cTUIJavjm2Sn75OWCDBUr2Q5/OSluQDbp7QO9g4+cHxcjtldlMswZg0RIoSX8rtAcNvJePvuWDKRHmUSDbWrNoAPaqOUvBIUF+BUR8o2UtKY4c986B9sqz1/ZiyL7vmenuoFi36MPpq123b6xra9/Q8Zb+AGZY6guhI0kmmSvLPwuNpU/W9ocpaUW1jOgJdYDowZqoTC27uozw1rCq38ybL94GMeG+pzWJd7LBVbfpDnU10j5UC5l5coxghh8dBYNzirsRbYW9KMV3CSeRNxOqfUuJ9AfWekCBWQMkueDtop+lzZhpvsPnXYTV6V0+TE+W5lg0wApcGUNM5XsEHV/gchSULZCWUTHpyZfkUoyc3dXax7K9LawrNLLpJg3Oz0c5Y4WXS1SqfY3U6n84Q95URZC+uRl5BqzBwQSQYbWsnon+g3My+GukdhHlynoiJwQo/ch5gIfgiA59VrL/H9L/ABAyYzQ7KUEguQrNh8hbNG0dfpMLMIrdUDhno5vTeccx2k5R/EOQopxZCY+k2Xfqgg5okAG9eQKhhGKcQD+A8y6X2V0cPkHQ35TCi5AObrcQiiemBZUy3G6IJIrSdQFEs+WcBPT4GPgOAsZWUJKU4RU3qdhdUGZy/VwJSsB05/E65fRTGl5i0e5PhIoIbh4uaPgWnbJyvKi87bIIJhe9bxP/m2lDs5GPeXSrvBb0GT3t9l3aHUYW3uKp5GABwmvX6ptMbNoYoQRSLptR/gE80RPFSQ",
-        "password": "wcFMA/xDdHCJBTolAQ//bu2ZFKmMysjpkOkwQSgLigvUMDw1SHpp1YN8y1LerOqMfTocdswihRFbB/FFRP/bYG1ByhnAvxqhbdV0TRQqYTRXZehrlT+SDEVEJyK9eGS+ozClbccG64ebZSJ4y9rMFW3sK4Ja9ZyAEsX0S4vO88XwJhtOYmMGTXLlcSfiANQB8a9jISzov27FQOzdPx6cEd19FGxmX5vAdH9FWDwhVA6QSTrip4h5tZ6THylNc3md2TGRYUVTxMtsZdp/bnhv+I3LqmodR0vEP9Or/dbhtqnMy2sdS6HsANUaZ+7j4D0qDL7EEcxk+CHM5lM2sSz6u4+J4u01XDkn0HJ/mShPDSWUoU01Va/ZpRL8zw/bjKApDBSgvBOwF7eXfUKqLrg2zURm2quUf7XwuVTXmBMg3DSEuRBlW8kM0rGWGyv7U62sx+2zjK0v2uNHJz0hzWaEfriOQu4B7/avb+CIupfVYGNllyMTuB2ySDMLKN3Q/EB7q97apWqwcnThxRhK7t3e59ea4JDxodxeeTG3m/UgBLBlXCutk7BsC7NQPaSeOzV7mw6AOVQz+Bn0DAGd1x03ITYAcgfYvSW7VCfhrvnmuSVICHA7GTYevC7RBYhexWdgHZb98mIt1vVA2C+h7eqsx+xWhHQFE2+lNRTRmj9ccU/6qz1+3zqHdMQ/WD8MLofSdgFLU/A7qljUm/dk1MEVMtGznukdRpJJV4PsEcwh2OV/9is5KPyFQ83M7sl3/fY+CBaHFEiT4j/bSBznmxL3TuAjMdIT7j0cNsOxnsHllgRHL1qG3S2ZmAQ0Ex4gIUUGn2VbZLyRogJspsjxx5ZYuuYVfhtSaTU"
-      }
+      "groupName": "SonarQube Support Dependencies",
+      "labels": ["support-deps"],
+      "commitMessageTopic": "support-deps",
+      "packagePatterns": ["*"]
+    },
+    {
+      "groupName": "SonarQube Package Dependencies",
+      "labels": ["package-deps"],
+      "commitMessageTopic": "package-deps",
+      "registryUrls": ["https://registry1.dso.mil"],
+      "matchDatasources": ["docker", "helm", "git-tags"]
+    },
+    {
+      "groupName": "SonarQube Package Dependencies",
+      "labels": ["package-deps"],
+      "commitMessageTopic": "package-deps",
+      "matchPackageNames": ["https://repo1.dso.mil/big-bang/product/packages/sonarqube.git"],
+      "allowedVersions": "/.+-bb.+/"
     }
   ]
 }