ci: add lint testing workflow and precommit (#214)

* ci: add lint testing workflow

* ci: add setup task

* ci: add actions task

* ci: fix lint issues to get workflow to pass

* ci: fix shell lint errors

* feat: adding pre-commit and fixes

* test pre-commit

* add uds precommit task and fix syntax

* feat: add tasks for deps

* fix: update tasks and gitignore

* fix: update yamllint to ignore scratch and add dep msging

* ci: update renovate to track precommit vers

* ci: update to latest common version

* ci: update uds-common callable gh workflow version

* ci: update workflow to use precommit also

* Most updates (#223)

* chore(deps): update all dependencies

| datasource  | package                                                            | from                   | to                     |
| ----------- | ------------------------------------------------------------------ | ---------------------- | ---------------------- |
| helm        | cert-manager                                                       | v1.14.5                | v1.16.1                |
| github-tags | defenseunicorns/uds-cli                                            | 0.16.0                 | 0.17.0                 |
| github-tags | defenseunicorns/uds-cli                                            | v0.13.1                | v0.17.0                |
| github-tags | defenseunicorns/uds-cli                                            | v0.16.0                | v0.17.0                |
| docker      | ghcr.io/defenseunicorns/packages/metallb                           | 0.0.5-amd64            | 0.1.1-amd64            |
| docker      | ghcr.io/defenseunicorns/packages/uds/core                          | 0.28.0-registry1       | 0.29.0-registry1       |
| docker      | ghcr.io/defenseunicorns/packages/uds/gitlab                        | 17.2.7-uds.2-registry1 | 17.2.9-uds.0-registry1 |
| docker      | ghcr.io/defenseunicorns/packages/uds/gitlab-runner                 | 17.1.0-uds.1-registry1 | 17.2.1-uds.2-registry1 |
| docker      | ghcr.io/defenseunicorns/packages/uds/mattermost                    | 10.0.0-uds.0-registry1 | 10.0.0-uds.1-registry1 |
| docker      | ghcr.io/defenseunicorns/packages/uds/sonarqube                     | 10.6.0-uds.1-registry1 | 10.7.0-uds.0-registry1 |
| docker      | ghcr.io/zarf-dev/packages/init                                     | v0.39.0                | v0.41.0                |
| docker      | quay.io/jetstack/cert-manager-acmesolver                           | v1.14.5                | v1.16.1                |
| docker      | quay.io/jetstack/cert-manager-cainjector                           | v1.14.5                | v1.16.1                |
| docker      | quay.io/jetstack/cert-manager-controller                           | v1.14.5                | v1.16.1                |
| docker      | quay.io/jetstack/cert-manager-startupapicheck                      | v1.14.5                | v1.16.1                |
| docker      | quay.io/jetstack/cert-manager-webhook                              | v1.14.5                | v1.16.1                |
| docker      | quay.io/jetstack/trust-manager                                     | v0.11.0                | v0.12.0                |
| docker      | registry.k8s.io/sig-storage/csi-attacher                           | v4.4.3                 | v4.7.0                 |
| docker      | registry.k8s.io/sig-storage/csi-external-health-monitor-controller | v0.10.0                | v0.13.0                |
| docker      | registry.k8s.io/sig-storage/csi-node-driver-registrar              | v2.11.1                | v2.12.0                |
| docker      | registry.k8s.io/sig-storage/csi-provisioner                        | v5.0.1                 | v5.1.0                 |
| docker      | registry.k8s.io/sig-storage/csi-resizer                            | v1.11.2                | v1.12.0                |
| docker      | registry.k8s.io/sig-storage/csi-snapshotter                        | v6.3.2                 | v8.1.0                 |
| docker      | registry.k8s.io/sig-storage/livenessprobe                          | v2.13.1                | v2.14.0                |
| docker      | registry.k8s.io/sig-storage/snapshot-controller                    | v6.3.2                 | v8.1.0                 |
| docker      | registry.k8s.io/sig-storage/snapshot-validation-webhook            | v6.3.2                 | v8.1.0                 |
| docker      | registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-aws | v1.10.0                | v1.10.1                |
| helm        | trust-manager                                                      | v0.11.0                | v0.12.0                |

* deps: reverted update to metallb as it's causd problems before

* docs: updated manual SBOM with updated versions

* deps: reverted GitLab back to v17.1.0 b/c mkdir error on deploy

* deps: revert uds CLI to version in latest build harness

* deps: update build harness to latest patch release

* deps: revert uds CLI to 0.16.0 in vscode settings too

* Apply suggestions from code review

Co-authored-by: awendt <[email protected]>

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: awendt <[email protected]>

---------

Co-authored-by: Joseph Richardson <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: awendt <[email protected]>

.github/actions/setup/action.yaml

@@ -12,4 +12,4 @@ runs:
     - name: Install UDS CLI
       shell: bash
       # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-      run: brew install defenseunicorns/tap/uds@0.16.0
+      run: brew install defenseunicorns/tap/uds@0.17.0

.github/workflows/lint.yaml

@@ -0,0 +1,33 @@
+name: Lint
+
+on:
+  # This workflow is triggered on pull requests to the main branch.
+  pull_request:
+    branches: [main]
+    # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow).
+    types: [milestoned, opened, edited, synchronize]
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # Allows reading the repo contents
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          fetch-depth: 0
+
+      - name: Install UDS CLI
+        uses: defenseunicorns/setup-uds@b987a32bac3baeb67bfb08f5e1544e2f9076ee8a # v1.0.0
+        with:
+          version: v0.17.0
+
+      - name: Install lint deps
+        run: |
+          uds run deps --no-progress
+
+      - name: Lint the repository (using Precommit)
+        run: |
+          uds run precommit --no-progress

.github/workflows/tag-and-release.yaml

@@ -21,7 +21,7 @@ jobs:
         id: tag
         uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
       - id: release-flag
-        run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> $GITHUB_OUTPUT
+        run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> "$GITHUB_OUTPUT"
 
   # Publish the uds bundle
   publish-uds-bundle-eksd:

.pre-commit-config.yaml

@@ -0,0 +1,59 @@
+repos:
+  ################
+  # GENERAL CHECKS
+  ################
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.0.1
+    hooks:
+      - id: check-added-large-files
+        name: Large Files Check
+        args: ["--maxkb=1024"]
+
+      - id: detect-private-key
+        name: Check Private Keys
+
+      - id: check-merge-conflict
+        name: Merge Conflict Resolution Check
+
+      - id: end-of-file-fixer
+        name: Newline EOF Checker
+
+      - id: fix-byte-order-marker
+        name: Fix UTF-8 byte order marker
+
+      - id: trailing-whitespace
+        name: Whitespace Cleaning Check
+        args: [--markdown-linebreak-ext=md]
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.18.0
+    hooks:
+      - id: gitleaks
+        name: GitLeaks Checks
+
+  - repo: https://github.com/sirosen/texthooks
+    rev: 0.6.7
+    hooks:
+      - id: fix-smartquotes
+      - id: fix-spaces
+      - id: fix-ligatures
+
+  ############
+  # CODE LINT
+  ############
+
+  - repo: local
+    hooks:
+      - id: yaml-lint
+        name: "Yaml Lint"
+        entry: |
+          bash -c 'uds run lint:yaml'
+        language: system
+
+  - repo: local
+    hooks:
+      - id: shell-check
+        name: "Shell Check"
+        entry: |
+          bash -c 'uds run lint:shell'
+        language: system

.yamllint

@@ -0,0 +1,36 @@
+yaml-files:
+  - '**/*.y*ml'
+  - '.yamllint'
+
+ignore:
+  - '**/chart/templates**'
+  - 'scratch/**'
+
+rules:
+  anchors: enable
+  braces: enable
+  brackets: enable
+  colons: enable
+  commas: enable
+  comments:
+    level: warning
+  comments-indentation:
+    level: warning
+  document-end: disable
+  document-start:
+    level: warning
+  empty-lines: enable
+  empty-values: disable
+  float-values: disable
+  hyphens: enable
+  indentation: enable
+  key-duplicates: enable
+  key-ordering: disable
+  line-length: disable
+  new-line-at-end-of-file: enable
+  new-lines: enable
+  octal-values: disable
+  quoted-strings: disable
+  trailing-spaces: enable
+  truthy:
+    level: warning

README.md

@@ -165,4 +165,4 @@ destroy-ns <namespace>
 
 # So we don't dirty the git history
 rm temp.json
-```
+```

bundles/eksd/uds-bundle.yaml

@@ -525,14 +525,14 @@ packages:
                                 - gitaly
                         topologyKey: kubernetes.io/hostname
                 nodeAffinity:
-                    preferredDuringSchedulingIgnoredDuringExecution:
-                      - weight: 1
-                        preference:
-                          matchExpressions:
-                            - key: dedicated
-                              operator: In
-                              values:
-                                - gitaly-node
+                  preferredDuringSchedulingIgnoredDuringExecution:
+                    - weight: 1
+                      preference:
+                        matchExpressions:
+                          - key: dedicated
+                            operator: In
+                            values:
+                              - gitaly-node
 
   # Gitlab Runner
   - name: gitlab-runner

bundles/rke2/uds-bundle.yaml

@@ -526,14 +526,14 @@ packages:
                                 - gitaly
                         topologyKey: kubernetes.io/hostname
                 nodeAffinity:
-                    preferredDuringSchedulingIgnoredDuringExecution:
-                      - weight: 1
-                        preference:
-                          matchExpressions:
-                            - key: dedicated
-                              operator: In
-                              values:
-                                - gitaly-node
+                  preferredDuringSchedulingIgnoredDuringExecution:
+                    - weight: 1
+                      preference:
+                        matchExpressions:
+                          - key: dedicated
+                            operator: In
+                            values:
+                              - gitaly-node
 
   # Gitlab Runner
   - name: gitlab-runner

config/uds-config.yaml

@@ -194,4 +194,3 @@ variables:
     # SSO requires a license
     NEXUS_SSO_ENABLED: false
     NEXUS_LICENSE_KEY: ""
-

docs/backup-restore.md

@@ -14,7 +14,7 @@ Run `velero backup describe manual-nexus-velero-backup-1716311265` or `velero ba
 
 - Delete the PVC (Velero will not restore data if the backed up PV/PVC still exist)
 ```bash
-$ kubectl delete pvc nexus-nexus-repository-manager-data 
+$ kubectl delete pvc nexus-nexus-repository-manager-data
 
 persistentvolumeclaim "nexus-nexus-repository-manager-data" deleted
 ```

packages/additional-manifests/pepr-policy-exemptions/README.md

@@ -1,3 +1,3 @@
 Due to an upstream bug ([tracked here](https://github.com/defenseunicorns/pepr/issues/745)) in pepr, each exemption needs to be installed sequentially 1 at a time and the easiest way to do that is separate zarf files.
 
-TODO - track progress against that issue, and return the nutanix-csi-exemption to the parent additional-manifests zarf package when the issue is resolved.
+TODO - track progress against that issue, and return the nutanix-csi-exemption to the parent additional-manifests zarf package when the issue is resolved.

packages/nutanix-csi/nutanix-volume.yaml

@@ -5,7 +5,7 @@ metadata:
   name: nutanix-volume
   annotations:
     storageclass.kubernetes.io/is-default-class: "true"
-parameters: 
+parameters:
   csi.storage.k8s.io/fstype: xfs
   hypervisorAttached: ###ZARF_VAR_HYPERVISOR_ATTACHED###
   flashMode: DISABLED

packages/trust-bundles/trust-bundle.yaml

@@ -7,12 +7,12 @@ spec:
   # Include a bundle of publicly trusted certificates which can be
   # used to validate most TLS certificates on the internet, such as
   # those issued by Let's Encrypt, Google, Amazon and others.
-  - useDefaultCAs: true
+    - useDefaultCAs: true
 
   # Custom CA chain provided via zarf variable
-  - secret:
-      name: "ca-chain"
-      key: "chain.crt"
+    - secret:
+        name: "ca-chain"
+        key: "chain.crt"
 
   target:
     # Sync the bundle to a ConfigMap called `trust-bundle` in every namespace which

renovate.json

@@ -9,5 +9,8 @@
     "group:all",
     "replacements:all",
     "workarounds:all"
-  ]
+  ],
+  "pre-commit": {
+    "enabled": true
+  }
 }

tasks.yaml

@@ -1,6 +1,9 @@
 includes:
   - create: ./tasks/create.yaml
   - deploy: ./tasks/deploy.yaml
+  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.1.0/tasks/lint.yaml
+  - actions: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.1.0/tasks/actions.yaml
+  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.1.0/tasks/setup.yaml
 
 tasks:
   - name: dev-eksd
@@ -15,6 +18,22 @@ tasks:
       - task: create-bundle-rke2
       - task: deploy-dev-rke2
 
+  - name: deps
+    description: Install development dependencies
+    actions:
+      - task: lint:deps
+      - cmd: CMD=pip && which $CMD || CMD=pip3 && $CMD install -Ivq "shellcheck-py>=0.10.0.1"
+        description: "Install shellcheck-py via pip"
+      - cmd: CMD=pip && which $CMD || CMD=pip3 && $CMD install -Ivq "pre-commit>=4.0.1"
+        description: "Install pre-commit via pip"
+      - cmd: "echo '[*] Please ensure your path is set correctly, for example: \nexport PATH=$PATH:~/.local/bin:~/venv/bin'"
+        description: "Note to set your path"
+
+  - name: precommit
+    description: Run git precommit hooks
+    actions:
+      - cmd: pre-commit run --all-files
+
   ################
   #  Create
   ################

tasks/create.yaml

@@ -14,53 +14,53 @@ tasks:
   - name: eksd-bundle
     description: Create the eksd UDS Bundle with SWF on UDS Core
     actions:
-      - cmd: ./uds create ./bundles/eksd --architecture=${ARCH} --confirm
+      - cmd: ./uds create ./bundles/eksd --architecture="${ARCH}" --confirm
       - cmd: mv ./bundles/eksd/uds-bundle-* ./build
 
   - name: rke2-bundle
     description: Create the rke2 UDS Bundle with SWF on UDS Core
     actions:
-      - cmd: ./uds create ./bundles/rke2 --architecture=${ARCH} --confirm
+      - cmd: ./uds create ./bundles/rke2 --architecture="${ARCH}" --confirm
       - cmd: mv ./bundles/rke2/uds-bundle-* ./build
 
   # Packages
   - name: database-manifest-packages
     description: Create database manifest packages
     actions:
-      - cmd: ./uds zarf package create ./packages/databases/gitlab/secret --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
-      - cmd: ./uds zarf package create ./packages/databases/sonarqube/secret --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+      - cmd: ./uds zarf package create ./packages/databases/gitlab/secret --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
+      - cmd: ./uds zarf package create ./packages/databases/sonarqube/secret --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
 
   - name: keycloak-config-wrapper-package
     description: Create the keycloak configurations shim loader
     actions:
-      - cmd: ./uds zarf package create ./packages/keycloak-config-wrapper --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+      - cmd: ./uds zarf package create ./packages/keycloak-config-wrapper --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
 
   - name: object-store-packages
     description: Create the object storage packages
     actions:
-      - cmd: ./uds zarf package create ./packages/object-store/gitlab --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+      - cmd: ./uds zarf package create ./packages/object-store/gitlab --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
 
   - name: additional-manifests-package
     description: Create package create additional manifests needed.
     actions:
-      - cmd: ./uds zarf package create ./packages/additional-manifests --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+      - cmd: ./uds zarf package create ./packages/additional-manifests --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
 
   - name: nutanix-csi-package
     description: Create Nutanix CSI driver package.
     actions:
-      - cmd: ./uds zarf package create ./packages/nutanix-csi --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+      - cmd: ./uds zarf package create ./packages/nutanix-csi --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
 
   - name: cert-manager-package
     description: Create cert-manager package.
     actions:
-      - cmd: ./uds zarf package create ./packages/cert-manager --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+      - cmd: ./uds zarf package create ./packages/cert-manager --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
 
   - name: trust-manager-package
     description: Create trust-manager package.
     actions:
-      - cmd: ./uds zarf package create ./packages/trust-manager --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+      - cmd: ./uds zarf package create ./packages/trust-manager --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
 
   - name: trust-bundles-package
     description: Create trust-bundle package for adding custom CAs.
     actions:
-      - cmd: ./uds zarf package create ./packages/trust-bundles --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+      - cmd: ./uds zarf package create ./packages/trust-bundles --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build

tasks/deploy.yaml

@@ -15,7 +15,7 @@ tasks:
   - name: uds-version
     description: Check the UDS version in the build harness being used
     actions:
-      - cmd: docker run --rm ${DEPLOY_IMAGE} bash -c 'uds version'
+      - cmd: docker run --rm "${DEPLOY_IMAGE}" bash -c 'uds version'
 
   - name: deploy-bundle
     description: Deploy bundle based on configured input build and config directories
@@ -33,7 +33,7 @@ tasks:
         default: "eksd"
         description: Input to specify the type of bundle to deploy
     actions:
-      - cmd: docker run --rm -e ARCH=${ARCH} -e BUNDLE_VERSION=${BUNDLE_VERSION} -e BUNDLE_TYPE=${INPUT_BUNDLE_TYPE} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -e PACKAGE_LIST="${INPUT_PACKAGE_LIST}" -v /tmp:/tmp -v ${INPUT_CONFIG_DIR}:/configs -v ${INPUT_BUILD_DIR}:/build ${DEPLOY_IMAGE} bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${BUNDLE_TYPE}-${ARCH}-${BUNDLE_VERSION}.tar.zst ${PACKAGE_LIST} --no-progress --confirm'
+      - cmd: docker run --rm -e ARCH="${ARCH}" -e BUNDLE_VERSION="${BUNDLE_VERSION}" -e BUNDLE_TYPE="${INPUT_BUNDLE_TYPE}" -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -e PACKAGE_LIST="${INPUT_PACKAGE_LIST}" -v /tmp:/tmp -v "${INPUT_CONFIG_DIR}":/configs -v "${INPUT_BUILD_DIR}":/build "${DEPLOY_IMAGE}" bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${BUNDLE_TYPE}-${ARCH}-${BUNDLE_VERSION}.tar.zst ${PACKAGE_LIST} --no-progress --confirm'
 
   - name: deploy-published
     description: Deploy published oci of bundle from ghcr
@@ -48,4 +48,4 @@ tasks:
         default: "eksd"
         description: Input to specify the type of bundle to deploy
     actions:
-      - cmd: docker run --rm -e BUNDLE_VERSION=${BUNDLE_VERSION} -e BUNDLE_TYPE=${INPUT_BUNDLE_TYPE} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -e PACKAGE_LIST="${INPUT_PACKAGE_LIST}" -v /tmp:/tmp -v ${INPUT_CONFIG_DIR}:/configs ${DEPLOY_IMAGE} bash -c 'uds deploy oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix-${BUNDLE_TYPE}:${BUNDLE_VERSION} ${PACKAGE_LIST} --no-progress --confirm'
+      - cmd: docker run --rm -e BUNDLE_VERSION="${BUNDLE_VERSION}" -e BUNDLE_TYPE="${INPUT_BUNDLE_TYPE}" -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -e PACKAGE_LIST="${INPUT_PACKAGE_LIST}" -v /tmp:/tmp -v "${INPUT_CONFIG_DIR}":/configs "${DEPLOY_IMAGE}" bash -c 'uds deploy oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix-${BUNDLE_TYPE}:${BUNDLE_VERSION} ${PACKAGE_LIST} --no-progress --confirm'