Merge pull request #32 from defenseunicorns/hotfix-create-standardize…

…d-repo-template

chore: create standardized repo template

.adr-dir

@@ -0,0 +1 @@
+adr

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,27 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: 'possible-bug 🐛'
+assignees: ''
+---
+
+### Environment
+Device and OS:
+App/package versions:
+Kubernetes distro being used:
+Other:
+
+### Steps to reproduce
+1.
+
+### Expected result
+
+### Actual Result
+
+### Visual Proof (screenshots, videos, text, etc)
+
+### Severity/Priority
+
+### Additional Context
+Add any other context or screenshots about the technical debt here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,22 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: 'enhancement ✨'
+assignees: ''
+---
+
+### Is your feature request related to a problem? Please describe.
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+### Describe the solution you'd like
+
+- **Given** a state
+- **When** an action is taken
+- **Then** something happens
+
+### Describe alternatives you've considered
+(optional) A clear and concise description of any alternative solutions or features you've considered.
+
+### Additional context
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/tech_debt.md

@@ -0,0 +1,16 @@
+---
+name: Tech debt
+about: Record something that should be investigated or refactored in the future.
+title: ''
+labels: 'tech-debt 💳'
+assignees: ''
+---
+
+### Describe what should be investigated or refactored
+A clear and concise description of what should be changed/researched. Ex. This piece of the code is not DRY enough [...]
+
+### Links to any relevant code
+(optional) i.e. - https://github.com/defenseunicorns/uds-package-sonarqube/blob/main/README.md?plain=1#L1
+
+### Additional context
+Add any other context or screenshots about the technical debt here.

.github/pull_request_template.md

@@ -0,0 +1,20 @@
+## Description
+
+...
+
+## Related Issue
+
+Fixes #
+<!-- or -->
+Relates to #
+
+## Type of change
+
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Other (security config, docs update, etc)
+
+## Checklist before merging
+
+- [ ] Test, docs, adr added or updated as needed
+- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-sonarqube/blob/main/CONTRIBUTING.md#developer-workflow) followed

.github/workflows/scorecard.yaml

@@ -0,0 +1,50 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '30 1 * * 6'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge.
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+        with:
+          sarif_file: results.sarif

CONTRIBUTING.md

@@ -16,12 +16,42 @@ Specifically:
 * Continuous integration (CI) pipeline tests are definitive
 * We create immutable release artifacts
 
-## Definition of Done
+### Developer Workflow
 
-We apply these general principles to all User Stories and activities contributing to the UDS SWF.
+:key: == Required by automation
 
-* Automated continuous integration (CI) pipeline tests pass
-* CI pipeline tests have been updated to meet system changes
-* Changes are peer reviewed
-* Acceptance criteria is met
-* Documentation is updated to reflect what changed
+1. Drop a comment in any issue to let everyone know you're working on it and submit a Draft PR (step 4) as soon as you are able.
+2. :key: Set up your Git config to GPG sign all commits. [Here's some documentation on how to set it up](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits). You won't be able to merge your PR if you have any unverified commits.
+3. Create a Draft Pull Request as soon as you can, even if it is just 5 minutes after you started working on it. We lean towards working in the open as much as we can.
+   > ⚠️ **NOTE:** _:key: We use [Conventional Commit messages](https://www.conventionalcommits.org/) in PR titles so, if you can, use one of `fix:`, `feat:`, `chore:`, `docs:` or similar.  If you need help, just use with `wip:` and we'll help with the rest_
+4. :key: Automated tests will begin based on the paths you have edited in your Pull Request.
+   > ⚠️ **NOTE:** _If you are an external third-party contributor, the pipelines won't run until a [CODEOWNER](./CODEOWNERS) approves the pipeline run._
+5. :key: Be sure to heed the `needs-adr`,`needs-docs`,`needs-tests` labels as appropriate for the PR. Once you have addressed all of the needs, remove the label or request a maintainer to remove it.
+6. Once the review is complete and approved, a core member of the project will merge your PR. If you are an external third-party contributor, two core members of the project will be required to approve the PR.
+7. Close the issue if it is fully resolved by your PR. _Hint: You can add "Fixes #XX" to the PR description to automatically close an issue when the PR is merged._
+
+### Architecture Decision Records (ADR)
+
+We've chosen to use ADRs to document architecturally significant decisions. We primarily use the guidance found in [this article by Michael Nygard](http://thinkrelevance.com/blog/2011/11/15/documenting-architecture-decisions) with a couple of tweaks:
+
+- The criteria for when an ADR is needed is undefined. The team will decide when the team needs an ADR.
+- We will use the tool [adr-tools](https://github.com/npryce/adr-tools) to make it easier on us to create and maintain ADRs.
+- We will keep ADRs specific to this package in the repository under `adr/NNNN-name-of-adr.md`.
+  > `adr-tools` is configured with a dotfile to automatically use this directory and format.
+- We will keep ADRs relating to Software Factory as a whole in the [UDS Software Factory](https://github.com/defenseunicorns/uds-software-factory) repository under `adr/NNNN-name-of-adr.md`.
+
+### How to use `adr-tools`
+
+```bash
+# Create a new ADR titled "Use Bisquick for all waffle making"
+adr new Use Bisquick for all waffle making
+
+# Create a new ADR that supersedes a previous one. Let's say, for example, that the previous ADR about Bisquick was ADR number 9.
+adr new -s 9 Use scratch ingredients for all waffle making
+
+# Create a new ADR that amends a previous one. Let's say the previous one was ADR number 15
+adr new -l "15:Amends:Amended by" Use store-bought butter for all waffle making
+
+# Get full help docs. There are all sorts of other helpful commands that help manage the decision log.
+adr help
+```

README.md

@@ -1,36 +1,39 @@
-# uds-package-sonarqube
-UDS Sonarqube Zarf Package
+# UDS SonarQube Zarf Package
 
-This package is purposed for use as part of the software factory bundle deployed on UDS-CORE (https://github.com/defenseunicorns/uds-core).
+[![Latest Release](https://img.shields.io/github/v/release/defenseunicorns/uds-package-sonarqube)](https://github.com/defenseunicorns/uds-package-sonarqube/releases)
+[![Build Status](https://img.shields.io/github/actions/workflow/status/defenseunicorns/uds-package-sonarqube/tag-and-release.yaml)](https://github.com/defenseunicorns/uds-package-sonarqube/actions/workflows/tag-and-release.yaml)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/uds-package-sonarqube/badge)](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/uds-package-sonarqube)
+
+This package is designed for use as part of a [UDS Software Factory](https://github.com/defenseunicorns/uds-software-factory) bundle deployed on [UDS Core](https://github.com/defenseunicorns/uds-core).
 
 ## Pre-requisites
 
-Sonarqube needs connection to a postgres instance either in cluster or external. It finds this connection via the `sonarqube_db_endpoint` variable declared in the zarf package and configured (as an example) at deploy time by the [uds bundle config](./bundle/uds-config.yaml).
+SonarQube needs connection to a PostgreSQL instance either in cluster or external. It finds this connection via the `sonarqube_db_endpoint` variable declared in the zarf package and configured (as an example) at deploy time by the [uds bundle config](./bundle/uds-config.yaml).
 
-For local testing and CI, Sonarqube is bundled with the [dev-postgres package](ghcr.io/defenseunicorns/packages/uds/dev-postgres).
+For local testing and CI, SonarQube is bundled with the [dev-postgres package](ghcr.io/defenseunicorns/packages/uds/dev-postgres).
 
 ## Flavors
 
-| Flavor | Example Creation |
-| ------ | ---------------- |
-| upstream-ce | `zarf package create . -f upstream-ce` |
-| registry1 | `zarf package create . -f registry1` |
-
-## Package
+| Flavor | Description | Example Creation |
+| ------ | ----------- | ---------------- |
+| upstream-ce | Uses upstream images within the package. | `zarf package create . -f upstream-ce` |
+| registry1 | Uses images from registry1.dso.mil within the package. | `zarf package create . -f registry1` |
 
-The deployment package can be found in [ghcr](https://github.com/defenseunicorns/uds-package-sonarqube/pkgs/container/packages%2Fuds%2Fsonarqube).
+## Releases
 
+The released packages can be found in [ghcr](https://github.com/defenseunicorns/uds-package-sonarqube/pkgs/container/packages%2Fuds%2Fsonarqube).
 
 ## UDS Tasks (for local dev and CI)
-*For local dev, this requires you install [uds-cli](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install)
+
+*For local dev, this requires installing [uds-cli](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install)
 
 | Task | Description | Example |
 | ---- | ----------- | ------- |
 | setup-cluster | Uses the `k3d-core-istio` bundle to create a cluster for testing against | `uds run setup-cluster` |
-| create-package | Creates just the sonarqube package | `uds run create-package --set FLAVOR=<flavor>` |
-| create-test-bundle | Creates sonarqube and sonarqube dependency packages and then bundles them | `uds run create-test-bundle` |
-| deploy-package | Deploy Sonarqube package only | `uds run deploy-package` |
-| deploy-test-bundle | Deploy Sonarqube and Sonarqube dependency bundle | `uds run deploy-test-bundle` |
+| create-package | Creates just the SonarQube package | `uds run create-package --set FLAVOR=<flavor>` |
+| create-test-bundle | Creates SonarQube and SonarQube dependency packages and then bundles them | `uds run create-test-bundle` |
+| deploy-package | Deploy SonarQube package only | `uds run deploy-package` |
+| deploy-test-bundle | Deploy SonarQube and SonarQube dependency bundle | `uds run deploy-test-bundle` |
 | test-package | Run checks against a deployed package or bundle | `uds run test-package` |
 | cleanup | Teardown the cluster | `uds run cleanup` |
 
@@ -41,4 +44,5 @@ See:
 2. [/values/upstream.yaml](/values/upstream.yaml)
 
 ## Contributing
-Please see the [CONTRIBUTING.md](./CONTRIBUTING.md)
+
+Please see the [CONTRIBUTING.md](./CONTRIBUTING.md)

SECURITY.md

@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported Versions
+
+As UDS Software Factory has not yet reached v1.0.0, only the current latest minor release is supported.
+
+## Reporting a Vulnerability
+
+Please email `security-notice [at] defenseunicorns.com` to report a vulnerability. If you are unable to disclose details via email, please let us know and we can coordinate alternate communications.

adr/0001-record-architecture-decisions.md

@@ -0,0 +1,23 @@
+# 1. Record architecture decisions
+
+Date: 2022-03-01
+
+## Status
+
+Accepted
+
+## Context
+
+> NOTE:
+>
+> This file was automatically created when we used [adr-tools](https://github.com/npryce/adr-tools) to initialize the document log in the repo. ADRs on ADRs are a little silly, but it does give a lightweight way to direct the reader over to our contributor guide that has a lot more information.
+
+We need to record the architectural decisions made on this project.
+
+## Decision
+
+We will use Architecture Decision Records, as [described by Michael Nygard](http://thinkrelevance.com/blog/2011/11/15/documenting-architecture-decisions), with a couple of small tweaks. See the [Documentation section in the Contributor guide](../CONTRIBUTING.md#documentation) for full details.
+
+## Consequences
+
+See Michael Nygard's article, linked above. For a lightweight ADR toolset, see Nat Pryce's [adr-tools](https://github.com/npryce/adr-tools).

adr/template.md

@@ -0,0 +1,19 @@
+# NUMBER. TITLE
+
+Date: DATE
+
+## Status
+
+STATUS
+
+## Context
+
+The issue motivating this decision, and any context that influences or constrains the decision.
+
+## Decision
+
+The change that we're proposing or have agreed to implement.
+
+## Consequences
+
+What becomes easier or more difficult to do and any risks introduced by the change that will need to be mitigated.

renovate.json

@@ -14,13 +14,9 @@
   "rebaseStalePrs": true,
   "schedule": ["after 7am and before 9am every weekday"],
   "dependencyDashboard": true,
-  "platform": "github",
-  "onboarding": false,
-  "requireConfig": false,
   "dependencyDashboardTitle": "Renovate Dashboard 🤖",
   "rebaseWhen": "conflicted",
   "commitBodyTable": true,
-  "ignorePaths": ["archive/**"],
   "suppressNotifications": ["prIgnoreNotification"],
   "pre-commit": {
     "enabled": true
@@ -31,8 +27,6 @@
   "kubernetes": {
     "fileMatch": ["\\.yaml$"],
     "ignorePaths": [
-      "ansible",
-      "scripts",
       ".github"
     ]
   },
@@ -76,32 +70,35 @@
     {
       "fileMatch": [".*\/?zarf\\.ya?ml$"],
       "matchStrings": [
-        "-\\s+['\"](?<depName>[^:]+):(?<currentValue>.*)['\"]"
+        "-\\s+['\"]?(?<depName>[^:]+):(?<currentValue>.*)['\"]?"
       ],
       "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver-coerced{{/if}}",
       "datasourceTemplate": "docker",
       "extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^(?<version>.*)${{/if}}"
     },
     {
-      "fileMatch": ["^Makefile$"],
+      "fileMatch": [
+        "(^|/)zarf.yaml$"
+      ],
+      "matchStringsStrategy": "recursive",
       "matchStrings": [
-        "renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?( extractVersion=(?<extractVersion>.*?))?( registryUrl=(?<registryUrl>.*?))?\\s.*?=\\s*['\"]?(?<currentValue>.*?)['\"]?\\s"
+        "(?m)charts:(.|\\n)*?(^\\s{4}[\\w:]+|\\n$|^\\s{2}-)",
+        "(?m)name:(.|\\n)+?(^\\s{4}[\\w\\-:]+|\\n$|^\\s{2}-)",
+        "(?m)name: (?<depName>.+)(.|\\n)*?url: (?<registryUrl>.+)(.|\\n)*?version: (?<currentValue>.+)"
       ],
-      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver-coerced{{/if}}",
-      "extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^(?<version>.*)${{/if}}"
-    }
-  ],
-  "packageRules": [
-    {
-      "matchManagers": ["terraform"],
-      "matchDepTypes": ["module"],
-      "matchDatasources": ["github-tags", "git-tags"],
-      "versioning": "loose"
+      "datasourceTemplate": "helm"
     },
     {
-      "matchPackagePatterns": ["big-bang/.*"],
-      "matchDatasources": ["gitlab-tags"],
-      "allowedVersions": "!/^v.*$/"
+      "fileMatch": [
+        "(^|/)zarf.yaml$"
+      ],
+      "matchStringsStrategy": "recursive",
+      "matchStrings": [
+        "(?m)charts:(.|\\n)*?(^\\s{4}[\\w:]+|\\n$|^\\s{2}-)",
+        "(?m)name:(.|\\n)+?(^\\s{4}[\\w\\-:]+|\\n$|^\\s{2}-)",
+        "(?m)name: (?<depName>.+)(.|\\n)*?version: (?<currentValue>.+)(.|\\n)*?url: (?<registryUrl>.+)"
+      ],
+      "datasourceTemplate": "helm"
     }
   ]
 }