merge

.github/ISSUE_TEMPLATE/tech_debt.md

@@ -10,7 +10,7 @@ assignees: ''
 A clear and concise description of what should be changed/researched. Ex. This piece of the code is not DRY enough [...]
 
 ### Links to any relevant code
-(optional) i.e. - https://github.com/defenseunicorns/zarf/blob/main/README.md?plain=1#L1
+(optional) i.e. - https://github.com/zarf-dev/zarf/blob/main/README.md?plain=1#L1
 
 ### Additional context
 Add any other context or screenshots about the technical debt here.

.github/SECURITY.md

@@ -1,6 +1,6 @@
 # Reporting Security Issues
 
-To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/defenseunicorns/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/zarf-dev/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
 
 ### When Should I Report a Vulnerability?
 

.github/pull_request_template.md

@@ -11,4 +11,4 @@ Relates to #
 ## Checklist before merging
 
 - [ ] Test, docs, adr added or updated as needed
-- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/.github/CONTRIBUTING.md#developer-workflow) followed
+- [ ] [Contributor Guide Steps](https://github.com/zarf-dev/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed

.github/workflows/build-rust-injector.yml

@@ -2,25 +2,21 @@ name: Zarf Injector Rust Binaries
 
 permissions:
   contents: read
+  id-token: write
 
 on:
   workflow_dispatch:
     inputs:
       versionTag:
         description: "Version tag"
         required: true
-      branchName:
-        description: "Branch to build the injector from"
-        required: true
 
 jobs:
   build-injector:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout Repo"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          ref: ${{ github.event.inputs.branchName }}
 
       - name: Install tools
         uses: ./.github/actions/install-tools
@@ -37,13 +33,14 @@ jobs:
           shasum zarf-injector-amd64 >> checksums.txt
           shasum zarf-injector-arm64 >> checksums.txt
 
-      - name: Set AWS Credentials
+      - name: Auth with AWS
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
-          aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
-          aws-region: us-gov-west-1
+          role-to-assume: ${{ secrets.AWS_WRITE_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
+          aws-region: us-east-2
+          role-duration-seconds: 3600
 
       - name: Sync Artifacts to S3
         run: |
-          aws s3 sync src/injector/dist/ s3://zarf-public/injector/${{ github.event.inputs.versionTag }}/
+          aws s3 sync src/injector/dist/ s3://zarf-init/injector/${{ github.event.inputs.versionTag }}/

.github/workflows/dummy-dco.yaml

@@ -0,0 +1,12 @@
+name: DCO
+on:
+  merge_group:
+
+permissions:
+  contents: read
+
+jobs:
+  DCO:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "dummy DCO workflow (it won't run any check actually) to trigger by merge_group in order to enable merge queue"

.github/workflows/nightly-ecr.yml

@@ -2,7 +2,6 @@ name: Test ECR Publishing
 on:
   schedule:
    - cron: '0 7 * * * ' ## Every day at 0700 UTC
-
   workflow_dispatch: ## Give us the ability to run this manually
 
 
@@ -28,11 +27,13 @@ jobs:
       - name: Build the Zarf binary
         run: make build-cli-linux-amd
 
-      - name: Configure AWS Credentials
+      - name: Auth with AWS
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
           aws-region: us-east-1
+          role-duration-seconds: 3600
 
       # NOTE: The aws cli will need to be explicitly installed on self-hosted runners
       - name: Login to the ECR Registry

.github/workflows/nightly-eks.yml

@@ -2,7 +2,6 @@ name: Test EKS Cluster
 on:
   schedule:
    - cron: '0 7 * * *' ## Every day at 0700 UTC
-
   workflow_dispatch: ## Give us the ability to run this manually
     inputs:
       cluster_name:
@@ -36,12 +35,13 @@ jobs:
       - name: Build binary and zarf packages
         uses: ./.github/actions/packages
 
-      - name: Configure AWS Credentials
+      - name: Auth with AWS
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
           aws-region: us-east-1
-          role-duration-seconds: 14400
+          role-duration-seconds: 3600
 
       - name: Build the eks package
         run: ./build/zarf package create packages/distros/eks -o build --confirm
@@ -55,7 +55,7 @@ jobs:
             --confirm
 
       - name: Run tests
-        run: make test-e2e ARCH=amd64
+        run: make test-e2e-with-cluster ARCH=amd64
 
       - name: Teardown the cluster
         if: always()

.github/workflows/publish-application-packages.yml

@@ -23,7 +23,7 @@ jobs:
           ref: ${{ github.event.inputs.branchName }}
 
       - name: Install The Latest Release Version of Zarf
-        uses: defenseunicorns/setup-zarf@f95763914e20e493bb5d45d63e30e17138f981d6 # v1.0.0
+        uses: defenseunicorns/setup-zarf@10e539efed02f75ec39eb8823e22a5c795f492ae #v1.0.1
 
       - name: "Login to GHCR"
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -39,11 +39,11 @@ jobs:
           zarf package create -o build -a arm64 examples/dos-games --signing-key=awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} --confirm
 
           # Publish a the signed dos-games package
-          zarf package publish ./build/zarf-package-dos-games-amd64-1.0.0.tar.zst oci://ghcr.io/defenseunicorns/packages --key=https://zarf.dev/cosign.pub
-          zarf package publish ./build/zarf-package-dos-games-arm64-1.0.0.tar.zst oci://ghcr.io/defenseunicorns/packages --key=https://zarf.dev/cosign.pub
+          zarf package publish ./build/zarf-package-dos-games-amd64-1.0.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub
+          zarf package publish ./build/zarf-package-dos-games-arm64-1.0.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub
 
           # Publish a skeleton of the dos-games package
-          zarf package publish examples/dos-games oci://ghcr.io/defenseunicorns/packages
+          zarf package publish examples/dos-games oci://ghcr.io/zarf-dev/packages
         env:
           AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
           AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}

.github/workflows/release.yml

@@ -42,13 +42,13 @@ jobs:
         run: |
           cp build/zarf build/zarf-linux-amd64
           cp build/zarf-arm build/zarf-linux-arm64
-          docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/zarf/agent:$GITHUB_REF_NAME .
+          docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME .
           rm build/zarf-linux-amd64
           rm build/zarf-linux-arm64
-          echo ZARF_AGENT_IMAGE_DIGEST=$(docker buildx imagetools inspect ghcr.io/defenseunicorns/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest) >> $GITHUB_ENV
+          echo ZARF_AGENT_IMAGE_DIGEST=$(docker buildx imagetools inspect ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest) >> $GITHUB_ENV
 
       - name: "Zarf Agent: Sign the Image"
-        run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/defenseunicorns/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y
+        run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/zarf-dev/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y
         env:
           COSIGN_EXPERIMENTAL: 1
           AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
@@ -63,8 +63,8 @@ jobs:
 
       - name: Publish Init Package as OCI and Skeleton
         run: |
-          make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
-          make publish-init-package ARCH=arm64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
+          make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/zerf-dev/packages
+          make publish-init-package ARCH=arm64 REPOSITORY_URL=ghcr.io/zarf-dev/packages
 
       # Create a CVE report based on this build
       - name: Create release time CVE report

.github/workflows/test-upgrade.yml

@@ -73,7 +73,7 @@ jobs:
           chmod +x build/zarf
 
       - name: Install release version of Zarf
-        uses: defenseunicorns/setup-zarf@f95763914e20e493bb5d45d63e30e17138f981d6 # v1.0.0
+        uses: defenseunicorns/setup-zarf@10e539efed02f75ec39eb8823e22a5c795f492ae #v1.0.1
         with:
           download-init-package: true
 

.goreleaser.yaml

@@ -17,7 +17,7 @@ builds:
       - darwin
       - windows
     ldflags:
-      - -s -w -X github.com/defenseunicorns/zarf/src/config.CLIVersion={{.Tag}}
+      - -s -w -X github.com/zarf-dev/zarf/src/config.CLIVersion={{.Tag}}
       - -X k8s.io/component-base/version.gitVersion=v{{.Env.K8S_MODULES_MAJOR_VER}}.{{.Env.K8S_MODULES_MINOR_VER}}.{{.Env.K8S_MODULES_PATCH_VER}}
       - -X k8s.io/component-base/version.gitCommit={{.FullCommit}}
       - -X k8s.io/component-base/version.buildDate={{.Date}}
@@ -27,9 +27,9 @@ builds:
       - -X helm.sh/helm/v3/pkg/chartutil.k8sVersionMinor={{.Env.K8S_MODULES_MINOR_VER}}
       - -X github.com/derailed/k9s/cmd.version={{.Env.K9S_VERSION}}
       - -X github.com/google/go-containerregistry/cmd/crane/cmd.Version={{.Env.CRANE_VERSION}}
-      - -X github.com/defenseunicorns/zarf/src/cmd/tools.syftVersion={{.Env.SYFT_VERSION}}
-      - -X github.com/defenseunicorns/zarf/src/cmd/tools.archiverVersion={{.Env.ARCHIVER_VERSION}}
-      - -X github.com/defenseunicorns/zarf/src/cmd/tools.helmVersion={{.Env.HELM_VERSION}}
+      - -X github.com/zarf-dev/zarf/src/cmd/tools.syftVersion={{.Env.SYFT_VERSION}}
+      - -X github.com/zarf-dev/zarf/src/cmd/tools.archiverVersion={{.Env.ARCHIVER_VERSION}}
+      - -X github.com/zarf-dev/zarf/src/cmd/tools.helmVersion={{.Env.HELM_VERSION}}
     goarch:
       - amd64
       - arm64

.pre-commit-config.yaml

@@ -9,7 +9,7 @@ repos:
         args:
           - "--allow-missing-credentials"
       - id: detect-private-key
-        exclude: "src/test/e2e/30_config_file_test.go"
+        exclude: "src/test/e2e/29_config_file_test.go"
       - id: end-of-file-fixer
         exclude: site/src/content/docs/commands/.*
       - id: fix-byte-order-marker

CODEOWNERS

@@ -1,5 +1,6 @@
-* @defenseunicorns/zarf @dgershman
+* @zarf-dev/maintainers @zarf-dev/reviewers
 
-/CODEOWNERS @jeff-mccoy @austenbryan
-/cosign.pub @jeff-mccoy @austenbryan
-/LICENSE @jeff-mccoy @austenbryan
+/CODEOWNERS @zarf-dev/tsc
+/cosign.pub @zarf-dev/tsc
+/LICENSE @zarf-dev/tsc
+/CHARTER.pdf @zarf-dev/tsc

CODE_OF_CONDUCT.md

@@ -1,132 +1 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, caste, color, religion, or sexual
-identity and orientation.
-
-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment for our
-community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the overall
-  community
-
-Examples of unacceptable behavior include:
-
-* The use of sexualized language or imagery, and sexual attention or advances of
-  any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email address,
-  without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
-
-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
-
-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official email address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at
-zarf-dev-private@googlegroups.com.
-All complaints will be reviewed and investigated promptly and fairly.
-
-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
-
-## Enforcement Guidelines
-
-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series of
-actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or permanent
-ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior, harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within the
-community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.1, available at
-[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
-
-Community Impact Guidelines were inspired by
-[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
-
-For answers to common questions about this code of conduct, see the FAQ at
-[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
-[https://www.contributor-covenant.org/translations][translations].
-
-[homepage]: https://www.contributor-covenant.org
-[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
-[Mozilla CoC]: https://github.com/mozilla/diversity
-[FAQ]: https://www.contributor-covenant.org/faq
-[translations]: https://www.contributor-covenant.org/translations
+Community members are required to abide by the [OpenSSF Code of Conduct](https://openssf.org/community/code-of-conduct/) in all project spaces including (but not limited to) GitHub, Slack, social media, and conferences.