chore!: add containerization and packaging manifest lints (#937)

### BREAKING CHANGES

GPU_CLASS_NAME is now GPU_RUNTIME to better align with both standard container baking conventions and the actual manifest field and purpose.

.dockerignore

@@ -1,4 +1,11 @@
 **/*.tar.zst
+**/*.log*
+**/__pycache__
+**/.ruff_cache
 **/Dockerfile*
 **/.gitignore
-**/Makefile
+**/Makefile
+**/node_modules
+**/.svelte-kit
+**/zarf-sbom/
+**/zarf-*.tar.zst

.github/release-please-config.json

@@ -45,6 +45,11 @@
           "type": "generic",
           "path": "**/hugo.toml",
           "glob": true
+        },
+        {
+          "type": "generic",
+          "path": ".github/workflows/e2e-registry1-weekly.yaml",
+          "glob": true
         }
       ]
     }

.github/workflows/docker-lint.yaml

@@ -0,0 +1,40 @@
+name: Docker Lint
+
+on:
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - "**/Dockerfile"
+      - "**/Dockerfile.migrations"
+      - "**/.dockerignore"
+      - ".github/workflows/docker-lint.yaml"
+
+concurrency:
+  group: docker-lint-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  docker-lint:
+    runs-on: ubuntu-latest
+    name: Lint Docker Manifest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Checkout Repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
+        with:
+          dockerfile: "*Dockerfile*"
+          recursive: true
+          config: .hadolint.yaml

.github/workflows/e2e-registry1-weekly.yaml

@@ -37,6 +37,10 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          # x-release-please-start-version
+          ref: "caf4f9c3093a55a003b49fcbf05c03221be6a232" # 0.12.2 w/ integration tests turned-on
+          # x-release-please-end
 
       - name: Setup Python
         uses: ./.github/actions/python
@@ -51,6 +55,12 @@ jobs:
           registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
           registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
           ghToken: ${{ secrets.GITHUB_TOKEN }}
+          udsCliVersion: 0.14.0
+
+      - name: Create UDS Cluster
+        shell: bash
+        run: |
+          UDS_CONFIG=.github/config/uds-config.yaml make create-uds-cpu-cluster
 
       - name: Setup Playwright
         run: |
@@ -63,6 +73,7 @@ jobs:
 
       # Mutate UDS bundle definition to use Registry1 packages
       - name: Mutation to Registry1 Bundle
+        # TODO: fix bundle path
         run: |
           uds zarf tools yq -i '.packages[1] |= del(.repository)' bundles/latest/cpu/uds-bundle.yaml
           uds zarf tools yq -i '.packages[1] |= .ref = "registry1"' bundles/latest/cpu/uds-bundle.yaml

.github/workflows/helm-lint.yaml

@@ -0,0 +1,76 @@
+name: Helm Lint
+
+on:
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - "**/chart"
+      - "**/values"
+      - "**/*values.yaml"
+      - ".github/workflows/helm-lint.yaml"
+
+concurrency:
+  group: helm-lint-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  helm-lint:
+    runs-on: ubuntu-latest
+    name: Lint Helm Charts
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Checkout Repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Setup Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        with:
+          version: "v3.13.3"
+
+      - name: Lint API Helm Charts
+        if: always()
+        run: |
+          helm lint packages/api/chart --quiet
+
+      - name: Lint llama-cpp-python Helm Charts
+        if: always()
+        run: |
+          helm lint packages/llama-cpp-python/chart --quiet
+
+      - name: Lint text-embeddings Helm Charts
+        if: always()
+        run: |
+          helm lint packages/text-embeddings/chart --quiet
+
+      - name: Lint vllm Helm Charts
+        if: always()
+        run: |
+          helm lint packages/vllm/chart --quiet
+
+      - name: Lint whisper Helm Charts
+        if: always()
+        run: |
+          helm lint packages/whisper/chart --quiet
+
+      - name: Lint repeater Helm Charts
+        if: always()
+        run: |
+          helm lint packages/repeater/chart --quiet
+
+      - name: Lint UI Helm Charts
+        if: always()
+        run: |
+          helm lint packages/ui/chart --quiet
+
+      # TODO: we will not be linting or refactoring Supabase charts until GitHub issue #968 is resolved and a path forward is provided

.github/workflows/uds-lint.yaml

@@ -0,0 +1,48 @@
+name: UDS Lint
+
+on:
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - "bundles/**"
+      - ".github/workflows/uds-lint.yaml"
+
+concurrency:
+  group: uds-lint-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  uds-lint:
+    runs-on: ubuntu-latest
+    name: Lint UDS Manifest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Set up Python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version-file: "pyproject.toml"
+
+      - name: Install jsonschema
+        run: pip install check-jsonschema==0.28.0
+
+      - name: Download UDS Bundle Schema
+        run: curl -o uds.schema.json https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.14.0/uds.schema.json
+
+      - name: Validate uds-bundle.yaml (dev)
+        if: always()
+        run: |
+          check-jsonschema bundles/dev/gpu/uds-bundle.yaml --schemafile uds.schema.json
+          check-jsonschema bundles/dev/cpu/uds-bundle.yaml --schemafile uds.schema.json
+
+      - name: Validate uds-bundle.yaml (latest)
+        if: always()
+        run: |
+          check-jsonschema bundles/latest/gpu/uds-bundle.yaml --schemafile uds.schema.json
+          check-jsonschema bundles/latest/cpu/uds-bundle.yaml --schemafile uds.schema.json

.github/workflows/zarf-lint.yaml

@@ -0,0 +1,77 @@
+name: Zarf Lint
+
+on:
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - "**/zarf.yaml"
+      - ".github/workflows/zarf-lint.yaml"
+
+concurrency:
+  group: zarf-lint-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zarf-lint:
+    runs-on: ubuntu-latest
+    name: Lint Zarf Manifest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Set up Python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version-file: "pyproject.toml"
+
+      - name: Download Zarf Package Schema
+        # TODO: renovate setup
+        run: curl -o zarf.schema.json https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.14.0/zarf.schema.json
+
+      - name: Install jsonschema
+        run: pip install check-jsonschema==0.28.0
+
+      - name: Validate API zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/api/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate llama-cpp-python zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/llama-cpp-python/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate repeater zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/repeater/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate supabase zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/supabase/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate text-embeddings zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/text-embeddings/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate UI zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/ui/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate vllm zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/vllm/zarf.yaml --schemafile zarf.schema.json
+
+      - name: Validate whisper zarf.yaml
+        if: always()
+        run: |
+          check-jsonschema packages/whisper/zarf.yaml --schemafile zarf.schema.json

.gitignore

@@ -32,6 +32,7 @@ src/leapfrogai_api/config.yaml
 node_modules
 package.json
 package-lock.json
+**/*.schema.json
 
 # local model and tokenizer files
 *.bin

.hadolint.yaml

@@ -0,0 +1,13 @@
+failure-threshold: error
+# TODO: slowly burn down these lower priority container warnings and errors, issue #984
+ignored:
+  - DL3007 # use of latest image
+  - DL3042 # pip --no-cache-dir
+  - DL4006 # shell usage warning
+  - DL3009 # apt-get list
+  - DL3015 # --no-install-recommends
+  - DL3018 # pinning distro package versions
+  - DL3008 # pinning distro package versions
+  - DL3045 # usage of relative COPY
+  - DL3002 # last user as root
+  - SC2086 # double quote vs single quote usage