.github/ISSUE_TEMPLATE/tech_debt.md

@@ -10,7 +10,7 @@ assignees: ''
 A clear and concise description of what should be changed/researched. Ex. This piece of the code is not DRY enough [...]
 
 ### Links to any relevant code
-(optional) i.e. - https://github.com/defenseunicorns/zarf/blob/main/README.md?plain=1#L1
+(optional) i.e. - https://github.com/zarf-dev/zarf/blob/main/README.md?plain=1#L1
 
 ### Additional context
 Add any other context or screenshots about the technical debt here.

.github/SECURITY.md

@@ -1,6 +1,6 @@
 # Reporting Security Issues
 
-To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/defenseunicorns/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/zarf-dev/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
 
 ### When Should I Report a Vulnerability?
 

.github/pull_request_template.md

@@ -11,4 +11,4 @@ Relates to #
 ## Checklist before merging
 
 - [ ] Test, docs, adr added or updated as needed
-- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed
+- [ ] [Contributor Guide Steps](https://github.com/zarf-dev/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed

.github/workflows/build-rust-injector.yml

@@ -2,25 +2,21 @@ name: Zarf Injector Rust Binaries
 
 permissions:
   contents: read
+  id-token: write
 
 on:
   workflow_dispatch:
     inputs:
       versionTag:
         description: "Version tag"
         required: true
-      branchName:
-        description: "Branch to build the injector from"
-        required: true
 
 jobs:
   build-injector:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout Repo"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          ref: ${{ github.event.inputs.branchName }}
 
       - name: Install tools
         uses: ./.github/actions/install-tools
@@ -37,13 +33,14 @@ jobs:
           shasum zarf-injector-amd64 >> checksums.txt
           shasum zarf-injector-arm64 >> checksums.txt
 
-      - name: Set AWS Credentials
+      - name: Auth with AWS
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
-          aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
-          aws-region: us-gov-west-1
+          role-to-assume: ${{ secrets.AWS_WRITE_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
+          aws-region: us-east-2
+          role-duration-seconds: 3600
 
       - name: Sync Artifacts to S3
         run: |
-          aws s3 sync src/injector/dist/ s3://zarf-public/injector/${{ github.event.inputs.versionTag }}/
+          aws s3 sync src/injector/dist/ s3://zarf-init/injector/${{ github.event.inputs.versionTag }}/

.github/workflows/dummy-dco.yaml

@@ -0,0 +1,12 @@
+name: DCO
+on:
+  merge_group:
+
+permissions:
+  contents: read
+
+jobs:
+  DCO:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "dummy DCO workflow (it won't run any check actually) to trigger by merge_group in order to enable merge queue"

.github/workflows/nightly-ecr.yml

@@ -2,7 +2,6 @@ name: Test ECR Publishing
 on:
   schedule:
    - cron: '0 7 * * * ' ## Every day at 0700 UTC
-
   workflow_dispatch: ## Give us the ability to run this manually
 
 
@@ -28,11 +27,13 @@ jobs:
       - name: Build the Zarf binary
         run: make build-cli-linux-amd
 
-      - name: Configure AWS Credentials
+      - name: Auth with AWS
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
           aws-region: us-east-1
+          role-duration-seconds: 3600
 
       # NOTE: The aws cli will need to be explicitly installed on self-hosted runners
       - name: Login to the ECR Registry

.github/workflows/nightly-eks.yml

@@ -2,7 +2,6 @@ name: Test EKS Cluster
 on:
   schedule:
    - cron: '0 7 * * *' ## Every day at 0700 UTC
-
   workflow_dispatch: ## Give us the ability to run this manually
     inputs:
       cluster_name:
@@ -36,12 +35,13 @@ jobs:
       - name: Build binary and zarf packages
         uses: ./.github/actions/packages
 
-      - name: Configure AWS Credentials
+      - name: Auth with AWS
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
+          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
           aws-region: us-east-1
-          role-duration-seconds: 14400
+          role-duration-seconds: 7200
 
       - name: Build the eks package
         run: ./build/zarf package create packages/distros/eks -o build --confirm
@@ -55,7 +55,23 @@ jobs:
             --confirm
 
       - name: Run tests
-        run: make test-e2e ARCH=amd64
+        run: make test-e2e-with-cluster ARCH=amd64
+
+      - name: get pods
+        if: always()
+        run: kubectl get pods -n kiwix -o yaml
+
+      - name: describe pod
+        if: always()
+        run: kubectl describe pods -n kiwix
+
+      - name: get nodes
+        if: always()
+        run: kubectl get nodes -o yaml
+
+      - name: describe nodes
+        if: always()
+        run: kubectl describe nodes
 
       - name: Teardown the cluster
         if: always()

.github/workflows/publish-application-packages.yml

@@ -23,7 +23,7 @@ jobs:
           ref: ${{ github.event.inputs.branchName }}
 
       - name: Install The Latest Release Version of Zarf
-        uses: defenseunicorns/setup-zarf@f95763914e20e493bb5d45d63e30e17138f981d6 # v1.0.0
+        uses: defenseunicorns/setup-zarf@10e539efed02f75ec39eb8823e22a5c795f492ae #v1.0.1
 
       - name: "Login to GHCR"
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -39,11 +39,11 @@ jobs:
           zarf package create -o build -a arm64 examples/dos-games --signing-key=awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} --confirm
 
           # Publish a the signed dos-games package
-          zarf package publish ./build/zarf-package-dos-games-amd64-1.0.0.tar.zst oci://ghcr.io/defenseunicorns/packages --key=https://zarf.dev/cosign.pub
-          zarf package publish ./build/zarf-package-dos-games-arm64-1.0.0.tar.zst oci://ghcr.io/defenseunicorns/packages --key=https://zarf.dev/cosign.pub
+          zarf package publish ./build/zarf-package-dos-games-amd64-1.0.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub
+          zarf package publish ./build/zarf-package-dos-games-arm64-1.0.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub
 
           # Publish a skeleton of the dos-games package
-          zarf package publish examples/dos-games oci://ghcr.io/defenseunicorns/packages
+          zarf package publish examples/dos-games oci://ghcr.io/zarf-dev/packages
         env:
           AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
           AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}

.github/workflows/release.yml

@@ -42,13 +42,13 @@ jobs:
         run: |
           cp build/zarf build/zarf-linux-amd64
           cp build/zarf-arm build/zarf-linux-arm64
-          docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/zarf/agent:$GITHUB_REF_NAME .
+          docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME .
           rm build/zarf-linux-amd64
           rm build/zarf-linux-arm64
-          echo ZARF_AGENT_IMAGE_DIGEST=$(docker buildx imagetools inspect ghcr.io/defenseunicorns/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest) >> $GITHUB_ENV
+          echo ZARF_AGENT_IMAGE_DIGEST=$(docker buildx imagetools inspect ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest) >> $GITHUB_ENV
 
       - name: "Zarf Agent: Sign the Image"
-        run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/defenseunicorns/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y
+        run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/zarf-dev/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y
         env:
           COSIGN_EXPERIMENTAL: 1
           AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
@@ -63,8 +63,8 @@ jobs:
 
       - name: Publish Init Package as OCI and Skeleton
         run: |
-          make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
-          make publish-init-package ARCH=arm64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
+          make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/zarf-dev/packages
+          make publish-init-package ARCH=arm64 REPOSITORY_URL=ghcr.io/zarf-dev/packages
 
       # Create a CVE report based on this build
       - name: Create release time CVE report
@@ -139,14 +139,6 @@ jobs:
           name: build-artifacts
           path: build/
 
-      # Set up AWS credentials for GoReleaser to upload backups of artifacts to S3
-      - name: Set AWS Credentials
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
-        with:
-          aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
-          aws-region: us-gov-west-1
-
       - name: Make zarf executable and skip brew latest for pre-release tags
         run: |
           chmod +x build/zarf

.github/workflows/test-upgrade.yml

@@ -73,7 +73,7 @@ jobs:
           chmod +x build/zarf
 
       - name: Install release version of Zarf
-        uses: defenseunicorns/setup-zarf@f95763914e20e493bb5d45d63e30e17138f981d6 # v1.0.0
+        uses: defenseunicorns/setup-zarf@10e539efed02f75ec39eb8823e22a5c795f492ae #v1.0.1
         with:
           download-init-package: true
 

.golangci.yaml

@@ -14,6 +14,8 @@ linters:
     - goimports
     - nolintlint
     - testifylint
+    - whitespace
+    - errorlint
 linters-settings:
   govet:
     enable-all: true
@@ -56,6 +58,7 @@ linters-settings:
   testifylint:
     enable-all: true
   errcheck:
+    check-type-assertions: true
     exclude-functions:
       - (*github.com/spf13/cobra.Command).Help
       - (*github.com/spf13/cobra.Command).MarkFlagRequired

.goreleaser.yaml

@@ -17,7 +17,7 @@ builds:
       - darwin
       - windows
     ldflags:
-      - -s -w -X github.com/defenseunicorns/zarf/src/config.CLIVersion={{.Tag}}
+      - -s -w -X github.com/zarf-dev/zarf/src/config.CLIVersion={{.Tag}}
       - -X k8s.io/component-base/version.gitVersion=v{{.Env.K8S_MODULES_MAJOR_VER}}.{{.Env.K8S_MODULES_MINOR_VER}}.{{.Env.K8S_MODULES_PATCH_VER}}
       - -X k8s.io/component-base/version.gitCommit={{.FullCommit}}
       - -X k8s.io/component-base/version.buildDate={{.Date}}
@@ -27,9 +27,9 @@ builds:
       - -X helm.sh/helm/v3/pkg/chartutil.k8sVersionMinor={{.Env.K8S_MODULES_MINOR_VER}}
       - -X github.com/derailed/k9s/cmd.version={{.Env.K9S_VERSION}}
       - -X github.com/google/go-containerregistry/cmd/crane/cmd.Version={{.Env.CRANE_VERSION}}
-      - -X github.com/defenseunicorns/zarf/src/cmd/tools.syftVersion={{.Env.SYFT_VERSION}}
-      - -X github.com/defenseunicorns/zarf/src/cmd/tools.archiverVersion={{.Env.ARCHIVER_VERSION}}
-      - -X github.com/defenseunicorns/zarf/src/cmd/tools.helmVersion={{.Env.HELM_VERSION}}
+      - -X github.com/zarf-dev/zarf/src/cmd/tools.syftVersion={{.Env.SYFT_VERSION}}
+      - -X github.com/zarf-dev/zarf/src/cmd/tools.archiverVersion={{.Env.ARCHIVER_VERSION}}
+      - -X github.com/zarf-dev/zarf/src/cmd/tools.helmVersion={{.Env.HELM_VERSION}}
     goarch:
       - amd64
       - arm64
@@ -64,7 +64,7 @@ changelog:
 # NOTE: We are explicitly adding the init-packages that are built prior to GoReleaser stage in the GitHub Actions workflow
 release:
   github:
-    owner: defenseunicorns
+    owner: zarf-dev
     name: zarf
   prerelease: auto
   mode: append
@@ -107,10 +107,3 @@ brews:
     commit_msg_template: "build(release): {{ .ProjectName }}@{{ .Tag }}"
     homepage: "https://zarf.dev/"
     description: "DevSecOps for Air Gap"
-
-# Upload artifact backups to s3
-blobs:
-  - provider: s3
-    region: us-gov-west-1
-    bucket: zarf-public
-    directory: "release/{{.Version}}"

CODEOWNERS

@@ -1,5 +1,6 @@
-* @defenseunicorns/zarf @dgershman
+* @zarf-dev/maintainers @zarf-dev/reviewers
 
-/CODEOWNERS @jeff-mccoy @austenbryan
-/cosign.pub @jeff-mccoy @austenbryan
-/LICENSE @jeff-mccoy @austenbryan
+/CODEOWNERS @zarf-dev/tsc
+/cosign.pub @zarf-dev/tsc
+/LICENSE @zarf-dev/tsc
+/CHARTER.pdf @zarf-dev/tsc