Enhance README.md with detailed project overview, repository layout, release information, and local command instructions for mb3r-stack integration and distribution repository.

Author: a-a-k

.github/workflows/bering-discover.yml

@@ -0,0 +1,122 @@
+name: bering-discover
+
+on:
+  workflow_call:
+    inputs:
+      target-path:
+        type: string
+        default: "."
+      output-dir:
+        type: string
+        default: ".mb3r/bering"
+      command:
+        type: string
+        default: ""
+      image-ref:
+        type: string
+        default: "TODO-SET-BERING-IMAGE"
+      artifact-name:
+        type: string
+        default: "mb3r-bering-discovery"
+      upload-artifact:
+        type: boolean
+        default: true
+    outputs:
+      report-path:
+        description: Discovery envelope JSON path within the artifact.
+        value: ${{ jobs.bering-discover.outputs.report-path }}
+      payload-path:
+        description: Raw discovery payload JSON path within the artifact.
+        value: ${{ jobs.bering-discover.outputs.payload-path }}
+      artifact-name:
+        description: Uploaded artifact name.
+        value: ${{ jobs.bering-discover.outputs.artifact-name }}
+      status:
+        description: Discovery adapter status.
+        value: ${{ jobs.bering-discover.outputs.status }}
+
+jobs:
+  bering-discover:
+    runs-on: ubuntu-latest
+    outputs:
+      report-path: ${{ steps.adapter.outputs.report-path }}
+      payload-path: ${{ steps.adapter.outputs.payload-path }}
+      artifact-name: ${{ steps.adapter.outputs.artifact-name }}
+      status: ${{ steps.adapter.outputs.status }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Run discovery adapter
+        id: adapter
+        shell: bash
+        env:
+          TARGET_PATH: ${{ inputs.target-path }}
+          OUTPUT_DIR: ${{ inputs.output-dir }}
+          COMMAND: ${{ inputs.command }}
+          IMAGE_REF: ${{ inputs.image-ref }}
+          ARTIFACT_NAME: ${{ inputs.artifact-name }}
+        run: |
+          python - <<'PY'
+          import json
+          import os
+          import subprocess
+          from datetime import datetime, timezone
+          from pathlib import Path
+
+          output_dir = Path(os.environ["OUTPUT_DIR"])
+          output_dir.mkdir(parents=True, exist_ok=True)
+          payload_path = output_dir / "bering-payload.json"
+          report_path = output_dir / "bering-discovery.json"
+          command = os.environ.get("COMMAND", "").strip()
+          env = os.environ.copy()
+          env["MB3R_TARGET_PATH"] = os.environ["TARGET_PATH"]
+          env["MB3R_PAYLOAD_JSON"] = str(payload_path)
+          env["MB3R_IMAGE_REF"] = os.environ["IMAGE_REF"]
+
+          exit_code = 0
+          status = "pending"
+          if command:
+              exit_code = subprocess.run(command, shell=True, env=env, check=False).returncode
+              status = "success" if exit_code == 0 else "failed"
+
+          payload = None
+          if payload_path.exists():
+              payload = json.loads(payload_path.read_text(encoding="utf-8"))
+              if exit_code == 0:
+                  status = "success"
+
+          report = {
+              "schemaVersion": "v1alpha1",
+              "kind": "mb3r.bering.discovery",
+              "adapter": "github-reusable-workflow",
+              "generatedAt": datetime.now(timezone.utc).replace(microsecond=0).isoformat(),
+              "targetPath": os.environ["TARGET_PATH"],
+              "imageRef": os.environ["IMAGE_REF"],
+              "command": command,
+              "status": status,
+              "exitCode": exit_code,
+              "payloadPath": payload_path.as_posix(),
+              "artifactName": os.environ["ARTIFACT_NAME"],
+              "payload": payload,
+          }
+          report_path.write_text(json.dumps(report, indent=2) + "\n", encoding="utf-8")
+
+          with open(os.environ["GITHUB_OUTPUT"], "a", encoding="utf-8") as handle:
+              handle.write(f"report-path={report_path.as_posix()}\n")
+              handle.write(f"payload-path={payload_path.as_posix()}\n")
+              handle.write(f"artifact-name={os.environ['ARTIFACT_NAME']}\n")
+              handle.write(f"status={status}\n")
+
+          if exit_code != 0:
+              raise SystemExit(exit_code)
+          PY
+
+      - if: ${{ inputs.upload-artifact }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.adapter.outputs.artifact-name }}
+          path: ${{ inputs.output-dir }}

.github/workflows/ci.yml

@@ -0,0 +1,37 @@
+name: ci
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - uses: azure/setup-helm@v4
+        with:
+          version: v3.15.4
+
+      - name: Install dependencies
+        run: python -m pip install -r requirements.txt
+
+      - name: Validate repository
+        run: make validate
+
+      - name: Package chart
+        run: make chart-package
+
+      - name: Package assets
+        run: make package-assets
+
+      - name: Release dry run
+        run: make release-dry-run

.github/workflows/example-consumer.yml

@@ -0,0 +1,44 @@
+name: example-consumer
+
+on:
+  workflow_dispatch:
+
+jobs:
+  bering:
+    uses: ./.github/workflows/bering-discover.yml
+    with:
+      command: |
+        python - <<'PY'
+        import json
+        import os
+        from pathlib import Path
+        Path(os.environ["MB3R_PAYLOAD_JSON"]).write_text(
+            json.dumps({"summary": "example discovery", "findings": 0}),
+            encoding="utf-8",
+        )
+        PY
+
+  sheaft:
+    needs: bering
+    uses: ./.github/workflows/sheaft-gate.yml
+    with:
+      discovery-artifact-name: ${{ needs.bering.outputs.artifact-name }}
+      command: |
+        python - <<'PY'
+        import json
+        import os
+        from pathlib import Path
+        Path(os.environ["MB3R_PAYLOAD_JSON"]).write_text(
+            json.dumps({"decision": "pass", "summary": "example gate"}),
+            encoding="utf-8",
+        )
+        PY
+
+  report:
+    needs:
+      - bering
+      - sheaft
+    uses: ./.github/workflows/mb3r-report.yml
+    with:
+      discovery-artifact-name: ${{ needs.bering.outputs.artifact-name }}
+      gate-artifact-name: ${{ needs.sheaft.outputs.artifact-name }}

.github/workflows/mb3r-report.yml

@@ -0,0 +1,136 @@
+name: mb3r-report
+
+on:
+  workflow_call:
+    inputs:
+      discovery-artifact-name:
+        type: string
+        default: "mb3r-bering-discovery"
+      gate-artifact-name:
+        type: string
+        default: "mb3r-sheaft-gate"
+      discovery-report-path:
+        type: string
+        default: ".mb3r/bering/bering-discovery.json"
+      gate-report-path:
+        type: string
+        default: ".mb3r/sheaft/sheaft-gate.json"
+      output-dir:
+        type: string
+        default: ".mb3r/report"
+      artifact-name:
+        type: string
+        default: "mb3r-report"
+      upload-artifact:
+        type: boolean
+        default: true
+    outputs:
+      report-json:
+        description: Combined report JSON path within the artifact.
+        value: ${{ jobs.mb3r-report.outputs.report-json }}
+      report-markdown:
+        description: Combined report markdown path within the artifact.
+        value: ${{ jobs.mb3r-report.outputs.report-markdown }}
+      artifact-name:
+        description: Uploaded artifact name.
+        value: ${{ jobs.mb3r-report.outputs.artifact-name }}
+      overall-decision:
+        description: Overall stack decision from the merged report.
+        value: ${{ jobs.mb3r-report.outputs.overall-decision }}
+
+jobs:
+  mb3r-report:
+    runs-on: ubuntu-latest
+    outputs:
+      report-json: ${{ steps.report.outputs.report-json }}
+      report-markdown: ${{ steps.report.outputs.report-markdown }}
+      artifact-name: ${{ steps.report.outputs.artifact-name }}
+      overall-decision: ${{ steps.report.outputs.overall-decision }}
+    steps:
+      - if: ${{ inputs.discovery-artifact-name != '' }}
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.discovery-artifact-name }}
+          path: .mb3r/input-discovery
+
+      - if: ${{ inputs.gate-artifact-name != '' }}
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.gate-artifact-name }}
+          path: .mb3r/input-gate
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Build combined report
+        id: report
+        shell: bash
+        env:
+          DISCOVERY_REPORT_PATH: ${{ inputs.discovery-report-path }}
+          GATE_REPORT_PATH: ${{ inputs.gate-report-path }}
+          OUTPUT_DIR: ${{ inputs.output-dir }}
+          ARTIFACT_NAME: ${{ inputs.artifact-name }}
+        run: |
+          python - <<'PY'
+          import json
+          import os
+          from datetime import datetime, timezone
+          from pathlib import Path
+
+          output_dir = Path(os.environ["OUTPUT_DIR"])
+          output_dir.mkdir(parents=True, exist_ok=True)
+
+          discovery_report = Path(".mb3r/input-discovery") / Path(os.environ["DISCOVERY_REPORT_PATH"]).name
+          gate_report = Path(".mb3r/input-gate") / Path(os.environ["GATE_REPORT_PATH"]).name
+          report_json = output_dir / "mb3r-report.json"
+          report_md = output_dir / "mb3r-report.md"
+
+          discovery = json.loads(discovery_report.read_text(encoding="utf-8"))
+          gate = json.loads(gate_report.read_text(encoding="utf-8"))
+
+          overall_decision = gate.get("decision", "review")
+          combined = {
+              "schemaVersion": "v1alpha1",
+              "kind": "mb3r.stack.report",
+              "adapter": "github-reusable-workflow",
+              "generatedAt": datetime.now(timezone.utc).replace(microsecond=0).isoformat(),
+              "overallDecision": overall_decision,
+              "discovery": {
+                  "status": discovery.get("status"),
+                  "path": discovery_report.as_posix(),
+                  "artifactName": discovery.get("artifactName"),
+              },
+              "gate": {
+                  "decision": gate.get("decision"),
+                  "status": gate.get("status"),
+                  "path": gate_report.as_posix(),
+                  "artifactName": gate.get("artifactName"),
+              },
+          }
+          report_json.write_text(json.dumps(combined, indent=2) + "\n", encoding="utf-8")
+
+          markdown = "\n".join(
+              [
+                  "# MB3R Report",
+                  "",
+                  f"- Generated at: {combined['generatedAt']}",
+                  f"- Discovery status: {combined['discovery']['status']}",
+                  f"- Gate status: {combined['gate']['status']}",
+                  f"- Overall decision: {combined['overallDecision']}",
+              ]
+          )
+          report_md.write_text(markdown + "\n", encoding="utf-8")
+
+          with open(os.environ["GITHUB_OUTPUT"], "a", encoding="utf-8") as handle:
+              handle.write(f"report-json={report_json.as_posix()}\n")
+              handle.write(f"report-markdown={report_md.as_posix()}\n")
+              handle.write(f"artifact-name={os.environ['ARTIFACT_NAME']}\n")
+              handle.write(f"overall-decision={overall_decision}\n")
+          PY
+
+      - if: ${{ inputs.upload-artifact }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.report.outputs.artifact-name }}
+          path: ${{ inputs.output-dir }}

.github/workflows/release.yml

@@ -0,0 +1,51 @@
+name: release
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - uses: azure/setup-helm@v4
+        with:
+          version: v3.15.4
+
+      - name: Install dependencies
+        run: python -m pip install -r requirements.txt
+
+      - name: Build release assets
+        run: make release-dry-run
+
+      - name: Log in to GHCR
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+      - name: Push OCI chart
+        shell: bash
+        run: |
+          chart_file=$(find dist/charts -maxdepth 1 -name '*.tgz' | head -n 1)
+          helm push "$chart_file" "oci://ghcr.io/${{ github.repository_owner }}/charts"
+
+      - name: Publish GitHub release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            dist/charts/*.tgz
+            dist/assets/*.tgz
+            dist/stack-manifest.json
+            dist/compatibility-matrix.json
+            dist/SHA256SUMS.txt
+            dist/sbom.cdx.json