Merge pull request #7 from OpenCHAMI/feature/upgrade-fabrica

Feature/upgrade fabrica

Author: alexlovelltroy

.fabrica.yaml

@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2026 OpenCHAMI Contributors
+#
+# SPDX-License-Identifier: MIT
+
+project:
+  name: boot-service
+  module: github.com/openchami/boot-service
+  description: OpenCHAMI boot service with Fabrica-generated REST APIs and legacy BSS compatibility
+  created: 2025-01-01T00:00:00Z
+features:
+  validation:
+    enabled: true
+    mode: strict
+  events:
+    enabled: false
+    bus_type: memory
+  conditional:
+    enabled: true
+    etag_algorithm: sha256
+  auth:
+    enabled: true
+  security:
+    authn:
+      enabled: true
+    authz:
+      enabled: false
+      mode: enforce
+  storage:
+    enabled: true
+    type: file
+  metrics:
+    enabled: false
+generation:
+  handlers: true
+  storage: true
+  client: true
+  openapi: true
+  events: false
+  middleware: true
+  reconciliation: false

.github/copilot-instructions.md

@@ -33,14 +33,15 @@ Client → Chi Router → [Auth Middleware] → Generated Handlers → Storage B
 **NEVER manually edit `*_generated.go` files.** All handlers, storage, and client code is generated from resource definitions.
 
 ```bash
-# After modifying resources in pkg/resources/*/
+# After modifying resources in apis/boot.openchami.io/v1/
 fabrica generate --handlers --storage --openapi --client
 
 # Or use the Makefile
 make dev  # clean + generate + build
 ```
 
-Resources are defined in `pkg/resources/{node,bootconfiguration,bmc}/` with `Spec` (desired state) and `Status` (observed state) structs.
+Resources are defined in `apis/boot.openchami.io/v1/` with `Spec` (desired state) and `Status` (observed state) structs.
+The `pkg/resources/*` tree is deprecated and should not be used for new code.
 
 ### Building
 
@@ -271,7 +272,7 @@ GoReleaser config: `.goreleaser.yaml` (v2.4.4 compatible, no sboms).
 ## Key Files Reference
 
 - `cmd/server/main.go` - Server entrypoint with Cobra CLI and config loading
-- `pkg/resources/*/` - Resource definitions (edit these, not generated files)
+- `apis/boot.openchami.io/v1/` - Resource definitions (edit these, not generated files)
 - `pkg/controllers/bootscript/` - Boot logic, config matching, iPXE generation
 - `pkg/handlers/legacy/` - BSS compatibility layer
 - `pkg/auth/` - TokenSmith integration and testing utilities

.github/workflows/PRBuild.yaml

@@ -0,0 +1,107 @@
+# Copyright © 2025 OpenCHAMI a Series of LF Projects, LLC
+#
+# SPDX-License-Identifier: MIT
+
+name: Build each PR for testing and validation
+
+on:
+    pull_request:
+        branches:
+            - main
+        types: [opened, synchronize, reopened, edited]
+    workflow_dispatch:
+      inputs:
+        pr_number:
+          description: 'PR Number to build (optional, for manual PR builds)'
+          required: false
+          type: string
+
+permissions: write-all # Necessary for the generate-build-provenance action with containers
+
+jobs:
+
+  build:
+
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Set up latest stable Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver-opts: |
+            image=moby/buildkit:master
+            network=host
+      - name: Docker Login
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: 1
+          fetch-depth: 0
+      # Set environment variables required by GoReleaser
+      - name: Set build environment variables
+        run: |
+          echo "GIT_STATE=$(if git diff-index --quiet HEAD --; then echo 'clean'; else echo 'dirty'; fi)" >> $GITHUB_ENV
+          echo "BUILD_HOST=$(hostname)" >> $GITHUB_ENV
+          echo "GO_VERSION=$(go version | awk '{print $3}')" >> $GITHUB_ENV
+          echo "BUILD_USER=$(whoami)" >> $GITHUB_ENV
+          echo "CGO_ENABLED=0" >> $GITHUB_ENV
+          echo "IS_PR_BUILD=true" >> $GITHUB_ENV
+
+      - name: Docker Login
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create Tag for PR
+        if: github.event_name == 'pull_request' || (github.event_name == 'workflow_dispatch' && inputs.pr_number != '')
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          PR_NUM="${{ github.event.number }}"
+          if [[ "${{ inputs.pr_number }}" != "" ]]; then
+            PR_NUM="${{ inputs.pr_number }}"
+          fi
+          git tag -f -a pr-${PR_NUM} -m "PR Release"
+
+      - name: Build/Push container with goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          version: '~> 2'
+          args: release --clean --skip=announce,validate,archive
+        id: goreleaser
+      - name: Process goreleaser output
+        id: process_goreleaser_output
+        run: |
+          echo "const fs = require('fs');" > process.js
+          echo 'const artifacts = ${{ steps.goreleaser.outputs.artifacts }}' >> process.js
+          echo "const firstNonNullDigest = artifacts.find(artifact => artifact.extra && artifact.extra.Digest != null)?.extra.Digest;" >> process.js
+          echo "console.log(firstNonNullDigest);" >> process.js
+          echo "fs.writeFileSync('digest.txt', firstNonNullDigest);" >> process.js
+          node process.js
+          echo "digest=$(cat digest.txt)" >> $GITHUB_OUTPUT
+      - name: Attest Binaries
+        uses: actions/attest-build-provenance@v4.1.0
+        with:
+          subject-path: dist/**/boot-*
+      - name: generate build provenance
+        uses: actions/attest-build-provenance@v4.1.0
+        with:
+          subject-name: ghcr.io/openchami/boot-service
+          subject-digest: ${{ steps.process_goreleaser_output.outputs.digest }}
+          push-to-registry: true

.github/workflows/REUSE.yaml

@@ -0,0 +1,16 @@
+# Copyright © 2025 OpenCHAMI a Series of LF Projects, LLC
+# SPDX-FileCopyrightText: 2020 Free Software Foundation Europe e.V.
+#
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-License-Identifier: MIT
+name: REUSE Compliance Check
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6.0.2
+      - name: REUSE Compliance Check
+        uses: fsfe/reuse-action@v6

.github/workflows/Release.yaml

@@ -0,0 +1,77 @@
+# Copyright © 2025 OpenCHAMI a Series of LF Projects, LLC
+#
+# SPDX-License-Identifier: MIT
+
+name: Release with goreleaser
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - v*
+
+permissions: write-all # Necessary for the generate-build-provenance action with containers
+
+jobs:
+
+  build:
+
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Set up latest stable Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Docker Login
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: 1
+          fetch-depth: 0
+      # Set environment variables required by GoReleaser
+      - name: Set build environment variables
+        run: |
+          echo "GIT_STATE=$(if git diff-index --quiet HEAD --; then echo 'clean'; else echo 'dirty'; fi)" >> $GITHUB_ENV
+          echo "BUILD_HOST=$(hostname)" >> $GITHUB_ENV
+          echo "GO_VERSION=$(go version | awk '{print $3}')" >> $GITHUB_ENV
+          echo "BUILD_USER=$(whoami)" >> $GITHUB_ENV
+          echo "CGO_ENABLED=0" >> $GITHUB_ENV
+          echo "IS_PR_BUILD=false" >> $GITHUB_ENV
+
+      - name: Release with goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          version: latest
+          args: release --clean
+        id: goreleaser
+      - name: Process goreleaser output
+        id: process_goreleaser_output
+        run: |
+          echo "const fs = require('fs');" > process.js
+          echo 'const artifacts = ${{ steps.goreleaser.outputs.artifacts }}' >> process.js
+          echo "const firstNonNullDigest = artifacts.find(artifact => artifact.extra && artifact.extra.Digest != null)?.extra.Digest;" >> process.js
+          echo "console.log(firstNonNullDigest);" >> process.js
+          echo "fs.writeFileSync('digest.txt', firstNonNullDigest);" >> process.js
+          node process.js
+          echo "digest=$(cat digest.txt)" >> $GITHUB_OUTPUT
+      - name: Attest Binaries
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: dist/boot-service*
+      - name: generate build provenance
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ghcr.io/openchami/boot-service
+          subject-digest: ${{ steps.process_goreleaser_output.outputs.digest }}
+          push-to-registry: true

.github/workflows/golangci-lint.yaml

@@ -0,0 +1,20 @@
+# Copyright © 2025 OpenCHAMI a Series of LF Projects, LLC
+#
+# SPDX-License-Identifier: MIT
+name: golangci-lint
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest

.github/workflows/scorecard.yml

@@ -0,0 +1,82 @@
+# Copyright © 2025 OpenCHAMI a Series of LF Projects, LLC
+#
+# SPDX-License-Identifier: MIT
+
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '39 5 * * 1'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+          # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
+          # file_mode: git
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif