feat: Improvements (#2)

- Use single Application
- Update CI/CD
- Renovate bot
- CLI Improvements

Author: user-cube

.github/workflows/ci.yml

@@ -0,0 +1,109 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Go Tests
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: cli
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: cli/go.mod
+          cache-dependency-path: cli/go.sum
+
+      - name: Run tests
+        run: go test -race -coverprofile=coverage.out ./...
+
+      - name: Upload coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: cli/coverage.out
+
+  lint:
+    name: Go Lint
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: cli
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: cli/go.mod
+          cache-dependency-path: cli/go.sum
+
+      - uses: golangci/golangci-lint-action@v9
+        with:
+          working-directory: cli
+
+  helm-lint:
+    name: Helm Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: azure/setup-helm@v4
+
+      - name: Lint all charts
+        run: |
+          helm lint apps/
+          for chart in components/*/; do
+            echo "Linting $chart..."
+            if grep -q "^dependencies:" "$chart/Chart.yaml"; then
+              helm dependency build "$chart"
+            fi
+            values_args=""
+            if [ -f "$chart/values/base.yaml" ]; then
+              values_args="-f $chart/values/base.yaml"
+            fi
+            helm lint "$chart" $values_args
+          done
+
+  helm-validate:
+    name: Helm Validate Values
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        environment: [dev, staging, prod]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: azure/setup-helm@v4
+
+      - name: Build chart dependencies
+        run: |
+          for chart in components/*/; do
+            if grep -q "^dependencies:" "$chart/Chart.yaml"; then
+              helm dependency build "$chart"
+            fi
+          done
+
+      - name: Validate apps values
+        run: helm template apps/ -f apps/values/${{ matrix.environment }}.yaml
+
+      - name: Validate component values
+        run: |
+          for chart in components/*/; do
+            name=$(basename "$chart")
+            base="$chart/values/base.yaml"
+            env_file="$chart/values/${{ matrix.environment }}.yaml"
+            if [ -f "$base" ] && [ -f "$env_file" ]; then
+              echo "Validating $name for ${{ matrix.environment }}..."
+              helm template "$chart" -f "$base" -f "$env_file"
+            fi
+          done

.github/workflows/release.yml

@@ -36,6 +36,33 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  build-cli:
+    name: Build CLI Binaries
+    runs-on: ubuntu-latest
+    needs: release
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: cli/go.mod
+          cache-dependency-path: cli/go.sum
+
+      - name: Get latest tag
+        id: tag
+        run: echo "version=$(git describe --tags --abbrev=0 2>/dev/null || echo '')" >> "$GITHUB_OUTPUT"
+
+      - name: Run GoReleaser
+        if: steps.tag.outputs.version != ''
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   docs-build:
     runs-on: ubuntu-latest
     needs: release

.gitignore

@@ -17,17 +17,17 @@ secrets/
 
 # Binaries
 cli/cluster-bootstrap
-*.enc.yaml
-.sops.yaml
 
 # Sops
 age-key.txt
 repo-ssh-key.pem
 .env
+test_secrets/*
+.sops-test.yaml
 
 # MkDocs
 site/
 venv
 
 # Node
-node_modules/
+node_modules/

.goreleaser.yml

@@ -0,0 +1,30 @@
+project_name: cluster-bootstrap
+
+before:
+  hooks:
+    - go mod tidy
+
+builds:
+  - main: ./main.go
+    dir: cli
+    binary: cluster-bootstrap
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w
+
+archives:
+  - format: tar.gz
+    name_template: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}"
+
+checksum:
+  name_template: "checksums.txt"
+
+changelog:
+  skip: true

.pre-commit-config.yaml

@@ -0,0 +1,33 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-yaml
+        args: ["--allow-multiple-documents"]
+        exclude: "(cli/testdata/invalid\\.sops\\.yaml$|.*/templates/.*\\.yaml$)"
+      - id: check-merge-conflict
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: detect-private-key
+        exclude: "secrets\\..*\\.enc\\.yaml$"
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.22.1
+    hooks:
+      - id: gitleaks
+
+  - repo: local
+    hooks:
+      - id: go-fmt
+        name: go fmt
+        entry: bash -c 'cd cli && go fmt ./...'
+        language: system
+        types: [go]
+        pass_filenames: false
+
+      - id: go-vet
+        name: go vet
+        entry: bash -c 'cd cli && go vet ./...'
+        language: system
+        types: [go]
+        pass_filenames: false

README.md

@@ -19,15 +19,15 @@ Online documentation available at [Cluster Boostrap Docs](https://user-cube.gith
 - `helm` (for local template testing)
 - `sops` and `age` (for secrets encryption/decryption)
 - `go` 1.25+ (to build the CLI)
-- `task` (task runner for CLI development)
+- `task` ([Task runner](https://taskfile.dev/))
+- `pre-commit` ([pre-commit hooks](https://pre-commit.com/))
 - SSH private key with read access to this repo
 
 ## Quick Start
 
 ### 1. Build the CLI
 
 ```bash
-cd cli
 task build
 ```
 
@@ -67,14 +67,16 @@ kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.pas
 ```
 CLI bootstrap  →  ArgoCD + App of Apps (root Application)
                         ↓
-                   apps/ (Helm chart generating Application CRs)
+                   apps/ (Helm chart with dynamic template)
                         ↓
               components/argocd/  (self-managed ArgoCD)
               components/xxx/    (other components)
 ```
 
 ArgoCD manages itself — changes pushed to this repo are automatically synced.
 
+The `apps/` chart uses a **single dynamic template** that iterates over a `components` map defined in `apps/values.yaml`. Adding a new component requires only a new entry in the values — no template files to create or copy.
+
 ## Components
 
 | Component | Namespace | Sync Wave | Description |
@@ -96,10 +98,58 @@ ArgoCD manages itself — changes pushed to this repo are automatically synced.
 | `init` | Interactive setup for SOPS config and encrypted secrets files |
 | `vault-token` | Store Vault root token as Kubernetes secret |
 
+## Development
+
+### Setup
+
+```bash
+pre-commit install
+```
+
+### Available tasks
+
+Run `task --list` to see all available tasks. The most common ones:
+
+```bash
+task test         # Run Go tests with coverage
+task lint         # Run golangci-lint
+task helm-lint    # Lint Helm charts with templates
+task fmt          # Format Go source files
+task vet          # Run Go vet
+task docs-serve   # Serve MkDocs documentation locally
+```
+
+### Secrets example
+
+`secrets.example.enc.yaml` contains the expected secrets structure. To create a new environment:
+
+```bash
+cp secrets.example.enc.yaml secrets.myenv.enc.yaml
+sops --encrypt --in-place secrets.myenv.enc.yaml
+```
+
+Or use the CLI interactively: `./cli/cluster-bootstrap init myenv`
+
+To use a custom `.sops.yaml` path, set `SOPS_CONFIG` in your `.env`:
+
+```bash
+SOPS_CONFIG=/path/to/custom/.sops.yaml
+```
+
 ## Environments
 
 | Environment | Values File | Description |
 |-------------|-------------|-------------|
 | dev | `apps/values/dev.yaml` | Local/development clusters, minimal resources |
 | staging | `apps/values/staging.yaml` | Pre-production, moderate resources |
 | prod | `apps/values/prod.yaml` | Production, HA configuration |
+
+Environment files only need to set the `environment` key. Component defaults (namespace, sync wave, syncOptions, etc.) are defined in `apps/values.yaml`. To disable a component per environment:
+
+```yaml
+# apps/values/dev.yaml
+environment: dev
+components:
+  trivy-operator:
+    enabled: false
+```

Taskfile.yml

@@ -0,0 +1,46 @@
+version: "3"
+
+includes:
+  cli:
+    taskfile: cli/Taskfile.yml
+    dir: cli
+
+tasks:
+  build:
+    desc: Build the CLI binary
+    cmds:
+      - task: cli:build
+
+  test:
+    desc: Run Go tests with coverage
+    dir: cli
+    cmds:
+      - go test -cover ./...
+
+  lint:
+    desc: Run golangci-lint on the CLI
+    dir: cli
+    cmds:
+      - golangci-lint run ./...
+
+  fmt:
+    desc: Format Go source files
+    cmds:
+      - task: cli:fmt
+
+  vet:
+    desc: Run Go vet
+    cmds:
+      - task: cli:vet
+
+  helm-lint:
+    desc: Lint all Helm charts that contain templates
+    cmds:
+      - helm lint apps/
+      - helm lint components/argocd-repo-secret/
+      - helm lint components/vault/
+
+  docs-serve:
+    desc: Serve MkDocs documentation locally
+    cmds:
+      - mkdocs serve