break: Revamped schema based on ecosystem feedback (#96)

Signed-off-by: Eddie Knight <[email protected]>

.github/workflows/ci.yml

@@ -0,0 +1,26 @@
+---
+name: CI Checks
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  main:
+    name: Validate Template with Schema
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+
+      - name: Setup Cue
+        uses: cue-lang/[email protected]
+        with:
+          cue-version: 0.11.0
+
+      - name: Validate template-full.yml
+        run: cue vet template-full.yml schema.cue
+
+      - name: Validate template-minimum.yml
+        run: cue vet template-minimum.yml schema.cue

schema.cue

@@ -0,0 +1,152 @@
+//// Definitions ////
+
+import (
+  "time"
+)
+
+#URL: =~"^https?://[^\\s]+$"
+#Email: =~"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$"
+#Date: time.Format("2006-01-02")
+
+#Assessment: {
+  comment:   string
+  name?:     string
+  evidence?: #URL
+  date?:     #Date
+}
+
+#Attestation: {
+  name:            string
+  location:        #URL
+  "predicate-uri": string
+  comment?:         string
+}
+
+#Contact: {
+  name:         string
+  primary:      bool
+  affiliation?: string
+  email?:       #Email
+  social?:      string
+}
+
+#License: {
+  url:        #URL
+  expression: string
+}
+
+#Link: {
+  uri:     string
+  comment: string
+}
+
+//// Schema ////
+
+header: {
+  "last-reviewed":      #Date
+  "last-updated":       #Date
+  "schema-version":     string
+  url:                  #URL
+  comment?:             string
+  "project-si-source"?: #URL
+}
+
+project?: {
+  name:      string
+  homepage:  #URL
+  funding:   #URL
+  roadmap:   #URL
+
+  administrators: [...#Contact]
+
+  repositories: [...{
+    name:    string
+    comment: string
+    url:     #URL
+  }]
+
+  "vulnerability-reporting": {
+    "reports-accepted":       bool
+    "bug-bounty-available":   bool
+    "bug-bounty-program"?:     #URL
+    contact?:                  #Contact
+    comment?:                  string
+    "security-policy"?:        #URL
+    "pgp-key"?:                string
+
+    "in-scope"?:               [...string]
+    "out-of-scope"?:           [...string]
+  }
+
+  documentation?: {
+    "detailed-guide"?:        #URL
+    "code-of-conduct"?:       #URL
+    "quickstart-guide"?:       #URL
+    "release-process"?:       #URL
+    "signature-verification"?: #URL
+  }
+}
+
+repository?: {  
+  status: "active" | "abandoned" | "concept" | "inactive" | "moved" | "suspended" | "unsupported" | "WIP"
+
+  "accepts-change-request":           bool
+  "accepts-automated-change-request": bool
+  "bug-fixes-only":                   bool
+  "no-third-party-packages":          bool
+  url:                                #URL
+
+  "core-team": [...#Contact]
+
+  license: #License
+
+  security: {
+    assessments: {
+      self: #Assessment
+      "third-party"?: [...#Assessment]
+    }
+
+    champions?: [...#Contact]
+
+    tools?: [...{
+      name:     string
+      type: "fuzzing" | "container" | "secret" | "SCA" | "SAST" | "other"
+      version?: string
+      comment?: string
+
+      rulesets: [...string]
+
+      integration: {
+        adhoc:   bool
+        ci:      bool
+        release: bool
+      }
+
+      results: {
+        adhoc?: #Attestation
+        ci?: #Attestation
+        release?: #Attestation
+      }
+
+    }]
+  }
+
+  documentation?: {
+    "contributing-guide"?:           #URL
+    "dependency-management-policy"?: #URL
+    governance?:                     #URL
+    "review-policy"?:                #URL
+    "security-policy"?:              #URL
+  }
+
+  release?: {
+    "automated-pipeline": bool
+
+    "distribution-points": [...#Link]
+
+    changelog?:    #URL
+    license?:      #License
+
+    attestations?: [...#Attestation]
+  }
+}