refactor!: de-zarfify maru-runner (#73)

## Description

This PR removes Zarf as a dependency of Maru, and proposes the following
breaking changes to the library API surface:

1. Creating a simple registration system for `./` prefixed apps
2. Not reaching into os.Env within library code (i.e. when processing
`RUN_<VAR>`)

This also proposes the following feature breaking changes:

1. Drop support for `files`.

## Related Issue

Fixes #23 
Fixes #60

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [X] Other (security config, docs update, etc)

## Checklist before merging

- [X] Test, docs, adr added or updated as needed
- [X] [Contributor Guide
Steps](https://github.com/defenseunicorns/maru-runner/blob/main/CONTRIBUTING.md)
followed

---------

Co-authored-by: Eric Wyles <[email protected]>

Author: Racer159

.github/ISSUE_TEMPLATE/bug_report.md

@@ -2,7 +2,7 @@
 name: Bug report
 about: Create a report to help us improve
 title: ''
-labels: possible-bug
+labels: 'possible-bug 🐛'
 assignees: ''
 ---
 

.github/ISSUE_TEMPLATE/feature_request.md

@@ -2,7 +2,7 @@
 name: Feature request
 about: Suggest an idea for this project
 title: ''
-labels: 'enhancement'
+labels: 'enhancement ✨'
 assignees: ''
 ---
 

.github/ISSUE_TEMPLATE/tech_debt.md

@@ -2,7 +2,7 @@
 name: Tech debt
 about: Record something that should be investigated or refactored in the future.
 title: ''
-labels: 'tech-debt'
+labels: 'tech-debt 💳'
 assignees: ''
 ---
 
@@ -12,7 +12,7 @@ A clear and concise description of what should be changed/researched. Ex. This p
 
 ### Links to any relevant code
 
-(optional) i.e. - <https://github.com/defenseunicorns/uds-template-capability/blob/main/README.md?plain=1#L1>
+(optional) i.e. - <https://github.com/defenseunicorns/maru-runner/blob/main/README.md?plain=1#L1>
 
 ### Additional context
 

.github/workflows/dependency-review.yaml

@@ -0,0 +1,15 @@
+name: Dependency Review
+on: pull_request
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2

.github/workflows/test-schema.yaml

@@ -16,7 +16,7 @@ jobs:
         uses: ./.github/actions/golang
 
       - name: Docs and schemas
-        run: "make schema test-schema"
+        run: make test-schema
 
       - name: Save logs
         if: always()

.github/workflows/test-unit-pr.yaml

@@ -0,0 +1,32 @@
+name: Unit Tests
+on:
+  pull_request:
+    paths-ignore:
+      - "**.md"
+      - "**.jpg"
+      - "**.png"
+      - "**.gif"
+      - "**.svg"
+      - "adr/**"
+      - "docs/**"
+      - "CODEOWNERS"
+      - "goreleaser.yml"
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+  group: unit-runner-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+
+      - name: Setup golang
+        uses: ./.github/actions/golang
+
+      - name: Run unit tests
+        run: |
+          make test-unit

.goreleaser.yaml

@@ -14,7 +14,7 @@ builds:
       - linux
       - darwin
     ldflags:
-      - -s -w -X 'github.com/defenseunicorns/maru-runner/src/config.CLIVersion={{.Tag}}' -X 'github.com/defenseunicorns/zarf/src/config.ActionsCommandZarfPrefix=zarf'
+      - -s -w -X 'github.com/defenseunicorns/maru-runner/src/config.CLIVersion={{.Tag}}'
     goarch:
       - amd64
       - arm64

.grype.yaml

@@ -1,6 +1 @@
 ignore:
-  # This vulnerability does not affect this project as we do not instantiate a rekor client
-  - vulnerability: GHSA-2h5h-59f5-c5x9
-
-  # This vulnerability does not affect this project as we do not instantiate a rekor client
-  - vulnerability: GHSA-frqx-jfcm-6jjr

Makefile

@@ -1,17 +1,40 @@
 # SPDX-License-Identifier: Apache-2.0
-# SPDX-FileCopyrightText: 2023-Present The UDS Authors
+# SPDX-FileCopyrightText: 2023-Present the Maru Authors
 
 ARCH ?= amd64
 CLI_VERSION ?= $(if $(shell git describe --tags),$(shell git describe --tags),"UnknownVersion")
-BUILD_ARGS := -s -w -X 'github.com/defenseunicorns/maru-runner/src/config.CLIVersion=$(CLI_VERSION)' \
-				    -X 'github.com/defenseunicorns/zarf/src/config.ActionsCommandZarfPrefix=zarf'
+BUILD_ARGS := -s -w -X 'github.com/defenseunicorns/maru-runner/src/config.CLIVersion=$(CLI_VERSION)'
+SRC_FILES ?= $(shell find . -type f -name "*.go")
+
+BUILD_CLI_FOR_SYSTEM := build-cli
+UNAME_S := $(shell uname -s)
+UNAME_P := $(shell uname -p)
+ifeq ($(UNAME_S),Darwin)
+	ifeq ($(UNAME_P),i386)
+		BUILD_CLI_FOR_SYSTEM := $(addsuffix -mac-intel,$(BUILD_CLI_FOR_SYSTEM))
+	endif
+	ifeq ($(UNAME_P),arm)
+		BUILD_CLI_FOR_SYSTEM := $(addsuffix -mac-apple,$(BUILD_CLI_FOR_SYSTEM))
+	endif
+else ifeq ($(UNAME_S),Linux)
+	ifeq ($(UNAME_P),x86_64)
+		BUILD_CLI_FOR_SYSTEM := $(addsuffix -linux-amd,$(BUILD_CLI_FOR_SYSTEM))
+	endif
+	ifeq ($(UNAME_P),aarch64)
+		BUILD_CLI_FOR_SYSTEM := $(addsuffix -linux-arm,$(BUILD_CLI_FOR_SYSTEM))
+	endif
+endif
 
 .PHONY: help
 help: ## Display this help information
 	@grep -E '^[0-9a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) \
 	  | sort | awk 'BEGIN {FS = ":.*?## "}; \
 	  {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
+.PHONY: build
+build: ## Build the CLI for the current machine's OS and architecture
+	$(MAKE) $(BUILD_CLI_FOR_SYSTEM)
+
 build-cli-linux-amd: ## Build the CLI for Linux AMD64
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="$(BUILD_ARGS)" -o build/maru main.go
 
@@ -24,14 +47,18 @@ build-cli-mac-intel: ## Build the CLI for Mac Intel
 build-cli-mac-apple: ## Build the CLI for Mac Apple
 	GOOS=darwin GOARCH=arm64 go build -ldflags="$(BUILD_ARGS)" -o build/maru-mac-apple main.go
 
+.PHONY: test-unit
+test-unit: ## Run unit tests
+	cd src/pkg && go test ./... -failfast -v -timeout 30m
+
+.PHONY: test-e2e
 test-e2e: ## Run End to End (e2e) tests
 	cd src/test/e2e && go test -failfast -v -timeout 30m
 
 schema: ## Update JSON schema for maru tasks
 	./hack/generate-schema.sh
 
-test-schema: ## Test if the schema has been modified
-	$(MAKE) schema
+test-schema: schema ## Test if the schema has been modified
 	./hack/test-generate-schema.sh
 
 clean: ## Clean up build artifacts

README.md

@@ -5,10 +5,8 @@
 [![Build Status](https://img.shields.io/github/actions/workflow/status/defenseunicorns/maru-runner/release.yaml)](https://github.com/defenseunicorns/maru-runner/actions/workflows/release.yaml)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/maru-runner/badge)](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/maru-runner)
 
-Maru is a task runner that enables developers to automate builds and perform common shell tasks. It
-uses [Zarf](https://zarf.dev/) under the hood to perform tasks and shares a syntax similar to `zarf.yaml` manifests.
-Many [Zarf Actions features](https://docs.zarf.dev/ref/actions/) are also available in
-the runner.
+Maru is a task runner that enables developers to automate builds and perform common shell tasks and shares a syntax similar to `zarf.yaml` `actions`.
+Many [Zarf Actions features](https://docs.zarf.dev/ref/actions/) are also available in the runner.
 
 ## Table of Contents
 
@@ -20,7 +18,6 @@ the runner.
             - [Task](#task)
             - [Cmd](#cmd)
         - [Variables](#variables)
-        - [Files](#files)
         - [Wait](#wait)
         - [Includes](#includes)
         - [Task Inputs and Reusable Tasks](#task-inputs-and-reusable-tasks)
@@ -260,28 +257,6 @@ Variable precedence is as follows, from least to most specific:
 
 That is to say, variables set via the `--set` flag take precedence over all other variables. The exception to this precedence order is when a variable is modified using `setVariable`, which will change the value of the variable during runtime.
 
-### Files
-
-The `files` key is used to copy local or remote files to the current working directory
-
-```yaml
-tasks:
-  - name: copy-local
-    files:
-      - source: /tmp/foo
-        target: foo
-  - name: copy-remote
-    files:
-      - source: https://cataas.com/cat
-        target: cat.jpeg
-```
-
-Files blocks can also use the following attributes:
-
-- `executable`: boolean value indicating if the file is executable
-- `shasum`: SHA string to verify the integrity of the file
-- `symlinks`: list of strings referring to symlink the file to
-
 ### Wait
 
 The `wait`key is used to block execution while waiting for a resource, including network responses and K8s operations