Skip to content

feat!: migrate baseline tooling and content to Gemara v1#494

Open
jpower432 wants to merge 5 commits intoossf:mainfrom
jpower432:gemara-sdk-migration
Open

feat!: migrate baseline tooling and content to Gemara v1#494
jpower432 wants to merge 5 commits intoossf:mainfrom
jpower432:gemara-sdk-migration

Conversation

@jpower432
Copy link
Copy Markdown

@jpower432 jpower432 commented Apr 6, 2026

Summary

  • Migrates baseline content and Go tooling to gemaraproj/go-gemara SDK and Gemara v1 schema
  • Adds a gemara CLI subcommand to export the assembled baseline as a single Gemara ControlCatalog YAML validated with CUE in a new CI workflow to verify v1 schema conformance.

Field Changes

Change Before After
Control grouping flat title/description per file groups array with id, controls reference via group
Guideline mappings guideline-mappings guidelines
Applicability values Maturity Level 1 maturity-1 retired dropped in favor of state
Framework metadata frameworks.yaml (separate file) consolidated into metadata.yaml

CI Changes

  • New cue-validate.yaml workflow for CUE validation when PRs are submitted
  • All Go workflows now use go-version-file: cmd/go.mod instead of a hardcoded version to support the bump to Go 1.25 (needed by SDK)

Note: This has breaking changes from a baseline authoring perspective, but the output devel.md produced from this branch is identical to the one produced via the current main branch

jpower432 added 3 commits April 6, 2026 15:57
@jpower432
feat!: migrate baseline tooling and content to Gemara v1
ea79850 
BREAKING CHANGE: baseline content now uses Gemara v1 schema format.
Control family files use `groups`, `group` refs, and `guidelines`
(renamed from `guideline-mappings`). Applicability values use
`maturity-x` IDs. Framework metadata moves from `frameworks.yaml`
into `metadata.yaml`.

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
Made-with: Cursor
@jpower432
feat: add gemara export command and CUE validation
5a800c4 
Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
Made-with: Cursor
@jpower432
fix: use go-version-file in CI workflows to track go.mod
3ce5505 
Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
@jpower432 jpower432 marked this pull request as draft April 6, 2026 20:01
@jpower432
fix: resolve golangci-lint and spellcheck CI failures
a523aa0 
Made-with: Cursor
Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
funnelfiasco
funnelfiasco reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@funnelfiasco funnelfiasco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks generally good. I'm going to add a few comments in the main thread and put this on the agenda for next week's meeting.

@funnelfiasco
Copy link
Copy Markdown
Contributor

funnelfiasco commented Apr 6, 2026

Adds a gemara CLI subcommand to export the assembled baseline as a single Gemara ControlCatalog YAML validated with CUE in a new CI workflow to verify v1 schema conformance.

Is this just for the validation? Are there other use cases for this output (e.g. would it be useful to anyone if we published a YAML file for releases?)

@jpower432 @funnelfiasco
chore: update .github/workflows/cue-validate.yaml
6a33553 
Co-authored-by: Ben Cotton <bcotton@funnelfiasco.com>
Signed-off-by: Jennifer Power <jpower@redhat.com>
@jpower432
Copy link
Copy Markdown
Author

jpower432 commented Apr 6, 2026
edited
Loading

Adds a gemara CLI subcommand to export the assembled baseline as a single Gemara ControlCatalog YAML validated with CUE in a new CI workflow to verify v1 schema conformance.

Is this just for the validation? Are there other use cases for this output (e.g. would it be useful to anyone if we published a YAML file for releases?)

The catalog YAML would likely be useful as a release artifact as well so it could be referenced/imported by other Gemara artifacts (i.e. EvaluationLog(s)).

@jpower432 jpower432 marked this pull request as ready for review April 6, 2026 21:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@funnelfiasco funnelfiasco funnelfiasco left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jpower432 @funnelfiasco