Best practice GitOps file structure (#17)

* Best practice GH action - WIP

* Finish stubbing out action (requires changes to fleetctl)

* A few changes to stubbed-out action for readability

* Best practice GitOps example with query and policy libraries

* Update macos-workstations.policies.yml

* Update README.md

* --replace instead of --force (--force already existed for skipping validation)

* Update action.yml

* Update cis.policies.yml

- Link to CIS policies

* Move /queries and /policies contents to /lib

* Update best practice

* Add policies and queries

* Add macOS'

* Only start w/ controls, queries, and policies

* Update device health policies

* Cut a policy

* Sentence casing and update name of Remote Application Scripting

* Sentence case

* Sentence case

* Remove --- from teams

* Separate files

* Changes during the call

* Changes during the call

* Observers can't run

* change policy

* Changes from the call

* Prep for call

* Reorg

* reorg

* Prep for call

* Changes from the call

* Update

* Validate YAML

* Update README

* Update README

* Fleet GitOps is in beta

* Update language in README to clarify the status of this repo

(So we can go ahead and merge the PR with the best practice file structure)

* Update README.md

---------

Co-authored-by: Noah Talerman <[email protected]>
Co-authored-by: Noah Talerman <[email protected]>

.github/workflows/workflow.yml

@@ -0,0 +1,100 @@
+name: 'Apply latest configuration profiles via Fleet'
+description: 'Applies the latest MDM configuration profiles to a Fleet team'
+
+inputs:
+  FLEET_API_TOKEN:
+    description: 'Fleet API Token'
+    required: true
+  FLEET_URL:
+    description: 'Fleet URL'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+      with:
+        repository: ${{ inputs.MDM_CONFIG_REPO }}
+
+    - name: Install fleetctl
+      run: npm install -g fleetctl
+      shell: bash
+
+    - name: Configure fleetctl
+      run: fleetctl config set --address ${{ inputs.FLEET_URL }} --token ${{ inputs.FLEET_API_TOKEN }}
+      shell: bash
+
+    - name: Run fleetctl apply
+      run: |
+        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+        # STEP 1: Apply config
+        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+        # Combine the contents of all the top-level config into a single YAML document
+
+        # - Include the contents of no-team.controls.yml
+        # TODO
+
+        # - Include the contents of default.settings.yml
+        # TODO
+
+        # - Include anything of `kind: config` in default.queries.yml
+        # TODO
+
+        # - Include anything of `kind: config` in default.policies.yml
+        # TODO
+
+        # Apply top-level config with `--replace` (replaces all existing top-level config)
+        # TODO
+
+        # Loop through folders in /teams and combine the contents of all team config into a single YAML document
+
+        # - Include the contents of <folder-name>.controls.yml
+        # TODO
+
+        # - Include the contents of <folder-name>.settings.yml
+        # TODO
+
+        # - Include anything of `kind: team` in <folder-name>.queries.yml
+        # TODO
+
+        # - Include anything of `kind: team` in <folder-name>.policies.yml
+        # TODO
+
+        # Apply team config with `--replace` (replaces all existing config for this team)
+        # TODO
+
+        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+        # STEP 2: Apply queries
+        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+        # Compile all queries into a single YAML document
+
+        # - Include anything of `kind: query` in default.queries.yml
+        # TODO
+        
+        # - Loop through folders in /teams and include anything of `kind: query` in <folder-name>.queries.yml for each
+        # TODO
+        
+        # Apply compiled queries YAML with `--replace` (deletes any queries in Fleet that aren't present in this config)
+        # TODO
+
+        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+        # STEP 3: Apply policies
+        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+        # Compile all policies into a single YAML document
+        # TODO
+        
+        # - Include anything of `kind: policy` in default.policies.yml
+        # TODO
+        
+        # - Loop through folders in /teams and include anything of `kind: policy` in <folder-name>.policies.yml for each
+        # TODO
+        
+        # Apply compiled policies YAML with `--replace` (deletes any policies in Fleet that aren't present in this config)
+        # TODO
+
+        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+        # All done!
+        # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+      shell: bash

README.md

@@ -1,40 +1,24 @@
-# fleet-mdm-gitops
-This GitHub Action applies the latest MDM configuration profiles to a group of hosts in [Fleet](https://fleetdm.com).  It lets everyone contribute, while giving you history and an approval workflow.
+# Fleet GitOps
 
-![image](https://github.com/fleetdm/fleet-mdm-gitops/assets/618009/83cb87b6-2303-40e4-bc5b-e0f8168a00c7)
+> #### 🚧 Fleet GitOps is currently in development.
+>
+> In the mean time, you can explore this repo for a preview of Fleet's GitOps best practice, and track its progress [here](https://github.com/fleetdm/fleet/issues/13643).
 
-## Example usage
+This folder illustrates the best practice for using Fleet with a GitOps workflow.
 
-```yml
-steps:
-  - name: Apply configuration profiles and updates
-    uses: fleetdm/fleet-mdm-gitops
-    with:
-      FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
-      FLEET_URL: ${{ secrets.FLEET_URL }}
-      FLEET_TEAM_NAME: Workstations
-      MDM_CONFIG_REPO: fleetdm/fleet
-      MDM_CONFIG_DIRECTORY: mdm_profiles
-      MAC_OS_MIN_VERSION: 13.3.1
-      MAC_OS_VERSION_DEADLINE: 2023-05-15
-      MAC_OS_ENABLE_DISK_ENCRYPTION: true
-```
+How to setup a GitOps workflow to manage Fleet:
 
+1. Clone this repository.
 
-## Contributing
+2. Make any changes to policies, queries, controls, and more defined in the files.
 
-Please observe the guidelines and conventions laid out in the [Fleet contribution guide](https://fleetdm.com/) when opening issues or submitting pull requests.
+3. Create your own GitHub repository and push your cloned and modified code to your repo.
 
-### Help
+4. Add Fleet's open-source [GitHub action](https://github.com/fleetdm/fleet-gitops) to your repo. Now, when anyone makes a change to any file, the action will run and update Fleet.
 
-Unsure?  If you run into any trouble or questions, click [here](https://fleetdm.com/slack).
+#### Structure:
 
-
-### Bugs
-
-If you suspect you've found a bug, please [report the bug here](https://github.com/fleetdm/fleet/issues).  Thanks!
-
-
-## License
-
-This GitHub Action is free and open-source under the MIT License.
+- `lib/` - folder for policies, queries, configuration profiles, scripts, and agent options. These files can be referenced in top level keys in the `default.yml` file and the files in the `teams/` folder.
+- `default.yml` - file that defines the queries, policies, controls, and agent options for all hosts. If you're using Fleet Premium, this file updates queries and policies that run on all hosts ("All teams"). Controls and agent options are defined for hosts on "No team."
+- `teams/` - folder for teams in Fleet. These files define the controls, queries, policies, and agent options for hosts assigned to the specified team.
+- `.github/workflows/workflow.yml` - TODO: Explain how to add/update secrets. That's what this file is used for