Update stable v1

.github/workflows/build-and-push.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
 
@@ -48,7 +48,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
 

.github/workflows/jsonschema.yaml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
 

.github/workflows/yaml-lint.yaml

@@ -0,0 +1,37 @@
+---
+name: Validate YAML
+
+on:
+  push:
+    paths:
+      - 'catalog/**'
+  pull_request:
+    paths:
+      - 'catalog/**'
+
+permissions: read-all  # zizmor: ignore[excessive-permissions]
+
+jobs:
+  yaml_lint:
+    name: YAML lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
+        with:
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
+        with:
+          python-version: "3.11"
+
+      - name: Install yamllint
+        run: pip install yamllint
+
+      - name: Lint YAML files
+        run: >-
+          yamllint -s -d
+          '{extends: default, rules: {line-length: disable, document-start: disable}}'
+          catalog/

.github/workflows/zizmor.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
 

.gitignore

@@ -1 +1,2 @@
 pattern-catalog.Dockerfile
+pattern-ui-catalog.Dockerfile

README.md

@@ -142,6 +142,10 @@ extra_features:
 external_requirements: null
 org: my-org
 spoke: null
+variants:
+  - name: default
+    default: true
+    description: Default deployment variant
 ```
 
 **`catalog/<name>/values-secret.yaml.template`** - metadata for secret material

catalog/catalog.yaml

@@ -1,4 +1,4 @@
-generated_at: "2026-05-28T15:34:12Z"
+generated_at: "2026-06-25T12:56:50Z"
 generator_version: "1.0"
 catalog_description: '(Tech-Preview) Additional patterns can be found here: <a href="https://validatedpatterns.io">validatedpatterns.io</a>'
 catalog_logo: "https://validatedpatterns.io/images/logo.png"

catalog/layered-zero-trust/values-secret.yaml.template

@@ -219,17 +219,54 @@ secrets:
   # Used by: supply-chain pipeline (push), qtodo (pull) when registry enabled
   # Policy: hub-supply-chain-jwt-secret (read access to hub/infra/registry/*)
   #
-  # Uncomment and replace REPLACE_WITH_REGISTRY_TOKEN with your registry
-  # token/password in your local ~/values-secret-layered-zero-trust.yaml.
+  # Store your registry token in a local file to avoid plaintext in YAML:
+  #   echo -n "your-registry-token" > ~/.config/validated-patterns/registry-token
   # ===========================================================================
   #- name: registry-user
   #  vaultPrefixes:
   #  - hub/infra/registry
   #  fields:
   #  - name: registry-password
-  #    value: "REPLACE_WITH_REGISTRY_TOKEN"
+  #    path: ~/.config/validated-patterns/registry-token
   #    onMissingValue: error
 
+  # ===========================================================================
+  # SUPPLY CHAIN GIT CREDENTIALS (hub/supply-chain/)
+  # Credentials for cloning protected Git repositories in Tekton pipelines
+  # Policy: hub-supply-chain-jwt-secret (read access to hub/supply-chain/*)
+  #
+  # Choose ONE of the two options below depending on your auth type:
+  #   Option A: HTTPS basic auth (username + PAT)
+  #   Option B: SSH key auth (ssh-privatekey + known_hosts)
+  # ===========================================================================
+  # Option A: HTTPS basic auth (uncomment for HTTPS protected repositories)
+  # Store your Git username and PAT in local files to avoid plaintext in YAML:
+  #   echo -n "your-git-username" > ~/.config/validated-patterns/git-username
+  #   echo -n "your-personal-access-token" > ~/.config/validated-patterns/git-token
+  #- name: git-credentials
+  #  vaultPrefixes:
+  #  - hub/supply-chain
+  #  fields:
+  #  - name: username
+  #    path: ~/.config/validated-patterns/git-username
+  #    onMissingValue: error
+  #  - name: password
+  #    path: ~/.config/validated-patterns/git-token
+  #    onMissingValue: error
+
+  # Option B: SSH key auth (uncomment for SSH protected repositories)
+  # The private key must NOT be password-protected (passphrase-less).
+  # Generate a passwordless key: ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_ztvp -N ""
+  # Generate known_hosts: ssh-keyscan github.com > ~/.ssh/known_hosts_github
+  #- name: git-credentials
+  #  vaultPrefixes:
+  #  - hub/supply-chain
+  #  fields:
+  #  - name: ssh-privatekey
+  #    path: ~/.ssh/id_ed25519_ztvp     # Replace with your SSH private key path
+  #  - name: known_hosts
+  #    path: ~/.ssh/known_hosts_github  # Replace with your known_hosts file path
+
   # ===========================================================================
   # COCO (CONFIDENTIAL CONTAINERS) SECRETS
   # Uncomment the secrets below when deploying with CoCo support.
@@ -397,3 +434,69 @@ secrets:
   #  fields:
   #  - name: content
   #    path: ~/.kube/kubeconfig-ztvp-spoke-2
+
+# ===========================================================================
+# BOOTSTRAP SECRETS - Private Repository Access
+# ===========================================================================
+# Uncomment ONE of the sections below if deploying this pattern from a
+# private git repository.  These secrets are created directly as Kubernetes
+# Secrets (not via Vault) so that ArgoCD can authenticate to the private
+# repository before any other component is deployed.
+#
+# After uncommenting and filling in the values, deploy with:
+#   ./pattern.sh make TOKEN_SECRET=private-repo TOKEN_NAMESPACE=openshift-operators install
+#
+# See docs/private-repos.md for full instructions.
+# ===========================================================================
+
+# --- OPTION A: SSH key authentication ---
+# Generate a passwordless deploy key:
+#   ssh-keygen -t ed25519 -f ~/.ssh/ztvp-deploy-key -N ""
+# Add the public key (~/.ssh/ztvp-deploy-key.pub) as a deploy key in
+# your Git hosting provider (GitHub, GitLab, etc.)
+#
+# insecureIgnoreHostKey is required because the ArgoCD repo-server runs
+# in a container that does not have the Git host's SSH fingerprint in its
+# known_hosts file.  Without this flag, SSH connections fail with
+# "knownhosts: key is unknown".
+#
+# The VP operator copies this secret as vp-private-repo-credentials into
+# vp-gitops (its managed ArgoCD namespace).  The ACM chart (0.2.x+) reads
+# global.vpArgoNamespace which the VP operator sets automatically.
+
+#bootstrap_secrets:
+#- name: private-repo
+#  targetNamespaces:
+#  - openshift-operators
+#  labels:
+#    argocd.argoproj.io/secret-type: repository
+#  fields:
+#  - name: type
+#    value: git
+#  - name: url
+#    value: git@github.com:YOUR-ORG/layered-zero-trust.git
+#  - name: insecureIgnoreHostKey
+#    value: "true"
+#  - name: sshPrivateKey
+#    path: ~/.ssh/ztvp-deploy-key
+
+# --- OPTION B: HTTPS with Personal Access Token (PAT) ---
+# Create a PAT with read access to your repository.
+# For GitHub: Settings -> Developer settings -> Personal access tokens
+# For GitLab: Settings -> Access Tokens (username must be "oauth2")
+
+#bootstrap_secrets:
+#- name: private-repo
+#  targetNamespaces:
+#  - openshift-operators
+#  labels:
+#    argocd.argoproj.io/secret-type: repository
+#  fields:
+#  - name: type
+#    value: git
+#  - name: url
+#    value: https://github.com/YOUR-ORG/layered-zero-trust.git
+#  - name: username
+#    value: YOUR-USERNAME
+#  - name: password
+#    path: ~/.config/validated-patterns/git-pat

catalog/multicloud-gitops/pattern.yaml

@@ -60,6 +60,12 @@ extra_features:
   hypershift_support: true
   spoke_support: true
 external_requirements: null
+variants:
+  - name: hub
+    default: true
+    description: Default multicluster hub/spoke Multicloud Gitops variant
+  - name: standalone
+    description: Single cluster Multicloud Gitops (no ACM) variant
 org: validatedpatterns
 spoke: null
 clustergroupname: hub

catalog/rag-llm-gitops/values-secret.yaml.template

@@ -2,15 +2,8 @@
 # https://github.com/validatedpatterns/common/tree/main/ansible/roles/vault_utils#values-secret-file-format
 
 version: "2.0"
-# Ideally you NEVER COMMIT THESE VALUES TO GIT (although if all passwords are
-# automatically generated inside the vault this should not really matter)
-
-# In order to use huggingface models, you will need to
-# provide your token as a value for hftoken below.
-
-# EDB Postgres Operator requires authentication to pull images from docker.enterprisedb.com
-# Register for a free trial at: https://www.enterprisedb.com/accounts/register
-# Get your token from: https://www.enterprisedb.com/repos-downloads
+# Do not update sensitive secrets (db credentials) in this file and commit to git.
+# Copy this template file to ~/values-secret-rag-llm-gitops and update secrets in your home directory
 
 backingStore: vault
 
@@ -22,22 +15,47 @@ vaultPolicies:
     rule "charset" { charset = "0123456789" min-chars = 1 }
 
 secrets:
+  # This must be set to use models requiring huggingface authentication
+  # The default model (ibm-granite/granite-3.3-8b-instruct) does not require authentication
   - name: hfmodel
     fields:
     - name: hftoken
       value: null
+
+  # Only used when .global.db is set to PGVECTOR in values-global.yaml
+  - name: pgvector
+    fields:
+    - name: username
+      value: postgres
+    - name: password
+      onMissingValue: generate
+      override: true
+      vaultPolicy: basicPolicy
+    - name: dbname
+      value: rag_blueprint
+
+  # Only used when .global.db is set to EDB in values-global.yaml
+  # EDB Postgres Operator requires authentication to pull images from docker.enterprisedb.com
+  # Register for a free trial at: https://www.enterprisedb.com/accounts/register
+  # Get your token from: https://www.enterprisedb.com/repos-downloads
   - name: edb
     fields:
     - name: token
       value: null
       description: EDB subscription token for pulling certified operator images
+
+  # Only used when .global.db is set to MSSQL in values-global.yaml
+  # The pattern creates a local SQL Server deployment. To use an existing SQL Server DB on Azure, use secret below.
   - name: mssql
     fields:
     - name: sa-pass
       onMissingValue: generate
       override: true
       vaultPolicy: basicPolicy
       description: mssql password for sa user
+
+  # Only used when .global.db is set to AZURESQL in values-global.yaml
+  # The Azure SQL Server database needs to be created outside of the pattern.
   - name: azuresql
     fields:
     - name: user

pattern.schema.json

@@ -143,6 +143,14 @@
       "type": "string",
       "description": "URL or path to a logo image for the pattern",
       "format": "uri"
+    },
+    "variants": {
+      "type": "array",
+      "description": "Deployment variants for the pattern",
+      "items": {
+        "$ref": "#/$defs/variant"
+      },
+      "minItems": 1
     }
   },
   "$defs": {
@@ -191,6 +199,26 @@
           "$ref": "#/$defs/nodePoolSpec"
         }
       }
+    },
+    "variant": {
+      "type": "object",
+      "description": "A deployment variant of the pattern",
+      "required": ["name"],
+      "additionalProperties": false,
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "Unique identifier for the variant"
+        },
+        "default": {
+          "type": "boolean",
+          "description": "Whether this is the default variant"
+        },
+        "description": {
+          "type": "string",
+          "description": "Human-readable description of the variant"
+        }
+      }
     }
   }
 }