feat: sovereign reference scenario (open-component-model#1733)

<!-- markdownlint-disable MD041 -->
#### What this PR does / why we need it

This document designs a reference scenario demonstrating OCM's core
value proposition: **modeling, signing, transporting, and deploying a
multi-service product into an air-gapped sovereign cloud environment**.

The scenario uses two genuinely interdependent services:
- **sovereign-notes**: A minimal Go web service that stores notes in
PostgreSQL
- **PostgreSQL**: The official postgres image, deployed via manifests

Both are packaged as OCM components, signed, transferred through an
air-gap via CTF, and bootstrapped on a local kind cluster using the OCM
Kubernetes controllers with KRO, Flux/Argo.

#### Which issue(s) this PR fixes
<!--
Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
-->

This gives us a new reference scenario that integrates us with Apeiro
and the World.
fix open-component-model/ocm-project#842

Note that this itself is not finished until fully integrated. Especially
integration into Apeiro is higher level and conceptual than our OCM
delivery scenario.

Note also that this delivery scenario itself is not fully ready, and
many APIs are pseudo-coded in by me. As I understand them more, I gain
more understanding of the APIs as well so these things might change. The
core delivery scenario should be rather stable however


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a sovereign conformance scenario: deployable Notes service +
PostgreSQL, Helm charts, OpenAPI/ORD metadata, product orchestration,
and end‑to‑end task automation for build/sign/air‑gap/import/deploy.

* **Tests**
* CI now exposes image tags and includes a reusable Conformance
workflow/job to run the end‑to‑end scenario.

* **Documentation**
* Added conformance README, scenario USAGE, detailed ADR/design doc,
runbooks and contribution guidance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Signed-off-by: Jakob Möller <contact@jakob-moeller.com>

Author: jakobmoellerdev

.github/config/.markdownlint-cli2.yaml

@@ -1,4 +1,5 @@
 #yaml-language-server: $schema=https://raw.githubusercontent.com/DavidAnson/markdownlint-cli2/refs/heads/main/schema/markdownlint-cli2-config-schema.json
+gitignore: true
 config:
   default: true
 

.github/config/wordlist.txt

@@ -338,6 +338,7 @@ ocmify
 ocmops
 ocmresourcereference
 ocms
+ocm's
 odg
 offboarding
 onboarded
@@ -599,4 +600,15 @@ warroom
 wgs
 kubermatic
 baseUrl
-ociimage
+krm
+kv
+ord
+openmcp
+resourcegraphdefinitions
+rgds
+kustomizations
+ecdsa
+integrators
+taskfile
+ociimage
+statefulset

.github/workflows/cli.yml

@@ -153,6 +153,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       image_digest: ${{ steps.digest.outputs.digest }}
+      image_tag: ${{ steps.set-tag.outputs.tag }}
     permissions:
       actions: read           # Needed for artifact download
       packages: write         # Needed for pushing OCI images and provenance layers
@@ -178,7 +179,11 @@ jobs:
 
       # use discovered tag from layout
       - name: Set TAG
-        run: echo "TAG=$(oras repo tags --oci-layout ${LAYOUT} | head -n 1)" >> "$GITHUB_ENV"
+        id: set-tag
+        run: |
+          TAG=$(oras repo tags --oci-layout ${LAYOUT} | head -n 1)
+          echo "TAG=$TAG" >> "$GITHUB_ENV"
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
 
       - name: Log in to GHCR
         uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
@@ -207,3 +212,11 @@ jobs:
           subject-digest: ${{ steps.digest.outputs.digest }}
           subject-name: ${{ env.TARGET_REPO }}
           push-to-registry: true
+
+  conformance:
+    name: Conformance
+    needs: publish
+    uses: ./.github/workflows/conformance.yml
+    with:
+      cli_image: "ghcr.io/open-component-model/cli:${{ needs.publish.outputs.image_tag }}@${{ needs.publish.outputs.image_digest }}"
+    secrets: inherit

.github/workflows/conformance.yml

@@ -0,0 +1,91 @@
+name: Conformance
+
+on:
+  workflow_call:
+    inputs:
+      cli_image:
+        description: "CLI Docker image reference"
+        type: string
+        required: false
+        default: ""
+      toolkit_image:
+        description: "OCI reference to the controller Helm chart (with optional :version tag)"
+        type: string
+        required: false
+        default: ""
+  push:
+    branches:
+      - main
+    paths:
+      - conformance/**
+      - .github/workflows/conformance.yml
+  pull_request:
+    branches:
+      - main
+    paths:
+      - conformance/**
+      - .github/workflows/conformance.yml
+
+permissions:
+  contents: read
+
+concurrency:
+  group: conformance-${{ github.workflow }}-${{ github.ref }}-${{ inputs.cli_image || 'default-cli' }}-${{ inputs.toolkit_image || 'default-toolkit' }}
+  cancel-in-progress: true
+
+env:
+  CLI_IMAGE: ${{ inputs.cli_image || 'ghcr.io/open-component-model/cli:main' }}
+  TOOLKIT_IMAGE: ${{ inputs.toolkit_image || 'ghcr.io/open-component-model/kubernetes/controller/chart:0.0.0-c837a09' }}
+
+jobs:
+  conformance:
+    name: Sovereign Scenario
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          sparse-checkout: conformance/scenarios/sovereign
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: conformance/scenarios/sovereign/components/notes/go.mod
+      - name: Install Task
+        uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+      - name: Install Helm
+        uses: azure/setup-helm@v4.3.0
+        with:
+          version: v4.0.0
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@8454b02a32e48d775b9f563cb51fdcb1787b5b93 # v2.7.5
+
+      - name: Install kind
+        run: go install sigs.k8s.io/kind@v0.31.0
+      - name: Check dependencies
+        working-directory: conformance/scenarios/sovereign
+        run: task check
+      - name: Run conformance scenario
+        working-directory: conformance/scenarios/sovereign
+        run: >-
+          task run CLI_IMAGE='${{ env.CLI_IMAGE }}' TOOLKIT_IMAGE='${{ env.TOOLKIT_IMAGE }}'
+      - name: Run upgrade scenario
+        working-directory: conformance/scenarios/sovereign
+        run: >-
+          task upgrade CLI_IMAGE='${{ env.CLI_IMAGE }}' TOOLKIT_IMAGE='${{ env.TOOLKIT_IMAGE }}'
+      - name: Verify upgrade
+        working-directory: conformance/scenarios/sovereign
+        run: >-
+          task verify:deployment
+      - name: Show status
+        if: always()
+        working-directory: conformance/scenarios/sovereign
+        run: task status
+      - name: Cleanup
+        if: always()
+        working-directory: conformance/scenarios/sovereign
+        run: task clean

.github/workflows/kubernetes-controller.yml

@@ -107,6 +107,8 @@ jobs:
     name: "Publish Latest Image"
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
+    outputs:
+      chart_version: ${{ steps.version.outputs.version }}
     permissions:
       # Needed to push the image to GitHub Packages.
       # this token is the repo token, not the user token
@@ -161,4 +163,12 @@ jobs:
       - name: Cleanup unused cache
         shell: bash
         run: |
-          docker system prune --force
+          docker system prune --force
+
+  conformance:
+    name: Conformance
+    needs: publish_latest
+    uses: ./.github/workflows/conformance.yml
+    with:
+      toolkit_image: "ghcr.io/open-component-model/kubernetes/controller/chart:${{ needs.publish_latest.outputs.chart_version }}"
+    secrets: inherit

conformance/README.md

@@ -0,0 +1,45 @@
+# OCM Conformance Testing
+
+This directory contains conformance tests and reference scenarios that validate OCM's core capabilities and design principles.
+
+## Purpose
+
+Conformance testing ensures that OCM implementations correctly handle:
+
+- Component modeling and construction
+- Signing and verification workflows  
+- Cross-registry transport and localization
+- Air-gap deployment scenarios
+- Integration with cloud-native ecosystem tools
+
+## Structure
+
+- `scenarios/` - Reference implementation scenarios that demonstrate end-to-end OCM workflows
+- Each scenario includes:
+  - Complete working implementation
+  - Conformance test suite
+  - Documentation and setup instructions
+  - CI/CD automation
+
+## Current Scenarios
+
+- [`sovereign/`](./scenarios/sovereign) - Demonstrates modeling, signing, transporting, and deploying a multi-service product into an air-gapped sovereign cloud environment (ADR-0013)
+
+## Running Conformance Tests based on a scenario
+
+```bash
+cd scenarios/sovereign
+task run
+```
+
+## Contributing
+
+When adding new conformance scenarios:
+
+1. Create scenario directory under `scenarios/`
+2. Include complete working implementation
+3. Add conformance test suite in `tests/conformance/`
+4. Document setup and validation steps
+5. Update this README
+
+Each scenario should validate specific OCM capabilities and serve as a reference implementation for users adopting OCM.

conformance/scenarios/sovereign/.gitignore

@@ -0,0 +1,31 @@
+# Build artifacts
+transport-archive/
+airgap-archive/
+*.tar
+*.ctf
+deploy/notes-oci/
+deploy/notes.tar.gz
+
+# Go artifacts
+vendor/
+*.mod.backup
+
+# Testing artifacts
+tests/tmp/
+coverage.out
+*.test
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Temporary files
+/tmp/
+kind-config.yaml