fix(bundle)!: bundle feature flag and version requirement

[brandtkeller]

Description

This PR introduces a few breaking changes to largely resolve some of the symptoms of the problem of introducing new files into the package layout and backwards incompatibility.

Given the scope of changes released for the bundle format signature - the compatibility and errors involved could have been improved by placing a feature flag in front of the bundle format process. This would allow the default workflows with new releases to still be backwards compatible. This allows for multiple releases to be introduced that contain the updated verification logic for bundles before we remove generation of the legacy signature entirely.

Future Proofing

The root of the original issue is that new files outside of the checksums integrity check cannot exist in the package and be backwards compatible. This is a very niche case because in most cases the file should always be included in the checksums list.

This PR introduces ProvenanceFiles to the build data for two purposes:

• It introduces optionality going forward to include a new file that all versions hereon forward would be able to handle files outside of the checksums (typically post-signing)
• It also provides an opportunity to create observability around these invisible files that are included in the package but not transparent in the definition

There is merit on concern on security of a MITM injection of an untracked file - but this is ever present and should be mitigated by a package being signed whereby the zarf.yaml cannot be modified.

Summary

• Move the bundle format behind a feature flag - not enabled by default for backwards compatibility
• Introduce provenance files for forward compatibility on the files tracked outside of the checksums file

Related Issue

Fixes #4591

Relates to #

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide Steps followed

[netlify]

✅ Deploy Preview for zarf-docs canceled.

Name	Link
🔨 Latest commit	9e93d18
🔍 Latest deploy log	https://app.netlify.com/projects/zarf-docs/deploys/6994f3db3bd77e0008ada6d3

[codecov]

Codecov Report

❌ Patch coverage is 81.48148% with 10 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/pkg/packager/layout/package.go	78.04%	7 Missing and 2 partials ⚠️
src/cmd/package.go	50.00%	1 Missing ⚠️

Files with missing lines	Coverage Δ
src/api/v1alpha1/package.go	32.55% <ø> (ø)
src/pkg/feature/feature.go	91.12% <100.00%> (+0.53%)	⬆️
src/pkg/packager/layout/assemble.go	43.26% <100.00%> (+0.28%)	⬆️
src/cmd/package.go	37.70% <50.00%> (ø)
src/pkg/packager/layout/package.go	64.88% <78.04%> (+2.43%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[brandtkeller]

This feels like the appropriate default - given that we have logic that checks for this constant?

[AustinAbro321]

Yeah, it's pretty unlikely to be used given that it's only used when git describe --tags fails, but it's fine to be changed

[brandtkeller]

To elaborate - we have version compare logic that checks for the constant but we have tests that run where version will still resolve to UnknownVersion which is not handled. Aligning on an expected non-tag default should close the gap here some.