feat: accept version flag for zarf tools download-init

[jbrewer3]

Description

Updates to allow downloading of versioned zarf init packages
...

Related Issue

Fixes #3366

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide Steps followed

[netlify]

✅ Deploy Preview for zarf-docs canceled.

Name	Link
🔨 Latest commit	c0e2a43
🔍 Latest deploy log	https://app.netlify.com/sites/zarf-docs/deploys/67d2ef0243c03c00084f6d1b

[codecov]

Codecov Report

Attention: Patch coverage is 9.09091% with 10 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/cmd/zarf_tools.go	9.09%	10 Missing ⚠️

Files with missing lines	Coverage Δ
src/cmd/zarf_tools.go	35.28% <9.09%> (-0.71%)	⬇️

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[brandtkeller]

make docs-and-schema should fix the error - otherwise this looks functional from my local testing.

[brandtkeller]

Adds a neat capability to the download-init command that many may find useful.

Given the parameters remained the same - I could not find an attack vector that this change might enable.

Arbitrary strings are validated by the OCI logic - if the tag doesn't exist the logs indicate as such. That does not mean there isn't potential for misuse.

Anytime we introduce accepting input from the user - I would prefer we perform input validation. In src/pkg/zoci/utils.go this might look something like:

// GetInitPackageURL returns the URL for the init package for the given version with strict validation.
func GetInitPackageURL(version string) (string, error) {
    // Strict SemVer validation (vMAJOR.MINOR.PATCH with optional pre-release and metadata)
    var validVersion = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[a-zA-Z0-9._-]+)?(\+[a-zA-Z0-9._-]+)?$`)

    if !validVersion.MatchString(version) {
        return "", fmt.Errorf("invalid version: must follow SemVer and start with 'v' (e.g., v0.50.0)")
    }

    return fmt.Sprintf("ghcr.io/zarf-dev/packages/init:%s", version), nil
}

This would prevent any unnecessary network calls and provide more explicit errors.

Open to feedback from other maintainers as well.

[AustinAbro321]

@brandtkeller I like that suggestion, and I think it could be made even simpler by using the semver package we already use in Zarf

ver, err := semver.NewVersion(config.CLIVersion)
if err != nil {
  return fmt.Errorf("invalid version %s: %w", version, err)
}

[AustinAbro321]

LGTM