docs: Optimize repository for publishing to Cue registry #157

Draft
eddie-knight wants to merge 17 commits into ossf:main from eddie-knight:feat/module

Conversation

@eddie-knight
Contributor

This was intended to address #154

I went pretty far down this path today before trying to sign in to the cue registry. I entirely forgot that I tried at some point in the past and it became an obstacle:

[Screenshot: 2025-12-27 at 5:24:34 PM]

This PR:

  • Moves schema.cue to the root level, so that the CUE module can be "github.com/ossf/security-insights"
  • Moves the other contents of schema/ to docs/
  • Adds anti-examples for testing, and a make test command to ensure validation behaves as expected for good and bad
  • Adds docs for users to take advantage of the module (WIP, generated)
  • Adds maintenance docs for publishing to the CUE registry (WIP, generated)

@eddie-knight
Contributor Author

@SecurityCRob @GeauxJD I put a request for the CUE app to have permissions on this repo, as well as Gemara so we can create that module later as well

@eddie-knight eddie-knight mentioned this pull request Jan 2, 2026
@SecurityCRob

SecurityCRob commented Jan 5, 2026

Can we get some specificity here so we can understand the benefits and risks please? Is the request to install the CUE GitHub app for the whole ossf GitHub org or just the insights and Gemara repos (would limit blast radius if there was a problem if so). Are there other LF projects that have enabled this today we could go review & consult with?

Is this the tool you're looking at: https://cue.dev/docs/checking-existing-github-actions-files/

@eddie-knight
Contributor Author

Apologies, I expected there to be an alert with details on your end already. If it didn't come through, let me know and I'll figure out how to re-send the request.

CUE requires module publishing to be authorized by the organization owners, and enforces that via a GitHub App.

I requested that the app be given permissions to the Gemara and Security Insights repositories, so — theoretically — the email sent to admins should list the exact blast radius.

Signed-off-by: Eddie Knight <knight@linux.com>
@riaankleinhans

@eddie-knight I looked for the access request, but did not see it in my mailbox.
Can you possibly resend the request and let me know when it was sent?
