🌱 CNCF incubation readiness: governance docs, security self-assessment, roadmap #4069
clubanderson merged 3 commits into main from
Conversation
Add ROADMAP.md, ARCHITECTURE.md, SUPPORT.md, COMMUNITY.md, and TAG-Security self-assessment to close CNCF incubation gaps. Add MikeSpreitzer as maintainer in OWNERS. Add OpenSSF Scorecard badge to README. Add ROADMAP governance check to auto-qa workflow. Signed-off-by: Andrew Anderson <andy@clubanderson.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
👋 Hey @clubanderson — thanks for opening this PR!
This is an automated message. |
✅ Deploy Preview for kubestellarconsole canceled.
Pull request overview
This PR addresses CNCF incubation readiness gaps by adding/adjusting governance and security documentation, updating maintainer metadata, and introducing an always-on workflow check to validate roadmap/governance hygiene.
Changes:
- Added core governance/security documentation (roadmap, architecture, community, support policy, TAG-Security self-assessment).
- Updated project metadata (OWNERS approver/reviewer list, security contacts, README badge).
- Extended Auto-QA to perform a ROADMAP/governance presence + freshness check every run.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| SECURITY_CONTACTS | Removes former contacts from the published security contact list. |
| ROADMAP.md | Introduces a public roadmap with near/mid/long-term plans and non-goals. |
| README.md | Adds an OpenSSF Scorecard badge for supply-chain signaling. |
| OWNERS | Adds an additional approver/reviewer to strengthen governance. |
| docs/SUPPORT.md | Documents support policy, release channels, patch timelines, and platform matrix. |
| docs/security/SELF-ASSESSMENT.md | Adds a TAG-Security style self-assessment for CNCF readiness. |
| docs/COMMUNITY.md | Documents communication channels, meetings, and governance pointers. |
| docs/ARCHITECTURE.md | Provides an architecture overview, diagram, flows, and deployment modes. |
| .github/workflows/auto-qa.yml | Adds an always-on ROADMAP/governance check and routes findings into the issue creation step. |
| if [ ! -f "ROADMAP.md" ]; then | ||
| ISSUES="${ISSUES}### ROADMAP.md not found\nCNCF incubation requires a public roadmap document.\n\n" | ||
| HAS_ERRORS=true | ||
| else | ||
| # Check if ROADMAP.md has been updated in the last 90 days | ||
| LAST_MODIFIED=$(git log -1 --format="%ci" -- ROADMAP.md 2>/dev/null || echo "") | ||
| if [ -n "$LAST_MODIFIED" ]; then | ||
| STALE_THRESHOLD_DAYS=90 | ||
| LAST_EPOCH=$(date -d "$LAST_MODIFIED" +%s 2>/dev/null || date -jf "%Y-%m-%d %H:%M:%S %z" "$LAST_MODIFIED" +%s 2>/dev/null || echo "0") | ||
| DAYS_AGO=$(( ( $(date +%s) - LAST_EPOCH ) / 86400 )) |
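Review bot: the `|| echo "0"` at the end of the LAST_EPOCH line turns a date parse failure into an epoch of 0, so DAYS_AGO comes out at roughly 20,000 and ROADMAP.md is reported stale for the wrong reason; and when LAST_MODIFIED is empty the `if [ -n "$LAST_MODIFIED" ]` guard records nothing at all, so a checkout without history passes silently. `git log -1 --format=%ct -- ROADMAP.md` already returns a Unix epoch, which removes the `date -d` / `date -jf` juggling entirely; treat an empty or zero result as a check error (its own ISSUES entry, or a failed step) rather than as a freshness verdict.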
git log -1 -- ROADMAP.md won’t reliably return the last-modified commit with the current shallow checkout (actions/checkout default fetch-depth=1). If the most recent commit doesn’t touch ROADMAP.md, LAST_MODIFIED will be empty and the staleness check is skipped, producing false negatives. Consider checking out with fetch-depth: 0 (or fetching file history before this step) so the staleness calculation is meaningful.
.github/workflows/auto-qa.yml
Outdated
| for SECTION in "Near-Term\|Short-Term\|Q[1-4]" "Mid-Term\|Medium-Term" "Long-Term\|Future" "Non-Goals\|Out of Scope"; do | ||
| if ! grep -qiE "$SECTION" ROADMAP.md; then | ||
| ISSUES="${ISSUES}### ROADMAP.md missing section: ${SECTION%%\\*}\nA well-structured roadmap should include near-term, mid-term, long-term, and non-goals sections.\n\n" |
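Review bot: with `grep -E`, `\|` is not alternation; GNU grep treats a backslashed `|` as the literal character, so `Near-Term\|Short-Term\|Q[1-4]` only matches the literal text `Near-Term|Short-Term|Q` followed by one digit, and every section is reported missing whatever ROADMAP.md contains. Drop the backslashes (`Near-Term|Short-Term|Q[1-4]`) or use a BRE `grep -qi`, where `\|` is the GNU alternation operator; the REGEX::Label rewrite suggested below keeps the escaped form. Separately, matching anywhere in the file means a "Q3" in body text satisfies the near-term check; anchoring on a heading (`^#+ .*`) is tighter.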
The missing-section message uses ${SECTION%%\\*}, but the SECTION strings don’t contain \\*, so the message will print the full regex (e.g., Near-Term\|Short-Term\|Q[1-4]) rather than a human-friendly section name. Consider tracking a separate display name for each required section (or splitting on |) for clearer issue output.
| for SECTION in "Near-Term\|Short-Term\|Q[1-4]" "Mid-Term\|Medium-Term" "Long-Term\|Future" "Non-Goals\|Out of Scope"; do | |
| if ! grep -qiE "$SECTION" ROADMAP.md; then | |
| ISSUES="${ISSUES}### ROADMAP.md missing section: ${SECTION%%\\*}\nA well-structured roadmap should include near-term, mid-term, long-term, and non-goals sections.\n\n" | |
| for SECTION_ENTRY in "Near-Term\|Short-Term\|Q[1-4]::Near-term / short-term" "Mid-Term\|Medium-Term::Mid-term" "Long-Term\|Future::Long-term / future" "Non-Goals\|Out of Scope::Non-goals / out of scope"; do | |
| SECTION_REGEX="${SECTION_ENTRY%%::*}" | |
| SECTION_LABEL="${SECTION_ENTRY#*::}" | |
| if ! grep -qiE "$SECTION_REGEX" ROADMAP.md; then | |
| ISSUES="${ISSUES}### ROADMAP.md missing section: ${SECTION_LABEL}\nA well-structured roadmap should include near-term, mid-term, long-term, and non-goals sections.\n\n" |
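The two review points above, the staleness check that is skipped on a shallow clone and the regex that is printed back as a section name, as an added example that is not part of this PR or of the project's auto-qa workflow: a self-contained shell version of the same check. The function names (`roadmap_check_sections`, `roadmap_last_commit_epoch`, `days_since`, `staleness_verdict`, `roadmap_check`) and the choice to match only headings are this example's own assumptions. It reads the commit time as a Unix epoch from `git log --format=%ct`, refuses to run on a shallow clone instead of passing silently, treats an empty or non-numeric timestamp as a check error rather than a 20,000-day staleness finding, and uses plain `|` alternation under `grep -E` with a REGEX::Label list so the finding carries the label.

```shell
#!/bin/sh
# Added example, not the kubestellar/console workflow. Function and variable
# names below are this example's own (assumptions), not identifiers from the repo.
set -u

STALE_THRESHOLD_DAYS=90

# Required sections: an ERE on the left of '::', a human-readable label on the right.
# Plain '|' is alternation under grep -E; '\|' would be a literal pipe.
ROADMAP_SECTIONS='Near-Term|Short-Term|Q[1-4]::Near-term / short-term
Mid-Term|Medium-Term::Mid-term
Long-Term|Future::Long-term / future
Non-Goals|Out of Scope::Non-goals / out of scope'

# Print one "missing: <label>" line per absent section; return 1 if any is absent.
roadmap_check_sections() {
  local file=$1 rc=0 entry regex label
  while IFS= read -r entry; do
    regex=${entry%%::*}
    label=${entry#*::}
    # Only markdown headings count, so a "Q3" in body text does not satisfy the check.
    if ! grep -qiE "^#+ .*(${regex})" "$file"; then
      printf 'missing: %s\n' "$label"
      rc=1
    fi
  done <<EOF
$ROADMAP_SECTIONS
EOF
  return $rc
}

# Commit epoch (seconds) of the last commit touching $1; empty if git knows of none.
# Refuses a shallow clone, where "last commit touching the file" cannot be answered.
roadmap_last_commit_epoch() {
  local file=$1
  if [ "$(git rev-parse --is-shallow-repository 2>/dev/null)" = "true" ]; then
    echo "shallow clone: check out with fetch-depth: 0 so file history is available" >&2
    return 2
  fi
  git log -1 --format=%ct -- "$file"
}

# Whole days between a commit epoch and "now" ($2, defaulting to the current time).
# An empty, zero, or non-numeric epoch is a check error, not a ~20000-day staleness.
days_since() {
  local last=$1 now=${2:-$(date +%s)}
  case $last in
    ''|0|*[!0-9]*) echo "unusable commit time: '$last'" >&2; return 2 ;;
  esac
  echo $(( (now - last) / 86400 ))
}

# "stale" or "fresh" for a day count against the threshold ($2, default 90).
staleness_verdict() {
  local days=$1 threshold=${2:-$STALE_THRESHOLD_DAYS}
  if [ "$days" -gt "$threshold" ]; then echo stale; else echo fresh; fi
}

# Full check for one file in the current checkout.
# Exit 0: no findings. Exit 1: a finding. Exit 2: the check itself could not run.
roadmap_check() {
  local file=${1:-ROADMAP.md} rc=0 epoch days
  [ -f "$file" ] || { printf 'missing: %s\n' "$file"; return 1; }
  roadmap_check_sections "$file" || rc=1
  epoch=$(roadmap_last_commit_epoch "$file") || return 2
  days=$(days_since "$epoch") || return 2
  if [ "$(staleness_verdict "$days")" = stale ]; then
    printf 'stale: %s last changed %s days ago (threshold %s)\n' "$file" "$days" "$STALE_THRESHOLD_DAYS"
    rc=1
  fi
  return $rc
}
```

Run it from the repository root as `roadmap_check ROADMAP.md`. The exit codes keep the two failure classes apart that the `|| echo "0"` fallback collapses: 1 is a governance finding worth an issue, 2 means the job is misconfigured (shallow checkout, unusable timestamp) and should fail the step instead of filing a misleading issue.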
docs/SUPPORT.md
Outdated
| | Channel | Frequency | Format | Stability | | ||
| |---------|-----------|--------|-----------| | ||
| | **Nightly** | Daily (5 AM UTC) | `v0.x.y-nightly.YYYYMMDD` | Pre-release; may contain breaking changes | | ||
| | **Weekly** | Sundays (5 AM UTC) | `v0.x.y-weekly.YYYYMMDD` | Stable snapshot; suitable for dev/test | |
The documented weekly release version format (v0.x.y-weekly.YYYYMMDD) doesn’t match the release workflow: weekly pushes a semver tag (e.g., vX.Y.Z) and uses a -weekly suffix only in the GitHub Release name (no date). Align this table with the actual tagging/release scheme to avoid confusing users.
| | **Weekly** | Sundays (5 AM UTC) | `v0.x.y-weekly.YYYYMMDD` | Stable snapshot; suitable for dev/test | | |
| | **Weekly** | Sundays (5 AM UTC) | `vX.Y.Z` (semver tag; GitHub Release name `<version>-weekly`) | Stable snapshot; suitable for dev/test | |
docs/SUPPORT.md
Outdated
| |-----------|-------------------| | ||
| | **Kubernetes** | 1.28+ | | ||
| | **OpenShift** | 4.14+ | | ||
| | **Go** | 1.24+ | |
The support matrix says Go 1.24+, but go.mod specifies go 1.25.0, meaning Go 1.24 is not sufficient to build this module. Update the supported Go version to match the go directive (and any CI/release constraints).
| | **Go** | 1.24+ | | |
| | **Go** | 1.25+ | |
| - **Storage**: SQLite via the `pkg/store` package for user preferences, onboarding state, and settings | ||
| - **API**: RESTful endpoints under `/api/` for cluster data, missions, marketplace, settings | ||
| - **WebSocket**: Real-time event push for cluster state changes, mission progress, and alerts | ||
| - **Metrics**: Prometheus `/metrics` endpoint for operational monitoring | ||
|
|
||
| The backend serves the built frontend as static assets on port 8080 and proxies Kubernetes API requests through the user's kubeconfig. |
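Review bot: the proxy sentence leaves the trust boundary undocumented, which is the first thing a TAG-Security reader of this architecture page will look for. State whose kubeconfig the backend loads (the process's own at startup, or one supplied per user session), whether the `/api/` endpoints and the WebSocket require authentication before a request is forwarded to the Kubernetes API with those credentials, and whether port 8080 is plaintext and expected to sit behind an ingress that terminates TLS. As written, "serves the built frontend ... on port 8080 and proxies Kubernetes API requests through the user's kubeconfig" does not say whether an unauthenticated client of 8080 reaches the clusters in that kubeconfig.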
This doc claims the backend exposes a Prometheus /metrics endpoint, but /metrics appears to be served by kc-agent (pkg/agent/server.go) rather than the console backend (no /metrics route in pkg/api/server.go). Please clarify which component exposes metrics (or add the endpoint to the backend if that’s the intent).
docs/security/SELF-ASSESSMENT.md
Outdated
| | **Software** | [KubeStellar Console](https://github.com/kubestellar/console) | | ||
| | **Security Provider** | No — Console is a user-facing dashboard, not a security tool | | ||
| | **Languages** | Go (backend), TypeScript/React (frontend) | | ||
| | **SBOM** | Generated via GoReleaser for each release | |
The metadata table states “SBOM generated via GoReleaser for each release,” but the current .goreleaser.yaml doesn’t define SBOM generation (no sboms section / related steps found). Either update the release pipeline to actually produce SBOM artifacts or adjust this statement to reflect current practice.
| | **SBOM** | Generated via GoReleaser for each release | | |
| | **SBOM** | Not currently generated; planned via GoReleaser in future releases | |
🔄 Auto-Applying Copilot Code Review
Copilot code review found 4 code suggestion(s) and 2 general comment(s). @copilot Please apply all of the following code review suggestions:
Also address these general comments:
Push all fixes in a single commit. Run
Auto-generated by copilot-review-apply workflow.
…SBOM, metrics doc
Agent-Logs-Url: https://github.com/kubestellar/console/sessions/2ee54c1c-9586-4bac-b48f-cc389298498f
Co-authored-by: clubanderson <407614+clubanderson@users.noreply.github.com>
Applied all suggestions in commit
Signed-off-by: Andrew Anderson <andy@clubanderson.com>
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits. 📝 Please follow instructions in the contributing guide to update your commits with the DCO. Full details of the Developer Certificate of Origin can be found at developercertificate.org. The list of commits missing DCO signoff:
Details
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Thank you for your contribution! Your PR has been merged. Check out what's new:
Stay connected: Slack #kubestellar-dev | Multi-Cluster Survey |
📌 Fixes
📝 Summary of Changes
Closes CNCF incubation gaps identified in a readiness assessment:
- `/metrics` is served by `kc-agent`, not the console backend
- `vX.Y.Z` semver tag and updated Go requirement to `1.25+`
- `fetch-depth: 0` so git history is available for staleness checks; improved missing-section messages to use human-friendly labels instead of raw regex strings

Remaining gaps (not in this PR)
Changes Made
- `kc-agent`
- `1.25+`)
- `fetch-depth: 0`) and human-friendly section labels in error messages

Checklist
Please ensure the following before submitting your PR:
- `git commit -s`)

Screenshots or Logs (if applicable)
N/A — documentation and workflow changes only.
👀 Reviewer Notes
- `fetch-depth: 0` change applies to the single checkout step for the entire auto-qa job; this ensures git history is available for the ROADMAP.md staleness check.
- `REGEX::Label` pattern to emit readable section names (e.g. "Near-term / short-term") in GitHub issue bodies instead of raw regex strings.

Test plan
- `npm run build`)
- `npm run lint`)