
Conversation

Collaborator

@vivekr-splunk vivekr-splunk commented Nov 18, 2025

Summary

This PR adds Artifact Hub support and configures Dependabot to properly handle Go 1.24 (which includes important security fixes).

Artifact Hub Support

  • Added artifacthub-repo.yml: Repository metadata for Artifact Hub listing
  • Enhanced Helm Chart.yaml files: Added Artifact Hub annotations to both charts
    • Category: machine-learning
    • License: Apache-2.0
    • Operator capabilities marked
    • Links to documentation, compatibility matrix, BOM
    • Recommendations for related charts (cert-manager, kuberay, prometheus)
  • Improved keywords: Added operator, machine-learning, platform, observability

Dependabot Configuration for Go 1.24

  • Added ignore rules: Configured Dependabot to skip "go" and "golang.org/toolchain" updates
  • Manual Go management: Allows the team to manage Go version updates manually for security patching
  • Alignment: Updated .env to GO_VERSION=1.24.0 to match go.mod
  • Security: Go 1.24 includes security fixes not available in Go 1.23

Why This Approach

Go 1.24 Security: Go 1.24.0 includes important security patches. While it's a newer release, we need to use it for security reasons.

Dependabot Limitation: Dependabot may have issues with newer Go versions, so we configure it to ignore Go toolchain updates while still updating other Go module dependencies.

Manual Control: This gives the team full control over when to update the Go version, which is important for:

  • Security vulnerability response
  • Testing compatibility with new Go releases
  • Coordinating updates across the team

After Merge

  1. Register on Artifact Hub:
     • Sign in at https://artifacthub.io with GitHub
     • Add OCI repository: oci://ghcr.io/splunk/charts
     • Charts will auto-sync and appear with enhanced metadata
  2. Dependabot Behavior:
     • Will update Go module dependencies (k8s.io/, sigs.k8s.io/, etc.)
     • Will NOT update Go language version (team manages manually)
     • Reduces noise from Go version update attempts

Test Plan

  • go.mod uses Go 1.24.0
  • .env uses GO_VERSION=1.24.0
  • Dependabot configured to ignore Go toolchain
  • Helm charts validate with helm lint
  • artifacthub-repo.yml follows Artifact Hub schema
  • Workflows pass with Go 1.24 (will verify in CI)
  • Charts appear on Artifact Hub after registration

Related

  • Configures Dependabot to work with Go 1.24
  • Prepares charts for Artifact Hub listing and security scorecards
  • Maintains security posture with latest Go patches

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
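The test plan above checks the go.mod / .env alignment by hand. As an added example, not code from this PR or the splunk-ai-operator repository, the POSIX shell script below automates that check: it reads the `go` and `toolchain` directives from go.mod and `GO_VERSION` from .env and fails when they disagree or when the toolchain named is older than the `go` line, so a downgrade of the `go` directive would fail CI instead of passing unnoticed. The file locations and function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the splunk-ai-operator repository: fail CI when the
# Go version in go.mod, the GO_VERSION in .env, and any toolchain directive
# disagree. Assumes both files sit in the directory passed as $1 (default ".").

# Version from the "go X.Y[.Z]" directive of a go.mod file.
gomod_go_version() {
  awk '$1 == "go" { print $2; exit }' "$1"
}

# Version from the "toolchain goX.Y.Z" directive, empty if absent.
gomod_toolchain_version() {
  awk '$1 == "toolchain" { sub(/^go/, "", $2); print $2; exit }' "$1"
}

# GO_VERSION from a dotenv file, with surrounding quotes stripped.
env_go_version() {
  sed -n 's/^GO_VERSION=//p' "$1" | head -n 1 | tr -d "\"'"
}

# True (exit 0) when dotted version $1 >= $2, comparing field by field.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0 }'
}

# Exit 0 when everything is aligned; otherwise print the reason and exit 1.
check_go_alignment() {
  dir=${1:-.}
  gm=$(gomod_go_version "$dir/go.mod")
  ev=$(env_go_version "$dir/.env")
  tc=$(gomod_toolchain_version "$dir/go.mod")
  [ -n "$gm" ] || { echo "go.mod: no go directive"; return 1; }
  [ -n "$ev" ] || { echo ".env: no GO_VERSION"; return 1; }
  if [ "$gm" != "$ev" ]; then
    echo "mismatch: go.mod says go $gm, .env says GO_VERSION=$ev"; return 1
  fi
  # A toolchain directive must not name an older toolchain than the go line.
  if [ -n "$tc" ] && ! version_ge "$tc" "$gm"; then
    echo "toolchain go$tc is older than go directive $gm"; return 1
  fi
  echo "aligned: go $gm (toolchain ${tc:-none})"
}
```

Run it as a CI step with `check_go_alignment "$GITHUB_WORKSPACE"` (or any checkout path) so the job fails on a mismatch.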

Copilot AI review requested due to automatic review settings November 18, 2025 22:18
Copilot finished reviewing on behalf of vivekr-splunk November 18, 2025 22:21
go.mod Outdated
go 1.24.0

toolchain go1.24.2
go 1.23
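Review bot: the new `go 1.23` line contradicts this PR's own summary ("go.mod uses Go 1.24.0", "Go 1.24 includes security fixes not available in Go 1.23") and the `.env` alignment to GO_VERSION=1.24.0 that the same PR makes; if the downgrade only works around Dependabot's parsing of 1.24.0, keep `go 1.24.0` and rely on the ignore rules the PR adds instead. Dropping `toolchain go1.24.2` as well means nothing in go.mod asks the go command for a patched 1.24.x toolchain, so the version developers and CI actually build with would have to be pinned somewhere else.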
Collaborator


Was this intentional? There are security vulnerabilities in 1.23 and we are upgrading in SOK too to 1.24.

Collaborator Author


reverted


Copilot AI left a comment


Pull Request Overview

This PR adds Artifact Hub support for the Helm charts and fixes a critical Dependabot issue caused by using an unreleased Go version (1.24.0).

Key Changes:

  • Fixed go.mod to use stable Go 1.23 instead of unreleased 1.24.0, resolving Dependabot parsing errors
  • Added Artifact Hub metadata to both helm charts with detailed annotations for better discoverability
  • Created root-level artifacthub-repo.yml for repository-wide Artifact Hub configuration

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

Reviewed files:

  • go.mod: Changed Go version from unreleased 1.24.0 to stable 1.23 and removed toolchain directive to fix Dependabot compatibility
  • artifacthub-repo.yml: Added repository-level metadata for Artifact Hub listing with owner information and links
  • helm-chart/splunk-ai-operator/Chart.yaml: Enhanced with Artifact Hub annotations including category, license, operator capabilities, links, and recommendations
  • helm-chart/splunk-ai-platform/Chart.yaml: Enhanced with Artifact Hub annotations and updated description to mention observability stack


- url: https://artifacthub.io/packages/helm/kuberay/kuberay-operator
artifacthub.io/maintainers: |
- name: Splunk AI Team
email: opensource@splunk.com

Copilot AI Nov 18, 2025


The email address in the Artifact Hub maintainers annotation (opensource@splunk.com) differs from the Chart.yaml maintainers field (splunkai@cisco.com on line 18). This inconsistency may cause confusion. Consider using the same email address for both, preferably splunkai@cisco.com which is consistently used throughout the codebase (CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md).

Suggested change
email: opensource@splunk.com
email: splunkai@cisco.com

- url: https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack
artifacthub.io/maintainers: |
- name: Splunk AI Team
email: opensource@splunk.com

Copilot AI Nov 18, 2025


The email address in the Artifact Hub maintainers annotation (opensource@splunk.com) differs from the Chart.yaml maintainers field (splunkai@cisco.com on line 21). This inconsistency may cause confusion. Consider using the same email address for both, preferably splunkai@cisco.com which is consistently used throughout the codebase (CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md).

Suggested change
email: opensource@splunk.com
email: splunkai@cisco.com

artifacthub.io/prerelease: "false"
artifacthub.io/containsSecurityUpdates: "false"
artifacthub.io/operator: "true"
artifacthub.io/operatorCapabilities: Seamless Upgrades
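Review bot: `artifacthub.io/containsSecurityUpdates: "false"` is at odds with this PR's own rationale that the move to Go 1.24 is made for security fixes missing from 1.23; if the chart version carrying these annotations ships an image rebuilt on the patched toolchain, set it to "true" for that release (Artifact Hub surfaces it as a security-updates marker on the package), otherwise note in the description that the rebuilt image lands in a later chart version.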

Copilot AI Nov 18, 2025


The operator capabilities annotation is set to "Seamless Upgrades", but the existing helm-chart/splunk-ai-operator/artifacthub-repo.yml file specifies "Full Lifecycle". These should be consistent to avoid confusion on Artifact Hub. Consider aligning both to use the same capability level.

Suggested change
artifacthub.io/operatorCapabilities: Seamless Upgrades
artifacthub.io/operatorCapabilities: Full Lifecycle

url: https://github.com/splunk/splunk-ai-operator/releases
owners:
- name: Splunk
email: opensource@splunk.com
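Review bot: the `owners` e-mail is what Artifact Hub uses to decide who may claim this repository (a signed-in user whose verified account e-mail is listed here can claim ownership), so beyond matching the address used elsewhere in the repo, `opensource@splunk.com` must be an address the team can verify on an Artifact Hub account; if only `splunkai@cisco.com` is, the listing cannot be claimed and the "Register on Artifact Hub" step in the description will stall at ownership.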

Copilot AI Nov 18, 2025


The email address opensource@splunk.com is inconsistent with the existing helm-chart/splunk-ai-operator/artifacthub-repo.yml file which uses splunkai@cisco.com. For consistency across Artifact Hub configurations, consider using the same email address in both locations.

Suggested change
email: opensource@splunk.com
email: splunkai@cisco.com

- Add Artifact Hub annotations to Helm charts for better discoverability
- Add artifacthub-repo.yml with repository metadata
- Configure Dependabot to ignore Go toolchain updates (managed manually)
- Update .env to Go 1.24.0 to match go.mod

Artifact Hub changes:
- Added category, license, and operator capability annotations
- Added links to documentation, compatibility matrix, and BOM
- Added recommendations for related charts (cert-manager, kuberay)
- Enhanced keywords for better searchability

Dependabot configuration:
- Added ignore rules for "go" and "golang.org/toolchain" dependencies
- Allows manual management of Go version for security patching
- Go 1.24 includes security fixes not available in Go 1.23
- Dependabot will still update other Go module dependencies

Go version alignment:
- go.mod: go 1.24.0
- .env: GO_VERSION=1.24.0
- Ensures consistency across local dev, CI/CD, and workflows

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@vivekr-splunk vivekr-splunk force-pushed the feat/add-bom-sbom-generation branch from 2e48cb6 to e7ea73c Compare November 18, 2025 22:44

coveralls commented Nov 18, 2025

Pull Request Test Coverage Report for Build 19483380804

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 36.822%

Totals Coverage Status

  • Change from base Build 19481592956: 0.0%
  • Covered Lines: 2336
  • Relevant Lines: 6344

💛 - Coveralls

- Change email from opensource@splunk.com to splunkai@cisco.com
- Ensures consistency with existing Chart.yaml maintainers
- Updates artifacthub-repo.yml and both Chart.yaml annotations

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@vivekr-splunk vivekr-splunk merged commit 1f05a9f into main Nov 18, 2025
6 checks passed
@vivekr-splunk vivekr-splunk deleted the feat/add-bom-sbom-generation branch November 18, 2025 23:03