chore: Backport v20260626#1328
Open
britaniar wants to merge 8 commits into
…ating to VAP 3/) (Azure#736)
….0 to fix CVEs (Azure#739)
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
…Azure#738) Bumps oss/go/microsoft/golang from 1.25.11 to 1.26.4.
---
updated-dependencies:
- dependency-name: oss/go/microsoft/golang
  dependency-version: 1.26.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4...v6)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…es (Azure#713)

* ci: prepare release pipeline for -rc tags and add autogen release notes

Foundational hygiene + workflow correctness for the release revamp tracked in kubefleet-dev/kubefleet#693. Four mechanical changes that together unblock cutting the first v0.4.0-rc.1 tag.

1. Anchor the SemVer regex and accept -rc.N in setup-release.yml. Closes the partial-match bug (e.g. v0.4.0extrastuff previously validated) and adds support for v*.*.*-rc.N pre-release tags following the Kubernetes convention.
2. Exclude -rc* tags from upgrade-compat tag discovery in upgrade.yml. Without this, the first RC becomes the "previous release" for all three compat jobs and the suite fails. Uses git rev-list and git describe --exclude= globs.
3. Add .github/release.yml for GitHub auto-generated release notes, with label-based categorization that mirrors the project's existing PR-title prefixes. Required release-note/* labels will be created out-of-band; see the PR description.
4. Delete charts/{hub,member}-agent/crdbases/ - vestigial copies of config/crd/bases/, unreferenced by chart templates, Makefile, or any shell script.

Maps to kubefleet-dev/kubefleet#693 Phase 1 bullets 1 (partial), 6, 7.

Signed-off-by: Yetkin Timocin <ytimocin@microsoft.com>

* docs: document PR title prefixes and release-note labels

Adds two sections to CONTRIBUTING.md, completing the auto-generated release-notes setup from the same PR:

- "Pull request titles" enumerates the prefixes enforced by pr-title-lint.yml and points contributors at make reviewable, which the PR template already mandates but CONTRIBUTING.md did not surface.
- "Release note labels" maps each title prefix to its release-note/* label and documents the additive labels (breaking, security, none) and the distinction between release-note/none (entry suppressed, PR still in dataset) and ignore-for-release (PR excluded entirely).

Signed-off-by: Yetkin Timocin <ytimocin@microsoft.com>

* ci: serialize release workflows and harden imagetools loop

Two small additions in the same release-correctness theme as the rest of this PR:

- Add concurrency groups to release.yml (per-ref) and chart.yml (global). Both use cancel-in-progress: false - aborting an in-flight image or chart push is worse than letting it finish. release-images is keyed on github.ref so different tags don't serialize against each other; the chart group is global because helm-gh-pages always rewrites the gh-pages branch and concurrent runs would race.
- Add set -euo pipefail to the "Tag and push images without v prefix" step in release.yml. Without it, an imagetools failure on image 1 silently lets the loop continue for images 2-3, leaving the release partially retagged. The matching steps in chart.yml already use strict mode.

Signed-off-by: Yetkin Timocin <ytimocin@microsoft.com>

* docs: propose support window and CVE response SLO in SECURITY.md

Draft for maintainer discussion on this PR. The values pick a coherent trio that the release-process revamp in Azure#693 has otherwise been blocked on (Q3 in the epic):

- Support window: N/N-1. Only the latest minor and the immediately preceding minor receive security patches. At the proposed ~3-month cadence this is ~6 months effective patch coverage per minor.
- Response SLO: 14 days for Critical (CVSS 9.0+), 45 days for High (7.0-8.9), best-effort for Medium/Low. Marked aspirational; revisit after one quarterly cycle.
- Pre-1.0 caveat called out explicitly: "supported" applies to security backports, not API stability.

Reviewers: please push back on any of these on the PR thread - the values are deliberately concrete to force the conversation, not because they're settled.

Signed-off-by: Yetkin Timocin <ytimocin@microsoft.com>

* ci: address review feedback on release-workflow gates and globs

Three follow-ups from the multi-agent review of this PR:

- chart.yml: filter pre-release tags via a negative pattern in the push.tags trigger. Without this, v0.4.0-rc.1 would publish an RC chart into the stable gh-pages index (helm-gh-pages appends to index.yaml), making it visible to every "helm repo add" consumer. The negative pattern form is the GitHub-idiomatic way to combine include/exclude for tags. (Blocking finding #1.)
- chart.yml: scope the helm-chart-publish concurrency to the publish-github-pages job only. The OCI publish pushes immutable per-tag blobs and is safe to run in parallel across tags; serializing it added latency with no correctness benefit. (Should-fix Azure#4.)
- upgrade.yml: tighten the upgrade-test tag-exclusion glob from '*-rc*' to '*-rc.*' so it only matches the project's dot-separated RC tag form and not hypothetical refs like 'release-rc-branch'. Both git rev-list --exclude and git describe --exclude get the tightened pattern. (Should-fix Azure#9.)
- release.yml: add set -euo pipefail to the "Verify images" step for consistency with the imagetools step. Pure echo loop today so harmless, but the precedent prevents future bugs. (Consider.)

Signed-off-by: Yetkin Timocin <ytimocin@microsoft.com>

* ci: scope short-tag publish to stable releases and tighten chart glob

Two follow-ups from the second round of multi-agent review on this PR:

- release.yml: gate the "Tag and push images without v prefix" step with if: !contains(needs.export-registry.outputs.tag, '-rc.'). RC tags continue to build and push images under the long form (e.g. :v0.4.0-rc.1) so testers can pull them, but we no longer alias them into the short-tag namespace (:0.4.0-rc.1). That namespace is reserved for stable releases that consumers pin to. Also refactor the Verify images step into a per-image loop with a matching conditional so the output reflects what was actually published.
- chart.yml: tighten the negative pattern from "!*-rc.*" to "!v*-rc.*". Scopes the negation to the project's own v-prefixed tag form; hypothetical non-v-prefixed tags containing -rc. (from other tooling) would otherwise be silently dropped.

Signed-off-by: Yetkin Timocin <ytimocin@microsoft.com>

* docs: address review feedback on CONTRIBUTING.md and SECURITY.md

Bundles the response to the multi-agent review of this PR. CONTRIBUTING and SECURITY are touched together because the doc-review findings were interrelated and the fixes land cleanly as one batch.

CONTRIBUTING.md:

- Add release-note/* mappings for style:, interface:, util:, revert:. style/interface/util fold into release-note/chore; revert folds into release-note/fix (operationally a fix from the user's perspective; confirmed against the project's historical revert PR Azure#454).
- Fix the contradiction between "carry exactly one" and the additive labels by switching to "one base ... additive labels may be stacked".
- Expand the release-note/breaking threshold from "any change that breaks an API or behavior" to: requires user action (manifest edit, CRD/RBAC reapply, webhook config update, member-cluster re-join) OR alters scheduling/override/apply semantics that re-rank or re-apply existing placements without a manifest change. Pre-1.0 internal refactors of v1alpha1 shapes that don't require migration steps or change behavior do not qualify.
- Sharpen the release-note/none vs ignore-for-release distinction: none keeps the PR visible in GitHub's auto-notes drafter UI; ignore-for-release hides it entirely - "default to this for CI-only or internal-cleanup PRs".

SECURITY.md:

- Add TODO HTML comment at the top scoping the three new sections to kubefleet-dev/kubefleet#693 Q3 + the discussion on this PR.
- Switch "follows N/N-1" to "targets N/N-1".
- Replace the apologetic "best-effort basis" caveat with a factual statement that the project has held a roughly quarterly cadence since v0.1.0 (giving ~6 months effective patch coverage) with possible minor slippage while pre-1.0.
- Add an upgrade-path sentence directing users on EOL minors to follow the project's upgrade documentation.
- Add a new "Coordinated disclosure" section covering embargo window (TBD, with a floor: reporters notified before disclosure), vendor advance notification (TBD, references the CNCF TAG-Security template for the conventional distributors-list form), and GitHub private vulnerability reporting (to be enabled).

All values in the new SECURITY.md sections remain proposals for the maintainer thread on this PR; the TODO comment makes that explicit.

Signed-off-by: Yetkin Timocin <ytimocin@microsoft.com>

* docs: correct cadence claim and generalize alpha/beta carve-out

Two final wording fixes from the third round of multi-agent review on this PR. Both content reviewers flagged the cadence wording as factually inaccurate; one also flagged the alpha-version carve-out as too narrow given that v1beta1 types already exist in the codebase.

- SECURITY.md: replace "roughly quarterly release cadence since v0.1.0 ... approximately six months of patch coverage" with the actual observed cadence. Real minor-release intervals: v0.0.1->v0.1 = 6.7 months (pre-sandbox outlier), v0.1->v0.2 = 2.1 months, v0.2->v0.3.0 = 2.5 months. The supported text now reads "roughly 2-3 month cadence since v0.2, giving approximately four to six months of patch coverage" which matches the data.
- CONTRIBUTING.md: generalize the breaking-label carve-out from "internal refactors that touch v1alpha1 shapes" to "internal refactors of any alpha or beta API shape." KubeFleet already ships v1beta1 types (placement/v1beta1 is the current stable line), and a literal reading of the v1alpha1-only wording could mislead a future reviewer into thinking v1beta1 refactors automatically qualify as breaking. Also tighten "change semantics" to "change observable semantics" since unobservable internal-state changes are not user-breaking.

Signed-off-by: Yetkin Timocin <ytimocin@microsoft.com>

---------

Signed-off-by: Yetkin Timocin <ytimocin@microsoft.com>
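The three shell-level points in the commit message above (an anchored SemVer check that accepts -rc.N, excluding RC tags when picking the "previous release" for upgrade tests, and why the retag loop needs `set -euo pipefail`), as an added example that is not KubeFleet's own workflow code. The function names, the sample tag list and the `retag_image` stand-in are constructed for illustration; the real per-image imagetools command is not shown on this page and is not reproduced here.

```shell
#!/usr/bin/env bash
# Added example, not KubeFleet's workflow code. Demonstrates, on constructed
# inputs, the three shell-level fixes described in the commit message above.
set -euo pipefail

# Anchored SemVer pattern: vMAJOR.MINOR.PATCH with an optional -rc.N suffix.
# The ^ and $ anchors are what stop a tag like v0.4.0extrastuff from passing.
TAG_RE='^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-rc\.(0|[1-9][0-9]*))?$'

# is_release_tag TAG: succeeds for stable (v0.4.0) and RC (v0.4.0-rc.1) tags.
is_release_tag() {
  printf '%s\n' "$1" | grep -Eq "$TAG_RE"
}

# glob_matches GLOB REF: shell glob match, the same kind of pattern that
# git rev-list --exclude=GLOB and git describe --exclude=GLOB take.
glob_matches() {
  case "$2" in $1) return 0 ;; *) return 1 ;; esac
}

# is_rc_tag TAG: a valid release tag in the dot-separated RC form.
is_rc_tag() {
  is_release_tag "$1" && glob_matches '*-rc.*' "$1"
}

# previous_stable_tag: reads candidate tags on stdin (one per line, as
# `git tag --list 'v*'` would print them), drops RC and malformed tags and
# prints the highest remaining version. Without the RC filter the first RC
# would become the "previous release" of the upgrade-compat jobs.
previous_stable_tag() {
  local tag
  while IFS= read -r tag; do
    if is_release_tag "$tag" && ! is_rc_tag "$tag"; then
      printf '%s\n' "$tag"
    fi
  done | sort -t . -k 1.2,1n -k 2,2n -k 3,3n | tail -n 1
}

# Constructed tag list standing in for real git output.
SAMPLE_TAGS='v0.1.0
v0.2.1
v0.3.0
v0.4.0-rc.1
v0.4.0extrastuff
release-rc-branch'

# Retag loop run in a fresh bash process (a subshell inside an || list would
# have its own `set -e` ignored by bash). retag_image is a constructed stand-in
# for the per-image imagetools call and fails for member-agent.
RETAG_LOOP='
if [ "$1" = strict ]; then set -euo pipefail; fi
retag_image() { [ "$1" != member-agent ]; }
for img in hub-agent member-agent crd-installer; do
  retag_image "$img"
done
'

# retag_loop_status strict|lenient: prints the exit status of the loop.
# lenient exits 0 although one retag failed (the partially retagged release
# the commit describes); strict stops at the first failure with status 1.
retag_loop_status() {
  local status=0
  bash -c "$RETAG_LOOP" retag-demo "$1" || status=$?
  echo "$status"
}

main() {
  local t
  for t in v0.4.0 v0.4.0-rc.1 v0.4.0extrastuff release-rc-branch; do
    if is_release_tag "$t"; then echo "valid    $t"; else echo "rejected $t"; fi
  done
  echo "glob '*-rc*'  matches release-rc-branch: $(glob_matches '*-rc*' release-rc-branch && echo yes || echo no)"
  echo "glob '*-rc.*' matches release-rc-branch: $(glob_matches '*-rc.*' release-rc-branch && echo yes || echo no)"
  echo "previous stable release: $(printf '%s\n' "$SAMPLE_TAGS" | previous_stable_tag)"
  echo "lenient loop exit status: $(retag_loop_status lenient)"
  echo "strict loop exit status:  $(retag_loop_status strict)"
}

main "$@"
```

In a workflow the same checks would live in a `run:` step; the point of `retag_loop_status` is that a loop without strict mode reports success as long as its last iteration succeeds, so a mid-loop registry error never fails the job. The loop is run through `bash -c` rather than a plain `( ... )` subshell because bash suppresses `set -e` inside a subshell that is itself the left side of an `||` list, which would silently defeat the demonstration.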
* Initial plan

* chore: upgrade golang.org/x/crypto to v0.52.0

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
ci: bump Ginkgo CLI version to v2.23.4 to match go.mod

Agent-Logs-Url: https://github.com/kubefleet-dev/kubefleet/sessions/ee40189d-043f-4727-ad2e-239b05bbbc09
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: ytimocin <5220939+ytimocin@users.noreply.github.com>
12fc1a9 to cecc32d
ytimocin approved these changes Jun 26, 2026
Description of your changes
Fixes #
backport to resolve CVEs in next release

I have:
- make reviewable to ensure this PR is ready for review.

How has this code been tested

Special notes for your reviewer
6df264c (cncf/main) ci: bump pinned Ginkgo CLI to v2.23.4 to match go.mod (#696)
1f6fae9 chore: upgrade golang.org/x/crypto to v0.52.0 (#744)
fdb3aac ci: prepare release pipeline for -rc tags and add autogen release notes (#713)
5b71aae chore: bump actions/checkout from 4 to 6 (#737)
3caed86 chore: bump oss/go/microsoft/golang from 1.25.11 to 1.26.4 in /docker (#738)
f836561 chore: bump golang.org/x/net to v0.55.0 and golang.org/x/sys to v0.45.0 to fix CVEs (#739)
5533f3b feat: refactor: use tree-based CEL building for the VAP manager (migrating to VAP 3/) (#736)