villebro opened a new pull request, #120: URL: https://github.com/apache/superset-kubernetes-operator/pull/120
## Summary

Groups several small, independent improvements across the release workflow, the lifecycle controller, and the docs: per-image SBOM and build provenance, a warning when image-tag version comparison can't be performed, and exclusion of editor/agent context files from the source tarball.

## Details

- **Supply chain:** the release workflow attaches a per-platform SPDX SBOM and SLSA build provenance to each published image via BuildKit (`sbom: true`, `provenance: mode=max`); the existing cosign signature on the image index covers them. `security.md` documents how to inspect them.
- **Downgrade protection:** `checkUpgradeGates` only blocked semver downgrades and silently proceeded for non-comparable tags (`latest`, date stamps, digest pins) — running forward-only migrations against an older image undetected. It now emits a `VersionComparisonSkipped` warning event + log for that case, with a unit test and a documented note that downgrade protection requires semver tags.
- **Source-release hygiene:** `CLAUDE.md`/`GEMINI.md` (symlinks to the canonical, vendor-neutral `AGENTS.md`) are now `export-ignore`d so they stay in-tree for local development but are excluded from the `git archive` source tarball. `.gitattributes` and the two symlinks are added to `.rat-excludes`; RAT still passes.
- **Docs:** added a Known Limitations section to the release notes (websocket server experimental).

--
This is an automated message from the Apache Git Service.
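The downgrade-gate behaviour described in the PR, as an added illustration that is not the operator's own `checkUpgradeGates` code: plain semver tags are compared numerically and a downgrade is blocked, while `latest`, date stamps, digest pins and other non-semver tags yield a distinct "comparison skipped" outcome for the caller to surface as a warning event rather than proceeding silently. The regex, the `parseSemver`/`versionGate` helpers and the outcome names are assumptions for this example.

```go
package main

import (
	"regexp"
	"strconv"
)

// semverRe accepts release tags like 1.2.3 or v1.2.3; anything else (latest,
// 20240101-style date stamps, sha256 digest pins, pre-releases) is non-comparable.
var semverRe = regexp.MustCompile(`^v?(\d+)\.(\d+)\.(\d+)$`)

// parseSemver returns major/minor/patch, or ok=false for a non-semver tag.
func parseSemver(tag string) (v [3]int, ok bool) {
	m := semverRe.FindStringSubmatch(tag)
	if m == nil {
		return v, false
	}
	for i := range v {
		v[i], _ = strconv.Atoi(m[i+1]) // digits-only match, so Atoi cannot fail
	}
	return v, true
}

// Gate outcomes (illustrative names, not the operator's own).
const (
	GateAllow                    = "Allow"                    // proceed
	GateBlockDowngrade           = "BlockDowngrade"           // refuse: migrations are forward-only
	GateVersionComparisonSkipped = "VersionComparisonSkipped" // emit a warning event, then proceed
)

// versionGate blocks a semver downgrade and reports, instead of silently
// proceeding, when the running and desired tags cannot be compared.
func versionGate(current, desired string) string {
	cv, okC := parseSemver(current)
	dv, okD := parseSemver(desired)
	if !okC || !okD {
		return GateVersionComparisonSkipped
	}
	for i := range cv {
		if dv[i] != cv[i] {
			if dv[i] < cv[i] {
				return GateBlockDowngrade
			}
			return GateAllow // first differing component is higher
		}
	}
	return GateAllow // identical versions
}
```

Note that `4.0.10` sorts above `4.0.9` because components are compared as integers, not as strings.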
