Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions .claude/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,45 @@ The format is based on the regulated environment requirements:

---

## [2026-04-19 20:45] - Fix vexctl installer 404 in build.yaml

**Author:** Erick Bourgeois

### Changed
- `.github/workflows/build.yaml` (Install vexctl step): Changed the download URL from the non-existent `vexctl_${VEXCTL_VERSION}_linux_amd64.tar.gz` tarball to the raw binary `vexctl-linux-amd64`. Removed the `tar -xzf` step accordingly. Kept the version pin at `0.3.0` and the inline comment, expanded to describe the actual asset layout (raw binaries + detached Cosign `.sig`/`.pem` per platform).

### Why
The OpenVEX project does not publish versioned tarballs for vexctl. Their release assets are raw platform binaries named `vexctl-<os>-<arch>` (hyphens, no version, no `.tar.gz`). The workflow was copy-pasted from the Grype install step — which *does* ship tarballs in the format `grype_<version>_<os>_<arch>.tar.gz` — so the pattern looked reasonable but 404ed on the first CI run. Verified the correct asset name against `api.github.com/repos/openvex/vexctl/releases/tags/v0.3.0`. Grype's own installer was audited and is correct.

### Impact
- [ ] Breaking change
- [ ] Requires cluster rollout
- [x] Config change only (CI workflow)
- [ ] Documentation only

### Follow-up (optional, not in this commit)
vexctl ships detached Cosign signatures (`vexctl-linux-amd64.sig` + `.pem`). A follow-up could verify the binary with `cosign verify-blob` before installing, closing a small supply-chain gap on the installer itself.

---

## [2026-04-19 20:30] - Add Community section to README (FINOS Slack #5-spot)

**Author:** Erick Bourgeois

### Changed
- `README.md`: New `## Community` section between `## Contributing` and `## Security`, pointing to `#5-spot` on the FINOS Slack workspace (<https://finos-lf.slack.com/channels/5-spot>, join at <https://finos.org/slack>), plus GitHub Issues and GitHub Discussions as the other two canonical contact surfaces. Security-sensitive reports are explicitly redirected back to the Security section so they do not land in public Issues.

### Why
New contributors and users landing on the repo had no documented way to reach the project maintainers for usage questions short of opening an Issue. Publishing the FINOS Slack channel — now that the project lives under the FINOS org — gives a low-friction conversation surface and matches what every other FINOS project does.

### Impact
- [ ] Breaking change
- [ ] Requires cluster rollout
- [ ] Config change only
- [x] Documentation only

---

## [2026-04-19 20:15] - Rename Service to `controller` (RFC 1035 compliance)

**Author:** Erick Bourgeois
Expand Down
28 changes: 18 additions & 10 deletions .github/actions/extract-version/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -50,20 +50,28 @@ runs:
- name: Extract version information
id: extract
shell: bash
env:
GH_SHA: ${{ github.sha }}
GH_RUN_NUMBER: ${{ github.run_number }}
IN_REPOSITORY: ${{ inputs.repository }}
IN_WORKFLOW_TYPE: ${{ inputs.workflow-type }}
IN_PR_NUMBER: ${{ inputs.pr-number }}
IN_RELEASE_TAG: ${{ inputs.release-tag }}
IN_IMAGE_TAG_SUFFIX: ${{ inputs.image-tag-suffix }}
run: |
# Extract short SHA (first 7 characters)
SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
SHORT_SHA="${GH_SHA:0:7}"
echo "short-sha=${SHORT_SHA}" >> $GITHUB_OUTPUT

IMAGE_REPOSITORY="${{ inputs.repository }}"
IMAGE_TAG_SUFFIX="${{ inputs.image-tag-suffix }}"
IMAGE_REPOSITORY="${IN_REPOSITORY}"
IMAGE_TAG_SUFFIX="${IN_IMAGE_TAG_SUFFIX}"
echo "image-repository=${IMAGE_REPOSITORY}" >> $GITHUB_OUTPUT

case "${{ inputs.workflow-type }}" in
case "${IN_WORKFLOW_TYPE}" in
release)
# Release workflow: extract from release tag
# Tag format: v0.2.0 (no date)
TAG_NAME="${{ inputs.release-tag }}"
TAG_NAME="${IN_RELEASE_TAG}"
VERSION="${TAG_NAME#v}"
IMAGE_TAG="${TAG_NAME}${IMAGE_TAG_SUFFIX}"
echo "version=${VERSION}" >> $GITHUB_OUTPUT
Expand All @@ -75,9 +83,9 @@ runs:
pr)
# PR workflow: use pr-NUMBER format
# Tag format: pr-42
VERSION="pr-${{ inputs.pr-number }}"
TAG_NAME="pr-${{ inputs.pr-number }}"
IMAGE_TAG="pr-${{ inputs.pr-number }}${IMAGE_TAG_SUFFIX}"
VERSION="pr-${IN_PR_NUMBER}"
TAG_NAME="pr-${IN_PR_NUMBER}"
IMAGE_TAG="pr-${IN_PR_NUMBER}${IMAGE_TAG_SUFFIX}"
echo "version=${VERSION}" >> $GITHUB_OUTPUT
echo "tag-name=${TAG_NAME}" >> $GITHUB_OUTPUT
echo "image-tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
Expand All @@ -88,7 +96,7 @@ runs:
# Main branch: use main-YYYY-MM-DD format
# Tag format: main-2025-12-17
DATE=$(date +%Y-%m-%d)
VERSION="0.0.0-main.${DATE}.${{ github.run_number }}"
VERSION="0.0.0-main.${DATE}.${GH_RUN_NUMBER}"
TAG_NAME="main-${DATE}"
IMAGE_TAG="main-${DATE}${IMAGE_TAG_SUFFIX}"
echo "version=${VERSION}" >> $GITHUB_OUTPUT
Expand All @@ -98,7 +106,7 @@ runs:
;;

*)
echo "Error: Invalid workflow-type '${{ inputs.workflow-type }}'. Must be: main, pr, or release"
echo "Error: Invalid workflow-type '${IN_WORKFLOW_TYPE}'. Must be: main, pr, or release"
exit 1
;;
esac
21 changes: 14 additions & 7 deletions .github/workflows/build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,12 +23,16 @@ on:
types:
- published

# Defaults for jobs that do not declare their own permissions block.
# Jobs with special needs (docker, attest, sign, upload) override at job level.
# Top-level GITHUB_TOKEN is read-only by default (OpenSSF Scorecard
# Token-Permissions rule). Jobs that need elevated scopes — id-token:write
# for keyless Cosign / Sigstore, security-events:write for SARIF upload to
# Code Scanning, packages:write for GHCR push, attestations:write for
# actions/attest-build-provenance, contents:write for release-asset upload
# — declare them explicitly at job level. See the docker / attest /
# build-vex / semgrep-sast / iac-scan / grype / sign-artifacts /
# slsa-provenance / upload-release-assets jobs below.
permissions:
contents: read
id-token: write
security-events: write

env:
CARGO_TERM_COLOR: always
Expand Down Expand Up @@ -553,9 +557,12 @@ jobs:
VEXCTL_VERSION: '0.3.0'
run: |
set -euo pipefail
url="https://github.com/openvex/vexctl/releases/download/v${VEXCTL_VERSION}/vexctl_${VEXCTL_VERSION}_linux_amd64.tar.gz"
curl -fsSLo vexctl.tgz "$url"
tar -xzf vexctl.tgz vexctl
# OpenVEX publishes vexctl as raw platform binaries (no tarball,
# no version in the asset name), plus detached Cosign signatures.
# Asset layout: vexctl-<os>-<arch>, vexctl-<os>-<arch>.sig,
# vexctl-<os>-<arch>.pem. See the release page for the full list.
url="https://github.com/openvex/vexctl/releases/download/v${VEXCTL_VERSION}/vexctl-linux-amd64"
curl -fsSLo vexctl "$url"
sudo install -m 0755 vexctl /usr/local/bin/vexctl
vexctl version

Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/calm.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -182,7 +182,9 @@ jobs:
node-version: ${{ inputs.node-version }}

- name: Install @finos/calm-cli
run: npm install -g "@finos/calm-cli@${{ inputs.cli-version }}"
env:
CLI_VERSION: ${{ inputs.cli-version }}
run: npm install -g "@finos/calm-cli@${CLI_VERSION}"

- name: Show CLI version
run: calm --version
Expand Down
10 changes: 8 additions & 2 deletions .github/workflows/docs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -104,8 +104,11 @@ jobs:
python-version: '3.11'

- name: Install Poetry
env:
# Pinned for reproducibility; bump alongside docs/pyproject.toml.
POETRY_VERSION: "1.8.4"
run: |
curl -sSL https://install.python-poetry.org | python3 -
curl -sSL https://install.python-poetry.org | python3 - --version "${POETRY_VERSION}"
echo "$HOME/.local/bin" >> "$GITHUB_PATH"

- name: Configure Poetry
Expand Down Expand Up @@ -147,8 +150,11 @@ jobs:
- name: Check for broken links
if: github.event_name == 'pull_request'
continue-on-error: true
env:
# Pinned for reproducibility; bump periodically.
LINKINATOR_VERSION: "6.1.2"
run: |
npm install -g linkinator
npm install -g "linkinator@${LINKINATOR_VERSION}"
linkinator docs/site/ --recurse --skip "rustdoc/.*" --verbosity error

- name: Setup Pages
Expand Down
14 changes: 14 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -470,6 +470,20 @@ Contributions welcome! Please:
5. Ensure all tests pass
6. Install git hooks: `make install-git-hooks` (prevents committing secrets)

## Community

- **Slack**: [`#5-spot`](https://finos-lf.slack.com/channels/5-spot) on the FINOS
Slack workspace. Join the workspace at <https://finos.org/slack> if you
don't already have access. Use `#5-spot` for usage questions, schedule and
reconciliation behaviour, CAPI integration questions, and release
coordination.
- **GitHub Issues**: <https://github.com/finos/5-spot/issues> for bugs,
feature requests, and CRD schema discussion. Security-sensitive reports
should follow the process in [Security](#security) below, not Issues.
- **GitHub Discussions**: <https://github.com/finos/5-spot/discussions> for
longer-form design and architecture conversations that outgrow a Slack
thread.

## Security

- **Gitleaks**: Pre-commit and CI secret scanning
Expand Down
80 changes: 80 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
<!--
Copyright (c) 2025 Erick Bourgeois, firestoned
SPDX-License-Identifier: Apache-2.0
-->

# Security Policy

5-Spot is a FINOS-incubating project. Its security posture is described
in detail under [`docs/src/security/`](./docs/src/security/); this
document gives the short version: how to report a vulnerability and what
to expect back.

## Reporting a vulnerability

**Do not open a public GitHub issue for security problems.** Please use
one of the private channels below so we can triage and coordinate
disclosure:

1. **GitHub private vulnerability report** (preferred):
<https://github.com/finos/5-spot/security/advisories/new>
2. **Email**: `security@finos.org` — for general FINOS-coordinated
disclosure. Include `5-spot` in the subject line.
3. **Direct maintainer**: `erick.bourgeois@gmail.com` — PGP-signed
messages welcome.

Please include, where possible:

- A description of the vulnerability and its impact.
- The version / commit SHA / container image digest you tested against.
- Steps to reproduce or a minimal proof-of-concept.
- Any suggested mitigation or patch.

## What to expect

| Phase | Target |
| ---------------------- | ------------------------------------------------------------------- |
| Acknowledgement | 3 business days |
| Initial triage | 7 business days |
| Fix / mitigation ETA | Shared after triage; depends on severity (CVSS) and blast radius |
| Public disclosure | After a fix is released, coordinated with the reporter |

We follow standard coordinated-disclosure practice: the reporter is
credited in the resulting advisory unless they prefer to remain
anonymous.

## Supported versions

5-Spot follows a rolling-release model until `v1.0.0`. Only the latest
release on `main` receives security fixes during the incubation phase.

## Scope

In scope:

- The 5-Spot controller binary and its container images
(`ghcr.io/finos/5-spot`, `ghcr.io/finos/5-spot-distroless`).
- The Custom Resource Definitions and admission policies shipped under
[`deploy/`](./deploy).
- The build and release pipeline
([`.github/workflows/`](./.github/workflows)) insofar as a compromise
would affect published artifacts.

Out of scope:

- Vulnerabilities in upstream dependencies that are already addressed
in our [`.vex/`](./.vex) directory as `not_affected` — these have a
documented, reviewed justification. If you disagree with one, please
still report it so we can re-evaluate.
- Findings that require the reporter to already have cluster-admin or
equivalent privileges.
- Denial-of-service against a single 5-Spot replica (the operator is
designed to be run with leader election and horizontal replicas; see
[`docs/src/operations/multi-instance.md`](./docs/src/operations/multi-instance.md)).

## Related documents

- [Threat model](./docs/src/security/threat-model.md)
- [VEX publication process](./docs/src/security/vex.md)
- [Admission policies & validation](./docs/src/security/admission-validation.md)
- [FINOS security policy](https://www.finos.org/hubfs/finos/FINOS%20Vulnerability%20Disclosure%20Policy.pdf)
13 changes: 10 additions & 3 deletions docs/src/development/contributing.md
Original file line number Diff line number Diff line change
Expand Up @@ -200,9 +200,16 @@ Include:

## Community

- **GitHub Issues**: Bug reports and feature requests
- **GitHub Discussions**: Questions and ideas
- **Pull Requests**: Code contributions
- **Slack**: [`#5-spot`](https://finos-lf.slack.com/channels/5-spot) on the
FINOS Slack workspace — join at <https://finos.org/slack>. Best for
usage questions, reconciliation behaviour, CAPI integration, and
release coordination.
- **GitHub Issues**: Bug reports and feature requests. Security-sensitive
reports should follow [`SECURITY.md`](https://github.com/finos/5-spot/blob/main/SECURITY.md),
not Issues.
- **GitHub Discussions**: Questions and longer-form design / architecture
conversations that outgrow a Slack thread.
- **Pull Requests**: Code contributions.

## License

Expand Down
11 changes: 10 additions & 1 deletion docs/src/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -152,8 +152,17 @@ Current version: **v0.1.0-alpha**

## Support & Community

- **GitHub Issues**: [Report bugs or request features](https://github.com/finos/5-spot/issues)
- **Slack**: [`#5-spot`](https://finos-lf.slack.com/channels/5-spot) on the
FINOS Slack workspace. Join at <https://finos.org/slack> if you don't
already have access. Use `#5-spot` for usage questions, schedule and
reconciliation behaviour, CAPI integration questions, and release
coordination.
- **GitHub Issues**: [Report bugs or request features](https://github.com/finos/5-spot/issues).
Security-sensitive reports should follow [`SECURITY.md`](https://github.com/finos/5-spot/blob/main/SECURITY.md),
not Issues.
- **GitHub Discussions**: [Ask questions and share ideas](https://github.com/finos/5-spot/discussions)
for longer-form design and architecture conversations that outgrow a
Slack thread.
- **Documentation**: You're reading it!

## License
Expand Down
Loading