This repo is in security maintenance phase, superseded by rancher/compliance-operator. Two files updated to reflect that reality.

README.md

• Fix OpenSSF Scorecard badge URL → api.securityscorecards.dev
• Apply parent PR: readme: mark as maintenance only and link to compliance-operator #878
  • Add [!IMPORTANT] maintenance-phase callout after intro
  • Add Migration section (links to Rancher Compliance App + migration guide)
  • Add Support Status table (v1.4/v1.3 = Security Only, v1.2 = EOL) and Maintenance Policy
  • Remove ## Building and ## Running sections
  • Remove ### How future release branches should be generated
  • Fix Support Compatibility Matrix link (trailing / removed, inlined)
  • Convert [rancher/security-scan] reference link to inline

.github/renovate.json

rancher-main#release opens all routine bumps — not appropriate for a maintenance-only repo. This PR adds an explicit disable rule for main so only CVE-driven alerts generate PRs. Release branches already enforce security-only via their upstream presets (rancher-2.10#release, rancher-2.11#release), no extra rule needed there.

After merging, the following open Renovate PRs can be closed as out of scope:

• chore(deps): update dependency golangci/golangci-lint to v2.2.2 #842 golangci-lint bump
• chore(deps): update gomod-k8s-dependencies #845 k8s 0.32.6 → 0.32.7
• chore(deps): update module github.com/rancher/wrangler/v3 to v3.2.2 #821 wrangler v3.2.0 → v3.2.2
• chore(deps): update module github.com/prometheus-operator/prometheus-operator/pkg/client to v0.84.0 #815 prometheus-operator/pkg/client → v0.84.0
• chore(deps): update module github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring to v0.84.0 #813 prometheus-operator/pkg/apis → v0.84.0

PR #844 (x/crypto digest) should be reviewed individually — may carry a security fix.