From c38358e4748c223f817e2ca621f52a7c4038b8ed Mon Sep 17 00:00:00 2001 From: drumato Date: Fri, 15 May 2026 19:15:20 +0900 Subject: [PATCH] improve management quality Signed-off-by: drumato --- .github/ISSUE_TEMPLATE/bug_report.md | 38 +++++++++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 23 +++++++++++++ .github/PULL_REQUEST_TEMPLATE.md | 28 ++++++++++++++++ .github/workflows/release.yaml | 18 ++++++++++ .gitignore | 24 +++++++++++++ .goreleaser.yaml | 22 ++++++++++++ CONTRIBUTING.md | 41 +++++++++++++++++++++++ SECURITY.md | 30 +++++++++++++++++ 8 files changed, 224 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..9e53211 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,38 @@ +--- +name: Bug report +about: Report a bug in tazuna / tazuna のバグ報告 +title: '' +labels: bug +assignees: '' +--- + +## Description / 概要 + + + +## Reproduction / 再現手順 + + + +## Expected behaviour / 期待する挙動 + + + +## Actual behaviour / 実際の挙動 + + + +``` +(paste output here / 出力をここに貼る) +``` + +## Environment / 環境 + +- OS: +- tazuna version (`tazuna --version`): +- Kubernetes version (`kubectl version`): +- Manifest backend(s) used (kustomize / helmfile / oras / parallel): diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..88ba350 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -0,0 +1,23 @@ +--- +name: Feature request +about: Suggest a feature or improvement / 機能提案・改善案 +title: '' +labels: enhancement +assignees: '' +--- + +## Problem / 解きたい課題 + + + +## Proposed solution / 提案する解決策 + + + +## Alternatives considered / 検討した代替案 + + + +## Additional context / 補足 + + diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..637c3f1 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,28 @@ + + +## Summary / 概要 + + + +## Changes / 変更点 + + + +- +- + +## Test plan / 動作確認 + + + +- [ ] `make test` +- [ ] `make lint` +- [ ] `make test-integration` (if relevant / 関連する場合) +- [ ] `make test-e2e` (if relevant / 関連する場合) + +## Related issues / 関連 issue + + diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2c09d60..151b45f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -7,6 +7,11 @@ on: permissions: contents: write + # id-token is required for cosign keyless signing via Sigstore OIDC, + # and for actions/attest-build-provenance. + id-token: write + # attestations is required for actions/attest-build-provenance. + attestations: write jobs: goreleaser: @@ -20,6 +25,10 @@ jobs: uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: stable + - name: Install Syft (for SBOM) + uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 + - name: Install Cosign (for keyless signing) + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 - name: Run GoReleaser uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1 with: 
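Review bot: The workflow-level `permissions` block now grants `id-token: write` and `attestations: write` to every job in release.yaml, not only to the job that signs and attests; the `jobs:` context below shows `goreleaser:` as the first job but the rest of the workflow is outside the hunk, so whether other jobs exist cannot be confirmed here. If `goreleaser` is the only job the grant is already effectively scoped; otherwise moving the two new keys (and their comments) under `jobs.goreleaser.permissions:` keeps the OIDC token available only to the step that needs it.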
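Review bot: The Syft and Cosign binaries fetched by the two new install steps are not pinned, so the commit-pinned action SHAs only fix the installer, not the tool that produces the SBOM and the signature on each run. Both actions accept a version input: `with: syft-version: "<pinned syft version>"` under the download-syft step and `with: cosign-release: "<pinned cosign version>"` under cosign-installer (placeholders, to be replaced with the versions you validated). That makes SBOM content and signing behaviour reproducible across releases and prevents a newly published tool release from changing them silently. The goreleaser job continues outside the hunk.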
@@ -30,3 +39,12 @@ jobs: args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # SLSA build provenance for archives, checksums and SBOMs. + # Lets users verify with: gh attestation verify --repo pepabo/tazuna + - name: Attest build provenance + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + with: + subject-path: | + dist/*.tar.gz + dist/checksums.txt + dist/*.sbom.json diff --git a/.gitignore b/.gitignore index 0e0769d..60f0132 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,27 @@ +# Build artifacts tazuna +dist/ + +# Test / coverage artifacts +*.test +*.out +coverage.out +coverage.html + +# Local environment +.env +.env.* +!.env.example + +# Editor / IDE +.vscode/ +.idea/ +*.swp +*.swo + +# macOS +.DS_Store + +# Claude Code local files .claude/ CLAUDE.md diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 63ff517..10f38e1 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -37,6 +37,28 @@ archives: checksum: name_template: 'checksums.txt' +# Software Bill of Materials. One SPDX document per archive (and one for the source). +# Generated by syft, which must be available on the runner. +sboms: + - artifacts: archive + - id: source + artifacts: source + +# Keyless signing of the checksum file via cosign + Sigstore OIDC. +# Produces a single bundle file (*.sigstore.json) that embeds both signature and certificate. +# Verify with: cosign verify-blob --bundle checksums.txt.sigstore.json checksums.txt +# Requires `id-token: write` permission and cosign installed on the runner. +signs: + - cmd: cosign + signature: "${artifact}.sigstore.json" + args: + - sign-blob + - "--bundle=${signature}" + - "${artifact}" + - "--yes" + artifacts: checksum + output: true + snapshot: name_template: "{{ incpatch .Version }}-next" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..be762a1 --- /dev/null +++ b/CONTRIBUTING.md 
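Review bot: The verification command in the added comment is missing its subject argument: `gh attestation verify` takes the artifact path first, so the comment should read `# Lets users verify with: gh attestation verify dist/checksums.txt --repo pepabo/tazuna`. The `subject-path` list also only matches `dist/*.tar.gz`, so if the `archives` section of .goreleaser.yaml (not visible here) emits any other format such as zip, those archives get no provenance; adding the matching glob closes that gap. The `jobs.goreleaser` step list this hunk ends with starts outside the hunk.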
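Review bot: The `cosign verify-blob` command quoted in the new `signs:` comment will not succeed as written with current cosign, and more importantly it omits the identity check that binds the signature to this repository's release workflow: keyless verification requires `--certificate-identity` (or `--certificate-identity-regexp`) and `--certificate-oidc-issuer`, and without them any Sigstore-signed blob would be accepted. The comment should document the full form, e.g. `cosign verify-blob --bundle checksums.txt.sigstore.json --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/pepabo/tazuna/.github/workflows/release.yaml@refs/tags/' checksums.txt`. Separately, the `id: source` SBOM entry presupposes a source archive; please confirm the file's `source:` section (outside this hunk) enables it, otherwise that entry describes nothing.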
@@ -0,0 +1,41 @@ +# Contributing to tazuna / 貢献ガイド + +Thanks for taking the time to contribute! +コントリビュートに興味を持っていただきありがとうございます。 + +## Development setup / 開発環境 + +```bash +make format # gofmt +make test # unit tests +make test-integration # integration tests (build tag: integration) +make test-e2e # end-to-end tests (requires a KinD cluster) +make lint # golangci-lint +``` + +E2E tests need a KinD cluster. Spin one up with: +E2E テストには KinD クラスタが必要です: + +```bash +make devenv-create +make devenv-destroy +``` + +## Pull Request flow / PR の流れ + +1. Fork the repo and create a feature branch from `main`. + `main` から作業ブランチを切ってください。 +2. Make your changes. Keep commits focused. + 変更はトピックごとに小さくまとめてください。 +3. Run `make test` and `make lint` locally before pushing. + push する前にローカルで `make test` と `make lint` を通してください。 +4. Open a PR against `main`. CI must be green before review. + `main` 宛に PR を作成してください。CI が green であることがレビュー前提です。 + +## Reporting bugs and proposing features / バグ報告・機能提案 + +Use the Issue templates under [.github/ISSUE_TEMPLATE/](.github/ISSUE_TEMPLATE/). +Issue テンプレートを利用してください。 + +For security issues, follow [SECURITY.md](./SECURITY.md) instead — **do not open a public issue**. +セキュリティ問題は [SECURITY.md](./SECURITY.md) を参照してください。**公開 issue にはしないでください**。 diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..e5e5667 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,30 @@ +# Security Policy / セキュリティポリシー + +## Reporting a Vulnerability + +If you discover a security vulnerability in `tazuna`, **please do not open a public issue**. + +Instead, report it privately through GitHub's Private Vulnerability Reporting: + +1. Open the [Security tab](https://github.com/pepabo/tazuna/security) of this repository. +2. Click **"Report a vulnerability"**. +3. Fill in the form with as much detail as possible (affected version, reproduction steps, impact). + +We will acknowledge the report and follow up through the same advisory thread. + +## 脆弱性の報告について + +`tazuna` にセキュリティ上の問題を見つけた場合、**公開 issue では報告しないでください**。 + +GitHub の Private Vulnerability Reporting を経由してください: + +1. 本リポジトリの [Security タブ](https://github.com/pepabo/tazuna/security) を開く +2. **"Report a vulnerability"** をクリック +3. 影響するバージョン、再現手順、想定される影響などを記入して送信 + +受領確認と以後のやり取りは同じ advisory スレッド上で行います。 + +## Supported Versions + +Only the latest release receives security fixes. +最新リリースのみセキュリティ修正の対象です。