docs: improve CLOMonitor contributing detection and dependency policy #144
kubeboiii wants to merge 1 commit into
Welcome @kubeboiii! It looks like this is your first PR to volcano-sh/community 🎉
Code Review
This pull request introduces a new CONTRIBUTING.md file, adds a comprehensive dependency-management.md policy document, and updates a heading in README.md. The reviewer provided several actionable suggestions to improve documentation navigation by linking directly to specific section anchors in referenced markdown files (such as compliance.md, contribute.md, and SECURITY.md).
||
| - Go modules in `go.mod` and `go.sum` are the source of truth for Volcano core dependencies. | ||
| - Staging API dependencies are declared in `staging/src/volcano.sh/apis/go.mod` and `go.sum`. | ||
| - Contributors must follow the [license compliance rules](compliance.md) when adding or updating dependencies. |
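Review bot: the first two bullets say where dependencies are declared but not that `go.sum` has to be updated in the same change as `go.mod`; since the text calls these files the source of truth, consider saying so explicitly (for both the root module and the staging module) so that a change that touches `go.mod` without the matching `go.sum` entries is treated as incomplete under this policy.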
To improve user navigation, consider linking directly to the #rules anchor in compliance.md instead of the top of the document. This matches the linking pattern used in contribute.md.
| - Contributors must follow the [license compliance rules](compliance.md) when adding or updating dependencies. | |
| - Contributors must follow the [license compliance rules](compliance.md#rules) when adding or updating dependencies. |
| ## Updating dependencies | ||
|
|
||
| - [Dependabot](https://github.com/volcano-sh/volcano/blob/master/.github/dependabot.yml) proposes updates to Go modules and GitHub Actions dependencies. | ||
| - Maintainers review and merge dependency update pull requests using the normal [contribution workflow](contribute.md). |
Consider linking directly to the #contributor-workflow section in contribute.md to guide the reader directly to the relevant workflow details.
| - Maintainers review and merge dependency update pull requests using the normal [contribution workflow](contribute.md). | |
| - Maintainers review and merge dependency update pull requests using the normal [contribution workflow](contribute.md#contributor-workflow). |
|
|
||
| ## License and compliance | ||
|
|
||
| - Allowed and restricted licenses are defined in [compliance.md](compliance.md). |
Consider linking directly to the #license-compliance-check section in compliance.md where allowed and restricted licenses are defined.
| - Allowed and restricted licenses are defined in [compliance.md](compliance.md). | |
| - Allowed and restricted licenses are defined in [compliance.md](compliance.md#license-compliance-check). |
|
|
||
| ## Security vulnerabilities in dependencies | ||
|
|
||
| - Report security issues privately as described in [SECURITY.md](SECURITY.md). |
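Review bot: the only visible bullet under "Security vulnerabilities in dependencies" covers how to report an issue; it says nothing about how vulnerable dependencies are identified or how fixes reach users, which is what a reader consulting a dependencies policy will look for (the PR description ties this file to the CLOMonitor `dependencies_policy` check). Consider adding a bullet stating that fixes for vulnerable dependencies arrive through the Dependabot update and maintainer review path described under "Updating dependencies", plus the expected response time if the project has one.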
Consider linking directly to the #private-disclosure-processes section in SECURITY.md so that readers can immediately see how to report security issues privately.
| - Report security issues privately as described in [SECURITY.md](SECURITY.md). | |
| - Report security issues privately as described in [SECURITY.md](SECURITY.md#private-disclosure-processes). |
Part of volcano-sh/volcano#5366. Add CONTRIBUTING.md pointer, README Contributing section, and dependency-management.md for Security Insights. Signed-off-by: kubeboiii <kubeboiii@users.noreply.github.com>
ea8830a to 38cf25c
DCO sign-off added on the latest commit ( Also applied the suggested section anchors in Ready for review. Thanks!
Thanks for your PR, but I have already worked on this in the security team PR: https://github.com/JesseStutler/community/blob/ae9be9ee4e53458bb1f1f505daa8be9fc7d967e1/security-team/SECURITY.md#dependencies-policy, and we're going to add it as a small section in the SECURITY.md; it doesn't need to be so complicated.
What type of PR is this?

/kind documentation

What this PR does / why we need it:

This PR is part of the work for volcano-sh/volcano#5366 (improve CLOMonitor score). It addresses community repository items from that issue:

- `CONTRIBUTING.md` as a pointer to `contribute.md`.
- Rename the README section to Contributing so CLOMonitor can detect it.
- `dependency-management.md` describing how Volcano declares, updates, and reports on dependencies. This file is intended to be linked from `SECURITY-INSIGHTS.yml` in the main repo for the CLOMonitor `dependencies_policy` check.

Docs-only change in volcano-sh/community. Does not overlap with volcano-sh/volcano#5369, #5370, #5371, or volcano-sh/website#517.

Follow-up for full `dependencies_policy` pass: Please add `dependencies.env-dependencies-policy.policy-url` in volcano-sh/volcano#5367 (or a follow-up) pointing at https://github.com/volcano-sh/community/blob/master/dependency-management.md. The summary table CLOMonitor check still requires `summary_*` fields in cncf/landscape (not this repo).

Which issue(s) this PR fixes:

Part of volcano-sh/volcano#5366

Special notes for your reviewer:

`dependencies_policy` on the Volcano project will not pass until the Security Insights URL above is merged in volcano-sh/volcano.

Does this PR introduce a user-facing change?