Conversation
… and release workflows.
Pull request overview
This PR migrates the project’s Go module/repository identity and Kubernetes API group from the previous zelyo-ai/aotanami.zelyo.ai naming to the new aotanami org and aotanami.com, while adding an MkDocs-based documentation site and revamping release workflows.
Changes:
- Update Go module path/imports and Kubebuilder API group/RBAC markers to github.com/aotanami/aotanami and aotanami.com.
- Add MkDocs config + new/expanded documentation pages and styling.
- Replace the legacy monolithic release workflow with separate container-image and Helm release workflows, plus a GitHub Pages deployment workflow.
Reviewed changes
Copilot reviewed 104 out of 107 changed files in this pull request and generated 16 comments.
| File | Description |
|---|---|
| test/e2e/e2e_test.go | Update test utils import path |
| test/e2e/e2e_suite_test.go | Update test utils import path |
| mkdocs.yml | Add MkDocs Material site config |
| internal/webhook/v1alpha1/webhook_suite_test.go | Update API import path |
| internal/webhook/v1alpha1/securitypolicy_webhook_test.go | Update API import path |
| internal/webhook/v1alpha1/securitypolicy_webhook.go | Update API import + group name |
| internal/version/version.go | Update ldflags import paths in docs |
| internal/controller/suite_test.go | Update API import path |
| internal/controller/securitypolicy_controller_test.go | Update API import path |
| internal/controller/securitypolicy_controller.go | Update API import + RBAC group |
| internal/controller/scanreport_controller_test.go | Update API import path |
| internal/controller/scanreport_controller.go | Update API import + RBAC group |
| internal/controller/remediationpolicy_controller_test.go | Update API import path |
| internal/controller/remediationpolicy_controller.go | Update API import + RBAC group |
| internal/controller/notificationchannel_controller_test.go | Update API import path |
| internal/controller/notificationchannel_controller.go | Update API import + RBAC group |
| internal/controller/monitoringpolicy_controller_test.go | Update API import path |
| internal/controller/monitoringpolicy_controller.go | Update API import + RBAC group |
| internal/controller/gitopsrepository_controller_test.go | Update API import path |
| internal/controller/gitopsrepository_controller.go | Update API import + RBAC group |
| internal/controller/costpolicy_controller_test.go | Update API import path |
| internal/controller/costpolicy_controller.go | Update API import + RBAC group |
| internal/controller/clusterscan_controller_test.go | Update API import path |
| internal/controller/clusterscan_controller.go | Update API import + RBAC group |
| internal/controller/aotanamiconfig_controller_test.go | Update API import path |
| internal/controller/aotanamiconfig_controller.go | Update API import + RBAC group |
| go.mod | Rename module to new org/repo |
| docs/supply-chain-security.md | Expand/refresh supply-chain verification docs |
| docs/stylesheets/extra.css | Add MkDocs theme custom CSS |
| docs/security.md | Add security policy documentation page |
| docs/quickstart.md | Add quick start guide |
| docs/llm-configuration.md | Update API group in examples |
| docs/integrations.md | Update API group in examples |
| docs/index.md | Add docs homepage/landing content |
| docs/gitops-onboarding.md | Update API group in examples |
| docs/getting-started.md | Update repo clone URL + API group |
| docs/crd-reference.md | Update API group in examples |
| docs/contributing.md | Add contributing guide in docs site |
| docs/compliance.md | Update API group in examples |
| docs/code-of-conduct.md | Add Code of Conduct in docs site |
| deploy/helm/aotanami/values.yaml | Update default image repo URL |
| deploy/helm/aotanami/templates/clusterrole.yaml | Update CRD API group in RBAC |
| deploy/helm/aotanami/templates/NOTES.txt | Update documentation/sample URLs |
| deploy/helm/aotanami/Chart.yaml | Update chart metadata source URLs |
| config/webhook/manifests.yaml | Update webhook apiGroups to aotanami.com |
| config/samples/aotanami_v1alpha1_securitypolicy.yaml | Update sample apiVersion group |
| config/samples/aotanami_v1alpha1_scanreport.yaml | Update sample apiVersion group |
| config/samples/aotanami_v1alpha1_remediationpolicy.yaml | Update sample apiVersion group |
| config/samples/aotanami_v1alpha1_notificationchannel.yaml | Update sample apiVersion group |
| config/samples/aotanami_v1alpha1_monitoringpolicy.yaml | Update sample apiVersion group |
| config/samples/aotanami_v1alpha1_gitopsrepository.yaml | Update sample apiVersion group |
| config/samples/aotanami_v1alpha1_costpolicy.yaml | Update sample apiVersion group |
| config/samples/aotanami_v1alpha1_clusterscan.yaml | Update sample apiVersion group |
| config/samples/aotanami_v1alpha1_aotanamiconfig.yaml | Update sample apiVersion group |
| config/rbac/securitypolicy_viewer_role.yaml | Update API group + comments |
| config/rbac/securitypolicy_editor_role.yaml | Update API group + comments |
| config/rbac/securitypolicy_admin_role.yaml | Update API group + comments |
| config/rbac/scanreport_viewer_role.yaml | Update API group + comments |
| config/rbac/scanreport_editor_role.yaml | Update API group + comments |
| config/rbac/scanreport_admin_role.yaml | Update API group + comments |
| config/rbac/role.yaml | Update manager Role apiGroups |
| config/rbac/remediationpolicy_viewer_role.yaml | Update API group + comments |
| config/rbac/remediationpolicy_editor_role.yaml | Update API group + comments |
| config/rbac/remediationpolicy_admin_role.yaml | Update API group + comments |
| config/rbac/notificationchannel_viewer_role.yaml | Update API group + comments |
| config/rbac/notificationchannel_editor_role.yaml | Update API group + comments |
| config/rbac/notificationchannel_admin_role.yaml | Update API group + comments |
| config/rbac/monitoringpolicy_viewer_role.yaml | Update API group + comments |
| config/rbac/monitoringpolicy_editor_role.yaml | Update API group + comments |
| config/rbac/monitoringpolicy_admin_role.yaml | Update API group + comments |
| config/rbac/gitopsrepository_viewer_role.yaml | Update API group + comments |
| config/rbac/gitopsrepository_editor_role.yaml | Update API group + comments |
| config/rbac/gitopsrepository_admin_role.yaml | Update API group + comments |
| config/rbac/costpolicy_viewer_role.yaml | Update API group + comments |
| config/rbac/costpolicy_editor_role.yaml | Update API group + comments |
| config/rbac/costpolicy_admin_role.yaml | Update API group + comments |
| config/rbac/clusterscan_viewer_role.yaml | Update API group + comments |
| config/rbac/clusterscan_editor_role.yaml | Update API group + comments |
| config/rbac/clusterscan_admin_role.yaml | Update API group + comments |
| config/rbac/aotanamiconfig_viewer_role.yaml | Update API group + comments |
| config/rbac/aotanamiconfig_editor_role.yaml | Update API group + comments |
| config/rbac/aotanamiconfig_admin_role.yaml | Update API group + comments |
| config/crd/kustomization.yaml | Update CRD base filenames for new group |
| config/crd/bases/aotanami.com_securitypolicies.yaml | Rename CRD group/name to aotanami.com |
| config/crd/bases/aotanami.com_scanreports.yaml | Rename CRD group/name to aotanami.com |
| config/crd/bases/aotanami.com_remediationpolicies.yaml | Rename CRD group/name to aotanami.com |
| config/crd/bases/aotanami.com_notificationchannels.yaml | Rename CRD group/name to aotanami.com |
| config/crd/bases/aotanami.com_monitoringpolicies.yaml | Rename CRD group/name to aotanami.com |
| config/crd/bases/aotanami.com_gitopsrepositories.yaml | Rename CRD group/name to aotanami.com |
| config/crd/bases/aotanami.com_costpolicies.yaml | Rename CRD group/name to aotanami.com |
| config/crd/bases/aotanami.com_clusterscans.yaml | Rename CRD group/name to aotanami.com |
| config/crd/bases/aotanami.com_aotanamiconfigs.yaml | Rename CRD group/name to aotanami.com |
| cmd/main.go | Update module import paths |
| api/v1alpha1/groupversion_info.go | Change API groupName + GroupVersion |
| README.md | Update branding links, examples, logo path |
| PROJECT | Update repo/path values for scaffolding |
| Dockerfile | Update ldflags paths + OCI labels |
| CONTRIBUTING.md | Update repo links to new org |
| .golangci.yml | Update goimports local-prefixes |
| .gitignore | Ignore MkDocs output directory |
| .github/workflows/release.yml | Remove legacy combined release workflow |
| .github/workflows/release-image.yml | Add hardened container release pipeline |
| .github/workflows/release-helm.yml | Add hardened Helm OCI release pipeline |
| .github/workflows/pages.yml | Add docs build + GitHub Pages deploy |
| .github/workflows/ci.yml | Update CI image registry namespace |
| # It is provided to allow the cluster admin to help manage permissions for users. | ||
| # | ||
| # Grants permissions to create, update, and delete resources within the aotanami.zelyo.ai. | ||
| # Grants permissions to create, update, and delete resources within the aotanami.com. |
The sentence is grammatically incomplete: "within the aotanami.com." reads as if a noun is missing. Consider changing it to something like "within the aotanami.com API group" for clarity.
| <a href="https://goreportcard.com/report/github.com/aotanami/aotanami"><img src="https://goreportcard.com/badge/github.com/aotanami/aotanami" alt="Go Report Card" /></a> | ||
| <a href="LICENSE"><img src="https://img.shields.io/badge/License-Apache%202.0-blue.svg?style=flat-square" alt="License" /></a> | ||
| <a href="https://artifacthub.io/packages/helm/zelyo-ai/aotanami"><img src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/zelyo-ai&style=flat-square" alt="Artifact Hub" /></a> | ||
| <a href="https://artifacthub.io/packages/helm/aotanami/aotanami"><img src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/zelyo-ai&style=flat-square" alt="Artifact Hub" /></a> |
The Artifact Hub badge still points to artifacthub.io/badge/repository/zelyo-ai while the link has been updated to the aotanami/aotanami package. This will show the wrong badge (or break) after the org/repo migration; update the badge endpoint URL to the correct Artifact Hub repository slug that hosts this chart.
| <a href="https://artifacthub.io/packages/helm/aotanami/aotanami"><img src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/zelyo-ai&style=flat-square" alt="Artifact Hub" /></a> | |
| <a href="https://artifacthub.io/packages/helm/aotanami/aotanami"><img src="https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/aotanami&style=flat-square" alt="Artifact Hub" /></a> |
| name: msecuritypolicy-v1alpha1.kb.io | ||
| rules: | ||
| - apiGroups: | ||
| - aotanami.zelyo.ai | ||
| - aotanami.com | ||
| apiVersions: |
While updating this webhook to the new API group (aotanami.com), the clientConfig.service.path above still uses the old ...zelyo-ai... identifier. Consider renaming the webhook path in the same change to keep the manifests consistent with the new API identity and avoid confusing endpoints during deployment/upgrade.
| name: vsecuritypolicy-v1alpha1.kb.io | ||
| rules: | ||
| - apiGroups: | ||
| - aotanami.zelyo.ai | ||
| - aotanami.com | ||
| apiVersions: |
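Review bot: dropping `aotanami.zelyo.ai` from `apiGroups` in this rule (and in the mutating rule above) means objects still stored under the old group are no longer admitted through these webhooks. On a cluster upgraded in place, the old CRDs are not removed by applying the renamed ones, so any remaining old-group objects sit outside validation until they are migrated or the old CRDs are deleted. Either keep both groups listed until the old CRDs are gone, or document the required migration order (migrate objects, remove old CRDs, then roll out this manifest) so the cut-over leaves no unvalidated window.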
This validating webhook rule has been updated to aotanami.com, but the clientConfig.service.path above still includes the old ...zelyo-ai... identifier. Consider renaming the path as part of this migration so the deployed webhook endpoints reflect the new group/org naming.
| domain: zelyo.ai | ||
| layout: | ||
| - go.kubebuilder.io/v4 | ||
| projectName: aotanami | ||
| repo: github.com/zelyo-ai/aotanami | ||
| repo: github.com/aotanami/aotanami |
The project config still declares domain: zelyo.ai (and per-resource domain: zelyo.ai), but this PR migrates the API group to aotanami.com. Leaving the old domain here is likely to cause future kubebuilder scaffolding/regeneration to drift back toward aotanami.zelyo.ai; update the PROJECT domain fields (or add a note explaining why they intentionally differ).
| # It is provided to allow the cluster admin to help manage permissions for users. | ||
| # | ||
| # Grants permissions to create, update, and delete resources within the aotanami.zelyo.ai. | ||
| # Grants permissions to create, update, and delete resources within the aotanami.com. |
The sentence is grammatically incomplete: "within the aotanami.com." reads as if a noun is missing. Consider changing it to something like "within the aotanami.com API group" for clarity.
| # It is provided to allow the cluster admin to help manage permissions for users. | ||
| # | ||
| # Grants permissions to create, update, and delete resources within the aotanami.zelyo.ai. | ||
| # Grants permissions to create, update, and delete resources within the aotanami.com. |
The sentence is grammatically incomplete: "within the aotanami.com." reads as if a noun is missing. Consider changing it to something like "within the aotanami.com API group" for clarity.
| # Grants permissions to create, update, and delete resources within the aotanami.com. | |
| # Grants permissions to create, update, and delete resources within the aotanami.com API group. |
| # It is provided to allow the cluster admin to help manage permissions for users. | ||
| # | ||
| # Grants permissions to create, update, and delete resources within the aotanami.zelyo.ai. | ||
| # Grants permissions to create, update, and delete resources within the aotanami.com. |
The sentence is grammatically incomplete: "within the aotanami.com." reads as if a noun is missing. Consider changing it to something like "within the aotanami.com API group" for clarity.
| # Grants permissions to create, update, and delete resources within the aotanami.com. | |
| # Grants permissions to create, update, and delete resources within the aotanami.com API group. |
| // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation. | ||
| // NOTE: If you want to customise the 'path', use the flags '--defaulting-path' or '--validation-path'. | ||
| // +kubebuilder:webhook:path=/validate-aotanami-zelyo-ai-v1alpha1-securitypolicy,mutating=false,failurePolicy=fail,sideEffects=None,groups=aotanami.zelyo.ai,resources=securitypolicies,verbs=create;update,versions=v1alpha1,name=vsecuritypolicy-v1alpha1.kb.io,admissionReviewVersions=v1 | ||
| // +kubebuilder:webhook:path=/validate-aotanami-zelyo-ai-v1alpha1-securitypolicy,mutating=false,failurePolicy=fail,sideEffects=None,groups=aotanami.com,resources=securitypolicies,verbs=create;update,versions=v1alpha1,name=vsecuritypolicy-v1alpha1.kb.io,admissionReviewVersions=v1 |
The validating webhook annotation path still uses the old zelyo-ai identifier (/validate-aotanami-zelyo-ai-v1alpha1-securitypolicy) despite the API group being updated to aotanami.com. Renaming the path (and regenerating/updating webhook manifests) would keep identifiers consistent and reduce operational confusion.
| actions: read | ||
| id-token: write | ||
| packages: write | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 |
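Review bot: the `uses:` ref on the last line of this hunk is a full release tag (`@v2.0.0`); before swapping it for a commit SHA, check the slsa-github-generator documentation, which states that its reusable builders and generators must be referenced by a tag of the form `vX.Y.Z` and that the build fails when they are referenced by a hash, so a SHA pin here can break provenance generation rather than harden it. If a SHA pin is adopted anyway, verify the hash resolves to the `v2.0.0` tag (for example with `git ls-remote --tags`) and keep a trailing `# v2.0.0` comment so dependency-update tooling can still track the version.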
This reusable workflow is referenced by tag (@v2.0.0) rather than being pinned to a specific commit SHA. Since the supply-chain docs/workflows emphasize pinning actions/workflows, consider pinning slsa-framework/slsa-github-generator to an immutable commit SHA to reduce the risk of a compromised/moved tag affecting release provenance generation.
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@b0b2f4b7aa90bf34e66e4a79e927651c01fb9b31 # v2.0.0 |
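The pinning check the comment above asks for, as an added example rather than code from the project or from the reviewer: a small Python audit that walks the `uses:` lines of a workflow and flags references not pinned to a 40-hex commit SHA, plus SHA pins that lack a trailing version comment. The sample workflow, its placeholder SHA, and the names `audit_uses`, `Finding` and `report` are assumptions. Findings are for human review, not automatic rewriting, since some reusable workflows document a tag-only reference requirement.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample workflow (not a file from the project under review).
# The actions/checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: release-image
on:
  push:
    tags: ["v*"]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: docker/login-action@v3
      - uses: ./.github/actions/local-helper
  provenance:
    permissions:
      actions: read
      id-token: write
      packages: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
"""

# A Git object name: exactly 40 lowercase hex digits.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Matches step-level ("- uses: x") and job-level ("uses: x") references,
# with an optional trailing "# comment" whose first token is captured.
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)\s*(?:#\s*(\S+).*)?$")


@dataclass
class Finding:
    line: int    # 1-based line number in the workflow text
    ref: str     # the full "owner/repo[/path]@ref" string as written
    reason: str  # why it was flagged


def audit_uses(yaml_text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that is not SHA-pinned with a version comment."""
    findings: list[Finding] = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        if target.startswith("./"):
            continue  # local action in this repository; nothing external to pin
        if "@" not in target:
            findings.append(Finding(lineno, target, "no ref at all"))
            continue
        _, ref = target.rsplit("@", 1)
        if FULL_SHA.match(ref):
            if comment is None:
                # A bare SHA is immutable but unreadable; the version comment is
                # what lets humans and update bots know which release it is.
                findings.append(Finding(lineno, target, "SHA pin without version comment"))
        else:
            # Tags and branches can be moved or deleted by the upstream owner.
            findings.append(Finding(lineno, target, f"mutable ref {ref!r}"))
    return findings


def report(yaml_text: str) -> list[str]:
    """Human-readable lines, one per finding."""
    return [f"line {f.line}: {f.ref}: {f.reason}" for f in audit_uses(yaml_text)]


if __name__ == "__main__":
    for msg in report(SAMPLE_WORKFLOW):
        print(msg)
```

Run against the constructed sample, the audit reports the `docker/login-action@v3` step and the SLSA generator reference as mutable refs and passes the SHA-pinned checkout step and the local action. Pointing `audit_uses` at the contents of a real `.github/workflows/*.yml` file works the same way; the regex deliberately accepts both the `- uses:` step form and the job-level `uses:` form used for reusable workflows.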
* docs: clarify Protect mode requires a RemediationPolicy

  The Operating Modes tables in README.md, docs/index.md, and AGENTS.md implied that flipping ZelyoConfig.spec.mode to protect (or onboarding a GitOpsRepository) was sufficient to start opening remediation PRs. In reality ZelyoConfig.Spec.Mode only flips the in-process remediation engine from dry-run to gitops-pr (zelyoconfig_controller.go:290-292); the RemediationPolicy controller is the only caller of GeneratePlan + ApplyPlan (remediationpolicy_controller.go:161). Without at least one RemediationPolicy targeting a configured GitOpsRepository, Protect mode emits zero PRs.

  Update the mode tables and Protect-mode sections to spell out the full triad (ZelyoConfig mode + GitOpsRepository + RemediationPolicy), add a mode-flip step to the quickstart's GitOps remediation flow, and tighten the gitops-onboarding Step 4 with a minimal RemediationPolicy example plus a no-PRs troubleshooting checklist. Also drops a stale claim that RemediationPolicy.spec.dryRun gates PR creation — the field is currently only logged, not enforced; the reliable kill switch remains ZelyoConfig.spec.mode: audit.

  Docs only. make test passes.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs: address review — fix targetPolicies/maxConcurrentPRs/ZelyoConfig scope

  Bot review on PR #90 flagged three inaccuracies in the first pass:

  1. targetPolicies was described as gating which incidents become PRs, but remediationpolicy_controller.go:120-134 only validates that referenced SecurityPolicies exist — processIncidents (lines 231-244) never filters incidents by their originating SecurityPolicy. Drop the claim from the README, docs/index.md, AGENTS.md, quickstart gate table, and gitops-onboarding YAML example.
  2. maxConcurrentPRs was described as a global cap on open PRs. It's actually a per-reconcile-cycle cap (prsCreated resets every 5-minute requeue). Qualify the description everywhere it appears.
  3. ZelyoConfig is cluster-scoped (api/v1alpha1/zelyoconfig_types.go:250). The kubectl patch/get commands had an unnecessary -n zelyo-system flag that implied otherwise. Removed.

  Both of the behavioral bugs (#1 and #2) have been filed as follow-up tasks so the code can be brought in line with its CRD contract.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
No description provided.