v0.4.0

Maintenance and hardening release: Go 1.26.3 toolchain, kcp stack to v0.7.1 / sdk v0.31.2, a new fuzz-testing suite, and a round of CI supply-chain hardening. The bulk of
the changes are routine dependency updates.

🚀 Features

• Enable workspace resolver to find nested workspaces by @Perseus985 in #54

🧪 Testing

• Add webhook + fieldpath fuzz tests with scheduled CI by @BergCyrill in #68

🔒 Security & supply-chain hardening

• Bump golang.org/x/net to v0.55.0 to fix OSV advisories (GO-2026-5024..5030) by @BergCyrill in #91
• Pin GitHub Actions to digests and add 1-day Renovate quarantine by @BergCyrill in #62
• Dockerfile digest pinning by @Perseus985 in #71
• Harden context interpolation in publish workflows by @BergCyrill in #67
• Add permissions declaration for Docker image build workflow by @BergCyrill in #63

📝 Documentation

• Update README and development documentation by @BergCyrill in #64

⬆️ Dependency updates

Go modules

• kcp-dev/multicluster-provider → v0.7.1 by @renovate[bot] in #50,
  #75
• kcp-dev/multicluster-provider/client → v0.7.1 by @renovate[bot] in #51,
  #76
• kcp-dev/sdk → v0.31.2 by @renovate[bot] in #81
• onsi/ginkgo/v2 → v2.29.0 by @renovate[bot] in #72,
  #73
• onsi/gomega → v1.41.0 by @renovate[bot] in #74
• apigen → v0.31.2 by @renovate[bot] in #79

GitHub Actions

• github/codeql-action → v4.36.0 by @renovate[bot] in #59,
  #69
• google/osv-scanner-action → v2.3.8 by @renovate[bot] in #65
• golangci/golangci-lint-action → v9.2.1 by @renovate[bot] in #80
• docker/login-action → v4.2.0 by @renovate[bot] in #84
• docker/build-push-action → v7.2.0 by @renovate[bot] in #83
• docker/metadata-action → v6.1.0 by @renovate[bot] in #85
• docker/setup-buildx-action → v4.1.0 by @renovate[bot] in #86
• docker/setup-qemu-action → v4.1.0 by @renovate[bot] in #88

Toolchain & dev tooling

• Go toolchain → 1.26.3 (version sync, go-overlay/dev-kit, builder image digest) by @renovate[bot] & @BergCyrill in
  #60, #87,
  #78
• opendefensecloud/dev-kit → v1.0.8 by @renovate[bot] in #82
• osv-scanner (module) → v2.3.8 by @renovate[bot] in #61

Full Changelog: v0.3.0...v0.4.0

v0.3.0

What's Changed

• feat: multi-shard support by @trevex in #41
• Add multi shard adoptions by @BergCyrill in #53

Full Changelog: v0.2.0...v0.3.0

v0.2.0

What's Changed

• Adding OpenSSF Scorecard by @Perseus985 in #4
• Update kubernetes monorepo to v0.35.4 by @renovate[bot] in #1
• Update module sigs.k8s.io/controller-runtime to v0.23.3 by @renovate[bot] in #2
• Update actions/upload-artifact action to v7.0.1 by @renovate[bot] in #5
• DependencyRule Validation Markers & Tests by @BergCyrill in #17
• feat: migrate to dev-kit by @olzemal in #16
• Update docker/metadata-action action to v6 by @renovate[bot] in #15
• Update docker/login-action action to v4 by @renovate[bot] in #14
• Update actions/setup-go action to v6 by @renovate[bot] in #13
• Update actions/checkout action to v6 by @renovate[bot] in #12
• Update module github.com/onsi/gomega to v1.39.1 by @renovate[bot] in #11
• Update module github.com/onsi/ginkgo/v2 to v2.28.2 by @renovate[bot] in #10
• Update module github.com/kcp-dev/sdk to v0.31.1 by @renovate[bot] in #9
• Update github/codeql-action action to v4.35.2 by @renovate[bot] in #7
• chore: upgrade multicluster-runtime and multicluster-provider by @trevex in #22
• Update dependency opendefensecloud/dev-kit to v1.0.6 by @renovate[bot] in #19
• chore: remove unused Resource from DepndentRef and updates test and docs. by @trevex in #37
• chore: add comments regarding readyz using healthz.Ping by @trevex in #38
• Update module addlicense to v1.2.0 by @renovate[bot] in #27
• Update module controller-gen to v0.20.1 by @renovate[bot] in #30
• Update module ginkgo to v2.28.3 by @renovate[bot] in #31
• Update module github.com/onsi/ginkgo/v2 to v2.28.3 by @renovate[bot] in #32
• Update docker/setup-buildx-action action to v4 by @renovate[bot] in #34
• Update docker/setup-qemu-action action to v4 by @renovate[bot] in #35
• Update docker/metadata-action action to v6 by @renovate[bot] in #36
• Update dependency opendefensecloud/dev-kit to v1.0.7 - autoclosed by @renovate[bot] in #42
• Update golangci/golangci-lint-action action to v9 by @renovate[bot] in #44
• Update module osv-scanner to v2.3.7 by @renovate[bot] in #46
• Update module golangci-lint to v2.12.2 by @renovate[bot] in #47
• Update github/codeql-action action to v4.35.3 by @renovate[bot] in #48
• Update module controller-gen to v0.21.0 by @renovate[bot] in #49
• Update sigstore/cosign-installer action to v4.1.2 by @renovate[bot] in #52

New Contributors

• @Perseus985 made their first contribution in #4
• @renovate[bot] made their first contribution in #1
• @BergCyrill made their first contribution in #17
• @olzemal made their first contribution in #16

Full Changelog: v0.1.0...v0.2.0

v0.1.0

Full Changelog: https://github.com/opendefensecloud/dependency-controller/commits/v0.1.0

First release, but the project went through some iterations. A short log:

2026-04-17

Added

• Nix flake for reproducible dev environment with pinned Go version, linters, and pre-commit hooks.
• Renovate configuration for automated dependency updates.
• GitHub Actions workflows: golang.yaml (lint + test), docker.yaml (multi-arch build, cosign signing, SBOM, provenance attestation), helm-publish.yaml (OCI push + signing), helm-lint.yaml, osv-scanner.yml.
• Dockerfile improvements: multi-target build (controller, webhook, combined), BuildKit cache mounts, -ldflags="-s -w".

Changed

• Default webhook.tls.certManager.enabled to false in Helm values so chart templates render without user-provided issuer configuration.
• Updated container image registry to ghcr.io/opendefensecloud.
• DependentRef.APIExportRef (path + name) replaced with DependentRef.APIExportName (string). DependencyRules now reference only the APIExport name -- the workspace path is derived from the rule's own location, enforcing that rules can only be declared for resources in the same workspace.
• Webhook admission handler scopes dependent lookups to the same namespace as the deleted resource. Cross-namespace references are not supported.
• Copyright holder changed from "Open Defense and dependency-controller contributors" to "BWI GmbH and Dependency Controller contributors".

Removed

• Old ci.yaml and release.yaml GitHub Actions workflows (replaced by new workflow suite).
• devenv.nix (replaced by flake.nix).

2026-04-16

Added

• Getting started guide with full walkthrough for deploying on kcp.
• Helm chart with separate controller and webhook deployments, cert-manager integration, and kcp kubeconfig support.
• envtest-based controller integration test suite (moved from e2e).
• RBAC manager that dynamically maintains ClusterRoles for webhook service account access to dependency resources.
• WebhookInstaller for automatic ValidatingWebhookConfiguration management in dependency provider workspaces.
• Architecture documentation with Mermaid diagrams covering request flow, reconciliation, and component interactions.

Changed

• Adopted system:admin Bootstrap Policy Authorizer for shard-wide RBAC instead of dynamic ClusterRole/ClusterRoleBinding permission claims.
• Refactored permissions model to run controller and webhook with least privileges -- webhook uses only system:admin, controller manages VWCs via permission claims.
• Controller name validation changed to skip instead of leaking internal names.
• e2e tests restructured as proper end-to-end tests (kind + kcp + Helm), with YAML-based fixtures replacing programmatic object construction.
• Linted entire codebase, cleaned up Makefile.

2026-04-14

Added

• Readyz endpoint that blocks admission until the rule registry is fully populated, preventing deletions from slipping through during startup.
• Mermaid diagrams in README and architecture docs, with dark mode support.

Changed

• Major refactor: removed Dependency marker objects entirely. Rules are now evaluated dynamically using per-rule indexed caches over the dependent resource's virtual workspace. Field indices on dependent resources allow efficient "which dependents reference resource X?" queries without creating or cleaning up marker objects.

2026-04-10

Added

• Initial implementation of the dependency controller for kcp.
• DependencyRule CRD for declaring how resource types reference each other across workspaces.
• Validating admission webhook that blocks deletion of resources still referenced by dependents.
• Per-rule multicluster managers connected to APIExport virtual workspaces for cross-workspace dependent resource discovery.
• Automatic ValidatingWebhookConfiguration installation in dependency provider workspaces.
• Workspace-aware dependency tracking across logical clusters.
• Skip-protection annotation (dependencies.opendefense.cloud/skip-protection) to bypass deletion checks.
• Unit tests for core components.