{"id":41304709,"url":"https://github.com/kubestellar/console","last_synced_at":"2026-06-06T08:01:58.497Z","repository":{"id":332913225,"uuid":"1135473716","full_name":"kubestellar/console","owner":"kubestellar","description":"World's first fully integrated and fully Automated Kubernetes management and orchestration solution","archived":false,"fork":false,"pushed_at":"2026-05-14T08:31:35.000Z","size":233895,"stargazers_count":97,"open_issues_count":17,"forks_count":91,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-14T08:39:27.614Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://console.kubestellar.io","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kubestellar.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":"docs/SUPPORT.md","governance":"GOVERNANCE.md","roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"MAINTAINERS.md","copyright":null,"agents":"AGENTS.md","dco":"DCO","cla":null}},"created_at":"2026-01-16T06:32:19.000Z","updated_at":"2026-05-14T08:29:00.000Z","dependencies_parsed_at":"2026-04-23T01:07:51.905Z","dependency_job_id":null,"html_url":"https://github.com/kubestellar/console","commit_stats":null,"previous_names":["kubestellar/console"],"tags_count":108,"template":false,"template_full_name":null,"purl":"pkg:github/kubestellar/console","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubestellar%2Fconsole","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubestellar%2Fconsole/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubestellar%2Fconsole/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubestellar%2Fconsole/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kubestellar","download_url":"https://codeload.github.com/kubestellar/console/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubestellar%2Fconsole/sbom","scorecard":{"id":1245999,"data":{"date":"2026-04-13T20:10:41Z","repo":{"name":"github.com/kubestellar/console","commit":"c7c6dfeaebabab559926324cb01cd367fd789b5d"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":7.1,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disable on branch 'main'","Warn: could not determine whether codeowners review is allowed","Warn: no status checks found to merge onto branch 'main'","Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"28 out of 28 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":7,"reason":"badge detected: Silver","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":3,"reason":"project has 1 contributing companies or organizations -- score normalized to 3","details":["Info: ibm.com contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: GoBuiltInFuzzer integration found: pkg/api/middleware/auth_fuzz_test.go:42","Info: GoBuiltInFuzzer integration found: pkg/settings/crypto_fuzz_test.go:42","Info: GoBuiltInFuzzer integration found: pkg/settings/crypto_fuzz_test.go:42"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build-deploy.yml:64"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":5,"reason":"dependency not pinned by hash detected -- score normalized to 5","details":["Info: Possibly incomplete results: error parsing shell code: case patterns must consist of words: .github/workflows/auto-qa.yml:2447","Info: Possibly incomplete results: error parsing shell code: unclosed here-document 'EOF': .github/workflows/copilot-recovery.yml:408","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/_perf-regression-issue.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/_perf-regression-issue.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/_perf-regression-issue.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/_perf-regression-issue.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/_perf-regression-issue.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/_perf-regression-issue.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/accm-history-update.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/accm-history-update.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/accm-history-update.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/accm-history-update.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/api-contract.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/api-contract.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/api-contract.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/api-contract.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/api-contract.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/api-contract.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auth-login-smoke.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/auth-login-smoke.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auth-login-smoke.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/auth-login-smoke.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auth-login-smoke.yml:151: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/auth-login-smoke.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-qa-tuner.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/auto-qa-tuner.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-qa-tuner.yml:269: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/auto-qa-tuner.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-qa-tuner.yml:520: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/auto-qa-tuner.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-qa-tuner.yml:816: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/auto-qa-tuner.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-qa.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/auto-qa.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-qa.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/auto-qa.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-qa.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/auto-qa.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-qa.yml:3441: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/auto-qa.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/auto-triage.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/auto-triage.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-deploy.yml:132: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/build-deploy.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-deploy.yml:151: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/build-deploy.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/card-standard-nightly.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/card-standard-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/card-standard-nightly.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/card-standard-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/claude-code-review.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/claude-code-review.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/claude-code-review.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/claude-code-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/claude.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/claude.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/claude.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/claude.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cleanup-screenshots.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/cleanup-screenshots.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cleanup-screenshots.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/cleanup-screenshots.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/console-issue-labels.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/console-issue-labels.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/copilot-build-check.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/copilot-build-check.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/copilot-build-check.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/copilot-build-check.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/copilot-build-monitor.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/copilot-build-monitor.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/copilot-comment-followup.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/copilot-comment-followup.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/copilot-pr-monitor.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/copilot-pr-monitor.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/copilot-retry.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/copilot-retry.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/copilot-review-apply.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/copilot-review-apply.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/copilot-setup-steps.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/copilot-setup-steps.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/copilot-setup-steps.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/copilot-setup-steps.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-gate.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-gate.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-gate.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-gate.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-gate.yml:129: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-gate.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-hourly.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-hourly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-hourly.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-hourly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-hourly.yml:100: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-hourly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-hourly.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-hourly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-hourly.yml:134: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-hourly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-hourly.yml:137: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-hourly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-hourly.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-hourly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-hourly.yml:155: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-hourly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-hourly.yml:251: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-hourly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-hourly.yml:258: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-hourly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-hourly.yml:371: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-hourly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-weekly-review.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-weekly-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage-weekly-review.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/coverage-weekly-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ga4-error-monitor.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/ga4-error-monitor.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ga4-error-monitor.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/ga4-error-monitor.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ga4-error-monitor.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/ga4-error-monitor.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ga4-mobile-monitor.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/ga4-mobile-monitor.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ga4-mobile-monitor.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/ga4-mobile-monitor.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ga4-mobile-monitor.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/ga4-mobile-monitor.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:115: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:118: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:131: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:162: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:186: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:227: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:230: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:243: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:278: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:306: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:324: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:327: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-compliance.yml:392: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-compliance.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dashboard-health.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dashboard-health.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dashboard-health.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dashboard-health.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dashboard-health.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dashboard-health.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dashboard-health.yml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dashboard-health.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dashboard-health.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dashboard-health.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dashboard-health.yml:151: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dashboard-health.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dashboard-health.yml:161: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dashboard-health.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dast.yml:243: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dast.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/nightly-dast.yml:246: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dast.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dast.yml:257: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dast.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dast.yml:299: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dast.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dast.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dast.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/nightly-dast.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dast.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dast.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dast.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-dast.yml:131: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-dast.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-test-suite.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-test-suite.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-test-suite.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-test-suite.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-test-suite.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-test-suite.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-test-suite.yml:285: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-test-suite.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-ux-journeys.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-ux-journeys.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-ux-journeys.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-ux-journeys.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-ux-journeys.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-ux-journeys.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-ux-journeys.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-ux-journeys.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-ux-journeys.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-ux-journeys.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-ux-journeys.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-ux-journeys.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-ux-journeys.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nightly-ux-journeys.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nil-safety.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nil-safety.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nil-safety.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nil-safety.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nil-safety.yml:129: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nil-safety.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nil-safety.yml:132: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nil-safety.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nil-safety.yml:198: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nil-safety.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nil-safety.yml:302: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/nil-safety.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-bundle-size.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-bundle-size.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-bundle-size.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-bundle-size.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-bundle-size.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-bundle-size.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-react-commits-idle.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-react-commits-idle.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-react-commits-idle.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-react-commits-idle.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-react-commits-idle.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-react-commits-idle.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-react-commits.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-react-commits.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-react-commits.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-react-commits.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-react-commits.yml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-react-commits.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-ttfi.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-ttfi.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-ttfi.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-ttfi.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-ttfi.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-ttfi.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/perf-ttfi.yml:133: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/perf-ttfi.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright-nightly.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright-nightly.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright-nightly.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright-nightly.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright-nightly.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright-nightly.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright-nightly.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright-nightly.yml:135: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright-nightly.yml:138: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright-nightly.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright-nightly.yml:174: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:122: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:133: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:157: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:185: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:251: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:254: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:264: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:287: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:303: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:306: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:316: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:348: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:351: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:361: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/playwright.yml:385: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/playwright.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-merge-verify.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/post-merge-verify.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-merge-verify.yml:158: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/post-merge-verify.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-merge-verify.yml:161: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/post-merge-verify.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-merge-verify.yml:210: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/post-merge-verify.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/post-merge-verify.yml:218: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/post-merge-verify.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-claude-notice.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/pr-claude-notice.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-closed-verification.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/pr-closed-verification.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-closed-verification.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/pr-closed-verification.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-closed-verification.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/pr-closed-verification.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/process-screenshots.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/process-screenshots.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/process-screenshots.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/process-screenshots.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/route-smoke.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/route-smoke.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/route-smoke.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/route-smoke.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/startup-smoke-test.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/startup-smoke-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/startup-smoke-test.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/startup-smoke-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/startup-smoke-test.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/startup-smoke-test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/startup-smoke.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/startup-smoke.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/startup-smoke.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/startup-smoke.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/startup-smoke.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/startup-smoke.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/startup-smoke.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/startup-smoke.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/startup-smoke.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/startup-smoke.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/startup-smoke.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/startup-smoke.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/startup-smoke.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/startup-smoke.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/startup-smoke.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/startup-smoke.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ui-ux-standard.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/ui-ux-standard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ui-ux-standard.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/ui-ux-standard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-guard.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/update-guard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-guard.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/update-guard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/visual-regression.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/visual-regression.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/visual-regression.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/visual-regression.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/visual-regression.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/visual-regression.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/visual-regression.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/visual-regression.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/visual-regression.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/kubestellar/console/visual-regression.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:2","Warn: containerImage not pinned by hash: Dockerfile:21","Warn: containerImage not pinned by hash: Dockerfile:42: pin your Docker image by updating alpine:3.20 to alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805","Warn: goCommand not pinned by hash: scripts/dependency-audit-test.sh:134","Warn: goCommand not pinned by hash: scripts/gosec-test.sh:55","Warn: goCommand not pinned by hash: scripts/secret-scan-test.sh:60","Warn: pipCommand not pinned by hash: scripts/ts-sast-test.sh:62","Warn: npmCommand not pinned by hash: start-dev.sh:79","Warn: npmCommand not pinned by hash: startup-oauth.sh:98","Warn: npmCommand not pinned by hash: startup-oauth.sh:137","Warn: npmCommand not pinned by hash: .github/workflows/ga4-error-monitor.yml:58","Warn: npmCommand not pinned by hash: .github/workflows/ga4-mobile-monitor.yml:65","Warn: goCommand not pinned by hash: .github/workflows/nil-safety.yml:49","Warn: goCommand not pinned by hash: .github/workflows/nil-safety.yml:138","Info: 144 out of 338 GitHub-owned GitHubAction dependencies pinned","Info:  22 out of  27 third-party GitHubAction dependencies pinned","Info:   0 out of   3 containerImage dependencies pinned","Info:  38 out of  43 npmCommand dependencies pinned","Info:   0 out of   5 goCommand dependencies pinned","Info:   0 out of   1 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":9,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: SAST configuration detected: CodeQL","Warn: 26 commits out of 28 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":4,"reason":"3 out of the last 5 releases have a total of 3 signed artifacts.","details":["Warn: release artifact v0.3.20 not signed: https://api.github.com/repos/kubestellar/console/releases/307962717","Warn: release artifact v0.3.20-nightly.20260412 not signed: https://api.github.com/repos/kubestellar/console/releases/307962950","Info: signed release artifact: checksums.txt.sig: https://api.github.com/repos/kubestellar/console/releases/assets/393893394","Info: signed release artifact: checksums.txt.sig: https://api.github.com/repos/kubestellar/console/releases/assets/393054903","Info: signed release artifact: checksums.txt.sig: https://api.github.com/repos/kubestellar/console/releases/assets/392180454","Warn: release artifact v0.3.20 does not have provenance: https://api.github.com/repos/kubestellar/console/releases/307962717","Warn: release artifact v0.3.20-nightly.20260412 does not have provenance: https://api.github.com/repos/kubestellar/console/releases/307962950","Warn: release artifact v0.3.20-nightly.20260411 does not have provenance: https://api.github.com/repos/kubestellar/console/releases/307809306","Warn: release artifact v0.3.20-nightly.20260410 does not have provenance: https://api.github.com/repos/kubestellar/console/releases/307399525","Warn: release artifact v0.3.20-nightly.20260409 does not have provenance: https://api.github.com/repos/kubestellar/console/releases/306902675"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/ai-fix.yml:20","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/auto-qa-tuner.yml:42","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/auto-qa-tuner.yml:44","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/auto-qa-tuner.yml:257","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/auto-qa-tuner.yml:259","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/auto-qa-tuner.yml:508","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/auto-qa-tuner.yml:510","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/auto-qa-tuner.yml:802","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/auto-qa-tuner.yml:804","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/auto-qa.yml:53","Info: jobLevel 'actions' permission set to 'read': .github/workflows/auto-qa.yml:56","Info: jobLevel 'contents' permission set to 'read': .github/workflows/auto-triage.lock.yml:806","Info: jobLevel 'contents' permission set to 'read': .github/workflows/auto-triage.lock.yml:919","Info: jobLevel 'contents' permission set to 'read': .github/workflows/auto-triage.lock.yml:1096","Info: jobLevel 'actions' permission set to 'read': .github/workflows/auto-triage.lock.yml:59","Info: jobLevel 'contents' permission set to 'read': .github/workflows/auto-triage.lock.yml:60","Info: jobLevel 'contents' permission set to 'read': .github/workflows/auto-triage.lock.yml:284","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-deploy.yml:77","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build-deploy.yml:147","Info: jobLevel 'contents' permission set to 'read': .github/workflows/claude-code-review.yml:26","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/claude-code-review.yml:27","Info: jobLevel 'issues' permission set to 'read': .github/workflows/claude-code-review.yml:28","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/claude.yml:26","Info: jobLevel 'issues' permission set to 'read': .github/workflows/claude.yml:27","Info: jobLevel 'actions' permission set to 'read': .github/workflows/claude.yml:29","Info: jobLevel 'contents' permission set to 'read': .github/workflows/claude.yml:25","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/cleanup-screenshots.yml:23","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:25","Info: jobLevel 'packages' permission set to 'read': .github/workflows/codeql.yml:26","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:58","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:59","Info: jobLevel 'packages' permission set to 'read': .github/workflows/codeql.yml:60","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/copilot-automation.yml:22","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/copilot-automation.yml:25","Info: jobLevel 'contents' permission set to 'read': .github/workflows/copilot-build-check.yml:15","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/copilot-build-check.yml:18","Info: jobLevel 'contents' permission set to 'read': .github/workflows/copilot-build-monitor.yml:12","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/copilot-build-monitor.yml:15","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/copilot-pr-monitor.yml:22","Info: jobLevel 'contents' permission set to 'read': .github/workflows/copilot-pr-monitor.yml:19","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/copilot-recovery.yml:213","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/copilot-recovery.yml:210","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/copilot-recovery.yml:398","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/copilot-recovery.yml:401","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/copilot-recovery.yml:458","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/copilot-recovery.yml:455","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/copilot-recovery.yml:521","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/copilot-recovery.yml:524","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/copilot-recovery.yml:613","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/copilot-recovery.yml:616","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/copilot-recovery.yml:42","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/copilot-recovery.yml:39","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/copilot-recovery.yml:51","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/copilot-recovery.yml:54","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/copilot-recovery.yml:105","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/copilot-recovery.yml:108","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/copilot-review-apply.yml:15","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/helm-release.yml:18","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/helm-release.yml:20","Info: jobLevel 'actions' permission set to 'read': .github/workflows/implement-fix.lock.yml:70","Info: jobLevel 'contents' permission set to 'read': .github/workflows/implement-fix.lock.yml:71","Info: jobLevel 'contents' permission set to 'read': .github/workflows/implement-fix.lock.yml:295","Info: jobLevel 'contents' permission set to 'read': .github/workflows/implement-fix.lock.yml:862","Info: jobLevel 'contents' permission set to 'read': .github/workflows/implement-fix.lock.yml:978","Info: jobLevel 'contents' permission set to 'read': .github/workflows/implement-fix.lock.yml:1155","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/nightly-test-suite.yml:23","Info: jobLevel 'contents' permission set to 'read': .github/workflows/perf-bundle-size.yml:127","Info: jobLevel 'actions' permission set to 'read': .github/workflows/perf-bundle-size.yml:129","Info: jobLevel 'actions' permission set to 'read': .github/workflows/perf-react-commits-idle.yml:111","Info: jobLevel 'contents' permission set to 'read': .github/workflows/perf-react-commits-idle.yml:109","Info: jobLevel 'contents' permission set to 'read': .github/workflows/perf-react-commits.yml:106","Info: jobLevel 'actions' permission set to 'read': .github/workflows/perf-react-commits.yml:108","Info: jobLevel 'contents' permission set to 'read': .github/workflows/perf-ttfi.yml:170","Info: jobLevel 'actions' permission set to 'read': .github/workflows/perf-ttfi.yml:172","Warn: jobLevel 'checks' permission set to 'write': .github/workflows/pr-verifier.yml:12","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/pr-verifier.yml:13","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/process-screenshots.yml:22","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:395","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecard.yml:20","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecard.yml:21","Info: jobLevel 'actions' permission set to 'read': .github/workflows/stuck-detection.lock.yml:67","Info: jobLevel 'contents' permission set to 'read': .github/workflows/stuck-detection.lock.yml:68","Info: jobLevel 'contents' permission set to 'read': .github/workflows/stuck-detection.lock.yml:277","Info: jobLevel 'contents' permission set to 'read': .github/workflows/stuck-detection.lock.yml:820","Info: jobLevel 'contents' permission set to 'read': .github/workflows/stuck-detection.lock.yml:934","Info: jobLevel 'contents' permission set to 'read': .github/workflows/stuck-detection.lock.yml:1085","Info: topLevel 'contents' permission set to 'read': .github/workflows/_perf-regression-issue.yml:43","Info: topLevel 'contents' permission set to 'read': .github/workflows/accm-history-update.yml:26","Info: topLevel permissions set to 'read-all': .github/workflows/ai-fix.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/api-contract.yml:14","Info: topLevel 'contents' permission set to 'read': .github/workflows/auth-login-smoke.yml:28","Info: topLevel permissions set to 'read-all': .github/workflows/auto-qa-tuner.yml:24","Info: topLevel permissions set to 'read-all': .github/workflows/auto-qa.yml:48","Info: found token with 'none' permissions: .github/workflows/auto-triage.lock.yml:1","Info: topLevel permissions set to 'read-all': .github/workflows/build-deploy.yml:40","Info: topLevel permissions set to 'read-all': .github/workflows/card-standard-nightly.yml:16","Info: topLevel permissions set to 'read-all': .github/workflows/claude-code-review.yml:14","Info: topLevel permissions set to 'read-all': .github/workflows/claude.yml:14","Info: topLevel permissions set to 'read-all': .github/workflows/cleanup-screenshots.yml:18","Info: topLevel permissions set to 'read-all': .github/workflows/codeql.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/copilot-assigned.yml:11","Info: topLevel permissions set to 'read-all': .github/workflows/copilot-automation.yml:13","Info: topLevel permissions set to 'read-all': .github/workflows/copilot-build-check.yml:10","Info: topLevel permissions set to 'read-all': .github/workflows/copilot-build-monitor.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/copilot-comment-followup.yml:11","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/copilot-comment-followup.yml:13","Info: topLevel permissions set to 'read-all': .github/workflows/copilot-dco.yml:8","Info: topLevel permissions set to 'read-all': .github/workflows/copilot-pr-monitor.yml:14","Info: topLevel permissions set to 'read-all': .github/workflows/copilot-recovery.yml:27","Info: topLevel 'contents' permission set to 'read': .github/workflows/copilot-retry.yml:25","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/copilot-retry.yml:27","Info: topLevel permissions set to 'read-all': .github/workflows/copilot-review-apply.yml:10","Info: topLevel permissions set to 'read-all': .github/workflows/copilot-setup-steps.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/coverage-gate.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/coverage-hourly.yml:22","Info: topLevel 'contents' permission set to 'read': .github/workflows/coverage-weekly-review.yml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/cross-platform-build.yml:34","Info: topLevel 'contents' permission set to 'read': .github/workflows/feedback.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/fullstack-e2e.yml:25","Info: topLevel 'contents' permission set to 'read': .github/workflows/ga4-error-monitor.yml:36","Info: topLevel 'contents' permission set to 'read': .github/workflows/ga4-mobile-monitor.yml:42","Info: topLevel 'contents' permission set to 'read': .github/workflows/greetings.yml:10","Info: topLevel permissions set to 'read-all': .github/workflows/helm-release.yml:12","Info: topLevel permissions set to 'read-all': .github/workflows/helm-test.yml:16","Info: found token with 'none' permissions: .github/workflows/implement-fix.lock.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/label-helper.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/nightly-compliance.yml:29","Info: topLevel 'contents' permission set to 'read': .github/workflows/nightly-dashboard-health.yml:27","Info: topLevel 'contents' permission set to 'read': .github/workflows/nightly-dast.yml:30","Info: topLevel 'contents' permission set to 'read': .github/workflows/nightly-gh-aw-version-check.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/nightly-test-suite.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/nightly-ux-journeys.yml:16","Info: topLevel 'contents' permission set to 'read': .github/workflows/nil-safety.yml:28","Info: topLevel 'contents' permission set to 'read': .github/workflows/perf-bundle-size.yml:20","Info: topLevel 'actions' permission set to 'read': .github/workflows/perf-bundle-size.yml:21","Info: topLevel 'contents' permission set to 'read': .github/workflows/perf-react-commits-idle.yml:28","Info: topLevel 'actions' permission set to 'read': .github/workflows/perf-react-commits-idle.yml:29","Info: topLevel 'contents' permission set to 'read': .github/workflows/perf-react-commits.yml:19","Info: topLevel 'actions' permission set to 'read': .github/workflows/perf-react-commits.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/perf-ttfi.yml:22","Info: topLevel 'actions' permission set to 'read': .github/workflows/perf-ttfi.yml:23","Info: topLevel permissions set to 'read-all': .github/workflows/playwright-nightly.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/playwright.yml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/post-merge-verify.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/pr-claude-notice.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/pr-closed-verification.yml:8","Info: topLevel permissions set to 'read-all': .github/workflows/pr-verifier.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/preview-status.yml:11","Info: topLevel permissions set to 'read-all': .github/workflows/process-screenshots.yml:17","Info: topLevel permissions set to 'read-all': .github/workflows/release.yml:29","Info: topLevel permissions set to 'read-all': .github/workflows/route-smoke.yml:18","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/startup-smoke-test.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/startup-smoke.yml:32","Info: found token with 'none' permissions: .github/workflows/stuck-detection.lock.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/test-installer.yml:19","Info: topLevel 'contents' permission set to 'read': .github/workflows/triage-command.yml:14","Info: topLevel permissions set to 'read-all': .github/workflows/ui-ux-standard.yml:16","Info: topLevel 'contents' permission set to 'read': .github/workflows/update-guard.yml:24","Info: topLevel permissions set to 'read-all': .github/workflows/visual-regression.yml:15"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2026-04-13T20:19:50.488Z","repository_id":332913225,"created_at":"2026-04-13T20:19:50.488Z","updated_at":"2026-04-13T20:19:50.488Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33093666,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-16T04:41:52.686Z","status":"ssl_error","status_checked_at":"2026-05-16T04:41:52.009Z","response_time":115,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-23T04:59:48.216Z","updated_at":"2026-06-06T08:01:58.484Z","avatar_url":"https://github.com/kubestellar.png","language":"TypeScript","funding_links":[],"categories":["LLM Ops","MCP 服务器精选列表","Multi-Cloud \u0026 Hybrid Tools","Applications","8. Visualization","Cloud Platforms","Servers","Serving","3. \u003ca name='Dev'\u003e\u003c/a\u003e💻 Dev","Features","MCP Servers","Multi-Cluster \u0026 Fleet Management","Kubernetes Security","Kubernetes","K8S-Tools","Awesome dashboards","Observability/Monitoring/AIOps Tool Blogs","📁 Recipes","Software Development","Generation Tools","Uncategorized","MCP Servers \u0026 Integrations","Platforms services and devops","Cloud Infrastructure","☁️ Cloud Platforms \u0026 Services","Tooling— Kubernetes, PAAS and Cloud services","Repositories / Tools","Productivity Tools","Cloud \u0026 Infrastructure","10. Capacity Planning","Open Source Projects","Components","Monitoring","Inside the browser","Dependency intelligence","Agentic Remediation \u0026 Runbooks","Tools per Language","Tools","Dashboards \u0026 Portals","DevOps Tools","AI SRE Tools \u0026 SRE Copilots","Build Management","Others","Agent Infrastructure","MCPs","Engine","Opensource","DevOps Platforms","📦 Other","FinOps"],"sub_categories":["Multi-Agent / Orchestration Frameworks","☁️ 云平台与服务集成 (AWS, Cloudflare, Azure, K8s, etc.)","Tools","Dashboarding","Cloud \u0026 Infrastructure","Frameworks/Servers for Serving","Infrastructure productivity and maintainability","Runtime Security","Free dashboards list for you to use in your projects","Built with Wasm","🌱 Third Party","Uncategorized","Other IDEs","Monitoring/Observability (Datadog alternatives)","🐳 Container Orchestration","Defending","MCP Servers \u0026 Integrations","Kubernetes","UI","Frontend Web App","SCA and SBOM","Go","Contents","Incident Communication","Commercial solutions","Configuration \u0026 Context Management","Desktop","Cloud MCPs","Streaming Operations"],"readme":"# KubeStellar Console\n\n![Coverage](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/clubanderson/b9a9ae8469f1897a22d5a40629bc1e82/raw/coverage-badge.json)\n[![ACMM](https://img.shields.io/endpoint?url=https%3A%2F%2Fconsole.kubestellar.io%2Fapi%2Facmm%2Fbadge%3Frepo%3Dkubestellar%252Fconsole%26v%3D3)](https://console.kubestellar.io/acmm?repo=kubestellar%2Fconsole)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubestellar/console/badge)](https://securityscorecards.dev/viewer/?uri=github.com/kubestellar/console)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12343/badge?v=2)](https://www.bestpractices.dev/projects/12343)\n[![MTTR](https://img.shields.io/endpoint?url=https%3A%2F%2Fgist.githubusercontent.com%2Fclubanderson%2F4ae525a9797e8f83231ac344fcb47226%2Fraw%2Fmedian-fix.json \"Mean Time to Resolution — median time from issue filed to PR merged, updated every 5 minutes\")](https://github.com/kubestellar/console/issues)\n\nAI-powered multi-cluster Kubernetes dashboard with guided install missions for 250+ CNCF projects.\n\n[Contributing](CONTRIBUTING.md)\n\n![KubeStellar Console](docs/images/console-screenshot.png)\n\n## Try it now (no install)\n\nThe fastest way to evaluate the console is the **hosted version** — no Kubernetes cluster, no install, no configuration. Demo data is built in:\n\n\u003e 👉 **[console.kubestellar.io](https://console.kubestellar.io)**\n\nThe hosted demo is a self-contained showcase: it serves canned demo data and intentionally **does not** talk to a local agent (`LOCAL_AGENT_HTTP_URL` is disabled in the Netlify build, so the browser cannot reach a kc-agent on your laptop). Use it to explore the UI, browse missions, and test cards without touching your machine. To work against your **own** clusters or use AI features with your own keys, you need to self-host the console — see the next section.\n\n## Which path do I need?\n\n| I want to… | What to do | Need a cluster? | Need to install anything? |\n|---|---|---|---|\n| Explore the UI / evaluate the product | [console.kubestellar.io](https://console.kubestellar.io) | no | no |\n| Connect the console to **my own** clusters | [**Self-host**](#local-install-self-host) the console **and** install [**kc-agent**](#kc-agent-bridge-self-hosted-console-to-your-clusters) on the same machine | yes | yes (curl + kc-agent) |\n| Self-host the console (air-gapped, custom OAuth, etc.) | [**Local install**](#local-install-self-host) | optional | yes |\n| Run the console **inside** a cluster | [`deploy.sh`](deploy.sh) | yes | Helm-style script |\n\n\u003e **Note**: `kc-agent` is **not** consumed by the hosted demo at [console.kubestellar.io](https://console.kubestellar.io). It bridges your **self-hosted** console (running at `localhost:8080`) to your kubeconfig contexts and to AI providers. If you want the convenience of the hosted UI plus your real cluster data, you currently have to run the console locally.\n\n## Local install (self-host)\n\nThe quickest path to a working console with your own data. `start.sh` downloads the pre-built console binary and a pre-built `kc-agent`, starts both, and opens [http://localhost:8080](http://localhost:8080):\n\n```bash\ncurl -sSL https://raw.githubusercontent.com/kubestellar/console/main/start.sh | bash\n```\n\nDeploy into a cluster instead with [`deploy.sh`](deploy.sh) (`--openshift`, `--ingress \u003chost\u003e`, `--github-oauth`, `--uninstall`). See [docs/deploy.md](docs/deploy.md) for the full flag, environment-variable, exit-code, and example reference. For Helm chart installs that should talk to an in-cluster Kagenti backend, see [Connecting Kagenti](deploy/helm/kubestellar-console/README.md#connecting-kagenti) and the [Kagenti deployment guide](docs/kagenti-deployment-guide.md) for controller/agent topology, setup steps, and troubleshooting.\n\n## Development\n\nIf you want to work on the repo itself, start with these entry points:\n\n- [CLAUDE.md](CLAUDE.md) — canonical developer guide for repo structure, testing expectations, and agent rules\n- [CONTRIBUTING.md](CONTRIBUTING.md) — contribution workflow, issue/PR conventions, and inventory notes\n- [docs/README.md](docs/README.md) — index of the documentation tree, grouped by audience\n\n## kc-agent (bridge self-hosted console to your clusters)\n\n`kc-agent` is a small local HTTP/WS daemon that the **self-hosted** console talks to (default `http://127.0.0.1:8585`). It forwards requests from the browser to your kubeconfig contexts and to AI providers. The hosted demo at [console.kubestellar.io](https://console.kubestellar.io) cannot reach it (#6195) — kc-agent is only useful when you self-host.\n\n**You do not need kc-agent** if you only want to browse the UI / demo data — just use the hosted demo. **`start.sh` already installs and launches a pre-built kc-agent for you**, so most users never need to install it manually. The instructions below are for development builds or platforms without a Homebrew formula:\n\n**Prerequisites for kc-agent:**\n- A kubeconfig that points at one or more reachable clusters (`kubectl get nodes` works locally)\n- macOS, Linux, or Windows with WSL2 (see [Windows section](#windows-wsl2))\n\n```bash\n# macOS — Homebrew formula (pre-built)\nbrew tap kubestellar/tap \u0026\u0026 brew install kc-agent\n\n# Linux / from source — requires Go 1.26.4+ (matches go.mod)\nmkdir -p bin\ngo build -o bin/kc-agent ./cmd/kc-agent \u0026\u0026 ./bin/kc-agent\n```\n\n### kc-agent authentication (`KC_AGENT_TOKEN`)\n\n`kc-agent` accepts a shared secret via `KC_AGENT_TOKEN`. When it is set, browser and WebSocket requests to the agent must present `Authorization: Bearer \u003ctoken\u003e` (or `?token=\u003ctoken\u003e` for a real WebSocket upgrade). This is recommended when you want an extra layer of protection against other local processes reaching `127.0.0.1:8585`.\n\n- `start-dev.sh` and `startup-oauth.sh` auto-generate a random `KC_AGENT_TOKEN` for each session if you do not set one.\n- Set `KC_AGENT_TOKEN` yourself if you want a stable secret across restarts or if you launch `kc-agent` manually.\n- Generate one with `openssl rand -hex 32`.\n\n```bash\nexport KC_AGENT_TOKEN=\"$(openssl rand -hex 32)\"\n./bin/kc-agent\n```\n\nWhen both the self-hosted console and `kc-agent` are running, open [http://localhost:8080](http://localhost:8080) and your local clusters appear in the cluster picker.\n\n## Windows (WSL2)\n\nThe console install scripts and `kc-agent` are POSIX shell + Go, so they run unchanged inside WSL2. Native Windows (PowerShell / CMD) is not supported — install [WSL2 with Ubuntu](https://learn.microsoft.com/windows/wsl/install) and run everything from the WSL shell:\n\n```powershell\n# In PowerShell — one-time setup\nwsl --install -d Ubuntu\n```\n\nThen from inside the Ubuntu/WSL shell. **`start.sh` only needs `curl`** — it downloads pre-built binaries, no Go toolchain required:\n\n```bash\n# Prerequisite: just curl\nsudo apt-get update \u0026\u0026 sudo apt-get install -y curl\n\n# Same install command as macOS / Linux\ncurl -sSL https://raw.githubusercontent.com/kubestellar/console/main/start.sh | bash\n```\n\n\u003e **⚠️ Windows PowerShell `curl` gotcha:** In PowerShell, `curl` is an alias\n\u003e for `Invoke-WebRequest`, which behaves completely differently from the real\n\u003e curl. If you need to test endpoints from PowerShell (outside WSL), always\n\u003e use **`curl.exe`** instead of `curl`, or use the native PowerShell cmdlet:\n\u003e\n\u003e ```powershell\n\u003e # Option 1 — use curl.exe (the real curl shipped with Windows 10+)\n\u003e curl.exe -s http://localhost:8080/health\n\u003e\n\u003e # Option 2 — use PowerShell native cmdlet\n\u003e Invoke-RestMethod http://localhost:8080/health\n\u003e ```\n\n**Building `kc-agent` from source is a separate path** — only needed if you want a development build of the agent rather than the prebuilt binary that `start.sh` already installs. It requires Go **1.26.4+** (the version pinned in `go.mod`) and `git`. Ubuntu's `golang-go` package usually lags the current release; use the [official Go install](https://go.dev/doc/install) or the `longsleep/golang-backports` PPA to get a recent version:\n\n```bash\n# add-apt-repository lives in software-properties-common — install it\n# first on minimal Ubuntu/WSL images that don't ship with it.\nsudo apt-get update \u0026\u0026 sudo apt-get install -y software-properties-common\nsudo add-apt-repository -y ppa:longsleep/golang-backports\nsudo apt-get update \u0026\u0026 sudo apt-get install -y golang-1.26 git\ngit clone https://github.com/kubestellar/console.git\ncd console\nmkdir -p bin\ngo build -o bin/kc-agent ./cmd/kc-agent \u0026\u0026 ./bin/kc-agent\n```\n\nOpen http://localhost:8080 in your **Windows** browser — WSL2 forwards `localhost` automatically. Tracked by [#6185](https://github.com/kubestellar/console/issues/6185).\n\n## GitHub authentication\n\nThe console uses **two** GitHub credentials (#6190). Most users need **neither** — the hosted demo works without any GitHub auth at all.\n\n| Credential | What it does | When you need it |\n|---|---|---|\n| **GitHub OAuth App** (`GITHUB_CLIENT_ID` + `GITHUB_CLIENT_SECRET`) | Sign-in for the **self-hosted** console at `localhost:8080` | Only if you self-host the console AND want user sign-in. Skip for the hosted demo. |\n| **Consolidated GitHub PAT** (a.k.a. `FeedbackGitHubToken`) | Same single PAT powers everything: nightly E2E status, community activity, leaderboard widgets, and the `/issue` page that opens GitHub issues | Optional. Without it, `/issue` returns `503 Issue submission is not available` and the GitHub-powered dashboard widgets fall back to demo data. |\n\n**Minimum to get started**: nothing — hit [console.kubestellar.io](https://console.kubestellar.io). Everything above is opt-in.\n\n### Setting the consolidated PAT\n\nThere are two equivalent ways to supply this PAT — pick one. Both write to the same field (`FeedbackGitHubToken` in `pkg/api/handlers/feedback.go` and `pkg/api/handlers/github_proxy.go`), so you don't need to set both:\n\n1. **`.env` file at the repo root** — set on startup, no UI step needed:\n   ```\n   FEEDBACK_GITHUB_TOKEN=ghp_…\n   ```\n\n2. **Settings UI** (self-hosted only, **admin role required**) — visit Settings → GitHub Token → paste. The UI POSTs to `/api/github/token`, which is gated on the console `admin` role and persisted to `~/.kc/settings.json` by the backend. On a fresh self-hosted install, the first authenticated user is auto-bootstrapped to admin so local instances are not locked out of settings.\n\nThe hosted Netlify demo cannot persist a PAT — it has no writable local backend — so Settings UI saves don't work there. Use the env-var path for self-hosting.\n\n### Setting up GitHub OAuth (self-hosted only)\n\nIf you self-host the console and want sign-in:\n\n1. **Create a [GitHub OAuth App](https://github.com/settings/developers)**\n   - Homepage URL: `http://localhost:8080`\n   - Callback URL: `http://localhost:8080/auth/github/callback`\n   - **After creating the app**, note down your **Client ID** (visible immediately) and generate a **Client Secret** (click \"Generate a new client secret\")\n\n2. **Clone the repo** (if you haven't already):\n   ```bash\n   git clone https://github.com/kubestellar/console.git\n   cd console\n   ```\n\n3. **Create a `.env` file in the repo root** (`console/.env`):\n   ```bash\n   # Create .env file with your GitHub OAuth App credentials\n   cat \u003e .env \u003c\u003c 'EOF'\n   GITHUB_CLIENT_ID=your-client-id-here\n   GITHUB_CLIENT_SECRET=your-client-secret-here\n   EOF\n   ```\n   \n   **Replace `your-client-id-here` and `your-client-secret-here`** with the actual values from your GitHub OAuth App (step 1).\n   \n   **⚠️ Common mistakes:**\n   - **Missing `.env` file**: The console looks for `.env` in the repo root (`console/.env`), not in your home directory or elsewhere.\n   - **Wrong credentials**: Client ID and Client Secret must match **exactly** what GitHub shows in your OAuth App settings. Copy-paste to avoid typos.\n   - **Expired secret**: If you regenerate the Client Secret in GitHub, you must update `.env` with the new value.\n   \n   **Troubleshooting OAuth errors:**\n   - `\"invalid client credentials\"` → Verify `GITHUB_CLIENT_ID` and `GITHUB_CLIENT_SECRET` in your `.env` match your GitHub OAuth App at https://github.com/settings/developers\n   - `\"redirect_uri_mismatch\"` → The Callback URL in your GitHub OAuth App must be exactly `http://localhost:8080/auth/github/callback`\n\n4. **Start the console**:\n   ```bash\n   ./startup-oauth.sh\n   ```\n\nOpen http://localhost:8080 and sign in with GitHub. For Kubernetes deployments, pass `--github-oauth` to `deploy.sh` instead.\n\n### Consolidated PAT scopes\n\nWhichever path you used above (env var or Settings UI), the [Personal Access Token](https://github.com/settings/tokens) needs **either**:\n- A **classic** PAT with the `repo` scope, **or**\n- A **fine-grained** PAT with both **Issues: Read \u0026 Write** *and* **Contents: Read \u0026 Write** (verified against `pkg/api/handlers/feedback.go:71` — Contents is required, not just Issues).\n\n## AI configuration\n\nThe console can use AI for adaptive card suggestions and mission help. AI is **optional** — the UI, missions, and dashboards all work without any AI keys configured (#6191).\n\n**Important**: AI BYOK only works on the **self-hosted** console. The hosted demo at [console.kubestellar.io](https://console.kubestellar.io) explicitly disables `LOCAL_AGENT_HTTP_URL` (verified in `web/src/lib/constants/network.ts`), so the browser cannot reach a local agent there. To use your own AI keys, self-host the console first.\n\n### Supported kc-agent providers (CLI-based and operator-controlled LLMs)\n\n`kc-agent` uses **local CLI providers** and **operator-controlled OpenAI-compatible / self-hosted LLMs** for AI features that need cluster-aware tool execution. Raw vendor API keys such as `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, and `GOOGLE_API_KEY` do **not** make Anthropic/OpenAI/Gemini available as mission-capable `kc-agent` providers in the current build. Those variables are documented later for backend/Stellar paths and source-level provider configuration, while `kc-agent` itself still relies on the tooling model described in [`docs/security/SECURITY-MODEL.md`](docs/security/SECURITY-MODEL.md#3-local--self-hosted-llms).\n\n**Recommended setup paths:**\n\n1. **CLI-based agents** (with full tool execution capabilities):\n   ```bash\n   # Install Claude Desktop or claude CLI — https://claude.ai/download\n   # Install Gemini CLI — follow official Google AI SDK instructions\n   # Install GitHub Copilot CLI — gh extension install github/gh-copilot\n   # Install other CLI agents: codex, antigravity, goose, bob\n   \n   # kc-agent will auto-detect installed CLI agents — no env vars needed\n   ./bin/kc-agent\n   ```\n\n2. **Local/self-hosted LLM servers** (OpenAI-compatible endpoints):\n   ```bash\n   # Ollama (local)\n   export OLLAMA_URL=http://127.0.0.1:11434\n   export OLLAMA_MODEL=llama3.2\n   \n   # Open WebUI (self-hosted gateway)\n   export OPEN_WEBUI_URL=https://your-openwebui.example.com\n   export OPEN_WEBUI_API_KEY=your-key\n   export OPEN_WEBUI_MODEL=gpt-4\n   \n   # Other supported: llama.cpp, LocalAI, vLLM, LM Studio, Red Hat AI Inference Server\n   # See docs/security/SECURITY-MODEL.md for the full list\n   \n   ./bin/kc-agent\n   ```\n\n\u003e **Why are Anthropic/OpenAI/Gemini API keys not enough for `kc-agent`?** The agent registry intentionally excludes those upstream API-key providers because they cannot execute cluster commands AND they route traffic to a specific vendor endpoint that the operator has no control over. The console's mission and diagnostic flows require tool-capable agents that can run `kubectl`, `helm`, and other commands locally. See `pkg/agent/registry.go:378-384` for the rationale.\n\n\u003e **What do the README API-key variables enable?** `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, and `GOOGLE_API_KEY` are relevant to backend/Stellar provider configuration and source-level HTTP-provider support, while `GROQ_API_KEY` and `OPENROUTER_API_KEY` enable registered **chat-only** providers. None of those variables replace the CLI-based setup above when you need `kc-agent` missions or other tool-executing workflows.\n\n\u003e **A note on the Settings → API Keys modal**: The console UI exposes a \"Manage Keys\" button under **Settings → API Keys**. This modal is wired to the agent's `/settings/keys` endpoint, but in the current build that endpoint returns an empty providers list (`providers := []providerDef{}` in `pkg/agent/server_operations.go:288`) because API-key-driven agents are hidden there. **Use the CLI-based or local LLM setup paths above for `kc-agent` features.**\n\n**If no supported AI provider is configured**, AI-powered features fall back to deterministic / rule-based behavior. The card suggestions, missions, and dashboards remain fully usable.\n\n**Security model, air-gapped deployments, and local / self-hosted LLMs** are covered in [`docs/security/SECURITY-MODEL.md`](docs/security/SECURITY-MODEL.md). That document explains the data flow between browser, Go backend, kc-agent, and AI providers; how to run the console with no external AI access; and the currently supported self-hosted path using kc-agent's CLI-based agents.\n\n## How It Works\n\n1. **Onboarding** — Sign in with GitHub, answer role questions, get a personalized dashboard\n2. **Adaptive AI** — Tracks card interactions and suggests swaps when your focus shifts (Claude, OpenAI, or Gemini)\n3. **MCP Bridge** — Queries cluster state (pods, deployments, events, drift, security) via `kubestellar-ops` and `kubestellar-deploy`\n4. **Missions** — Step-by-step guided installs with pre-flight checks, validation, troubleshooting, and rollback\n5. **Real-time** — WebSocket-powered live event streaming from all connected clusters\n\n## Stellar (Persistent AI Operations Runtime — Alpha)\n\n**Stellar** extends the console from request/response AI interactions into a **persistent operational runtime** with mission continuity, memory, and proactive execution. It brings autonomous operations capabilities to KubeStellar with support for multi-step mission planning, long-term memory, event-driven triggers, and policy-enforced tool execution.\n\nKey capabilities:\n- **Persistent missions** — Store and re-run multi-step operational tasks (rollouts, incident response, scaling decisions)\n- **Operational memory** — Learn from incidents, postmortems, and rollout history\n- **Event-driven triggers** — Respond to Kubernetes events, Prometheus alerts, webhooks, or schedules\n- **RBAC-aware execution** — Tool runtime validates permissions before cluster actions\n- **Structured auditing** — Full audit trail of prompts, decisions, tools, and outputs\n\n**Note:** Stellar is alpha/experimental. Architecture and APIs are subject to change.\n\nFor implementation details, see [docs/stellar/architecture.md](docs/stellar/architecture.md).\n\n## Architecture\n\nSee the full [Architecture documentation](https://kubestellar.io/docs/console/overview/architecture) on the KubeStellar website.\n\n### Related Repositories\n\n- **[console-kb](https://github.com/kubestellar/console-kb)** — Knowledge base of guided installers for 250+ CNCF projects and solutions to common Kubernetes problems\n- **[console-marketplace](https://github.com/kubestellar/console-marketplace)** — Community-contributed monitoring cards per CNCF project\n- **[kc-agent](cmd/kc-agent/)** — Local agent bridging the browser to kubeconfig, coding agents (Codex, Copilot, Claude CLI), and MCP servers (`kubestellar-ops`, `kubestellar-deploy`)\n- **[claude-plugins](https://github.com/kubestellar/claude-plugins)** — Claude Code marketplace plugins for Kubernetes\n- **[homebrew-tap](https://github.com/kubestellar/homebrew-tap)** — Homebrew formulae for KubeStellar tools\n- **[KubeStellar](https://kubestellar.io)** — Multi-cluster configuration management\n\n## Quality Assurance\n\nConsole uses AI tools (GitHub Copilot, Claude Code) to accelerate development. Quality is maintained through **layered feedback loops** — every PR triggers the same automated checks regardless of author, and continuous monitoring catches what PR checks miss.\n\n- **Before commit**: TypeScript build + Go build + 5 post-build safety checks + lint\n- **Before merge**: nil-safety, ts-null-safety, array-safety, API contract, Playwright E2E, coverage gate, TTFI performance, CodeQL, Copilot code review, UI/UX standards scanner, visual regression\n- **Visual regression**: 18 UI components documented as Storybook stories with theme support. Playwright captures screenshots and diffs against baselines on every PR that touches UI components.\n- **After merge**: Targeted Playwright tests run against production (`console.kubestellar.io`); failures reopen the original issue\n- **Continuous**: Hourly coverage (12 shards), 4x daily QA, nightly E2E, nightly security scanning, real-time GA4 error tracking, UI/UX standards nightly scan\n\nWhen a regression class is identified, a maintainer adds an automated check to the earliest possible loop. See [docs/AI-QUALITY-ASSURANCE.md](docs/AI-QUALITY-ASSURANCE.md) for the full breakdown.\n\n## Environment Variables Reference\n\nThe console and kc-agent use many configurable environment variables. This section provides a consolidated reference for all available options. See [.env.example](.env.example) for a complete example file with all commented defaults.\n\n### GitHub Authentication \u0026 Integration\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `GITHUB_CLIENT_ID` | ✓ (if using GitHub OAuth) | — | GitHub OAuth App Client ID. Create at https://github.com/settings/developers |\n| `GITHUB_CLIENT_SECRET` | ✓ (if using GitHub OAuth) | — | GitHub OAuth App Client Secret. Keep this secret — never commit to version control |\n| `FEEDBACK_GITHUB_TOKEN` | Optional | — | GitHub Personal Access Token (PAT) for programmatic issue creation and screenshot uploads. Can be classic (repo scope) or fine-grained (Issues + Contents read/write). Used by feedback/contribute dialog and GitHub-powered dashboard widgets |\n| `FEEDBACK_REPO_OWNER` | Optional | `kubestellar` | GitHub repository owner for feedback issue creation |\n| `FEEDBACK_REPO_NAME` | Optional | `console` | GitHub repository name for feedback issue creation |\n| `GITHUB_WEBHOOK_SECRET` | Optional | — | Secret for validating GitHub webhooks. Generate with `openssl rand -hex 32` |\n| `GITHUB_MUTATIONS_TOKEN` | Optional | — | GitHub PAT for re-running or canceling pipelines. Requires workflow scope |\n| `GITHUB_REPO` | Optional | `kubestellar/console` | GitHub repository for update checks |\n\n### Development \u0026 UI Configuration\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `DEV_MODE` | Optional | `true` | Enable development mode features and debug logging |\n| `FRONTEND_URL` | Optional | `http://localhost:5174` | Frontend base URL for backend redirects. Must match the frontend's listening URL |\n| `SKIP_ONBOARDING` | Optional | `false` | Skip the onboarding questionnaire for new users (useful for testing/demos) |\n| `VITE_DEMO_MODE` | Optional | `false` | Enable demo/preview mode with mock data (build-time only) |\n| `VITE_API_BASE_URL` | Optional | — | API base URL override for frontend backend calls. Leave empty to use same origin. Build-time only |\n| `VITE_NO_LOCAL_AGENT` | Optional | `false` | Disable local kc-agent in the frontend. Build-time only |\n| `VITE_GEOCODING_API_URL` | Optional | `https://geocoding-api.open-meteo.com/v1/search` | Geocoding API endpoint for weather card location search |\n| `VITE_GOOGLE_FONTS_API_URL` | Optional | — | Google Fonts API URL override. Build-time only |\n| `ENABLED_DASHBOARDS` | Optional | — | Comma-separated list of dashboard IDs to show in sidebar. Empty = show all. Affects display order |\n\n### Kubernetes \u0026 Cluster Configuration\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `KUBECONFIG` | Optional | `~/.kube/config` | Path to kubeconfig file for kubectl access |\n| `CLUSTER_NAME` | Optional | — | Override the cluster name displayed in the console. Auto-detected from kubeconfig if not set |\n| `NO_LOCAL_AGENT` | Optional | `false` | Suppress local kc-agent connections (for in-cluster deployments that use backend directly) |\n\n### AI API Keys — backend features and chat-only providers\n\nThese variables are **not all equivalent**:\n\n- `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, and `GOOGLE_API_KEY` document backend/Stellar and source-level HTTP-provider configuration, but they do **not** make Anthropic/OpenAI/Gemini available as mission-capable `kc-agent` providers in the current build.\n- `GROQ_API_KEY` and `OPENROUTER_API_KEY` enable registered **chat-only** providers for analysis/chat workflows; they still do not power `kc-agent` missions or other tool-executing flows.\n- For `kc-agent` tool execution, use the CLI-based or operator-controlled local/self-hosted providers described above and in [`docs/security/SECURITY-MODEL.md`](docs/security/SECURITY-MODEL.md#3-local--self-hosted-llms).\n\nWithout any supported AI provider, the console falls back to deterministic/rule-based behavior.\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `ANTHROPIC_API_KEY` | Optional | — | Anthropic Claude API key from https://console.anthropic.com/settings/keys |\n| `CLAUDE_MODEL` | Optional | `claude-sonnet-4-5-20250514` | Claude model selection |\n| `OPENAI_API_KEY` | Optional | — | OpenAI GPT API key from https://platform.openai.com/api-keys |\n| `OPENAI_MODEL` | Optional | `gpt-4-turbo` | OpenAI model selection |\n| `GOOGLE_API_KEY` | Optional | — | Google Gemini API key from https://makersuite.google.com/app/apikey |\n| `GEMINI_MODEL` | Optional | `gemini-2.0-flash` | Google Gemini model selection |\n| `OPENROUTER_API_KEY` | Optional | — | OpenRouter unified API key from https://openrouter.ai/keys (supports many models) |\n| `OPENROUTER_MODEL` | Optional | `openai/gpt-4o-mini` | OpenRouter model selection. See https://openrouter.ai/models for catalog |\n| `OPENROUTER_BASE_URL` | Optional | — | Custom base URL for self-hosted OpenRouter proxies |\n| `GROQ_API_KEY` | Optional | — | Groq LPU inference API key from https://console.groq.com/keys |\n| `GROQ_MODEL` | Optional | `llama-3.3-70b-versatile` | Groq model selection. See https://console.groq.com/docs/models |\n| `GROQ_BASE_URL` | Optional | — | Custom base URL for self-hosted Groq proxies |\n| `DEFAULT_AGENT` | Optional | — | Default AI provider if multiple are configured. Options: `claude`, `openai`, `gemini`, `openrouter`, `groq`. Auto-detected if not set |\n\n### Local/Self-Hosted LLM Servers\n\nUse for air-gapped deployments or local model serving without external vendor APIs.\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `OLLAMA_BASE_URL` | Optional | `http://localhost:11434` | Ollama server endpoint for local LLM inference |\n| `OPEN_WEBUI_URL` | Optional | — | Open WebUI self-hosted gateway URL |\n| `OPEN_WEBUI_API_KEY` | Optional | — | Open WebUI API key for authentication |\n\n### Stellar Assistant Configuration\n\nThe Stellar assistant provides intelligent operational insights. Configuration is optional.\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `STELLAR_DEFAULT_PROVIDER` | Optional | `ollama` | Default provider for `/api/stellar/ask` and `/api/stellar/digest` |\n| `STELLAR_DEFAULT_MODEL` | Optional | `llama3` | Default model selection |\n| `STELLAR_WATCHER_INTERVAL` | Optional | `30s` | Polling interval for Stellar event watcher |\n| `STELLAR_QUIET_START` | Optional | — | Quiet hours start time (HH:MM format) for suppressing non-urgent alerts |\n| `STELLAR_QUIET_END` | Optional | — | Quiet hours end time (HH:MM format) |\n| `STELLAR_DIGEST_HOUR` | Optional | — | Hour of day for digest generation (0-23) |\n| `STELLAR_ENCRYPTION_KEY` | Optional | — | Encryption key for sensitive Stellar data storage |\n| `STELLAR_FALLBACK_PROVIDER` | Optional | — | Fallback provider if default is unavailable |\n\n### kc-agent Authentication \u0026 Configuration\n\n`kc-agent` is the local bridge between the console and your clusters/AI providers.\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `KC_AGENT_TOKEN` | Optional | — | Shared secret for securing kc-agent WebSocket access. Generate with `openssl rand -hex 32`. If unset, `start-dev.sh` and `startup-oauth.sh` auto-generate per session |\n| `KC_DEV_MODE` | Optional | `false` | Enable kc-agent development mode with verbose logging |\n| `KC_ALLOWED_ORIGINS` | Optional | — | CORS-allowed origins for WebSocket connections (comma-separated) |\n\n### Service Discovery — KAgent \u0026 KAgenti Integration\n\nFor in-cluster KAgent/KAgenti service discovery. Use controller URLs to skip discovery. For full KAgenti deployment patterns, warnings, and troubleshooting, see the [Kagenti deployment guide](docs/kagenti-deployment-guide.md).\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `KAGENT_CONTROLLER_URL` | Optional | — | Direct KAgent controller URL (skips service discovery) |\n| `KAGENT_NAMESPACE` | Optional | — | Kubernetes namespace where KAgent runs |\n| `KAGENT_SERVICE_NAME` | Optional | — | Kubernetes service name for KAgent |\n| `KAGENT_SERVICE_PORT` | Optional | — | Service port for KAgent |\n| `KAGENT_SERVICE_PROTOCOL` | Optional | `http` | Service protocol (http/https) |\n| `KAGENTI_CONTROLLER_URL` | Optional | — | Direct KAgenti controller URL (skips service discovery) |\n| `KAGENTI_AGENT_URL` | Optional | — | KAgenti agent endpoint |\n| `KAGENTI_AGENT_NAME` | Optional | — | KAgenti agent name |\n| `KAGENTI_AGENT_NAMESPACE` | Optional | — | Kubernetes namespace for KAgenti agent |\n| `KAGENTI_NAMESPACE` | Optional | — | Kubernetes namespace where KAgenti controller runs |\n| `KAGENTI_SERVICE_NAME` | Optional | — | Kubernetes service name for KAgenti |\n| `KAGENTI_SERVICE_PORT` | Optional | — | Service port for KAgenti |\n| `KAGENTI_SERVICE_PROTOCOL` | Optional | `http` | Service protocol (http/https) |\n\n### GPU Metrics \u0026 Alerting\n\nEnable GPU monitoring and set utilization thresholds.\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `GPU_METRICS_ENABLED` | Optional | `false` | Enable GPU metrics collection |\n| `GPU_METRICS_DCGM_ENABLED` | Optional | `false` | Enable NVIDIA DCGM exporter scraping (requires NVIDIA GPU Operator) |\n| `GPU_METRICS_DCGM_NAMESPACE` | Optional | `gpu-operator` | Kubernetes namespace where DCGM exporter runs |\n| `GPU_METRICS_DCGM_SERVICE` | Optional | `dcgm-exporter` | Service name of the DCGM exporter |\n| `GPU_UTIL_OVER_THRESHOLD` | Optional | `90` | Alert when GPU utilization exceeds this percentage |\n| `GPU_UTIL_UNDER_THRESHOLD` | Optional | `20` | Alert when GPU utilization falls below this percentage |\n| `GPU_UTIL_POLL_INTERVAL_MS` | Optional | `1200000` | GPU metrics polling interval in milliseconds (default: 20 minutes) |\n\n### ArgoCD Integration\n\nConnect the console to an ArgoCD instance for deployment tracking and synchronization.\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `ARGOCD_AUTH_TOKEN` | Optional | — | ArgoCD API authentication token. Generate via: `argocd account generate-token --account admin` |\n| `ARGOCD_SERVER_URL` | Optional | — | ArgoCD server URL for API access |\n| `ARGOCD_TLS_INSECURE` | Optional | `false` | Disable TLS certificate verification (dev/test only with self-signed certs) |\n\n### GitHub Pipelines \u0026 CI/CD\n\nMonitor and control GitHub Actions workflows.\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `PIPELINE_REPOS` | Optional | — | Comma-separated list of GitHub repositories to monitor (format: `owner/repo,owner/repo2`) |\n| `ACMM_REPOS` | Optional | `PIPELINE_REPOS` or the built-in KubeStellar repos | Comma-separated list of GitHub repositories the ACMM scan and badge endpoints may query |\n| `GITHUB_MUTATIONS_TOKEN` | Optional | — | GitHub PAT for re-running or canceling pipeline runs (requires `workflow` scope) |\n\n### Analytics \u0026 Telemetry\n\nConfigure analytics and measurement.\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `GA4_REAL_MEASUREMENT_ID` | Optional | — | Real GA4 Measurement ID (frontend uses a decoy ID; the proxy rewrites it) |\n| `VITE_GA_MEASUREMENT_ID` | Optional | — | Frontend GA4 Measurement ID (build-time only) |\n\n### Server Configuration\n\nCore backend and network settings.\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `PORT` | Optional | `8080` | Backend listening port |\n| `DATABASE_PATH` | Optional | `./console.db` | Path to SQLite database file |\n| `MAX_BODY_BYTES` | Optional | `5242880` | Global HTTP request body size limit in bytes (default: 5 MB) |\n| `WS_MAX_CONNECTIONS` | Optional | `1000` | WebSocket connection limit (prevents resource exhaustion) |\n\n### TLS Configuration\n\nEnable HTTPS/TLS for secure connections.\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `TLS_ENABLED` | Optional | `false` | Enable HTTPS with TLS certificates |\n| `TLS_CERT_FILE` | Optional | — | Path to TLS certificate file (PEM format) |\n| `TLS_KEY_FILE` | Optional | — | Path to TLS private key file (PEM format) |\n\n### In-Cluster Deployment\n\nConfiguration for running the console inside a Kubernetes cluster.\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `POD_NAMESPACE` | Optional | — | Kubernetes namespace where console pod runs (used for self-upgrade feature) |\n\n### DRASI Integration (Experimental)\n\nReactive graph subscription for real-time data.\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `VITE_DRASI_SERVER_URL` | Optional | — | DRASI server URL (build-time only) |\n| `VITE_DRASI_PLATFORM_CLUSTER` | Optional | — | DRASI platform cluster identifier (build-time only) |\n| `KC_DRASI_SERVER_ALLOWED_HOSTS` | Optional | — | Comma-separated Drasi server hosts/IPs allowed for `/api/drasi/proxy?target=server`; required to permit loopback or private hosts |\n\n### Quick Setup Examples\n\n**Minimal local development (no OAuth, demo user):**\n```bash\n./start-dev.sh\n```\n\n**With GitHub OAuth:**\n```bash\ncat \u003e .env \u003c\u003c 'EOF'\nGITHUB_CLIENT_ID=your-client-id\nGITHUB_CLIENT_SECRET=your-client-secret\nEOF\n./startup-oauth.sh\n```\n\n**With backend Anthropic credentials:**\n```bash\ncat \u003e .env \u003c\u003c 'EOF'\nGITHUB_CLIENT_ID=your-client-id\nGITHUB_CLIENT_SECRET=your-client-secret\nANTHROPIC_API_KEY=your-anthropic-key\nEOF\n./startup-oauth.sh\n```\n\nThis config is useful for backend/Stellar provider paths, but `kc-agent` missions still require a supported CLI-based provider or operator-controlled local/self-hosted endpoint.\n\n**With local Ollama:**\n```bash\nexport OLLAMA_BASE_URL=http://localhost:11434\n./start-dev.sh\n```\n\n**With Kubernetes kubeconfig:**\n```bash\nexport KUBECONFIG=~/.kube/config\n./start-dev.sh\n```\n\nFor more examples and detailed setup instructions, see the [Getting Started](#local-install-self-host) and [GitHub Authentication](#github-authentication) sections above.\n\n## License\n\nApache License 2.0 — see [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubestellar%2Fconsole","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkubestellar%2Fconsole","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubestellar%2Fconsole/lists"}