Review feedback on PR #2460: the Generate changelog using AI step ran Copilot with --allow-all-tools and GH_TOKEN set to the write-capable installation token issued to the job (contents: write, pull-requests: write on all cozystack/* repos). The scope rules in docs/agents/changelog.md and the step prompt tell the agent not to use those permissions, but nothing at the token layer prevented it. Mint a second, read-only installation token from the same app (same COZYSTACK_CI_APP_ID / COZYSTACK_CI_PRIVATE_KEY, scoped to contents/pull-requests/metadata read) and pass that one to the AI step instead. The write-capable token is still used by the checkout, commit/push, and PR-creation steps that actually need it. This is defense in depth: even if a future prompt change or agent misbehavior ignored the scope rules, the token itself has no write capability on any repository in the cozystack org. No new secret, no new GitHub App install, no admin-side change — the RO token is minted in the same workflow from the same app credentials. Signed-off-by: Myasnikov Daniil <myasnikovdaniil2001@gmail.com> |
||
|---|---|---|
| .gemini | ||
| .github | ||
| api | ||
| cmd | ||
| dashboards | ||
| docs | ||
| examples/backups/vmi | ||
| hack | ||
| img | ||
| internal | ||
| packages | ||
| pkg | ||
| tools/openapi-gen | ||
| .coderabbit.yaml | ||
| .gitignore | ||
| .pre-commit-config.yaml | ||
| ADOPTERS.md | ||
| AGENTS.md | ||
| CODE_OF_CONDUCT.md | ||
| CONTRIBUTING.md | ||
| CONTRIBUTOR_LADDER.md | ||
| go.mod | ||
| go.sum | ||
| GOVERNANCE.md | ||
| LICENSE | ||
| MAINTAINERS.md | ||
| Makefile | ||
| README.md | ||
| SECURITY.md | ||
Cozystack
Cozystack is a free platform and framework for building clouds.
Cozystack is a CNCF Sandbox Level Project that was originally built and sponsored by Ænix.
With Cozystack, you can transform a bunch of servers into an intelligent system with a simple REST API for spawning Kubernetes clusters, Database-as-a-Service, virtual machines, load balancers, HTTP caching services, and other services with ease.
Use Cozystack to build your own cloud or provide a cost-effective development environment.
Use-Cases
-
Using Cozystack to build a public cloud
You can use Cozystack as a backend for a public cloud -
Using Cozystack to build a private cloud
You can use Cozystack as a platform to build a private cloud powered by Infrastructure-as-Code approach -
Using Cozystack as a Kubernetes distribution
You can use Cozystack as a Kubernetes distribution for Bare Metal
Documentation
The documentation is located on the cozystack.io website.
Read the Getting Started section for a quick start.
If you encounter any difficulties, start with the troubleshooting guide and work your way through the process that we've outlined.
Versioning
Versioning adheres to the Semantic Versioning principles.
A full list of the available releases is available in the GitHub repository's Release section.
Contributions
Contributions are highly appreciated and very welcomed!
In case of bugs, please check if the issue has already been opened by checking the GitHub Issues section. If it isn't, you can open a new one. A detailed report will help us replicate it, assess it, and work on a fix.
You can express your intention to on the fix on your own. Commits are used to generate the changelog, and their author will be referenced in it.
If you have Feature Requests please use the Discussion's Feature Request section.
Community
You are welcome to join our Telegram group and come to our weekly community meetings. Add them to your Google Calendar or iCal for convenience.
License
Cozystack is licensed under Apache 2.0.
The code is provided as-is with no warranties.
Commercial Support
A list of companies providing commercial support for this project can be found on official site.
