Project Governance

Contribute / Project Governance

Use these pages when you are changing how the project is governed, secured, or published.

This section is for policy and maintainer work: SDLC expectations, supply-chain controls, and dependency license rules. It is not the place to start for normal feature work, but it is the right place when you are changing how OpenBao Operator proves trust or manages release risk.

Open SDLCOpen supply chain security

Use this section when you need to

• understand how the project models secure development and release flow end to end
• review or change supply-chain controls, provenance expectations, or reproducibility requirements
• understand which dependency licenses are allowed for shipped binaries
• separate project policy work from normal day-to-day implementation work

Project governance guides

1. 01

   Software development lifecycle

   See how planning, implementation, verification, release, and operations map into the project’s secure lifecycle.

   Open
2. 02

   Supply chain security

   Review provenance, reproducibility, signing, evidence, and release-control expectations.

   Open
3. 03

   Supply-chain incident response

   Use the maintainer runbook when you need to freeze Actions, suspend release automation, rotate trust roots, or inspect recent publication state.

   Open
4. 04

   Dependency license policy

   Understand which licenses are allowed for shipped binaries and how the policy is enforced.

   Open

Related maintainer work

Release managementUse the concrete release workflow when policy turns into an actual release event.Continuous integrationReview the CI implementation that enforces many of these policy expectations in practice.