cncf
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.golangci.yml‎
Lines changed: 4 additions & 3 deletions b/‎.golangci.yml‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎AGENTS.MD‎
Lines changed: 15 additions & 0 deletions b/‎AGENTS.MD‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 7 additions & 2 deletions b/‎Dockerfile‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎Makefile‎
Lines changed: 73 additions & 20 deletions b/‎Makefile‎
Lines changed: 73 additions & 20 deletions
diff --git a/‎apis/maintainers/v1alpha1/types.go‎
Lines changed: 39 additions & 0 deletions b/‎apis/maintainers/v1alpha1/types.go‎
Lines changed: 39 additions & 0 deletions
@@ -11,3 +11,4 @@ demo.db
 .gocache/
 .modcache/
 coverage.out
+.kcp/
@@ -2,9 +2,6 @@ version: "2"
 run:
   modules-download-mode: readonly
   tests: true
-  skip-dirs:
-    - .modcache
-    - .gocache
 linters:
   enable:
     - bodyclose
@@ -64,6 +61,8 @@ linters:
           - govet
         path: (cmd/bootstrap|plugins/fossa/client)\.go
     paths:
+      - \.modcache/
+      - \.gocache/
       - third_party$
       - builtin$
       - examples$
@@ -77,6 +76,8 @@ formatters:
   exclusions:
     generated: lax
     paths:
+      - \.modcache/
+      - \.gocache/
       - third_party$
       - builtin$
       - examples$
@@ -34,4 +34,19 @@ This document gives agents instructions and tips for working in this repository.
 - Keep changes minimal and focused. Match existing Go style and module layout.
 - Avoid unrelated refactors in the same change. Update docs/Makefile if deployment surface changes.
 - Use the "The Friends method" of writing commit messages to describe patches where each commit message is notionally pre-fixed with the sentence, "This is the change that " and then the commit message continues this sentence, for example, (this is the change that) "adds the repo being monitored to log output at loglevel INFO"
+
+## CRD Workflow (Generated)
+- CRDs and deepcopy files are generated; do not hand-edit `config/crd/bases/*.yaml`, `config/kcp/*.yaml`, or `apis/maintainers/v1alpha1/zz_generated.deepcopy.go`.
+- When changing existing CRDs: update Go types and kubebuilder markers in `apis/maintainers/v1alpha1/types.go`, then regenerate.
+- When adding new CRDs: add the new type + kubebuilder markers in `apis/maintainers/v1alpha1/types.go`, include it in `addKnownTypes`, then regenerate.
+- Regeneration command: `make kcp-generate` (requires `controller-gen` and `apigen`; run `make kcp-install` if needed).
+- CRDs are generated from `apis/maintainers/v1alpha1/types.go`, not from `model/main.go`. DB model changes do not automatically reflect in CRDs; update API types explicitly when you want schema changes exposed.
+
+## Model → CRD Exposure Checklist
+- Decide whether the DB change should be exposed via CRD or remain internal.
+- If exposed, update `apis/maintainers/v1alpha1/types.go` (fields + kubebuilder markers). Add to `addKnownTypes` for new resources.
+- Update the sync/mapping layer to populate the new fields (e.g., `cmd/sync/main.go` or store accessors).
+- Regenerate artifacts: `make kcp-generate`.
+- Review generated diffs under `config/crd/bases/` and `config/kcp/`.
+- Run CI (at least `make ci-local` or lint + tests).
 f
@@ -13,9 +13,14 @@ COPY . .
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
     go build -o /bootstrap ./cmd/bootstrap && \
-    go build -o /maintainerd ./main.go
+    go build -o /maintainerd ./main.go && \
+    go build -o /sync ./cmd/sync
 
-FROM gcr.io/distroless/base-debian12
+FROM gcr.io/distroless/base-debian12 AS maintainerd
 COPY --from=build /bootstrap /usr/local/bin/bootstrap
 COPY --from=build /maintainerd /usr/local/bin/maintainerd
 ENTRYPOINT ["/usr/local/bin/maintainerd"]
+
+FROM gcr.io/distroless/base-debian12 AS sync
+COPY --from=build /sync /usr/local/bin/sync
+ENTRYPOINT ["/usr/local/bin/sync"]
@@ -1,8 +1,14 @@
 TOPDIR=$(PWD)
 GH_ORG_LC=robertkielty
 REGISTRY ?= ghcr.io
-IMAGE ?= $(REGISTRY)/$(GH_ORG_LC)/maintainerd:latest
-SYNC_IMAGE ?= $(REGISTRY)/$(GH_ORG_LC)/maintainerd-sync:latest
+GIT_SHA ?= $(shell git rev-parse --short HEAD 2>/dev/null || echo unknown)
+BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null | tr '[:upper:]' '[:lower:]' | tr '/_' '--')
+BUILD_DATE ?= $(shell date -u '+%a-%b-%d-%Y' | tr '[:lower:]' '[:upper:]')
+TAG ?= $(BRANCH)-$(GIT_SHA)-$(BUILD_DATE)
+IMAGE ?= $(REGISTRY)/$(GH_ORG_LC)/maintainerd:$(TAG)
+IMAGE_LATEST ?= $(REGISTRY)/$(GH_ORG_LC)/maintainerd:latest
+SYNC_IMAGE ?= $(REGISTRY)/$(GH_ORG_LC)/maintainerd-sync:$(TAG)
+SYNC_IMAGE_LATEST ?= $(REGISTRY)/$(GH_ORG_LC)/maintainerd-sync:latest
 WHOAMI=$(shell whoami)
 
 # Helpful context string for logs
@@ -35,18 +41,18 @@ GHCR_TOKEN ?= $(GITHUB_GHCR_TOKEN)
 
 
 # ---- Image ----
-.PHONY: image-build
-image-build:
+.PHONY: mntrd-image-build
+mntrd-image-build:
 	@echo "Building container image: $(IMAGE)"
-	@docker buildx build -t $(IMAGE) -f Dockerfile .
+	@docker buildx build -t $(IMAGE) -f Dockerfile --target maintainerd .
 
 .PHONY: sync-image-build
 sync-image-build:
 	@echo "Building sync image: $(SYNC_IMAGE)"
-	@docker buildx build -t $(SYNC_IMAGE) -f deploy/sync/Dockerfile .
+	@docker buildx build -t $(SYNC_IMAGE) -f Dockerfile --target sync .
 
-.PHONY: image-push
-image-push: image-build
+.PHONY: mntrd-image-push
+mntrd-image-push: mntrd-image-build
 	@echo "Ensuring docker is logged in to $(REGISTRY) (uses GHCR_TOKEN if set)"
 	@if [ -n "$(GHCR_TOKEN)" ]; then \
 		echo "Logging into $(REGISTRY) as $(GHCR_USER) using token from GHCR_TOKEN"; \
@@ -56,9 +62,12 @@ image-push: image-build
 	fi
 	@echo "Pushing image: $(IMAGE)"
 	@docker push $(IMAGE)
+	@echo "Tagging and pushing latest: $(IMAGE_LATEST)"
+	@docker tag $(IMAGE) $(IMAGE_LATEST)
+	@docker push $(IMAGE_LATEST)
 
-.PHONY: image-deploy
-image-deploy: image-push
+.PHONY: mntrd-image-deploy
+mntrd-image-deploy: mntrd-image-push
 	@echo "Image pushed. Attempting rollout on context $(CTX_STR)."
 	@CTX_FLAG="$(if $(KUBECONTEXT),--context $(KUBECONTEXT))" ; \
 	if kubectl $$CTX_FLAG config current-context >/dev/null 2>&1; then \
@@ -83,6 +92,9 @@ sync-image-push: sync-image-build
 	fi
 	@echo "Pushing image: $(SYNC_IMAGE)"
 	@docker push $(SYNC_IMAGE)
+	@echo "Tagging and pushing latest: $(SYNC_IMAGE_LATEST)"
+	@docker tag $(SYNC_IMAGE) $(SYNC_IMAGE_LATEST)
+	@docker push $(SYNC_IMAGE_LATEST)
 
 .PHONY: sync-image-deploy
 sync-image-deploy: sync-image-push
@@ -93,7 +105,7 @@ sync-image-deploy: sync-image-push
 	fi ; \
 	if ! kubectl -n $(NAMESPACE) $$CTX_FLAG get cronjob/maintainer-sync >/dev/null 2>&1; then \
 		echo "CronJob/maintainer-sync not found in namespace $(NAMESPACE)."; \
-		echo "Hint: apply deploy/manifests/sync.yaml or run 'make sync-apply' (or 'make manifests-apply')."; \
+		echo "Hint: apply deploy/manifests/cronjob.yaml + deploy/manifests/sync-rbac.yaml or run 'make sync-apply' (or 'make manifests-apply')."; \
 		exit 1; \
 	fi ; \
 	kubectl -n $(NAMESPACE) $$CTX_FLAG set image cronjob/maintainer-sync '*=$(SYNC_IMAGE)'; \
@@ -103,14 +115,50 @@ sync-image-deploy: sync-image-push
 .PHONY: sync-apply
 sync-apply:
 	@echo "Applying sync resources in namespace $(NAMESPACE) [ctx=$(CTX_STR)]"
-	@kubectl -n $(NAMESPACE) $(if $(KUBECONTEXT),--context $(KUBECONTEXT)) apply -f deploy/manifests/sync.yaml
-
-.PHONY: image
-image: image-build
+	@kubectl -n $(NAMESPACE) $(if $(KUBECONTEXT),--context $(KUBECONTEXT)) apply -f deploy/manifests/cronjob.yaml -f deploy/manifests/sync-rbac.yaml
+
+.PHONY: sync-run
+sync-run:
+	@bash -c 'set -euo pipefail; \
+	job="maintainer-sync-manual-$$(date +%s)"; \
+	echo "Creating sync job $$job in namespace $(NAMESPACE) [ctx=$(CTX_STR)]"; \
+	kubectl -n $(NAMESPACE) $(if $(KUBECONTEXT),--context $(KUBECONTEXT)) create job --from=cronjob/maintainer-sync $$job; \
+	'
+
+.PHONY: migrate-schema
+migrate-schema:
+	@echo "Running schema migration job in namespace $(NAMESPACE) [ctx=$(CTX_STR)]"
+	@kubectl -n $(NAMESPACE) $(if $(KUBECONTEXT),--context $(KUBECONTEXT)) apply -f deploy/manifests/maintainerd-migrate-schema-job.yaml
+
+.PHONY: migrate-schema-safe
+migrate-schema-safe:
+	@bash -c 'set -euo pipefail; \
+	echo "Scaling Deployment/maintainerd to 0 for schema migration [ctx=$(CTX_STR)]"; \
+	kubectl -n $(NAMESPACE) $(if $(KUBECONTEXT),--context $(KUBECONTEXT)) scale deploy/maintainerd --replicas=0; \
+	echo "Resolving PVC attachment node for maintainerd-db [ctx=$(CTX_STR)]"; \
+	pv="$$(kubectl -n $(NAMESPACE) $(if $(KUBECONTEXT),--context $(KUBECONTEXT)) get pvc maintainerd-db -o jsonpath="{.spec.volumeName}")"; \
+	node="$$(kubectl get volumeattachment -o jsonpath="{range .items[?(@.spec.source.persistentVolumeName==\"$${pv}\")]}{.spec.nodeName}{end}")"; \
+	kubectl -n $(NAMESPACE) $(if $(KUBECONTEXT),--context $(KUBECONTEXT)) delete job maintainerd-migrate --ignore-not-found; \
+	if [ -n "$${node}" ]; then \
+		echo "Running schema migration job pinned to node $${node} [ctx=$(CTX_STR)]"; \
+		kubectl create -f deploy/manifests/maintainerd-migrate-schema-job.yaml --dry-run=client -o json | \
+		kubectl patch --local -f - -p "{\"spec\":{\"template\":{\"spec\":{\"nodeName\":\"$${node}\"}}}}" -o json | \
+		kubectl apply -f -; \
+	else \
+		echo "No attachment node found; running migration job without pinning [ctx=$(CTX_STR)]"; \
+		kubectl -n $(NAMESPACE) $(if $(KUBECONTEXT),--context $(KUBECONTEXT)) apply -f deploy/manifests/maintainerd-migrate-schema-job.yaml; \
+	fi; \
+	kubectl -n $(NAMESPACE) $(if $(KUBECONTEXT),--context $(KUBECONTEXT)) wait --for=condition=complete job/maintainerd-migrate --timeout=300s; \
+	echo "Scaling Deployment/maintainerd back to 1 [ctx=$(CTX_STR)]"; \
+	kubectl -n $(NAMESPACE) $(if $(KUBECONTEXT),--context $(KUBECONTEXT)) scale deploy/maintainerd --replicas=1; \
+	'
+
+.PHONY: mntrd-image
+mntrd-image: mntrd-image-build
 	@true
 
-.PHONY: image-run
-image-run: image
+.PHONY: mntrd-image-run
+mntrd-image-run: mntrd-image
 	@docker run -ti --rm $(IMAGE)
 
 # ---- Config ----
@@ -146,15 +194,20 @@ help:
 	@echo "make lint            -> run linters (requires golangci-lint)"
 	@echo ""
 	@echo "== Deployment =="
+	@echo "Image tags: <branch>-<shortsha>-<DAY-MON-DD-YYYY> (UTC), plus latest"
 	@echo "make secrets         -> build $(ENVOUT) from $(ENVSRC) and apply both Secrets"
 	@echo "make env             -> build $(ENVOUT) from $(ENVSRC)"
 	@echo "make apply-env       -> create/update $(ENV_SECRET_NAME) from $(ENVOUT)"
 	@echo "make apply-creds     -> create/update $(CREDS_SECRET_NAME) from $(CREDS_FILE)"
 	@echo "make clean-env       -> remove $(ENVOUT)"
 	@echo "make print           -> show which keys would be loaded (without values)"
-	@echo "make image-build     -> build container image $(IMAGE) locally"
-	@echo "make image-push      -> build and push $(IMAGE) (uses GHCR_TOKEN/GITHUB_GHCR_TOKEN + GHCR_USER/DOCKER_REGISTRY_USERNAME for ghcr login)"
-	@echo "make image-deploy    -> build, push, and restart Deployment in $(NAMESPACE)"
+	@echo "make mntrd-image-build  -> build maintainerd image $(IMAGE) locally"
+	@echo "make mntrd-image-push   -> build and push $(IMAGE) (uses GHCR_TOKEN/GITHUB_GHCR_TOKEN + GHCR_USER/DOCKER_REGISTRY_USERNAME for ghcr login)"
+	@echo "make mntrd-image-deploy -> build, push, and restart Deployment in $(NAMESPACE)"
+	@echo "make sync-apply      -> apply CronJob + RBAC for the sync job"
+	@echo "make sync-run        -> trigger a manual sync job and tail logs"
+	@echo "make migrate-schema  -> run one-off schema migration job"
+	@echo "make migrate-schema-safe -> scale down, run migration pinned to attached node, scale back up"
 	@echo "make ensure-ns       -> ensure namespace $(NAMESPACE) exists"
 	@echo "make apply-ghcr-secret -> create/update docker-registry Secret 'ghcr-secret'"
 	@echo "make manifests-apply -> kubectl apply -f deploy/manifests (prod-only)"
 
@@ -87,6 +87,44 @@ type MaintainerList struct {
 	Items           []Maintainer `json:"items"`
 }
 
+// StaffMemberSpec captures desired staff member attributes.
+type StaffMemberSpec struct {
+	DisplayName   string             `json:"displayName"`
+	PrimaryEmail  string             `json:"primaryEmail,omitempty"`
+	GitHubAccount string             `json:"gitHubAccount,omitempty"`
+	GitHubEmail   string             `json:"gitHubEmail,omitempty"`
+	FoundationRef *ResourceReference `json:"foundationRef,omitempty"`
+	RegisteredAt  *metav1.Time       `json:"registeredAt,omitempty"`
+	ExternalIDs   map[string]string  `json:"externalIDs,omitempty"`
+}
+
+// StaffMemberStatus surfaces derived information gathered by controllers.
+type StaffMemberStatus struct {
+	LastSynced *metav1.Time `json:"lastSynced,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=staffmembers,scope=Namespaced,shortName=staff,categories=maintainerd
+// +kubebuilder:subresource:status
+
+// StaffMember represents a foundation staff member.
+type StaffMember struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   StaffMemberSpec   `json:"spec,omitempty"`
+	Status StaffMemberStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// StaffMemberList is a list of StaffMember resources.
+type StaffMemberList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []StaffMember `json:"items"`
+}
+
 // CollaboratorSpec captures collaborator specific attributes.
 type CollaboratorSpec struct {
 	DisplayName   string              `json:"displayName"`
@@ -437,6 +475,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(
 		SchemeGroupVersion,
 		&Maintainer{}, &MaintainerList{},
+		&StaffMember{}, &StaffMemberList{},
 		&Collaborator{}, &CollaboratorList{},
 		&Project{}, &ProjectList{},
 		&Company{}, &CompanyList{},