implement openssf best practices changes #1216
Conversation
Signed-off-by: Jordan Dubrick <jdubrick@redhat.com>
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Codecov Report
All modified and coverable lines are covered by tests ✅

Additional details and impacted files
@@ Coverage Diff @@
##             main    #1216   +/-   ##
=======================================
  Coverage   52.74%   52.74%
=======================================
  Files          84       84
  Lines        7616     7616
=======================================
  Hits         4017     4017
  Misses       3310     3310
  Partials      289      289

☔ View full report in Codecov by Sentry.
| # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: | ||
| # - you want to enable the Branch-Protection check on a *public* repository, or | ||
| # - you are installing Scorecard on a *private* repository | ||
| # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. | ||
| # repo_token: ${{ secrets.SCORECARD_TOKEN }} |
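Review bot: the header on the first quoted line describes this as a "write" PAT, which is more privilege than a Scorecard run needs on a public repository where the Branch-Protection check is not enabled, so keeping `repo_token` commented out is the right default here; a short note in the comment stating that neither condition currently applies to this repository would keep a later maintainer from uncommenting it out of caution, and when it is eventually enabled, the token should be stored as a repository secret with the narrowest scope the linked scorecard-action authentication guide allows.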
I'm unclear here -- do we need the repo_token line or not?
I left the repo_token line because of this issue here: devfile/api#1417
It is planned in the future to add the PAT so the scorecard correctly picks up on branch protection rules so I left that section commented for reference. If it's preferred or you don't want to add it for this repo I can remove it.
That makes sense, it's just a slightly confusing doc -- to be clear we're currently not enabling branch protection checks in the repo and so do not need the repo_token, correct?
I'm fine leaving it in there if the plan is to add it at some point in the future.
Yes, this PR is not going to have branch protection checks, and the plan is to add all of those checks for Devfile repos in the future as part of the issue I linked.
I can make the comment surrounding that token more clear?
I don't think the comment is necessary, thanks for the clarification
I don't have write access to this repo, would one of the approvers be able to merge? Thank you :)
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amisevsk, AObuchow, ibuziuk, Jdubrick

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
What does this PR do?

This PR implements changes to the repository to align us more closely with OpenSSF and CNCF best practices. Below is a summary and explanation of all the changes:

OpenSSF Badges

These badges are displayed in the readme so that anyone can view them and see how the repository is adhering to these practices. The Best Practices badge can be filled out and viewed in more detail here. The Scorecard badge gives the repository a score based on how secure it is. A summary of that can be found here.

Scorecard GitHub Workflow

This is tied to the Scorecard badge and is the code scanning aspect of it. This provides vulnerability scanning on the repository and will provide us with information regarding found vulnerabilities. More information about this scanning can be found here.

CLOMonitor Exemption

This exemption has been added to every devfile repository as we decided we are not going to implement it.

Contributing

In order to standardize our repositories and adhere to the best practices we should have contributing instructions for anyone who wants to add to this project. The contributing file is the same format as all of the other devfile repositories. For the issues section I included a link to the issues contained in this repository as it looks like you are storing issues there instead of in devfile/api.

What issues does this PR fix or reference?

fixes devfile/api#1389

Is it tested? How?

All changes were either made to documentation files or by adding new files unrelated to the project function.

PR Checklist

/test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
- v8-devworkspace-operator-e2e: DevWorkspace e2e test
- v8-che-happy-path: Happy path for verification integration with Che
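The review thread above turns on one line of the Scorecard workflow, the commented-out `repo_token`. The workflow file itself is not shown on this page, so the following is an added example, not the file from this PR: a Scorecard workflow in the shape the ossf/scorecard-action README documents, with `repo_token` left commented out because the Branch-Protection check is not being enabled on this public repository, and with the job's `GITHUB_TOKEN` limited to the two write scopes that the SARIF upload and result publishing actually need while everything else stays read-only. The action version tags, the cron schedule and the `main` branch name are assumptions; in a real repository pin the actions to commit SHAs, since Scorecard's own Pinned-Dependencies check flags tag references.

```yaml
# Added example of a Scorecard workflow; assumed file path: .github/workflows/scorecard.yml
name: Scorecard supply-chain security

on:
  # Re-run when branch protection rules change so a future Branch-Protection
  # check (once a token is configured) reflects the new settings promptly.
  branch_protection_rule:
  schedule:
    - cron: "30 1 * * 6"   # assumed weekly schedule
  push:
    branches: ["main"]      # assumed default branch name

# Default-deny: nothing in this workflow may write unless a job opts in below.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload results.sarif to the repository's Security tab.
      security-events: write
      # Needed for publish_results (OIDC token used to push the badge score).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # assumed version; pin to a SHA in practice
        with:
          # Do not leave the checkout credential in .git/config for later steps.
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2   # assumed version; pin to a SHA in practice
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecard on a *private* repository
          # Neither applies to this repository today, so the line stays commented.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # Publish the score so the README badge can be served from it.
          publish_results: true

      # Keep the raw SARIF briefly as a build artifact for debugging a score.
      - name: Upload artifact
        uses: actions/upload-artifact@v4   # assumed version; pin to a SHA in practice
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # This is the "code scanning" half that the bot comment above refers to.
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v3   # assumed version; pin to a SHA in practice
        with:
          sarif_file: results.sarif
```

The practical check after merging a workflow like this is to open the Security tab and confirm Scorecard findings appear there with the top-level `permissions: read-all` still in place; if the upload step fails with a permissions error, widen only the job-level `security-events` scope rather than the workflow default. When the Branch-Protection check is enabled later, uncommenting `repo_token` is the only change needed, and the secret it references should be a token with no more scope than the scorecard-action authentication guide asks for.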