
feat(openSSF scorecard): introduce CI + badge #472

Open. Wants to merge 3 commits into base: unstable

Conversation

@AugustinMauroy commented May 8, 2024

Adding the OpenSSF Scorecard. It adds CI and a badge. The action also gives us a UI to see what is wrong or good.

Fixes #211

Signed-off-by: Augustin Mauroy <augustin.mauroy@outlook.fr>
README.md (review comment, outdated, resolved)
@madolson (Member) commented May 9, 2024

@bjosv Does this seem right to you?

Co-authored-by: Madelyn Olson <madelyneolson@gmail.com>
@zuiderkwast (Contributor) left a comment

@AugustinMauroy Can you add it on your fork's unstable branch so we can see that it works there?

  schedule:
    - cron: '25 6 * * 6'
  push:
    branches: [ "main" ]

We don't have a branch called "main".

codecov bot commented May 10, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 69.83%. Comparing base (315b757) to head (769010b).
Report is 17 commits behind head on unstable.

❗ Current head 769010b differs from pull request most recent head d9fdec2. Consider uploading reports for the commit d9fdec2 to get more accurate results

Additional details and impacted files
@@             Coverage Diff              @@
##           unstable     #472      +/-   ##
============================================
+ Coverage     68.90%   69.83%   +0.92%     
============================================
  Files           109      109              
  Lines         61793    61791       -2     
============================================
+ Hits          42579    43150     +571     
+ Misses        19214    18641     -573     

see 37 files with indirect coverage changes

@bjosv (Contributor) left a comment

Nice, but some comments below.

Is this based on a template that I haven't seen, or is it taken from https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml ?

.github/workflows/scorecard.yml (review comment, outdated, resolved)
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      # contents: read

Is this needed? The default permission is read-all already.

          # - Publish results to OpenSSF REST API for easy access by consumers
          # - Allows the repository to include the Scorecard badge.
          # - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:

Maybe we should remove comments about private repos here in the valkey repo?

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20

OSSF's examples use the latest version of actions/upload-artifact, i.e. v4.3.3.
Any reason for using v3?

@AugustinMauroy (Author) replied

The template I had found uses v3, so we can update it.

      # Upload the results to GitHub's code scanning dashboard (optional).
      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9

There is a v3.25.3 now.

Co-authored-by: Björn Svensson <bjorn.a.svensson@est.tech>
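Two review points in this thread are mechanical enough to check automatically: the `push:` filter must name a branch the repository actually has (valkey has `unstable`, not `main`), and every `uses:` step should be pinned to a full commit SHA with a `# vX.Y.Z` comment so the SHA can be mapped back to a release (which is how the outdated `v3` and `v3.24.9` pins above were spotted, and what Scorecard's Pinned-Dependencies check rewards). The stdlib-only Python linter below is an added example, not the PR's workflow, Scorecard's tooling, or valkey code. The embedded workflow text and its 40-hex SHA are constructed samples, and the names `lint_workflow`, `check_action_pins` and `check_push_branches` are chosen here.

```python
"""Lint a GitHub Actions workflow for two of the review points above:
1. every third-party `uses:` is pinned to a 40-hex commit SHA with a `# vX.Y.Z` comment;
2. `push:` branch filters only name branches the repository actually has.
Stdlib only. The workflow text and SHA below are constructed for this example."""
import re
from typing import List, Set

# Constructed sample workflow; the 40-hex SHA is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: Scorecard supply-chain security
on:
  schedule:
    - cron: '25 6 * * 6'
  push:
    branches: [ "main" ]

permissions: read-all

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
    steps:
      - name: "Checkout code"
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - name: "Upload artifact"
        uses: actions/upload-artifact@v3
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v\d")
# Flow-style lists only (`branches: [ "a", "b" ]`); block-style `- name` lists are not parsed here.
BRANCHES_RE = re.compile(r"^\s*branches:\s*\[(?P<items>[^\]]*)\]")


def check_action_pins(workflow: str) -> List[str]:
    """One finding per `uses:` that is not SHA-pinned, or is SHA-pinned without a version comment."""
    findings = []
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith(("./", "docker://")):
            continue  # local composite actions and container images are out of scope
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"line {lineno}: {action} is pinned to '{version}', not a 40-hex commit SHA")
        elif not (m.group("comment") and VERSION_COMMENT_RE.match(m.group("comment"))):
            findings.append(f"line {lineno}: {action} is SHA-pinned but has no '# vX.Y.Z' version comment")
    return findings


def check_push_branches(workflow: str, existing_branches: Set[str]) -> List[str]:
    """Flag `push:` branch filters naming a branch the repo lacks (the workflow would never run)."""
    findings = []
    push_indent = None  # indentation of the `push:` key while we are inside its block
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "push:":
            push_indent = indent
            continue
        if push_indent is None:
            continue
        if indent <= push_indent:
            push_indent = None  # dedented: left the push: block
            continue
        m = BRANCHES_RE.match(line)
        if not m:
            continue
        for item in m.group("items").split(","):
            name = item.strip().strip("\"'")
            if name and name not in existing_branches:
                findings.append(f"line {lineno}: push trigger filters on branch '{name}', which does not exist")
    return findings


def lint_workflow(workflow: str, existing_branches: Set[str]) -> List[str]:
    """Run both checks; pin findings first, then branch findings, each in file order."""
    return check_action_pins(workflow) + check_push_branches(workflow, existing_branches)


if __name__ == "__main__":
    # valkey's default branch is `unstable`; there is no `main`.
    for finding in lint_workflow(SAMPLE_WORKFLOW, {"unstable"}):
        print(finding)
```

Run against the sample it reports the unpinned `actions/upload-artifact@v3` and the `main` filter; against a fully SHA-pinned workflow with an `unstable` filter it returns an empty list, which makes it cheap to run as a pre-commit step on `.github/workflows/`.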
Successfully merging this pull request may close these issues.

OpenSSF scorecard + openSSF best practice.
4 participants