
Conversation

@JamieMagee (Member)

Add a workflow for OpenSSF Scorecards. This allows us to more easily follow the best security practices for open source packages.


Before the change?

  • No insight into the scorecard result

After the change?

  • OpenSSF Scorecard runs on every push to main and weekly on a schedule.

Pull request checklist

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No
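For readers who want to see what such a workflow looks like, here is an added example (not the workflow merged in this PR) using ossf/scorecard-action with the two triggers the description names; the action version tags, the cron expression and the results file name are assumptions.

```yaml
# Added illustration of an OpenSSF Scorecard workflow: push to main plus a
# weekly schedule. Not the workflow from this PR. Version tags, the cron
# expression and the results file name are assumptions; Scorecard's own
# Pinned-Dependencies check expects actions pinned to full commit SHAs.
name: OpenSSF Scorecard

on:
  push:
    branches: [main]
  schedule:
    - cron: '30 6 * * 1'   # assumed: every Monday 06:30 UTC
  workflow_dispatch:

# Read-only by default; write scopes are granted only on the job that needs them.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # needed to upload SARIF to code scanning
      id-token: write          # OIDC token used when publishing results

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # keep the job token out of .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishing is what makes the score visible in the scorecard.dev
          # viewer linked later in this discussion.
          publish_results: true

      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```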

@github-actions

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

@JamieMagee JamieMagee force-pushed the scorecard-workflow branch from b4b2754 to e262c5f July 26, 2024 18:39
@JamieMagee JamieMagee enabled auto-merge (squash) July 28, 2024 01:55
@kfcampbell kfcampbell (Contributor) left a comment

Out of curiosity, why OSSF?

@JamieMagee JamieMagee merged commit 6fadd28 into main Jul 29, 2024
@JamieMagee JamieMagee deleted the scorecard-workflow branch July 29, 2024 20:57
@JamieMagee (Member, Author)

@kfcampbell GitHub is a founding member of the OSSF. We already contribute to a lot of projects, and use a lot of tooling from the OSSF throughout GitHub. I found OSSF Scorecard useful when working in other projects, so I thought it would be a good idea to add it here as well.

Looks like we've got a score of 8.2 already! https://scorecard.dev/viewer/?uri=github.com/octokit/webhooks.net

@kfcampbell (Contributor)

Understood, thanks!
