Implement Fine-grained PAT For OpenSSF Scorecard #1417

Open

Jdubrick opened this issue Jan 8, 2024 · 3 comments
Jdubrick commented Jan 8, 2024

/kind user-story

Which area this user story is related to?

/area api
/area library
/area registry
/area alizer
/area devworkspace
/area registry-viewer

User Story

After the completion of #1298 we will need to add a Fine-grained PAT for our various repositories (may be possible to implement this on an organization level). This token will allow the OpenSSF scorecard to properly detect our branch protection rules and reflect that in the badge score.

During the implementation of the OpenSSF scorecards we left out the portion that included the Fine-grained PAT as it requires an owner to do so. The scorecard functions without that token but as stated above leaves out the branch protection score.

Each repository has a workflow file titled scorecard.yml, inside this file you will be able to find the commented instructions about the addition of this token. Example: https://github.com/devfile/library/blob/main/.github/workflows/scorecard.yml#L40

More information about the token and its implementation/setup can be found here:
https://github.com/marketplace/actions/ossf-scorecard-action#authentication-with-fine-grained-pat-optional
https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md

Acceptance Criteria

Step 1

  • Create Fine-grained token

Step 2

This token will need to be added to the following repositories (either as a repo secret or if possible as an org secret) as well as referencing it in the scorecard.yml workflow files for each repository.

  • devfile/alizer
  • devfile/api
  • devfile/library
  • devfile/registry-operator
  • devfile/registry-support
  • devfile/devfile-web
  • devfile/devworkspace-operator
@openshift-ci openshift-ci bot added kind/user-story User story for new enhancement area/api Enhancement or issue related to the api/devfile specification area/library Common devfile library for interacting with devfiles area/registry Devfile registry for stacks and infrastructure area/alizer Enhancement or issue related to the alizer repo area/devworkspace Improvement or additions to the DevWorkspaces CRD area/landing-page Issues with the Landing Page labels Jan 8, 2024
@Jdubrick Jdubrick added area/registry-viewer and removed area/landing-page Issues with the Landing Page labels Jan 8, 2024
@Jdubrick Jdubrick moved this to Refinement in Devfile Project Feb 29, 2024
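As an added check, not part of this issue or of any devfile repository's code: a small Python lint that takes the contents of each repository's scorecard.yml and verifies the wiring the acceptance criteria ask for. The three workflow texts below are constructed samples with placeholder 40-hex commit pins, not the real files; the secret name SCORECARD_TOKEN mirrors the commented template line the issue points at and is otherwise an assumption. A commented-out repo_token line is treated as unset, which is the state the issue describes.

```python
"""Lint scorecard.yml workflows for the fine-grained PAT wiring this issue asks for.

Added example, not devfile project code. For every repository it checks that
  1. an ossf/scorecard-action step exists and is pinned to a full commit SHA,
  2. its repo_token input is taken from a GitHub Actions secret,
  3. all repositories use the same secret name, so one org-level secret can back them.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample workflows; not the real scorecard.yml of any devfile repo.
# The 40-hex pins are placeholders and SCORECARD_TOKEN is an assumed secret name.
WORKFLOWS: Dict[str, str] = {
    # token wired in, action pinned by SHA
    "devfile/library": """
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Run analysis
        uses: ossf/scorecard-action@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # placeholder pin
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.SCORECARD_TOKEN }}
          publish_results: true
""",
    # template state: the token line is still commented out
    "devfile/alizer": """
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: ossf/scorecard-action@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # placeholder pin
        with:
          results_file: results.sarif
          results_format: sarif
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
          publish_results: true
""",
    # mutable tag instead of a SHA, and a secret name that differs from the others
    "devfile/api": """
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: ossf/scorecard-action@v2.3.1
        with:
          repo_token: ${{ secrets.OSSF_TOKEN }}
          publish_results: true
""",
}

STEP_RE = re.compile(r"^[ \t]*(?:-[ \t]+)?uses:[ \t]*ossf/scorecard-action@(\S+)", re.M)
NEXT_STEP_RE = re.compile(r"^[ \t]*-[ \t]+(?:name|uses|run):", re.M)
SECRET_RE = re.compile(
    r"^[ \t]*repo_token:[ \t]*\$\{\{[ \t]*secrets\.([A-Za-z_][A-Za-z0-9_]*)[ \t]*\}\}", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def strip_comments(text: str) -> str:
    """Drop whole-line YAML comments so a commented-out repo_token does not count as set."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def scorecard_step(text: str) -> Optional[Tuple[str, str]]:
    """Return (action ref, text of the scorecard step up to the next step) or None."""
    text = strip_comments(text)
    m = STEP_RE.search(text)
    if not m:
        return None
    rest = text[m.end():]
    nxt = NEXT_STEP_RE.search(rest)
    return m.group(1), (rest[: nxt.start()] if nxt else rest)


def lint_workflow(text: str) -> Tuple[Optional[str], List[str]]:
    """Return (secret name or None, findings) for one scorecard.yml."""
    step = scorecard_step(text)
    if step is None:
        return None, ["no ossf/scorecard-action step found"]
    ref, body = step
    findings: List[str] = []
    if not SHA_RE.match(ref):
        findings.append(f"scorecard-action pinned to '{ref}', not a full commit SHA")
    m = SECRET_RE.search(body)
    if not m:
        findings.append("repo_token not set from a secret; Branch-Protection check stays blind")
        return None, findings
    return m.group(1), findings


def lint_all(workflows: Dict[str, str]) -> Dict[str, List[str]]:
    """Lint every repository and flag secret names that differ between repositories."""
    report: Dict[str, List[str]] = {}
    by_secret: Dict[str, List[str]] = {}
    for repo, text in workflows.items():
        secret, findings = lint_workflow(text)
        report[repo] = findings
        if secret:
            by_secret.setdefault(secret, []).append(repo)
    if len(by_secret) > 1:  # one org-level secret needs one agreed name
        for secret, repos in by_secret.items():
            others = sorted(set(by_secret) - {secret})
            for repo in repos:
                report[repo].append(f"secret name '{secret}' differs from {others}")
    return report


if __name__ == "__main__":
    for repo, findings in lint_all(WORKFLOWS).items():
        print(repo, "OK" if not findings else findings)
```

Run against the real files, the loop body would read each repository's .github/workflows/scorecard.yml instead of the embedded samples; the checks themselves do not change. The SHA check is there because a scorecard workflow that holds a PAT with Administration read access should not pull in a mutable action tag.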

github-actions bot commented Apr 8, 2024

This issue is stale because it has been open for 90 days with no activity. Remove stale label or comment or this will be closed in 60 days.

@github-actions github-actions bot added the lifecycle/stale Stale items. These items have not been updated for 90 days. label Apr 8, 2024
@Jdubrick Jdubrick added devtools-week and removed lifecycle/stale Stale items. These items have not been updated for 90 days. labels Apr 8, 2024

This issue is stale because it has been open for 90 days with no activity. Remove stale label or comment or this will be closed in 60 days.

@github-actions github-actions bot added the lifecycle/stale Stale items. These items have not been updated for 90 days. label Sep 26, 2024
@github-actions github-actions bot added the lifecycle/rotten Rotten items. These items have been stale for 60 days and are now closed. label Nov 25, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Nov 25, 2024
@github-project-automation github-project-automation bot moved this from Refinement to Done ✅ in Devfile Project Nov 25, 2024
Jdubrick (Contributor, Author) commented:

Reopening for devtools week

@Jdubrick Jdubrick reopened this Nov 25, 2024
@Jdubrick Jdubrick moved this from Done ✅ to Backlog in Devfile Project Nov 25, 2024
@Jdubrick Jdubrick removed lifecycle/stale Stale items. These items have not been updated for 90 days. lifecycle/rotten Rotten items. These items have been stale for 60 days and are now closed. labels Nov 25, 2024
Projects: Status: Backlog