Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Repo adjustments for CLOMonitor #1508

Open
18 of 21 tasks
eddie-knight opened this issue Oct 5, 2022 · 9 comments
Open
18 of 21 tasks

Repo adjustments for CLOMonitor #1508

eddie-knight opened this issue Oct 5, 2022 · 9 comments
Labels
enhancement New feature or request no-issue-activity on-hold Issues or Pull Requests with this label will never be considered stale

Comments

@eddie-knight
Copy link
Contributor

eddie-knight commented Oct 5, 2022

Is your feature request related to a problem?

This relates to the discussion surrounding CLOMonitoring. I spoke offline with @pdrastil and it was determined that we should make an effort to hold this repository to a complete code standard as defined in the CLOMonitor docs.

CLOMonitor report

Summary

Repository: argo-helm
URL: https://github.com/argoproj/argo-helm
Checks sets: CODE
Score: 74

Checks passed per category

Category Score
Documentation 100%
License 75%
Best Practices 38%
Security 80%
Legal n/a

Checks

Documentation [100%]

License [75%]

  • Apache-2.0 (docs)
  • Approved license (docs)
  • License scanning (docs)

Best Practices [38%]

Security [80%]

  • Binary artifacts (docs)
  • Code review (docs)
  • Dangerous workflow (docs)
  • Dependency update tool (docs) EXEMPT
  • Maintained (docs)
  • Software bill of materials (SBOM) (docs) EXEMPT
  • Security policy (docs)
  • Signed releases (docs)
  • Token permissions (docs)

For more information about the checks sets available and how each of the checks work, please see the CLOMonitor's documentation.

@eddie-knight eddie-knight added the enhancement New feature or request label Oct 5, 2022
@eddie-knight
Copy link
Contributor Author

Note: exemptions are tolerated, even for repos that are scanned as part of the official CNCF project.

See example here: https://github.com/cncf/clomonitor/blob/main/docs/metadata/.clomonitor.yml

@eddie-knight
Copy link
Contributor Author

Regarding the artifact hub check... I'm thinking the options available are to either:

  1. skip the check (because there isn't one single badge to be added to the README)
  2. Add a list of badges to the README showing all of the available charts

@tegioz
Copy link

tegioz commented Oct 5, 2022

Hi @eddie-knight 👋

Just in case it helps, the link in the Artifact Hub badge generated from the control panel points to the repository, not to a single package. In the case of the argo repo, it should point to https://artifacthub.io/packages/search?repo=argo, covering all the charts 🙂

Screen Shot 2022-10-05 at 20 09 50

@eddie-knight
Copy link
Contributor Author

Thanks @tegioz -- appreciate the timely response!

@pdrastil
Copy link
Member

pdrastil commented Oct 7, 2022

@eddie-knight for dependency updates I found following combination based on this article

@eddie-knight
Copy link
Contributor Author

@pdrastil I just added an exclusion for dependency-related checks until we can get a good PR up to implement the dependency scanning and SBOM creation

@eddie-knight
Copy link
Contributor Author

The last change necessary for the Security checks would be to adjust the publish.yml to use helm package with package signing.

Currently that workflow is using helm/chart-releaser-action, which is a wrapper for helm/chart-releaser, and I found this note in chart-releaser:

If you wish to use advanced packaging options such as creating signed
packages or updating chart dependencies please use "helm package" instead.`,

https://github.com/helm/chart-releaser/blob/main/cr/cmd/package.go#L32-L33

Is this something we want to action?

@github-actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Dec 28, 2022
@mkilchhofer mkilchhofer reopened this May 5, 2023
@github-actions
Copy link

github-actions bot commented Jul 6, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@mkilchhofer mkilchhofer added the on-hold Issues or Pull Requests with this label will never be considered stale label Jul 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request no-issue-activity on-hold Issues or Pull Requests with this label will never be considered stale
Projects
None yet
Development

No branches or pull requests

4 participants