
QG checks (Release 24.12) #303

Closed
44 tasks done
evegufy opened this issue Nov 18, 2024 · 4 comments
documentation Improvements or additions to documentation

Comments

@evegufy
Contributor

evegufy commented Nov 18, 2024

QG checks

Please open and fill in this issue in your product repository to document the compliance with our Tractus-X Release Guideline (TRGs)

Show compliance with TRGs by referencing a tagged link in the respective repository where possible, example: TRG 1.01 (see github.com/eclipse-tractusx/example-repo/tree/1.0.0/README.md)

Close this issue once the compliance with the TRGs has been documented

Committer(s): @Phil91 @evegufy @ntruchsess
Helm Chart Version: 1.2.0
App Version: 1.2.0

Release Management Reference Issue: eclipse-tractusx/sig-release#921

Check of Tractus-X Release Guidelines

TRG 1 Documentation

TRG 2 Git

TRG 3 Kubernetes

  • TRG 3.02 persistent volume and persistent volume claim or database dependency (subchart) are in place when needed

TRG 4 Container

  • TRG 4.01 semantic versioning and tagging
  • TRG 4.02 base image is agreed
  • TRG 4.03 image has USER command and Non Root Container
  • TRG 4.05 released image must be placed in DockerHub, remove GHCR references
  • TRG 4.06 separate notice file for DockerHub has all necessary information
  • TRG 4.07 root file system is set to read access by default, but can be overwritten by the user

TRG 5 Helm

  • TRG 5.01 Helm chart requirements
  • TRG 5.02 Helm chart location in /charts directory and correct structure
  • TRG 5.03 proper version strategy
  • TRG 5.04 CPU / MEM resource requests and limits are properly set
  • TRG 5.06 Application must be configurable through the Helm chart
  • TRG 5.07 Dependencies are present and properly configured in the Chart.yaml
  • TRG 5.08 Product has a single deployable helm chart that contains all components
  • TRG 5.09 Helm Test running properly
  • TRG 5.10 Products need to support 3 versions at a time
  • TRG 5.11 Upgradeability

TRG 6 Released Helm Chart

TRG 7 Open Source Governance

  • TRG 7.01 Legal Documentation
  • TRG 7.02 License and copyright header
  • TRG 7.03 IP checks for project content
  • TRG 7.04 IP checks for 3rd party content
  • TRG 7.05 Legal information for distributions
  • TRG 7.06 Legal information for end user content
  • TRG 7.07 Legal notice for documentation (non-code)
  • TRG 7.08 Legal notice for KIT documentation

TRG 8 Security

  • TRG 8.01 Mitigate high and above findings in CodeQL
  • TRG 8.02 Mitigate high and above findings in KICS
  • TRG 8.04 Mitigate high and above findings in Trivy
  • TRG 8.03 No secret findings by GitGuardian or TruffleHog

TRG 9 UX/UI Styleguide

  • TRG 9.01 UI consistency/styleguide for UI

Hints

Information Sharing

@evegufy evegufy added the documentation Improvements or additions to documentation label Nov 18, 2024
@github-project-automation github-project-automation bot moved this to NEW USER REQUEST in Portal Nov 18, 2024
@evegufy evegufy moved this from NEW USER REQUEST to BACKLOG in Portal Nov 18, 2024
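As an added illustration of what TRG 4.03 (non-root container), TRG 4.07 (read-only root filesystem by default, overridable by the user) and TRG 5.04 (resource requests and limits) look like in a chart. This is example code written for this page, not the ssi-credential-issuer chart's own templates; the chart name `issuer`, the image reference and the resource figures are assumptions.

```yaml
# --- values.yaml (excerpt, assumed defaults) ---
# TRG 4.07: read-only root filesystem is the default, but a user can
# override it from their own values file (e.g. --set securityContext.readOnlyRootFilesystem=false)
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  capabilities:
    drop: ["ALL"]

# TRG 5.04: both requests and limits are set, figures are placeholders
resources:
  requests:
    cpu: 250m
    memory: 512Mi
  limits:
    cpu: "1"
    memory: 1Gi

image:
  name: docker.io/example-org/issuer   # assumed; TRG 4.05 asks for a DockerHub image, not GHCR
  tag: 1.2.0

# --- templates/deployment.yaml (excerpt) ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-issuer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: issuer
  template:
    metadata:
      labels:
        app: issuer
    spec:
      # TRG 4.03: pod-level guard, the kubelet refuses to start a container whose
      # image resolves to UID 0 when runAsNonRoot is true
      securityContext:
        runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
        runAsUser: {{ .Values.securityContext.runAsUser }}
        runAsGroup: {{ .Values.securityContext.runAsGroup }}
        fsGroup: {{ .Values.securityContext.runAsGroup }}
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: issuer
          image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          # With a read-only root filesystem the application still needs a
          # writable scratch location; an emptyDir on /tmp covers that
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```

To verify the rendered result rather than the template, `helm template` the chart and inspect the `securityContext` and `resources` blocks of the Deployment; on a running cluster, `kubectl get pod <name> -o jsonpath='{.spec.containers[*].securityContext}'` shows the effective container settings.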
@evegufy
Contributor Author

evegufy commented Nov 21, 2024

example from previous release #223

@dhiren-singh-007
Contributor

dhiren-singh-007 commented Nov 22, 2024

TRG 1 Documentation

TRG 2 Git

TRG 3 Kubernetes

  • TRG 3.02 persistent volume and persistent volume claim or database dependency (subchart) are in place when needed

TRG 4 Container

TRG 5 Helm

TRG 6 Released Helm Chart

TRG 7 Open Source Governance

TRG 8 Security

Hints

Information Sharing

@evegufy
Contributor Author

evegufy commented Nov 27, 2024

Hi @dhiren-singh-007, it's great that you get to know the Tractus-X Release Guidelines!

In the following, some explanation for the TRGs which aren't check-boxed yet:

Please see final version https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0/CHANGELOG.md

Please see final version https://github.com/eclipse-tractusx/ssi-credential-issuer/tree/v1.2.0/docs/admin

N/A due to the nature of the product.

Please see final version https://github.com/eclipse-tractusx/ssi-credential-issuer/tree/v1.2.0/docs/api

  • TRG 3.02 persistent volume and persistent volume claim or database dependency (subchart) are in place when needed

The chart has a db subchart in place which manages the persistence https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0/charts/ssi-credential-issuer/Chart.yaml#L27

  • TRG 5.02 Helm chart location in /charts directory and correct structure

helmignore file is available https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0/charts/ssi-credential-issuer/.helmignore but adding `values?.yaml` and `values?.yml` wouldn't make sense as we don't maintain any such file in the charts directory. Example for when such an entry makes sense: https://github.com/eclipse-tractusx/sd-factory/tree/v2.1.14/charts/sdfactory

  • TRG 7.03 IP checks for project content

Here you should try to understand what the dependencies check does https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0/.github/workflows/dependencies.yml and check if it runs without any error on the tag. In addition you should familiarise yourself with the Eclipse Dash Tool, and execute the Eclipse Dash Tool commands in the workflow locally to make sure that no dependencies are restricted, see https://github.com/eclipse-tractusx/ssi-credential-issuer/blob/v1.2.0/DEPENDENCIES

  • TRG 7.04 IP checks for 3rd party content

In this repository there are no examples of such 3rd party content, but you should still be familiar with the content of the TRG

  • TRG 7.06 Legal information for end user content

The repository doesn't include a frontend component, therefore N/A.

@evegufy
Contributor Author

evegufy commented Nov 27, 2024

Regarding

Yes, right, in order to check this, you'd need access to the security tab of the repo, which requires maintenance/committer permissions. I check it's all fine.

The same applies also to the following TRGs:

TRG 8 Security

  • TRG 8.01 Mitigate high and above findings in CodeQL
  • TRG 8.02 Mitigate high and above findings in KICS
  • TRG 8.04 Mitigate high and above findings in Trivy
  • TRG 8.03 No secret findings by GitGuardian or TruffleHog

Checking the workflow, especially the runs, is good, but constantly monitoring the security tab and making sure that security alerts are managed is also the responsibility of a committer.
