Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DISCUSSION: v4 milestone #1121

Closed
laurentsimon opened this issue Oct 7, 2021 · 20 comments
Closed

DISCUSSION: v4 milestone #1121

laurentsimon opened this issue Oct 7, 2021 · 20 comments
Labels
kind/enhancement New feature or request
Milestone

Comments

@laurentsimon
Copy link
Contributor

laurentsimon commented Oct 7, 2021

To start thinking of our next step towards v4 release, let's write some ideas in this issue. We're thinking of v4 release for EOY 2021.

We can talk about them during next scorecard meeting, create issues and assign them to contributors, and then have them as milestones. Here a list to start with:

  • Scorecard scaled to 1M+ repos (P1)
  • Scorecard adoption (could be showcasing how to use scorecard to vet dependencies @naveensrinivasan)
  • Scorecard CI/CD action finished (market place and verified?)
  • Allstar policy for scorecard (joint with allstar)
  • Scorecard badges
  • Scorecard E2E tests
  • Stackdriver cost optimization
  • GitHub API rate limits
  • Scorecard contributing + communication process
  • SLSA compliance checks, verification (doc, 1-2 checks)

Please add what you think is worth discussing about. This will help for selection and prioritization.

Thanks everyone!

@laurentsimon laurentsimon added the kind/enhancement New feature or request label Oct 7, 2021
@asraa
Copy link
Contributor

asraa commented Oct 7, 2021

Random thought that might be nice to do for another release (not sure when v4 is on the timeline): scorecard as in-toto attestation? would mean defining a scorecard predicate and having an output format for that.

Higher levels could sign the envelope (e.g. a github-runner could run scorecard and then sign the in-toto proving that it ran scorecard.

@laurentsimon
Copy link
Contributor Author

Random thought that might be nice to do for another release (not sure when v4 is on the timeline): scorecard as in-toto attestation? would mean defining a scorecard predicate and having an output format for that.

Higher levels could sign the envelope (e.g. a github-runner could run scorecard and then sign the in-toto proving that it ran scorecard.

Thanks for the suggestion, @asraa!
We were thinking v4 release EOY.

@naveensrinivasan
Copy link
Member

@laurentsimon Thanks, Probably add this as a milestone once we have consensus?

@azeemshaikh38
Copy link
Contributor

To expand on Laurent's comment, we are looking for contributors interested in owning some these KRs end-to-end.

  • Scorecard E2E tests

(i) enable e2e tests on ossf-test repos #861
(ii) generalize e2e tests to run on RepoClient interface - #1113 (comment)

Also, the below KRs either require community inputs or a general helping hand:

  • Scorecard adoption (could be showcasing how to use scorecard to vet dependencies @naveensrinivasan)
  • Scorecard contributing + communication process

Finally, items to help reduce technical debt. Not part of Milestone V4, more like ongoing KRs which help improve code quality:

@naveensrinivasan @chrismcgehee @david-a-wheeler FYI. Let us know if you would like to see anything else added here.

@laurentsimon
Copy link
Contributor Author

@naveensrinivasan also proposed doing a scorecard demo/blog post on using scorecard to vet dependencies automatically.

@naveensrinivasan
Copy link
Member

@naveensrinivasan also proposed doing a scorecard demo/blog post on using scorecard to vet dependencies automatically.

More understand the state of dependencies with scorecard data

@laurentsimon
Copy link
Contributor Author

automatic documentation generation #898

@laurentsimon
Copy link
Contributor Author

GitHub action issue #193. v4 milestone added.

@laurentsimon
Copy link
Contributor Author

This issue #426 is an important one, especially the pull_request_target trigger.

@laurentsimon
Copy link
Contributor Author

laurentsimon commented Oct 20, 2021

Adding lines/filenames to our results #725 is an important issue we should tackle for v4 since it improves the UX experience in the GitHub scanning dashboard

@laurentsimon
Copy link
Contributor Author

laurentsimon commented Oct 20, 2021

@oliverchang will tackle #1148. Thanks Oliver!

@laurentsimon
Copy link
Contributor Author

FYI, Asra @asraa will tackle part of #426. Thanks you Asra!

@laurentsimon
Copy link
Contributor Author

This is also useful #435 (comment)

@laurentsimon
Copy link
Contributor Author

laurentsimon commented Nov 15, 2021

Would love to have dangerous workflows in v4 #1168, if possible
Long-term, I think we'll merge Token-Permissions into it, as well as the GH workflow pinning that currently lives under pinned dependencies.

@azeemshaikh38 azeemshaikh38 added this to the milestone v4 milestone Nov 16, 2021
@azeemshaikh38
Copy link
Contributor

We seem to have a lot more v4 issues than initially discussed. Do we have the time commitment to complete all these extra items? Please note that we are aiming for a mid-Jan timeframe for a v4 release. And with a winter break, it does not give us a lot of time. @laurentsimon @naveensrinivasan

Extra issues I noted: #1174, #1196, #1038, #1260, #1270, #1275, #1238.

@laurentsimon
Copy link
Contributor Author

I've removed the first one. The others are best effort. Many are simple enough that it's doable, and they improve the checks: I think it's god if we can fix those small issues before releasing. The ignore list for binary artifacts would be great, so I added in case I have time.

@laurentsimon
Copy link
Contributor Author

laurentsimon commented Dec 10, 2021

Aiming for a release mid-January 2022. What's left:

  1. verify GH action for market place (WIP)
  2. documentation of the action
  3. submit starter workflows (WIP)
  4. Test end to end flow of installation
  5. Install action on a few repos OSSF owns and others
  6. Release notes
  7. Blog post prep

We have a v1 milestone on the action repo https://github.com/ossf/scorecard-action/issues?q=is%3Aopen+is%3Aissue+milestone%3Av1

@georgettica
Copy link

hey! I found this v4 when testing locally

docker run -v ${PWD}:/app -e SCORECARD_V4=y -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:stable --show-details --local=/app

makes it much faster to make my codebase comply with scorecard

@laurentsimon
Copy link
Contributor Author

laurentsimon commented Dec 21, 2021

note that when running on a local repo --local=, not all the checks are run. Checks that are run are those that do not use GitHub APIs. Supported checks are indicated thru a repos: local in this file https://github.com/ossf/scorecard/blob/main/docs/checks/internal/checks.yaml#L47

FYI, this https://github.com/ossf/scorecard/pull/1405/files will remove the need for SCORECARD_V4 once merged.

@laurentsimon
Copy link
Contributor Author

Closing since v4 is out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

5 participants