DISCUSSION: v4 milestone #1121
Comments
Random thought that might be nice to do for another release (not sure when v4 is on the timeline): scorecard as in-toto attestation? Would mean defining a scorecard predicate and having an output format for that. Higher levels could sign the envelope (e.g. a github-runner could run scorecard and then sign the in-toto proving that it ran scorecard). |
Thanks for the suggestion, @asraa! |
@laurentsimon Thanks, probably add this as a milestone once we have consensus? |
To expand on Laurent's comment, we are looking for contributors interested in owning some of these KRs end-to-end.
(i) enable e2e tests on Also, the below KRs either require community inputs or a general helping hand:
Finally, items to help reduce technical debt. Not part of Milestone V4, more like ongoing KRs which help improve code quality:
@naveensrinivasan @chrismcgehee @david-a-wheeler FYI. Let us know if you would like to see anything else added here. |
@naveensrinivasan also proposed doing a scorecard demo/blog post on using scorecard to vet dependencies automatically. |
More understand the state of dependencies with scorecard data |
automatic documentation generation #898 |
GitHub action issue #193. v4 milestone added. |
This issue #426 is an important one, especially the |
Adding lines/filenames to our results #725 is an important issue we should tackle for v4 since it improves the UX experience in the GitHub scanning dashboard |
@oliverchang will tackle #1148. Thanks Oliver! |
This is also useful #435 (comment) |
Would love to have dangerous workflows in v4 #1168, if possible |
We seem to have a lot more v4 issues than initially discussed. Do we have the time commitment to complete all these extra items? Please note that we are aiming for a mid-Jan timeframe for a v4 release. And with a winter break, it does not give us a lot of time. @laurentsimon @naveensrinivasan Extra issues I noted: #1174, #1196, #1038, #1260, #1270, #1275, #1238. |
I've removed the first one. The others are best effort. Many are simple enough that it's doable, and they improve the checks: I think it's good if we can fix those small issues before releasing. The ignore list for binary artifacts would be great, so I added in case I have time. |
Aiming for a release mid-January 2022. What's left:
We have a v1 milestone on the action repo https://github.com/ossf/scorecard-action/issues?q=is%3Aopen+is%3Aissue+milestone%3Av1 |
hey! I found this v4 when testing locally
makes it much faster to make my codebase comply with scorecard |
note that when running on a local repo FYI, this https://github.com/ossf/scorecard/pull/1405/files will remove the need for |
Closing since v4 is out. |
To start thinking of our next step towards v4 release, let's write some ideas in this issue. We're thinking of v4 release for EOY 2021.
We can talk about them during the next scorecard meeting, create issues and assign them to contributors, and then have them as milestones. Here is a list to start with:
Please add what you think is worth discussing. This will help for selection and prioritization.
Thanks everyone!