Skip to content

Commit

Permalink
docs: Minor cleanups including lint warnings and structure
Browse files Browse the repository at this point in the history
Signed-off-by: Stephen Augustus <foo@auggie.dev>
  • Loading branch information
justaugustus authored and UlisesGascon committed Jun 27, 2024
1 parent 93b107a commit a3a9c4c
Show file tree
Hide file tree
Showing 5 changed files with 40 additions and 53 deletions.
6 changes: 1 addition & 5 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,16 +2,14 @@

All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.

### [1.0.1](https://github.com/ossf/scorecard-monitor/compare/v1.0.0...v1.0.1) (2023-02-15)

## [1.0.1](https://github.com/ossf/scorecard-monitor/compare/v1.0.0...v1.0.1) (2023-02-15)

### Other

* added github action branding ([831364a](https://github.com/ossf/scorecard-monitor/commits/831364aaf4654af1bbc4747fcbc414539b9d7a74))

## 1.0.0 (2023-02-15)


### Features

* added basic github action definition ([f98ce7c](https://github.com/ossf/scorecard-monitor/commits/f98ce7c0affd8559f37e5fbf2f9a2c3e30242eca))
Expand All @@ -32,12 +30,10 @@ All notable changes to this project will be documented in this file. See [standa
* simplified legacy code ([eb024ed](https://github.com/ossf/scorecard-monitor/commits/eb024ed84e505433bb89098c65140e43b5784e7c))
* WIP core logic ([939ebba](https://github.com/ossf/scorecard-monitor/commits/939ebba0c1d773237366620cefd77e2a54afff09))


### Bug Fixes

* minor bugs ([#4](https://github.com/ossf/scorecard-monitor/issues/4)) ([e07d7f7](https://github.com/ossf/scorecard-monitor/commits/e07d7f7dd38efa5caaf64d0c548752f2ae54ed45))


### Other

* added actions dependencies ([42029e2](https://github.com/ossf/scorecard-monitor/commits/42029e2788dfae7ad0b2ffd9011b085d46b10416))
Expand Down
53 changes: 26 additions & 27 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,50 +13,49 @@ project. This document describes the contribution guidelines for the project.
> For more details, see the [LF DCO wiki](https://wiki.linuxfoundation.org/dco)
> or [this Pi-hole signoff guide](https://docs.pi-hole.net/guides/github/how-to-signoff/).
* [Contributing code](#contributing-code)
* [Getting started](#getting-started)
* [Environment Setup](#environment-setup)
* [New to Node.js?](#new-to-nodejs)
* [Contributing steps](#contributing-steps)
* [Running the project locally](#running-the-project-locally)
* [Installing the project dependencies](#installing-the-project-dependencies)
* [Running tests](#running-tests)
* [Linting the codebase](#linting-the-codebase)
* [What to do before submitting a pull request](#what-to-do-before-submitting-a-pull-request)
* [PR Process](#pr-process)
* [Where the CI Tests are configured](#where-the-ci-tests-are-configured)
* [Updating Docs](#updating-docs)
- [Contributing code](#contributing-code)
- [Getting started](#getting-started)
- [Environment Setup](#environment-setup)
- [New to Node.js?](#new-to-nodejs)
- [Contributing steps](#contributing-steps)
- [Running the project locally](#running-the-project-locally)
- [Installing the project dependencies](#installing-the-project-dependencies)
- [Running tests](#running-tests)
- [Linting the codebase](#linting-the-codebase)
- [What to do before submitting a pull request](#what-to-do-before-submitting-a-pull-request)
- [PR Process](#pr-process)
- [Where the CI Tests are configured](#where-the-ci-tests-are-configured)
- [Updating Docs](#updating-docs)

## Contributing code

### Getting started

1. Create [a GitHub account](https://github.com/join)
1. Create a [personal access token](https://docs.github.com/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)
1. Set up your [development environment](#environment-setup)
1. Create [a GitHub account](https://github.com/join)
1. Create a [personal access token](https://docs.github.com/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)
1. Set up your [development environment](#environment-setup)

### Environment Setup

You must install these tools:

1. [`git`](https://help.github.com/articles/set-up-git/): For source control
1. [`git`](https://help.github.com/articles/set-up-git/): For source control

1. [`node`](https://nodejs.org/en/download/package-manager): You need node version
`v20+`. The project includes support for [nvm](https://github.com/nvm-sh/nvm).
1. [`node`](https://nodejs.org/en/download/package-manager): You need node version `v20+`. The project includes support for [nvm](https://github.com/nvm-sh/nvm).

### New to Node.js?

If you're unfamiliar with Node.js, there are plenty of articles, resources, and books.
We recommend starting with several resources from the official Node.js website:

* [Introduction to Node.js](https://nodejs.org/en/learn/getting-started/introduction-to-nodejs)
- [Introduction to Node.js](https://nodejs.org/en/learn/getting-started/introduction-to-nodejs)

## Contributing steps

1. Identify an existing issue you would like to work on, or submit an issue describing your proposed change to the repo in question.
1. The maintainers will respond to your issue promptly.
1. Fork this repo, develop, and test your code changes.
1. Submit a pull request.
1. Identify an existing issue you would like to work on, or submit an issue describing your proposed change to the repo in question.
1. The maintainers will respond to your issue promptly.
1. Fork this repo, develop, and test your code changes.
1. Submit a pull request.

## Running the project locally

Expand All @@ -73,6 +72,7 @@ First, check that you are using Node v20+ and then execute `npm ci` instead of `
Currently, the project is using [Jest](https://jestjs.io/) and [Snapshot Testing](https://jestjs.io/docs/snapshot-testing).

You have several options to run the tests:

- `npm run test`: this will run the tests
- `npm run test:update`: this will run the tests and update the snapshots
- `npm run test:coverage` this will run the tests and generate a coverage report as terminal output and in HTML format that can be found in the `coverage/` folder
Expand Down Expand Up @@ -109,9 +109,8 @@ change, it's generally encouraged to submit the bugfix separately, but if you mu
## Where the CI Tests are configured

1. See the [action files](.github/workflows) to check its tests, and the
scripts used on it.
1. See the [action files](.github/workflows) to check its tests, and the scripts used on it.

## Updating Docs

The documentation can be found in the [README](./README.md). Any changes that are merged to `main` will be reflected directly on https://github.com/marketplace/actions/openssf-scorecard-monitor. Therefore, documentation changes do not require a specific release.
The documentation can be found in the [README](./README.md). Any changes that are merged to `main` will be reflected directly on the [GitHub Actions Marketplace](https://github.com/marketplace/actions/openssf-scorecard-monitor), so documentation changes do not require a specific release.
20 changes: 7 additions & 13 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,25 +2,19 @@

**Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts.**

---

**📢 IMPORTANT**

This project is now part of the [OpenSSF](https://openssf.org/) organization. You can find more information about it in [this announcement](https://github.com/ossf/scorecard-monitor/issues/79).

---
*This project is part of [OpenSSF Scorecard](https://github.com/ossf/scorecard). Read [the announcement](https://github.com/ossf/scorecard-monitor/issues/79) for more details.*

## 🔮 About

If you're feeling overwhelmed by an avalanche of repository scorecards in your organization, you can breathe easy: Automation is here to make your life easier! It will streamline the process of keeping track of them all by providing a comprehensive report in Markdown and a local database in JSON with all the scores. Furthermore, to stay on top of any changes in the scores, you can choose to get notifications through Github Issues.
If you're feeling overwhelmed by an avalanche of scorecards across your organizations, you can breathe easy: automation is here to make your life easier! Scorecard Monitor streamlines the process of keeping track of them all by providing a comprehensive report in Markdown and a local database in JSON with all the scores. To stay on top of any changes in the scores, you can also choose to get notifications through Github Issues.

## ✅ Requirements

Please ensure that any repository you wish to track with Scorecard Monitor has already been analyzed by [OpenSSF Scorecard](https://github.com/ossf/scorecard) at least once. This can be accomplished using the official [GitHub Action](https://github.com/ossf/scorecard-action) or the [Scorecard CLI](https://github.com/ossf/scorecard?tab=readme-ov-file#scorecard-command-line-interface).

It's also possible that some repositories in your organization are already being [automatically tracked](https://github.com/ossf/scorecard/blob/main/docs/faq.md#can-i-preview-my-projects-score) by OpenSSF in this [CSV file](https://github.com/ossf/scorecard/blob/main/cron/internal/data/projects.csv) via weekly cronjob. One caveat: Automatically tracked projects _do not_ include [certain checks](https://github.com/ossf/scorecard/issues/3438) in their analysis (`CI-Tests,Contributors,Dependency-Update-Tool,Webhooks`).

If you're not sure whether a specific project is already using Scorecard, you can always spot-check with the following URL pattern: `https://securityscorecards.dev/viewer/?uri=github.com/<ORG_NAME>/<REPO_NAME>` (substitute `<ORG_NAME>` and `<REPO_NAME>` as appropriate). The [Scorecard API](https://api.securityscorecards.dev/) is also able to fetch scores for a given repository.
If you're not sure whether a specific project is already using OpenSSF Scorecard, you can always spot-check with the following URL pattern: `https://securityscorecards.dev/viewer/?uri=github.com/<ORG_NAME>/<REPO_NAME>` (substitute `<ORG_NAME>` and `<REPO_NAME>` as appropriate). The [Scorecard API](https://api.scorecard.dev/) is also able to fetch scores for a given repository.

## 📺 Tutorial

Expand All @@ -31,7 +25,7 @@ If you would like to contribute to the documentation, please feel free to open a

- Easy to use with great customization
- Easy to patch the scoring as the reports includes a direct link to [StepSecurity](https://app.stepsecurity.io)
- Easy way to visualize the scorecard results with [The Scorecard Visualizer](https://ossf.github.io/scorecard-visualizer/#/projects/github.com/nodejs/node) or [deps.dev](https://deps.dev/project/github/nodejs%2Fnode)
- Easy way to visualize results with [Scorecard Visualizer](https://ossf.github.io/scorecard-visualizer/#/projects/github.com/nodejs/node) or [deps.dev](https://deps.dev/project/github/nodejs%2Fnode)
- Cutting-edge feature that effortlessly compares OpenSSF scorecards between previous and current commits with [The Scorecard Visualizer Comparator](https://ossf.github.io/scorecard-visualizer/#/projects/github.com/nodejs/node/compare/39a08ee8b8d3818677eb823cb566f36b1b1c4671/19fa9f1bc47b0666be0747583bea8cb3d8ad5eb1)
- Discovery mode: list all the repos in one or many organizations that are already being tracked with [OpenSSF Scorecard](https://github.com/ossf/scorecard)
- Reporting in Markdown with essential information (hash, date, score) and comparative against the prior score
Expand All @@ -42,7 +36,7 @@ If you would like to contribute to the documentation, please feel free to open a
- Extend the markdown template with you own content by using tags
- Easy to modify the files and ensure the integrity with JSON Schemas
- The report data is exported as an output and can be used in the pipeline
- Great test coverage (in progress)
- Great test coverage

### 🎉 Demo

Expand Down Expand Up @@ -136,7 +130,7 @@ jobs:
- `report-tags-enabled`: Defines if the markdown report must be created/updated around tags by default is disabled. This is useful if the report is going to be include in a file that has other content on it, like docusaurus docs site or similar
- `report-start-tag` Defines the start tag, default `<!-- OPENSSF-SCORECARD-MONITOR:START -->`
- `report-end-tag`: Defines the closing tag, default `<!-- OPENSSF-SCORECARD-MONITOR:END -->`
- `render-badge`: Defines if the OpenSSF badge must be rendered in the reportor to only show the score
- `render-badge`: Defines if the OpenSSF Scorecard badge must be rendered in the reporter to only show the score
- `report-tool`: Defines the reporting review tool in place: `scorecard-visualizer` [Example](https://ossf.github.io/scorecard-visualizer/#/projects/github.com/nodejs/node) or `deps.dev` [Example](https://deps.dev/project/github/nodejs%2Fnode), by default `scorecard-visualizer`

### Outputs
Expand Down Expand Up @@ -285,4 +279,4 @@ Just for reference, the database will store the current value and previous value

## 💪 Contributing

Please read [CONTRIBUTING.md](https://github.com/UlisesGascon/.github/blob/main/contributing.md) for details on our code of conduct and the process for submitting pull requests to us. You need to accept DCO 1.1 in order to make contributions.
Please read [CONTRIBUTING.md](https://github.com/ossf/scorecard-monitor/blob/main/CONTRIBUTING.md) for details on our code of conduct and the process for submitting pull requests to us. You need to accept DCO 1.1 in order to make contributions.
8 changes: 3 additions & 5 deletions RELEASE.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,12 @@ This document describes the process for releasing a new version of the Scorecard

In order to generate a new release, it is recommended to use the commands:


```
```console
npm run release:minor
npm run release:patch
npm run release:major
```


This includes all the changes in the [CHANGELOG](./CHANGELOG.md) and ensures that the `package.json` and `package-lock.json` are up to date.

You can discard the tag that has been generated locally, as we won't use it.
Expand All @@ -33,5 +31,5 @@ In order to create a new release, follow these steps:
3. Target the new release version, like `v.1.0.3-beta5`. Note that you can use metadata like `-beta5` and you must include `v` as prefix.
4. Mark `Set as the latest release`
5. (Optionally) mark `Set as a pre-release` if it is non-production ready.
6. :bulb: **Hint:** You can check another release ([example](https://github.com/ossf/scorecard-monitor/releases/tag/v2.0.0-beta7)) to follow the style for title and description (_Main Changes, PRs, New contributions_).
7. Click the `Generate release notes` button in the top right to automatically populate the release description.
6. :bulb: **Hint:** You can check another release ([example](https://github.com/ossf/scorecard-monitor/releases/tag/v2.0.0-beta7)) to follow the style for title and description (_Main Changes, PRs, New contributions_).
7. Click the `Generate release notes` button in the top right to automatically populate the release description.
6 changes: 3 additions & 3 deletions action.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: 'OpenSSF Scorecard Monitor'
description: 'Monitor OpenSSF Scorecard Evolution over time'
author: 'Ulises Gascon'
description: 'Monitor OpenSSF Scorecard evolution over time'
author: 'OpenSSF Scorecard Authors'

inputs:
scope:
Expand Down Expand Up @@ -56,7 +56,7 @@ inputs:
required: false
default: "10"
render-badge:
description: 'Render the OSSF badge in the report'
description: 'Render the OpenSSF Scorecard badge in the report'
required: false
default: "false"
report-tool:
Expand Down

0 comments on commit a3a9c4c

Please sign in to comment.