ably / repository-audit

Oversight for our estate of repositories, in particular those in the public domain. Audit. Monitor. Conform.
Apache License 2.0

Status badges for repositories to use to show their audit status #39

Open QuintinWillison opened 2 years ago

QuintinWillison commented 2 years ago

I've been happily musing away on this in another issue (here and then here, in response to @paddybyers's comment here).

I'm now creating this issue to represent this feature.

My current thinking is that a badge for our ably-js repository, indicating status for all checks run across that repository, would live at:

https://sdk.ably.com/builds/ably/repository-audit/main/badges/ably-js.svg

Deep-linking into the downstream repository report output:

https://github.com/ably/repository-audit-report/blob/main/ably.md#ably-js

Therefore the following being added to the top of the README.md document in ably-js:

[![Audit Status](https://sdk.ably.com/builds/ably/repository-audit/main/badges/ably-js.svg)](https://github.com/ably/repository-audit-report/blob/main/ably.md#ably-js)

An implication for this is that the report document would always need to have a deep-linkable heading for every repository it's audited (in this case #ably-js), even if everything was a PASS.
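As an added illustration of the scheme described in the comment above (not code from ably/repository-audit), the following Python generates a badge SVG for a repository, the README badge line, and a report in which every audited repository gets a heading whether or not it passed, so the deep link always resolves. The badge base URL and report URL are the ones proposed above; the anchor slug rule and the check names are assumptions.

```python
import re
from html import escape

BADGE_BASE = "https://sdk.ably.com/builds/ably/repository-audit/main/badges"
REPORT_URL = "https://github.com/ably/repository-audit-report/blob/main/ably.md"

def overall_status(check_results):
    """Roll all check results for one repository up to PASS or FAIL."""
    return "PASS" if all(ok for _, ok in check_results) else "FAIL"

def github_heading_anchor(heading):
    """Approximate GitHub's anchor slug for a Markdown heading (assumption)."""
    slug = re.sub(r"[^\w\- ]", "", heading.strip().lower())
    return slug.replace(" ", "-")

def badge_svg(status):
    """Minimal shields-style SVG: green for PASS, red for anything else."""
    colour = "#4c1" if status == "PASS" else "#e05d44"
    return (
        '<svg xmlns="http://www.w3.org/2000/svg" width="120" height="20">'
        '<rect width="60" height="20" fill="#555"/>'
        f'<rect x="60" width="60" height="20" fill="{colour}"/>'
        '<text x="30" y="14" fill="#fff" font-size="11" text-anchor="middle">audit</text>'
        f'<text x="90" y="14" fill="#fff" font-size="11" text-anchor="middle">{escape(status)}</text>'
        "</svg>"
    )

def readme_badge_markdown(repo):
    """The README line proposed in the comment above, for a given repository."""
    anchor = github_heading_anchor(repo)
    return f"[![Audit Status]({BADGE_BASE}/{repo}.svg)]({REPORT_URL}#{anchor})"

def report_markdown(audit):
    """One heading per audited repository, emitted even when every check
    passed, so the badge's deep link always has a target."""
    lines = ["# ably"]
    for repo, checks in sorted(audit.items()):
        lines.append(f"\n## {repo}\n")
        lines.append(f"Overall: {overall_status(checks)}\n")
        for name, ok in checks:
            lines.append(f"- {name}: {'PASS' if ok else 'FAIL'}")
    return "\n".join(lines) + "\n"

# Constructed sample results; the check names are placeholders, not the real audit's.
SAMPLE_AUDIT = {
    "ably-js": [("license-file", True), ("branch-protection", True)],
    "ably-ruby": [("license-file", True), ("branch-protection", False)],
}
```

Writing `badge_svg(overall_status(checks))` to `badges/<repo>.svg` for each entry produces the files the badge URL above would serve.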

QuintinWillison commented 2 years ago

An alternative could be for the status badge svg files to live in the downstream report repository, which has the advantage that they would be committed as an atomic change in the same commit that changed the report which has some result meaning that they needed to change.

We could then use GitHub's ability to serve repository contents up raw. So, for example:

https://raw.githubusercontent.com/ably/repository-audit/main/badges/ably-js.svg

However, there may be limits that suggest our using this feature would be borderline abusive of GitHub's offering. 🤔

Though, even if we don't serve them via raw.githubusercontent.com, it is perhaps still logical as a workflow for us to commit them to the downstream repository anyway. This means that the S3 upload operation could be kept discrete, meaning that it can be run independently of the report publish (to re-sync, or if it fails for reasons unrelated to pure audit report generation).