OpenTelemetry SIG Maintainers Allstar Onboarding Guide

Welcome, SIG Maintainers! This document serves as a comprehensive guide to onboard your repositories into the Allstar governance framework, part of the Open Source Security Foundation (OpenSSF) initiative to ensure security best practices. Ensuring your repositories are compliant with Allstar checks is a significant step toward maintaining high security standards, which is crucial especially for those looking to graduate within the OpenTelemetry organization.

Prerequisites

Before proceeding, ensure you are a SIG maintainer with administrative access to the repository(s) you wish to onboard.

Understanding the Allstar Checks

Allstar enforces various security policies through checks:

• Security Policy security.yaml: Verifies the presence of a SECURITY.md file for reporting security issues.
• Binary Artifacts binary_artifacts.yaml: Prevents binary artifacts in code, with designated exceptions.
• Branch Protection branch_protection.yaml: Ensures proper branch protection settings.
• GitHub Actions actions.yaml: Monitors for compliance with specific GitHub Action requirements.
• Repository Administrators admin.yaml: Checks for adherence to repository administrator guidelines.

Step 1: Prepare Your Repository

1. Review Allstar Checks: Familiarize yourself with the list of Allstar checks and understand what each policy entails.
2. Compliance: Ensure your repository complies with the guidelines outlined in each check. This may involve adding a SECURITY.md file, adjusting branch protection rules, managing binary artifacts, setting up specific GitHub Actions, and revising repository administrator privileges.

Step 2: Onboarding Request

1. Open an Issue: Navigate to the .allstar repository within the OpenTelemetry organization on GitHub and open a new issue for your onboarding request.
2. Issue Details: Include the following information in your issue:
   • The name of the SIG and repository(s) you wish to onboard.
   • A statement confirming your review and compliance with the Allstar checks.
   • Any specific configurations or exceptions you wish to apply to your repository.

Step 3: Configuration

Upon approval of your request, the repository will be configured according to the Allstar policies. This involves:

1. Adding Your Repository to the Config: The .allstar repository will be updated to include your repository in the optInRepos list or any specific policy configurations you discussed.
2. Customization: If your repository requires special considerations, these will be addressed during the configuration phase.

Step 4: Monitoring and Maintenance

With Allstar enabled:

• Automatic Checking: Allstar will periodically check your repository for compliance with the configured policies.
• Issue Creation: If non-compliance is detected, Allstar will automatically open issues in your repository, detailing the findings and providing steps for resolution.
• Stay Compliant: It's crucial to address the issues raised by Allstar promptly to maintain security standards.

Conclusion

Onboarding your repository with Allstar is a significant step towards enhancing the security and integrity of the OpenTelemetry project. By following this guide, you will streamline the process, ensuring your repository meets the organization's requirements for graduation and beyond.