argoproj / argo-helm

ArgoProj Helm Charts
https://argoproj.github.io/argo-helm/
Apache License 2.0

Repo adjustments for CLOMonitor #1508

Open eddie-knight opened 1 year ago

eddie-knight commented 1 year ago

Is your feature request related to a problem?

This relates to the discussion surrounding CLOMonitoring. I spoke offline with @pdrastil and it was determined that we should make an effort to hold this repository to a complete code standard as defined in the CLOMonitor docs.

CLOMonitor report

Summary

Repository: argo-helm
URL: https://github.com/argoproj/argo-helm
Checks sets: CODE
Score: 74

Checks passed per category

Category Score
Documentation 100%
License 75%
Best Practices 38%
Security 80%
Legal n/a

Checks

Documentation [100%]

License [75%]

Best Practices [38%]

Security [80%]

For more information about the checks sets available and how each of the checks work, please see the CLOMonitor's documentation.

eddie-knight commented 1 year ago

Note: exemptions are tolerated, even for repos that are scanned as part of the official CNCF project.

See example here: https://github.com/cncf/clomonitor/blob/main/docs/metadata/.clomonitor.yml

eddie-knight commented 1 year ago

Regarding the artifact hub check... I'm thinking the options available are to either:

  1. skip the check (because there isn't one single badge to be added to the README)
  2. Add a list of badges to the README showing all of the available charts

tegioz commented 1 year ago

Hi @eddie-knight 👋

Just in case it helps, the link in the Artifact Hub badge generated from the control panel points to the repository, not to a single package. In the case of the argo repo, it should point to https://artifacthub.io/packages/search?repo=argo, covering all the charts 🙂

eddie-knight commented 1 year ago

Thanks @tegioz -- appreciate the timely response!

pdrastil commented 1 year ago

@eddie-knight for dependency updates I found the following combination based on this article

eddie-knight commented 1 year ago

@pdrastil I just added an exclusion for dependency-related checks until we can get a good PR up to implement the dependency scanning and SBOM creation

eddie-knight commented 1 year ago

The last change necessary for the Security checks would be to adjust the publish.yml to use helm package with package signing.

Currently that workflow is using helm/chart-releaser-action, which is a wrapper for helm/chart-releaser, and I found this note in chart-releaser:

If you wish to use advanced packaging options such as creating signed
packages or updating chart dependencies please use "helm package" instead.

https://github.com/helm/chart-releaser/blob/main/cr/cmd/package.go#L32-L33

Is this something we want to action?
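
As an added illustration of the change discussed above (this is example code, not the repository's publish.yml): a workflow job that packages and signs each chart with helm package --sign, verifies every package against its .prov file before anything is published, and only then hands the pre-built packages to chart-releaser. The secret names (GPG_PRIVATE_KEY, GPG_PASSPHRASE, GPG_KEY_NAME), the charts/ layout and the use of chart-releaser-action's skip_packaging input are assumptions.

```yaml
# Added example, not the repository's own publish.yml: package and sign each
# chart with "helm package --sign", verify the .prov files, then upload.
name: publish-signed-charts
on:
  push:
    branches: [main]
jobs:
  package-sign-verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v3
      - name: Import signing key into a GPG v1 keyring (helm cannot read pubring.kbx)
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}   # assumed secret
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}     # assumed secret
        run: |
          set -euo pipefail
          umask 077
          printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --import
          printf '%s' "$GPG_PASSPHRASE" > "$RUNNER_TEMP/passphrase"
          gpg --batch --pinentry-mode loopback --passphrase-file "$RUNNER_TEMP/passphrase" \
            --export-secret-keys > "$RUNNER_TEMP/secring.gpg"
          gpg --batch --export > "$RUNNER_TEMP/pubring.gpg"
      - name: Package and sign each chart
        env:
          GPG_KEY_NAME: ${{ secrets.GPG_KEY_NAME }}         # assumed secret
        run: |
          set -euo pipefail
          mkdir -p .cr-release-packages
          for chart in charts/*/; do
            helm dependency update "$chart"
            helm package "$chart" --destination .cr-release-packages \
              --sign --key "$GPG_KEY_NAME" \
              --keyring "$RUNNER_TEMP/secring.gpg" \
              --passphrase-file "$RUNNER_TEMP/passphrase"
          done
      - name: Verify every package against its .prov before publishing
        run: |
          set -euo pipefail
          for tgz in .cr-release-packages/*.tgz; do
            helm verify "$tgz" --keyring "$RUNNER_TEMP/pubring.gpg"
          done
      - name: Upload the pre-built packages (assumes the skip_packaging input)
        uses: helm/chart-releaser-action@v1
        with:
          skip_packaging: true
        env:
          CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Helm's signing code reads the legacy GPG keyring format, which is why the job exports secring.gpg and pubring.gpg from the GnuPG 2 keybox instead of pointing helm at ~/.gnupg directly; the verify step fails the run if any .prov signature or checksum does not match its package.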

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
