cncf / toc

⚖️ The CNCF Technical Oversight Committee (TOC) is the technical governing body of the CNCF Foundation.
https://cncf.io

[SANDBOX PROJECT ONBOARDING] OpenFGA #921

Closed amye closed 11 months ago

amye commented 2 years ago

Welcome to CNCF Project Onboarding! This is an issue created to help onboard your project into the CNCF after the TOC has voted to accept your project. We would like to complete onboarding within one month of acceptance.

From the project side, please ensure that you:

Things that CNCF will need from the project:

Things that the CNCF will do or help the project to do:

aaguiarz commented 2 years ago

@amye our CI/CD pipeline currently uses tools like Semgrep/Snyk for vulnerability scanning/FOSSA for licensing, in their non-free tiers, paid by Okta. Those run from GitHub Actions.

I see we can get FOSSA with CNCF's help, not sure if we can get Snyk for vulnerability scanning.

Can we keep using Snyk for vulnerability scanning and the paid Semgrep tier, or should we move to free tiers?

Thanks

aaguiarz commented 2 years ago

We are currently using Discord. Should we start using Slack?

  • Adrian Tam <adrian.tam@okta.com> (@adriantam)
  • Andres Aguiar <andres.aguiar@okta.com> (@aaguiarz)
  • Craig Pastro <craig.pastro@okta.com> (@craigpastro)
  • Damian Schenkelman <damian@okta.com> (@dschenkelman)
  • Jakub Hertyk <jakub.hertyk@okta.com> (@curfew-marathon)
  • Jonathan Whitaker <jonathan.whitaker@okta.com> (@jon-whit)
  • Maria Ines Parnisari <maria.inesparnisari@okta.com> (@miparnisari)
  • Mat Dupont <mat.dupont@okta.com> (@matldupont)
  • Matthew Pereira <matthew.pereira@okta.com> (@matthewpereira)
  • Raghd Hamzeh <raghd.hamzeh@okta.com> (@rhamzeh)
  • Yamil Asusta <yamil.asusta@okta.com> (@elbuo8)

https://bestpractices.coreinfrastructure.org/en/projects/6374

aaguiarz commented 2 years ago

GitHub: ensure DCO or CLA are enabled for all GitHub repositories of the project

Do you have a preference?

We are currently using https://cla-assistant.io/ for CLAs, can we use https://easycla.lfx.linuxfoundation.org/#/ instead?

aaguiarz commented 2 years ago

We don't have analytics on the website. Should we integrate an analytics service? Any preference?

amye commented 2 years ago

> We don't have analytics on the website. Should we integrate an analytics service? Any preference?

If you don't already have one, no need!

amye commented 2 years ago

> GitHub: ensure DCO or CLA are enabled for all GitHub repositories of the project
>
> Do you have a preference?
>
> We are currently using https://cla-assistant.io/ for CLAs, can we use https://easycla.lfx.linuxfoundation.org/#/ instead?

Yes, the EasyCLA team is at https://jira.linuxfoundation.org/plugins/servlet/theme/portal/4/create/143 - they'll be able to help you out!

amye commented 2 years ago

> @amye our CI/CD pipeline currently uses tools like Semgrep/Snyk for vulnerability scanning/FOSSA for licensing, in their non-free tiers, paid by Okta. Those run from GitHub Actions.
>
> I see we can get FOSSA with CNCF's help, not sure if we can get Snyk for vulnerability scanning.
>
> Can we keep using Snyk for vulnerability scanning and the paid Semgrep tier, or should we move to free tiers?
>
> Thanks

@jeefy can help with Snyk or FOSSA

aaguiarz commented 2 years ago
  • [X] Website: Analytics transferred to projects@cncf.io

We don't have website analytics
aaguiarz commented 2 years ago

> jeefy can help with Snyk or FOSSA

@amye Can we keep Semgrep using our Okta license, or do we need to create an account for OpenFGA and move to a free tier?

Thanks!

lukaszgryglicki commented 2 years ago

DevStats page added.

aaguiarz commented 2 years ago

For transferring the domain here https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/create/63 should I set it this way?

Project: "None"
LF Stakeholder email: @caniszczyk's
Community Stakeholder email: mine

Thanks!

amye commented 2 years ago

> For transferring the domain here https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/create/63 should I set it this way?
>
> Project: "None"
> LF Stakeholder email: @caniszczyk's
> Community Stakeholder email: mine
>
> Thanks!

You want Project to be 'CNCF'.

aaguiarz commented 1 year ago

@amye Is it OK if we send the agreement in https://github.com/cncf/foundation/tree/main/agreements to @caniszczyk's email through DocuSign? Should we send it to someone else?

amye commented 1 year ago

> @amye Is it OK if we send the agreement in https://github.com/cncf/foundation/tree/main/agreements to @caniszczyk's email through DocuSign? Should we send it to someone else?

Send it to project-onboarding@cncf.io

aaguiarz commented 1 year ago
  • [X] Is your project in its own separate neutral github organization?
  • [X] GitHub: ensure 'thelinuxfoundation' and 'caniszczyk' are added as initial org owners, this helps us make sure we have continuity of GH ownership
aaguiarz commented 1 year ago

@jeefy could you please help me with Snyk and FOSSA?

aaguiarz commented 1 year ago

@amye In our notice.txt files we have "Copyright 2022 Okta, Inc.". I see other projects use "The Authors". Is it OK if we use "The OpenFGA Project Authors"? Should we mention CNCF?

caniszczyk commented 1 year ago

Andres, please see: https://github.com/cncf/foundation/blob/main/copyright-notices.md#copyright-notices

On Thu, Oct 20, 2022 at 8:44 AM Andrés Aguiar @.***> wrote:

> @amye In our notice.txt files we have "Copyright 2022 Okta, Inc.". I see other projects use "The Authors". Is it OK if we use "The OpenFGA Project Authors"? Should we mention CNCF?

-- Cheers,

Chris Aniszczyk https://aniszczyk.org

aaguiarz commented 1 year ago
  • [X] Website: ensure LF footer is there and website guidelines followed (if your project doesn't have a dedicated website, please adopt those guidelines to the README file of your project on GitHub).

Check https://openfga.dev/

caniszczyk commented 1 year ago

Also make sure you work on any issues found here :) https://clomonitor.io/projects/cncf/openfga

On Fri, Oct 21, 2022 at 7:28 AM Andrés Aguiar @.***> wrote:

> Check https://openfga.dev/

-- Cheers,

Chris Aniszczyk https://aniszczyk.org

aaguiarz commented 1 year ago

@jeefy now the GitHub org is part of CNCF's org, would it be possible to set up the integration with Snyk and FOSSA? Thanks a lot.

aaguiarz commented 1 year ago

@amye can you confirm if I should use @caniszczyk's emails as "LF Stakeholder" when transferring the domains? Thanks!

amye commented 1 year ago

It can be me, that's fine.

aaguiarz commented 1 year ago

https://jira.linuxfoundation.org/plugins/servlet/desk/portal/2/IT-24780

aaguiarz commented 1 year ago

I think we are done from our side, we still need help to:

Thanks for your help!

aaguiarz commented 1 year ago
  • [X] GitHub: ensure DCO or CLA are enabled for all GitHub repositories of the project

EasyCLA is now integrated.

aaguiarz commented 1 year ago

Domain transfer was completed.

aaguiarz commented 1 year ago

@amye The rest of the items that are unchecked are completed too:

We don't have Slack channels, we are using Discord. Should we create a Slack channel in CNCF's Slack?

In Openfga.dev, there's a CNCF icon at the bottom left that links to https://www.linuxfoundation.org/legal/trademark-usage let us know if that does not work.

aaguiarz commented 1 year ago

@amye @jeefy can we get help with FOSSA/Snyk? We are using our own configuration and we want to make sure the license checks are compliant with CNCF's.

Thanks a lot

amye commented 1 year ago

I'll let @jeefy weigh in on Fossa, but last thing: do you want a space on community.cncf.io?

aaguiarz commented 1 year ago

@amye Not yet, can we do it later, when we start to see the need? Thanks!

amye commented 1 year ago

Awesome!

aaguiarz commented 1 year ago

@jeefy can you help us integrate FOSSA/Snyk?

aaguiarz commented 1 year ago

@jeefy ping :) We really need to get that integration done... Thanks!

amye commented 1 year ago

This is on our list, @RobertKielty may also be assisting here :)

jeefy commented 1 year ago

Not only did this fall off my radar, my radar just ceased functioning. My bad.

@aaguiarz all maintainers should have invitations to Snyk in their inboxes (if not already, soon)

aaguiarz commented 1 year ago

Thanks @jeefy ! Can we also get access to FOSSA? We have it already configured for OSS Licensing Compliance but we are using our keys.

aaguiarz commented 1 year ago
  • [X] Adopt a license scanning tool, like FOSSA or Snyk

@amye this is done, we can close the task :)

aaguiarz commented 1 year ago

> Also make sure you work on any issues found here :) https://clomonitor.io/projects/cncf/openfga

We got there! ☺️ cc @caniszczyk

Cmierly commented 11 months ago

All tasks have been completed! Closing this out.