Open Jdubrick opened 10 months ago
This issue is stale because it has been open for 90 days with no activity. Remove stale label or comment or this will be closed in 60 days.
/kind user-story
Which area this user story is related to?
/area api /area library /area registry /area alizer /area devworkspace /area registry-viewer
User Story
After the completion of https://github.com/devfile/api/issues/1298 we will need to add a Fine-grained PAT for our various repositories (may be possible to implement this on an organization level). This token will allow the OpenSSF scorecard to properly detect our branch protection rules and reflect that in the badge score.
During the implementation of the OpenSSF scorecards we left out the portion that included the Fine-grained PAT as it requires an owner to do so. The scorecard functions without that token but as stated above leaves out the branch protection score.
Each repository has a workflow file titled `scorecard.yml`; inside this file you will be able to find the commented instructions about the addition of this token. Example: https://github.com/devfile/library/blob/main/.github/workflows/scorecard.yml#L40
More information about the token and its implementation/setup can be found here: https://github.com/marketplace/actions/ossf-scorecard-action#authentication-with-fine-grained-pat-optional and https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Acceptance Criteria
Step 1
Step 2
This token will need to be added to the following repositories (either as a repo secret or, if possible, as an org secret), as well as referencing it in the `scorecard.yml` workflow files for each repository.
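For reference, this is what the relevant step of a `scorecard.yml` looks like once the token is wired in. It is an added illustration, not a copy of the devfile repositories' actual workflow: the secret name `SCORECARD_TOKEN` and the action version placeholder are assumptions, and the permission scope the fine-grained PAT needs should be taken from the scorecard-action docs linked above rather than from this snippet. The only change required in the existing workflows is uncommenting the `repo_token` line so that `ossf/scorecard-action` authenticates with the PAT instead of the default `GITHUB_TOKEN`, which cannot read branch protection settings on a public repo.

```yaml
# Added example (not the project's own file). Shows the scorecard job step
# with the fine-grained PAT enabled; everything else mirrors the upstream
# scorecard-action template.
name: Scorecard supply-chain security
on:
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ "main" ]

# Default to no permissions; grant only what the scorecard job needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload the SARIF results to code scanning
      id-token: write          # publish results to the OpenSSF REST API (badge)
    steps:
      - name: "Checkout code"
        uses: actions/checkout@<pinned-sha>   # placeholder: pin to a full commit SHA
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@<pinned-sha>   # placeholder: pin to a full commit SHA
        with:
          results_file: results.sarif
          results_format: sarif
          # Fine-grained PAT stored as a repo (or org-level) Actions secret.
          # Without it the Branch-Protection check is skipped and the badge
          # score understates the repository's protections. The secret name
          # SCORECARD_TOKEN is an assumption; use whatever name the secret was
          # created under, and scope the PAT read-only to exactly the
          # repositories that run this workflow.
          repo_token: ${{ secrets.SCORECARD_TOKEN }}
          publish_results: true

      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@<pinned-sha>   # placeholder
        with:
          sarif_file: results.sarif
```

If the secret is created at the organization level, choose "selected repositories" visibility and add only the devfile repositories that run this workflow; that keeps the PAT out of any repository that has no scorecard job, and the token itself should have no write permissions anywhere.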