Open Jdubrick opened 4 months ago
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: Jdubrick. Once this PR has been reviewed and has the lgtm label, please assign aobuchow for approval. For more information see the Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
@Jdubrick Thank you for the PR :) I added some comments for clarification on certain details. Is there a link to the schema for SECURITY-INSIGHTS.yml that I should consult?
Hey Andrew, that is my fault, I forgot to include the link in my description. You can find it here: https://github.com/ossf/security-insights-spec/blob/main/specification.md
To answer your comments:
- project-release is just the release number that the SECURITY-INSIGHTS.yml file is confirmed to cover. I believe you can release and not update the insights, but then it would technically be 'outdated'.
- commit-hash is the last commit that the SECURITY-INSIGHTS.yml file covers.
- Yes, that is correct, it should point to the cycle. Is there a better link that I should place there?
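The two header fields discussed above, project-release and commit-hash, are exactly the ones that fall behind when a release ships without the insights file being refreshed. Below is an added example, not part of this PR or of the devfile project, of a small check a CI job could run to flag that drift; the embedded YAML, the example-org URL, the release string and the commit hash are all constructed placeholders, and the parser deliberately handles only the flat header subset of the spec rather than full YAML.

```python
import re
from datetime import date

# Constructed sample of a SECURITY-INSIGHTS.yml header block (hypothetical
# values, not the project's real file). Only the flat "section / key: value"
# layout is used, which is what the header section of the spec looks like.
SAMPLE_INSIGHTS = """\
header:
  schema-version: 1.0.0
  expiration-date: '2025-01-01T00:00:00.000Z'
  last-updated: '2024-01-15'
  commit-hash: 0123456789abcdef0123456789abcdef01234567
  project-url: https://github.com/example-org/example-repo
  project-release: v1.2.0
  license: https://github.com/example-org/example-repo/blob/main/LICENSE
project-lifecycle:
  status: active
"""

# A full git SHA-1 object name: 40 lowercase hex digits.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_sections(text):
    """Parse the two-level 'section:' / '  key: value' subset of YAML used by
    the insights header. Deliberately minimal: no lists, no deeper nesting,
    no multi-line scalars. Use a real YAML library for the whole file."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith(" "):
            # Top-level key such as "header:" opens a new section.
            current = raw.strip().rstrip(":")
            sections[current] = {}
            continue
        if current is None:
            raise ValueError("indented line before any section: %r" % raw)
        # Split on the first colon only, so URL values keep their "https:".
        key, _, value = raw.strip().partition(":")
        sections[current][key.strip()] = value.strip().strip("'\"")
    return sections


def check_header(text, current_release, head_commit, today):
    """Return a list of findings for the header block. current_release and
    head_commit describe what the repository is actually at; the function
    flags an insights file that has fallen behind them or has expired."""
    header = parse_sections(text).get("header", {})
    findings = []
    for required in ("schema-version", "expiration-date", "commit-hash",
                     "project-url", "project-release"):
        if required not in header:
            findings.append("missing header.%s" % required)
    commit = header.get("commit-hash", "")
    if commit and not SHA1_RE.match(commit):
        findings.append("commit-hash is not a full 40-hex git SHA-1")
    elif commit and commit != head_commit:
        findings.append("commit-hash %s is not HEAD %s: file covers an older commit"
                        % (commit[:12], head_commit[:12]))
    release = header.get("project-release")
    if release and release != current_release:
        findings.append("project-release %s != current release %s: insights file is outdated"
                        % (release, current_release))
    expires = header.get("expiration-date")
    if expires:
        try:
            # Compare on the calendar date; the time-of-day suffix is ignored.
            if date.fromisoformat(expires[:10]) < today:
                findings.append("expiration-date %s has passed" % expires)
        except ValueError:
            findings.append("expiration-date %r is not an ISO-8601 date" % expires)
    return findings


if __name__ == "__main__":
    head = "0123456789abcdef0123456789abcdef01234567"
    print("up to date:", check_header(SAMPLE_INSIGHTS, "v1.2.0", head, date(2024, 6, 1)))
    print("after a release:", check_header(SAMPLE_INSIGHTS, "v1.3.0", "f" * 40, date(2025, 6, 1)))
```

In a pipeline the two repository-side inputs would come from the tag being released and `git rev-parse HEAD`; a non-empty findings list is the signal that the insights file needs to be bumped in the same PR as the release.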
As we are currently working through this to add the insight file to Devfile repos, can we place this PR on hold until it is fully hashed out? We are noticing issues related to certain fields in one of our other repos.
cc @AObuchow
What does this PR do?
This PR adds the SECURITY-INSIGHTS.yml file that is required as part of https://github.com/devfile/api/issues/1396. This is due to an effort to increase our score on the CLOMonitor, where we are actively trying to improve our repositories and adhere to open source best practices. The addition of this file will provide the monitor with valuable information such as current release, licensing, repo activity status, current maintainers, contributing policy and dependencies.
What issues does this PR fix or reference?
fixes https://github.com/devfile/api/issues/1396
Is it tested? How?
No testing required; the file does not alter the way the project works.
PR Checklist
(/test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
- v8-devworkspace-operator-e2e: DevWorkspace e2e test
- v8-che-happy-path: Happy path for verification integration with Che