Closed alinskens closed 1 year ago
We do have Helm charts maintained by the community here https://artifacthub.io/packages/helm/fluxcd-community/flux2 but I can't figure out the badge URL for ArtifactHub. As for Dependency update tool, we have our own GitHub Action.
Token permissions (from OpenSSF Scorecard), ID: token_permissions. This check determines whether the project's automated workflow tokens are set to read-only by default.
@alinskens this requirement feels very wrong to me. How are we supposed to use Goreleaser and publish signed checksums, binaries, container images, SBOM, etc. if the release workflow must be set to read-only? For reference, here is our workflow: https://github.com/fluxcd/flux2/blob/main/.github/workflows/release.yaml

```yaml
permissions:
  contents: write # needed to write releases
  id-token: write # needed for keyless signing
  packages: write # needed for ghcr access
```
@alinskens can you please remove the fluxcd/flux repo from this https://clomonitor.io/projects/cncf/flux-project? Flux v1 is no longer maintained and we'll archive that repo on 1st of November this year. cc @dholbach
> How are we supposed to use Goreleaser and publish signed checksums, binaries, container images, SBOM, etc. if the release workflow must be set to read-only?
This has been an ongoing discussion, and I've currently got an open PR to address the issue.
@eddie-knight @alinskens thanks for all the help. The only thing left is the "Token permissions"; should we keep this issue open till https://github.com/ossf/scorecard/pull/2355 is fixed? From our side there is nothing left to do.
@stefanprodan We got that issue released on Scorecard yesterday and integrated into CLOMonitor this morning! 👏
The only thing left to do is take advantage of the changes by moving write permission allocations to the job level. I'll try to get a PR up this morning if I can spare a cycle for it.
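The job-level layout described above, as an added illustration rather than the actual fluxcd/flux2 release workflow: the workflow-level default stays read-only (which is what the Scorecard token_permissions check looks at), and only the publishing job is granted the three write scopes from the original snippet. Job names, the `make test` step and the action versions are assumptions for the example.

```yaml
name: release
on:
  push:
    tags: ['v*']

# Workflow-level default: every job starts with a read-only GITHUB_TOKEN.
# Any job that needs more must request it explicitly in its own block.
permissions:
  contents: read

jobs:
  test:
    # Inherits the read-only default; a compromised test step cannot
    # push releases, packages or mint an OIDC token.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test   # assumed build/test entry point

  release:
    needs: test
    runs-on: ubuntu-latest
    # Write scopes live only here, scoped to the one job that publishes.
    permissions:
      contents: write   # needed to write releases
      id-token: write   # needed for keyless signing
      packages: write   # needed for ghcr access
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: goreleaser/goreleaser-action@v5
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```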
This repo is signed up as part of the KubeCon Security Slam. I'm bringing to your attention the checklist from the official CLOMonitor page for Flux -- it refreshes every hour, so it should be up-to-date.
CLOMonitor report

Summary
Repository: flux2
URL: https://github.com/fluxcd/flux2
Checks sets: CODE
Score: 86

Checks passed per category
- Documentation [100%]
- License [100%]
- Best Practices [100%]
  EXEMPT
- Security [90%]

For more information about the checks sets available and how each of the checks works, please see the CLOMonitor's documentation.