zhzhuang-zju
commented
3 weeks ago /help
Open zhzhuang-zju opened 3 weeks ago
zhzhuang-zju
commented
3 weeks ago /help
karmada-bot
commented
3 weeks ago @zhzhuang-zju: This request has been marked as needing help from a contributor.
Please ensure the request meets the requirements listed here.
If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.
zhzhuang-zju
commented
3 weeks ago cc @B1F030
B1F030
commented
3 weeks ago I'm glad to help! Can I take the license scanning first?
zhzhuang-zju
commented
3 weeks ago I'm glad to help! Can I take the
license scanningfirst?
done~
RainbowMango
commented
3 weeks ago Maybe we can have the badge of CLomonitor. See example at https://github.com/kubeflow/kubeflow/blob/master/README.md.
aditya7302
commented
3 weeks ago @RainbowMango I have added the CLOMonitor badge in my PR.
Akash-Singh04
commented
3 weeks ago Hey does this issue require any more help?If so, I would like to work on it
zhzhuang-zju
commented
3 weeks ago Hey does this issue require any more help?If so, I would like to work on it
Sure, go ahead. Please pick what interests you and do it~
aditya7302
commented
2 weeks ago @RainbowMango @zhzhuang-zju I have added top-level permission for ci-image-scanning workflow. Please review it.
Akash-Singh04
commented
2 weeks ago @RainbowMango @zhzhuang-zju I have added top-level permission for ci.yml and cli.yml workflow. Please review it.
zhzhuang-zju
commented
1 week ago @aditya7302 @Akash-Singh04 Thanks for your efforts on task Token permissions. Defining the minimal permission set for workflow is actually difficult, do you have any experiences to share? Besides, how can we effectively go about verifying the results(all I can think of at the moment is local verification)? Other than that, have you encountered any other difficulties? Looking forward to your feedback!
zhzhuang-zju
commented
1 week ago @aditya7302 @Akash-Singh04 Thanks for your efforts on task Token permissions. Defining the minimal permission set for workflow is actually difficult, do you have any experiences to share? Besides, how can we effectively go about verifying the results(all I can think of at the moment is local verification)? Other than that, have you encountered any other difficulties? Looking forward to your feedback!
I found the recommended steps and an online tool to complete the task Token permissions! refer to https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions:
The highest score is awarded when the permissions definitions in each workflow's yaml file are set as read-only at the top level and the required write permissions are declared at the run-level.
Following this criterion, the recommended steps are:
So, we had a problem with the previous implementation and needed to be revised.
To help determine the permissions needed for our workflows, we can use StepSecurity's online tool by ticking the "Restrict permissions for GITHUB_TOKEN". NOTE: Cleanup workflow's previously defined permissions before using it, and the result may be more precise.
aditya7302
commented
5 days ago @zhzhuang-zju As I am new to learning workflows, I primarily use local verification to test them. This method helps me ensure that the workflows function correctly within a controlled environment. However, I think that defining the minimal permission set for large workflows can be quite challenging.
zhzhuang-zju
commented
5 days ago @zhzhuang-zju As I am new to learning workflows, I primarily use local verification to test them. This method helps me ensure that the workflows function correctly within a controlled environment. However, I think that defining the minimal permission set for large workflows can be quite challenging.
I can't agree more~ Local verification is actually the safest way. Now with the tool Scan, this process is even easier. However, in some cases, the tool's database does not have permissions information of a certain action, we can only verify them locally or refer to other user-defined permissions. BTW, thank @aditya7302 and @Akash-Singh04 for your contributions.
What would you like to be added: CLOMonitor is a tool that periodically checks open source projects repositories to verify they meet certain project health best practices, and will provide a score card for each project based on the check results. Here is the score card for karmada: https://clomonitor.io/projects/cncf/karmada. As you can see, there's still some work to be done. Here list the check set that karmada did not pass.
[x] license scanning (@B1F030 #5050) Karamda completes the license scanning software scans in fossa workflow, so we only need add the
FOSSAlink in theREADMEfile. Regexps used:"(https://app.fossa.(?:io|com)/projects/[^"'\)]+)"[x] Artifact Hub badge (@B1F030 #5051)
[x] OpenSSF Scorecard badge (@B1F030 #5055) We have added the
OpenSSFScorecard badge in theREADMEfile in #5022, but the urlhttps://api.scorecard.dev/projects/github.com/karmada-io/karmada/badgedoes not match the specified regexps"(https://api.securityscorecards.dev/projects/github.com/[^/]+/[^/]+)/badge"and needs to be modified.[ ] Dependencies policy (@zhzhuang-zju)
[x] Software bill of materials (SBOM)(@zhzhuang-zju #5110)
[ ] Security insights (@zhzhuang-zju)
[ ] Signed releases Karmada images have been signed with
cosignsincerelease1.7, but we need add the SLSA provenance file in the assets for release (*.intoto.jsonl)[ ] Token permissions define topLevel permission for each workflow
Reference:
Why is this needed: Improving scores is not the ultimate goal, I hope to use this issue to make Karmada healthier and more mature