ENH: Add OSSF scorecard action to quantify open-source health #7197
Sounds reasonable to me. Do others want to comment before we merge?
This makes sense, and moving forward we should definitely introduce more badges in the README 👌
The badge currently associated with the README renders like this:
Since the contributed GitHub action has been tested independently in https://securityscorecards.dev/viewer/?uri=github.com/jamesobutler/Slicer, integrating makes sense.
Associated GitHub workflow completed ✅ See https://github.com/Slicer/Slicer/actions/runs/6005904413/job/16289500870
And score card renders as expected ✔️ See https://securityscorecards.dev/viewer/?uri=github.com/Slicer/Slicer
Qt lupdate threw warnings about unconsumed metadata for lines that had translator's comments (which are exported to the language translation file to provide additional context for translators) in the same line as the translatable text. For example:

    this->SupportedReadFileTypes->InsertNextValue(vtkMRMLTr("vtkMRMLColorTableStorageNode", "MRML Color Table") + " (.ctbl)"); //: file format name

The issue with this is that Qt expects the translator comment to be in the previous line, like this:

    //: File format name
    this->SupportedReadFileTypes->InsertNextValue(vtkMRMLTr("vtkMRMLColorTableStorageNode", "MRML Color Table") + " (.ctbl)");
This adds the OSSF scorecard action (https://github.com/ossf/scorecard-action) to display open-source health.
Some security engineering groups have requested that open-source repositories should display their OSSF score. Adding this GitHub action will help fulfill their request.
numpy is a major open source repo that has adopted the OSSF score and presents the badge on their readme. numpy's full scorecard https://securityscorecards.dev/viewer/?uri=github.com/numpy/numpy reports a 7.5 score.
As of right now the Slicer OSSF score is a 5.4 for my fork specifically (this will be slightly different for the Slicer upstream as there are protected branches in the upstream which will give a higher score). You may be able to see the score reported on my branch https://securityscorecards.dev/viewer/?uri=github.com/jamesobutler/Slicer.