Description
Five public, non-archived repos in the platform-mesh org are missing the ossf-scorecard.yml workflow, so they have no Scorecard data. We're flying blind on these repos.
The .github repo or any repo using the standard workflow can be used as a template.
Repos that need a Scorecard workflow
- kube-bind-provider
- example-httpbin-operator
- example-mongodb-multiclusterruntime
- samples-opendesk-ocm-landscaper
- poc-kcp-observability
Repos to skip (intentional)
These are docs/community/config repos where Scorecard adds little signal:
- architecture — design docs
- community — meeting notes / governance
- backlog — issue tracker (this repo)
- coderabbit — central reviewer config
Steps (per repo)
- Copy .github/workflows/ossf-scorecard.yml from a repo that already has it (e.g. account-operator).
- Open a PR against the repo's default branch.
- After merge, wait for the next scheduled run, then verify at https://api.securityscorecards.dev/projects/github.com/platform-mesh/<repo>.
Objectives
- All five repos publish Scorecard results.
- New issues filed in this epic for any high-severity findings that turn up.
Demo Required
None
Demo Steps
No response
Epic: #278
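One way to script the verify step and the high-severity triage from the objectives, as an added example that is not part of the original issue or the platform-mesh tooling. Assumptions: the API answers 404 for a repo with no published results, a check score of -1 means inconclusive, the threshold of 5 is arbitrary, and HIGH_RISK is a subset of the checks rated Critical or High in the Scorecard checks documentation; SAMPLE is constructed data.

```python
import json
import urllib.error
import urllib.request

API = "https://api.securityscorecards.dev/projects/github.com/platform-mesh/{repo}"
# Assumption: subset of checks rated Critical/High in the Scorecard checks docs.
HIGH_RISK = {"Dangerous-Workflow", "Token-Permissions", "Branch-Protection",
             "Vulnerabilities", "Binary-Artifacts", "Code-Review"}

# Constructed sample in the shape of an API result; not real data.
SAMPLE = {
    "repo": {"name": "github.com/platform-mesh/example-repo"},
    "score": 6.1,
    "checks": [
        {"name": "Token-Permissions", "score": 0, "reason": "constructed"},
        {"name": "Branch-Protection", "score": -1, "reason": "constructed"},
        {"name": "Dangerous-Workflow", "score": 10, "reason": "constructed"},
        {"name": "License", "score": 0, "reason": "constructed"},
    ],
}

def fetch(repo, timeout=10):
    """Return the parsed result for one repo, or None if nothing is published."""
    try:
        with urllib.request.urlopen(API.format(repo=repo), timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # assumed response when no run has published yet
            return None
        raise

def triage(result, threshold=5):
    """Return (failing, inconclusive) names among the high-risk checks."""
    failing, inconclusive = [], []
    for check in result.get("checks", []):
        if check["name"] not in HIGH_RISK:
            continue
        if check["score"] < 0:  # -1: Scorecard could not evaluate the check
            inconclusive.append(check["name"])
        elif check["score"] < threshold:
            failing.append(check["name"])
    return sorted(failing), sorted(inconclusive)

def report(repos, fetcher=fetch):
    """Map each repo to 'missing' or its (failing, inconclusive) triage."""
    out = {}
    for repo in repos:
        result = fetcher(repo)
        out[repo] = "missing" if result is None else triage(result)
    return out
```

Calling `report([...])` with the five repo names after the next scheduled run shows which repos still publish nothing and which high-risk checks need an issue in this epic.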