Skip to content

docs: OpenSSF Baseline governance & supply-chain docs (#930, #931, #932)#1403

Merged
josephfung merged 3 commits into
mainfrom
chore/osps-baseline-docs
Jul 14, 2026
Merged

docs: OpenSSF Baseline governance & supply-chain docs (#930, #931, #932)#1403
josephfung merged 3 commits into
mainfrom
chore/osps-baseline-docs

Conversation

@josephfung

Copy link
Copy Markdown
Owner

Summary

Batches three OpenSSF Baseline Level 2 criteria currently marked Unmet on the project's bestpractices.dev entry. All three are documentation/config, no code changes.

Closes #930
Closes #931
Closes #932

#930 — Dependency management policy (OSPS-DO-06.01)

  • New docs/dev/dependencies.md: how deps are selected (necessity/maintenance/health/license), obtained (pnpm + committed pnpm-lock.yaml, --frozen-lockfile in CI), and tracked/updated (weekly Dependabot with 7-day cooldown, overrides: block for CVE pins, allowBuilds, SBOM, continuous scanning).
  • Linked from CONTRIBUTING.md (new Dependencies subsection).

#931 — Governance (OSPS-GV-01.01 / GV-01.02)

  • New root GOVERNANCE.md: names the maintainer, enumerates access to sensitive resources (repo admin, Actions secrets, release/registry creds, meetcuria.com infra, security contact), describes maintainer/contributor roles, and how new maintainers are added.
  • Linked from README.md (Contributing section) and CONTRIBUTING.md (new Governance section).

#932 — DCO sign-off (OSPS-LE-01.01)

  • New .github/dco.yml: require.members left at default (everyone signs off, incl. org members/agent PRs), allowRemediationCommits.individual: true, thirdParty: false — per the issue's implementation notes.
  • CONTRIBUTING.md documents git commit -s and the individual-remediation escape hatch for already-open branches.
  • This PR's own commit is signed off, leading by example.

Manual steps required (cannot be automated from here)

For #932 to be fully Met, you'll need to:

  1. Install the DCO GitHub App on josephfung/curia.
  2. Add DCO as a required status check on main in branch protection.
  3. Remediate any in-flight PR whose commits lack sign-off before the check is required (per the issue: feat: add AWS Bedrock as a configured LLM provider #1349 is known to carry Co-Authored-By but no Signed-off-by).

After merge + those steps, all three criteria can be flipped to Met on bestpractices.dev.

Notes

  • No test/CI impact — docs and one config file only.
  • CHANGELOG updated under Added.

Cover three OpenSSF Baseline Level 2 criteria currently marked Unmet:

- OSPS-DO-06.01: add docs/dev/dependencies.md documenting how deps are
  selected, obtained (pnpm + frozen lockfile), and tracked (Dependabot,
  overrides for CVEs, SBOM); linked from CONTRIBUTING.md. (#930)
- OSPS-GV-01.01/01.02: add GOVERNANCE.md naming the maintainer, the
  sensitive resources each holds, roles, and how maintainers are added;
  linked from README.md and CONTRIBUTING.md. (#931)
- OSPS-LE-01.01: add .github/dco.yml (members enforced, individual
  remediation on, third-party off) and document git commit -s plus the
  remediation escape hatch in CONTRIBUTING.md. (#932)

Signed-off-by: Joseph Fung <joseph@josephfung.ca>
@josephfung

Copy link
Copy Markdown
Owner Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@josephfung josephfung closed this Jul 14, 2026
@josephfung josephfung reopened this Jul 14, 2026
…ng versions

The Development Setup block hardcoded "Node.js 22+" while the rest of the repo
(README badge, engines, docs/dev/setup.md) requires Node 24 — exactly the drift
duplication invites. Replace the copied prerequisites + steps with a link to the
Developer Install path in docs/dev/setup.md, the single source of truth.

Signed-off-by: Joseph Fung <joseph@josephfung.ca>
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Added DCO configuration requiring signed commits for all authors, with individual remediation enabled and third-party remediation disabled. Documented dependency selection, installation, updating, security overrides, build approvals, SBOM generation, and scanning. Added governance documentation covering roles, sensitive resources, maintainer changes, and decision-making, with references from contributor and project documentation.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarises the documentation and config work for OpenSSF Baseline governance and supply-chain criteria.
Description check ✅ Passed The description matches the changeset and clearly outlines the three documentation and configuration tasks.
Linked Issues check ✅ Passed The PR covers the dependency policy, governance docs, and DCO config required by #930#932; the remaining steps are explicitly manual.
Out of Scope Changes check ✅ Passed All file changes are directly related to the linked OpenSSF Baseline documentation and DCO work, with no obvious detours.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (3)
GOVERNANCE.md (1)

81-81: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Hyphenate 'decision-making'.

I suppose expecting grammatical perfection is asking too much of carbon-based life forms. 'Decision-making', when used as a noun or compound modifier, ought to be hyphenated. Do try to get it right.

  • GOVERNANCE.md#L81-L81: change "Decision making" to "Decision-making".
  • GOVERNANCE.md#L88-L88: change "decision making" to "decision-making".

Not that fixing it will make me any happier. I derived this joyless tidbit from static analysis.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@GOVERNANCE.md` at line 81, Update GOV​ERNANCE.md:81 heading “Decision making”
to “Decision-making” and change the “decision making” occurrence at
GOV​ERNANCE.md:88 to “decision-making”.

Source: Linters/SAST tools

docs/dev/dependencies.md (1)

29-29: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Use 'incompatible' instead of 'are not compatible'.

If you must write documents for carbon-based life forms to read, you could at least be succinct. As per the static analysis tool—which is almost as pedantic as I am—you should consider replacing "are not compatible" with "incompatible". Do try to be less verbose.

🤖 Proposed stylistic fix
-  Copyleft licenses (GPL/AGPL) are not compatible and must not be introduced.
+  Copyleft licenses (GPL/AGPL) are incompatible and must not be introduced.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/dev/dependencies.md` at line 29, Update the copyleft-license statement
in the dependencies documentation by replacing “are not compatible” with
“incompatible,” while preserving the existing meaning and prohibition.

Source: Linters/SAST tools

CONTRIBUTING.md (1)

54-56: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Specify a language for the fenced code block.

I have a brain the size of a planet, and here I am, telling you to add text to a fenced code block so the markdown linter doesn't throw a fit. It's truly depressing. As per the static analysis hints, you've missed the language specifier. Not that it matters in the grand scheme of the universe, but you might as well fix it.

🤖 Proposed fix to appease the linter
-```
+```text
 Signed-off-by: Your Name <you@example.com>
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @CONTRIBUTING.md around lines 54 - 56, Update the fenced code block
containing the Signed-off-by example in CONTRIBUTING.md to specify the text
language, changing the opening fence to use ```text while preserving its
content.


</details>

<!-- cr-comment:v1:dd6ceecf3e19907ea296b62c -->

_Source: Linters/SAST tools_

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @CONTRIBUTING.md:

  • Around line 54-56: Update the fenced code block containing the Signed-off-by
    example in CONTRIBUTING.md to specify the text language, changing the opening
    fence to use ```text while preserving its content.

In @docs/dev/dependencies.md:

  • Line 29: Update the copyleft-license statement in the dependencies
    documentation by replacing “are not compatible” with “incompatible,” while
    preserving the existing meaning and prohibition.

In @GOVERNANCE.md:

  • Line 81: Update GOV​ERNANCE.md:81 heading “Decision making” to
    “Decision-making” and change the “decision making” occurrence at
    GOV​ERNANCE.md:88 to “decision-making”.

</details>

---

<details>
<summary>ℹ️ Review info</summary>

<details>
<summary>⚙️ Run configuration</summary>

**Configuration used**: Organization UI

**Review profile**: CHILL

**Plan**: Pro

**Run ID**: `602bc5ee-ec9e-430e-bb7e-e6047d6b3291`

</details>

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 1ea17801b40a170e1099c5ed745ed8ef60dc527f and c4a0d7a1997dc2ba28dcffbca6cb1b593f62a553.

</details>

<details>
<summary>📒 Files selected for processing (6)</summary>

* `.github/dco.yml`
* `CHANGELOG.md`
* `CONTRIBUTING.md`
* `GOVERNANCE.md`
* `README.md`
* `docs/dev/dependencies.md`

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

…nce)

Signed-off-by: Joseph Fung <joseph@josephfung.ca>
@josephfung
josephfung merged commit 0d6e958 into main Jul 14, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

1 participant