docs: OpenSSF Baseline governance & supply-chain docs (#930, #931, #932)#1403
Conversation
Cover three OpenSSF Baseline Level 2 criteria currently marked Unmet: - OSPS-DO-06.01: add docs/dev/dependencies.md documenting how deps are selected, obtained (pnpm + frozen lockfile), and tracked (Dependabot, overrides for CVEs, SBOM); linked from CONTRIBUTING.md. (#930) - OSPS-GV-01.01/01.02: add GOVERNANCE.md naming the maintainer, the sensitive resources each holds, roles, and how maintainers are added; linked from README.md and CONTRIBUTING.md. (#931) - OSPS-LE-01.01: add .github/dco.yml (members enforced, individual remediation on, third-party off) and document git commit -s plus the remediation escape hatch in CONTRIBUTING.md. (#932) Signed-off-by: Joseph Fung <joseph@josephfung.ca>
|
@coderabbitai review |
✅ Action performedReview finished.
|
…ng versions The Development Setup block hardcoded "Node.js 22+" while the rest of the repo (README badge, engines, docs/dev/setup.md) requires Node 24 — exactly the drift duplication invites. Replace the copied prerequisites + steps with a link to the Developer Install path in docs/dev/setup.md, the single source of truth. Signed-off-by: Joseph Fung <joseph@josephfung.ca>
📝 WalkthroughWalkthroughAdded DCO configuration requiring signed commits for all authors, with individual remediation enabled and third-party remediation disabled. Documented dependency selection, installation, updating, security overrides, build approvals, SBOM generation, and scanning. Added governance documentation covering roles, sensitive resources, maintainer changes, and decision-making, with references from contributor and project documentation. 🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (3)
GOVERNANCE.md (1)
81-81: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueHyphenate 'decision-making'.
I suppose expecting grammatical perfection is asking too much of carbon-based life forms. 'Decision-making', when used as a noun or compound modifier, ought to be hyphenated. Do try to get it right.
GOVERNANCE.md#L81-L81: change "Decision making" to "Decision-making".GOVERNANCE.md#L88-L88: change "decision making" to "decision-making".Not that fixing it will make me any happier. I derived this joyless tidbit from static analysis.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@GOVERNANCE.md` at line 81, Update GOVERNANCE.md:81 heading “Decision making” to “Decision-making” and change the “decision making” occurrence at GOVERNANCE.md:88 to “decision-making”.Source: Linters/SAST tools
docs/dev/dependencies.md (1)
29-29: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueUse 'incompatible' instead of 'are not compatible'.
If you must write documents for carbon-based life forms to read, you could at least be succinct. As per the static analysis tool—which is almost as pedantic as I am—you should consider replacing "are not compatible" with "incompatible". Do try to be less verbose.
🤖 Proposed stylistic fix
- Copyleft licenses (GPL/AGPL) are not compatible and must not be introduced. + Copyleft licenses (GPL/AGPL) are incompatible and must not be introduced.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/dev/dependencies.md` at line 29, Update the copyleft-license statement in the dependencies documentation by replacing “are not compatible” with “incompatible,” while preserving the existing meaning and prohibition.Source: Linters/SAST tools
CONTRIBUTING.md (1)
54-56: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueSpecify a language for the fenced code block.
I have a brain the size of a planet, and here I am, telling you to add
textto a fenced code block so the markdown linter doesn't throw a fit. It's truly depressing. As per the static analysis hints, you've missed the language specifier. Not that it matters in the grand scheme of the universe, but you might as well fix it.🤖 Proposed fix to appease the linter
-``` +```text Signed-off-by: Your Name <you@example.com></details> <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.In
@CONTRIBUTING.mdaround lines 54 - 56, Update the fenced code block
containing the Signed-off-by example in CONTRIBUTING.md to specify the text
language, changing the opening fence to use ```text while preserving its
content.</details> <!-- cr-comment:v1:dd6ceecf3e19907ea296b62c --> _Source: Linters/SAST tools_ </blockquote></details> </blockquote></details> <details> <summary>🤖 Prompt for all review comments with AI agents</summary>Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.Nitpick comments:
In@CONTRIBUTING.md:
- Around line 54-56: Update the fenced code block containing the Signed-off-by
example in CONTRIBUTING.md to specify the text language, changing the opening
fence to use ```text while preserving its content.In
@docs/dev/dependencies.md:
- Line 29: Update the copyleft-license statement in the dependencies
documentation by replacing “are not compatible” with “incompatible,” while
preserving the existing meaning and prohibition.In
@GOVERNANCE.md:
- Line 81: Update GOVERNANCE.md:81 heading “Decision making” to
“Decision-making” and change the “decision making” occurrence at
GOVERNANCE.md:88 to “decision-making”.</details> --- <details> <summary>ℹ️ Review info</summary> <details> <summary>⚙️ Run configuration</summary> **Configuration used**: Organization UI **Review profile**: CHILL **Plan**: Pro **Run ID**: `602bc5ee-ec9e-430e-bb7e-e6047d6b3291` </details> <details> <summary>📥 Commits</summary> Reviewing files that changed from the base of the PR and between 1ea17801b40a170e1099c5ed745ed8ef60dc527f and c4a0d7a1997dc2ba28dcffbca6cb1b593f62a553. </details> <details> <summary>📒 Files selected for processing (6)</summary> * `.github/dco.yml` * `CHANGELOG.md` * `CONTRIBUTING.md` * `GOVERNANCE.md` * `README.md` * `docs/dev/dependencies.md` </details> </details> <!-- This is an auto-generated comment by CodeRabbit for review status -->
…nce) Signed-off-by: Joseph Fung <joseph@josephfung.ca>
Summary
Batches three OpenSSF Baseline Level 2 criteria currently marked Unmet on the project's bestpractices.dev entry. All three are documentation/config, no code changes.
Closes #930
Closes #931
Closes #932
#930 — Dependency management policy (OSPS-DO-06.01)
docs/dev/dependencies.md: how deps are selected (necessity/maintenance/health/license), obtained (pnpm + committedpnpm-lock.yaml,--frozen-lockfilein CI), and tracked/updated (weekly Dependabot with 7-day cooldown,overrides:block for CVE pins,allowBuilds, SBOM, continuous scanning).#931 — Governance (OSPS-GV-01.01 / GV-01.02)
GOVERNANCE.md: names the maintainer, enumerates access to sensitive resources (repo admin, Actions secrets, release/registry creds, meetcuria.com infra, security contact), describes maintainer/contributor roles, and how new maintainers are added.#932 — DCO sign-off (OSPS-LE-01.01)
.github/dco.yml:require.membersleft at default (everyone signs off, incl. org members/agent PRs),allowRemediationCommits.individual: true,thirdParty: false— per the issue's implementation notes.git commit -sand the individual-remediation escape hatch for already-open branches.Manual steps required (cannot be automated from here)
For #932 to be fully Met, you'll need to:
josephfung/curia.mainin branch protection.Co-Authored-Bybut noSigned-off-by).After merge + those steps, all three criteria can be flipped to Met on bestpractices.dev.
Notes