✨ scorecard badges #301
Conversation
Initial implementation for generating scorecard badges. The calculation of the score is, for now, simple logic. The badge service uses the cron results to calculate the score. The service is a stateless HTTP endpoint.
Integration tests success for 92146ee6a0311020606dadf570307db6816d5680
Integration tests success for 9a5ce07e3727d85bc56cc2aef37357ec75c3736d
ping @inferno-chromium
Thanks for working on this change!
However, I'm not sure this approach will scale, and it adds significant maintenance cost, since this renders the badge on demand and we need to maintain this service for serving the badges.
A much more scalable approach here would be to publish these rendered badges in a public GCS bucket instead so that we don't have to worry about the actual serving.
GCS buckets also allow access over HTTP. This is also what we do for OSS-Fuzz. See e.g. https://oss-fuzz-build-logs.storage.googleapis.com/badges/envoy.svg
How do you think this won't scale? Could you please explain further?
I'd say it's probably less about scalability; a stateless web server would likely be fine :) Using GCS would simplify things though, and likely be more reliable/easier to maintain, since we just don't have to worry about keeping things running.
I agree on that. It makes sense.
Integration tests success for 3fb3a272d8f7110f7b087e16afd71bc1951b8546
It should be very simple to do this in the cron code here: https://github.com/ossf/scorecard/blob/main/cron/main.go#L68
I agree we could move the score calculation to the main scorecard binary. I think it should not be the cronjob's responsibility to generate the badge. There needs to be separation of concerns. The cronjob's responsibility needs to stay as it is. The reason I am calling for that is that others in the community could use the same cronjob to run scorecard on a bunch of repos, but they might not want badge generation.
Nobody else is running cron. We can make this configurable, just like we have GCS_BUCKET: we can add GCS_BADGES_BUCKET, and if it is set, then we write the badges as well. You can create a separate cron for badges too, but then there will be race conditions on when to generate, etc. Best to keep it simple.
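An added example (not code from this PR or from the scorecard project) of the cron-side hook proposed above: the badge is rendered and written under badges/<repo>.svg only when a badges bucket is configured, so a cron run without GCS_BADGES_BUCKET behaves exactly as before. The object store is abstracted behind a writer function with an in-memory stand-in so it runs offline; the object layout and colour thresholds are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// BadgeWriter stores one object in the badges bucket; the real cron would wrap
// cloud.google.com/go/storage here (an assumption, not scorecard's own code).
type BadgeWriter func(object string, body []byte) error
// BadgeObjectName maps "github.com/owner/repo" to "badges/github.com/owner/repo.svg";
// cleaning the path keeps a malformed repo string from escaping the badges/ prefix.
func BadgeObjectName(repo string) string {
	return path.Join("badges", path.Clean("/"+repo)[1:]) + ".svg"
}

// RenderBadge builds a minimal shields-style SVG (colour thresholds are an assumption).
func RenderBadge(score float64) []byte {
	color := "#e05d44" // red below 5, yellow below 8, green from 8 up
	if score >= 8 {
		color = "#4c1"
	} else if score >= 5 {
		color = "#dfb317"
	}
	var b strings.Builder
	b.WriteString(`<svg xmlns="http://www.w3.org/2000/svg" width="150" height="20">`)
	fmt.Fprintf(&b, `<rect width="70" height="20" fill="#555"/><rect x="70" width="80" height="20" fill="%s"/>`, color)
	b.WriteString(`<text x="35" y="14" fill="#fff" text-anchor="middle" font-size="11">scorecard</text>`)
	fmt.Fprintf(&b, `<text x="110" y="14" fill="#fff" text-anchor="middle" font-size="11">%.1f/10</text></svg>`, score)
	return []byte(b.String())
}
// PublishBadge is the cron-side hook proposed in the thread: with no bucket configured
// (GCS_BADGES_BUCKET unset) it is a no-op; otherwise it returns the location written.
func PublishBadge(w BadgeWriter, bucket, repo string, score float64) (string, error) {
	if bucket == "" {
		return "", nil
	}
	obj := BadgeObjectName(repo)
	if err := w(obj, RenderBadge(score)); err != nil {
		return "", fmt.Errorf("writing badge to %s/%s: %w", bucket, obj, err)
	}
	return bucket + "/" + obj, nil
}

func main() { // constructed demo with an in-memory writer standing in for GCS
	store := map[string][]byte{}
	mem := func(o string, b []byte) error { store[o] = b; return nil }
	fmt.Println(PublishBadge(mem, "scorecard-badges", "github.com/ossf/scorecard", 7.5))
}
```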
Sounds good. I will change the implementation. Thanks
Thanks @naveensrinivasan !
Closing it to open a new one with the latest refactoring
- install: Move action installation into a separate package
- Add missing license headers
- install: Fix unrecognized variables
- lint: Fix warnings and attempt to auto-fix issues (where supported)
- install: Parameterize config
- install: Borrow GitHub client pattern from sigs.k8s.io/release-sdk
- install: Use package-internal GitHub interface
- install: Provide installation options as struct
- install: Initial error/log handling cleanups
- install: Use cobra for CLI
- Remove inaccurate instances of workflow configuration file
- multi-repo-action: Disable incomplete tests
- install: Retrieve the correct action configuration from local path

Signed-off-by: Stephen Augustus <[email protected]>
Manually tested. Need to automate it.
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
Feature
What is the current behavior? (You can also link to an open issue here)
Feature Scorecard badges #271
What is the new behavior (if this is a feature change)?
https://somefqdn/host/owner/repo
Example: https://localhost:8000/github.com/18F/identity-idp
Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
None
Other information:
Fixes #271 (Feature: Scorecard badges)
Example of a badge generated after running:
curl -o badge.svg https://localhost:8000/github.com/18F/identity-idp