Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ scorecard badges #301

Closed
wants to merge 3 commits into from
Closed

✨ scorecard badges #301

wants to merge 3 commits into from

Conversation

naveensrinivasan
Copy link
Member

@naveensrinivasan naveensrinivasan commented Mar 22, 2021

  • Please check if the PR fulfills these requirements
  • Tests for the changes have been added (for bug fixes / features)
    Manually tested. Need to do automate it.
  • What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
    Feature

  • What is the current behavior? (You can also link to an open issue here)
    Feature Scorecard badges #271

  • What is the new behavior (if this is a feature change)?

    • Initial implementation for generating scorecard badges.
    • The calculation of the score is right now simple logic.
    • The request for the badge would be something like https://somefqdn/host/owner/repo example https://localhost:8000/github.com/18F/identity-idp
    • The badge service uses the cron results to calculate the score.
    • The service is an HTTP endpoint that is stateless.
  • Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
    None

  • Other information:
    Fixes Feature Scorecard badges #271

  • Example of a generated badge that generated after running curl -o badge.svg https://localhost:8000/github.com/18F/identity-idp
    image

    Initial implementation for generating scorecard badges.
    The calculation of score is right now simple logic.
    The badge service uses the cron results to calculate the score.
    The service is a HTTP endpoint which is stateless.
@github-actions
Copy link

Integration tests success for 92146ee6a0311020606dadf570307db6816d5680

@github-actions
Copy link

Integration tests success for 9a5ce07e3727d85bc56cc2aef37357ec75c3736d

@naveensrinivasan
Copy link
Member Author

ping @inferno-chromium

Copy link
Contributor

@oliverchang oliverchang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this change!

However I'm not sure this approach will scale, and it adds significant maintenance cost since this renders the badge on demand and we need to maintain this service for serving the badges.

A much more scalable approach here would be to publish these rendered badges in a public GCS bucket instead so that we don't have to worry about the actual serving.

GCS buckets also allow access over HTTP. This is also what we do for OSS-Fuzz. See e.g. https://oss-fuzz-build-logs.storage.googleapis.com/badges/envoy.svg

@naveensrinivasan
Copy link
Member Author

we

How do you think this won’t scale could you please explain further?

@dlorenc
Copy link
Contributor

dlorenc commented Mar 25, 2021

I'd say it's probably less about scalability, a stateless web server would likely be fine :)

Using GCS would simplify things though, and likely be more reliable/easier to maintain since we just don't have to worry about keeping things running.

@naveensrinivasan
Copy link
Member Author

I'd say it's probably less about scalability, a stateless web server would likely be fine :)

Using GCS would simplify things though, and likely be more reliable/easier to maintain since we just don't have to worry about keeping things running.

I agree on that. It makes sense.

@github-actions
Copy link

Integration tests success for 3fb3a272d8f7110f7b087e16afd71bc1951b8546

@inferno-chromium
Copy link
Contributor

I'd say it's probably less about scalability, a stateless web server would likely be fine :)
Using GCS would simplify things though, and likely be more reliable/easier to maintain since we just don't have to worry about keeping things running.

I agree on that. It makes sense.

it should be very simple to do this in cron code here - https://github.com/ossf/scorecard/blob/main/cron/main.go#L68
add that overall % calc logic in main scorecard code, so in json it gives that number too, and then parse that output in json in cron/main.go and create the badges in a bucket, like ossf-scorecard-badges/repo/url/badge.svg or something. this web service needs some thought and we are still thinking on dash and stuff. so, doing this unblocks and start working right away.

@naveensrinivasan
Copy link
Member Author

I'd say it's probably less about scalability, a stateless web server would likely be fine :)
Using GCS would simplify things though, and likely be more reliable/easier to maintain since we just don't have to worry about keeping things running.

I agree on that. It makes sense.

it should be very simple to do this in cron code here - https://github.com/ossf/scorecard/blob/main/cron/main.go#L68
add that overall % calc logic in main scorecard code, so in json it gives that number too, and then parse that output in json in cron/main.go and create the badges in a bucket, like ossf-scorecard-badges/repo/url/badge.svg or something. this web service needs some thought and we are still thinking on dash and stuff. so, doing this unblocks and start working right away.

I agree we could move the score calculation to the main scorecard binary.

I think it should not be cronjob responsibility to generate the badge. There needs to be separation of concerns. The cronjob responsibility needs to be as is.

The reason I am calling for that is because others in the community could use the same cronjob to run scorecard on bunch of repos , but they might not want badge generation.

@inferno-chromium
Copy link
Contributor

I'd say it's probably less about scalability, a stateless web server would likely be fine :)
Using GCS would simplify things though, and likely be more reliable/easier to maintain since we just don't have to worry about keeping things running.

I agree on that. It makes sense.

it should be very simple to do this in cron code here - https://github.com/ossf/scorecard/blob/main/cron/main.go#L68
add that overall % calc logic in main scorecard code, so in json it gives that number too, and then parse that output in json in cron/main.go and create the badges in a bucket, like ossf-scorecard-badges/repo/url/badge.svg or something. this web service needs some thought and we are still thinking on dash and stuff. so, doing this unblocks and start working right away.

I agree we could move the score calculation to the main scorecard binary.

I think it should not be cronjob responsibility to generate the badge. There needs to be separation of concerns. The cronjob responsibility needs to be as is.

The reason I am calling for that is because others in the community could use the same cronjob to run scorecard on bunch of repos , but they might not want badge generation.

Nobody else is running cron. We can make this configurable which is just like we have GCS_BUCKET, we can do GCS_BADGES_BUCKET, which if set, then we write the badges as well. you can create a seperate cron for badges too, but then there will be race conditions on when to generate etc. Best to keep it simple.

@naveensrinivasan
Copy link
Member Author

I'd say it's probably less about scalability, a stateless web server would likely be fine :)
Using GCS would simplify things though, and likely be more reliable/easier to maintain since we just don't have to worry about keeping things running.

I agree on that. It makes sense.

it should be very simple to do this in cron code here - https://github.com/ossf/scorecard/blob/main/cron/main.go#L68
add that overall % calc logic in main scorecard code, so in json it gives that number too, and then parse that output in json in cron/main.go and create the badges in a bucket, like ossf-scorecard-badges/repo/url/badge.svg or something. this web service needs some thought and we are still thinking on dash and stuff. so, doing this unblocks and start working right away.

I agree we could move the score calculation to the main scorecard binary.
I think it should not be cronjob responsibility to generate the badge. There needs to be separation of concerns. The cronjob responsibility needs to be as is.
The reason I am calling for that is because others in the community could use the same cronjob to run scorecard on bunch of repos , but they might not want badge generation.

Nobody else is running cron. We can make this configurable which is just like we have GCS_BUCKET, we can do GCS_BADGES_BUCKET, which if set, then we write the badges as well. you can create a seperate cron for badges too, but then there will be race conditions on when to generate etc. Best to keep it simple.

Sounds good. I will change the implementation. Thanks

@oliverchang
Copy link
Contributor

oliverchang commented Mar 29, 2021

I'd say it's probably less about scalability, a stateless web server would likely be fine :)
Using GCS would simplify things though, and likely be more reliable/easier to maintain since we just don't have to worry about keeping things running.

I agree on that. It makes sense.

it should be very simple to do this in cron code here - https://github.com/ossf/scorecard/blob/main/cron/main.go#L68
add that overall % calc logic in main scorecard code, so in json it gives that number too, and then parse that output in json in cron/main.go and create the badges in a bucket, like ossf-scorecard-badges/repo/url/badge.svg or something. this web service needs some thought and we are still thinking on dash and stuff. so, doing this unblocks and start working right away.

I agree we could move the score calculation to the main scorecard binary.
I think it should not be cronjob responsibility to generate the badge. There needs to be separation of concerns. The cronjob responsibility needs to be as is.
The reason I am calling for that is because others in the community could use the same cronjob to run scorecard on bunch of repos , but they might not want badge generation.

Nobody else is running cron. We can make this configurable which is just like we have GCS_BUCKET, we can do GCS_BADGES_BUCKET, which if set, then we write the badges as well. you can create a seperate cron for badges too, but then there will be race conditions on when to generate etc. Best to keep it simple.

Sounds good. I will change the implementation. Thanks

Thanks @naveensrinivasan !

@naveensrinivasan
Copy link
Member Author

Closing it to open a new one with the latest refacoring

@naveensrinivasan naveensrinivasan deleted the feat/scorecard-badge branch April 16, 2021 22:25
justaugustus added a commit to justaugustus/scorecard that referenced this pull request May 25, 2022
- install: Move action installation into a separate package
- Add missing license headers
- install: Fix unrecognized variables
- lint: Fix warnings and attempt to auto-fix issues (where supported)
- install: Parameterize config
- install: Borrow GitHub client pattern from sigs.k8s.io/release-sdk
- install: Use package-internal GitHub interface
- install: Provide installation options as struct
- install: Initial error/log handling cleanups
- install: Use cobra for CLI
- Remove inaccurate instances of workflow configuration file
- multi-repo-action: Disable incomplete tests
- install: Retrieve the correct action configuration from local path

Signed-off-by: Stephen Augustus <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
priority/must-do Upcoming release
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Feature Scorecard badges
4 participants