chore: #28 Add community health + security information to improve CLO…

… Monitor Signed-off-by: Laurent Broudoux <[email protected]>
microcks · Oct 16, 2024 · d5990e5 · d5990e5
1 parent 039480c
commit d5990e5
Show file tree

Hide file tree

Showing 3 changed files with 97 additions and 5 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: monthly
+ day: sunday
+ open-pull-requests-limit: 3
+ rebase-strategy: disabled
diff --git a/README.md b/README.md
@@ -1,9 +1,36 @@
 ## GitHub Action for launching a Microcks test
-### What is it?
 
 This is a GitHub Action you may use in your Workflow to launch a Microcks test on a deployed API endpoint. Microcks tests allow you to validate an API endpoint against its OpenAPI specification, AsyncAPI specification or Postman collection definition. If test succeeds (ie. API endpoint is compliant with API contract) the workflow is pursuing, if not it fails. This action is basically a wrapper around the [Microcks CLI](https://github.com/microcks/microcks-cli) and provides the same configuration capabilities.
 
-The `test` command of the CLI needs 3 arguments:
+[![License](https://img.shields.io/github/license/microcks/microcks-cli?style=for-the-badge&logo=apache)](https://www.apache.org/licenses/LICENSE-2.0)
+[![Project Chat](https://img.shields.io/badge/discord-microcks-pink.svg?color=7289da&style=for-the-badge&logo=discord)](https://microcks.io/discord-invite/)
+[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/microcks-cli-image&style=for-the-badge)](https://artifacthub.io/packages/search?repo=microcks-cli-image)
+[![CNCF Landscape](https://img.shields.io/badge/CNCF%20Landscape-5699C6?style=for-the-badge&logo=cncf)](https://landscape.cncf.io/?item=app-definition-and-development--application-definition-image-build--microcks)
+
+### Build Status
+
+#### Fossa license and security scans
+
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action.svg?type=shield&issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action?ref=badge_shield&issueType=license)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action.svg?type=shield&issueType=security)](https://app.fossa.com/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action?ref=badge_shield&issueType=security)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action.svg?type=small)](https://app.fossa.com/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action?ref=badge_small)
+
+#### OpenSSF best practices on Microcks core
+
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/7513/badge)](https://bestpractices.coreinfrastructure.org/projects/7513)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/microcks/microcks/badge)](https://securityscorecards.dev/viewer/?uri=github.com/microcks/microcks)
+
+## Community
+
+* [Documentation](https://microcks.io/documentation/tutorials/getting-started/)
+* [Microcks Community](https://github.com/microcks/community) and community meeting
+* Join us on [Discord](https://microcks.io/discord-invite/), on [GitHub Discussions](https://github.com/orgs/microcks/discussions) or [CNCF Slack #microcks channel](https://cloud-native.slack.com/archives/C05BYHW1TNJ)
+
+To get involved with our community, please make sure you are familiar with the project's [Code of Conduct](./CODE_OF_CONDUCT.md).
+
+## What it needs?
+
+The `test` action needs 3 arguments:
 
 * `<apiName:apiVersion>` : Service to test reference. Exemple: `'Beer Catalog API:0.9'`
 * `<testEndpoint>` : URL where is deployed implementation to test
@@ -22,15 +49,15 @@ And some optional ones:
 * `--filteredOperations=<JSON>` allows to filter a list of operations to launch a test for,
 * `--operationsHeaders=<JSON>` allows to override some operations headers for the tests to launch.
 
-### How to use it?
+## How to use it?
 
 Obviously we can find this action with [GitHub Actions Marketplace](https://github.com/marketplace?type=actions) :wink:
 
 You may add the Action to your Workflow directly from the GitHub UI.
 
 ![marketplace](./assets/marketplace.png)
 
-#### Step 1 - Configure the GitHub action
+### Step 1 - Configure the GitHub action
 
 ```yaml
 name: my-workflow
@@ -51,7 +78,7 @@ jobs:
  waitFor: '10sec'
 ```
 
-#### Step 2 - Configure the Secrets
+### Step 2 - Configure the Secrets
 
 As you probably saw just above, we do think it's a best practice to use GitHub Secrets (general or tied to `Environment` like in the example) to hold the Keycloak credentials (client Id and Secret). See below the Secrets configuration we've used for the example:
 

diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
@@ -0,0 +1,56 @@
+header:
+ schema-version: 1.0.0
+ last-updated: '2024-10-16'
+ last-reviewed: '2024-10-16'
+ expiration-date: '2025-10-16T01:00:00.000Z'
+ project-url: https://github.com/microcks/test-github-action
+ project-release: '0.5.5'
+ changelog: https://github.com/microcks/test-github-action/blob/main/CHANGELOG.md
+ license: https://github.com/microcks/test-github-action/blob/main/LICENSE
+project-lifecycle:
+ status: active
+ roadmap: https://github.com/microcks/test-github-action/blob/main/ROADMAP.md
+ bug-fixes-only: false
+ core-maintainers:
+ - github:lbroudoux
+ - github:yada
+contribution-policy:
+ accepts-pull-requests: true
+ accepts-automated-pull-requests: true
+ code-of-conduct: https://github.com/microcks/.github/blob/master/CODE_OF_CONDUCT.md
+ contributing-policy: https://github.com/microcks/.github/blob/master/CONTRIBUTING.md
+documentation:
+ - https://microcks.io
+distribution-points:
+ - https://microcks.io
+ - https://github.com/microcks/test-github-action
+ - https://quay.io/microcks
+security-artifacts:
+ threat-model:
+ threat-model-created: false
+security-testing:
+ - tool-type: sca
+ tool-name: Dependabot
+ tool-version: latest
+ integration:
+ ad-hoc: true
+ ci: false
+ before-release: false
+ comment: |
+ Dependabot is enabled for this repo on a weekly scheduled basis.
+security-contacts:
+ - type: email
+ value: [email protected]
+vulnerability-reporting:
+ accepts-vulnerability-reports: true
+ security-policy: https://github.com/microcks/test-github-action/security/policy
+ email-contact: [email protected]
+ comment: |
+ To report a security issue for one of the libraries owned by the Microcks community, write an email with a detailed description of the issue to [email protected].
+dependencies:
+ third-party-packages: true
+ dependencies-lists:
+ - https://github.com/microcks/test-github-action/network/dependencies
+ - https://app.fossa.com/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action/refs/branch/main/039480c82861572a25e5880f82c5c7be670c5caf/browse/dependencies
+ env-dependencies-policy:
+ policy-url: https://github.com/microcks/test-github-action/blob/main/DEPENDENCY_POLICY.md