From d5990e5b564d94ca405aad954c2e979f1b254c3e Mon Sep 17 00:00:00 2001
From: Laurent Broudoux
Date: Wed, 16 Oct 2024 15:23:10 +0200
Subject: [PATCH] chore: #28 Add community health + security information to improve CLO Monitor
Signed-off-by: Laurent Broudoux
---
 .github/dependabot.yml | 9 +++++++
 README.md | 37 ++++++++++++++++++++++++----
 SECURITY-INSIGHTS.yml | 56 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 97 insertions(+), 5 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 SECURITY-INSIGHTS.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..bb03ee7
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,9 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: monthly
+ day: sunday
+ open-pull-requests-limit: 3
+ rebase-strategy: disabled
diff --git a/README.md b/README.md
index fac58d6..9f1db03 100644
--- a/README.md
+++ b/README.md
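Review bot: The schedule in the new `.github/dependabot.yml` is `interval: monthly` (with `day: sunday`), but the `security-testing` comment added to SECURITY-INSIGHTS.yml in this same patch states that Dependabot runs "on a weekly scheduled basis", so one of the two is wrong and anyone reading the insights file (or CLO Monitor) is told the wrong cadence. Either change the schedule to `interval: weekly` or reword the comment to `Dependabot is enabled for this repo on a monthly scheduled basis.` so the two files agree. Note also that only the `github-actions` ecosystem is configured here; if the repository carries another manifest for the action's runtime (a Dockerfile for the wrapped CLI, for instance, which is not visible in this patch), it is not covered by this config even though `third-party-packages: true` is declared in the insights file, so that is worth confirming.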
@@ -1,9 +1,36 @@
 ## GitHub Action for launching a Microcks test
-### What is it?
 This is a GitHub Action you may use in your Workflow to launch a Microcks test on a deployed API endpoint. Microcks tests allow you to validate an API endpoint against its OpenAPI specification, AsyncAPI specification or Postman collection definition. If test succeeds (ie. API endpoint is compliant with API contract) the workflow is pursuing, if not it fails. This action is basically a wrapper around the [Microcks CLI](https://github.com/microcks/microcks-cli) and provides the same configuration capabilities.
-The `test` command of the CLI needs 3 arguments:
+[![License](https://img.shields.io/github/license/microcks/microcks-cli?style=for-the-badge&logo=apache)](https://www.apache.org/licenses/LICENSE-2.0)
+[![Project Chat](https://img.shields.io/badge/discord-microcks-pink.svg?color=7289da&style=for-the-badge&logo=discord)](https://microcks.io/discord-invite/)
+[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/microcks-cli-image&style=for-the-badge)](https://artifacthub.io/packages/search?repo=microcks-cli-image)
+[![CNCF Landscape](https://img.shields.io/badge/CNCF%20Landscape-5699C6?style=for-the-badge&logo=cncf)](https://landscape.cncf.io/?item=app-definition-and-development--application-definition-image-build--microcks)
+
+### Build Status
+
+#### Fossa license and security scans
+
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action.svg?type=shield&issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action?ref=badge_shield&issueType=license)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action.svg?type=shield&issueType=security)](https://app.fossa.com/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action?ref=badge_shield&issueType=security)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action.svg?type=small)](https://app.fossa.com/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action?ref=badge_small)
+
+#### OpenSSF best practices on Microcks core
+
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/7513/badge)](https://bestpractices.coreinfrastructure.org/projects/7513)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/microcks/microcks/badge)](https://securityscorecards.dev/viewer/?uri=github.com/microcks/microcks)
+
+## Community
+
+* [Documentation](https://microcks.io/documentation/tutorials/getting-started/)
+* [Microcks Community](https://github.com/microcks/community) and community meeting
+* Join us on [Discord](https://microcks.io/discord-invite/), on [GitHub Discussions](https://github.com/orgs/microcks/discussions) or [CNCF Slack #microcks channel](https://cloud-native.slack.com/archives/C05BYHW1TNJ)
+
+To get involved with our community, please make sure you are familiar with the project's [Code of Conduct](./CODE_OF_CONDUCT.md).
+
+## What it needs?
+
+The `test` action needs 3 arguments:
 * `` : Service to test reference. Exemple: `'Beer Catalog API:0.9'`
 * `` : URL where is deployed implementation to test
@@ -22,7 +49,7 @@ And some optional ones:
 * `--filteredOperations=` allows to filter a list of operations to launch a test for,
 * `--operationsHeaders=` allows to override some operations headers for the tests to launch.
-### How to use it?
+## How to use it?
 Obviously we can find this action with [GitHub Actions Marketplace](https://github.com/marketplace?type=actions) :wink:
@@ -30,7 +57,7 @@ You may add the Action to your Workflow directly from the GitHub UI.
 ![marketplace](./assets/marketplace.png)
-#### Step 1 - Configure the GitHub action
+### Step 1 - Configure the GitHub action
 ```yaml
 name: my-workflow
@@ -51,7 +78,7 @@ jobs:
 waitFor: '10sec'
 ```
-#### Step 2 - Configure the Secrets
+### Step 2 - Configure the Secrets
 As you probably saw just above, we do think it's a best practice to use GitHub Secrets (general or tied to `Environment` like in the example) to hold the Keycloak credentials (client Id and Secret). See below the Secrets configuration we've used for the example:
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
new file mode 100644
index 0000000..3061fa3
--- /dev/null
+++ b/SECURITY-INSIGHTS.yml
@@ -0,0 +1,56 @@
+header:
+ schema-version: 1.0.0
+ last-updated: '2024-10-16'
+ last-reviewed: '2024-10-16'
+ expiration-date: '2025-10-16T01:00:00.000Z'
+ project-url: https://github.com/microcks/test-github-action
+ project-release: '0.5.5'
+ changelog: https://github.com/microcks/test-github-action/blob/main/CHANGELOG.md
+ license: https://github.com/microcks/test-github-action/blob/main/LICENSE
+project-lifecycle:
+ status: active
+ roadmap: https://github.com/microcks/test-github-action/blob/main/ROADMAP.md
+ bug-fixes-only: false
+ core-maintainers:
+ - github:lbroudoux
+ - github:yada
+contribution-policy:
+ accepts-pull-requests: true
+ accepts-automated-pull-requests: true
+ code-of-conduct: https://github.com/microcks/.github/blob/master/CODE_OF_CONDUCT.md
+ contributing-policy: https://github.com/microcks/.github/blob/master/CONTRIBUTING.md
+documentation:
+ - https://microcks.io
+distribution-points:
+ - https://microcks.io
+ - https://github.com/microcks/test-github-action
+ - https://quay.io/microcks
+security-artifacts:
+ threat-model:
+ threat-model-created: false
+security-testing:
+ - tool-type: sca
+ tool-name: Dependabot
+ tool-version: latest
+ integration:
+ ad-hoc: true
+ ci: false
+ before-release: false
+ comment: |
+ Dependabot is enabled for this repo on a weekly scheduled basis.
+security-contacts:
+ - type: email
+ value: security@microcks.io
+vulnerability-reporting:
+ accepts-vulnerability-reports: true
+ security-policy: https://github.com/microcks/test-github-action/security/policy
+ email-contact: security@microcks.io
+ comment: |
+ To report a security issue for one of the libraries owned by the Microcks community, write an email with a detailed description of the issue to security@microcks.io.
+dependencies:
+ third-party-packages: true
+ dependencies-lists:
+ - https://github.com/microcks/test-github-action/network/dependencies
+ - https://app.fossa.com/projects/git%2Bgithub.com%2Fmicrocks%2Ftest-github-action/refs/branch/main/039480c82861572a25e5880f82c5c7be670c5caf/browse/dependencies
+ env-dependencies-policy:
+ policy-url: https://github.com/microcks/test-github-action/blob/main/DEPENDENCY_POLICY.md
\ No newline at end of file
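Review bot: The second `dependencies-lists` entry pins the FOSSA report to one commit (`refs/branch/main/039480c8…/browse/dependencies`), so as `main` moves the insights file will keep pointing readers at a stale dependency snapshot rather than the current one; a branch-level FOSSA URL without the commit segment, or just the GitHub `network/dependencies` link already listed above it, would stay accurate. Several other URLs in this file (`CHANGELOG.md`, `ROADMAP.md`, `DEPENDENCY_POLICY.md`, and `./CODE_OF_CONDUCT.md` from the README hunk) refer to files this patch does not create; if they are not already in the repository the links 404 and the CLO Monitor checks this commit is meant to satisfy will report the gaps, so they should be verified before merge. Under `security-testing`, `ad-hoc: true` with `ci: false` describes a scheduled Dependabot run only loosely, so a short note in `comment` saying that the scan runs on the schedule in `.github/dependabot.yml` rather than per CI run would make the entry read unambiguously.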