karmada [Umbrella] Enhancement of Karmada maturity based on Clomonitor check sets

What would you like to be added: CLOMonitor is a tool that periodically checks open source projects repositories to verify they meet certain project health best practices, and will provide a score card for each project based on the check results. Here is the score card for karmada: https://clomonitor.io/projects/cncf/karmada. As you can see, there's still some work to be done. Here list the check set that karmada did not pass.

[x] license scanning (@B1F030 #5050) Karamda completes the license scanning software scans in fossa workflow, so we only need add the FOSSA link in the README file. Regexps used: "(https://app.fossa.(?:io|com)/projects/[^"'\)]+)"
[x] Artifact Hub badge (@B1F030 #5051)
[x] OpenSSF Scorecard badge (@B1F030 #5055) We have added the OpenSSF Scorecard badge in the README file in #5022, but the url https://api.scorecard.dev/projects/github.com/karmada-io/karmada/badge does not match the specified regexps "(https://api.securityscorecards.dev/projects/github.com/[^/]+/[^/]+)/badge" and needs to be modified.
[ ] Dependencies policy
[x] Software bill of materials (SBOM)(@zhzhuang-zju #5110)
[ ] Security insights
[ ] Signed releases Karmada images have been signed with cosign since release1.7, but we need add the SLSA provenance file in the assets for release (*.intoto.jsonl)
[ ] Token permissions define topLevel permission for each workflow
- [x] ci-image-scanning.yaml (@aditya7302 #5059)
- [ ] ci-schedule-compatibility.yaml (@aditya7302 #5068 )
- [ ] ci-schedule.yml (@aditya7302 #5069)
- [ ] ci.yml (@Akash-Singh04 #5078)
- [ ] cli.yaml (@Akash-Singh04 #5079)
- [ ] dockerhub-latest-chart.yml (@aditya7302 #5082)
- [ ] dockerhub-latest-image.yml
- [ ] dockerhub-released-chart.yml
- [ ] dockerhub-released-image.yml
- [ ] fossa.yml (@aditya7302 #5080)
- [ ] lint-chart.yaml(@aditya7302 #5081 )
- [ ] release.yml
- [ ] swr-latest-image.yml
- [ ] swr-released-image.yml

Reference:

https://clomonitor.io/projects/cncf/karmada
https://clomonitor.io/docs/topics/checks/
https://scorecard.dev/viewer/?uri=github.com/karmada-io/karmada

Why is this needed: Improving scores is not the ultimate goal, I hope to use this issue to make Karmada healthier and more mature

Jun 13 '24 08:06 zhzhuang-zju

/help

Jun 13 '24 08:06 zhzhuang-zju

@zhzhuang-zju: This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Jun 13 '24 08:06 karmada-bot

cc @B1F030

Jun 13 '24 09:06 zhzhuang-zju

I'm glad to help! Can I take the license scanning first?

Jun 13 '24 11:06 B1F030

I'm glad to help! Can I take the license scanning first?

done~

Jun 13 '24 11:06 zhzhuang-zju

Maybe we can have the badge of CLomonitor. See example at https://github.com/kubeflow/kubeflow/blob/master/README.md.

Jun 15 '24 14:06 RainbowMango

@RainbowMango I have added the CLOMonitor badge in my PR.

Jun 16 '24 12:06 aditya7302

Hey does this issue require any more help?If so, I would like to work on it

Jun 17 '24 16:06 SkySingh04

Hey does this issue require any more help?If so, I would like to work on it

Sure, go ahead. Please pick what interests you and do it~

Jun 18 '24 01:06 zhzhuang-zju

@RainbowMango @zhzhuang-zju I have added top-level permission for ci-image-scanning workflow. Please review it.

Jun 18 '24 05:06 aditya7302

@RainbowMango @zhzhuang-zju I have added top-level permission for ci.yml and cli.yml workflow. Please review it.

Jun 22 '24 06:06 SkySingh04

@aditya7302 @Akash-Singh04 Thanks for your efforts on task Token permissions. Defining the minimal permission set for workflow is actually difficult, do you have any experiences to share? Besides, how can we effectively go about verifying the results(all I can think of at the moment is local verification)? Other than that, have you encountered any other difficulties? Looking forward to your feedback!

Jul 02 '24 02:07 zhzhuang-zju

@aditya7302 @Akash-Singh04 Thanks for your efforts on task Token permissions. Defining the minimal permission set for workflow is actually difficult, do you have any experiences to share? Besides, how can we effectively go about verifying the results(all I can think of at the moment is local verification)? Other than that, have you encountered any other difficulties? Looking forward to your feedback!

I found the recommended steps and an online tool to complete the task Token permissions! refer to https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions:

The highest score is awarded when the permissions definitions in each workflow's yaml file are set as read-only at the top level and the required write permissions are declared at the run-level.

Following this criterion, the recommended steps are:

Set top-level permissions as read-all or contents: read as described in GitHub's documentation.
Set any required write permissions at the job-level. Only set the permissions required for that job; do not set permissions: write-all at the job level.

So, we had a problem with the previous implementation and needed to be revised.

To help determine the permissions needed for our workflows, we can use StepSecurity's online tool by ticking the "Restrict permissions for GITHUB_TOKEN". NOTE: Cleanup workflow's previously defined permissions before using it, and the result may be more precise.

Jul 02 '24 04:07 zhzhuang-zju

@zhzhuang-zju As I am new to learning workflows, I primarily use local verification to test them. This method helps me ensure that the workflows function correctly within a controlled environment. However, I think that defining the minimal permission set for large workflows can be quite challenging.

Jul 03 '24 11:07 aditya7302

@zhzhuang-zju As I am new to learning workflows, I primarily use local verification to test them. This method helps me ensure that the workflows function correctly within a controlled environment. However, I think that defining the minimal permission set for large workflows can be quite challenging.

I can't agree more~ Local verification is actually the safest way. Now with the tool Scan, this process is even easier. However, in some cases, the tool's database does not have permissions information of a certain action, we can only verify them locally or refer to other user-defined permissions. BTW, thank @aditya7302 and @Akash-Singh04 for your contributions.

Jul 04 '24 01:07 zhzhuang-zju

All tasks are done! Thank you all for your hard work! @B1F030 @zhzhuang-zju @aditya7302 @SkySingh04

For now, we reached a 99 score, and the last check(Signed releases) will pass after 5 releases, there is nothing we need to do on our part.

/close

Aug 26 '24 03:08 RainbowMango

@RainbowMango: Closing this issue.

In response to this:

All tasks are done! Thank you all for your hard work! @B1F030 @zhzhuang-zju @aditya7302 @SkySingh04

For now, we reached a 99 score, and the last check(Signed releases) will pass after 5 releases, there is nothing we need to do on our part.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Aug 26 '24 03:08 karmada-bot