Add secret scanning to SCM guide, fixes #488

Open david-a-wheeler opened this issue 9 months ago • 6 comments

david-a-wheeler avatar May 14 '24 21:05 david-a-wheeler

@SecurityCRob - comments?

I did not try to edit best-practices.yml. I'm not sure what that yml file is doing. Is that the source & the README is generated? I don't see any code to do the generation. If the .yml file is generated from the README, then please run that tool. If they're edited simultaneously, well, yuck :-(. In any case, there should be a clear document somewhere what their relationship is.

david-a-wheeler avatar May 16 '24 19:05 david-a-wheeler

I think Randall put that in place. I'm also unsure how that works. We should ask him to start.

SecurityCRob avatar May 21 '24 12:05 SecurityCRob

I think that might relate to how Legitify was used to produce these recommendations. Maybe @noamd-legit can comment on this and suggest how to add new ones?

balteravishay avatar May 21 '24 13:05 balteravishay

The best-practices.yml is generated automatically and does not require manual edits. In fact, I believe we can remove it entirely from this repository.

To update the document, simply edit the markdown file. If we need to regenerate the base version, I will handle any differences that arise.

noamd-legit avatar May 23 '24 13:05 noamd-legit

In that case, I suggest removing the .yml file (in a separate pull request). We generally don't want generated files in the source repo.

@noamd-legit - would you mind creating that PR?

david-a-wheeler avatar May 23 '24 15:05 david-a-wheeler

@david-a-wheeler Removed the file here: https://github.com/ossf/wg-best-practices-os-developers/pull/508

noamd-legit avatar May 30 '24 09:05 noamd-legit