59 changes: 59 additions & 0 deletions .github/workflows/update-oss-health.yaml
@@ -0,0 +1,59 @@
name: Update OSS health snapshots

on:
workflow_dispatch:
schedule:
- cron: '0 4 1 * *'

jobs:
update-oss-health:
runs-on: ubuntu-latest
Comment on lines +1 to +10
Contributor
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify missing explicit permissions and presence of write operations
rg -n '^\s*permissions:' .github/workflows/update-oss-health.yaml || true
rg -n 'git push|gh pr create' .github/workflows/update-oss-health.yaml

Repository: cozystack/website

Length of output: 160


🏁 Script executed:

cat -n .github/workflows/update-oss-health.yaml

Repository: cozystack/website

Length of output: 2341


Add explicit workflow token permissions for push and PR creation operations.

The workflow performs write operations (git push at line 42 and gh pr create at lines 54–58) without declaring explicit permissions. In environments where the default GITHUB_TOKEN is read-only, these operations will fail. Add the following permissions block:

🔧 Proposed fix
 name: Update OSS health snapshots
 
 on:
   workflow_dispatch:
   schedule:
     - cron: '0 4 1 * *'
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   update-oss-health:
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/update-oss-health.yaml around lines 1 - 10, The workflow
"Update OSS health snapshots" performs git push and gh pr create but lacks
explicit GITHUB_TOKEN permissions; add a top-level permissions block for the
workflow (not per-job) that grants at least contents: write and pull-requests:
write so the push and PR creation succeed in environments with read-only default
tokens, e.g., insert a permissions section with keys "contents" set to "write"
and "pull-requests" set to "write" near the top of the workflow (alongside
name/on) to enable the write operations executed in the update-oss-health job.


steps:
- name: Checkout target repo
uses: actions/checkout@v4
with:
ref: 'main'

- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: '3.12'

- name: Update OSS health data
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
make update-oss-health
git status -s

- name: Commit & push changes
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add data/oss-health static/oss-health-data content/en/oss-health
if git diff --cached --quiet; then
echo "No changes to commit"
exit 0
fi
git branch -D update-oss-health || true
git checkout -b update-oss-health
git commit --signoff -m "[oss-health] Update monthly OSS health snapshot $(date -u +'%Y-%m-%d %H:%M:%S')"
git push --force --set-upstream origin update-oss-health

- name: Open pull request if not exists
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
pr_state=$(gh pr view update-oss-health --json state --jq .state 2>/dev/null || echo "")
echo "Current PR state: ${pr_state:-NONE}"

if [[ "$pr_state" == "OPEN" ]]; then
echo "An open pull request already exists – skipping creation."
else
gh pr create \
--title "[oss-health] Update monthly OSS health snapshot" \
--body "Automated update via workflow." \
--head update-oss-health \
--base main
fi
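Review bot: the third-party actions in this hunk are pinned by mutable tag (`uses: actions/checkout@v4`, `uses: actions/setup-python@v5`) even though the job holds a token that pushes to the repository and opens pull requests; pin both to a full commit SHA (keeping the tag in a trailing comment) so a moved tag cannot change what runs with that token. Two smaller points in the same hunk: `git push --force --set-upstream origin update-oss-health` overwrites anything a person may have pushed to that branch between runs, which is acceptable for a bot-owned branch but deserves a comment in the step; and a pull request opened with `secrets.GITHUB_TOKEN` does not trigger `pull_request` workflows, so any checks this site runs on PRs will not execute on the one created by `gh pr create` unless a different token or app identity is used.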
5 changes: 4 additions & 1 deletion Makefile
@@ -11,7 +11,7 @@ NETWORKING_DEST_DIR ?= content/en/docs/v1/networking
SERVICES_DEST_DIR ?= content/en/docs/v1/operations/services
BRANCH ?= main

.PHONY: update-apps update-vms update-networking update-k8s update-services update-all template-apps template-vms template-networking template-k8s template-services template-all
.PHONY: update-apps update-vms update-networking update-k8s update-services update-oss-health update-all template-apps template-vms template-networking template-k8s template-services template-all
update-apps:
./hack/update_apps.sh --apps "$(APPS)" --dest "$(APPS_DEST_DIR)" --branch "$(BRANCH)"

@@ -27,6 +27,9 @@ update-k8s:
update-services:
./hack/update_apps.sh --apps "$(SERVICES)" --dest "$(SERVICES_DEST_DIR)" --branch "$(BRANCH)" --pkgdir extra

update-oss-health:
./hack/update_oss_health.py

# requires cluster authentication
# to be replaced with downloading a build/release artifact from github.com/cozystack/cozystack
update-api:
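Review bot: the new `update-oss-health` target runs `./hack/update_oss_health.py` directly, so it depends on the file mode and shebang rather than on the interpreter the calling workflow installs with `actions/setup-python@v5`; invoking it as `python3 ./hack/update_oss_health.py` makes the interpreter explicit and removes the dependency on the executable bit. If the script imports anything outside the standard library, note that the workflow calling this target has no dependency-install step before `make update-oss-health`.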