Ossf/gha scorecard (#10)

gimlichael · web-flow · commit aac2364e05cd · 2024-11-16T13:57:02.000+01:00
👷 support for OpenSSF Scorecard

💬 updated community health pages
diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
@@ -0,0 +1,135 @@
+﻿# Contributor Covenant Code of Conduct
+
+This document is adapted from the Contributor Covenant which is used by many open source projects,
+including those under the [.NET Foundation](https://dotnetfoundation.org/code-of-conduct).
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+[INSERT CONTACT METHOD].
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+[https://www.contributor-covenant.org/version/2/0/code_of_conduct.html][v2.0].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available
+at [https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.0]: https://www.contributor-covenant.org/version/2/0/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -0,0 +1,52 @@
+﻿# Contributing to `Shared Kernel API by Codebelt`
+When contributing to this repository, please first discuss the change you wish to make via issue,
+email, or any other method with the owners of this repository before making a change.
+
+Please note we have a code of conduct, please follow it in all your interactions with the project.
+
+## Code of Conduct
+Please review our [code of conduct](CODE_OF_CONDUCT.md).
+
+## Our Development Process
+We use `trunk` based branching model that is aligned with todays DevSecOps practices.
+All new features and/or fixes are merged into the `main` branch by creating a Pull Request.
+
+## Pull Requests
+We actively welcome your pull requests.
+
+1. Fork the repo and create your branch from `main`
+2. If you've added code that should be tested, add tests (DO follow [Microsoft Engineering Guidelines](https://github.com/dotnet/aspnetcore/wiki/Engineering-guidelines))
+3. Any changes or additions requires documentation in the form of documenting public members
+4. Ensure that all existing as well as new test passes
+5. Issue that pull request with a big and heartful thanks for contributing
+
+## Issues
+We use GitHub issues to track public bugs. Please ensure your description is
+clear and has sufficient instructions to be able to reproduce the issue.
+
+## Coding Guidelines
+* Please follow [Framework Design Guidelines](https://learn.microsoft.com/en-us/dotnet/standard/design-guidelines/)
+* Please follow SOLID principles
+* Please follow [Microsoft Engineering Guidelines](https://github.com/dotnet/aspnetcore/wiki/Engineering-guidelines)
+
+## Manifesto
+As aspiring Software Craftsmen we are raising the bar of professional software development by practicing it and helping others learn the craft.
+
+Through this work we have come to value:
+
+* Not only working software,
+but also well-crafted software
+* Not only responding to change,
+but also steadily adding value
+* Not only individuals and interactions,
+but also a community of professionals
+* Not only customer collaboration,
+but also productive partnerships
+
+That is, in pursuit of the items on the left we have found the items on the right to be indispensable.
+
+[Manifesto for Software Craftsmanship](https://manifesto.softwarecraftsmanship.org/) is the originator of this text.
+
+## License
+By contributing to `Shared Kernel API by Codebelt`, you agree that your contributions will be licensed
+under the MIT license.
diff --git a/.github/codecov.yml b/.github/codecov.yml
@@ -0,0 +1,2 @@
+ignore:
+  - "test"
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: "nuget"
+    directory: "/src"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+  - package-ecosystem: "nuget"
+    directory: "/test"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+  - package-ecosystem: "github-actions"
+    directory: "/.github/workflows"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml
@@ -3,9 +3,10 @@ on:
   pull_request:
     branches: [main]
     paths-ignore:
-      - .github/**
+      - .codecov/**
+      - .docfx/**
       - .nuget/**
-      - '**.md'
+      - '**/*.md'
   workflow_dispatch:
     inputs:
       configuration:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,42 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '45 17 * * 2'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 # Shared Kernel API by Codebelt
 
-[![Shared Kernel CI/CD Pipeline](https://github.com/codebeltnet/shared-kernel/actions/workflows/pipelines.yml/badge.svg)](https://github.com/codebeltnet/shared-kernel/actions/workflows/pipelines.yml) [![codecov](https://codecov.io/gh/codebeltnet/shared-kernel/graph/badge.svg?token=xdDAkBq1s3)](https://codecov.io/gh/codebeltnet/shared-kernel) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=sharedkernel&metric=alert_status)](https://sonarcloud.io/dashboard?id=sharedkernel) [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=sharedkernel&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=sharedkernel) [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=sharedkernel&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=sharedkernel) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=sharedkernel&metric=security_rating)](https://sonarcloud.io/dashboard?id=sharedkernel)
+[![Shared Kernel CI/CD Pipeline](https://github.com/codebeltnet/shared-kernel/actions/workflows/pipelines.yml/badge.svg)](https://github.com/codebeltnet/shared-kernel/actions/workflows/pipelines.yml) [![codecov](https://codecov.io/gh/codebeltnet/shared-kernel/graph/badge.svg?token=xdDAkBq1s3)](https://codecov.io/gh/codebeltnet/shared-kernel) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=sharedkernel&metric=alert_status)](https://sonarcloud.io/dashboard?id=sharedkernel) [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=sharedkernel&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=sharedkernel) [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=sharedkernel&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=sharedkernel) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=sharedkernel&metric=security_rating)](https://sonarcloud.io/dashboard?id=sharedkernel) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/codebeltnet/shared-kernel/badge)](https://scorecard.dev/viewer/?uri=github.com/codebeltnet/shared-kernel)
 
 An open-source project offering a lightweight .NET library with essential components for implementing the shared kernel pattern within the context of Domain-Driven Design (DDD). It provides generic and reusable (Single) Value Objects utilizing the [Savvyio.Domain](https://www.nuget.org/packages/Savvyio.Domain) package for fundamental classes, records and interfaces.
 
