Skip to content

feat/scorecard certifier#72

Merged
lumjjb merged 5 commits into
guacsec:mainfrom
himasree424:feat/scorecard-certifier
Feb 9, 2026
Merged

feat/scorecard certifier#72
lumjjb merged 5 commits into
guacsec:mainfrom
himasree424:feat/scorecard-certifier

Conversation

@himasree424

Copy link
Copy Markdown
  • Adds scorecard service account and deployment files
  • Adds respective tests
  • Update chart version to 0.7.0

Nichenametla Hima Sree added 2 commits November 18, 2025 10:11
Signed-off-by: Nichenametla Hima Sree <nhimasree@guidewire.com>
Signed-off-by: Nichenametla Hima Sree <nhimasree@guidewire.com>

@brandtkeller brandtkeller left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor thoughts on the overall approach. Otherwise I'll probably do some local testing to validate default configuration.

@@ -0,0 +1,90 @@
# Copyright Kusari, Inc. and GUAC contributors
# Licensed under the MIT license. See LICENSE file in the project root for details.
{{ if .Values.guac.scorecardCertifier.enabled }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we update the values.yaml to reflect these resources existing?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have added the scorecard certifier changes to values.yaml

command:
{{ toYaml .Values.guac.scorecardCertifier.image.command | indent 10 }}
workingDir: {{ .Values.guac.guacImage.workingDir }}
{{- if .Values.guac.scorecardCertifier.ports }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This conditional uses .Values.guac.scorecardCertifier.ports but the content following uses .Values.guac.scorecardCertifier.image.ports - is this a mismatch?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is intentional and follows the same pattern used across all other deployment templates in this repository. The conditional .Values.guac.scorecardCertifier.ports acts as a boolean flag to enable/disable port rendering, while .Values.guac.scorecardCertifier.image.ports contains the actual port configuration.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great points - it does follow current standards.

Signed-off-by: Nichenametla Hima Sree <nhimasree@guidewire.com>
Comment thread charts/guac/values.yaml
# GITHUB_AUTH_TOKEN is required for scorecard certifier to fetch scorecards from GitHub
# Users should create a Kubernetes secret with their GitHub token and reference it here
# Example:
# kubectl create secret generic github-token --from-literal=token=<your-github-token>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't hold any hard opinions here - but I am curious if we should disable this certifier deployment by default given the dependency on an existing secret?

@himasree424 himasree424 Nov 24, 2025

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, disabled scorecard by default

Signed-off-by: Nichenametla Hima Sree <nhimasree@guidewire.com>

@brandtkeller brandtkeller left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't hold approval authority over this repository but have been spending time thinking over improvements.

I'd recommend these changes for merge. Current state is backwards compatible given the opt-in values and does follow current standards.

I want to look further at improving devex for values schema generation recommendations and CI pipelines for this repository.

value: scorecard-certifier
- equal:
path: spec.template.spec.containers[0].image
value: ghcr.io/guacsec/guac@sha256:167e823f36e268f66b12a79d4c4b39df23c2f87847817c161b6c6ddbc9ee5c4e

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this is not in other files but can you add a tag on which guac version this represents?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The corresponding version is v0.1.1, I have updated that and fixed tests as well.

@lumjjb lumjjb requested a review from pxp928 December 10, 2025 23:05
Signed-off-by: Nichenametla Hima Sree <nhimasree@guidewire.com>
@himasree424 himasree424 force-pushed the feat/scorecard-certifier branch from d7443e0 to a6273c9 Compare December 11, 2025 04:44
@himasree424

himasree424 commented Jan 22, 2026

Copy link
Copy Markdown
Author

Since this has been approved, could we please proceed with merging the PR

@lumjjb lumjjb merged commit e4415b3 into guacsec:main Feb 9, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants