feat/scorecard certifier#72
Conversation
himasree424
commented
Nov 18, 2025
- Adds scorecard service account and deployment files
- Adds respective tests
- Update chart version to 0.7.0
Signed-off-by: Nichenametla Hima Sree <nhimasree@guidewire.com>
Signed-off-by: Nichenametla Hima Sree <nhimasree@guidewire.com>
brandtkeller
left a comment
There was a problem hiding this comment.
Minor thoughts on the overall approach. Otherwise I'll probably do some local testing to validate default configuration.
| @@ -0,0 +1,90 @@ | |||
| # Copyright Kusari, Inc. and GUAC contributors | |||
| # Licensed under the MIT license. See LICENSE file in the project root for details. | |||
| {{ if .Values.guac.scorecardCertifier.enabled }} | |||
There was a problem hiding this comment.
Should we update the values.yaml to reflect these resources existing?
There was a problem hiding this comment.
I have added the scorecard certifier changes to values.yaml
| command: | ||
| {{ toYaml .Values.guac.scorecardCertifier.image.command | indent 10 }} | ||
| workingDir: {{ .Values.guac.guacImage.workingDir }} | ||
| {{- if .Values.guac.scorecardCertifier.ports }} |
There was a problem hiding this comment.
This conditional uses .Values.guac.scorecardCertifier.ports but the content following uses .Values.guac.scorecardCertifier.image.ports - is this a mismatch?
There was a problem hiding this comment.
This is intentional and follows the same pattern used across all other deployment templates in this repository. The conditional .Values.guac.scorecardCertifier.ports acts as a boolean flag to enable/disable port rendering, while .Values.guac.scorecardCertifier.image.ports contains the actual port configuration.
There was a problem hiding this comment.
great points - it does follow current standards.
Signed-off-by: Nichenametla Hima Sree <nhimasree@guidewire.com>
| # GITHUB_AUTH_TOKEN is required for scorecard certifier to fetch scorecards from GitHub | ||
| # Users should create a Kubernetes secret with their GitHub token and reference it here | ||
| # Example: | ||
| # kubectl create secret generic github-token --from-literal=token=<your-github-token> |
There was a problem hiding this comment.
I don't hold any hard opinions here - but I am curious if we should disable this certifier deployment by default given the dependency on an existing secret?
There was a problem hiding this comment.
Agreed, disabled scorecard by default
Signed-off-by: Nichenametla Hima Sree <nhimasree@guidewire.com>
brandtkeller
left a comment
There was a problem hiding this comment.
I don't hold approval authority over this repository but have been spending time thinking over improvements.
I'd recommend these changes for merge. Current state is backwards compatible given the opt-in values and does follow current standards.
I want to look further at improving devex for values schema generation recommendations and CI pipelines for this repository.
| value: scorecard-certifier | ||
| - equal: | ||
| path: spec.template.spec.containers[0].image | ||
| value: ghcr.io/guacsec/guac@sha256:167e823f36e268f66b12a79d4c4b39df23c2f87847817c161b6c6ddbc9ee5c4e |
There was a problem hiding this comment.
I know this is not in other files but can you add a tag on which guac version this represents?
There was a problem hiding this comment.
The corresponding version is v0.1.1, I have updated that and fixed tests as well.
Signed-off-by: Nichenametla Hima Sree <nhimasree@guidewire.com>
d7443e0 to
a6273c9
Compare
|
Since this has been approved, could we please proceed with merging the PR |