diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 00000000..10fb6fbc --- /dev/null +++ b/.github/workflows/release.yaml @@ -0,0 +1,27 @@ +on: + push: + tags: + - '*' +permissions: + id-token: write # Undocumented OIDC support. + packages: write # To publish container images to GHCR + contents: write # To create a release +jobs: + release: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-go@v2 + with: + go-version: 1.17 + - uses: sigstore/cosign-installer@main + - run: go install github.com/google/ko@v0.10.0 + - run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.workflow }} --password-stdin + - run: KO_DOCKER_REPO=ghcr.io/${{ github.repository_owner }} ko publish -B ./cmd/allstar > container + - run: docker pull $(cat container) + - run: docker tag $(cat container) ghcr.io/${{ github.repository_owner }}/allstar:${{ github.ref_name }} + - run: docker push ghcr.io/${{ github.repository_owner }}/allstar:${{ github.ref_name }} + - run: COSIGN_EXPERIMENTAL=1 cosign sign -a git_sha=$GITHUB_SHA ghcr.io/${{ github.repository_owner }}/allstar:${{ github.ref_name }} + - run: gh release create ${{ github.ref_name }} --notes "ghcr.io/${{ github.repository_owner }}/allstar:${{ github.ref_name }}" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/README.md b/README.md index ab04364c..06fd5132 100644 --- a/README.md +++ b/README.md 
@@ -2,22 +2,26 @@ # **Allstar** -## Overview +## Overview - [What Is Allstar?](#what-is-allstar) +## What's new with Allstar + +- [whats-new.md](whats-new.md) + ## Disabling Unwanted Issues - [Help! I'm getting issues created by Allstar and I don't want them!](#disabling-unwanted-issues-1) -## Getting Started +## Getting Started -- [Background](#background) -- [Org-Level Options](#org-level-options) +- [Background](#background) +- [Org-Level Options](#org-level-options) - [Installation Options](#installation-options) - [Quickstart Installation](#quickstart-installation) - [Manual Installation](#manual-installation) - + ## Policies and Actions - [Actions](#actions) - [Policies](#policies) 
@@ -32,21 +36,27 @@ ________ ________ -## Overview +## Overview ### What is Allstar? -Allstar is a GitHub App that continuously monitors GitHub organizations or repositories for adherence to security best practices. -If Allstar detects a security policy violation, it creates an issue to alert the repository or organization owner. -For some security policies, Allstar can also automatically change the project setting that caused the violation, reverting it to the expected state. +Allstar is a GitHub App that continuously monitors GitHub organizations or +repositories for adherence to security best practices. If Allstar detects a +security policy violation, it creates an issue to alert the repository or +organization owner. For some security policies, Allstar can also automatically +change the project setting that caused the violation, reverting it to the +expected state. -Allstar’s goal is to give you finely tuned control over the files and settings that affect the security of your projects. -You can choose which security policies to monitor at both the organization and repository level, and how to handle policy violations. -You can also develop or contribute new policies. +Allstar’s goal is to give you finely tuned control over the files and settings +that affect the security of your projects. You can choose which security +policies to monitor at both the organization and repository level, and how to +handle policy violations. You can also develop or contribute new policies. Allstar is developed under the [OpenSSF](https://openssf.org/) organization, as a part of the [Securing Critical Projects Working -Group](https://github.com/ossf/wg-securing-critical-projects). +Group](https://github.com/ossf/wg-securing-critical-projects). + +## [What's new with Allstar](whats-new.md) ## Disabling Unwanted Issues If you're getting unwanted issues created by Allstar, follow [these directions](opt-out.md) to opt out. 
diff --git a/whats-new.md b/whats-new.md new file mode 100644 index 00000000..137243c6 --- /dev/null +++ b/whats-new.md @@ -0,0 +1,53 @@ +# What's new with Allstar + +Major features and changes added to Allstar. + +## Added since last release + +- + +## Release v2.0 + +- Branch Protection added the `requireStatusChecks` setting to ensure listed + status checks are set in protection settings. Also enforces the + `requireUpToDateBranch` option, if `requireStatusChecks` is set. + +- You may now opt-out of repos marked as "archived" in GitHub with the + `optOutArchivedRepos` option. + +- Binary Artifacts policy issue text improved. + +- A custom footer can be added to all issues created in an organization with + the `issueFooter` option. + +- Branch Protection now supports the "fix" action. + +## Proposed functionality changes in v2.0 + +- Option `testingOwnerlessAllowed` in Outside Collaborator policy. Currently + defaults true, proposal to default to false in next release. + + - Note: this was temporarily enabled in Jan, but then turned off due to a bug. + +## Pre v2.0 + +Regular releases were not made before v2.0, so all previous notes are here. + +- All issues for an org can be routed to a single repo using the `issueRepo` + setting. + +- Org config can now be located in `.github/allstar` as a secondary location + after the `.allstar` repo. + +- Issues can be created with a custom label using the `issueLabel` option. + +- Private or Public repositories can be opt-out as a group with the + `optOutPrivateRepos` or `optOutPublicRepos` options. + +- We will retroactively call this Allstar v1.0: Allstar announced + https://openssf.org/blog/2021/08/11/introducing-the-allstar-github-app/ + +- Initial policies and features built + +- Allstar was proposed to the OpenSSF Securing Critical Projects WG and + accepted https://youtu.be/o3SiBDUTCrw?t=300
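Review bot: in `.github/workflows/release.yaml`, `- uses: sigstore/cosign-installer@main` pulls the signing tool from a floating branch into a job that holds `id-token: write`, `packages: write` and `contents: write`, so a compromised or merely broken `main` on that action runs with enough authority to push and keylessly sign an image under this repository's identity; pin it (and `actions/checkout@v2`, `actions/setup-go@v2`) to a full commit SHA. The signature is also applied to a mutable tag, `cosign sign -a git_sha=$GITHUB_SHA ghcr.io/${{ github.repository_owner }}/allstar:${{ github.ref_name }}`, after a `docker pull` / `docker tag` / `docker push` round trip, instead of to the digest reference ko already wrote to `container`; signing `$(cat container)` and applying the tag with `ko publish -B -t ${{ github.ref_name }} ./cmd/allstar` drops the round trip (which would push only one platform's manifest if ko were ever run with `--platform=all`) and binds the signature to the exact artifact that was built. Two smaller points: `docker login ghcr.io -u ${{ github.workflow }}` passes the workflow name as the username where `${{ github.actor }}` is the documented value (GHCR authenticates on the token, so this works by accident), and the `tags: - '*'` trigger turns any pushed tag into a signed release, which `'v*'` plus tag protection would narrow.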
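Review bot: in the first README hunk, the new TOC entry `- [whats-new.md](whats-new.md)` links to a file while every neighbouring entry is an in-page anchor (`#what-is-allstar`, `#background`), and it shows the filename rather than a title; `- [What's new with Allstar](whats-new.md)` under the existing Overview list reads consistently with the rest of the TOC. Most of the remaining hunk is trailing-whitespace removal on `## Overview`, `## Getting Started` and the `- [Background](#background)` lines, which is fine but buries the one real line this hunk adds.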
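Review bot: in the second README hunk, `## [What's new with Allstar](whats-new.md)` makes the heading itself the link, unlike every other heading on the page, and repeats the TOC heading text so the body anchor becomes the `-1` suffixed form that `#disabling-unwanted-issues-1` already works around; a plain `## What's new with Allstar` heading followed by a one-line sentence linking `whats-new.md` keeps the page's own convention. The rest of the hunk re-wraps the Overview paragraphs at 80 columns without changing a word; moving that whitespace-only reflow to its own commit would leave this change reviewable as the few lines it actually is.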
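Review bot: in `whats-new.md`, `## Added since last release` contains only an empty bullet (`- `), and the change this very PR introduces, tagged releases that publish `ghcr.io/<owner>/allstar:<tag>` and sign it with cosign keyless signing (`COSIGN_EXPERIMENTAL=1 cosign sign -a git_sha=$GITHUB_SHA ...`), is not listed; replace the empty bullet with that entry and say how consumers verify the image with `cosign verify`, since a signature nobody is told to check adds little. Also, `this was temporarily enabled in Jan` under `testingOwnerlessAllowed` needs a year, and the bare URLs in the Pre v2.0 list should be markdown links to match the `[OpenSSF](https://openssf.org/)` style used elsewhere in the repo.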