Repository to demonstrate use of Legit-Labs Legitify for repository governance.
Legitify provides a GitHub Action that can be used. The action needs authentication through a personal access token (PAT). As this is not necessarily best practice, an approach using a GitHub App is investigated as well. Read the next section for further details about the two methods.
Legitify checks for a number of policies that are documented in Legitify's docs.
The goal is to perform the scan through a GitHub App to avoid using a PAT. This does not work yet and needs further investigation.
This is the main workflow to scan this repository manually according to Legitify's default policies. In a production setting this scan should be scheduled on a daily or weekly basis.
The workflow creates an issue on success or failure to notify about the results. The issues are created from templates located at .github/templates. The templates contain placeholders that are replaced in the workflow run using jinja2.
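The following is an added example, not code from this repository, showing how a workflow step can turn scan findings into a success or failure issue from placeholder templates. The findings format (policy, severity, status), the severity names, the policy names and the two templates are all constructed for the example and do not reflect Legitify's real output schema or policy ids. Rendering uses jinja2 with StrictUndefined when the library is installed, so a template referencing a placeholder the workflow never supplies fails the run instead of silently producing an empty field; a minimal `{{ name }}` substitution is used as a fallback so the block runs without jinja2.

```python
"""Render a Legitify-style scan summary into a GitHub issue body.

Added example for the README above; not part of the repository. The
findings schema, severities, policy ids and templates are constructed.
"""
import re

# Constructed stand-ins for the files under .github/templates.
TEMPLATES = {
    "success": "## Legitify scan passed for {{ repo }}\n\n"
               "Checked {{ total }} policies, no failures.\n",
    "failure": "## Legitify scan failed for {{ repo }}\n\n"
               "{{ failed }} of {{ total }} policies failed:\n\n{{ table }}\n",
}

# Constructed ordering; used only to sort the failure table.
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed sample findings; a real workflow would parse the scanner's output file.
SAMPLE_FINDINGS = [
    {"policy": "branch_protection_missing", "severity": "HIGH", "status": "FAILED"},
    {"policy": "single_reviewer_allowed", "severity": "MEDIUM", "status": "FAILED"},
    {"policy": "secret_scanning_disabled", "severity": "MEDIUM", "status": "PASSED"},
]


def render(template: str, context: dict) -> str:
    """Fill {{ name }} placeholders; raise KeyError on any placeholder not in context."""
    try:
        import jinja2
    except ImportError:
        jinja2 = None
    if jinja2 is not None:
        # StrictUndefined turns a forgotten placeholder into a hard error.
        env = jinja2.Environment(undefined=jinja2.StrictUndefined, autoescape=False)
        try:
            return env.from_string(template).render(**context)
        except jinja2.UndefinedError as exc:
            raise KeyError(str(exc)) from exc

    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in context:
            raise KeyError(f"template references unknown placeholder {key!r}")
        return str(context[key])

    return re.sub(r"\{\{\s*(\w+)\s*\}\}", substitute, template)


def failure_table(failed: list) -> str:
    """Markdown table of failed policies, highest severity first."""
    rows = sorted(failed, key=lambda f: (SEVERITY_ORDER.get(f["severity"], 99), f["policy"]))
    lines = ["| Policy | Severity |", "|---|---|"]
    for f in rows:
        # Scanner-supplied text goes into a table cell, so escape the column separator.
        policy = f["policy"].replace("|", "\\|")
        lines.append(f"| {policy} | {f['severity']} |")
    return "\n".join(lines)


def summarize(repo: str, findings: list) -> tuple:
    """Pick the success or failure template and return (kind, title, body)."""
    failed = [f for f in findings if f["status"] == "FAILED"]
    kind = "failure" if failed else "success"
    context = {
        "repo": repo,
        "total": len(findings),
        "failed": len(failed),
        "table": failure_table(failed),
    }
    title = f"Legitify scan {kind}: {len(failed)} of {len(findings)} policies failed"
    return kind, title, render(TEMPLATES[kind], context)


if __name__ == "__main__":
    kind, title, body = summarize("example-org/example-repo", SAMPLE_FINDINGS)
    print(title)
    print(body)
```

In the workflow the returned title and body would be passed to the issue-creation step; the same function serves both the success and the failure path, so only the template selection differs between the two notifications.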