8 changes: 8 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -141,6 +141,14 @@ There are other great tools out there to manage DCO signoffs for developers to m
* Additionally, it is possible to use shell scripting to automatically apply the sign-off. For an example for bash to be put into a .bashrc file, see [here](https://wiki.lfenergy.org/display/HOME/Contribution+and+Compliance+Guidelines).
* Alternatively, you can add `prepare-commit-msg hook` in .git/hooks directory. For an example, see [here](https://github.com/Samsung/ONE-vscode/wiki/ONE-vscode-Developer's-Certificate-of-Origin).

## Automated workflow review process

In all repositories, automated workflows via github actions are used to evaluate code quality. Some basic checks are already covered by [Pre-commit hooks](#pre-commit-hooks).
More extensive checks are not included in the pre-commit hooks, such as building the full C++ project, running `clang-tidy`, and building documentation with Sphinx and Read the Docs.
These checks are mandatory before any merge. For security reasons, maintainers review each pull request every time before approving workflow runs for a commit.
This increases review effort and can delay the overall process.
When possible, contributors are encouraged to run and fix these checks on their own development machine before starting the [Code reviews](#code-reviews) process.

## Code reviews

All patches and contributions, including patches and contributions by project members, require review by one of the maintainers of the project. We
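Review bot: the sentence "For security reasons, maintainers review each pull request every time before approving workflow runs for a commit" states the policy but not the reason, which is the point a contributor needs in order to understand the delay; suggest spelling out that workflow runs triggered by a pull request execute the contributor's changes on the project's CI, so a maintainer reads the diff before approving each run. Two smaller points in the same hunk: "github actions" should be written "GitHub Actions", and the closing sentence would be more actionable if it pointed the contributor at where the local equivalents of the "more extensive checks" (full C++ build, `clang-tidy`, Sphinx docs build) are documented, since the hunk lists them but gives no pointer beyond the pre-commit hooks section.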
10 changes: 10 additions & 0 deletions SECURITY.md
Expand Up @@ -34,6 +34,16 @@ possible.
On repositories for which Private Vulnerability Reporting is not enabled, please report vulnerabilities as bugs via the
GitHub issues tab.

## Third-Party Software and Development Tools

Like most software projects, our repositories rely on external dependencies.
We aim to keep these dependencies to a minimum and select sources that are mature, widely used, and trusted.
Users remain responsible for evaluating whether these dependencies satisfy their own security requirements.

We also provide recommendations for development tools in our build guides and VS Code extensions in the `.vscode/extentions.json` for each repository.
These recommendations are optional.
Developers should evaluate them against their own security policies before installation and use.

### power-grid-model

[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7298/badge)](https://bestpractices.coreinfrastructure.org/projects/7298)
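Review bot: the path `.vscode/extentions.json` in the second added paragraph is misspelled; the file VS Code reads for workspace extension recommendations is `.vscode/extensions.json`, so a reader following this text will look for a file that does not exist. Suggest `VS Code extensions in the `.vscode/extensions.json` file of each repository`. On the first added paragraph, "We aim to keep these dependencies to a minimum and select sources that are mature, widely used, and trusted" would be more useful to the users it addresses if it also said where the dependency list lives, since the paragraph tells users they are responsible for evaluating the dependencies without telling them where to find them.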