Description
Certain artifacts such as `SECURITY.md`, `CODE_OF_CONDUCT.md`, and certain GitHub Actions Workflow files need to be consistent across our GitHub Repositories. To achieve this, we can utilise TODO Group's repolinter, which provides an expressive, declarative JSON- and YAML-based format for validating the existence of files and directories and validating file hashes, to name a few. Notably, repolinter supports remote URLs for its configuration file, which we can take advantage of to ensure a consistent configuration that is hosted in this Git Repository.
In addition, repolinter can scan either the current Git Repository or remote ones, which allows us to perform "meta validation": we host a GitHub Action Workflow in this Git Repository that periodically scans all of our Git Repositories for a standardised GitHub Action Workflow, which in turn triggers the repolinter scans for that Git Repository.
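As an added example (not part of this issue or of the repolinter project), a centrally hosted YAML ruleset covering the checks described above: existence of the two policy files, and a hash check that the standardised workflow in each repository is byte-identical to the canonical copy. The rule option names follow the repolinter rule reference as I recall it, and the workflow path and hash value are placeholder assumptions.

```yaml
# Example repolinter v2 ruleset (added here, not from the issue above).
# Host this file in the central Git Repository and point every scan at it by URL.
# Assumptions: option names as in the repolinter rule reference; the workflow
# path and the hash below are placeholders to replace with real values.
$schema: https://raw.githubusercontent.com/todogroup/repolinter/master/rulesets/schema.json
version: 2
axioms: {}
rules:
  # A repository without a security policy fails the scan outright.
  security-policy-exists:
    level: error
    rule:
      type: file-existence
      options:
        globsAny: ["SECURITY.md"]
        nocase: true
  code-of-conduct-exists:
    level: error
    rule:
      type: file-existence
      options:
        globsAny: ["CODE_OF_CONDUCT.md"]
        nocase: true
  # "Meta validation": the standardised workflow that triggers repolinter must
  # exist AND match the canonical copy by hash, so a locally edited copy that
  # drops a step or changes the ruleset URL is reported rather than silently kept.
  repolinter-workflow-unchanged:
    level: error
    rule:
      type: file-hash
      options:
        globsAll: [".github/workflows/repolinter.yml"]   # assumed path
        algorithm: sha256
        hash: "PLACEHOLDER_SHA256_OF_CANONICAL_WORKFLOW"   # replace with real digest
```

Each repository's scan then fetches this ruleset by URL instead of carrying its own copy, e.g. `repolinter lint -g -u https://<central-repo-raw-url>/ruleset.yaml https://github.com/<org>/<repo>` (flag names as I recall the CLI help; confirm with `repolinter lint --help`).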
TODO Group is under the Linux Foundation, and repolinter can be considered a mature project.
Philips Labs' Continuous Compliance Action is a fork of repolinter with some additional features which attempt to complete the compliance reporting lifecycle. From its README:

We started working on a fork of Repolinter, one that introduced the ability to create different GitHub issues per rule that was broken.

Currently it is considered a work in progress, and could be considered as an alternative to repolinter.
For certain artifacts such as `SECURITY.md` and `CODE_OF_CONDUCT.md`, GitHub can provide links to a centralised copy hosted in the `.github` Git Repository for repositories that don't already have their own. This is what the Node.js GitHub Organisation is doing: nodejs/admin#644. However, the tradeoffs are:
- Only limited artifacts are replicated
- GitHub Action Workflows cannot be replicated
- These artifacts are not visible when performing a `git pull` to a local machine