This action calculates a security rating or an OSS rule of play rating for an open source project. The rating contains a score and a label. The score is a number from 0 to 10.
The security rating shows how well the project cares about security; the OSS rules of play rating shows how well it cares about open source community and maintenance aspects. Both ratings take several aspects into account. You can find all the details in the section "What the security rating takes into account" of the security rating documentation and in the section "What the OSS rules of play rating takes into account" of the OSS rules of play documentation. Additional information about Fosstars, how the ratings are calculated and related content is available in the documentation as well.
Fosstars uses only publicly available data about open source projects.
The action creates a detailed report that explains how the rating was calculated. In addition, the report contains recommendations for improving the respective rating.
The action generates one of the following badges that reflect the labels of the respective ratings (see security or OSS rules of play):
The report and the badge are stored in a specified branch.
| Name | Required | Description |
|---|---|---|
| `rating` | Required | The rating this action should determine: `security` or `oss-rules-of-play`. Default: `security`. |
| `report-branch` | Required | A branch where the report and the badge should be stored. Default: `fosstars`. |
| `fosstars-version` | Required | The version of Fosstars to be used for calculating a rating. Default: `v1.11.0`. |
| `token` | Required | A token for fetching data about the project via the GitHub API, and for committing the report and badge to the specified branch. |
| `report-file` | Optional | A file name for the report. Default: `fosstars_report.md`. |
| `badge-file` | Optional | A file name for the badge. Default: `fosstars_badge.svg`. |
| `data-provider-config-urls` | Optional | A comma-separated list of data provider configuration URLs. The individual file names need to have the format `ProviderClassName.yaml` or `ProviderClassName.config.yaml`. Some data providers of the OSS Rules of Play rating require configuration files to work correctly, so SAP's default configuration files are used if the `oss-rules-of-play` rating is specified and no configuration URLs are passed to the action. |
| `git-user-name` | Optional | The git user name used when committing the report. Default: `Fosstars`. |
| `git-user-email` | Optional | The git user email address used when committing the report. Default: `[email protected]`. |
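The inputs above are easy to get subtly wrong: an unknown `rating` value, a missing `token`, or a configuration URL whose file name does not follow the documented `ProviderClassName.yaml` / `ProviderClassName.config.yaml` format. The following pre-flight check, an added example that is not part of the action or of this README, validates a `with:` mapping before it is committed to a workflow. It assumes the class-name part of a configuration file name is a Java-style identifier, insists that configuration is fetched over HTTPS, and reports (as a note, not an error) the documented fallback to SAP's default configuration files when `oss-rules-of-play` is selected without any URLs. Run against the example workflow further down, it flags all three URLs, because their file names end in `.config.yml` rather than the documented `.config.yaml`.

```python
import re
from urllib.parse import urlparse

# Allowed values of the `rating` input, as documented for the action.
RATINGS = ("security", "oss-rules-of-play")

# Documented file-name format for data provider configuration files:
# ProviderClassName.yaml or ProviderClassName.config.yaml. The class-name
# part being a Java-style identifier is an assumption of this example.
CONFIG_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.config)?\.yaml$")


def check_config_url(url):
    """Return a list of problems found with one data provider configuration URL.

    An empty list means the URL looks acceptable: it is fetched over HTTPS and
    its file name matches the documented ProviderClassName[.config].yaml format.
    """
    problems = []
    url = url.strip()
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append(f"{url}: configuration must be fetched from an https URL")
    file_name = parts.path.rsplit("/", 1)[-1]
    if not CONFIG_NAME_RE.match(file_name):
        problems.append(
            f"{url}: file name {file_name!r} is not ProviderClassName.yaml "
            "or ProviderClassName.config.yaml"
        )
    return problems


def check_inputs(inputs):
    """Validate the `with:` mapping of a Fosstars action step.

    Returns (problems, notes): problems are values the action documents as
    invalid or required but missing; notes describe documented fallback
    behaviour that is easy to miss.
    """
    problems, notes = [], []

    rating = inputs.get("rating", "security")
    if rating not in RATINGS:
        problems.append(f"rating {rating!r} is not one of {', '.join(RATINGS)}")

    if not inputs.get("token"):
        problems.append("token is required (e.g. ${{ secrets.GITHUB_TOKEN }})")

    raw = inputs.get("data-provider-config-urls", "")
    urls = [u.strip() for u in raw.split(",") if u.strip()]
    for url in urls:
        problems.extend(check_config_url(url))

    if rating == "oss-rules-of-play" and not urls:
        notes.append(
            "no data-provider-config-urls given: the action falls back to "
            "SAP's default configuration files for the OSS Rules of Play rating"
        )
    return problems, notes


if __name__ == "__main__":
    # Constructed sample: the `with:` values of the example workflow in this README.
    sample = {
        "rating": "security",
        "report-branch": "fosstars-report",
        "report-file": "fosstars_security_rating.md",
        "badge-file": "fosstars_security_rating.svg",
        "token": "${{ secrets.GITHUB_TOKEN }}",
        "data-provider-config-urls": ",".join([
            "https://raw.githubusercontent.com/your-org/your-repo/main/conf/ReadmeInfo.config.yml",
            "https://raw.githubusercontent.com/your-org/your-repo/main/conf/ContributingGuidelineInfo.config.yml",
            "https://raw.githubusercontent.com/your-org/your-repo/main/conf/LicenseInfo.config.yml",
        ]),
    }
    found_problems, found_notes = check_inputs(sample)
    for line in found_problems:
        print("PROBLEM:", line)
    for line in found_notes:
        print("NOTE:", line)
```

The check is deliberately strict about the file-name suffix: a configuration file the action cannot match to a provider class is silently useless, so catching a `.yml`/`.yaml` mismatch before the workflow runs saves a confusing report.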
Here is an example workflow that updates the report every day, or when a commit is pushed. The report is stored in the `fosstars-report` branch.
```yaml
name: "Fosstars"

on:
  push:
    branches:
      - main
  schedule:
    - cron: "0 0 * * *"

jobs:
  create_fosstars_report:
    runs-on: ubuntu-latest
    name: "Security rating"
    steps:
      # The version tags of both actions are not recoverable from this copy of the
      # page; <version> is a placeholder for the tag (or commit) you pin to.
      - uses: actions/checkout@<version>
      - uses: SAP/fosstars-rating-core-action@<version>
        with:
          rating: security
          report-branch: fosstars-report
          report-file: fosstars_security_rating.md
          badge-file: fosstars_security_rating.svg
          token: ${{ secrets.GITHUB_TOKEN }}
          data-provider-config-urls: https://raw.githubusercontent.com/your-org/your-repo/main/conf/ReadmeInfo.config.yml,https://raw.githubusercontent.com/your-org/your-repo/main/conf/ContributingGuidelineInfo.config.yml,https://raw.githubusercontent.com/your-org/your-repo/main/conf/LicenseInfo.config.yml
```
The badge is stored in the same branch and can be used in a README file:
[![Fosstars security rating](https://raw.githubusercontent.com/your-organisation/your-project/fosstars-report/fosstars-security-rating.svg)](https://github.com/your-organisation/your-project/blob/fosstars-report/fosstars_security_rating.md)
Check out an example workflow that runs the action. That workflow stores its report in the `fosstars-report` branch.
Please see GitHub issues.
Please create a new GitHub issue if you found a bug, or you'd like to suggest an enhancement. If you think you found a security issue, please follow this guideline.
If you have a question, please open a discussion.
We appreciate feedback, ideas for improvements and, of course, pull requests.
Please follow this guideline if you'd like to contribute to the project.