Merge branch 'main' into joel/repo-setup

strangelove-ventures · Jun 25, 2024 · 1806ed7 · 1806ed7
2 parents b722fdf + edea444
commit 1806ed7
Show file tree

Hide file tree

Showing 4 changed files with 183 additions and 5 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -2,11 +2,11 @@
 
 The Strangelove team and the IBC community take security issues seriously. We appreciate your efforts to responsibly disclose your findings, and we will make all reasonable efforts to acknowledge your contributions.
 
-To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](security/advisories/new) tab. Please provide any data you have, and the more you can provide the more rapidly we can respond. However, do not let lack of knowledge delay your report. You may leave blank any areas of the security advisory except the detailed description of the issue, the steps to reproduce, and the version or versions you know to be affected.
+To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability) tab. Please provide any data you have, and the more you can provide the more rapidly we can respond. However, do not let lack of knowledge delay your report. You may leave blank any areas of the security advisory except the detailed description of the issue, the steps to reproduce, and the version or versions you know to be affected.
 
 The Strangelove team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. We may also coordinate with Amulet or other security consultants in the Cosmos/IBC space. 
 
 Report security bugs in third-party modules or plugins to the person or team maintaining the module. 
 
 The GitHub Security Advisory "Report a Vulnerability" tab should always be the first step in reporting a security related issue. 
-If for some reason you are unable to report through GitHub, please contact the Strangelove team at [email protected].
+If for some reason you are unable to report through GitHub, please contact the Strangelove team at [email protected].
diff --git a/docs/SETTINGS.md b/docs/SETTINGS.md
@@ -0,0 +1,178 @@
+# Repository Settings
+
+These are the default settings that should be configured in each repo, changes can be made as needed.
+The settings described here should serve as a baseline, it is more important that there is some setting in place rather 
+than the exact settings being used across every repo.
+
+After a repo's settings are configured this file can be safely deleted from the repo since it is not needed for the
+project to run.
+
+## General
+
+### Default Branch
+- Default branch should be `main`
+
+### Features
+- Enable `Issues` 
+- Enable `Projects` 
+
+`Wikis` and `Discussions` can be enabled if needed.
+
+### Pull Requests
+- Disable allow merge commits
+- Enable squash merging with default commit message set to `Pull request title`
+- Disable allow rebase merging
+- Enable always suggest updating pull request branches
+- Enable allow auto-merge
+- Enable automatically delete head branches
+
+## Collaborators and teams  
+
+Every repo should have a team or set of teams configured in the `Manage Access` section. Ideally there should be
+two teams where one team is given `Admin` access and the other team is given either `Maintain` or `Write` access.
+
+The team responsible for code review should also be added to the [CODEOWNERS](../.github/CODEOWNERS) file so that
+they are automatically added as reviewers when a PR is opened. Read more on code owners [here](https://help.github.com/articles/about-codeowners/).
+
+If it is unclear which teams should be configured as codeowners or have admin access, please reach out in Slack in the
+`#help-github` channel.
+
+## Moderation options
+
+### Interaction limits
+
+Default settings should be alright here and can also be configured across the entire organization 
+in the [organization settings](https://github.com/organizations/strangelove-ventures/settings/interaction_limits).
+
+### Code review limits
+
+Default settings should be alright here.
+
+### Reported content
+
+Default settings should be alright here.
+
+## Branches
+
+A new branch protection rule should be created for the `main` branch. This rule should have the following settings:
+
+- Enable require a pull request before merging
+- Enable require approvals with at least 1 approval needed before merging
+- Enable require review from Code Owners
+- Enable require status checks to pass before merging with the following CI actions being required:
+  - Lint PR titles to validate they follow conventional commit format
+  - golangci-lint should be passing
+  - All unit, integration, and e2e tests are passing
+  - Codebase is compiling from the branch used in the PR
+- The following CI actions should run on every PR but should not be required status checks before merging:
+  - Markdown link checker
+  - CodeQL analysis
+  - Spell checker
+- Enable require branches to be up-to-date before merging
+- Enable do not allow bypassing the above settings
+
+Additional branch protection rules should be created for branches that are currently being maintained, used for releases,
+and/or other important branches that should not be merged into without proper review and restrictions in place. 
+
+## Tags  
+
+Default settings should be alright here. 
+
+## Rules  
+
+### Rulesets
+
+Default settings should be alright here.
+
+### Insights 
+
+Default settings should be alright here.
+
+## Actions
+
+### General
+
+#### Actions permissions
+
+- Allow all actions and reusable workflows
+
+#### Artifact and log retention 
+
+- Default value of 90 days should be alright here
+
+#### Fork pull request workflows from outside collaborators
+
+- Require approval for first-time contributors
+
+#### Workflow permissions
+
+- Read and write permissions
+- Allow GitHub Actions to create and approve pull requests
+
+### Runners
+
+Default settings should be alright here.
+
+## Webhooks  
+
+Default settings should be alright here.
+
+## Copilot  
+
+Default settings should be alright here.
+
+## Environments  
+
+Default settings should be alright here.
+
+## Codespaces  
+
+Default settings should be alright here.
+
+## Pages  
+
+Default settings should be alright here.
+
+## Custom Properties 
+
+Default settings should be alright here.
+
+## Code security and analysis
+
+- Enable Private vulnerability reporting
+- Enable dependency graph
+
+It is important to ensure that at least two maintainers are subscribed to receive alerts for security vulnerabilities.
+To ensure this is the case, you need to ensure that you are watching the repo and that you enable `Custom` events for
+`Security alerts`. After that you will need to navigate to your personal GitHub account settings and ensure that
+you have `Notifications` configured to receive alerts for `Participating`, `@mentions`, and `custom` such that you 
+will receive notifications via email.
+
+To read more about how to ensure you are receiving notifications for security alerts please review the comment found in
+[this issue](https://github.com/strangelove-ventures/oss-repo-template-golang/pull/31#issuecomment-2142932841). If you
+are unsure about any of this or need further guidance please reach out in the `#help-github` channel in Slack.
+
+### Dependabot
+
+- Enable Dependabot alerts
+- Enable Dependabot security updates
+- Enable Dependabot version updates
+
+### Code scanning
+
+- Enable CodeQL analysis
+
+### Secret scanning
+
+- Enable secret scanning to receive alerts on GitHub for detected secrets, keys, or other tokens.
+
+## Deploy keys  
+
+Default settings should be alright here and can be adjusted as needed.
+
+## Secrets and variables
+
+Default settings should be alright here and can be adjusted as needed.
+
+
+
diff --git a/go.mod b/go.mod
@@ -114,7 +114,7 @@ require (
 	github.com/gtank/merlin v0.1.1 // indirect
 	github.com/gtank/ristretto255 v0.1.2 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-getter v1.7.4 // indirect
+	github.com/hashicorp/go-getter v1.7.5 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-version v1.6.0 // indirect

diff --git a/go.sum b/go.sum
@@ -674,8 +674,8 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-getter v1.7.4 h1:3yQjWuxICvSpYwqSayAdKRFcvBl1y/vogCxczWSmix0=
-github.com/hashicorp/go-getter v1.7.4/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
+github.com/hashicorp/go-getter v1.7.5 h1:dT58k9hQ/vbxNMwoI5+xFYAJuv6152UNvdHokfI5wE4=
+github.com/hashicorp/go-getter v1.7.5/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
 github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=