github.com/yogeshkumararora/slsa-github-generator@v1.10.1-0.20240520161934-11278bd5afb4/CONTRIBUTING.md (about) 1 # Contributor Guide 2 3 This guide will help you understand the overall organization of the 4 [slsa-github-generator](https://github.com/yogeshkumararora/slsa-github-generator) 5 project, and direct you to the best places to get started contributing. You'll 6 be able to pick up issues, write code to fix them, and get your work reviewed 7 and merged. 8 9 This document is the single source of truth for how to contribute to the code 10 base. Feel free to browse the [open issues] and file new ones, all feedback is 11 welcome! 12 13 <!-- markdown-toc --bullets="-" -i CONTRIBUTING.md --> 14 15 <!-- toc --> 16 17 - [How can I help?](#how-can-i-help) 18 - [Development](#development) 19 - [Prerequisites](#prerequisites) 20 - [Create a GitHub account](#create-a-github-account) 21 - [Code of Conduct](#code-of-conduct) 22 - [Setting up your development environment](#setting-up-your-development-environment) 23 - [Making Changes](#making-changes) 24 - [Create a fork](#create-a-fork) 25 - [Create a test repo](#create-a-test-repo) 26 - [Development Basics](#development-basics) 27 - [Make your changes](#make-your-changes) 28 - [Run tests](#run-tests) 29 - [Updating Github Actions Dependencies](#updating-github-actions-dependencies) 30 - [Renovate-Bot PRs](#renovate-bot-prs) 31 - [Submit a PR](#submit-a-pr) 32 - [Preferred Languages](#preferred-languages) 33 - [Testing](#testing) 34 - [Pre-submits and Unit Tests](#pre-submits-and-unit-tests) 35 - [End-to-End (e2e) Tests](#end-to-end-e2e-tests) 36 - [Linters](#linters) 37 - [Releasing](#releasing) 38 - [Community](#community) 39 - [Communication](#communication) 40 41 <!-- tocstop --> 42 43 ## How can I help? 44 45 There are many areas in the project that need help. These are managed in GitHub 46 issues. Please let us know if you are willing to work on the issue and how you 47 can contribute. 48 49 - For new developers and contributors, please see issues labeled 50 [good first issue]. These issues should require minimal background knowledge 51 to contribute. 52 - For slightly more involved changes that may require some background knowledge, 53 please see issues labeled [help wanted] 54 - For experienced developers, any of our [open issues] is open to contribution. 55 56 If you don't find an existing issue for your contribution feel free to [create a 57 new 58 one](https://github.com/yogeshkumararora/slsa-github-generator/issues/new/choose). 59 60 ## Development 61 62 This section covers what you need to set up a development environment, how 63 to make changes, and how to submit them. 64 65 Before you decide to make a change, please take some time to identify an 66 existing issue where you would like to contribute, or create a new issue. See 67 [How can I help?](#how-can-i-help) for more info. 68 69 ### Prerequisites 70 71 Before submitting code, you should first complete the following 72 prerequisites. 73 74 #### Create a GitHub account 75 76 Before you get started, you will need to [signup](http://github.com/signup) for 77 a GitHub user account. 78 79 #### Code of Conduct 80 81 Please make sure to read and observe the [Code of Conduct]. 82 83 #### Setting up your development environment 84 85 It is not required to set up a developer environment in order to contribute to 86 slsa-github-generator but it may be required for code changes. 87 88 slsa-github-generator uses primarily [Go](https://go.dev/) and 89 [TypeScript](https://www.typescriptlang.org/) programming languages. However 90 much of the logic of the project is implemented in GitHub Actions workflows that 91 are written in [YAML](https://yaml.org/) and make heavy use of Bash scripts. 92 93 - [Install Go](https://go.dev/doc/install) 94 - [Install Node.js](https://nodejs.org/en/download/) 95 96 Some Node.js projects require Jest as a testing framework. 97 98 - [Install Jest](https://jestjs.io/docs/getting-started) 99 100 This project also uses several linters in order to maintain code quality. If you 101 wish to run these linters locally, follow the instructions for each of these to 102 install them on your development machine. 103 104 - [yamllint](https://yamllint.readthedocs.io/) 105 - [golangci-lint](https://golangci-lint.run/) 106 - [shellcheck](https://www.shellcheck.net/) 107 - [eslint](https://eslint.org/) (NOTE: eslint is installed automatically so you 108 don't need to install it) 109 110 ### Making Changes 111 112 This section will cover how to make changes and test them. 113 114 #### Create a fork 115 116 Since this project includes reusable workflows for use on GitHub Actions local 117 development is limited to building and testing the binaries used by the reusable 118 workflows. The workflows themselves must be tested in your own fork. You can 119 fork the slsa-github-generator repo via the [Fork 120 button](https://github.com/yogeshkumararora/slsa-github-generator/fork). 121 122 #### Create a test repo 123 124 Most workflows are actually run when pushing to GitHub so in order to test that 125 a code change is working you may want to set up a GitHub repository for testing. 126 This repository should have some workflows that call the actions or reusable 127 workflows you are testing. 128 129 Some example test repos: 130 131 - [actions-test](https://github.com/ianlewis/actions-test/tree/main/.github/workflows) 132 - [slsa-on-github-test](https://github.com/laurentsimon/slsa-on-github-test/tree/main/.github/workflows) 133 134 #### Development Basics 135 136 Local commands that can be used for development are defined in the 137 [`Makefile`](./Makefile). You can list the available targets by running `make`. 138 139 ```shell 140 make 141 ``` 142 143 #### Make your changes 144 145 When making changes in your fork, start by making a new branch. 146 147 ```shell 148 git checkout -b my-feature-branch 149 ``` 150 151 Make your changes and then commit them to your branch. Make sure to sign-off on 152 your commits. This establishes [Developer Certificate of Origin] which indicates 153 that you are the author of the changes and are able to submit it under the 154 project [LICENSE]. 155 156 ```shell 157 git commit -s 158 ``` 159 160 You may periodically need to merge with the main branch. Be sure to sign-off on 161 the merges as well. 162 163 ```shell 164 git merge --signoff main 165 ``` 166 167 #### Run tests 168 169 Before you submit your change run the unit tests and linters to ensure your 170 changes are ready to go. See the [Testing](#testing) section for more info. 171 172 #### Updating Github Actions Dependencies 173 174 ##### Renovate-Bot PRs 175 176 `renovate-bot` will periodically send PRs to update the `package.json` and `package-lock.json` in the Github Actions of this repo. 177 But, it will not also automatically recompile the packages into `.js` files. 178 179 We use a Workflow [Update actions dist post-commit](../.github/workflows/update-actions-dist-post-commit.yml) to 180 help maintainers easily recompile the Github Actions against a PR. 181 182 Use the UI to invoke the workflow 183 184 [update-actions-dist-post-commit.yml](https://github.com/slsa-framework/slsa-verifier/actions/workflows/update-actions-dist-post-commit.yml) 185 186 or invoke with 187 188 ```shell 189 gh workflow run update-actions-dist-post-commit.yml -F pr_number=<pull request number> 190 ``` 191 192 #### Submit a PR 193 194 Once your change is ready you can submit a PR via the website. 195 196 The title of your PR should include a [Conventional Commits] prefix label. For 197 example, bug fixes should be prefixed with "fix:". PRs for new features should 198 be prefixed with "feat:" etc. 199 200 Please also include as much information as your can about your change and any 201 relevant issues in the PR description. 202 203 ### Preferred Languages 204 205 We prefer the use of the following programming languages: 206 207 - [Go](https://go.dev/) - For builders/generators. 208 - [TypeScript](https://www.typescriptlang.org/) - For GitHub actions. 209 - [Bash](https://www.gnu.org/software/bash/) - For scripts in GitHub actions and workflows. 210 211 We do not have a strict rule that proscribes the use of a specific language. 212 However, any PRs that introduce a new language should include justification for 213 adding the new language as well as a plan for adding the necessary tooling and 214 testing infrastructure. 215 216 We will generally reject PRs that introduce the use of memory-unsafe 217 languages or use of existing languages in memory-unsafe ways (e.g. the Go 218 [unsafe](https://pkg.go.dev/unsafe) package). See the 219 [Security Policy](./SECURITY.md) for more info. 220 221 ## Testing 222 223 A number of automated tests and linters are used to maintain stability and 224 good code quality. New PRs that include new functionality should include 225 automated tests for that functionality. 226 227 ### Pre-submits and Unit Tests 228 229 Pre-submits run on each Pull Request and will block it from being merged if 230 they fail. These tests are located in the [`.github/workflows`](.github/workflows) 231 directory and begin with the prefix `pre-sumbit`. 232 233 Unit tests are run as pre-submit tests in the 234 [`pre-submit.units.yml`](.github/workflows/pre-submit.units.yml) file. You can run 235 unit tests locally using `make`. This requires that the Go runtime be installed. 236 237 ```shell 238 make unit-test 239 ``` 240 241 Tests for GitHub Actions created with Typescript require [Jest](https://jestjs.io). 242 243 ```shell 244 make ts-test 245 ``` 246 247 ### End-to-End (e2e) Tests 248 249 This project has a number of End-to-End tests that are scheduled to run daily. 250 These tests are located in the 251 [`example-package`](https://github.com/slsa-framework/example-package/tree/main/.github/workflows) 252 repository and include a number of testing workflows. Please read the e2e 253 testing 254 [`README.md`](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/README.md) 255 for more information about e2e tests. 256 257 ### Linters 258 259 You can run all linters using `make`. 260 261 ```shell 262 make lint 263 ``` 264 265 These linters will also run as GitHub checks for pull requests via 266 [`pre-submit.lint.yml`](.github/workflows/pre-submit.lint.yml) file. 267 268 ## Releasing 269 270 Please see [`RELEASE.md`](RELEASE.md). 271 272 ## Community 273 274 This project is part of the [SLSA Community](https://slsa.dev/community) working 275 with the SLSA Tooling SIG. 276 277 ## Communication 278 279 The [`#slsa-tooling`](https://slack.com/app_redirect?team=T019QHUBYQ3&channel=slsa-tooling) 280 channel in the [OpenSSF Slack](https://slack.openssf.org/) is used for 281 communication and sharing ideas. 282 283 Communication about bugs, usage, and new feature development is also done on 284 [GitHub issues](https://github.com/yogeshkumararora/slsa-github-generator/issues). 285 286 [code of conduct]: https://github.com/slsa-framework/governance/blob/main/8._Code_of_Conduct.md 287 [conventional commits]: https://www.conventionalcommits.org/en/v1.0.0/ 288 [developer certificate of origin]: https://developercertificate.org/ 289 [license]: ./LICENSE 290 [good first issue]: https://github.com/yogeshkumararora/slsa-github-generator/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22 291 [help wanted]: https://github.com/yogeshkumararora/slsa-github-generator/issues?q=is%3Aissue+is%3Aopen+label%3A%22status%3Ahelp+wanted%22 292 [open issues]: https://github.com/yogeshkumararora/slsa-github-generator/issues