Earn OpenSSF Best Practices badge and OSPS Baseline L1/L2/L3 (partial) #147

Merged: timlnx merged 6 commits into master from ossf-bestpractices on May 24, 2026

Conversation

timlnx (Owner) commented May 24, 2026

Summary

This branch picks up the OpenSSF Best Practices passing badge and works through OSPS Baseline Levels 1, 2, and 3. The substantive deliverables are policy, verification, and architecture documents that survive both human review and the OpenSSF automated scanner.

Final score against each badge:

  • OpenSSF Best Practices (passing): badge embedded in README and docsite.
  • OSPS Baseline Level 1: 23 Met / 2 N/A / 0 Unmet.
  • OSPS Baseline Level 2: 19 Met / 0 Unmet (after this branch).
  • OSPS Baseline Level 3: 18 Met / 2 N/A / 1 structurally blocked (OSPS-QA-07.01 requires a non-author reviewer; cannot satisfy as a single-maintainer project without changing governance).

Documents added at repository root

  • MAINTAINERS.md — sole maintainer, sensitive resource access, responsibilities, and a standing open call for a Debian/Ubuntu co-maintainer (references issue Deb Maintainer Wanted #117).
  • ARCHITECTURE.md — design documentation covering runtime architecture, build/release pipeline, CI gates, trust boundaries, and documentation pipeline. Lives at root so the OpenSSF scanner picks it up via filename match.
  • SECURITY_ASSESSMENT.md — standing threat model describing attack surfaces, mitigations, and the automated security tooling stack.
  • SECURITY_POLICIES.md — combined SAST/SCA remediation thresholds and release-blocking criteria.
  • VERIFICATION.md — downstream consumer guide for verifying release integrity (SHA-256), authenticity (PEP 740 attestations via pypi-attestations), and provenance (CycloneDX SBOM).

Documents updated

  • SECURITY.md — added explicit CVD response timeframes (72h acknowledge, 7d triage), Scope of Support and Duration of Support sections, and Secrets and Credentials Policy.
  • docsite/source/contributing.rst — added Project Architecture section pointing at ARCHITECTURE.md; converted Automated Tests into a Testing Policy with MUST language for major changes.
  • README.rst and docsite/source/index.rst.in — three OSSF/security badges (Scorecard, Best Practices, Baseline) grouped on a new top row above the existing CI/PyPI badge cluster.

Tooling added

  • .github/workflows/sca.yml — pip-audit (PyPA-official) on every push and pull request, plus weekly schedule.
  • .github/workflows/publish.yml — CycloneDX SBOM generation step that installs the built wheel into an isolated venv, snapshots it with cyclonedx-py, and attaches the resulting bitmath-<version>.cdx.json to the GitHub release.

⚠️ One manual follow-up after merge

To make sca.yml enforce the SCA policy as a merge gate (required for OSPS-VM-05.03), add the audit job to the required status checks on master:

Settings → Branches → master → Edit protection rule → Status checks → Add: audit

The first PR after merge will create the check run that you can then add to the required list.

Test plan

  • make ci passes on local working tree
  • make docs rebuilds cleanly with zero Sphinx warnings
  • CycloneDX SBOM generation smoke-tested locally against built wheel (produced expected components: bitmath + pip + setuptools)
  • Both new workflow YAMLs parse cleanly
  • All cross-references and anchor links verified intact after the testing-policy anchor rename
  • Zero em-dashes in any new prose
  • All section headers in new docs comply with project title-case convention
  • CI passes on the PR
  • After merge, add audit to required status checks

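The SHA-256 integrity check and the CycloneDX SBOM consistency check that VERIFICATION.md describes for downstream consumers, combined with the bitmath + pip + setuptools component expectation from the test plan, as an added example that is not part of the PR or the bitmath project. The wheel bytes, the version 1.3.3 and the SBOM contents are constructed stand-ins; the PEP 740 attestation step is left to the pypi-attestations CLI the PR names.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for a downloaded wheel and the SHA-256 published
# with it; a real consumer reads both from the GitHub release page.
SAMPLE_VERSION = "1.3.3"
SAMPLE_WHEEL = b"PK\x03\x04 constructed stand-in for a bitmath wheel"
PUBLISHED_SHA256 = hashlib.sha256(SAMPLE_WHEEL).hexdigest()

# Constructed CycloneDX JSON listing the components the PR's local smoke
# test expects in bitmath-<version>.cdx.json: bitmath + pip + setuptools.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "bitmath", "version": SAMPLE_VERSION},
        {"type": "library", "name": "pip", "version": "24.0"},
        {"type": "library", "name": "setuptools", "version": "69.0.0"},
    ],
})


def verify_sha256(artifact: bytes, published_hex: str) -> bool:
    """Integrity check: hash the artifact and compare with the published
    digest using a constant-time comparison."""
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual, published_hex.strip().lower())


def verify_sbom(sbom_json: str, name: str, version: str,
                required=("pip", "setuptools")) -> list:
    """Provenance check: the SBOM must be CycloneDX, must list the released
    package at the version being installed, and must contain the expected
    baseline components. Returns a list of problems (empty means consistent)."""
    try:
        bom = json.loads(sbom_json)
    except json.JSONDecodeError as exc:
        return [f"SBOM is not valid JSON: {exc}"]
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append(f"unexpected bomFormat {bom.get('bomFormat')!r}")
    comps = {c.get("name"): c.get("version") for c in bom.get("components", [])}
    if comps.get(name) != version:
        problems.append(f"{name} {version} not in SBOM (found {comps.get(name)!r})")
    for dep in required:
        if dep not in comps:
            problems.append(f"expected component {dep!r} missing")
    return problems
```

A tampered wheel fails the digest comparison regardless of what the SBOM says, so the two checks complement rather than replace each other.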
timlnx added 6 commits May 23, 2026 23:25

Closes OSPS Baseline Level 2 gaps:
- OSPS-GV-01.01 / OSPS-GV-01.02: MAINTAINERS.md documents sole
  maintainer, sensitive resource access, responsibilities, and an
  open ask for a Debian/Ubuntu co-maintainer (issue #117).
- OSPS-VM-01.01: SECURITY.md now states explicit response
  timeframes (72h acknowledgement, 7d initial triage, coordinated
  disclosure on patch readiness).
- OSPS-SA-03.01: SECURITY_ASSESSMENT.md is a standing threat model
  covering the parser, filesystem helpers, query_device_capacity,
  and the build/release pipeline, plus the automated tooling stack
  (Bandit, CodeQL, OSSF Scorecard, Dependabot, secret scanning).

Closes the last OSPS Baseline Level 2 gap (OSPS-SA-01.01). The
document covers two scopes: the runtime library (actors and actions
inside the consumer's process) and the build and release pipeline
(actors and actions that produce the released artifacts). CI gates,
trust boundaries, and the documentation pipeline are summarized in
their own sections with pointers to the source of truth for each.

The contributing guide gets a new Project Architecture section that
points contributors at ARCHITECTURE.md and states the update
contract: any change to a public API, the build pipeline, or a
trust boundary requires the corresponding architecture update in
the same PR.

Phase A (paperwork):
- SECURITY.md: explicit Scope of Support and Duration of Support
  language; new Secrets and Credentials Policy section that lays out
  the no-long-lived-secrets stance (OIDC for PyPI, OAuth for RTD,
  zero GitHub Actions secrets configured). Closes OSPS-BR-07.02,
  OSPS-DO-04.01, OSPS-DO-05.01.
- VERIFICATION.md: how downstream consumers verify a release.
  Covers SHA-256 hash verification, PEP 740 attestation verification
  via pypi-attestations CLI, and SBOM verification. Closes
  OSPS-DO-03.01 and OSPS-DO-03.02.
- SECURITY_POLICIES.md: combined SAST and SCA policies. CVSS-based
  remediation thresholds, release-blocking criteria, suppression
  rules, license compliance posture. Closes OSPS-VM-05.01,
  OSPS-VM-05.02, and OSPS-VM-06.01.
- contributing.rst: 'Automated Tests' becomes 'Testing Policy' with
  MUST language for major changes and an explicit definition of
  what counts as major. Closes OSPS-QA-06.03.

Phase B (tooling):
- publish.yml: CycloneDX SBOM generation step that installs the
  built wheel into an isolated venv, snapshots it with
  cyclonedx-py, and attaches the resulting bitmath-<version>.cdx.json
  to the GitHub release alongside the wheel and sdist. Closes
  OSPS-QA-02.02.
- sca.yml: new workflow that runs pip-audit (PyPA's official audit
  tool) against requirements.txt on every push and pull request.
  Pinned to v1.1.0 by SHA. Needs to be added to required status
  checks on master to enforce blocking. Closes OSPS-VM-05.03.

ARCHITECTURE.md and SECURITY_ASSESSMENT.md headers were also
title-cased to align with the project documentation header
conventions; cross-references were verified intact.

The release pipeline diagram only covered the PyPI flow, but the
same release event also fires Packit to build and ship Fedora and
EPEL RPMs in parallel. Add the missing components (.packit.yaml,
python-bitmath.spec, Packit, Copr, dist-git, Koji, Bodhi) to the
component inventory and a second diagram showing the RPM
distribution path alongside the existing PyPI path.

Notes the known-stale target matrix (fedora-rawhide, fedora-42,
epel-9, epel-10) so the document does not pretend to be current
on that front.
@timlnx timlnx merged commit b6bd8b0 into master May 24, 2026
39 checks passed