OpenSSF Scorecard API and website
scorecard-webapp
Code for https://securityscorecards.dev (./scorecards-site) and
https://api.securityscorecards.dev (./app).
The site is deployed on Netlify and the deployment configuration is in
netlify.toml. Any changes committed to netlify.toml and scorecards-site/ on the
main branch are automatically deployed to production, so please make sure to
review deploy previews when making changes to the site.
The API uses an OpenAPI spec and go-swagger to auto-generate server and client
code. Any changes committed to openapi.yaml on the main branch are deployed to
the staging site only. To make changes to the production API, a new Git tag
needs to be created; the latest tag is then automatically deployed to
production.
Release process
GitHub release
Cut a release for the project via the GitHub UX or by pushing a new tag.
TODO: automate these steps
Any updates made to openapi.yaml need to be deployed to
Google Cloud Endpoints. To do that, follow these steps:
$ gcloud auth login
$ gcloud endpoints services deploy openapi.yaml --project openssf --quiet --format=json > /tmp/gcloud.json
$ wget https://raw.githubusercontent.com/GoogleCloudPlatform/esp-v2/master/docker/serverless/gcloud_build_image \
    --output-document=/tmp/gcloud_build_image
$ chmod +x /tmp/gcloud_build_image
$ /tmp/gcloud_build_image -c $(cat /tmp/gcloud.json | jq -r .serviceConfig.id) \
    -s $(cat /tmp/gcloud.json | jq -r .serviceConfig.name) \
    -p openssf -z us
$ gcloud run deploy scorecard-endpoints-prod \
    --image=<image-from-above-step> \
    --project=openssf
# For region prompt, choose us-central1.
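
When automating the steps above, note that `jq -r` prints the literal string `null` for a missing key, so a failed `gcloud endpoints services deploy` would still hand `-c null -s null` to the image build. The following is an added example, not code from this repository, that reads the two values and fails closed. The function names, the sample JSON values and the allowed character set are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the scorecard-webapp repository).
# Reads serviceConfig.id and serviceConfig.name from the JSON that
# `gcloud endpoints services deploy ... --format=json` wrote, and refuses to
# continue if either value is missing, not a string, or unexpectedly shaped.

# Constructed sample of the deploy output; the values are made up.
write_sample() {
  printf '%s\n' \
    '{"serviceConfig":{"id":"2024-01-01r0","name":"api.example.test"}}' > "$1"
}

# Assumption of this example: ids and names only use letters, digits, '.',
# '_' and '-', and never start with '-' (which would be parsed as an option).
is_safe_token() {
  case $1 in
    ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Prints "<id> <name>" on success; returns non-zero on any problem.
read_service_config() {
  # `jq -e` exits non-zero when nothing, null or false is produced, and the
  # `strings` filter drops non-string values such as null or numbers.
  cfg_id=$(jq -e -r '.serviceConfig.id | strings' "$1" 2>/dev/null) || return 1
  cfg_name=$(jq -e -r '.serviceConfig.name | strings' "$1" 2>/dev/null) || return 1
  is_safe_token "$cfg_id" || return 1
  is_safe_token "$cfg_name" || return 1
  printf '%s %s\n' "$cfg_id" "$cfg_name"
}

# Demo on the constructed sample: sh this-file --demo
if [ "${1:-}" = "--demo" ]; then
  demo_dir=$(mktemp -d)   # private directory instead of a fixed /tmp path
  write_sample "$demo_dir/gcloud.json"
  if pair=$(read_service_config "$demo_dir/gcloud.json"); then
    # In the real procedure the two fields would be passed, quoted, as the
    # -c and -s arguments of /tmp/gcloud_build_image.
    echo "service config: $pair"
  else
    echo "refusing to build: deploy output is missing serviceConfig" >&2
  fi
  rm -rf "$demo_dir"
fi
```
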