Bring CLOMonitor Score to 100%

[alinskens]

This repo is signed up as part of the KubeCon Security Slam. I'm bringing to your attention the checklist from the official CLOMonitor page for Flux -- it refreshes every hour, so it should be up-to-date.

CLOMonitor report

Summary

Repository: flux2
URL: https://github.com/fluxcd/flux2
Checks sets: CODE
Score: 86

Checks passed per category

Category	Score
Documentation	100%
License	100%
Best Practices	100%
Security	90%
Legal	n/a

Checks

Documentation [100%]

• Changelog (docs)
• Contributing (docs)
• Maintainers (docs)
• Readme (docs)

License [100%]

• Apache-2.0 (docs)
• Approved license (docs)
• License scanning (docs)

Best Practices [100%]

• Artifact Hub badge (docs)
• Contributor License Agreement (docs) EXEMPT
• Developer Certificate of Origin (docs)
• OpenSSF badge (docs)
• Recent release (docs)

Security [90%]

• Binary artifacts (docs)
• Code review (docs)
• Dangerous workflow (docs)
• Dependency update tool (docs)
• Maintained (docs)
• Software bill of materials (SBOM) (docs)
• Security policy (docs)
• Signed releases (docs)
• Token permissions (docs)

For more information about the checks sets available and how each of the checks work, please see the CLOMonitor's documentation.

[stefanprodan]

We do have Helm charts maintained by the community here https://artifacthub.io/packages/helm/fluxcd-community/flux2 but I can't figure out the badge URL for ArtifactHub. As for Dependency update tool, we have our own GitHub Action.

[stefanprodan]

Token permissions (from OpenSSF Scorecard)
ID: token_permissions
This check determines whether the project’s automated workflows tokens are set to read-only by default.

@alinskens this requirement feels very wrong to me. How are we suppose to use Goreleaser and publish signed checksums, binaries, container images, SBOM, etc if the release workflow must be set to read-only? For reference here is our workflow: https://github.com/fluxcd/flux2/blob/main/.github/workflows/release.yaml

permissions:
  contents: write # needed to write releases
  id-token: write # needed for keyless signing
  packages: write # needed for ghcr access

[stefanprodan]

@alinskens can you please remove the fluxcd/flux repo from this https://clomonitor.io/projects/cncf/flux-project? Flux v1 is no longer maintained and we'll archive that repo on 1st of November this year. cc @dholbach

[eddie-knight]

How are we suppose to use Goreleaser and publish signed checksums, binaries, container images, SBOM, etc if the release workflow must be set to read-only?

This has been an ongoing discussion, and I've currently got an open PR to address the issue.

[stefanprodan]

@eddie-knight @alinskens thanks for all the help. The only thing left is the "Token permissions", should we keep this issue opened till ossf/scorecard#2355 is fixed? From our side there is nothing left to do.

[eddie-knight]

@stefanprodan We got that issue released on Scorecard yesterday and integrated into CLOMonitor this morning! 👏

The only thing left to do is take advantage of the changes by moving write permission allocations to the job level. I'll try to get a PR up this morning if I can spare a cycle for it.