Scorecard-fixes - Security hardening, CI cleanup, FDC3 2.2 package consolidation, and example apps workspace#272
Merged
SeeWhatsOn merged 51 commits into finos:main, Apr 27, 2026
Conversation
* Update README.md to enhance badge display and improve alignment - Replaced HTML paragraph tags with a div for better alignment of badges. - Updated badge links to reflect the correct project and added a Semgrep badge for CI integration. * Update README.md to improve badge organization and add new badges - Corrected the closing tag for the main header. - Added new badges for GitHub Release, Repo stars, CI, and Node.js CVE scanning. - Enhanced the layout with divs for better alignment and readability. * Add OSPS Security Assessment workflow - Introduced a new GitHub Actions workflow for Open Source Project Security Assessment (OSPS). - Configured to run weekly on Mondays at 9 AM UTC and allows manual triggering. - Includes steps for checking out the repository, running the OSPS baseline scanner, and uploading assessment results as artifacts with a retention period of 30 days. * Update OSPS workflow to use the latest version of the baseline scanner action (v1.3.2) for improved security assessment capabilities. * Update OSPS workflow to use specific versions of actions for improved stability and compatibility. Changed checkout action to v6.0.0 and upload-artifact action to v7.0.0.
Updated OSPS action version from a specific commit to a tagged version.
Comment out the scanner-build-from-source option in OSPS workflow.
- Updated README.md to improve formatting and add new badges for GitHub Release, Repo stars, CI, and security assessments. - Introduced a new GitHub Actions workflow for Dependency Review to flag vulnerable dependencies. - Added a scheduled workflow for OSPS Security Assessment to enhance project security. These changes aim to improve project visibility and security practices.
…og name (#7) - Changed `actions/checkout` to a specific commit version for stability. - Updated `osps-baseline-action` to a specific commit version for consistency. - Modified the catalog name from "osps-baseline-2026-02" to "osps-baseline" for clarity. - Updated `actions/upload-artifact` to a specific commit version for reliability.
…ractices - Added permissions for `contents`, `actions`, and `security-events` in multiple workflow files to ensure proper access levels. - Updated `ci.yml`, `cve-scanning.yml`, `OSPS.yml`, `ql.yml`, and `semgrep.yml` to reflect these changes, promoting better security and functionality across workflows.
… and consistency - Changed `actions/checkout` to a specific commit version across multiple workflow files for improved reliability. - Updated `actions/setup-node`, `actions/setup-python`, and `github/codeql-action` to specific commit versions to ensure compatibility and enhance security practices. - These updates aim to standardize the workflow configurations and reduce potential issues with action updates.
… code quality checks - Introduced a new `lint-staged.config.mjs` file to define formatting and linting rules for various file types. - Updated `package.json` to include `vitest` as a dependency. - Modified the pre-commit hook to run `lint-staged` with the `--concurrent false` option for better performance during commits.
…esting - Added `vitest` as a dependency in `package.json` and `package-lock.json` for testing purposes. - Updated CI workflow to include a new job for running property tests on the common package. - Introduced a `test` script in the common package's `package.json` to facilitate testing with `vitest`. - Created a new configuration file for `vitest` to define testing environment and include test files. - Implemented a new utility function `normalizeIdentityUrl` and corresponding tests to ensure proper URL normalization.
- Changed the job name from "Property tests (common)" to "Test" for clarity. - Updated the test command to run all tests instead of targeting a specific package, streamlining the testing process.
- Added new entries to .gitignore for build artifacts and cache directories. - Enhanced CONTRIBUTING.md with clearer formatting for roles and contribution rules. - Updated package.json and package-lock.json to include new dependencies for improved functionality. - Modified npm scripts for better development experience, including a new script for example apps. - Removed outdated JSON files from the directory structure to streamline the project. These changes aim to improve project organization and enhance the development workflow.
- Upgraded `brace-expansion` to version 2.1.0 across multiple modules. - Updated `picomatch` to version 4.0.4 in relevant modules. - Upgraded `minimatch` to version 9.0.9 in the TypeScript ESLint module. - Updated `axios` to version 1.15.2 and its dependencies for improved functionality. - Upgraded `basic-ftp` to version 5.3.0. - Updated `body-parser` to version 1.20.5 and its dependencies for better performance. - Removed outdated `minimatch` entries from the lock file to streamline dependencies. These changes enhance the project's dependency management and ensure compatibility with the latest versions.
- Ensured consistent formatting in the cve-scanning.yml file by removing an unnecessary space in the setup-node action version. - Added a newline at the end of the OSPS.yml file to adhere to best practices for file formatting. These changes improve the readability and maintainability of the workflow files.
- Added links for joining and registering for FDC3 Sail meetings to improve accessibility for participants. - Updated formatting for clarity and consistency in the meeting section. These changes aim to facilitate community engagement and streamline meeting participation.
Contributor (Author)
I will follow up to fix the test linting issues.
robmoffat approved these changes, Apr 27, 2026
Summary
This pull request tightens GitHub Actions security (pinned actions, explicit permissions), streamlines CI, improves local quality gates with lint-staged and Husky, consolidates FDC3 dependencies on @finos/fdc3, introduces a dedicated packages/fdc3-example-apps workspace (and removes duplicated example-app sources from packages/web), and carries follow-on refactors across the web server, DA handlers, and shared packages. It also adds or wires OpenSSF Scorecard, OSPS baseline scanning, README badge updates, and earlier work such as the Sail security demo and dependency bumps (including a lodash override).
Motivation
Align with OpenSSF / supply-chain best practices (pinned third-party actions, least-privilege permissions, Scorecard + OSPS visibility).
Keep CI fast and easy to reason about: install, Prettier, ESLint, build, test on a single Node version.
Reduce duplication and coupling by moving example apps into their own workspace and depending on a single FDC3 npm surface (@finos/fdc3).
Catch regressions with stronger checks at commit time (lint-staged) and targeted property tests where appropriate.
Notable changes
GitHub Actions & security
CI (.github/workflows/ci.yml): explicit contents: read at workflow level; job uses pinned actions/checkout and actions/setup-node; Node 24 with npm cache; steps for format:check, lint, build, and test.
Scorecard (.github/workflows/scorecard.yml): pinned ossf/scorecard-action and github/codeql-action/upload-sarif; SARIF upload to code scanning.
OSPS (.github/workflows/OSPS.yml): revanite-io/osps-baseline-action with SARIF upload and artifact retention for assessment results; scoped job permissions.
Other workflows updated for pinned action versions and tighter default permissions where applicable.
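An added audit script, not part of this PR or the project, that checks a workflow file for the two properties this section describes: every `uses:` reference pinned to a full 40-hex commit SHA, and a workflow-level `permissions:` block. The two sample workflows it writes and the SHAs in them are constructed placeholders, not the repository's real ci.yml.

```shell
# Audit a GitHub Actions workflow for two findings OpenSSF Scorecard also reports:
#   1. "uses:" references not pinned to a full commit SHA (tags and branches are mutable)
#   2. no workflow-level "permissions:" block (the default GITHUB_TOKEN is broadly scoped)
# Findings go to stderr; the finding count is printed to stdout.
check_workflow() {
  file="$1"
  findings=0
  while IFS= read -r ref; do
    [ -z "$ref" ] && continue
    case "$ref" in ./*|docker://*) continue ;; esac   # local actions and images are not SHA-pinned
    sha="${ref##*@}"
    if ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
      echo "$file: unpinned action: $ref" >&2
      findings=$((findings + 1))
    fi
  done <<EOF
$(sed -n 's/^[[:space:]-]*uses:[[:space:]]*//p' "$file" | sed 's/[[:space:]]*#.*$//')
EOF
  if ! grep -Eq '^permissions:' "$file"; then
    echo "$file: no workflow-level permissions block" >&2
    findings=$((findings + 1))
  fi
  echo "$findings"
}
# Two constructed sample workflows (not the project's real ci.yml): one unpinned, one hardened.
write_samples() {
  cat > "$1/unpinned.yml" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
EOF
  cat > "$1/hardened.yml" <<'EOF'
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # placeholder SHAs; pin to the real commit behind the release you want
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4
EOF
}
```

Run `check_workflow .github/workflows/ci.yml` against a real file; a non-zero count is the list of references to pin or the missing permissions block to add.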
Repository & developer workflow
Root package.json: lint-staged (ESLint on staged packages/*/src TS, Prettier on the rest), husky prepare, lodash override, examples:dev script for the new workspace.
CONTRIBUTING.md / SECURITY.md and issue templates touched as part of hygiene (if those commits are included in the PR range).
FDC3 packages & DA implementation
packages/common and packages/da-impl: depend on @finos/fdc3 instead of separate @finos/fdc3-schema / @finos/fdc3-web-impl / @finos/fdc3-agent-proxy (and similar) combinations.
packages/da-impl: App Directory OpenAPI generation uses local appd.schema.json instead of a path under an external FDC3 tree.
packages/common: fast-check dev dependency and property-based test(s) (e.g. identity URL normalization).
Example apps & web package
New packages/fdc3-example-apps (directories, Vite apps, security demo assets, etc.).
packages/web: example-app implementations and static copies removed or redirected in favor of the shared examples package; updates to PM2, Vite, server/DA code paths, styling modules, and embed/util behavior as needed for the new layout.
Misc
README: badge / alignment improvements where merged from upstream-style PRs in this branch history.
How to test
npm i
npm run format:check && npm run lint && npm run build && npm run test
Optional local full stack: npm start (web + electron + examples, per root scripts).
Risk / review notes
Large surface area (~300+ files): reviewers may want to focus on workflow YAML, root package.json / lockfile, packages/common and packages/da-impl dependency and API changes, then spot-check packages/web server and client entry points for regressions.
Confirm secrets (e.g. PVTR_GITHUB_TOKEN for OSPS) and Advanced Security / code scanning are enabled where SARIF upload is expected.
You can trim sections if this PR is only a subset of the branch, or rename the title to match how you are marketing the change (e.g. emphasize only Scorecard if you split the rest).