Glimpse/Glimpse.Client.Hud

Automate "OSPO Witness Generation"

mike-kaufman opened this issue · 0 comments

PR #72 adds in a script to automatically run Microsoft's "OSPO Witness Client" process, which scans our dependencies and sends them to a Microsoft endpoint to make sure all our deps are legit from a legal perspective.

Now,

  • These scripts require a personal access token.
  • We want to automate this, probably so we run it with every version tag.
  • We need a safe way to manage our personal access token.

Recommendation from Microsoft's OSPO office is to do the following:

Set up a single VSTS build definition (which is protected behind AAD) to detect changes to your GitHub repository and do nothing except:

  1. Clone the repository
  2. Generate the shrinkwrap
  3. Run our tool to register your dependencies

Also note that once we do this for Glimpse.Client.Hud, we need to do this for Glimpse.Client & Glimpse.Browser.Agent repos also.