Uhuh/RoleBot

Code scanning is not implemented

Closed this issue · 6 comments

I was searching for a bot to assign roles in a Discord chat hosted by someone I knew.
And then I found rolebot. OK, my first thought was to do a background check and look at forums to see if this was a virus.

Then I just followed the links and it led me here. Great, this was a great trust boost in the project. But before going to the meat of the subject: why didn't you say in the website FAQ that this was open source? It would have brought a lot more visibility and trust to the project, and maybe people who would not have done what I did would be able to contribute without paying you. But this is just a nitpick.

Now here is what I don't understand: why not integrate code scanning into your project? There are free code scanning actions out there for public repositories.

GitHub even recently launched a code scanning tool for JavaScript and TypeScript projects, and this is a TypeScript project.

The problem for me now isn't that I think this is a virus, but that this project doesn't have enough eyes on it for me to trust there is nothing wrong with it. The least you could do is get a code scanner for it so trust in your project does not rely solely on you. Sure, there's another contributor, but how many commits did he do? 9; you did 285. Not to mention his commits date back to August.

So, as the sole maintainer, I beg you to either get a code scanner or bring more visibility to the open source side of the project in the FAQ and About section of rolebot.gg, other than saying to pay to support the project. I'm not meaning to defame you by saying this; it's okay to ask for money to maintain a project. But if you brought visibility to the open source side, paranoids who have seen too much, like me, would be reassured seeing there is at least a minimum of a peer check, not to mention you could get a few more contributors to help if they like the project.

This is the end of my rant. I wish the best to you and your project.

Uhuh commented

The other contributor is a friend of mine who wanted to try out something new, well over a year ago at this point, it feels. They don't work on the bot.

I've only recently added to the Top.gg page and inside the bot's help message that you can self-host the bot if you want.
I can easily add it to the site; I just haven't updated it since I've been focused on other projects. I'm not begging for money for the bot and am fortunately able to run and maintain the bot myself without extra; I just thought it was nice to add after several users asked if I had a Patreon, so I made a quick Ko-fi account.

Never heard about code scanners before; I've just used GitHub simply as a place to host all my code. I can look into that kind of thing if it truly helps out others.

Uhuh commented

I added code quality analysis to the workflow. Hopefully it's up to your standards; I just followed the basic steps for adding the action. Currently working on adding an option to the site in the FAQs and maybe the landing page.

No problem, I just wanted to shout out what you could do better: have more visibility for the project.

About code scanners: you can get one up and running easily by going to the Security tab in your GitHub project and looking for code scanning. And yeah, if you set one up it would reassure me and others who probably got here because they were doing a background check on who exactly does this project. Hell, even multiple free ones; it doesn't cost anything.

Update: Yeah, it's okay, the more the better; it was just a trust issue anyway.

And I'm not some bigshot or anything, just a freaked-out Linux user who has seen too much to feel absolutely safe with anything.

Edit: And I didn't want to infect the lobby I was suggesting my friend add the bot to.

Uhuh commented

I understand the paranoia. Hopefully you'll still consider using it, or self-hosting 🙏

Any and all support for the bot is great. I keep it all free and open source for a reason. Other larger bots that paywall or lock things behind voting and keep restrictions are a pain to deal with, and that's everything RoleBot is against.

Thanks for the issue. If I answered all your worries, I'll be closing the issue.

Btw, it might be a good idea to go to your settings and toggle on 'Discussions', so if people want to comment without it being much of an issue, or give feedback maybe, they don't have to open an issue. I probably would have opened an issue anyway, but you get my point.

Update: And yes, I have nothing to add; great to hear you have the FLOSS spirit.