ossf/scorecard

Feature: Probe whether repo has up-to-date CODEOWNERS

Opened this issue · 5 comments

Scorecard should have a probe for whether users in a CODEOWNERS file are still members of the org that the repo belongs to. An up-to-date CODEOWNERS file makes it easier for a contributor to know who can help with a PR or a question about the project. This could use the "Get Organization membership for user" API (which requires a PAT).

Might be a good fit for either the Contributors or Maintained checks.

References:

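To make the proposed probe concrete, here is an added example (written for this thread, not code from the scorecard project) of the two pieces such a check needs: a parser that pulls the @handles out of a CODEOWNERS file, and a membership lookup against GitHub's "Get organization membership for a user" endpoint (GET /orgs/{org}/memberships/{username}, which is why a PAT is needed). The membership source is an interface so the sample run below uses a constructed in-memory fake; the org name, user logins and CODEOWNERS content are all made up for the demonstration.

```go
package main

import (
	"bufio"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// sampleCodeowners is a constructed CODEOWNERS file used only for this demo.
const sampleCodeowners = `# Constructed sample, not from any real repository
*            @alice @bob
/docs/       @carol @example-org/docs-team
/src/crypto/ @alice @dave
`

// parseCodeowners returns the distinct @user logins (without the '@') and the
// @org/team entries found in CODEOWNERS text, in file order. Comment and blank
// lines are skipped; the first field of each line is the path pattern.
func parseCodeowners(content string) (users []string, teams []string) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		for _, f := range fields[1:] {
			if !strings.HasPrefix(f, "@") || seen[f] {
				continue // e-mail owners and repeats are ignored
			}
			seen[f] = true
			if strings.Contains(f, "/") {
				teams = append(teams, f)
			} else {
				users = append(users, strings.TrimPrefix(f, "@"))
			}
		}
	}
	return users, teams
}

// MembershipChecker reports whether login is an active member of org.
type MembershipChecker interface {
	IsMember(ctx context.Context, org, login string) (bool, error)
}

// githubChecker queries the real API. A 200 reply with "state":"active" means
// member; 404 means not a member (or not visible to the token's holder, who
// must themselves be a member of the org).
type githubChecker struct {
	client *http.Client
	token  string // personal access token, as the issue notes is required
	base   string // e.g. https://api.github.com
}

func (g githubChecker) IsMember(ctx context.Context, org, login string) (bool, error) {
	url := fmt.Sprintf("%s/orgs/%s/memberships/%s", g.base, org, login)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+g.token)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := g.client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		var body struct {
			State string `json:"state"` // "active" or "pending"
		}
		if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
			return false, err
		}
		return body.State == "active", nil
	case http.StatusNotFound:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d for %s", resp.StatusCode, login)
	}
}

// mapChecker is a constructed fake (login -> membership state) so the demo runs offline.
type mapChecker map[string]string

func (m mapChecker) IsMember(_ context.Context, _ string, login string) (bool, error) {
	return m[login] == "active", nil
}

// StaleOwners returns the CODEOWNERS users who are not active members of org.
// Team entries are skipped: a GitHub team can only contain org members anyway.
func StaleOwners(ctx context.Context, c MembershipChecker, org, codeowners string) ([]string, error) {
	users, _ := parseCodeowners(codeowners)
	var stale []string
	for _, u := range users {
		ok, err := c.IsMember(ctx, org, u)
		if err != nil {
			return nil, err
		}
		if !ok {
			stale = append(stale, u)
		}
	}
	return stale, nil
}

func main() {
	fake := mapChecker{"alice": "active", "carol": "active", "dave": "pending"}
	stale, err := StaleOwners(context.Background(), fake, "example-org", sampleCodeowners)
	if err != nil {
		panic(err)
	}
	fmt.Println("stale CODEOWNERS entries:", stale) // bob (unknown) and dave (pending invite)
}
```

Two design points worth noting for anyone turning this into a real probe. A "pending" membership is treated as stale on purpose, since an invited-but-not-accepted user cannot act as a code owner. And, as the external-collaborator caveat in this thread points out, a non-member listed in CODEOWNERS is not necessarily wrong; a probe that wants to allow that case would additionally consult the repository collaborators endpoint (GET /repos/{owner}/{repo}/collaborators/{username}) before flagging a login.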
It may be better to have an "OSPO" focused category for these sorts of admin-required checks (like Webhooks).

whether users in a CODEOWNERS file are still members of the org that the repo belongs to

Note: I think this makes an assumption about no external collaborators. I'm guessing the GitHub OSPO didn't have these sorts of scenarios.

I'm interested in this issue. I'm here at OpenSSF.

Is there a way to tell whether a repo or org is enforcing org membership for maintainer activities? Maybe the check ignores org membership where it's not enforced.

Duplicate of #1554

(trying to do some issue bookkeeping)

Users listed in the CODEOWNERS file should also be listed as contributors/maintainers, informing either the Contributors or Maintained check.