Is there a way for a GitHub repo to (easily) incorporate the best practices into their workflows?

[andrewpollock]

Hi,

I <3 the The Checklist Manifesto and checklists are a great way to repeatably ensure consistent following of something like a set of best practice.

I also <3 how GitHub makes it possible to include a checklist into a PR's description or comments.

So, is there a way to turn this into an awesome best practice club sandwich? A quick Google search discovered Pull Request Checklist Buddy, so I'm going to go with "yes", it's just a case of making it really easy (i.e. turnkey, can be done in under 30 minutes by an unfamiliar GitHub repo owner) for this to get done.

Here's a half-baked user journey I have in mind:

I, as a time-poor repository owner, wish to ensure that all subsequent pull requests that add a new dependency to lockfiles in my repository have gone through the OpenSSF's Concise Guide for Evaluating Open Source Software

To achieve this I do $THING to ensure that for all such pull requests, a default checklist is added as a comment for the pull request author to assert that they have followed. This enables pull request reviewers to know (without having to remember to ask) that the pull request author has appropriately evaluated the new dependency.

[derekmurawsky]

Initial thoughts: This "just" sounds like a github bot or custom action. Ensuring a manual sign off / attestation should be fairly simple. Automation of the verification itself would be the harder part. The github action (easiest deployment method) could check the PR to see if the checklist was included. If not, it could prompt, via a comment on the PR, for the user to include the checklist in the PR. On every subsequent PR update, it could re-rerun to confirm that the checklist has been checked off.

I see this leveraging the following features:

• Use a PR template to provide the checklist when a new PR is created.
• Create a github action that runs on pull_request [opened, edited, ready_for_review, review_requested]
  • Action checks if the checklist exists, if not, it puts a comment on the PR with the required checklist items
  • Action checks if the required items in the checklist are checked. This can just be a separate github workflow job that runs on the trigger above. If it reads the PR and sees the checklist is checked, it succeeds. The build passes. Everyone is happy. If it fails, the build fails, the check is an X, and branch protection rules can deny the ability to merge to main.
• The configuration for the checklist tool could be a yaml file in the source code which allows the user to define what checks are required, and which are optional. This would allow the tool to be used for more than just this simple use case to start with.

This is tightly coupled to github, but the pattern should work with most of the VCS hosting options out there. The action would either have to be extended to support those platforms, or new actions would need to be created for them.

A config could be as simple as just listing the questions where, if the question is in the configured list, it is required to be checked. I could see an enhancement being a link to a doc explaining the process /requirement behind the question.

---
required-attestations:
  - exact text of checkbox question 1: URL
  - exact text of checkbox question 2: URL

Perhaps it would be beneficial to allow for more metadata in the question format, too, to auto-generate the checklist/comment. For example, a brief description explaining the goal of the question instead of just a URL link to a separate area.

[andrewpollock]

Thanks for the thoughtful response. My less thoughtful following thought was is there an integration opportunity with https://securityscorecards.dev/ here?