From 6879536dfc15d1c923627393bcb3f085fe80d3a3 Mon Sep 17 00:00:00 2001 From: Craig Edwards Date: Thu, 10 Aug 2023 00:00:48 +0000 Subject: [PATCH 1/4] docs: governance, roadmap, security pages for best practices badge --- docpages/04_advanced_reference.md | 3 +++ docpages/advanced_reference/governance.md | 19 +++++++++++++++++++ docpages/advanced_reference/roadmap.md | 7 +++++++ docpages/advanced_reference/security.md | 10 ++++++++++ 4 files changed, 39 insertions(+) create mode 100644 docpages/advanced_reference/governance.md create mode 100644 docpages/advanced_reference/roadmap.md create mode 100644 docpages/advanced_reference/security.md diff --git a/docpages/04_advanced_reference.md b/docpages/04_advanced_reference.md index dfb8f08383..8137fa0913 100644 --- a/docpages/04_advanced_reference.md +++ b/docpages/04_advanced_reference.md @@ -6,3 +6,6 @@ * \subpage unit-tests "Unit Tests" * \subpage lambdas-and-locals "Ownership of local variables and safely transferring into a lambda" * \subpage coroutines "Advanced commands with coroutines" +* \subpage governance "Project Governance" +* \subpage roadmap "Development Roadmap" +* \subpage security "Security" \ No newline at end of file diff --git a/docpages/advanced_reference/governance.md b/docpages/advanced_reference/governance.md new file mode 100644 index 0000000000..2d5138636a --- /dev/null +++ b/docpages/advanced_reference/governance.md 
@@ -0,0 +1,19 @@ +\page governance Governance and Project Development Structure + +The D++ Project was originally created by Craig Edwards, A.K.A. @brain on Discord. + +## Governance + +@brain steers the project, but in effect the project is entirely built upon the contributions of others via pull requests and feedback. For most decisions and most changes, control is ceded to whoever is creating a feature or change, with oversight given to make sure only that the code is stable and scalable and does not operate in a way counter-intuitive to the design of the library. + +## Project Maintainers + +Other maintainers with access to merge pull requests (those with the `@PR Review` role on the discord) have access to and responsibility for checking pull requests sent in by contributors and may request additional changes to keep the pulls aligned with the project goals. These members of the D++ team may and do also merge pull requests at their discretion. + +## Decision Making + +For most decisions, these are discussed in our `#library-development` channel on Discord. This channel is public for all to view but only contributors may comment. This helps keep the chat clean of discussion that may derail development topics. + +## Contingency + +*In the case of any unforseen disaster such as death of the project leader, control over domain (the only part of the project which has a direct cost attached) would pass to his next of kin who would arrange for transfer to a pre-arranged trusted third party who would adminisrate the domain going forward. Everything else relating to D++ is hosted on GitHub and would continue as normal.* \ No newline at end of file diff --git a/docpages/advanced_reference/roadmap.md b/docpages/advanced_reference/roadmap.md new file mode 100644 index 0000000000..ab966dd60b --- /dev/null +++ b/docpages/advanced_reference/roadmap.md 
@@ -0,0 +1,7 @@ +\page roadmap Development Roadmap + +At present our roadmap is: + +*Short term (6 months):*: Stabilise coroutine support and release it as stable a feature + +*Long term*: Continue development of the library to implement Discord new features as they add them. Discord do not share their internal roadmap with library developers, so we are informed of these new features shortly before they become public given enough time to implement them. This is our permanent ongoing goal. \ No newline at end of file diff --git a/docpages/advanced_reference/security.md b/docpages/advanced_reference/security.md new file mode 100644 index 0000000000..9c87e08eb7 --- /dev/null +++ b/docpages/advanced_reference/security.md @@ -0,0 +1,10 @@ +\page security Project Security Design + +D++ is designed with the following security goals in mind: + +* D++ design will be user friendly to help avoid shooting yourself in the foot and introducing security vulnerabilities in the code. +* D++ will keep external dependencies to an absolute minimum at all times so there is less chance of third party code making your bot vulnerable to attack. +* D++ design will take the path of 'least surprise', and will be simple and straightforward to use, leading to less developer errors that could lead to vulnerabilities +* Any reported CVEs which are logged via the proper channels will be fixed within 14 days +* All settings, configuration and parameters will be secure by default +* D++ settings and design will conform to Discord TOS and will not implement or support features that break the Discord TOS. From 2a2d37d2e2513ef57c5933821b1fdefb72b14eae Mon Sep 17 00:00:00 2001 From: Craig Edwards Date: Thu, 10 Aug 2023 00:07:50 +0000 Subject: [PATCH 2/4] fix: accidentally removed the preamble from the DCO, we aren't allowed to do this - I put it back --- .github/pull_request_template.md | 8 ++++++++ 1 file changed, 8 insertions(+)
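Review bot: the 04_advanced_reference.md hunk leaves the file without a trailing newline (`\ No newline at end of file` after `* \subpage security "Security"`); add a final newline so the next entry appended to this list does not show up as a change to the `security` line as well.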
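Review bot: spelling in the Contingency paragraph of governance.md: `unforseen` should be `unforeseen` and `adminisrate` should be `administrate`, and `control over domain` reads better as `control over the domain`. In Project Maintainers, `on the discord` should be `on the Discord` to match the rest of the page, and `keep the pulls aligned` should be `keep the pull requests aligned`. This file also ends without a trailing newline.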
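Review bot: the roadmap.md hunk has a doubled colon in `*Short term (6 months):*:`, and `release it as stable a feature` should be `release it as a stable feature`. In the Long term paragraph, `implement Discord new features` should be `implement Discord's new features`, and the sentence `Discord do not share their internal roadmap with library developers, so we are informed of these new features shortly before they become public given enough time to implement them` contradicts itself as written (the roadmap not being shared is given as the reason we are informed early). Suggest: `Discord do not share their internal roadmap with library developers, but we are informed of new features shortly before they become public, which gives us enough time to implement them.`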
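Review bot: in security.md, `Any reported CVEs which are logged via the proper channels will be fixed within 14 days` does not say what the proper channels are, and a privately reported vulnerability normally has no CVE identifier at the time it is reported, so the 14-day commitment as worded applies only after an ID has been assigned. For the best practices badge this page should name or link the project's vulnerability reporting process and phrase the commitment as `Any vulnerability reported through the documented process will be fixed within 14 days`. Also `less developer errors` should be `fewer developer errors`, the 'least surprise' bullet is missing its terminal period, and `Discord TOS` should be written out as `Discord's Terms of Service` on first use.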
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index c2ba644023..0875e6e7cd 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -16,8 +16,16 @@ When contributing to this repository, please do not feel intimidated! We welcome 7. Your PR must pass the CI actions before being allowed to be merged. Our PR actions check that the build will compile on various platforms before release and makes precompiled versions of the library. 8. Automated changes e.g. via grammarly or a static analysis tool will not usually be accepted into the code without proper thought out justification (by a human being, not an AI or an App) as to why the changes are required. Generally a PR should do more than fix a single spelling error for example as this just takes precious time for something which could be resolved a direct commit to the dev branch. +9. All contributors agree to the terms of the DCO (Developer Certificate of Origin) as listed below. This document is to protect you, and us, from any legal issues by making clear that code you contribute to this project becomes part the D++ project. ``` +Version 1.1 + +Copyright (C) 2004, 2006 The Linux Foundation and its contributors. + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. + By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I From 864022c145b3fbfb561de59700b0d57ecdaafa5d Mon Sep 17 00:00:00 2001 From: Craig Edwards Date: Thu, 10 Aug 2023 00:23:09 +0000 Subject: [PATCH 3/4] docs: make the PR template less bloaty --- .github/pull_request_template.md | 61 +++---------------- .../coding_style_standards.md | 37 +++++++++++ 2 files changed, 45 insertions(+), 53 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 0875e6e7cd..01fee46d2f 100644 --- a/.github/pull_request_template.md 
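Review bot: item 9 in the pull_request_template.md hunk is missing a word: `becomes part the D++ project` should be `becomes part of the D++ project`. Restoring the version line and Linux Foundation copyright preamble is correct, since the restored text itself states that the document may be copied verbatim but not changed.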
+++ b/.github/pull_request_template.md 
@@ -1,53 +1,8 @@ -# Contributing - -When contributing to this repository, please do not feel intimidated! We welcome PRs from developers of all levels of experience and we were all new once. - -## Pull Request Process - -1. Pull requests should be made against the `dev` branch. -2. Ensure that the changed library can be built on your target system. Do not introduce any platform- - specific code. -3. Ensure that all methods and functions you add are **fully documented** using doxygen style comments. -4. Test your commit! Make a simple single-file test bot to demonstrate the change, include this with the PR - as an attached file on a comment, so we can test and see how it works. -5. Ensure that you do not break any existing API calls without discussing on Discord first! -6. Be sure to follow the coding style guide (if you are not sure, match the code style of existing files - including indent style etc). -7. Your PR must pass the CI actions before being allowed to be merged. Our PR actions check that the - build will compile on various platforms before release and makes precompiled versions of the library. -8. Automated changes e.g. via grammarly or a static analysis tool will not usually be accepted into the code without proper thought out justification (by a human being, not an AI or an App) as to why the changes are required. Generally a PR should do more than fix a single spelling error for example as this just takes precious time for something which could be resolved a direct commit to the dev branch. -9. All contributors agree to the terms of the DCO (Developer Certificate of Origin) as listed below. This document is to protect you, and us, from any legal issues by making clear that code you contribute to this project becomes part the D++ project. - -``` -Version 1.1 - -Copyright (C) 2004, 2006 The Linux Foundation and its contributors. - -Everyone is permitted to copy and distribute verbatim copies of this -license document, but changing it is not allowed. 
- -By making a contribution to this project, I certify that: - -(a) The contribution was created in whole or in part by me and I - have the right to submit it under the open source license - indicated in the file; or - -(b) The contribution is based upon previous work that, to the best - of my knowledge, is covered under an appropriate open source - license and I have the right under that license to submit that - work with modifications, whether created in whole or in part - by me, under the same open source license (unless I am - permitted to submit under a different license), as indicated - in the file; or - -(c) The contribution was provided directly to me by some other - person who certified (a), (b) or (c) and I have not modified - it. - -(d) I understand and agree that this project and the contribution - are public and that a record of the contribution (including all - personal information I submit with it, including my sign-off) is - maintained indefinitely and may be redistributed consistent with - this project or the open source license(s) involved. -``` - +- [ ] My pull request is made against the `dev` branch. +- [ ] I have ensured that the changed library can be built on your target system. I did not introduce any platform-specific code. +- [ ] I have ensured that all methods and functions are **fully documented** using doxygen style comments. +- [ ] I tested my commits, by adding a test case to the unit tests if needed +- [ ] I have ensured that I did not break any existing API calls. +- [ ] My code follows the [coding style guide](https://dpp.dev/coding-standards.html) (if you are not sure, match the code style of existing files including indent style etc). +- [ ] I have not built my pull request using AI, a static analysis tool or similar without any human oversight. Where I have generated this pull request using a tool, I have justified why this is needed. 
+- [ ] I agree to the terms of the [DCO (Developer Certificate of Origin)]((https://dpp.dev/coding-standards.html)) diff --git a/docpages/advanced_reference/coding_style_standards.md b/docpages/advanced_reference/coding_style_standards.md index 25ef47412a..672b31c80e 100644 --- a/docpages/advanced_reference/coding_style_standards.md +++ b/docpages/advanced_reference/coding_style_standards.md 
@@ -127,3 +127,40 @@ It’s good to have descriptive commit messages, or PR titles so that other cont ### GitHub Actions All PRs must pass the [GitHub Actions](https://github.com/brainboxdotcc/DPP/actions) tests before being allowed to be merged. This is to ensure that no code committed into the project fails to compile on any of our officially supported platforms or architectures. + +### Developer Certificate of Origin + +All code contributed to D++ must be submitted under agreement of the Linux Foundation Developer Certificate of Origin. This is a simple agreement which protects you and us from any potential legal issues: + +``` +Version 1.1 + +Copyright (C) 2004, 2006 The Linux Foundation and its contributors. + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. + +By making a contribution to this project, I certify that: + +(a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + +(b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + +(c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + +(d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. +``` \ No newline at end of file 
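Review bot: in the new checklist in pull_request_template.md, `I have ensured that the changed library can be built on your target system` mixes first and second person; it should read `on my target system`. The DCO item `[DCO (Developer Certificate of Origin)]((https://dpp.dev/coding-standards.html))` has doubled parentheses around the URL, so Markdown renders the literal parentheses and the URL instead of a link; it should be `[DCO (Developer Certificate of Origin)](https://dpp.dev/coding-standards.html)`. Now that the DCO text has been moved out of the template, this link is the only place a contributor is pointed to the terms they are ticking, so it has to render.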
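Review bot: the new Developer Certificate of Origin section in coding_style_standards.md says code must be submitted `under agreement of` the DCO but never says how a contributor records that agreement; clause (d) of the quoted text refers to `my sign-off`, and the conventional mechanism is a `Signed-off-by:` trailer added with `git commit -s`. Add a sentence stating what this project expects (the sign-off trailer, or ticking the DCO box in the PR template), and end the file with a newline after the closing fence (`\ No newline at end of file`).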
From 282c0e0f00135dd92b336f292289673e4d7111eb Mon Sep 17 00:00:00 2001 From: Brain Date: Thu, 10 Aug 2023 02:34:44 +0100 Subject: [PATCH 4/4] docs: improve build speed of codeql (#769) --- .github/workflows/codeql.yml | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e478fd9faa..56445e1d5c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -10,10 +10,11 @@ # supported CodeQL languages. # name: "CodeQL" - on: + push: + pull_request: schedule: - - cron: "0 0 * * 1" + - cron: '0 0 * * *' permissions: contents: read @@ -21,7 +22,7 @@ permissions: jobs: analyze: name: Analyze - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 permissions: actions: read contents: read @@ -52,20 +53,12 @@ jobs: # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3 - - # ℹ️ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh + - name: Build + run: | + mkdir build + cd build + cmake -DDPP_NO_VCPKG=ON -DCMAKE_BUILD_TYPE=Debug .. + make -j2 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3
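Review bot: in the `on:` hunk of codeql.yml, `push:` and `pull_request:` are added with no `branches` filter, so every push to every branch starts a full CodeQL build, and a pull request opened from a branch inside this repository runs twice (once for `push`, once for `pull_request`). That works against the commit's stated goal of reducing build time; suggest restricting `push` to the branch PRs are merged into (the PR template says PRs are made against `dev`), for example `push: branches: [dev]`, and keeping `pull_request:` unrestricted. With push-triggered runs in place, the daily `'0 0 * * *'` schedule mainly serves to pick up new CodeQL queries, which is fine.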
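Review bot: in the build-step hunk, replacing Autobuild with an explicit `cmake` + `make` is the right approach for CodeQL on C++ provided the compile runs between `init` and `analyze`, which it does here, because the C/C++ extractor records the compiler invocations it observes during that window. Two suggestions: `make -j2` hardcodes the parallelism, so `make -j$(nproc)` (or `cmake --build . -j$(nproc)`) uses whatever the runner provides; and `-DCMAKE_BUILD_TYPE=Debug` deserves a one-line YAML comment saying it is chosen to skip optimisation passes for a faster analysis build, so nobody later changes it to Release and undoes the speed-up.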