community: Is there a contributor ladder?

[justaugustus]

Opening this to ask if there's a contributor ladder defined for this project.
Here's an example: https://github.com/kubernetes/community/blob/master/community-membership.md

Subtext: I'd be happy to help do PR review here, with the hopes of working towards maintainership, if there's a path for that :)

Previous contributions:

• ⚠️ Create a dedicated logging package to encapsulate calls to zap #1502
• 🌱 go.mod: Update github.com/google/go-containerregistry to v0.8.0 #1506
• ⚠️ log: Initial logr/logrusr implementation #1516

Maybe this is something like expanding CODEOWNERS, similar to openclarity/apiclarity.io#29.
Ideas on general org/repo mgmt (some of which you're likely already doing): todogroup/governance#106 (comment)

cc: @inferno-chromium @naveensrinivasan @azeemshaikh38 @laurentsimon (ref:

scorecard/.github/CODEOWNERS

Line 3 in e774015

.github/workflows/* @inferno-chromium @naveensrinivasan @azeemshaikh38 @laurentsimon

)

[laurentsimon]

Opening this to ask if there's a contributor ladder defined for this project. Here's an example: https://github.com/kubernetes/community/blob/master/community-membership.md

Subtext: I'd be happy to help do PR review here, with the hopes of working towards maintainership, if there's a path for that :)

Hi @justaugustus

super excited to see you're interested in scorecard, and appreciate the greats PRs you have contributed and the ones yet to come :-)!

We don't have a contributor ladder today, we only have https://github.com/ossf/scorecard#connect-with-the-scorecards-community. So far, the scorecard's codebase has remained small enough that we have not found the need to separate owners for sub-modules within scorecard. But you make a good point about scaling the project.

We welcome new maintainers as well, although we don't have clear rules about that either. Looking forward to your input/advice here. Do you want to join our next meeting on Thu?

Previous contributions:

• ⚠️ Create a dedicated logging package to encapsulate calls to zap #1502
• 🌱 go.mod: Update github.com/google/go-containerregistry to v0.8.0 #1506
• ⚠️ log: Initial logr/logrusr implementation #1516

Maybe this is something like expanding CODEOWNERS, similar to apiclarity/apiclarity.io#29. Ideas on general org/repo mgmt (some of which you're likely already doing): todogroup/governance#106 (comment)

cc: @inferno-chromium @naveensrinivasan @azeemshaikh38 @laurentsimon (ref:

scorecard/.github/CODEOWNERS

Line 3 in e774015

.github/workflows/* @inferno-chromium @naveensrinivasan @azeemshaikh38 @laurentsimon

)

[azeemshaikh38]

Subtext: I'd be happy to help do PR review here, with the hopes of working towards maintainership

So far, our path to maintainership has been to just ask :P I'm happy to have you on as a maintainer right away. @laurentsimon @naveensrinivasan @inferno-chromium any objections to adding @justaugustus as a Scorecard maintainer?

Opening this to ask if there's a contributor ladder defined for this project.
Here's an example: https://github.com/kubernetes/community/blob/master/community-membership.md

We do need a well-defined contributor ladder in the long-run. We can discuss more about this during our upcoming sync like Laurent suggested. Can also use this issue for tracking the discussion.

[inferno-chromium]

Subtext: I'd be happy to help do PR review here, with the hopes of working towards maintainership

So far, our path to maintainership has been to just ask :P I'm happy to have you on as a maintainer right away. @laurentsimon @naveensrinivasan @inferno-chromium any objections to adding @justaugustus as a Scorecard maintainer?

No objections and very happy to see Stephen's (@justaugustus) contributions here.

Opening this to ask if there's a contributor ladder defined for this project.
Here's an example: https://github.com/kubernetes/community/blob/master/community-membership.md

We do need a well-defined contributor ladder in the long-run. We can discuss more about this during our upcoming sync like Laurent suggested. Can also use this issue for tracking the discussion.

We need these processes for OpenSSF in general. Could be nice to have this at OpenSSF org level somewhere in a generic place, rather than in AllStar project. @justaugustus @david-a-wheeler - thoughts on this front.

[justaugustus]

Thanks so much for the support!
I've opened #1530 to make the CODEOWNERS changes.

We don't have a contributor ladder today, we only have https://github.com/ossf/scorecard#connect-with-the-scorecards-community. So far, the scorecard's codebase has remained small enough that we have not found the need to separate owners for sub-modules within scorecard. But you make a good point about scaling the project.

We welcome new maintainers as well, although we don't have clear rules about that either. Looking forward to your input/advice here. Do you want to join our next meeting on Thu?

Is this Thursday, 4pm ET?
If so, I can pop by for the latter half of the meeting :)

We do need a well-defined contributor ladder in the long-run. We can discuss more about this during our upcoming sync like Laurent suggested. Can also use this issue for tracking the discussion.

SGTM!

We need these processes for OpenSSF in general. Could be nice to have this at OpenSSF org level somewhere in a generic place, rather than in AllStar project. @justaugustus @david-a-wheeler - thoughts on this front.

Strong agree!
I think generic contribution guidelines, along w/ repo-specific guidelines make a lot of sense.

I would suggest leveraging the .github repo for this: https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file

We can set up an organization-level README to point people to some good places to engage and yep, I can help out with that!

[justaugustus]

From #308:

**Is your feature request related to a problem?

We need to define governance.

* How does one become a commiter?

* How does one become a owner?

* How does one become an approver ?

This will help new contributors understand the policies

ref: #1553

[pnacht]

GOSST's Upstream team has drafted a contribution ladder. It's currently written generically, as if describing the process for all OpenSSF projects, but could be simplified to focus solely on Scorecard if that's preferable.

I'm sending it as this linked doc to make collaboration easier, but can also send it as a PR if preferred.

Credit where it's due, this draft is based off Sigstore's ladder with multiple changes.

[spencerschrock]

Given the comments in ossf/tac#173, this document should be interpreted as Scorecard specific.

I think the general premise of the levels works for Scorecard:

• Triager (currently missing)
• Maintainer (Raghav and I were here for a while, and could merge PRs but not change repo settings)
• Admin (currently where all maintainers fall)

I'm still not sure what "Community member"/"contributor" would entail, as that seems to be the default case for how github works now for someone who has made one contribution to Scorecard.

In terms of next steps, there are a few open comments in the doc. Once answered, a section can be added to a relevant markdown file.

[pnacht]

I've made a modified copy of the ladder suggested above. This one is modified to only include things relevant for Scorecard, but is still very similar to the OpenSSF one.

Once again, I'm sending this as a Google Doc because I find them easier to collaborate on text, but I'll be happy to send this over as a PR instead, if preferred.

I've currently left the Community Member rung on the ladder in order to get input from others, but I agree it might not be too relevant for Scorecard (especially if ossf/tac#171 gets accepted, such that membership in the OpenSSF org should be "free").