Add more information on github setup & core requirements

Signed-off-by: Nigel Jones <[email protected]>
pq-code-package · Mar 7, 2024 · dc8c160 · dc8c160
1 parent a1cd4ec
commit dc8c160
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 2 deletions.
diff --git a/2024-04-hackathon.md b/2024-04-hackathon.md
@@ -40,7 +40,9 @@ For raising issues around pq-code-package generally:
 ## Onboarding projects
 
 - [List of projects & contacts we hope to onboard](candidate-projects.md)
-- [getting started with setting up a new project](project-onboarding.md)
+- [Github project creation](project-onboarding.md)
+- [source code requirements](source-requirements.md)
+- [code scanning](code-scanning.md)
 - Common documentation
 
 ## Other useful links

diff --git a/code-scanning.md b/code-scanning.md
@@ -0,0 +1,13 @@
+# Code Scanning
+
+# OSSF Scorecard
+
+Each project should integrate a scan using the OSSF scorecard
+
+See https://github.com/ossf/scorecard
+
+# vulnarability scanning
+
+tbd
+
+# linting & other checks
diff --git a/project-onboarding.md b/project-onboarding.md
@@ -5,6 +5,8 @@
 - Project source should be either under the Apache-2.0 or MIT license
 - Documentation should be CC-BY-4.0
 
+Any other license will need legal approval
+
 ## Creating a Github repo
 
 1. Decide on an initial name for the repo. 
@@ -32,4 +34,15 @@
                 - any other relevant access into
         - anything else relevant...
 
-    - Alternatively in the issue specify the source repo to migrate the code from & engage in a discussion as to the best way to acheive this
+    - Alternatively in the issue specify the source repo to migrate the code from & engage in a discussion as to the best way to achieve this
+
+## Teams
+
+All access should be controlled through teams
+
+To be written
+
+Branch Protection
+Approvals
+other settings
+project setup
diff --git a/source-requirements.md b/source-requirements.md
@@ -0,0 +1,16 @@
+# Source code requirements
+
+## Licensing
+
+All source code should contain SPDX license headers.
+
+
+* https://spdx.dev/learn/handling-license-info/ for more documentation
+* https://spdx.org/licenses/ has a full list of labels
+
+The following are ok to use, others need legal review
+
+| SPDX Tag | Example | Used for |
+| --- | --- | --- |
+Apache-2.0 | | Source code|
+CC-BY-4.0 | | Documentation