Merge pull request github#52 from github/ashleywolf-update-ospo

ahpook · web-flow · commit 3e4e3c377b0a · 2023-10-19T14:39:33.000-07:00
Updating docs and adding new content
diff --git a/docs/commercial-licenses.md b/docs/commercial-licenses.md
@@ -2,4 +2,4 @@
 
 Should you wish to contribute to a project that requires a proprietary license to do so, <COMPANY_NAME> will need to purchase a license after making the decision whether or not to do so.
 
-If there is no existing proprietary license, an issue can be opened at [Governance, Risk, Compliance & Communication (GRCC)](XXX) or a workflow in Ironclad to begin the process of reviewing the vendor for our data privacy and security protections to purchase a license. See more on the Procurement process [here](XXX).
+If there is no existing proprietary license, an issue can be opened at [Governance, Risk, Compliance & Communication (GRCC)](XXX) or a workflow in [tool] to begin the process of reviewing the vendor for our data privacy and security protections to purchase a license. See more on the Procurement process [here](XXX).
diff --git a/docs/ospo-tools-and-external-guides.md b/docs/ospo-tools-and-external-guides.md
@@ -1,40 +1,48 @@
 ## Tools
 
-These are tools published by employees that can be used by OSPOs for managing open source at scale. Please consider adding the OSPO label to GitHub projects that are valuable to open source program office teams and submit a PR to add them to this file.
+These tools, whether developed by GitHub or the broader community, are useful for OSPOs to manage and scale open source initiatives effectively. While we are highlighting some of the tools and guides we encounter that solve common use cases for OSPOs, there are even more out there. To help curate a more robust toolkit, consider adding the `OSPO` [topic](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics#adding-topics-to-your-repository) to relevant repositories. See the full list of OSPO topic repositories [here](https://github.com/topics/ospo). If you're looking for more tools you can also check out [`awesome-ospo`](https://github.com/todogroup/awesome-ospo) that provides a list of packages and projects OSPOs in the TODO Group have found useful.
+
+### Compliance
+
+Compliance tools focus on ensuring that projects adhere to licensing requirements, security standards, and policies. They are important for OSPOs to mitigate legal risks and maintain the integrity of their codebase.
+
+- [GitHub's Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems)
+- [Licensee: A Ruby Gem to detect under what license a project is distributed](https://github.com/licensee/licensee)
+- [Licensed: A Ruby gem to cache and verify the licenses of dependencies](https://github.com/github/licensed)
+- [GitHub API for licenses (uses `licensee` from above)](https://docs.github.com/en/rest/reference/licenses)
+- [Policy as Code GitHub Action: Allow users to configure their risk threshold for security issues reported by GitHub Code Scanning, Secret Scanning and Dependabot Security.](https://github.com/marketplace/actions/ghas-policy-as-code)
+- [Safe Settings: an app to manage policy-as-code and apply repository settings to repositories across an organization.](https://github.com/github/safe-settings)
+
+### Contributions
+
+Simplifying the process of contributing to projects by automating tasks like fork creation and reviews makes it easier for OSPOs to encourage and manage community contributions.
+
+- [Forker: GitHub Action to automate fork creation. This action uses octokit.js and the GitHub API to automatically create a repository fork, either in your personal GitHub account or a GitHub organization that you administer](https://github.com/wayfair-incubator/forker)
 
 ### Project administration
 
+Project administration tools are designed to streamline the setup and ongoing management of repositories. For OSPOs, these tools are essential for maintaining the health of multiple projects. They help in tasks like renaming branches, ensuring the presence of CONTRIBUTING.md files, and detecting codes of conduct, thereby standardizing project setups.
+
 - [Changing the default branch name for GitHub repositories](https://github.com/github/renaming#renaming-existing-branches)
 - [GitHub Action: Automatically open a pull request for repositories that have no CONTRIBUTING.md file](https://github.com/github/automatic-contrib-prs)
 - [Code of conduct detector based off Licensee](https://github.com/benbalter/coconductor)
 
-### Compliance
-
-- [License compliance - A Ruby Gem to detect under what license a project is distributed](https://github.com/licensee/licensee)
-- [Licensed: A Ruby gem to cache and verify the licenses of dependencies](https://github.com/github/licensed)
-- [GitHub Action: Allow users to configure their risk threshold for security issues reported by GitHub Code Scanning, Secret Scanning and Dependabot Security.](https://github.com/marketplace/actions/ghas-policy-as-code)
-- [Safe Settings - an app to manage policy-as-code and apply repository settings to repositories across an organization.](https://github.com/github/safe-settings)
+### Project and Organization Metrics
 
-### Policy
+Metrics tools provide data-driven insights into project health and community engagement. For OSPOs, understanding these metrics is key to making informed decisions. These tools offer analytics on various aspects like code contributions, dependency graphs, and overall activity within the organization.
 
-- [GitHub's Balanced Employee IP Agreement](https://github.com/github/balanced-employee-ip-agreement) - A policy which balances preserving the ability of employees to work on open source projects with the need to protect GitHub's intellectual property.
+- [Cauldron - Software development analytics](https://cauldron.io/)
+- [GitHub Organization Insights](https://docs.github.com/en/enterprise-cloud@latest/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-your-organization)
 
 ### User administration
 
-- [A simple Oauth app to automatically add users to an organization](https://github.com/benbalter/add-to-org)
-
-### GitHub Product features
+User administration tools help OSPOs manage their community and internal team members more efficiently. These tools automate the process of adding users to an organization, thereby reducing manual errors and saving time.
 
-- [Product: Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems)
-- [Default community health file](https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file)
-- [License detection and APIs (uses `licensee` from above)](https://docs.github.com/en/rest/reference/licenses)
-- [Organization Insights](https://docs.github.com/en/enterprise-cloud@latest/organizations/collaborating-with-groups-in-organizations/viewing-insights-for-your-organization)
-
-### Project Metrics
+- [A simple Oauth app to automatically add users to an organization](https://github.com/benbalter/add-to-org)
 
-- [https://cauldron.io/](https://cauldron.io/)
+## Community open source and OSPO guides
 
-## External guides
+These guides serve as comprehensive resources for best practices, strategies, and frameworks that OSPOs can adopt. They are curated by reputable organizations and experts in the field, providing a wealth of knowledge for setting up and scaling open source programs effectively.
 
 - TODO Group: [https://todogroup.org/guides/](https://todogroup.org/guides/)
 - GitHub: [opensource.guide](opensource.guide)
diff --git a/release template/ISSUE_TEMPLATE/open-source-release-form.yml b/release template/ISSUE_TEMPLATE/open-source-release-form.yml
@@ -0,0 +1,106 @@
+---
+name: Open Source Software (OSS) Release
+description: File an open source release
+assignees: ashleywolf, zkoppert
+title: "Open Source: [org/project]"
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this open source release form! Please answer all questions in this form to the best of your ability. Questions? Ping us [here](xxx). Read the full [open source release policy](xxx) and [releasing documentation](xxx).
+
+        🛑 You do not need to fill out this open source release issue if:
+          * The project is considered a product release that is not open source-related
+          * You are creating this repository under your personal account (e.g. mikemcquaid/strap) and it's not used by GitHub or related to your work at GitHub.
+
+        🟢 You should fill this issue out if:
+          * The project is considered an open source-related product release. Make sure to create an issue in `@/releases` first!
+          * You are releasing an open source project related to your work (including field service projects).
+          * You are publishing work-related open source code under your personal account (e.g. mikemcquaid/strap) or a GitHub organization
+  - type: dropdown
+    attributes:
+      label: Code and Assets
+      description: Did your team write all the code and create all of the assets you are releasing (images, fonts, documentation, machine learning models, etc.)?  For licensing questions discuss with `github/legal` and add link to that issue in this issue
+      options:
+        - Yes, all created by my team
+        - No, created by other teams
+  - type: dropdown
+    attributes:
+      label: Data
+      description: Does this project send any data or telemetry back to GitHub? If yes, open an issue in `[repo](xxx)` and link to that issue in this issue
+      options:
+        - Yes, telemetry
+        - No.
+  - type: dropdown
+    attributes:
+      label: Cryptography
+      description: Does the project implement cryptography? If yes, open an issue in `[repo](xxx) and link to that issue in this issue
+      options:
+        - Yes, implements cryptography
+        - No.
+  - type: dropdown
+    attributes:
+      label: Project License
+      description: What license will you be releasing with? MIT is GitHub's preferred open source license unless a specific community requires a different license. If not MIT, open an issue in [repo](xxx) and link to that issue in this issue
+      options:
+        - MIT License
+        - Other
+  - type: input
+    attributes:
+      label: Repo URL
+      description: Provide the link to the repo URL
+      placeholder: https://github.com/github/project-name
+  - type: textarea
+    attributes:
+      label: Project description
+      description: Describe the primary use cases for this project - what problem does it solve for users, and why do existing solutions not work?
+      value: |
+        ...
+  - type: textarea
+    attributes:
+      label: Business implications
+      description: Does the project overlap with existing projects or paid products in GitHub portfolio?
+      value: |
+        ...
+  - type: input
+    attributes:
+      label: Community/marketing support
+      description: Do you expect a large community of contributors on the project? Is it something that would be beneficial for GitHub to promote through community/marketing channels?
+      placeholder: ...
+  - type: input
+    attributes:
+      label: Owning Team
+      description: "Name of the team that will own/maintain the project."
+      placeholder: "@github/teamname"
+  - type: checkboxes
+    attributes:
+      label: Prepare Project
+      options:
+        - label: Review and address items in the [release guidelines](https://github.com/github/open-source-releases/blob/main/releasing.md)
+        - label: Add `employees` to the repo with at read permission.
+        - label: Ensure the repo has a meaningful description, tags, release, packages, and link when applicable
+        - label: Consult the product manager(s) of any GitHub products that the open source release may interact with or overlap with by tagging them in this issue. To find who the product owner for a given product might be, check out service catalog
+        - label: Remove sensitive materials in the revision history, issues, or pull requests
+        - label: "Add LICENSE file (preferred: [MIT LICENSE](https://github.com/github/open-source-releases/blob/main/templates/LICENSE.txt))"
+        - label: Update README.md to include sections seen in [`README.md`](https://github.com/github/open-source-releases/blob/main/templates/README.md)
+        - label: Add and update [`CODEOWNERS`](https://github.com/github/open-source-releases/blob/main/templates/CODEOWNERS) to list maintainers
+        - label: Add and update CONTRIBUTING.md.  Language specific templates are available (e.g. [CONTRIBUTING-ruby.md](https://github.com/github/open-source-releases/blob/main/templates/CONTRIBUTING-ruby.md), [CONTRIBUTING-go.md](https://github.com/github/open-source-releases/blob/main/templates/CONTRIBUTING-go.md))
+        - label: Add and update [SUPPORT.md](https://github.com/github/open-source-releases/blob/main/templates/SUPPORT.md)
+        - label: Add [`CODE_OF_CONDUCT.md`](https://github.com/github/open-source-releases/blob/main/templates/CODE_OF_CONDUCT.md)
+        - label: Add [SECURITY.md](https://github.com/github/open-source-releases/blob/main/templates/SECURITY.md)
+        - label: "Add branch protection rules to secure how branches are used. Examples: Require a pull request before merging; Require approvals on pull requests;"
+  - type: checkboxes
+    attributes:
+      label: Support
+      options:
+        - label: Define ownership by creating a Service Catalog entry. If you have questions, start at the FAQ for establishing ownership for open source repositories.
+        - label: Follow [best practices for maintainers](https://opensource.guide/best-practices/)
+        - label: Join the GitHub maintainer community in discussions.
+  - type: checkboxes
+    attributes:
+      label: Ship It
+      options:
+        - label: Reserve your project name on distribution platforms. If your project is Ruby, reserve the Rubygems gem name. If your project is Python, reserve the Pypi project. This will prevent confusion with namesquatting even if you don't plan to publish to these platforms.
+        - label: Publish your project!
+        - label: Share your project! Post in `internal channels`, on your personal social channels, and the [GitHub blog](https://github.blog/).
+        - label: (optional) Give feedback on this process.

Original file line number	Diff line number	Diff line change
`@@ -2,4 +2,4 @@`
`2`	`2`
`3`	`3`	`Should you wish to contribute to a project that requires a proprietary license to do so, <COMPANY_NAME> will need to purchase a license after making the decision whether or not to do so.`
`4`	`4`
`5`		`-If there is no existing proprietary license, an issue can be opened at [Governance, Risk, Compliance & Communication (GRCC)](XXX) or a workflow in Ironclad to begin the process of reviewing the vendor for our data privacy and security protections to purchase a license. See more on the Procurement process [here](XXX).`
	`5`	`+If there is no existing proprietary license, an issue can be opened at [Governance, Risk, Compliance & Communication (GRCC)](XXX) or a workflow in [tool] to begin the process of reviewing the vendor for our data privacy and security protections to purchase a license. See more on the Procurement process [here](XXX).`