• Generate dashboard to track:
  • Number of issues each month/quarter.
  • Breakdown by status (e.g. No response, Confirmed, Wishlist, Resolved.)
  • Time to first response.
  • Average time to final resolution (e.g. Closed, Resolved.)
  • Top contributors (CyberArk staff and community members.)

The template repository should include:

• README.md with instructions on getting started (that are deleted on copying)
• LICENSE
• CONTRIBUTING.md
• template Jenkinsfile
• issue templates
• PR templates
• ...

Standard issue templates have been added to all public repositories

AC:

• The default templates have been updated with actual default Bug and Feature Request templates
• Each public repo has at minimum a Bug and Feature Request issue template

Add daily build triggers to the Jenkinsfile for any repos in this list that have pipelines but don't already have it turned on:

• conjurdemos/cloudfoundry-conjur-demo
• conjurdemos/kubernetes-conjur-demo
• conjurdemos/pet-store-demo
• conjurinc/cloudfoundry-conjur-tile
• cyberark/ansible-conjur-host-identity
• cyberark/cloudfoundry-conjur-buildpack
• cyberark/conjur-puppet
• cyberark/conjur-service-broker
• cyberark/sidecar-injector
• cyberark/terraform-provider-conjur
• conjurinc/secretless-broker-e2e-tests
• conjurinc/secretless-demo
• conjurinc/secretless-server
• cyberark/go-mssqldb
• cyberark/secretless-broker
• conjurinc/summon-chefapi
• conjurinc/summon-conjurcli
• conjurinc/summon-keyring
• conjurinc/summon-s3
• cyberark/summon
• cyberark/summon-aws-secrets
• cyberark/summon-conjur
• cyberark/summon-file

Daily pipeline builds can be turned on by adding

triggers {
  cron(getDailyCronString())
}

to the Jenkinsfile

Each public repository should include an open source acknowledgements file that is kept up-to-date with the OSS dependencies in the project

AC:

• The cyberark/community repo has a README that:
  • Introduces CyberArk Commons and has a "Welcome to CyberArk Commons" message
  • Refers to Discourse, conjur.org, blogs.conjur.org
  • Talks about the three primary groups that have software in the cyberark GitHub org, and links to READMEs in separate folders for those three groups. There should be a bullet for each group that is involved - CyberArk Labs, CyberArk Conjur, and CyberArk Cloud Solutions - and the bullets should each link to a README in a folder for each group (eg labs, conjur, and cloud).

Once this is merged and live in the repo, we'll ask PMM for feedback on the main community README, and alert the cloud and lab teams to let them know to add content to their folders

We may need to define this process for the OSS community first. Suggested flow:

• Deliver internal issue tracking for public issues (in GitHub):
  • Set up statuses.
  • Set up any issue templates (e.g. for support issus to be redirected to Discourse.)
• Deliver internal issue tracking for private issues (in GitHub):
  • Set up statuses.

AC:
There is an initial OSS suite release with:

• CHANGELOG in the repo
• GitHub tag and release with release notes
• Updated documentation and release notes published on conjur.org

AC:
The following templates have been added to the repo, with appropriate component labels:

• Bug template
• Feature request template

We'd love to have a future contributor look through the community repo and give us feedback on what could be clearer and how we can improve it.

TBD - depends on whether the github landing page is live. If so, we can advise to find the appropriate repository's issue page and click "new issue". Otherwise we may need to come up with more generic guidelines.

All public repos have bug and feature request issue templates.

Suggested templates:

• Bug template
• Feature request template

Repos:

• conjurinc/appliance-docker-ami
• cyberark/bash-lib#21
• cyberark/conjur-aws#20
• cyberark/homebrew-tools#9
• conjurdemos/cloudfoundry-conjur-demo#53
• conjurdemos/kubernetes-conjur-demo#87
• conjurdemos/pet-store-demo#21
• cyberark/ansible-conjur-host-identity#24
• cyberark/cloudfoundry-conjur-buildpack#54
• cyberark/conjur-puppet#56
• cyberark/conjur-service-broker#145
• cyberark/sidecar-injector#12
• cyberark/terraform-provider-conjur#38
• conjurinc/tenfactorci
• cyberark/dev-flow
• cyberark/parse-a-changelog#12
• conjurdemos/conjur-intro
• cyberark/conjur-quickstart
• cyberark/go-mssqldb
• cyberark/secretless-broker
• conjurinc/summon-conjurcli#4
• cyberark/summon#127
• cyberark/summon-aws-secrets#23
• cyberark/summon-chefapi#7
• cyberark/summon-conjur#48
• cyberark/summon-file#4
• cyberark/summon-keyring#10
• cyberark/summon-s3#10
• #25
• cyberark/conjur-oss-suite-release#32
• cyberark/secrets-provider-for-k8s#66
• cyberark/conjur-authn-k8s-client#81

AC:

• Juxtaposer 1 hour, single thread, recreateConnections=false (aka persistent connection) performance tests have been run for MSSQL in a realistic environment (eg the XA env)
• The tabular results of the performance tests have been attached to this issue

@diverdane recently did a POC of revising the [Secretless demo](https://github.com/cyberark/secretless-broker/tree/master/demos/k8s-demo/] to run using KinD: https://github.com/diverdane/secretless-k8s-demo

This would make an interesting blog post. Some points to consider hitting:

• the evolution of local K8s dev
• the differences between KinD and other options
• considerations when choosing a local tool to try k8s
• whether you'd use KinD for local dev if you have access to an actual k8s cluster

All public repos should require pull requests for submitting code to the master branch.

AC:

• Review all public repos to determine master branch protection status
• Turn on master branch protection (with re-review required if new changes are pushed) if a repository does not yet have it on

AC:

• Finalize how PRs are reviewed (applying to both staff and community members.)
• Document this process on conjur.org and in the community repo

The broken terraform provider build here needs to be fixed.

User Stories

Open Source Users

OSS Suite Component Maintainers

Conjur OSS Contributors

Conjur OSS Suite Release Managers

Conjur Core Downstream Developer

In cyberark/conjur#1261 it was noted that the Conjur github repo still links to Slack in its README.

Our other public repos need to also be reviewed to ensure that they do not also link to Slack - if they do, they should be updated to refer to CyberArk Commons instead.

Our public repositories should clearly document what process non-employees should do to report potential security bugs. This could involve:

• Including a SECURITY.md file, or similar
• Including a snippet in the README or CONTRIBUTING that refers to the security bug policy
• Other options?

In this effort, we will define the standard way Conjur Open Source repos should document security vulnerabilities, and we will update the current set of public non-archived repositories to follow this process.

AC:

• There is a process defined for documenting how to report security vulnerabilities
• Any new repo templates or guidelines are updated with this policy
• All existing public non-archived repos follow this process

The copyrights on our license files in all Conjur-owned repos are updated to

Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.

Given a project that is written in Go and uses Go modules for package management
Then an acknowledgements file (NOTICES.txt) can automatically be created from the go.mod
And when the go.mod is updated
Then the pipeline can auto-detect an update to the acknowledgements is needed
And there is a script to auto-update the acknowledgements file given the new go.mod

Potential tools to leverage to automate this:

• https://github.com/nexB/scancode-toolkit
• https://github.com/vmware/tern
• https://github.com/pivotal/LicenseFinder (currently used by Secretless and the PCF integration)

Improve the workflow to make "in progress" and "merged but not released" issues more visibile in GitHub / to people without ZenHub access

The top-level README.md in the community repo should give a clear and detailed introduction to each team (Conjur, Cloud Solutions, Labs, etc.)

• Table of contents containing links to other sections of the readme detailing the teams
• Full sections that detail information about each group
  • "Who we are"-type section
  • "What we do"-type section
  • Dropdown table with repos owned by the team

AC:

• Every repo in the list below has a basic CONTRIBUTING.md file (template here) - add a file if there isn't one, even if it includes almost no content now
• Every CONTRIBUTING.md file links to the community repo "for general contributor information"

Note: as you're adding new contributing files please be sure to update the README to link to the project CONTRIBUTING, and move all contributor focused content from the README to the project CONTRIBUTING.

This means that PRs where you add CONTRIBUTING.md should change two files - CONTRIBUTING and the README. Repos where you update the existing contributing to link to the generic guidelines will just change one file.

Repos:

higher priority repos

• cyberark/conjur
• cyberark/conjur-api-dotnet
• cyberark/conjur-api-go
• cyberark/conjur-api-java
• cyberark/conjur-api-python3
• cyberark/conjur-api-ruby
• cyberark/conjur-authn-k8s-client
• cyberark/conjur-cli
• cyberark/conjur-google-cloud-marketplace
• cyberark/conjur-oss-helm-chart
• cyberark/bash-lib
• cyberark/conjur-aws
• cyberark/homebrew-tools
• conjurdemos/cloudfoundry-conjur-demo
• conjurdemos/kubernetes-conjur-demo
• conjurdemos/pet-store-demo
• cyberark/ansible-conjur-host-identity
• cyberark/cloudfoundry-conjur-buildpack
• cyberark/conjur-puppet
• cyberark/conjur-service-broker
• cyberark/sidecar-injector
• cyberark/terraform-provider-conjur
• cyberark/go-mssqldb
• cyberark/secretless-broker
• conjurinc/summon-conjurcli
• cyberark/summon
• cyberark/summon-aws-secrets
• cyberark/summon-chefapi
• cyberark/summon-conjur
• cyberark/summon-file
• cyberark/summon-keyring
• cyberark/summon-s3
• cyberark/kubernetes-conjur-deploy
• cyberark/parse-a-changelog
• cyberark/conjur-quickstart

lower priority repos

• conjurinc/api-node
• conjurinc/api-python
• conjurinc/debify
• conjurinc/memtar
  - [ ] conjurinc/pg_random_id
• cyberark/conjur-rack
• cyberark/helm-charts
• cyberark/io-grab
• cyberark/ruby-keyutils
• cyberark/slosilo
• conjurinc/appliance-docker-ami
  - [ ] conjurinc/tenfactorci
• cyberark/dev-flow
• conjurdemos/conjur-intro
  - [ ] cyberark/css
  - [ ] cyberark/javascript
  - [ ] cyberark/ruby
  - [ ] cyberark/sudoku-validator

The following projects should be updated to have the same pull request template as the one used in Conjur, here: https://github.com/cyberark/conjur/blob/master/.github/PULL_REQUEST_TEMPLATE.md.

• cyberark/ansible-conjur-collection
• cyberark/conjur-authn-iam-client-python
• cyberark/bash-lib
• cyberark/conjur
• cyberark/conjur-oss-helm-chart
• cyberark/conjur-google-cloud-marketplace
• cyberark/conjur-cli
• cyberark/conjur-api-dotnet
• cyberark/conjur-api-go
• cyberark/conjur-api-java
• cyberark/conjur-api-python3
• cyberark/conjur-api-ruby
• cyberark/conjur-authn-k8s-client
• cyberark/conjur-google-cloud-marketplace
• cyberark/conjur-oss-suite-release
• cyberark/conjur-quickstart
• cyberark/dev-flow
• cyberark/secrets-provider-for-k8s
• cyberark/conjur-service-broker
• cyberark/cloudfoundry-conjur-buildpack
• cyberark/ansible-conjur-host-identity
• cyberark/conjur-credentials-plugin
• cyberark/conjur-puppet
• cyberark/kubernetes-conjur-deploy
• cyberark/parse-a-changelog
• cyberark/terraform-provider-conjur
• cyberark/sidecar-injector
• cyberark/slosilo
• cyberark/summon
• cyberark/summon-aws-secrets
• cyberark/summon-chefapi
• cyberark/summon-conjur
• cyberark/summon-keyring
• cyberark/summon-s3

These repos already have a pull request template, please review them and determine whether they can be updated to a format like the Conjur template, or if they need to remain as-is:

• cyberark/conjur
• cyberark/conjur-template
• cyberark/secretless-broker

NewConnectionDetails has support for SSLOptions, similar to the PG and MySQL adapter.

• sslOptions exists as a value in the connectiondetails struct
• "sslrootcert", "sslkey", "sslcert" can be specified in the secretless.yml
• unit tests exist for the proper handling of these values

• Finalize how PRs are reviewed (applying to both staff and community members.)
• Document this process on conjur.org and in the repo.

GIVEN I am the OSS suite release manager
AND I know what is available to release
AND I have determined what I want to include in the next OSS suite release
AND I know the version of the next OSS suite release
THEN I know the process for creating a new OSS suite release
AND I can follow that process to create a new OSS suite release

AC:

• README for release manager is written

wrong place

AC:

• Populate the repo with the contributor license agreement, guidelines on contributing, info on how to get started finding issues, software quality standards and expectations, the process for submitting work and getting it merged
• Update existing repositories to refer to the central community repo as appropriate

AC:

• The gist published here: https://gist.github.com/doodlesbykumbi/d2f3a90796e0f83792bb47f310da79ca
  is edited based on the feedback already given and migrated to WordPress to be published on blogs.conjur.org

• Generate dashboard to track:
  • Time to first response for a new PR.
  • Number of submitted PRs each quarter.
  • Average time from submission to approval.
  • Top contributors (CyberArk staff and community members.)

The current Conjur Puppet page lists Zendesk for support (see the support section

The page needs to be updated with current contact information for Conjur support, i.e. the Conjur channel in Discourse here or this github repo's issues section.

Using a documented manual but repeatable process, metrics are collected on the following:

• Time to first response for a new PR.
• Number of submitted PRs per month
• Average time from submission to approval
• Top contributors (CyberArk staff and community members)
• Number of issues each month/quarter.
• Breakdown by status (e.g. No response, Confirmed, Wishlist, Resolved.) (Note - mapping to these statuses is TBD)
• Time to first response.
• Average time to final resolution (e.g. Closed, Resolved.)
• Top contributors (CyberArk staff and community members.)

Aha card: https://cyberark.aha.io/features/AAM-264

The basis for the proposal includes the following:

• The original release checklist
• @andytinkham's DoD spreadsheet
• @brikelly's Slack draft contribution levels

The goal is to define maturity levels for contributions so that we can enable community contributions while continuing to be clear to end users about expected maturity of features in the open source suite of products.

AC:

• There is a blog post on lessons gleaned from the theatre surrounding healthy team dynamics

This is a follow-up to #26, which (oops) did not include all relevant repos.

Suggested templates:

• Bug template
• Feature request template

AC: Add or update feature request and bug templates in the following repos:

• cyberark/conjur
• cyberark/conjur-oss-helm-chart
• cyberark/conjur-aws
• cyberark/conjur-cli
• cyberark/conjur-api-dotnet
• cyberark/conjur-api-go
• cyberark/conjur-api-java
• cyberark/conjur-api-python3
• cyberark/conjur-api-ruby
• cyberark/conjur-credentials-plugin

Add a header to the top of all source code files (e.g. .go and .rb files, etc) with:

// Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
// Use of this source code is governed by an Apache 2.0
// license that can be found in the LICENSE file.

The following repos should have a CODEOWNERS file in .github/CODEOWNERS that includes the single line:

* @cyberark/community-and-integrations-team

• cyberark/community
• cyberark/conjur-oss-suite-release
• conjurdemos/cloudfoundry-conjur-demo
• conjurdemos/kubernetes-conjur-demo
• conjurdemos/pet-store-demo
• conjurinc/cloudfoundry-conjur-tile
• cyberark/ansible-conjur-host-identity
• cyberark/cloudfoundry-conjur-buildpack
• cyberark/conjur-puppet
• cyberark/conjur-service-broker
• cyberark/sidecar-injector
• cyberark/terraform-provider-conjur
• conjurinc/secretless-broker-e2e-tests
• conjurinc/secretless-demo
• conjurinc/secretless-server
• cyberark/go-mssqldb
• cyberark/secretless-broker
• conjurinc/summon-conjurcli
• cyberark/summon
• cyberark/summon-aws-secrets
• cyberark/summon-chefapi
• cyberark/summon-conjur
• cyberark/summon-keyring
• cyberark/summon-s3

AC:
In the Conjur folder, there needs to be:

• A README for Conjur Open Source that refers to the content below
• A folder for style guides (eg Ruby, Golang, Bash) that is linked to from the README - use existing style guides when possible, and if none exists just create a minimal simple style guide for this directory that liinks to existing content from the pinned style guides in the about-X channels in Slack
• A CONTRIBUTING file with:
  • Info on looking for CONTRIBUTING.md in other repos
  • Info on generic contribution workflow (eg fork, change, PR, etc)
  • Special git-flow guidelines that we use, that community users should know about (ie clean commit history, rebase vs merge, etc - can be pulled from our git guide
  • General info on typical testing patterns / how to run tests

As with every project, the community repo is open to contributions from the external and internal community.

• A CONTRIBUTING.md exists in the top-level directory
• Details for internal and external contributors to improve documentation and clarity of community docs structure and content
• Details for connecting a project back to the community repo through a README
• Common conventions for making a project open for contributions

We verify that connection succeeds with simple queries when connecting to Secretless through JDBC

AC:

• The CONTRIBUTING file in the conjur folder of the community repo has guidelines on using the DCO (for MIT / Apache / BSD licensed repos) vs the CLA (can be based on guidelines here)
• The community repo includes a copy of the CLA to serve as a central place for projects that use it to refer to it

The jdbc jar in /tests/util/jdbc currently sits around 4.3 MB, and it would be better practice if we built it for our tests instead of storing the binary in our repository. There are several ways we could approach this, and several steps.

• There isn't native support for MsSQL in the JAR, it has to be added along with the official driver from microsoft.
• We need to modify the configuration and MANIFEST.md files each time to map the command to the MsSQL driver
• Currently, there exists a dependency on eclipse for compiling and exporting. We should try to remove this dependency if possible.
• We could introduce building the JAR file as part of our dockerfile build process for the test container

The Golang Style guide is missing a few categories that are relevant to the work of the Conjur team projects.

• Code Coverage - Add target coverage, and example commands to run to get coverage.
• Mocking - Determine if we need anything here, e.g. "avoid the use of global variables for mockable interface declarations, and instead propagate mockable interfaces from highest possible level down"
• Copyright Notices - Add a sample copyright notice
• Logging - Determine what needs to be added here