# Week of 25 March 2024

## OSP Health Dashboard Brainstorm Notes

1. KT: git latest release version was outdated
   - fixed already, reason: GH release was in pre-release mode
   - AI: @leordev to check if KT releases are final!
2. mvn badge (remove jitpack)
   - Call it "Maven Central" or other reasonable title, which is a repository - `mvn` is a build tool. If we can.
3. fossa badges (security scan + license scan)
   - Remove current scan badge
   - ![image](https://hackmd.io/_uploads/H1mpfgz1C.png)
   - Can be found [here](https://app.fossa.com/projects/custom%2B588%2Fgithub.com%2FTBD54566975%2Fweb5-kt/refs/branch/main/f5a0488fbf2e8327c0b9694e9490fb6652a65423)
4. todos items
5. think about project representations
   - About `main`
     - Monorepo Things
       - CI Status
       - License (GitHub)
       - FOSSA License
       - FOSSA Security
       - OSSF
       - CodeQL
         - link to [here](https://github.com/TBD54566975/web5-js/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3ACodeQL) for instance. Note that this is available for viewing only to contributors.
       - CodeCov
       - BuildKite (we may remove for now, see section on this below, but it belongs here when ready)
       - Spec Compliance (Vectors)
         - May need reorganization because it's all pointing to one page, may want to split between tbDEX and Web5, organize package level, and generally take on into OSP if the upstream teams would like us to maintain going forward
       - Docs CI
     - Package Things
   - About Past Releases (including Latest Release)
     - Package or Repo Thing depending upon impl language
       - Git Tag (read prefix because this exists at repo level)
       - GitHub Release (read prefix because this exists at repo level)
       - BOMs
       - Docs Publish
       - Docs Release
     - Package Things
       - License (Artifact Repo ie. `npm`, `Maven Central`)
     - Monorepo Things
       - FOSSA Security scan
6. BuildKite
   - Temporarily remove for now, pending this work:
     - No badge from because we're just uploading results
     - We should talk to them
     - Get useful information out of them
     - Then implement
7. Need @web5/credentials Row
8. Need web5-swift Row
9. Need tbdex-swift Row

# Week of 11 March 2024

## SDK Sync Updates

Leo:
- web5-js Changesets setup release PR (WIP - Almost there)
- FOSSA Checks refactor to a global repo (WIP)

ALR:
- Maven build PR and changes to release workflow for `web5-kt` incoming soon (by tomorrow); will need a more extensive review to validate feature parity and CI / release management improvements. This makes it so we can align dependencies in the Kotlin suite for the tbDEX platform. Will request expedited handling to unblock a follow-on PR for `tbdex-kt`.

Finn:
- trying to add snapshot releases to web5-js, so new features can be pulled into tbdex-js and developer.tbd.website before web5-js has done a proper release.

### Highlights to Share with TBD SDKs DRI on Weekly Sync Meeting

- Mavenizing (web5-kt and tbdex-kt)
  - Motivation Recap
    - to be able to comply with BOM POMs
    - right packaging distribution to consumers
  - PR Almost ready, need some review
  - This work also includes a bunch of CI improvements:
    - Improved release workflow triggers: a workflow that automatically tags, updates pom, etc.
    - Dokka publication bug fix: we are publishing on every main push, it should be only on releases
    - Artifactory publishing - so that DevRels can test snapshot previews
- Preview Snapshots
  - Motivation recap
    - to be able to consume preview snapshots in our upstream services
    - when web5-js packages have a snapshot we can:
      - test things in tbdex-js
      - devrels can test things and update guides early
        - (sometimes they want to use a feature that is already in main)
      - could anticipate issues in bundler bonanza test suite
    - tbdex-swift has it for free because of the SPM repo nature
  - PR ready for review on Web5-js
  - WIP for tbdex-js, for kt the mavenizing process already encompasses it
- FOSSA Checks Refactor
  - Motivation recap
    - main goal: to have a better dev experience
    - we split security scan vs licenses checks
    - also, we fixed the biggest complaint where PRs were failing even though they didn't introduce the security/license issue
  - Done since last week for tbdex-kt as a pilot
  - Refactor to a global github Workflow pipelines in repo is a WIP
- NPM Tokens for publishing

# Week of 04 March 2024

# Team

## Weekly Retro and Action Items

- (to be done at close of week)

## Focus for the Week

*What are you working towards in filling the Cycle? May be a burndown list of what you hope to achieve this week, and is likely the most important part of the Standup Process.*

- ALR: Kotlin projects, upstream contributor issue (builds fail from non-upstream forks), Release Management w/ Leo
- Nick: Single dep declaration (propagate deps), [Shnip whitespace](https://github.com/TBD54566975/developer.tbd.website/issues/1301), Dev Site WARNs (see OSP Board "this week")
- Leo: Artifactory publishing, FOSSA improvements in the checks (separating out)

## What's Not Yet Done for mid-April

- Dashboard Stuff (can ask Finn)
  - Pull Snyk off
  - Add developer.tbd.website
    - Also needs to be done as CI jobs in pipeline, remove how we do it now as OAuth application
  - Fill in missing widgets
    - BOMs
    - Docs CI
    - Docs
- Maven Dependencies in upstream SDKs
  - Should be aligned between Web5 and tbDEX
  - ALR needs to write it up briefly
- External contributor PRs in upstream SDKs
  - They fail the build right now. Fix. [Discussion in Discord](https://discord.com/channels/937858703112155166/1212197845743042560).
- Release Management
  - ALR: Discord about helping DevRel get earlier insight into what's coming - from `main` builds, published, or as SNAPSHOTs
  - Building all SDK projects on `main` and putting those artifacts in Artifactory
  - Template / steps for what a release looks like and which teams are responsible for which pieces
    - ie. how we've done for Web5 JS API
  - [issue about automated gh releases on kotlin that I need to check](https://github.com/orgs/TBD54566975/projects/29/views/4?pane=issue&itemId=44309337) *leo*
  - Current Status:
    - Artifactory setup for Kotlin projects
    - NPM, Swift aren't set up
      - We don't know how to name snapshot builds or what the conventions are for either of those languages ([some info for npm](https://stackoverflow.com/questions/31156766/using-snapshot-in-private-npm-like-in-maven))
    - No automated snapshot release for any repos - ideally this will happen for every merge to main
- Security Stuff
  - [Create Security Policy and roll out to projects](https://github.com/orgs/TBD54566975/projects/29/views/4?pane=issue&itemId=54435991)
  - split license checks from security checks (FOSSA) *leo*
  - license and security checks PR filters (FOSSA) *leo*

## Where I’m blocked

## I’d like to raise… (Optional)

No problem-solving, just visibility-raising.