Hey Devs!
Recently, ROUTE06, Inc. has made two products, Giselle and Liam, open-source.
In this article, I'll share the "OSS Publishing Tutorial" that ROUTE06, Inc.'s OSS Promotion Office created and used when making these products open-source. Some internal links and references have been omitted.
👉 ROUTE06, Inc.'s OSS Promotion Office functions as an Open Source Program Office (OSPO), responsible for promoting OSS utilization, managing risks, supporting community contributions, and advancing the open-sourcing of internal products and projects.
- OSS Publishing Tutorial
- Conclusion
- Supplement: About Giselle and Liam as OSS
OSS Publishing Tutorial
This is a tutorial on how to publish an OSS repository on GitHub.
💡 The OSS Promotion Office is available to consult on topics like license selection and other aspects.
1. Preparation
- Decide which GitHub organization will host the repository
- Choose whether to create the repository under https://github.com/route06inc or another organization1
- Decide the repository name
- Choose a name for the repository under the organization
- Decide when to make the repository public
- Typically, start as Private and switch to Public when preparations are complete
- If everything is ready, create it as Public from the beginning
- Agree to enable all repository features except for Wikis
- Issues, Pull requests, Discussions, Projects
- Note: To encourage external contributions, this is the default policy
- Decide whether to use English, Japanese, or both in various parts of the repository
- Repository description
- Issues, Pull Requests, Discussions, Projects
- Title, Content, Comments
- Source code comments
- Git commit messages
- Documentation
- README.md, LICENSE, CONTRIBUTING.md, CODE_OF_CONDUCT.md, SECURITY.md
- English is required, Japanese is optional. Both are allowed
- Other text files
- README.md, LICENSE, CONTRIBUTING.md, CODE_OF_CONDUCT.md, SECURITY.md
- Note: Decide within the limits of what won't hinder development. Add this later to CONTRIBUTING.md
- Decide the name of the private repository for internal communication
- Create a private repository for purposes like the following. For example,
route06/*-internal- Medium- to long-term planning
- Discussions about vulnerabilities not yet ready for disclosure
- Discussions involving confidential or collaborator-only2 information
- Others
- Use public repositories whenever possible to ensure transparency. For example:
- Feature proposals
- Bug reports
- General Q&A
- Code reviews
- Documentation updates
- Create a private repository for purposes like the following. For example,
- Decide on the repository's operation policy immediately after publishing
- While it's unlikely there will be too many contributions right after publishing, set some guidelines. For example:
- Keep operations light at the start
- When an Issue, Pull Request, or Discussion from a Contributor comes in, ⚪︎⚪︎ responds to it as needed
- Establish triage policies when contributions increase
- While it's unlikely there will be too many contributions right after publishing, set some guidelines. For example:
2. Repository Setup
2-1. Setup Items
Create a repository in the organization decided in "1. Preparation" and proceed with the setup. All items are required unless otherwise discussed.
| Item | Notes | Official Documentation |
|---|---|---|
| Create the repository and invite members | Available to use route06inc/template as a template | Link |
| Enable Issues, Discussions, Projects, and disable Wiki | ||
| Set the Description | ||
| Configure Topics | Link | |
| Create README.md | Link | |
| Create LICENSE | Included in route06inc/template | Link |
| Create issue templates | Included in route06inc/template | Link |
| Create pull request templates | Included in route06inc/template | Link |
| Create CONTRIBUTING.md | Included in route06inc/template | Link |
| Create SECURITY.md | Included in route06inc/template | Link |
| Create CODE_OF_CONDUCT.md | Included in route06inc/template | Link |
| Configure automatic deletion of merged branches | Enable "Automatically delete head branches" | Link |
| Protect the default branch | Define and configure rulesets | Link |
| Enable Dependabot Alerts | Detect vulnerable dependencies | Link |
| Enable GitHub Advanced Security (GHAS) | Always enabled for public repositories | Link |
| Configure CodeQL | Part of GHAS for detecting vulnerabilities. GitHub Actions workflow included in route06inc/template, so no additional setup required3. | Link |
| Make Dependency Review a required status before PR merges | A GHAS feature to catch vulnerable dependencies before PR merges. GitHub Actions workflow included in route06inc/template. | Link |
| Enable Secret scanning and Push protection | A GHAS feature to detect secrets in code and block new pushes | Link |
| Create CODEOWNERS (optional) | Link |
Column: What to write in [INSERT CONTACT EMAIL]?
In templates like CODE_OF_CONDUCT.md and SECURITY.md, replace [INSERT CONTACT EMAIL] as follows:
If you want to use separate email addresses for each purpose:
-
conduct@example.com
- Specify in CODE_OF_CONDUCT.md
-
security@example.com
- Specify in SECURITY.md
If you want a single email address for all community inquiries:
- Example 1: community@example.com
- Example 2: oss@example.com
2-2. Create a Slack channel #gh-*
💡 At ROUTE06, Inc., creating a #gh-* Slack channel for GitHub repository notifications is encouraged.
Once the channel is created, run the following command in it. Replace ORG/REPO as needed.
/github subscribe ORG/REPO issues, pulls, commits, releases, deployments, reviews, comments, discussions
This will enable notifications. Check the configuration with /github subscribe list features.
By default, notifications are posted in threads. Disable this by following these steps:
- Run
/github settingsin the channel - Click
Disableunder "Disable threading for Pull Request and Issue notifications"
ref: https://github.com/integrations/slack/issues/1500#issuecomment-1335564029
3. Pre-Publishing Review
3-1. Conduct a Security Review
- Verify that the
SECURITY.mdfile is added to the repository and that it clearly outlines the security policy and vulnerability reporting procedure - Ensure that the following GHAS features are enabled
- Code scanning (CodeQL)
- Confirm the
.github/workflows/codeql.ymlcommit
- Confirm the
- Secret scanning and Push protection
- Code scanning (CodeQL)
- Confirm that Dependabot Alerts is enabled
- Ensure that no internal information is hardcoded in the repository's source code
- Example: Preventing non-company email addresses from being registered as a safeguard
- Confirm there are no internal links in the repository's source code or commit messages
- Example: Slack URLs, internal private repository URLs, issue numbers starting with
#, etc. - If such links exist, they do not need to be erased from history with
git rebase. Just ensure they are not included going forward
- Example: Slack URLs, internal private repository URLs, issue numbers starting with
- Verify that no proprietary names appear in the repository's source code or commit messages
- Example:
$ git log -p | grep -E '(◯◯|□□|△△)'
- Example:
- Use full commit hashes for third-party GitHub Actions version specifications (optional)
- Example:
- uses: owner/action-name@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v1.0.0
- Example:
3-2. Confirm Compliance
- Verify licensing
- Ensure the
LICENSEfile is added to the repository and that the selected license applies appropriately to the source code without infringing on third-party rights - Confirm compatibility between the repository's license and the licenses of dependent libraries
- Reference:
- Ensure the
- Check export regulations
- Confirm that the project does not include technologies subject to export regulations
3-3. Obtain Internal Approval for OSS Publishing
This step requires that you first decide on a license for your project. Handle this as soon as the license is finalized.
4. Repository Publishing
4-1. Publish the Repository
Coordinate as needed with a blog post or a press release.
4-2. Conduct a Post-Publishing Review by the OSS Promotion Office
Even after publishing the repository, verify that the repository settings are configured as intended.
- Check for any omissions in "2. Repository Setup"
- Confirm that the following GHAS features are enabled: Code scanning (CodeQL), Secret scanning, Push protection
- Verify that Dependabot Alerts is enabled
- Ensure the "Report a Vulnerability" link in the repository's
SECURITY.mdfile works for both:- Members of the GitHub organization
- External users of the GitHub organization
- If the link results in a 404 Not Found error for external users, Private vulnerability reporting might be disabled
- Confirm that
Reported contentin Reported content settings is set toPrior contributors and collaborators- 💡 This setting restricts or relaxes who can report vulnerabilities
Conclusion
In this article, I shared the "OSS Publishing Tutorial" that we created and used when making Giselle and Liam open-source.
Although I have experience with open-sourcing projects personally, I initially thought, "Isn't it just about publishing a repository?" However, in a professional setting, numerous other things to consider came to light, resulting in this detailed "OSS Publishing Tutorial." We plan to keep updating it moving forward.
I hope this serves as a useful reference.
Supplement: About Giselle and Liam as OSS
The giselles-ai/giselle repository recently published as OSS is for Giselle, a platform that enables no-code creation of agents and workflows utilizing generative AI. Detailed information can be found on the Giselle service website: https://giselles.ai/.
The liam-hq/liam repository is for Liam, a tool that effortlessly generates beautiful and easy-to-read ER diagrams. Detailed information can be found on the Liam service website: https://liambx.com/.
-
Example: https://github.com/giselles-ai, https://github.com/liam-hq ↩
-
ROUTE06, Inc. employees or partners with Admin/Write permissions for the repository ↩
-
Requires using the default CodeQL configuration to set it as a required status before PR merges ↩
Top comments (0)