oss-signal

Adoption Kit

This page gives maintainers a copy-paste path for trying oss-signal and leaving useful public evidence.

For a first trial, use the no-fail workflow in maintainer-trial.md. It publishes a report without gating CI.

Try The CLI

Run against a public repository without cloning:

npm exec --yes --package=oss-signal@0.8.4 -- oss-signal owner/repo --format markdown --output oss-signal-report.md

Run against the current checkout:

npx oss-signal . --format markdown --output oss-signal-report.md

Generate a human-reviewed issue body:

npx oss-signal owner/repo --format issue --output maintainer-follow-up.md

Generate a no-fail trial workflow:

npx oss-signal owner/repo --format workflow --output .github/workflows/oss-signal-trial.yml

Add The GitHub Action

This example gates CI with fail-under. For a first trial in another maintainer’s repository, start with examples/maintainer-trial-workflow.yml instead.

name: Repository health

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  oss-signal:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: SalmonPlays/oss-signal@v0.8.4
        id: oss-signal
        with:
          fail-under: "80"
          output: oss-signal-report.md
          summary: "true"
      - uses: actions/upload-artifact@v5
        with:
          name: oss-signal-report
          path: oss-signal-report.md

Add SARIF To Code Scanning

permissions:
  contents: read
  security-events: write

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

steps:
  - uses: actions/checkout@v5
  - uses: SalmonPlays/oss-signal@v0.8.4
    with:
      format: sarif
      output: oss-signal.sarif
      summary: "false"
  - uses: github/codeql-action/upload-sarif@v4
    with:
      sarif_file: oss-signal.sarif

Full walkthrough: sarif-code-scanning.md
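
A check a maintainer can run before copying either workflow above: it lists `uses:` references that point at a tag rather than a full commit SHA, since a tag can later be moved to different code. This is an added example, not part of oss-signal; `auditUses`, `unpinned` and the embedded sample text are assumptions made for illustration.

```javascript
// Added example: audit `uses:` references in a GitHub Actions workflow.
// A tag such as @v5 can be re-pointed by the action's owner; a full
// 40-hex commit SHA cannot.

// Constructed sample: the steps from this page's SARIF workflow.
const SAMPLE_WORKFLOW = `
permissions:
  contents: read
  security-events: write
steps:
  - uses: actions/checkout@v5
  - uses: SalmonPlays/oss-signal@v0.8.4
    with:
      format: sarif
  - uses: github/codeql-action/upload-sarif@v4
    with:
      sarif_file: oss-signal.sarif
`;

// Line-based match, so no YAML parser is needed; commented-out lines do not match.
const USES_RE = /^\s*(?:-\s+)?uses:\s*["']?([^\s"'#]+)/;
const FULL_SHA_RE = /^[0-9a-f]{40}$/;

// Return one finding per remote action reference in the workflow text.
function auditUses(yamlText) {
  const findings = [];
  yamlText.split(/\r?\n/).forEach((line, i) => {
    const m = USES_RE.exec(line);
    if (!m) return;
    const spec = m[1];
    // Local (./path) and docker:// references are not repository refs.
    if (spec.startsWith("./") || spec.startsWith("docker://")) return;
    const at = spec.lastIndexOf("@");
    const action = at === -1 ? spec : spec.slice(0, at);
    const ref = at === -1 ? "" : spec.slice(at + 1);
    findings.push({ line: i + 1, action, ref, pinned: FULL_SHA_RE.test(ref) });
  });
  return findings;
}

// Only the references a reviewer should look at before merging.
function unpinned(yamlText) {
  return auditUses(yamlText).filter((f) => !f.pinned);
}

for (const f of unpinned(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.action}@${f.ref} is not pinned to a commit SHA`);
}
```

To audit a real file, pass its contents to `unpinned()`; line numbers are relative to the text given.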

Share Evidence

Useful adoption evidence is concrete and public:

Open an adoption report when a public repository uses the CLI or Action.

Open trial feedback when you reviewed a report but did not adopt the tool.

Open a maintainer audit report when you want to discuss a generated report before posting follow-up to another repository.

Boundaries

Do not treat the score as a code-quality verdict. It measures visible maintainer-readiness signals: contribution paths, security reporting, CI, templates, release notes, and related repository hygiene.

Do not claim third-party adoption unless the repository owner or maintainer has actually used, merged, or acknowledged the workflow.