oss-signal

Trust Center

Last verified: 2026-06-05T16:02:53Z

This page collects the strongest public signals for reviewers, maintainers, and users evaluating oss-signal.

Current Candid Assessment

oss-signal is early. It does not yet claim broad independent adoption, GitHub stars, forks, or a large user base.

What it does have is a complete, public maintainer workflow:

Evidence Matrix

| Signal | Public evidence | Why it matters |
| --- | --- | --- |
| Installable CLI | npm exec --yes --package=oss-signal@0.8.4 -- oss-signal --version | Reviewers can run the package without cloning this repository. |
| Marketplace Action | https://github.com/marketplace/actions/oss-signal | Users can discover and copy the Action through GitHub Marketplace. |
| Maintainer trial | maintainer-trial | External maintainers can try the Action without failing CI first. |
| Maintainer feedback | maintainer-feedback | Neutral or negative maintainer responses can still improve rules and count as real third-party feedback. |
| Dogfood Action | Repository health workflow | The repository runs the public Action tag against itself. |
| Inventory mode | Repository inventory workflow | Maintainers can audit several repositories from one target list. |
| Security posture | CodeQL workflow, OpenSSF Scorecard workflow, SECURITY.md | Security and supply-chain signals are visible in public workflows. |
| Release process | release workflow, release process, CHANGELOG.md | Package and Action releases have repeatable checks. |
| Maintainer governance | MAINTAINERS.md, GOVERNANCE.md, CODEOWNERS | Ownership and review paths are explicit. |
| Architecture | architecture, security model, JSON output contract, SARIF walkthrough, roadmap | Reviewers can inspect the implementation boundary, permissions, automation contract, Code Scanning path, and next adoption target. |
| Citation | CITATION.cff | GitHub can expose a standard citation route for the project. |
| Accepted external contribution | https://github.com/icoretech/codex-action/pull/24 | An outside maintainer merged a focused documentation safety fix and left a public merge comment. |
| Evidence ledger | evidence-ledger | Reviewers get one compact page separating accepted evidence, supporting demos, open PRs, and boundaries. |
| External workflow evidence | adoption evidence | Field audits show the intended maintainer workflow on public repositories. |
| Contributor intake | good first issues, adoption kit | Outside users have structured ways to try, report, and contribute. |

What Marketplace Means

The GitHub Marketplace listing is a discovery page for the Action. It lets users find oss-signal, inspect the Action metadata and README, and copy a workflow snippet using:

- uses: SalmonPlays/oss-signal@v0.8.4

The listing is a free Action listing, not a paid product. Running workflows is covered separately by GitHub Actions billing rules, but standard GitHub-hosted runners are free for public repositories.

What Is Not Claimed

Reviewer Path

Use reviewer-evidence.md for a five-minute verification path:

  1. Check npm package metadata.
  2. Run the published package against the public repository.
  3. Inspect public Actions, CodeQL, OpenSSF Scorecard, Pages, and Marketplace.
  4. Inspect the public Action tag and release.
  5. Review field-audit issues and pull requests.

Use adoption-kit.md to add the Action to another repository or share a public workflow run.