At LF Energy Summit 2024 in Brussels, Nico Rikken from Alliander shared a detailed look into how their Open Source Program Office (OSPO) manages automated checks before publishing open source code. Alliander, a distribution grid operator in the Netherlands, has been actively contributing to open source projects as part of their digital transformation efforts. Nico’s session offered a wealth of practical advice for organizations looking to publish internal projects as open source, ensuring they meet high standards for legal, technical, and community readiness.
Here are the key highlights from Nico Rikken’s presentation (full video follows at the end):
1. The Importance of Preparation and Commitment
Nico emphasized the need for careful planning and commitment before making any internal project open source. Open sourcing a project requires not just an initial investment of time and resources to clean up the codebase, but also ongoing governance and maintenance. Alliander’s approach ensures that the process is clear from the outset, setting the stage for successful collaboration and community building.
Key activities before publishing include:
- Cleaning up the project
- Adding comprehensive documentation
- Defining a governance model
- Clarifying the legal processes and licenses
2. Legal and Licensing Checks
Before publishing, it’s crucial to clarify who holds the copyright and under which license the project will be released. Nico stressed the importance of tools like the SPDX License Identifier and ensuring all code files are appropriately annotated with license information. This avoids confusion and legal risks later on. Alliander’s process includes:
- Checking for proper copyright declarations
- Ensuring licenses are correctly applied to all code
- Removing sensitive information like passwords or API keys
3. Code Quality and Security Audits
Automating checks to maintain code quality and security is essential, especially when moving a project to the public domain. Alliander leverages tools like TruffleHog to scan for secrets and the OpenSSF Best Practices Badge for evaluating security standards. They also run security and dependency scans using GitHub Actions to ensure any vulnerabilities are identified early.
These checks include:
- Ensuring no hardcoded credentials or API keys
- Verifying the code quality through established standards
- Addressing potential vulnerabilities in third-party dependencies
4. Documentation and Inclusivity
Comprehensive and clear documentation is a cornerstone of any successful open source project. Nico highlighted how their team uses tools like MKDocs for documentation and Woke, a tool to ensure inclusive language is used throughout the codebase. This ensures that the project is accessible and welcoming to a diverse range of contributors.
Key steps for documentation include:
- Ensuring the presence of core files like
README.md
,LICENSE.md
, andCONTRIBUTING.md
- Regularly updating documentation to reflect the latest changes
- Checking for non-inclusive or outdated language using automated tools
5. Automated Workflows for Continuous Monitoring
A robust automated workflow is essential for maintaining the health of an open-source project. Alliander has developed a comprehensive setup using GitHub Actions, which runs various checks whenever changes are proposed or pushed to the project. This helps them keep track of legal, technical, and documentation standards, providing a transparent process for developers to follow.
The key benefits of automation include:
- Early detection of issues before they escalate
- Consistent enforcement of coding and legal standards
- Easy integration with other tools for continuous improvements