Upgrade OpenSSF Best Practices badge from Silver to Gold

[SebTardif]

Context

The Scorecard CII-Best-Practices check scores 7/10 with a Silver badge. Gold gives 10/10.

Current progress on bestpractices.dev/projects/13100.

Unmet Gold criteria (categorized)

Questionnaire answers (fill in on bestpractices.dev)

• homepage_url - Project homepage URL
• report_url - Bug reporting URL
• hardened_site - Site hardening (GitHub hosts the project)
• require_2FA / secure_2FA - 2FA for committers
• code_review_standards - Code review process
• contributors_unassociated - Contributor independence
• copyright_per_file / license_per_file - Per-file notices
• small_tasks - Good first issues

May require code changes Now met

• test_statement_coverage90 - Need 90% statement coverage 91.14% (met)
• test_branch_coverage80 - Need 80% branch coverage 87.47% (met)
• build_reproducible - Reproducible builds

Structural (hard for solo project)

• bus_factor - Bus factor > 1
• two_person_review - Two-person review
• security_review - Formal security review

Expected impact

Scorecard CII-Best-Practices: 7 -> 10 (with Gold badge)

Note: Gold is structurally impossible for solo maintainers due to bus_factor and contributors_unassociated MUST criteria. The questionnaire items and build_reproducible are achievable.

[SebTardif]

OpenSSF Best Practices Gold Progress

Filled the Gold questionnaire via Playwright CDP automation. Current status:

Level	Percentage
Passing	100%
Silver	100%
Gold	87%
Baseline Level 1	100%
Baseline Level 2	100%
Baseline Level 3	95%

What was done

• Fixed 3 Met criteria that were not counting as passing due to missing URL justifications (test_invocation, hardened_site, hardening)
• Fixed osps_sa_03_02 from Unmet to Met (SECURITY.md documents security model)
• Added URL-backed justifications to all 8 criteria that lacked them
• Gold went from 4% to 87%

Remaining unmet criteria (3/23)

Criterion	Level	Status	Why
bus_factor	MUST	Unmet	Requires 2+ maintainers. Solo project.
test_statement_coverage90	MUST (conditional)	Unmet	82.44% < 90% required
two_person_review	SHOULD	Unmet	Solo maintainer, no second reviewer

Gold badge is blocked by solo-maintainer constraints

The Gold badge requires bus_factor >= 2 (MUST criterion). This cannot be met for a solo-maintainer project regardless of code quality. This is a structural requirement, not a technical one.

Actionable improvements to reach maximum possible Gold %

1. Increase test statement coverage to 90% to fix test_statement_coverage90 (would reach 91% Gold)
2. Recruit a second maintainer to fix bus_factor and two_person_review (would enable Gold badge)

[SebTardif]

Progress update (2026-06-17)

Two coverage criteria that were previously unmet are now satisfied:

Criterion	When issue was filed	Current
test_statement_coverage90	82% line coverage	91.14% line coverage (252 tests)
test_branch_coverage80	87% branch coverage	87.47% branch coverage

Both thresholds are met. These can be checked off on bestpractices.dev/projects/13100.

Remaining blockers for Gold are structural/solo-maintainer constraints (bus_factor, two_person_review, contributors_unassociated) that cannot be resolved without additional maintainers. The questionnaire-only items (homepage_url, report_url, hardened_site, etc.) can be filled in at any time.