The following sections provide guidance on how to review a release PR / issue.
...
- if you see a release PR that is nearly ready, add a comment as follows: "Please add @release-management_maintainers to this PR once the PR is ready"
- for final approval use a comment: "LGTM from ReleaseManagement."
ICM checks:
ICM Review - SimpleEdgeDiscovery - v1.0.0
(from: https://github.com/camaraproject/IdentityAndConsentManagement/issues/189#issuecomment-2315026741)
- Check the ICM-defined info.description template (Authorization and Authentication section). Reference
  Checked https://github.com/camaraproject/SimpleEdgeDiscovery/blob/r1.2/code/API_definitions/simple-edge-discovery.yaml#L203
  ✅ OK
- Check the use of openIdConnect for securitySchemes. Reference
  Checked https://github.com/camaraproject/SimpleEdgeDiscovery/blob/r1.2/code/API_definitions/simple-edge-discovery.yaml#L391
  ✅ OK
- Check the use of the security property according to ICM definitions. Reference
  Checked the one endpoint https://github.com/camaraproject/SimpleEdgeDiscovery/blob/r1.2/code/API_definitions/simple-edge-discovery.yaml#L253
  ✅ OK.
- Error codes are defined by Commonalities e.g. INVALID_TOKEN_CONTEXT.
  https://github.com/camaraproject/SimpleEdgeDiscovery/blob/r1.2/code/API_definitions/simple-edge-discovery.yaml#L551
  However, the ICM could check the definition of a 403 INVALID_TOKEN_CONTEXT if it applies to a specific API (e.g. APIs using device object or phoneNumber in the API request). Reflects an inconsistency between information in some field of the API request and the access token.
  ⚠️ OK with comments. The API specification has its own section Identifying the Device. The API specification does not include the recommended section called "Identifying a device from the access token" in info.description that provides a detailed description of the expected handling of the device object in the API request as it relates to the access token. It is specified in Appendix A: info.description template for device identification from access token and it is required for APIs that use the device object in the API requests.
  @Kevsy @crissancas @javierlozallu please check whether the recommended section is applicable
- Verify that there is no unexpected leakage of users' personal information, such as API responses containing identifiers or information beyond the API functionality.
  ✅ OK SimpleEdgeCloud can be used to verify a phone number like NumberVerification does. Please see API misuse Commonalities#259. If Phone-Number is part of the SimpleEdgeCloud request then response tells the API consumer the same as a request to NumberVerification does.
ICM Review Result: ✅ OK
Open question: create an ICM review issue template for stable APIs, or add these checks to the RM review issue template?
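The mechanical part of the ICM checks listed above can be run against an API definition before the manual review. The following Python check is an added example, not part of the CAMARA guidelines or tooling: the function names, finding strings and the sample spec are assumptions, and it only looks for the headings, scheme type, properties and error code named in the review.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}
AUTH_HEADING = "authorization and authentication"  # section named in the review
DEVICE_HEADING = "identifying a device from the access token"  # named in the review

def has_property(node, names):
    """Recursively look for a schema property whose name is in `names`."""
    if isinstance(node, dict):
        props = node.get("properties")
        if isinstance(props, dict) and names & set(props):
            return True
        return any(has_property(v, names) for v in node.values())
    if isinstance(node, list):
        return any(has_property(v, names) for v in node)
    return False

def icm_findings(spec):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    description = spec.get("info", {}).get("description", "").lower()
    if AUTH_HEADING not in description:
        findings.append("info.description: authorization section missing")
    schemes = spec.get("components", {}).get("securitySchemes", {})
    oidc = {name for name, s in schemes.items() if s.get("type") == "openIdConnect"}
    if not oidc:
        findings.append("securitySchemes: no openIdConnect scheme")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            reqs = op.get("security", spec.get("security", []))
            # Every requirement object must name only openIdConnect schemes.
            if not reqs or not all(r and set(r) <= oidc for r in reqs):
                findings.append(f"{method.upper()} {path}: security not bound to openIdConnect")
    if has_property(spec, {"device"}) and DEVICE_HEADING not in description:
        findings.append("info.description: device identification section missing")
    # Crude presence test: the error code must appear somewhere in the document.
    if has_property(spec, {"device", "phoneNumber"}) and "INVALID_TOKEN_CONTEXT" not in json.dumps(spec):
        findings.append("403 INVALID_TOKEN_CONTEXT not defined")
    return findings

# Constructed sample, not the SimpleEdgeDiscovery definition.
SAMPLE = {
    "info": {"description": "# Authorization and authentication\nOIDC is used."},
    "components": {
        "securitySchemes": {"openId": {"type": "openIdConnect", "openIdConnectUrl": "https://example.com/oidc"}},
        "schemas": {"Req": {"type": "object", "properties": {"device": {"type": "object"}}}},
    },
    "paths": {"/lookup": {"post": {"security": [{"openId": ["lookup:read"]}]}}},
}
```

Calling `icm_findings(SAMPLE)` reports the missing device identification section and the missing error code; the privacy-leakage check in the list still needs a human reviewer.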
Release actions
- Tick task when checked and done.
- Check if further review by TSC / Commonalities / ICM is needed (e.g. for targeted stable APIs), and leave issue open until those reviews are marked as done and OK in the review issue
- When all tasks and complementary reviews are completed, close the review issue with a comment on the overall status of the API.
...