Skip to content

Add missing OSS hygiene files#34

Merged
beogip merged 5 commits into
mainfrom
chore/22-oss-hygiene-files
Jun 7, 2026
Merged

Add missing OSS hygiene files#34
beogip merged 5 commits into
mainfrom
chore/22-oss-hygiene-files

Conversation

@beogip

@beogip beogip commented Jun 7, 2026

Copy link
Copy Markdown
Owner

Summary

Adds the missing OSS hygiene files for @code-first-agents/tool and hardens CI. Scope was expanded beyond the literal issue (per maintainer decisions during planning) to also include a Code of Conduct and a PR template.

Closes #22

What's included

Docs

  • SECURITY.md — vulnerability disclosure policy. GitHub private vulnerability reporting (primary, now enabled on the repo) + beogip@gmail.com (fallback); supported versions = latest published release only.
  • CONTRIBUTING.md — issue-first flow, full Conventional Commit type list (mirrors lefthook.yml), bun dev commands, note that bun install installs the lefthook hooks, inbound=outbound MIT.
  • CODE_OF_CONDUCT.md — Contributor Covenant v2.1 (official text), enforcement contact beogip@gmail.com.
  • README.md — "maintained in spare time" note near the intro + a new ## API Reference section documenting the public exports with a spec link.

Repo config (chore)

  • .github/dependabot.ymlnpm + github-actions, weekly, all update types grouped (incl. majors, per maintainer choice), open-pull-requests-limit: 5, commit-message.prefix: chore, labels: [chore], target-branch: main.
  • .github/ISSUE_TEMPLATE/{bug_report,feature_request}.yml — YAML issue forms with auto-labels (bug / enhancement) and title prefixes ([Bug]: / [Feature]: ).
  • .github/ISSUE_TEMPLATE/config.ymlblank_issues_enabled: false + a contact link to the spec site (Discussions are disabled).
  • .github/PULL_REQUEST_TEMPLATE.md — contributor checklist (linked issue, Conventional Commit title, green tests/lint/build).

CI hardening (ci)

  • .github/workflows/ci.yml — added permissions: contents: read and a job-level concurrency block to the ci job. cancel-in-progress is gated to pull_request only, so pushes to main never cancel an in-progress ci run and the release job is never skipped. The release job is byte-identical.

Non-file action

GitHub private vulnerability reporting was enabled for the repository via gh api before SECURITY.md cites it ({"enabled":true}).

Notes

  • All commits use non-release types (docs/chore/ci), so semantic-release will not cut a version bump from this PR.
  • Reviewed with code-reviewer + code-attacker. AC-8 (concurrency never skips a release) was verified by event-trace. Minor doc-accuracy nits found during review were fixed in this PR.

Verification

  • bun test → 113 pass / 0 fail
  • bunx biome check . → clean
  • bunx tsc --noEmit → clean
  • All new/modified YAML parse-validated; issue forms structurally validated.

Plan: docs/specs/issue-22-add-missing-oss-hygiene-files.md (level: lean, depth: medium)

@greptile-apps

greptile-apps Bot commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds the standard OSS hygiene files missing from @code-first-agents/tool and hardens CI, closing issue #22. No source code is changed — all additions are documentation, configuration, and workflow updates.

  • Docs: SECURITY.md, CONTRIBUTING.md, and CODE_OF_CONDUCT.md (Contributor Covenant v2.1) are added; README.md gains a "maintained in spare time" callout and an API Reference table whose descriptions were verified accurate against src/tool-class.ts.
  • Repo config: YAML issue forms (bug + feature), a PR template, and Dependabot coverage for npm + github-actions (weekly, all update types grouped, commit-message.prefix: chore) are added.
  • CI hardening: permissions: contents: read and a job-level concurrency block are added to the ci job; cancel-in-progress is gated to pull_request events via ${{ github.event_name == 'pull_request' }}, so main pushes queue rather than cancel and the release job is never skipped.

Confidence Score: 5/5

All changes are documentation, configuration, and a two-line CI job hardening addition; no source or test code is touched.

The CI concurrency design is correct: cancel-in-progress is gated to PR events only, so sequential main pushes queue rather than race, and the release job is never bypassed. API Reference descriptions in README.md were cross-checked against src/tool-class.ts and are accurate. YAML configs (issue forms, dependabot, ci.yml) are structurally valid and match the stated acceptance criteria.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/ci.yml Adds job-level permissions: contents: read and a concurrency block to the ci job; the cancel-in-progress expression correctly gates cancellation to PR events only, preserving sequential main-push runs so the release job is never skipped.
.github/dependabot.yml New Dependabot config for npm and github-actions ecosystems, weekly, with a group covering all update types (minor/patch/major), open-pull-requests-limit: 5, and commit-message.prefix: chore; matches the plan decisions.
README.md Adds a "maintained in spare time" callout near the intro and a new API Reference table documenting all public exports; descriptions verified accurate against src/tool-class.ts.
SECURITY.md New vulnerability disclosure policy citing GitHub private advisory reporting (primary) and email fallback; supported-versions table correctly states only the latest release.
CONTRIBUTING.md New contributor guide with issue-first flow, Conventional Commit type list matching lefthook.yml, bun dev commands, and inbound=outbound MIT license note.
.github/ISSUE_TEMPLATE/bug_report.yml New YAML issue form with required version/repro/expected-actual fields, auto-label bug, and [Bug]: title prefix.
.github/PULL_REQUEST_TEMPLATE.md New PR checklist covering linked issue, Conventional Commit title, and the four verification commands from the dev setup.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push / PR to main] --> B{event_name == pull_request?}
    B -- Yes: PR --> C[Concurrency group: ci-refs/pull/N/merge\ncancel-in-progress: true]
    B -- No: push to main --> D[Concurrency group: ci-refs/heads/main\ncancel-in-progress: false]
    C --> E[ci job\npermissions: contents: read\nCheck + Test]
    D --> F[ci job — queued, never cancelled\npermissions: contents: read\nCheck + Test]
    F --> G{github.ref == refs/heads/main\n&& event == push?}
    G -- Yes --> H[release job\npermissions: write\nbunx semantic-release]
    G -- No --> I[done]
    E --> I
Loading

Reviews (3): Last reviewed commit: "Merge origin/main into chore/22-oss-hygi..." | Re-trigger Greptile

Comment thread README.md Outdated
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@beogip

beogip commented Jun 7, 2026

Copy link
Copy Markdown
Owner Author

@claude can you fix the merging conflicts?

@claude

claude Bot commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

Claude finished @beogip's task in 1m 52s —— View job


Merge conflicts fixed ✅

  • Identify conflicting files against origin/main
  • Resolve conflicts
  • Verify build/tests
  • Commit & push

What happened: the branch had diverged from main since it was created — main picked up #32 (the examples/ directory), #31 (package metadata) and the 0.1.4 release. The only real conflict was in README.md, where both sides inserted a new section at the same spot:

Resolution: kept both## Examples now sits right after Programmatic invocation, followed by ## API Reference, then Development. CHANGELOG.md, package.json, and the new examples/ files merged cleanly with no manual intervention.

Verification on the merged tree:

  • bun test113 pass / 0 fail
  • README sections render cleanly, no leftover conflict markers

Merge commit c123957 pushed to chore/22-oss-hygiene-files. The branch is now even with origin/main (0 commits behind) and ready to merge.
· chore/22-oss-hygiene-files

Resolve README.md conflict by keeping both the new Examples section
(from main, #32) and the API Reference section (from this PR).

Co-authored-by: Juan Ignacio Gipponi <beogip@users.noreply.github.com>
@beogip beogip merged commit 84eda61 into main Jun 7, 2026
2 checks passed
@beogip beogip deleted the chore/22-oss-hygiene-files branch June 7, 2026 23:19
beogip added a commit that referenced this pull request Jun 7, 2026
* docs: add SECURITY, CONTRIBUTING, CODE_OF_CONDUCT and README API reference (#22)

* chore: add Dependabot config and issue/PR templates (#22)

* ci: scope ci job to read-only permissions with PR-gated concurrency (#22)

* fix: Update README.md

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Juan Ignacio Gipponi <beogip@users.noreply.github.com>
beogip added a commit that referenced this pull request Jun 7, 2026
* Add missing OSS hygiene files (#34)

* docs: add SECURITY, CONTRIBUTING, CODE_OF_CONDUCT and README API reference (#22)

* chore: add Dependabot config and issue/PR templates (#22)

* ci: scope ci job to read-only permissions with PR-gated concurrency (#22)

* fix: Update README.md

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Juan Ignacio Gipponi <beogip@users.noreply.github.com>

* chore: bump the github-actions group with 2 updates

Bumps the github-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/setup-node](https://github.com/actions/setup-node).


Updates `actions/checkout` from 4 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4...v6)

Updates `actions/setup-node` from 4 to 6
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Juan Ignacio Gipponi <beogip@gmail.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Juan Ignacio Gipponi <beogip@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add missing OSS hygiene files

1 participant