Add missing OSS hygiene files#34
Conversation
Greptile SummaryThis PR adds the standard OSS hygiene files missing from
Confidence Score: 5/5All changes are documentation, configuration, and a two-line CI job hardening addition; no source or test code is touched. The CI concurrency design is correct: No files require special attention.
|
| Filename | Overview |
|---|---|
| .github/workflows/ci.yml | Adds job-level permissions: contents: read and a concurrency block to the ci job; the cancel-in-progress expression correctly gates cancellation to PR events only, preserving sequential main-push runs so the release job is never skipped. |
| .github/dependabot.yml | New Dependabot config for npm and github-actions ecosystems, weekly, with a group covering all update types (minor/patch/major), open-pull-requests-limit: 5, and commit-message.prefix: chore; matches the plan decisions. |
| README.md | Adds a "maintained in spare time" callout near the intro and a new API Reference table documenting all public exports; descriptions verified accurate against src/tool-class.ts. |
| SECURITY.md | New vulnerability disclosure policy citing GitHub private advisory reporting (primary) and email fallback; supported-versions table correctly states only the latest release. |
| CONTRIBUTING.md | New contributor guide with issue-first flow, Conventional Commit type list matching lefthook.yml, bun dev commands, and inbound=outbound MIT license note. |
| .github/ISSUE_TEMPLATE/bug_report.yml | New YAML issue form with required version/repro/expected-actual fields, auto-label bug, and [Bug]: title prefix. |
| .github/PULL_REQUEST_TEMPLATE.md | New PR checklist covering linked issue, Conventional Commit title, and the four verification commands from the dev setup. |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Push / PR to main] --> B{event_name == pull_request?}
B -- Yes: PR --> C[Concurrency group: ci-refs/pull/N/merge\ncancel-in-progress: true]
B -- No: push to main --> D[Concurrency group: ci-refs/heads/main\ncancel-in-progress: false]
C --> E[ci job\npermissions: contents: read\nCheck + Test]
D --> F[ci job — queued, never cancelled\npermissions: contents: read\nCheck + Test]
F --> G{github.ref == refs/heads/main\n&& event == push?}
G -- Yes --> H[release job\npermissions: write\nbunx semantic-release]
G -- No --> I[done]
E --> I
Reviews (3): Last reviewed commit: "Merge origin/main into chore/22-oss-hygi..." | Re-trigger Greptile
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
|
@claude can you fix the merging conflicts? |
|
Claude finished @beogip's task in 1m 52s —— View job Merge conflicts fixed ✅
What happened: the branch had diverged from
Resolution: kept both — Verification on the merged tree:
Merge commit |
Resolve README.md conflict by keeping both the new Examples section (from main, #32) and the API Reference section (from this PR). Co-authored-by: Juan Ignacio Gipponi <beogip@users.noreply.github.com>
* docs: add SECURITY, CONTRIBUTING, CODE_OF_CONDUCT and README API reference (#22) * chore: add Dependabot config and issue/PR templates (#22) * ci: scope ci job to read-only permissions with PR-gated concurrency (#22) * fix: Update README.md Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --------- Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Juan Ignacio Gipponi <beogip@users.noreply.github.com>
* Add missing OSS hygiene files (#34) * docs: add SECURITY, CONTRIBUTING, CODE_OF_CONDUCT and README API reference (#22) * chore: add Dependabot config and issue/PR templates (#22) * ci: scope ci job to read-only permissions with PR-gated concurrency (#22) * fix: Update README.md Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --------- Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Juan Ignacio Gipponi <beogip@users.noreply.github.com> * chore: bump the github-actions group with 2 updates Bumps the github-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/setup-node](https://github.com/actions/setup-node). Updates `actions/checkout` from 4 to 6 - [Release notes](https://github.com/actions/checkout/releases) - [Commits](actions/checkout@v4...v6) Updates `actions/setup-node` from 4 to 6 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-node dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Juan Ignacio Gipponi <beogip@gmail.com> Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Juan Ignacio Gipponi <beogip@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Summary
Adds the missing OSS hygiene files for
@code-first-agents/tooland hardens CI. Scope was expanded beyond the literal issue (per maintainer decisions during planning) to also include a Code of Conduct and a PR template.Closes #22
What's included
Docs
SECURITY.md— vulnerability disclosure policy. GitHub private vulnerability reporting (primary, now enabled on the repo) +beogip@gmail.com(fallback); supported versions = latest published release only.CONTRIBUTING.md— issue-first flow, full Conventional Commit type list (mirrorslefthook.yml), bun dev commands, note thatbun installinstalls the lefthook hooks, inbound=outbound MIT.CODE_OF_CONDUCT.md— Contributor Covenant v2.1 (official text), enforcement contactbeogip@gmail.com.README.md— "maintained in spare time" note near the intro + a new## API Referencesection documenting the public exports with a spec link.Repo config (
chore).github/dependabot.yml—npm+github-actions, weekly, all update types grouped (incl. majors, per maintainer choice),open-pull-requests-limit: 5,commit-message.prefix: chore,labels: [chore],target-branch: main..github/ISSUE_TEMPLATE/{bug_report,feature_request}.yml— YAML issue forms with auto-labels (bug/enhancement) and title prefixes ([Bug]:/[Feature]:)..github/ISSUE_TEMPLATE/config.yml—blank_issues_enabled: false+ a contact link to the spec site (Discussions are disabled)..github/PULL_REQUEST_TEMPLATE.md— contributor checklist (linked issue, Conventional Commit title, green tests/lint/build).CI hardening (
ci).github/workflows/ci.yml— addedpermissions: contents: readand a job-levelconcurrencyblock to thecijob.cancel-in-progressis gated topull_requestonly, so pushes tomainnever cancel an in-progresscirun and thereleasejob is never skipped. Thereleasejob is byte-identical.Non-file action
GitHub private vulnerability reporting was enabled for the repository via
gh apibeforeSECURITY.mdcites it ({"enabled":true}).Notes
docs/chore/ci), so semantic-release will not cut a version bump from this PR.Verification
bun test→ 113 pass / 0 failbunx biome check .→ cleanbunx tsc --noEmit→ cleanPlan:
docs/specs/issue-22-add-missing-oss-hygiene-files.md(level: lean, depth: medium)