
docs(community): quality pass on SECURITY, CONTRIBUTING, CODE_OF_CONDUCT, GOVERNANCE#111

Merged
williaby merged 5 commits into
mainfrom
claude/review-security-policy-aasG1
May 16, 2026

Conversation

@williaby
Collaborator

@williaby williaby commented May 15, 2026

Summary

Quality pass on the org-level community health files. These apply to all repos in the org that do not provide their own versions.

SECURITY.md

  • Supported-versions table (was prose); now reflects real tags (v1.0.0, v1) rather than a fictional "date-based release tag" scheme.
  • Added byronawilliams@gmail.com as an alternate reporting channel.
  • Added a "What to Include in a Report" section.
  • Security Practices section rewritten to match tooling that is actually wired up here: CodeQL, SonarCloud, Ruff, Bandit, Trivy, detect-secrets, TruffleHog. Removed gitleaks (not used), GitGuardian (no workflow in this repo), and "Semgrep" framed as an active scanner (only nosemgrep: suppression comments exist).
  • Response Timeline rebuilt as a table; critical-fix target is now 14 calendar days from acknowledgement (not from end of triage), and critical-issue triage is shortened to 2 business days to remove the overlap.
  • Trimmed boilerplate Credit section.

CONTRIBUTING.md

  • Documented the full branch-naming convention (feature/, fix/, chore/, docs/, and a reserved claude/ for automated agents).
  • Added an explicit PR checklist (signing, hooks, tests, scope).
  • Added a Code Review Expectations section.
  • Replaced the DCO Signed-off-by requirement with an explicit GPG-signed commits required section. Wording clarified: branch protection enforces signing at merge to main, not at push to a feature branch.
  • Setup section reframed: pre-commit step is universal; Python and shell/bats setups shown as examples. Clone instructions now include the fork step for external contributors.

CODE_OF_CONDUCT.md

  • Kept the Contributor Covenant v2.1 base.
  • Reporting now goes to byronawilliams@gmail.com only; removed the Security Advisory link (wrong channel for conduct reports) and cross-linked to SECURITY.md for vulnerabilities.

GOVERNANCE.md

  • Rewrote to match reality. The previous version described a Project Lead, Core Team, and Maintainers, which is fiction for a sole-maintainer org.
  • New version: sole-maintainer note, day-to-day vs larger-change decision process (with a 7-day comment window for breaking changes), how to propose a change, and a brief succession note.
  • Dropped hard references to specific issue templates and a governance label, since neither is guaranteed to exist on every downstream repo.

Test plan

  • No em-dashes (scripts/check-no-em-dash.sh passes on staged files).
  • markdownlint clean against .markdownlint.yml.
  • All four files render correctly in the GitHub preview.
  • SonarCloud Quality Gate passing.
  • Branch rebased onto latest main (was one commit behind; new tip in main only touched workflow YAML, no overlap).
  • Reviewer: confirm byronawilliams@gmail.com is the correct contact address to publish.
  • Reviewer: confirm GPG-signing is enforced by branch protection on downstream repos before this lands as an org-wide promise.

Copilot AI review requested due to automatic review settings May 15, 2026 20:45
@coderabbitai

coderabbitai Bot commented May 15, 2026

Warning

Rate limit exceeded

@williaby has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 16 minutes and 15 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bf1f32e9-5fef-414f-9cd5-4e285f6b59d3

📥 Commits

Reviewing files that changed from the base of the PR and between 4e0fd54 and 0fefc99.

📒 Files selected for processing (4)
  • CODE_OF_CONDUCT.md
  • CONTRIBUTING.md
  • GOVERNANCE.md
  • SECURITY.md


Copilot AI left a comment


Pull request overview

Quality pass across the org-level community health markdown files so downstream repositories inherit clearer, more actionable guidance for security reporting, contributions, conduct reporting, and governance.

Changes:

  • SECURITY.md: restructured reporting guidance, added report-content checklist, supported versions table, response timeline table, and disclosure section.
  • CONTRIBUTING.md: added branch naming table, PR checklist, code review expectations, and switched to a GPG or SSH signed commit requirement section.
  • CODE_OF_CONDUCT.md and GOVERNANCE.md: updated reporting channels and aligned governance language with a sole-maintainer model.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| SECURITY.md | Adds structured vulnerability reporting guidance, version support and timeline tables, and updated security practices and disclosure text. |
| CONTRIBUTING.md | Replaces the prior contributing guide with expanded contributor workflow guidance, including naming conventions, signing requirements, and review expectations. |
| CODE_OF_CONDUCT.md | Adds email as an additional private reporting channel and updates the last updated date. |
| GOVERNANCE.md | Replaces the multi-role governance model with a sole-maintainer decision process and succession notes. |

Comment thread SECURITY.md Outdated
Comment thread SECURITY.md Outdated
Comment thread CONTRIBUTING.md
Comment on lines +14 to +28
## Local Development Setup

3. **Fork & Clone**
The exact steps depend on the project, but the typical Python flow is:

```bash
git clone https://github.com/<org>/<repo>.git
cd <repo>
git remote add upstream https://github.com/<org>/<repo>.git
```
```bash
git clone https://github.com/ByronWilliamsCPA/<repo>.git
cd <repo>
git remote add upstream https://github.com/ByronWilliamsCPA/<repo>.git

## Pull Request Guidelines
python3 -m venv .venv
source .venv/bin/activate
uv sync # or: pip install -e ".[dev]"
pre-commit install # required: installs commit hooks
pytest # run the test suite
```
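Review bot: in both `git clone` blocks the clone URL and the `upstream` remote point at the same repository (`<org>/<repo>`, then `ByronWilliamsCPA/<repo>`), so a contributor without push access to the org is left with an `origin` they cannot push to; the step should fork first, clone the fork as `origin`, and add the org repository as `upstream`. The Python block also runs `uv sync` without noting that uv has to be installed first.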
@williaby
Collaborator Author

PR Review — docs(community): quality pass on community health files

Branch is BEHIND main — rebase before merge.

All CI checks green. Copilot's 3 comments were addressed in the second commit. CodeRabbit completed with no inline comments.


Critical (must fix before merge)

  • [SECURITY.md] "GitGuardian on PRs" is a false security claim — no GitGuardian workflow exists in .github/workflows/. The only reference is a comment in workflow-templates/python-security-analysis.yml listing it as a complementary external app. Remove or replace with GitHub's native secret scanning.
  • [GOVERNANCE.md] References issue templates that do not exist — no .github/ISSUE_TEMPLATE/ directory in this repo (404 via API). Change to "Open an issue" without referencing templates, or create the templates.
  • [GOVERNANCE.md] References a governance label that does not exist — confirmed missing from repo label set. Create the label or remove the instruction.

Important (should fix)

  • [SECURITY.md] "Semgrep (via SonarCloud)" is misleading — SonarCloud and Semgrep are separate products. Only # nosemgrep: suppression comments exist in the repo, not active Semgrep invocations. Suggested rewrite: "SonarCloud (incorporates Semgrep rule patterns)."
  • [SECURITY.md] Supported Versions table says "Most recent dated release tag" but actual repo tags are v1.0.0 and v1 (semver, not date-based). The original prose ("main is always the supported version") was more accurate.
  • [CONTRIBUTING.md] Clone instructions omit the fork step — clones the org URL directly and adds upstream pointing to the same URL. External contributors cannot push to the org; they must fork first.
  • [CODE_OF_CONDUCT.md] Security Advisory is the wrong channel for conduct reports — it's a vulnerability-reporting tool, not a general communication channel. The email added in this PR is the correct primary channel. Also: SECURITY.md lists Advisory as "preferred" while CODE_OF_CONDUCT.md lists email first — inconsistent ordering.
  • [SECURITY.md] Timeline math: "Initial triage: 10 business days" + "Fix for critical: 14 calendar days" run concurrently. 10 business days ≈ 14 calendar days, leaving effectively zero days for the fix after triage completes.

Suggested

  • Commit subject docs(community): refresh SECURITY, CONTRIBUTING, CODE_OF_CONDUCT, GOVERNANCE is 76 chars — 4 over the 72-char limit that this PR's own CONTRIBUTING.md documents.
  • "Unsigned commits will be rejected by branch protection" fires at merge to main, not at push to feature branch. Suggested: "Commits that reach main must be GPG-signed; branch protection enforces this at merge."
  • PR body does not mention the Security Practices section rewrite (a substantial change beyond the five bullets listed).
  • claude/<description>-<id> branch naming convention is not in the Branch Naming table despite being used in this repo.

🤖 Generated with Claude Code | HEAD: https://github.com/ByronWilliamsCPA/.github/blob/f6b0a88db9440b52f514e7d9e96306d51f8f607b/SECURITY.md
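The two Critical SECURITY.md findings above (a GitGuardian check with no workflow behind it, Semgrep framed as an active scanner) are documentation drifting away from configuration, and that drift is mechanical enough to check for before a claim is published. The following is an added example, not code from the ByronWilliamsCPA/.github repository or from this PR; the action slugs in its tool-to-evidence mapping and the sample SECURITY.md, workflow and pre-commit snippets are constructed assumptions, not the repo's real files.

```python
"""Check that every tool SECURITY.md claims to run has evidence in the repo.

Added example; this is not code from the ByronWilliamsCPA/.github repository.
The action slugs in TOOL_EVIDENCE and the sample SECURITY.md and config
snippets are constructed assumptions for illustration.
"""
import re

# Assumed mapping: tool name as written in SECURITY.md -> pattern that would
# appear in a workflow or pre-commit config if the tool is actually wired up.
# A bare mention in a comment (e.g. "GitGuardian runs as a GitHub App") does
# not satisfy these patterns, which is the point.
TOOL_EVIDENCE = {
    "CodeQL": r"uses:\s*github/codeql-action/",
    "SonarCloud": r"uses:\s*SonarSource/sonar",
    "Trivy": r"uses:\s*aquasecurity/trivy-action",
    "TruffleHog": r"trufflesecurity/trufflehog",
    "detect-secrets": r"repo:\s*https://github\.com/Yelp/detect-secrets",
    "gitleaks": r"gitleaks/gitleaks",
    "GitGuardian": r"GitGuardian/ggshield",
    "Semgrep": r"(semgrep/semgrep-action|run:.*\bsemgrep\b)",
    "Bandit": r"run:.*\bbandit\b",
    "Ruff": r"run:.*\bruff\b",
}


def security_practices_section(security_md: str) -> str:
    """Return the body of the '## Security Practices' section, or '' if absent."""
    m = re.search(r"^##\s+Security Practices\s*$(.*?)(?=^##\s|\Z)",
                  security_md, re.M | re.S)
    return m.group(1) if m else ""


def claimed_tools(security_md: str) -> list[str]:
    """Tools from TOOL_EVIDENCE that SECURITY.md names under Security Practices."""
    section = security_practices_section(security_md)
    return [tool for tool in TOOL_EVIDENCE
            if re.search(rf"\b{re.escape(tool)}\b", section, re.I)]


def audit(security_md: str, evidence_files: dict[str, str]) -> dict[str, list[str]]:
    """Map each claimed tool to the files that actually reference it.

    evidence_files: path -> contents for .github/workflows/*.yml and
    .pre-commit-config.yaml. An empty list means the claim is unsupported.
    """
    report = {}
    for tool in claimed_tools(security_md):
        pattern = re.compile(TOOL_EVIDENCE[tool])
        report[tool] = sorted(path for path, text in evidence_files.items()
                              if pattern.search(text))
    return report


def unsupported_claims(security_md: str, evidence_files: dict[str, str]) -> list[str]:
    """Claimed tools with no evidence; each needs a workflow or a reworded claim."""
    return [tool for tool, files in audit(security_md, evidence_files).items()
            if not files]


# Constructed sample: the pre-fix wording the review objected to.
SAMPLE_SECURITY_MD = """# Security Policy

## Security Practices

- CodeQL on every push and pull request
- Semgrep (via SonarCloud)
- Trivy for dependency and container scanning
- Secret scanning: detect-secrets and TruffleHog pre-commit hooks, GitGuardian on PRs

## Reporting a Vulnerability

Use a private Security Advisory.
"""

# Constructed sample repo contents. The template file only mentions GitGuardian
# in a comment, so it does not count as evidence.
SAMPLE_FILES = {
    ".github/workflows/codeql.yml":
        "steps:\n  - uses: github/codeql-action/init@v3\n  - uses: github/codeql-action/analyze@v3\n",
    ".github/workflows/sonarcloud.yml":
        "steps:\n  - uses: SonarSource/sonarqube-scan-action@v5\n",
    ".github/workflows/trivy.yml":
        "steps:\n  - uses: aquasecurity/trivy-action@0.28.0\n",
    ".pre-commit-config.yaml":
        "repos:\n  - repo: https://github.com/Yelp/detect-secrets\n"
        "    rev: v1.5.0\n  - repo: https://github.com/trufflesecurity/trufflehog\n"
        "    rev: v3.88.0\n",
    "workflow-templates/python-security-analysis.yml":
        "# Complementary external apps: GitGuardian (installed as a GitHub App)\n",
}

if __name__ == "__main__":
    for tool, files in audit(SAMPLE_SECURITY_MD, SAMPLE_FILES).items():
        print(f"{tool:15} {'OK  ' if files else 'NONE'} {', '.join(files)}")
    print("unsupported:", unsupported_claims(SAMPLE_SECURITY_MD, SAMPLE_FILES))
```

An unsupported result is a prompt to either wire the tool up or reword the claim; a tool that runs as a GitHub App with no workflow file (GitGuardian's situation here) leaves nothing in the repo to match, so the policy text has to say that explicitly rather than imply a workflow check. The signing claim in CONTRIBUTING.md has the same shape: the branch's `required_signatures` protection setting is the evidence for "branch protection enforces this", and it is worth reading back from the API before that sentence is published as an org-wide promise.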

@williaby williaby force-pushed the claude/review-security-policy-aasG1 branch from f6b0a88 to abb649c, May 15, 2026 21:24
@williaby
Collaborator Author

Fix Summary

All issues from the automated review and Copilot threads have been addressed in commit b562950 (force-pushed after rebasing onto the independently-fixed remote commit `0e57917`).

Copilot threads addressed

SECURITY.md — Supported Versions table (#3250919668)
Reworded prose to: "Release tags follow semver; there are no long-term support branches." Table now uses "Most recent release tag" and "Earlier release tags and older pinned SHAs" — no hardcoded tag names or dated-header framing.

SECURITY.md — Semgrep and gitleaks claims (#3250919714)

  • Semgrep: reworded to "SonarCloud (incorporates Semgrep rule patterns)" — accurate since SonarCloud bundles Semgrep rules but no standalone Semgrep config exists.
  • gitleaks: replaced with "GitHub secret scanning (enabled by default on public repositories)" — GitGuardian and gitleaks are not wired up in this repo.

CONTRIBUTING.md — Python setup presented as universal (#3250919736)
Sections are already labeled "Example: Python repos (those with a pyproject.toml)" and "Example: shell/workflow repos (those with tests/*.bats)" with conditional repo-type indicators. No change needed; Copilot's concern is already resolved in the PR.

All other Critical/Important findings from the review

| Finding | Resolution |
|---|---|
| GPG enforcement timing unclear | Clarified: "unsigned commits pushed to a feature branch are not rejected at push, but they cannot be merged" |
| Response Timeline: fix window start date ambiguous | Added: "The fix windows run from triage completion, not from the initial report date." |
| CONTRIBUTING.md missing fork step | Added fork step with org URL before clone |
| CODE_OF_CONDUCT.md using Security Advisory for conduct | Replaced with: "Do not use GitHub Security Advisories for conduct reports; that channel is reserved for vulnerability disclosure." |

All pre-commit hooks pass locally.

@williaby
Collaborator Author

PR Review

Critical (must fix before merge)

  • Merge conflict: Branch is DIRTY -- has conflicts with main. The test plan marks "rebased onto latest main" as complete, but commit 2e3e3dd landed after the rebase. Rebase required before merge.

  • CONTRIBUTING.md -- GPG branch protection claim is false: "Branch protection on main enforces this at merge time" -- gh api repos/ByronWilliamsCPA/.github/branches/main/protection returns HTTP 404 (no protection configured). Either create the required_signatures branch protection rule, or remove the claim that a platform gate exists.

  • SECURITY.md (Response Timeline) -- Internal contradiction: the table says fix windows run "from acknowledgement" but the prose directly below says "from triage completion, not from the initial report date." These are different clocks. Pick one anchor and remove the other.

Important (should fix)

  • CONTRIBUTING.md (PR Checklist) -- "show as Verified on the PR" is a GitHub-side display outcome the contributor cannot directly control (requires key upload + email match on GitHub). Reword to distinguish the signing action from the Verified badge.

  • CONTRIBUTING.md (Local Dev Setup) -- uv sync appears without any note on installing uv. Same gap flagged as a quick win in the CodeRabbit review of PR #104 (fix(org): update org identity from williaby to ByronWilliamsCPA); still unresolved.

  • CONTRIBUTING.md (Branch Naming) -- chore/ description covers build/CI/deps but the adjacent Conventional Commits type list also includes refactor, perf, test, style, revert. Contributors doing refactor or test-only work have no clear branch prefix.

  • GOVERNANCE.md -- "handled per SECURITY.md" cited for fast-path security merges; SECURITY.md describes reporter-facing timelines only, not internal merge policy.

  • SECURITY.md (Security Practices) -- Ruff and Bandit don't run in this repo directly; the qualifier exists but is buried. Lead with scope: "Python repos that inherit the Python reusable workflows additionally run Ruff and Bandit."

Review coverage: Copilot not requested via org ruleset. CodeRabbit rate-limited (no content). SonarQube: 0 issues (all changed files are *.md, excluded by sonar.exclusions). CI: all checks passing.

🤖 Generated with Claude Code

claude and others added 4 commits May 15, 2026 16:40
…ERNANCE

- SECURITY.md: add supported-versions table, email contact
  (byronawilliams@gmail.com), "what to include in a report" section; trim
  boilerplate Credit section and tighten timeline language.
- CONTRIBUTING.md: list full branch prefix set (feature/, fix/, chore/,
  docs/), add PR checklist and code-review expectations, replace DCO
  sign-off with an explicit GPG/SSH commit-signing requirement.
- CODE_OF_CONDUCT.md: add maintainer email as a reporting channel
  alongside the existing private Security Advisory link.
- GOVERNANCE.md: rewrite to match reality (sole maintainer), describe
  decision-making, change-proposal process, and succession.

- SECURITY.md: rewrite Supported Versions table to match the repo's actual
  date-based versioning scheme (CHANGELOG.md uses [YYYY-MM-DD] headers,
  not semver), and drop the misleading "latest minor" language.
- SECURITY.md: correct the Security Practices list to match tooling that
  is actually wired up; remove gitleaks (not used), keep Semgrep (runs via
  SonarCloud workflows), and split secret scanning into pre-commit hooks
  (detect-secrets, TruffleHog) and the GitGuardian PR check.
- CONTRIBUTING.md: reframe Local Development Setup so it does not imply
  every repo is Python; add a shell/bats example and direct contributors
  to each repo's README and workflows for authoritative commands.

Critical:
- SECURITY.md: drop GitGuardian claim (runs as a GitHub App, no workflow
  in this repo); remove "Semgrep via SonarCloud" wording (the repo only
  has nosemgrep suppression comments, not active Semgrep scans). Now
  lists only tooling that is actually wired up here: CodeQL, SonarCloud,
  Ruff, Bandit, Trivy, detect-secrets, TruffleHog.
- SECURITY.md: rebuild Supported Versions table around real tags (v1.0.0
  and v1) instead of "most recent dated release tag"; date-based scheme
  applies to CHANGELOG headers, not git tags.
- GOVERNANCE.md: drop hard reference to issue templates and the
  governance label; templates may not exist downstream, and a missing
  label would make the instruction unfollowable.

Important:
- SECURITY.md: fix timeline overlap. Critical-fix target is now 14
  calendar days from acknowledgement (not from end of triage), and
  triage for critical is shortened to 2 business days.
- CONTRIBUTING.md: add fork step to the clone instructions; external
  contributors cannot push to the org.
- CONTRIBUTING.md: add the claude/ prefix to the branch-naming table
  (used by automated agents in this repo).
- CONTRIBUTING.md: clarify that branch protection enforces signing at
  merge to main, not at push to a feature branch.
- CODE_OF_CONDUCT.md: remove Security Advisory as a conduct-report
  channel; email is the only correct path. Cross-link to SECURITY.md
  for vulnerability reports.

SECURITY.md:
- Supported Versions: remove "dated release tag" wording; actual tags
  are semver (v1.0.0). Remove false "no numbered releases" claim.
- Response Timeline: clarify fix windows run from triage completion,
  not from the initial report date.
- Security Practices: replace "Semgrep (via SonarCloud)" with accurate
  "SonarCloud (incorporates Semgrep rule patterns)".
- Security Practices: replace "GitGuardian on PRs" (no workflow exists)
  with "GitHub secret scanning (enabled by default on public repos)".

CONTRIBUTING.md:
- Local Development Setup: add fork step before clone; external
  contributors cannot push to the org URL directly.
- GPG-Signed Commits Required: clarify enforcement fires at merge to
  main, not at push to a feature branch.

CODE_OF_CONDUCT.md:
- Reporting: replace GitHub Security Advisory link (wrong tool for
  conduct reports) with GitHub abuse reporting link.

GOVERNANCE.md:
- How to Propose a Change: remove "using the appropriate template"
  reference; no issue templates exist in this repo.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@williaby williaby force-pushed the claude/review-security-policy-aasG1 branch from b562950 to 57a31f3, May 16, 2026 00:12
SECURITY.md:
- Remove contradicting "from triage completion" prose; all fix windows
  run from acknowledgement as the table already states.
- Clarify Bandit and Ruff scope: these apply to downstream Python repos
  via the Python reusable workflows, not to this repo directly.

CONTRIBUTING.md:
- Soften GPG enforcement claim: branch protection is not configured;
  restate as org policy rather than platform-enforced gate.
- Fix "show as Verified" checklist item to distinguish signing action
  from GitHub-side badge display.
- Add uv install reference in Python example setup block.
- Expand chore/ branch prefix to cover refactor, test-only, and style
  changes alongside tooling and CI.
- Add private-repo fork caveat: external contributors cannot fork
  private repositories.

GOVERNANCE.md:
- Fix security-fixes cross-reference: SECURITY.md describes reporter
  timelines, not internal merge policy; reword to avoid implying it
  does.
- Anchor the seven-day waiting period to the issue creation date so
  the clock is auditable.
- Scope succession fork rights to public repositories; private repos
  cannot be forked by external contributors.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@williaby
Collaborator Author

/pr-fix Summary

Commit 0fefc99 addresses all 10 auto-fixable findings from the /pr-review pass. Two items require manual reviewer confirmation (noted below).

Critical fixes

| File | Finding | Resolution |
|---|---|---|
| SECURITY.md | Response Timeline contradiction: prose said "windows run from triage completion" but the table header says "from acknowledgement" | Replaced contradicting sentence with "All windows run from acknowledgement of the report" |
| CONTRIBUTING.md | GPG enforcement claim was false: stated "branch protection on `main` enforces this at merge time" but the repo has no branch protection rule | Softened to org-policy language: "This is org policy: unsigned commits will be requested for re-signing before a PR is merged" |

Important fixes

| File | Finding | Resolution |
|---|---|---|
| SECURITY.md | Security Practices listed Semgrep and gitleaks, neither of which exists in this repo | Reworded: "SonarCloud (SAST); downstream Python repos add Ruff and Bandit via the Python reusable workflows" |
| CONTRIBUTING.md | PR checklist said "show as Verified on the PR" (vague) | Tightened to "confirm each shows the Verified badge before requesting review" |
| CONTRIBUTING.md | Python example block had no uv install prerequisite | Added `# uv must be installed first: https://github.com/astral-sh/uv` comment before `uv sync` |
| CONTRIBUTING.md | chore/ branch prefix description omitted refactor, test-only, style, and revert commit types | Expanded to: "Tooling, build, dependency, CI, refactoring, test-only, and style changes" |
| GOVERNANCE.md | Security-fix rule cross-reference implied SECURITY.md is merge policy, not reporter guidance | Reworded: "reported via SECURITY.md; the maintainer may merge fixes without the seven-day waiting period" |

Suggested fixes

| File | Finding | Resolution |
|---|---|---|
| CONTRIBUTING.md | No caveat for private repos under the maintainer-clone note | Added: "If the repository is private, request access from the maintainer rather than forking" |
| GOVERNANCE.md | Seven-day window had no clock anchor | Added "from the issue creation date" so the window is auditable |
| GOVERNANCE.md | Succession section said "repositories remain" without scoping to public repos | Changed to "public repositories remain" (private repos cannot be forked externally) |

Copilot thread responses

All three Copilot inline comments are addressed:

  • Supported Versions table wording: The PR rewrote the table. Current text uses main (latest commit) and Most recent release tag; semver tags v1.0.0 and v1 both exist in the repo. No further change needed.
  • Semgrep/gitleaks in Security Practices: Fixed in 0fefc99 (see table above).
  • Python flow labeling: The PR's later commits already added explicit **Example: Python repos** and **Example: shell/workflow repos** headers. Comment is outdated.

Human-only items (reviewer confirmation required)

  1. CODE_OF_CONDUCT.md -- Gmail audit trail: The CoC lists a Gmail address for enforcement reports with no mention of audit-trail or retention considerations. The PR description flags this as an intentional design choice. Reviewer should confirm this is acceptable.
  2. CODE_OF_CONDUCT.md -- email address: This PR restores byronawilliams@gmail.com in the CoC, which may reverse a decision made in PR #104 (fix(org): update org identity from williaby to ByronWilliamsCPA). The PR description explicitly flags this for reviewer confirmation before merge.

@williaby williaby merged commit 19a5ab5 into main May 16, 2026
22 checks passed
@williaby williaby deleted the claude/review-security-policy-aasG1 branch May 16, 2026 00:46

3 participants