
chore: SECURITY.md, CodeQL workflow, package metadata, refresh CONTRIBUTING#47

Merged
pofallon merged 1 commit into
mainfrom
chore-docs-metadata-security
May 26, 2026

Conversation

@pofallon
Contributor

Bundles three P2 polish items from the post-1.0 audit.

SECURITY.md (gap #10 policy half)

New top-level file documenting supported versions, private reporting channels (GitHub Security Advisory + email), in/out-of-scope, coordinated-disclosure window, and pointer to the CI security gates.

CodeQL workflow (gap #10 scanning half)

New .github/workflows/codeql.yml — Rust analysis on PR + push to main + weekly schedule (Monday 06:00 UTC, staggered from cargo-deny's 07:00 UTC daily).

Cargo manifest metadata (gap #12)

Added homepage, documentation, keywords, categories to [workspace.package] + per-package description and readme. Unblocks crates.io publish with proper search discoverability.

CONTRIBUTING.md refresh (gap #13)

The Quick Start + Common Tasks sections centered on raw cargo test, but the repo standardized on cargo-nextest + make targets long ago. Updated:

  • Quick Start leads with make dev-fast / make test-nextest-fast
  • Common Tasks table now reflects the make-target taxonomy (test-nextest-fast, test-nextest-unit, test-nextest-docker, test-nextest-smoke, release-check, test-nextest-audit, coverage)
  • Drops the long e2e-by-name list (the suite has grown past the original 7 named tests)
  • CI/CD section now matches what actually runs: ci.yml + codeql.yml + cargo-deny + Conventional-Commits PR title

Verification

  • cargo build
  • cargo fmt --all -- --check
  • CI green

Refs: gaps #10, #12, #13 from the post-1.0 audit.

🤖 Generated with Claude Code

…ONTRIBUTING

Bundles three P2 polish items from the post-1.0 audit:

## SECURITY.md (gap #10 policy half)

New top-level file documenting:
- Supported versions
- Private reporting channels (GitHub Security Advisory + email)
- Scope (in-scope: command injection, path traversal, secret leakage,
  TLS/OCI auth, runtime privilege escalation; out-of-scope:
  upstream Docker/Podman bugs, third-party features, CLI-process DoS)
- Coordinated disclosure window
- Pointer to the CI security gates

## CodeQL workflow (gap #10 scanning half)

New `.github/workflows/codeql.yml`: Rust analysis on PR + push to main
+ weekly schedule (Monday 06:00 UTC, staggered from cargo-deny's 07:00
UTC daily). Uses the workspace MSRV. Builds `--workspace --all-targets`
so the full subcommand surface is analyzed.

## Cargo manifest metadata (gap #12)

Added to `[workspace.package]` and per-package `[package]`:
- `homepage`, `documentation`, `keywords`, `categories`
- Per-package `description` and `readme` for crates.io rendering

This unblocks publishing both crates to crates.io with proper search
discoverability.

## CONTRIBUTING.md refresh (gap #13)

The Quick Start and Common Tasks sections centered on raw `cargo test`,
but the repo standardized on `cargo-nextest` + `make` targets long ago.
Updated to:
- Lead with `make dev-fast` / `make test-nextest-fast` in the Quick Start
- Replace the Common Tasks table with the make-target taxonomy
- Drop the long e2e-by-name list (replaced with general "filter by name"
  guidance — the e2e suite has grown past the original 7 named tests)
- CI/CD section now reflects the actual workflows on main: ci.yml +
  codeql.yml + cargo-deny, with Conventional-Commits PR-title gate.

## Verification

- `cargo build` ✓
- `cargo fmt --all -- --check` ✓

Refs: gaps #10, #12, #13 from the post-1.0 audit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
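The CodeQL workflow the PR body and commit message describe (Rust analysis on pull requests, pushes to `main`, and a Monday 06:00 UTC weekly run that stays an hour ahead of the 07:00 UTC cargo-deny schedule, built on the workspace MSRV with `--workspace --all-targets`) could be written as follows. This is an added illustration, not the repository's own `.github/workflows/codeql.yml`; the action versions, the `dtolnay/rust-toolchain` step, the explicit least-privilege `permissions` block, the `category` value and the use of `build-mode: none` are assumptions, and the MSRV value 1.82 is taken from the README commit further down this page.

```yaml
# Added example workflow (assumed layout, not the project's file).
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Monday 06:00 UTC, staggered from cargo-deny's 07:00 UTC daily run
    - cron: "0 6 * * 1"

# Default to read-only; the analyze job widens only what it needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (rust)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write   # required to upload results to code scanning
    steps:
      - name: Check out source
        uses: actions/checkout@v4

      # Pin the toolchain to the workspace MSRV (1.82 per the README)
      # so the scan sees the same code CI and releases build.
      - name: Install MSRV toolchain
        uses: dtolnay/rust-toolchain@1.82.0

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: rust
          # Assumption: the Rust extractor analyzes source without tracing a
          # compiler, so no manual build mode is declared here.
          build-mode: none

      # Build every crate and target (bins, tests, examples) anyway: it fails
      # fast if the workspace does not compile on the MSRV and ensures any
      # generated code from build scripts exists before analysis.
      - name: Build workspace on MSRV
        run: cargo build --workspace --all-targets --locked

      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:rust"
```

Two details matter from a defender's side: the top-level `permissions: contents: read` keeps the default token read-only so a compromised action cannot write to the repository, and only the analysis job receives `security-events: write`, which is the single scope needed to publish SARIF results to the Security tab that the CONTRIBUTING CI/CD section now lists alongside `ci.yml` and cargo-deny.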
@github-actions bot added the labels `ci` (CI/CD changes) and `build` (Build system changes) on May 25, 2026
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@pofallon pofallon changed the title docs+chore: SECURITY.md, CodeQL workflow, package metadata, refresh CONTRIBUTING chore: SECURITY.md, CodeQL workflow, package metadata, refresh CONTRIBUTING May 25, 2026
@pofallon pofallon merged commit cf0d66f into main May 26, 2026
10 of 11 checks passed
@pofallon pofallon deleted the chore-docs-metadata-security branch May 26, 2026 00:05
pofallon added a commit that referenced this pull request May 26, 2026
)

The README's `Shipped Commands` table was missing four commands that
landed in 2026-05, and the `In Progress` table claimed five features
were "Planned" / "Experimental" when they had actually shipped.

## Shipped Commands — added 4

- `set-up` (PR-6a/6b/6c — lifecycle hooks against an existing container
  + dotfiles + `/etc` patches)
- `upgrade` (PR-5a/5b — regenerate-lockfile + Dependabot pinning)
- `outdated` (current/wanted/latest feature versions)
- `config` (config management subcommands)

Also rewrote one-liners for the existing commands to be more accurate
(e.g. `up` notes features-at-build-time, `build` notes the
Dockerfile-only feature scope, `read-configuration` mentions extends +
variable substitution).

## In Progress → Known limitations

The old table claimed these five were not ready, all wrong now:

- Docker Compose profiles → shipped (`populate_profiles` in `compose.rs`)
- Features during `up` → shipped (PR-4a/4b/4c)
- Container-side dotfiles → shipped (PR-6b)
- `--expect-existing-container` → shipped (`container.rs:435` +
  `compose.rs:146`)
- Port forwarding → shipped (`forward_ports` flows through both paths)

Replaced the whole table with two honest entries:
- **Podman runtime** — still experimental in 1.0; #30 tracks 1.1
- **`build` features** — Dockerfile-only; compose-build + image-ref still
  error with features

Footer now points at #52 (post-1.0 hardening tracker) too.

## Badges — added 4

Existing: Latest Release, CI status, License.

Added:
- CodeQL workflow status (new in PR #47)
- Coveralls coverage badge (matches the "Coverage is published to
  Coveralls" line later in the README)
- MSRV 1.82 (bumped in PR #26)
- Security Policy badge linking to GH security policy (SECURITY.md
  landed in PR #47)

Also pinned the CI badge to `?branch=main` so a feature-branch failure
doesn't flap the README.

## Code Signing section

Removed the false "tracked in issue: Code Signing" claim — no such
issue exists. Replaced with a "file one if you need this prioritized"
note so readers know it's not actively scheduled.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>