Skip to content

chore(repo): add CODEOWNERS, PR template, dependabot config#55

Merged
onspeedhp merged 1 commit into
mainfrom
chore/repo-metadata
May 6, 2026
Merged

chore(repo): add CODEOWNERS, PR template, dependabot config#55
onspeedhp merged 1 commit into
mainfrom
chore/repo-metadata

Conversation

@onspeedhp

Copy link
Copy Markdown
Member

Summary

Three repo-hygiene additions, all opt-in / non-breaking.

Files

  • .github/CODEOWNERS — every change requires review from one of `@onspeedhp`, `@chauanhtuan185`, `@metasal1`. Audit-sensitive paths (`/program/`, `/assertions/`, `/.github/workflows/`, `/audits/`) and the cherry-pick guardrails (`scripts/fee-paths.txt`, `scripts/strip-fee.sh`, `scripts/check-no-fee.sh`) re-state the same owners so renames don't silently drop ownership rules.

  • .github/PULL_REQUEST_TEMPLATE.md — terse, audit-aware. Includes a "Cherry-pick provenance" section so PRs that mirror commits from `lazorkit-protocol` leave a clear trail and explicitly confirm `bash scripts/check-no-fee.sh` passed. Note: with squash merge, the PR description ends up as the commit message body on `main`, so this template effectively shapes `git log` going forward.

  • .github/dependabot.yml — monthly cadence:

    • cargo (workspace)
    • npm (/tests-sdk) — for `@lazorkit/sdk-legacy` and vitest
    • github-actions (/)

    Each ecosystem grouped (1 PR for all version updates, 1 for security) with cap of 2-3 open PRs to keep noise bounded.

Test plan

  • CI passes — `check-no-fee`, `sbf-cluster-check` (no source changes)
  • CODEOWNERS auto-assigns reviewers on the next PR
  • First Dependabot run lands within ~30 days

- CODEOWNERS: every change touches admins by default (@onspeedhp,
  @chauanhtuan185, @metasal1); audit-sensitive paths (program/, assertions/,
  .github/workflows/, audits/) and the cherry-pick guardrails (fee-paths.txt
  + strip-fee.sh + check-no-fee.sh) re-state the same owners explicitly
  so renames don't silently drop ownership rules.
- PULL_REQUEST_TEMPLATE.md: includes a 'Cherry-pick provenance' section so
  cherry-picks from lazorkit-protocol leave an audit trail and confirm
  scripts/check-no-fee.sh passed.
- dependabot.yml: monthly cadence per ecosystem (cargo workspace, tests-sdk
  npm, github-actions). Groups version + security updates separately so a
  security PR doesn't get held up behind feature bumps.
@onspeedhp onspeedhp merged commit 309af2d into main May 6, 2026
5 checks passed
@onspeedhp onspeedhp deleted the chore/repo-metadata branch May 6, 2026 15:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant