looptech-ai · amacsmith · May 10, 2026 · May 10, 2026
@@ -0,0 +1,55 @@
+# Path-based PR labels for actions/labeler@v5.
+# Schema: <label>: [ { changed-files: [{ any-glob-to-any-file: [globs...] }] } ]
+
+"area:schemas":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "schemas/**"
+
+"area:scripts":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "scripts/**"
+
+"area:mcp":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "mcp/**"
+
+"area:cli":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "cli/**"
+
+"area:python-sdk":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "python-sdk/**"
+
+"area:site":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "site/**"
+
+"area:docs":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "docs/**"
+          - "README.md"
+          - "CONTRIBUTING.md"
+          - "CHANGELOG.md"
+
+"area:ci":
+  - changed-files:
+      - any-glob-to-any-file:
+          - ".github/workflows/**"
+          - ".github/labeler.yml"
+          - ".github/release.yml"
+
+"area:tests":
+  - changed-files:
+      - any-glob-to-any-file:
+          - "tests/**"
+          - "**/__tests__/**"
+          - "**/*.test.*"
+          - "**/*.spec.*"
@@ -0,0 +1,93 @@
+# Release-drafter configuration.
+# Used by .github/workflows/release-drafter.yml to auto-build draft release
+# notes whenever a PR merges into main.
+
+name-template: "v$RESOLVED_VERSION"
+tag-template: "v$RESOLVED_VERSION"
+
+categories:
+  - title: "🚀 Features"
+    labels:
+      - "feat"
+      - "feature"
+      - "type:feature"
+  - title: "🐛 Fixes"
+    labels:
+      - "fix"
+      - "bug"
+      - "type:bug"
+  - title: "📝 Docs"
+    labels:
+      - "docs"
+      - "area:docs"
+      - "documentation"
+  - title: "♻️ Refactor"
+    labels:
+      - "refactor"
+      - "type:refactor"
+  - title: "⚡ Performance"
+    labels:
+      - "perf"
+      - "performance"
+  - title: "🧪 Tests"
+    labels:
+      - "test"
+      - "tests"
+      - "area:tests"
+  - title: "🔒 Security"
+    labels:
+      - "security"
+  - title: "🤖 Dependencies"
+    labels:
+      - "dependencies"
+      - "dependabot"
+  - title: "🧹 Chore"
+    labels:
+      - "chore"
+      - "ci"
+      - "build"
+      - "area:ci"
+
+change-template: "- $TITLE (#$NUMBER) @$AUTHOR"
+change-title-escapes: '\<*_&'
+
+# Exclude unsigned/no-op work and label-only edits from the changelog body.
+exclude-labels:
+  - "skip-changelog"
+  - "duplicate"
+  - "invalid"
+  - "wontfix"
+
+version-resolver:
+  major:
+    labels:
+      - "breaking-change"
+      - "major"
+  minor:
+    labels:
+      - "feat"
+      - "feature"
+      - "minor"
+  patch:
+    labels:
+      - "fix"
+      - "bug"
+      - "docs"
+      - "chore"
+      - "ci"
+      - "build"
+      - "refactor"
+      - "perf"
+      - "test"
+      - "dependencies"
+      - "security"
+      - "patch"
+  default: patch
+
+# Build the draft body. Sections only render when they have entries.
+template: |
+  ## What's changed
+
+  $CHANGES
+
+  **Full changelog:** https://github.com/$OWNER/$REPOSITORY/compare/$PREVIOUS_TAG...v$RESOLVED_VERSION
@@ -0,0 +1,37 @@
+name: First interaction
+
+# Welcome first-time contributors with a friendly note pointing them at the
+# right docs. The action only runs the FIRST time someone interacts with the
+# repo, so we don't pester returning folks.
+
+on:
+  pull_request_target:
+    types: [opened]
+  issues:
+    types: [opened]
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  greet:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/first-interaction@1c4688942c71f71d4f5502a26ea67c331730fa4d # pin: v3.1.0
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          pr-message: >
+            Thanks for your first PR to understand-quickly! A maintainer will
+            review shortly. If this adds a new entry to `registry.json`, the
+            validate workflow will fetch your graph_url + check schema; if it
+            adds a new graph format, `CONTRIBUTING.md` walks through the schema
+            authoring flow. Questions:
+            [Discussions](https://github.com/looptech-ai/understand-quickly/discussions).
+          issue-message: >
+            Thanks for opening your first issue! For "add my repo" requests,
+            the [wizard](https://looptech-ai.github.io/understand-quickly/add.html)
+            is often faster. For protocol questions, see
+            [CKGP v1](https://github.com/looptech-ai/understand-quickly/blob/main/docs/spec/code-graph-protocol.md)
+            or open a Discussions thread.
@@ -0,0 +1,25 @@
+name: Labeler
+
+# Auto-apply `area:*` labels based on which files a PR touches. Keeps the PR
+# list grep-able and lets release-drafter sort changes into categories.
+#
+# Config: .github/labeler.yml - path globs map to label names.
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # pin: v5.0.0
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          configuration-path: .github/labeler.yml
+          sync-labels: true
@@ -0,0 +1,71 @@
+name: Link check
+
+# Weekly sweep of every Markdown file + the live Pages site. Also runs on PRs
+# that touch README/docs so broken links never reach main.
+#
+# On scheduled-run failures we open (or reuse) a tracking issue rather than
+# failing silently. PR runs surface results as a job summary - no spammy issue.
+
+on:
+  schedule:
+    - cron: "17 6 * * 1"   # Mondays 06:17 UTC
+  pull_request:
+    branches: [main]
+    paths:
+      - "**/*.md"
+      - "docs/**"
+      - ".lychee.toml"
+      - ".github/workflows/lychee.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  link-check:
+    name: lychee
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # pin: v5.0.0
+
+      - name: Restore lychee cache
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # pin: v4.3.0
+        with:
+          path: .lycheecache
+          key: lychee-${{ github.run_id }}
+          restore-keys: lychee-
+
+      - name: Run lychee
+        id: lychee
+        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # pin: v2.8.0
+        with:
+          args: >-
+            --config .lychee.toml
+            --cache
+            --no-progress
+            --verbose
+            './**/*.md'
+            'https://looptech-ai.github.io/understand-quickly/'
+          output: ./lychee/out.md
+          fail: false
+          format: markdown
+          jobSummary: true
+
+      - name: Open or update tracking issue on scheduled failures
+        if: steps.lychee.outputs.exit_code != 0 && github.event_name == 'schedule'
+        uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # pin: v5.0.1
+        with:
+          title: "Link check: broken links detected"
+          content-filepath: ./lychee/out.md
+          labels: |
+            area:docs
+            status:link-rot
+
+      - name: Fail job if links broken on PR
+        if: steps.lychee.outputs.exit_code != 0 && github.event_name == 'pull_request'
+        run: |
+          echo "::error::lychee reported broken links - see job summary."
+          exit 1
@@ -0,0 +1,33 @@
+name: Release drafter
+
+# Maintains a permanent draft of the next GitHub Release. Every merged PR
+# bumps the resolved version and appends its title to the right category in
+# the release body, based on PR labels.
+#
+# Config lives in .github/release.yml.
+#
+# Cutting a release: edit the draft (rename/tag if needed), then Publish. The
+# tag created kicks off any tag-driven publish workflows.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  draft:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: release-drafter/release-drafter@67e173cadb2fbd3de94f4a861e0c48c913b462ae # pin: v6.4.0
+        with:
+          config-name: release.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,49 @@
+name: OpenSSF Scorecard
+
+# Runs the OpenSSF Scorecard checks against this repo. Results are uploaded
+# as SARIF (visible under the Security tab) and published publicly so the
+# README badge can resolve them.
+#
+# Publish-results: requires the workflow to run from the default branch with
+# id-token write so the upstream can verify our identity. This is the
+# standard OSSF wiring.
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: "12 4 * * 2"   # Tuesdays 04:12 UTC
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      security-events: write   # upload SARIF to Code Scanning
+      id-token: write          # publish_results: true
+      contents: read
+      actions: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # pin: v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard
+        uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # pin: v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload SARIF results
+        uses: github/codeql-action/upload-sarif@52485aec7be33610227643b0fe83936b8b5f061a # pin: v3.27.0
+        with:
+          sarif_file: results.sarif
+          category: ossf-scorecard