feat: org-wide community-health defaults (CoC, Contributing, Security, Support, templates)#2
Conversation
Populate the .github repo with the canonical fallbacks GitHub looks up
when a downstream repo doesn't define its own. Previously every
resq-software/* repo lacked CoC / Contributing / Security / Support /
templates; contributors had no consistent reference.
Files added:
CODE_OF_CONDUCT.md Contributor Covenant v2.1 (linked, not
vendored) + ResQ reporting channels.
CONTRIBUTING.md One-page onboarding (install-resq.sh +
install-hooks.sh), commit format
(Conventional Commits + `!`), branch
naming, local check commands, PR flow.
SECURITY.md Supported versions table, private
reporting channels (GitHub Security
Advisories preferred, security@ fallback),
response windows, scope/out-of-scope.
SUPPORT.md Docs / Discussions / issue-template
routing for non-security questions.
.github/PULL_REQUEST_TEMPLATE.md
Structured sections: Summary, Type,
Test plan, Breaking changes, Checklist.
.github/ISSUE_TEMPLATE/bug_report.yml Structured form.
.github/ISSUE_TEMPLATE/feature_request.yml Structured form.
.github/ISSUE_TEMPLATE/config.yml Disable blank issues;
route Security + Discussions + Docs.
.github/FUNDING.yml Commented placeholder.
Applies automatically to every public repo under resq-software that
doesn't already define these files. Zero downstream action required.
Follow-up PRs (separate branches) add: reusable security-scan workflow,
per-repo callers + dependabot.yml + CODEOWNERS, dev/README cleanup.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 21 minutes and 44 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (9)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request establishes the core community health and contribution infrastructure for the resq-software organization by adding standard files such as CONTRIBUTING.md, CODE_OF_CONDUCT.md, SECURITY.md, and various GitHub issue and pull request templates. Feedback focuses on ensuring that relative links to internal files (like CODEOWNERS and workflow definitions) are converted to absolute URLs to prevent broken links when these files are inherited by other repositories in the organization.
| - **Preferred**: open a [GitHub Security Advisory](https://github.com/resq-software/.github/security/advisories/new) on this `.github` repo — advisories are private by default and route straight to maintainers. | ||
| - **Alternative**: email `conduct@resq.software`. | ||
|
|
||
| All reports are reviewed by the maintainers listed in [`.github/CODEOWNERS`](./CODEOWNERS) and handled confidentially. The reporter's identity is not shared beyond those directly involved in the review. |
There was a problem hiding this comment.
The link destination ./CODEOWNERS is inconsistent with the text [.github/CODEOWNERS]. Additionally, for an organization-wide Code of Conduct, it is recommended to use an absolute URL to the central .github repository's CODEOWNERS file. This ensures the link resolves correctly when the file is inherited by other repositories in the organization.
| All reports are reviewed by the maintainers listed in [`.github/CODEOWNERS`](./CODEOWNERS) and handled confidentially. The reporter's identity is not shared beyond those directly involved in the review. | |
| All reports are reviewed by the maintainers listed in [`.github/CODEOWNERS`](https://github.com/resq-software/.github/blob/main/.github/CODEOWNERS) and handled confidentially. The reporter's identity is not shared beyond those directly involved in the review. |
|
|
||
| ## Automated scanning | ||
|
|
||
| Every repo runs the reusable [`security-scan`](.github/workflows/security-scan.yml) workflow on push + PR + weekly schedule: CodeQL, Gitleaks, OSV-Scanner, Dependency Review, plus optional Snyk when `SNYK_TOKEN` is configured. Findings are triaged by the maintainers listed in each repo's `CODEOWNERS`. |
There was a problem hiding this comment.
The relative link to the workflow file will break when this security policy is inherited by other repositories. Downstream repositories will attempt to resolve the path relative to their own root, where the workflow likely does not exist. Use an absolute URL to the .github repository to ensure the link remains functional across the organization.
| Every repo runs the reusable [`security-scan`](.github/workflows/security-scan.yml) workflow on push + PR + weekly schedule: CodeQL, Gitleaks, OSV-Scanner, Dependency Review, plus optional Snyk when `SNYK_TOKEN` is configured. Findings are triaged by the maintainers listed in each repo's `CODEOWNERS`. | |
| Every repo runs the reusable [`security-scan`](https://github.com/resq-software/.github/blob/main/.github/workflows/security-scan.yml) workflow on push + PR + weekly schedule: CodeQL, Gitleaks, OSV-Scanner, Dependency Review, plus optional Snyk when `SNYK_TOKEN` is configured. Findings are triaged by the maintainers listed in each repo's `CODEOWNERS`. |
1 participant
Summary
First of a four-PR series standardizing governance + security across every public ResQ repo. Populates the
.githuborg repo with the canonical fallbacks GitHub looks up when a downstream repo doesn't define its own — so everyresq-software/*repo inherits these automatically with zero per-repo action.Files
CODE_OF_CONDUCT.md— Contributor Covenant v2.1 (linked to canonical text, not vendored); ResQ-specific reporting channels.CONTRIBUTING.md— onboarding (install-resq.sh + install-hooks.sh), Conventional Commits +!marker, branch-naming rules, local check commands (resq pre-commit/resq format --check/resq hooks doctor), PR flow.SECURITY.md— supported-versions table, private reporting (GitHub Security Advisories preferred +security@resq.softwarefallback), response SLOs, scope & out-of-scope.SUPPORT.md— routes to docs.resq.software / GitHub Discussions / SECURITY.md..github/PULL_REQUEST_TEMPLATE.md— Summary / Type / Test plan / Breaking changes / Checklist..github/ISSUE_TEMPLATE/{bug_report,feature_request}.yml— structured forms with pre-flight checkboxes..github/ISSUE_TEMPLATE/config.yml— disable blank issues; route Security + Discussions + Docs links..github/FUNDING.yml— commented placeholder until funding routes exist.Verification
After merge, open
https://github.com/resq-software/<any-public-repo>/community— the community profile page should now show full ✅ marks for Code of Conduct, Contributing, Security, Support, Issue templates, and Pull request template (all inherited from this repo).Follow-up PRs in this series
security-scan.ymlworkflow in.github(CodeQL + Gitleaks + OSV-scanner + dependency-review + optional Snyk).github/dependabot.yml+.github/CODEOWNERS(10 small PRs)dev/README.md— drop the.agents/convention per your decision; add a short pointer atAGENTS.md🤖 Generated with Claude Code