## Summary

The org-level `recurram/.github` repo is the canonical location for org-wide policy documents and shared GitHub configuration. It currently contains only a `profile/README.md` stub. Add the following:

- `SECURITY.md` — vulnerability disclosure policy and contact (mailto or private security advisory link).
- `CODE_OF_CONDUCT.md` — community standards.
- `SUPPORT.md` — where to ask questions.
- `FUNDING.yml` — funding metadata (optional).
- `dependabot.yml` template / docs (note: Dependabot config does not propagate from this repo to others; each repo needs its own).

Also add a per-repo `.github/dependabot.yml` to `recurram`, `recurram-rust`, `recurram-js`, `recurram-zig`, `recurram-bench` covering:

- `github-actions` ecosystem (auto-update SHAs of pinned actions)
- `cargo` ecosystem where `Cargo.toml` exists
- `npm` / `pnpm` ecosystem where `package.json` exists
## Motivation

A documented vulnerability-disclosure path is the most-cited missing piece across the org. Without `SECURITY.md`, researchers don't know whether to file a public Issue, email a private address, or use GitHub's private vulnerability reporting feature. The audit performed today found Critical-severity bugs in three of the implementation repos; coordinated disclosure would have been smoother with a `SECURITY.md` already in place.

`CODE_OF_CONDUCT.md` and `SUPPORT.md` are conventional org-health files that GitHub surfaces in the "Community Standards" tab.

Dependabot configurations close out the supply-chain hardening recommendations from the audit (unpinned third-party Actions, missing `--locked` cargo builds, etc.).
## Proposed Solution

Create the following files in this repo:

- `SECURITY.md` — choose between (a) "report via GitHub private vulnerability advisories" or (b) a `security@recurram.dev`-style mailbox. Document the response SLO.
- `CODE_OF_CONDUCT.md` — use the Contributor Covenant v2.1 template.
- `SUPPORT.md` — point to GitHub Discussions / Issues / chat.
- (Optional) `FUNDING.yml`.
In each implementation repo, add `.github/dependabot.yml`:

```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "cargo" # where applicable
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm" # where applicable
    directory: "/"
    schedule:
      interval: "weekly"
```
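As an added example (not code from this issue or from any recurram repo), the script below does the two per-repo checks the rollout needs: it detects which manifests (`Cargo.toml`, `package.json`, a `.github/workflows/` directory) are actually present and emits only the matching `updates:` entries for `dependabot.yml`, and it lists every `uses:` reference in the workflows that is not pinned to a full commit SHA, which is the condition the `github-actions` ecosystem entry exists to keep current. The sample repo it builds in a temp directory, including the placeholder SHA of all zeros, is constructed for the demo; `pnpm` projects are mapped to Dependabot's `npm` ecosystem name, which is an assumption about how the page's "npm / pnpm" bullet should be configured.

```python
"""Generate per-repo dependabot.yml entries from the manifests present, and flag
GitHub Actions `uses:` references that are not pinned to a commit SHA.
Added example; sample repo contents below are constructed for the demo."""
import re
import tempfile
from pathlib import Path

# Manifest file -> Dependabot package-ecosystem name.
# Assumption: pnpm projects (package.json + pnpm-lock.yaml) also use "npm".
MANIFESTS = {
    "Cargo.toml": "cargo",
    "package.json": "npm",
}

SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def detect_ecosystems(repo: Path) -> list[str]:
    """Return the Dependabot ecosystems this repo should enable."""
    ecosystems = []
    if (repo / ".github" / "workflows").is_dir():
        ecosystems.append("github-actions")
    for manifest, eco in MANIFESTS.items():
        if (repo / manifest).is_file():
            ecosystems.append(eco)
    return ecosystems


def render_dependabot(ecosystems: list[str], interval: str = "weekly") -> str:
    """Render a version-2 dependabot.yml with one weekly entry per ecosystem."""
    lines = ["version: 2", "updates:"]
    for eco in ecosystems:
        lines += [
            f'  - package-ecosystem: "{eco}"',
            '    directory: "/"',
            "    schedule:",
            f'      interval: "{interval}"',
        ]
    return "\n".join(lines) + "\n"


def unpinned_actions(repo: Path) -> list[tuple[str, int, str]]:
    """List (workflow, line, ref) for third-party actions not pinned to a 40-hex SHA."""
    findings = []
    wf_dir = repo / ".github" / "workflows"
    if not wf_dir.is_dir():
        return findings
    for wf in sorted(wf_dir.glob("*.y*ml")):
        for lineno, line in enumerate(wf.read_text().splitlines(), 1):
            m = USES_RE.match(line)
            if not m:
                continue
            ref = m.group(1)
            # Local composite actions and docker:// images carry no git ref to pin.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            _, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                findings.append((wf.name, lineno, ref))
    return findings


def build_sample_repo() -> Path:
    """Constructed sample: a Cargo project with one tag-pinned and one SHA-pinned action."""
    root = Path(tempfile.mkdtemp(prefix="dependabot-demo-"))
    (root / "Cargo.toml").write_text('[package]\nname = "demo"\n')
    wf_dir = root / ".github" / "workflows"
    wf_dir.mkdir(parents=True)
    (wf_dir / "ci.yml").write_text(
        "name: ci\n"
        "on: [push]\n"
        "jobs:\n"
        "  build:\n"
        "    runs-on: ubuntu-latest\n"
        "    steps:\n"
        "      - uses: actions/checkout@v4\n"  # mutable tag: flagged
        "      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)\n"
        "      - uses: ./.github/actions/local\n"  # local action: skipped
    )
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    print(render_dependabot(detect_ecosystems(repo)))
    for wf, lineno, ref in unpinned_actions(repo):
        print(f"{wf}:{lineno}: not SHA-pinned: {ref}")
```

Run it from the repo root of each implementation repo (replacing `build_sample_repo()` with `Path(".")`) to get a config that only enables ecosystems the repo actually has, plus the list of workflow lines that still need a SHA pin before Dependabot's `github-actions` updates have anything to track.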
## Alternatives Considered

A central org-level `dependabot.yml` would be convenient but is not supported by Dependabot (the config must live in each individual repo).
## Additional Context

Tracking issue for cross-org policy and Dependabot rollout. Sub-tasks should be opened in each implementation repo as needed.