chore(github): enable free-tier features — dependabot, CODEOWNERS, issue form, SECURITY, CITATION, dynamic badge #7

Merged: prat96 merged 4 commits into main from chore/github-quick-wins on Jun 22, 2026
prat96 (Contributor) commented Jun 22, 2026

Enables the low-effort GitHub features from the repo audit, plus the workflow change needed to make a required status check safe. All free for public repos; pure config/CI/docs — no firmware or build-behavior changes, nothing runs at or above the DAP path.

What's in here

| File | Feature | Why |
| --- | --- | --- |
| .github/dependabot.yml | Dependabot version updates | Security updates were already on, but no version-bump PRs. Scoped to the only two manifest-managed ecosystems — github-actions and pip (requirements.txt). C upstream stays git-pinned via setup.sh, intentionally excluded. |
| .github/CODEOWNERS | Code-owner review | The ruleset's require_code_owner_review was a silent no-op with no file. Names the two analyze.sh-pristine files. @prat96. |
| .github/ISSUE_TEMPLATE/bug_report.yml + config.yml | Repo-specific issue form | Requires the {"q":"status"} line (firmware ver) and prompts for {"q":"lastfault"}. Routes questions → Discussions, security → private advisories. |
| SECURITY.md | Security policy | Adds the policy + trust model (physical/USB access trusted) so reports target the real surface. |
| CITATION.cff | "Cite this repository" widget | Near-zero-effort OSS maturity signal. |
| README.md | Dynamic release badge | Was hardcoded v1.0 while v1.1 shipped; now img.shields.io/github/v/release. |
| .github/workflows/host-tests.yml | Required-check safety | Drop the pull_request paths filter so Portable logic (no hardware) reports on every PR — a path-filtered required check leaves PRs blocked on a forever-pending "Expected" status. Hosted + uploads nothing, so docs-only PRs cost nothing. |
| .github/workflows/firmware-c.yml | Artifact retention cap | retention-days: 7 on the build artifact (was defaulting to 90); on publish the binaries also go to the free permanent Release. |

Done alongside this PR (applied directly)

  • Required status check: Portable logic (no hardware) added to the default ruleset (non-strict, do_not_enforce_on_create). The host-tests.yml change above is what makes it safe.
  • Labels — dropped stray new project!; added dap / dashboard / sd / cdc1 / gate.
  • Homepage — set to https://github.com/GhostRoboticsLab.
  • Social-preview image — UI-only (Settings → General → Social preview), pending an image.

Notes

  • pyserial==3.5 is exact-pinned for HIL USB-CDC stability — review any Dependabot bump against the macOS bench gotchas before merging.
  • Replace @prat96 in CODEOWNERS with an org team if preferred.
  • Merge requires a review (ruleset) — use the admin bypass to self-merge, or have a second maintainer approve.

prat96 added 4 commits June 22, 2026 23:23

Security updates were already on; this adds the separate version-update PRs. Scoped to the only two manifest-managed ecosystems — CI actions and host-side requirements.txt. The C upstream stays git-pinned via setup.sh and is intentionally excluded.

Signed-off-by: Pratheek Balakrishna <pratheekb96@gmail.com>

CODEOWNERS binds the ruleset's code-owner-review rule (a no-op without the file) and names the two analyze.sh-pristine files. The YAML bug form requires the {"q":"status"} line (firmware ver) and prompts for the {"q":"lastfault"} crash dump; config.yml routes questions to Discussions and security reports to private advisories.

Signed-off-by: Pratheek Balakrishna <pratheekb96@gmail.com>

Frames the bench-tool trust model (physical/USB access trusted) so reports target the real surface — CDC1 JSON parser, SD path handling, ISR-stack safety, DAP-stall-via-input — and points reporters at the already-enabled private vulnerability reporting.

Signed-off-by: Pratheek Balakrishna <pratheekb96@gmail.com>

CITATION.cff enables the Cite-this-repository widget. The release badge was hardcoded to v1.0 while v1.1 shipped; switch to img.shields.io/github/v/release so it never goes stale.

Signed-off-by: Pratheek Balakrishna <pratheekb96@gmail.com>

prat96 self-assigned this Jun 22, 2026
prat96 merged commit 48d7681 into main Jun 22, 2026
8 checks passed
prat96 deleted the chore/github-quick-wins branch June 22, 2026 21:25
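
The required-check change described for host-tests.yml in the PR body, as an added sketch that is not the repository's actual workflow. The job name comes from the PR text; the workflow name, job id, path globs, Python setup and test command are assumptions made for illustration.

```yaml
# Constructed example; not the project's real .github/workflows/host-tests.yml.
name: host-tests                      # assumed workflow name

on:
  push:
    branches: [main]
  pull_request:
    # BEFORE (problem): with a paths filter, a PR that touches none of the
    # listed paths never starts this workflow. A ruleset that requires the
    # "Portable logic (no hardware)" check then waits on a status that is
    # never reported, and the PR stays blocked on "Expected".
    #
    # paths:                          # hypothetical globs
    #   - "host/**"
    #   - "requirements.txt"
    #
    # AFTER: no paths filter, so the required check reports on every PR,
    # including docs-only ones.

permissions:
  contents: read                      # assumption: the job uploads nothing, so a read-only token suffices

jobs:
  portable-logic:                     # assumed job id
    # The ruleset matches the required check on this display name.
    name: Portable logic (no hardware)
    runs-on: ubuntu-latest            # GitHub-hosted runner, no bench hardware
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: pip install -r requirements.txt
      - run: python -m pytest         # hypothetical test command
```

If the job's `name:` is changed later, the ruleset entry has to be updated in the same change, otherwise the old check name becomes the one that never reports.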