Tirth Kanani aef940fcde chore(repo): add issue/PR templates, SECURITY.md, CoC, package metadata; widen CI triggers
Closes a cluster of community-profile gaps (#248, #249, #251, #252) in one
PR rather than four micro-PRs that all touch the same surface area.

### Templates (#251, #252)

- .github/ISSUE_TEMPLATE/bug_report.yml — required fields for repro
  (plugin version, platform, OS, project language, file count); the four
  pieces of context that are missing from ~every current bug report.
- .github/ISSUE_TEMPLATE/feature_request.yml — leads with the *problem*
  rather than the proposed solution, which keeps maintainer review focused
  on whether to solve, not just how.
- .github/ISSUE_TEMPLATE/question.yml — separate from bug to keep the
  bug queue triagable.
- .github/ISSUE_TEMPLATE/config.yml — disables blank issues and routes
  general discussion to README + Discussions.
- .github/PULL_REQUEST_TEMPLATE.md — includes the version-bump checklist
  that CLAUDE.md says must stay in sync across 5 manifests; otherwise
  every contributor learns this rule by getting their PR bounced.

### Community files

- CODE_OF_CONDUCT.md — short, project-specific document that names the
  expectations and reporting path. Not a verbatim Contributor Covenant
  to keep it readable.
- SECURITY.md — describes the project's local-only threat model
  explicitly so reporters know what's in / out of scope before they
  spend time on a writeup. Points at GitHub private vulnerability
  reporting as the primary channel.

### CI (#249)

- ci.yml now also runs on pushes to main, not only PRs. Without this,
  a direct push to main (which happens when maintainers merge a PR
  branch locally) doesn't trigger CI, so a regression can land green-
  looking and stay broken for days.
- Added a concurrency group that cancels stale runs for the same ref.
  Saves runner minutes and keeps the per-ref status meaningful.
- Used `github.ref` (a controlled value), not user-controlled input,
  so no script-injection surface.

### package.json (#248)

- Added description, license, repository, bugs, homepage, keywords —
  the standard set for npm package discoverability and so GitHub's
  community-profile check shows the project at 100%.
2026-05-31 21:29:13 +01:00

51 lines
1.3 KiB
YAML

name: CI
on:
  # Run on every PR so a contributor's first push gets feedback.
  pull_request:
  # Also run on direct pushes to main so the "main is green" signal is real.
  # Without this, main can silently break for days when someone bypasses
  # review. (#249)
  push:
    branches: [main]
# Cancel any in-flight CI for the same ref when a new commit is pushed —
# saves runner minutes and keeps the latest commit's status the only one
# anyone reads. `github.ref` is a controlled value (refs/heads/* or
# refs/pull/*/merge), not user-controlled input, so it's safe to interpolate.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml
      - name: Install dependencies
        run: pnpm install
      - name: Lint
        run: pnpm lint
      - name: Build core
        run: pnpm --filter @understand-anything/core build
      - name: Build skill
        run: pnpm --filter @understand-anything/skill build
      - name: Test core
        run: pnpm --filter @understand-anything/core test
      - name: Test skill
        run: pnpm test
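
The interpolation concern raised in the concurrency comment, as an added example (not part of this repository or commit): a stdlib-only Python check that flags `${{ }}` expressions reading contexts GitHub documents as untrusted input when they are expanded inside `run:` steps. The context list is partial, the workflow fragment is constructed, and `find_injection_risks` is a hypothetical name.

```python
import re

# Partial list of contexts GitHub documents as untrusted input (chosen for this example).
UNTRUSTED = re.compile(
    r"github\.(head_ref"
    r"|event\.(issue|pull_request|comment|review)\.(title|body)"
    r"|event\.pull_request\.head\.(ref|label)"
    r"|event\.head_commit\.message)"
)
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^\s*(?:- )?run:")

# Constructed fragment: the page's concurrency line plus three made-up steps.
CONSTRUCTED_WORKFLOW = """\
concurrency:
  group: ci-${{ github.ref }}
steps:
  - name: Risky
    run: |
      echo "Title: ${{ github.event.pull_request.title }}"
  - name: Safer
    env:
      PR_TITLE: ${{ github.event.pull_request.title }}
    run: echo "Title: $PR_TITLE"
  - name: Branch
    run: echo "${{ github.head_ref }}"
"""


def find_injection_risks(workflow_text):
    """Return (line_no, expression) for untrusted contexts expanded inside run: steps."""
    findings, run_col = [], None  # run_col: column of the active `run:` key
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if run_col is not None and indent <= run_col:
            run_col = None  # dedent: the run block has ended
        if run_col is None and RUN_KEY.match(line):
            run_col = line.index("run:")
        if run_col is None:
            continue  # this check only covers text that becomes a run: script
        for expr in EXPR.findall(line):
            if UNTRUSTED.search(expr):
                findings.append((line_no, expr.strip()))
    return findings

if __name__ == "__main__":
    print(find_injection_risks(CONSTRUCTED_WORKFLOW))
```

The "Safer" step is not flagged because the value reaches the shell through an environment variable instead of being pasted into the script text before it runs.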