Problem
A GitHub repo hygiene audit found three gaps in .github/ that affect the "top-notch OSS" signal:
1. CODE_OF_CONDUCT.md missing
The repo has CONTRIBUTING.md, SECURITY.md, and LICENSE but no Code of Conduct. This is a standard community health file checked by GitHub's community profile and required by many OSS foundations.
2. No code scanning / CodeQL workflow
.github/workflows/ has ci.yml, governance.yml, and release.yml — but no security scanning workflow. CodeQL on JavaScript/TypeScript would enable GitHub's code scanning dashboard, surface potential vulnerabilities in CLI arg handling, and close a visible OSS trust gap.
3. CODEOWNERS only covers /.ai/*
Current CODEOWNERS:
/.ai/* admin@stackbilt.dev
All other files — including packages/, scripts/, .github/workflows/ — are unowned. PRs touching any of those paths have no required reviewer.
Changes
- Add CODE_OF_CONDUCT.md at repo root using Contributor Covenant 2.1. Enforcement contact: admin@stackbilt.dev (matches SECURITY.md).
- Add .github/workflows/codeql.yml:
  - Trigger: push to main, PRs to main, weekly schedule
  - Language: javascript-typescript
  - Use actions/checkout + github/codeql-action/init + github/codeql-action/analyze
- Expand .github/CODEOWNERS:
# Catch-all: all PRs require review
* @Stackbilt-dev/charter-maintainers
# ADF governance context — extra scrutiny
/.ai/* admin@stackbilt.dev
# CLI commands — surface changes need careful review
/packages/cli/src/commands/ @Stackbilt-dev/charter-maintainers
# Release pipeline — treat as high-risk
/.github/workflows/release.yml @Stackbilt-dev/charter-maintainers
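A workflow that implements the three bullets above (push/PR to main plus a weekly schedule, the javascript-typescript language pack, and the checkout/init/analyze action chain) is sketched here as an added illustration; it is not the repo's committed codeql.yml. The cron time and the action major versions are assumptions, and the permissions block is the minimum the upload step needs rather than anything the issue specifies.

```yaml
# Illustrative .github/workflows/codeql.yml (added example, not the repo's own file)
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '17 6 * * 1'   # weekly, Monday 06:17 UTC; the slot is an arbitrary choice

# Least privilege: read the checkout, upload SARIF results to code scanning.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  analyze:
    name: Analyze (javascript-typescript)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # assumed major version

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3   # assumed major version
        with:
          languages: javascript-typescript   # single extractor covers JS and TS; no build step needed

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3   # assumed major version
        with:
          category: "/language:javascript-typescript"
```

Two things to check once this lands: alerts only show up on the Security tab after the workflow has completed at least once on main (PR-only runs annotate the PR but do not populate the default-branch dashboard), and neither this workflow nor the CODEOWNERS file blocks a merge on its own. For the acceptance criteria to hold, branch protection on main has to list the CodeQL check as required and enable "Require review from Code Owners"; without that, CODEOWNERS only auto-requests reviewers.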
Why now
These are split-stable repo-level files — none of them move with the @stackbilt/build commercial split. Checking all three boxes closes the gaps visible on the GitHub community profile page and in the npm package trust signals.
Acceptance
- GitHub community profile shows CODE_OF_CONDUCT ✓
- Security tab shows code scanning enabled ✓
- All PRs to packages/ require at least one review from @Stackbilt-dev/charter-maintainers