feat: SHA-pin workflows, dynamic repo sync, org health files

- Convert workflow-templates to thin wrappers calling reusable workflows
- Pin all workflow references by SHA (Renovate-only, no Dependabot)
- Generate repo-sync target list dynamically from all non-archived repos
- Add CODEOWNERS, CONTRIBUTING.md, and issue templates (bug/feature)
- Expand compliance audit to check LICENSE and CODEOWNERS
- Update README with dependency policy and community health docs

Author: h13

.github/sync.yml

@@ -1,47 +1,12 @@
-# Repo file sync configuration
-# Syncs org-wide config files to target repositories.
-# Requires REPO_SYNC_TOKEN secret (PAT with repo scope).
-#
-# Add new repos here when created. The compliance-audit workflow
-# will flag repos missing from this list.
-# Exclude archived repos (they are read-only).
+# Repo file sync — file mappings only.
+# The repo list is resolved dynamically at runtime
+# (all non-archived h13 repos, excluding .github itself).
+# See .github/workflows/repo-sync.yml for details.
 
-h13/gtm-users:
-  - source: sync/.github/PULL_REQUEST_TEMPLATE.md
-    dest: .github/PULL_REQUEST_TEMPLATE.md
-
-h13/constraint-engine:
-  - source: sync/.github/PULL_REQUEST_TEMPLATE.md
-    dest: .github/PULL_REQUEST_TEMPLATE.md
-
-h13/contract-templates:
-  - source: sync/.github/PULL_REQUEST_TEMPLATE.md
-    dest: .github/PULL_REQUEST_TEMPLATE.md
-
-h13/feed-pulse:
-  - source: sync/.github/PULL_REQUEST_TEMPLATE.md
-    dest: .github/PULL_REQUEST_TEMPLATE.md
-
-h13/feed-pulse-ts:
-  - source: sync/.github/PULL_REQUEST_TEMPLATE.md
-    dest: .github/PULL_REQUEST_TEMPLATE.md
-
-h13/smallbiz-suite:
-  - source: sync/.github/PULL_REQUEST_TEMPLATE.md
-    dest: .github/PULL_REQUEST_TEMPLATE.md
-
-h13/fyi:
-  - source: sync/.github/PULL_REQUEST_TEMPLATE.md
-    dest: .github/PULL_REQUEST_TEMPLATE.md
-
-h13/nps-platform:
-  - source: sync/.github/PULL_REQUEST_TEMPLATE.md
-    dest: .github/PULL_REQUEST_TEMPLATE.md
-
-h13/autoreload.fish:
-  - source: sync/.github/PULL_REQUEST_TEMPLATE.md
-    dest: .github/PULL_REQUEST_TEMPLATE.md
-
-h13/anki-manual-ja:
+files:
   - source: sync/.github/PULL_REQUEST_TEMPLATE.md
     dest: .github/PULL_REQUEST_TEMPLATE.md
+  - source: sync/.github/ISSUE_TEMPLATE/bug_report.yml
+    dest: .github/ISSUE_TEMPLATE/bug_report.yml
+  - source: sync/.github/ISSUE_TEMPLATE/feature_request.yml
+    dest: .github/ISSUE_TEMPLATE/feature_request.yml

.github/workflows/ci-markdown.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: h13/.github/actions/apply-org-config@main
+      - uses: h13/.github/actions/apply-org-config@c62d0eebefffc0d3ca156453f0fb7cd3dcb94f4c # main
         with:
           config-file: .markdownlint-cli2.yaml
 

.github/workflows/compliance-audit.yml

@@ -27,7 +27,7 @@ jobs:
           for repo in $REPOS; do
             FINDINGS=""
 
-            # Check renovate.json
+            # Check renovate.json (Renovate-only policy — no Dependabot)
             if ! gh api "repos/h13/$repo/contents/renovate.json" --silent 2>/dev/null; then
               FINDINGS="${FINDINGS}\n  - [ ] Missing \`renovate.json\`"
             fi
@@ -43,6 +43,23 @@ jobs:
               FINDINGS="${FINDINGS}\n  - [ ] No branch protection on \`$DEFAULT_BRANCH\`"
             fi
 
+            # Check LICENSE
+            if ! gh api "repos/h13/$repo/contents/LICENSE" --silent 2>/dev/null; then
+              FINDINGS="${FINDINGS}\n  - [ ] Missing \`LICENSE\`"
+            fi
+
+            # Check CODEOWNERS
+            HAS_CODEOWNERS=false
+            for path in "CODEOWNERS" ".github/CODEOWNERS" "docs/CODEOWNERS"; do
+              if gh api "repos/h13/$repo/contents/$path" --silent 2>/dev/null; then
+                HAS_CODEOWNERS=true
+                break
+              fi
+            done
+            if [ "$HAS_CODEOWNERS" = "false" ]; then
+              FINDINGS="${FINDINGS}\n  - [ ] Missing \`CODEOWNERS\`"
+            fi
+
             if [ -n "$FINDINGS" ]; then
               REPORT="${REPORT}\n### $repo\n$FINDINGS\n"
               ISSUES_FOUND=$((ISSUES_FOUND + 1))

.github/workflows/repo-sync.yml

@@ -5,7 +5,6 @@ on:
     branches: [main]
     paths:
       - "sync/**"
-      - ".github/sync.yml"
   workflow_dispatch:
 
 permissions:
@@ -17,6 +16,31 @@ jobs:
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
+      - name: Generate sync config from all org repos
+        env:
+          GH_TOKEN: ${{ secrets.REPO_SYNC_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          REPOS=$(gh repo list h13 --no-archived --json name -q '.[].name' \
+            | grep -v '^\\.github$' \
+            | sort \
+            | awk '{printf "      h13/%s\n", $0}')
+
+          cat > .github/sync.yml <<SYNC
+          group:
+            - repos: |
+          ${REPOS}
+              files:
+                - source: sync/.github/PULL_REQUEST_TEMPLATE.md
+                  dest: .github/PULL_REQUEST_TEMPLATE.md
+                - source: sync/.github/ISSUE_TEMPLATE/bug_report.yml
+                  dest: .github/ISSUE_TEMPLATE/bug_report.yml
+                - source: sync/.github/ISSUE_TEMPLATE/feature_request.yml
+                  dest: .github/ISSUE_TEMPLATE/feature_request.yml
+          SYNC
+          cat .github/sync.yml
+
       - uses: BetaHuhn/repo-file-sync-action@8d7590ac8bf240686428959b8fd060a34d508b3f # v1.9.4
         with:
           GH_PAT: ${{ secrets.REPO_SYNC_TOKEN }}

CODEOWNERS

@@ -0,0 +1,3 @@
+# Default owner for all files in h13 repositories.
+# Repos can override this by adding their own CODEOWNERS file.
+* @h13

CONTRIBUTING.md

@@ -0,0 +1,28 @@
+# Contributing
+
+Thanks for your interest in contributing to h13 projects.
+
+## Getting Started
+
+1. Fork the repository
+2. Create a feature branch from `main`
+3. Make your changes
+4. Run tests locally and ensure CI passes
+5. Open a pull request
+
+## Guidelines
+
+- Keep pull requests focused on a single change
+- Follow the existing code style and conventions
+- Add tests for new functionality
+- Update documentation if needed
+
+## Dependency Management
+
+All repositories use [Renovate](https://docs.renovatebot.com/) for automated dependency updates. Do not use Dependabot.
+
+## Reporting Issues
+
+- **Bugs**: Use the "Bug report" issue template
+- **Features**: Use the "Feature request" issue template
+- **Security**: See [SECURITY.md](SECURITY.md) — do not open a public issue

README.md

@@ -7,15 +7,15 @@ Default community health files, reusable workflows, and shared config for h13 re
 
 ## Reusable Workflows
 
-Call from any repo via `uses: h13/.github/.github/workflows/<name>@v1`:
+Call from any repo via `uses: h13/.github/.github/workflows/<name>@<sha>`:
 
-| Workflow | Stack | Inputs | Steps |
-|---|---|---|---|
-| `ci-node.yml` | Node.js | `node-version` | npm ci (cached) → npm test |
-| `ci-go.yml` | Go | — | go test -race → golangci-lint |
-| `ci-php.yml` | PHP | `php-version`, `php-extensions`, `working-directory`, `composer-args`, `test-command` | composer install (cached) → composer test |
-| `ci-terraform.yml` | Terraform | `terraform-version` | terraform fmt/init/validate → tflint |
-| `ci-markdown.yml` | Markdown | `glob` | markdownlint-cli2 (org config auto-applied) |
+| Workflow           | Stack     | Inputs                                                                                | Steps                                       |
+| ------------------ | --------- | ------------------------------------------------------------------------------------- | ------------------------------------------- |
+| `ci-node.yml`      | Node.js   | `node-version`                                                                        | npm ci (cached) → npm run lint → npm test   |
+| `ci-go.yml`        | Go        | —                                                                                     | go test -race → golangci-lint               |
+| `ci-php.yml`       | PHP       | `php-version`, `php-extensions`, `working-directory`, `composer-args`, `test-command` | composer install (cached) → composer test   |
+| `ci-terraform.yml` | Terraform | `terraform-version`                                                                   | terraform fmt/init/validate → tflint        |
+| `ci-markdown.yml`  | Markdown  | `glob`                                                                                | markdownlint-cli2 (org config auto-applied) |
 
 All workflows enforce `permissions: { contents: read }` (least-privilege).
 
@@ -29,41 +29,56 @@ on:
   pull_request:
 jobs:
   ci:
-    uses: h13/.github/.github/workflows/ci-node.yml@v1
+    uses: h13/.github/.github/workflows/ci-node.yml@c62d0eebefffc0d3ca156453f0fb7cd3dcb94f4c # main
 ```
 
 ## Versioning
 
-- **Non-breaking** (fixes, dependency updates): `v1` tag moves forward
-- **Breaking** (removed inputs, changed behavior): new major `v2`
-- SHA pins inside workflows are auto-updated by Renovate
+- All workflow references use **SHA pinning** (no `@v1` tags)
+- SHA pins are auto-updated by **Renovate** (Dependabot is not used)
 
 ## Composite Actions
 
-| Action | Description |
-|---|---|
+| Action                     | Description                                     |
+| -------------------------- | ----------------------------------------------- |
 | `actions/apply-org-config` | Download org config if no local override exists |
 
 ## Automation
 
-| Workflow | Schedule | Description |
-|---|---|---|
-| Compliance Audit | Monthly (1st) | Checks all repos for renovate.json, CI, branch protection |
-| Repo Sync | On push to `sync/` | Syncs PR template to all repos |
+| Workflow         | Schedule           | Description                                                                    |
+| ---------------- | ------------------ | ------------------------------------------------------------------------------ |
+| Compliance Audit | Monthly (1st)      | Checks all repos for renovate.json, CI, branch protection, LICENSE, CODEOWNERS |
+| Repo Sync        | On push to `sync/` | Syncs PR/issue templates to all non-archived repos (dynamic)                   |
+
+## Community Health Files
+
+Org-wide defaults (applied to all repos without their own):
+
+| File              | Purpose                        |
+| ----------------- | ------------------------------ |
+| `SECURITY.md`     | Vulnerability reporting policy |
+| `CONTRIBUTING.md` | Contribution guidelines        |
+| `CODEOWNERS`      | Default code review ownership  |
+| `LICENSE`         | MIT license                    |
+
+## Dependency Policy
+
+All repositories use **Renovate** exclusively for dependency management. Dependabot is not used.
+Shared presets are maintained in [h13/renovate-config](https://github.com/h13/renovate-config).
 
 ## Ecosystem
 
 ```text
 h13/dotfiles                      ← Dev environment + repo-init
   └─ repo-init --stack=node --github
        ├─ generates → renovate.json ──→ h13/renovate-config
-       ├─ generates → .github/workflows/ci.yml (calls @v1)
+       ├─ generates → .github/workflows/ci.yml (SHA-pinned)
        └─ configures → GitHub settings (branch protection, labels, alerts)
 
 h13/.github                       ← Reusable Workflows + shared config ★
   ├─ ci-{node,go,php,terraform,markdown}.yml (reusable, SHA-pinned)
   ├─ compliance-audit.yml (monthly)
-  ├─ repo-sync.yml (PR template sync)
+  ├─ repo-sync.yml (dynamic sync to all repos)
   └─ apply-org-config action
 
 h13/renovate-config               ← Shared Renovate presets

sync/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,32 @@
+name: Bug report
+description: Report a bug or unexpected behavior
+labels: ["bug"]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What happened?
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What did you expect to happen?
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      description: How can we reproduce the issue?
+    validations:
+      required: true
+  - type: textarea
+    id: environment
+    attributes:
+      label: Environment
+      description: "OS, runtime version, etc."
+    validations:
+      required: false

sync/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,25 @@
+name: Feature request
+description: Suggest a new feature or improvement
+labels: ["enhancement"]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What problem does this solve?
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed solution
+      description: How should it work?
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Any other approaches you considered?
+    validations:
+      required: false

workflow-templates/ci-go.yml

@@ -6,24 +6,5 @@ on:
   pull_request:
 
 jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-
-      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
-        with:
-          go-version-file: go.mod
-
-      - run: go test ./...
-
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-
-      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
-        with:
-          go-version-file: go.mod
-
-      - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
+  ci:
+    uses: h13/.github/.github/workflows/ci-go.yml@c62d0eebefffc0d3ca156453f0fb7cd3dcb94f4c # main