chore: repo hygiene — health files, CodeQL, GHCR Docker publish #43

Merged
mftnakrsu merged 2 commits into main from chore/repo-hygiene
May 10, 2026

Conversation

@mftnakrsu (Owner)

Polishes the repo to standard OSS health-file expectations and closes a distribution gap.

Health files

  • SECURITY.md — supported-versions table, GitHub private advisory + email disclosure paths, response timeline, plus hardening notes for operators (CORS lockdown, retention policy, pepper rotation).
  • CHANGELOG.md — Keep-a-Changelog format; v0.2.0 release + v0.2.1 (yanked) / v0.2.2 / v0.2.3 patch sections populated with PR backrefs.
  • CONTRIBUTING.md — onboarding (clone + uv sync + make test), branch naming, conventional-commit prefixes, KVKK/GDPR design rules ("don't persist raw plate text"), release procedure for maintainers.
  • .github/ISSUE_TEMPLATE/bug_report.yml — YAML form, enforces version + python + repro fields.
  • .github/ISSUE_TEMPLATE/feature_request.yml — incl. a KVKK privacy-impact checkbox.
  • .github/ISSUE_TEMPLATE/config.yml — directs security issues to the private advisory; links to PyPI.
  • .github/PULL_REQUEST_TEMPLATE.md — type-of-change checklist + test plan + KVKK check.

Workflows

  • .github/workflows/codeql.yml — free Python security/quality scan on push, PR, and weekly (Mon 04:32 UTC).
  • .github/workflows/publish.yml — extended with a publish-docker job. On every tag push, the existing PyPI publish now runs alongside a Docker publish to ghcr.io/mftnakrsu/anpr-pipeline (semver {version} + {major}.{minor} + latest tags) via docker/metadata-action + docker/build-push-action with GHA layer cache. Opt-in manual run via workflow_dispatch.

Out of scope

  • README docker pull ghcr.io/... instructions — will come in a follow-up after the first tag triggers the GHCR job and the image is live.

mftnakrsu added 2 commits May 11, 2026 02:33
Brings the repo up to standard OSS health-file expectations and closes a
distribution gap (Docker image was being built in CI then thrown away).

Health files:

* SECURITY.md — supported versions, disclosure process via GitHub
  private advisory, response timeline, hardening notes for operators
  (CORS, retention, HMAC pepper rotation).
* CHANGELOG.md — Keep-a-Changelog format, populated with the v0.2.0
  release + v0.2.1 (yanked) / 0.2.2 / 0.2.3 patches.
* CONTRIBUTING.md — onboarding, branch naming, conventional-commits,
  make targets for local checks, KVKK/GDPR privacy rules, release
  procedure for maintainers.
* .github/ISSUE_TEMPLATE/{bug_report.yml, feature_request.yml,
  config.yml} — YAML form-style templates; bug-report enforces
  version + python + repro fields; feature-request has a KVKK
  privacy checkbox.
* .github/PULL_REQUEST_TEMPLATE.md — type-of-change checklist + test
  plan + KVKK check.

Workflows:

* .github/workflows/codeql.yml — Python security/quality scan on
  push, PR, and Mondays.
* .github/workflows/publish.yml — extended with a `publish-docker`
  job that pushes to ghcr.io/mftnakrsu/anpr-pipeline on tag push
  (semver tag pattern + `latest`) via docker/metadata-action +
  docker/build-push-action. Also opt-in via workflow_dispatch.

CI was building the Docker image and throwing it away. With this job
the image is pushed to ghcr.io/mftnakrsu/anpr-pipeline on every tag
push (semver `{version}` + `{major}.{minor}` + `latest` tags), or
manually via workflow_dispatch.

Uses docker/metadata-action to derive the tag set + OCI labels in one
place, docker/build-push-action with GHA cache for layer reuse, and
the workflow's built-in GITHUB_TOKEN with `packages: write` — no PAT
needed.

After this lands, the existing `pypi` and new `docker` publish steps
fan out from the same tag, so a single `git push origin vX.Y.Z`
covers both distribution channels.
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@mftnakrsu mftnakrsu merged commit 21b7c3c into main May 10, 2026
8 checks passed
@mftnakrsu mftnakrsu deleted the chore/repo-hygiene branch May 10, 2026 23:38