chore(bestpractices): uplift to Met across the passing tier#18
Merged
Author the missing documentation and infrastructure so .bestpractices.json reaches 64 Met / 3 N/A / 0 Unmet (was 58 / 6 / 3) without aspirational answers. Justifications carry a URL only for the eight criteria where the upstream criteria.yml sets met_url_required (contribution, contribution_requirements, license_location, release_notes, report_process, report_archive, vulnerability_report_process, vulnerability_report_private); every other justification is prose only.

New documentation:
- CONTRIBUTING.md — bug-report process, PR conventions, coding standards table, static + dynamic analysis gates, license note.
- SECURITY.md — supported-version matrix, vulnerability reporting channels (GitHub private advisory + email fallback), what to include, response-time commitments, scope, security architecture reference, credit policy.

Release notes uplift:
- .github/workflows/release.yml now parses Conventional Commit prefixes (feat/fix/perf/refactor/docs/test/ci/build/chore) and groups them into human-readable categorised sections, replacing the raw `git log` dump. Anything that doesn't match a known prefix lands in an 'Other' section so nothing is silently dropped. Verified locally against the v0.1.10..v0.1.15 range.

Dynamic analysis:
- ci.yml + release.yml: `go test` now runs with `-race`, Go's runtime data-race detector. The race detector immediately surfaced a real test-side race in cmd/logs_extra_test.go: TestTailLog_DrainsThenExitsOnContextCancel's goroutine still had withFlags' deferred restore in flight when the test returned, racing the next test's withFlags read. Fixed by gating the test exit on a sync.WaitGroup so the goroutine fully completes before the test function returns. Full -race suite passes (918 tests, 27 packages, ~0 races).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>



Summary
Acts on the criteria you flagged. After this PR, `.bestpractices.json` reads 64 Met / 3 N/A / 0 Unmet (was 58 / 6 / 3) — full passing-tier coverage with no aspirational answers.
Per your instruction, justifications carry a URL only (no extra text) for the eight criteria where the upstream `criteria.yml` sets `met_url_required: true` — `contribution`, `contribution_requirements`, `license_location`, `release_notes`, `report_process`, `report_archive`, `vulnerability_report_process`, `vulnerability_report_private`. Every other justification is prose only.
What changed
Documentation (new files):
Release-notes uplift (`release.yml`):
Dynamic analysis (`ci.yml` + `release.yml`):
.bestpractices.json delta
`crypto_pfs`, `dynamic_analysis_unsafe`, `release_notes_vulns` remain N/A with their original justifications.
Test plan
🤖 Generated with Claude Code
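The release-notes grouping the PR describes, reimplemented in Go as an added example (the project's own logic lives in the release.yml workflow and is not shown here): subject lines are bucketed by Conventional Commit prefix, the optional scope becomes a bullet prefix, and anything that does not match a known type is kept verbatim under "Other" so no commit is silently dropped. The section headings, the scope rendering and the sample subjects are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Section order and headings (assumed names); a line whose prefix is not a known
// type lands in "other" so nothing is silently dropped.
var order = []string{"feat", "fix", "perf", "refactor", "docs", "test", "ci", "build", "chore", "other"}
var title = map[string]string{"feat": "Features", "fix": "Bug Fixes", "perf": "Performance", "refactor": "Refactoring",
	"docs": "Documentation", "test": "Tests", "ci": "CI", "build": "Build", "chore": "Chores", "other": "Other"}
// Matches "<type>(<scope>): <subject>"; the scope and a breaking-change "!" are optional.
var conventionalRe = regexp.MustCompile(`^([a-z]+)(?:\(([^)]*)\))?!?:\s+(.+)$`)
// GroupCommits buckets git log subject lines by Conventional Commit type, keeping the
// scope as a bullet prefix; non-matching lines are kept verbatim under "other".
func GroupCommits(subjects []string) map[string][]string {
	groups := map[string][]string{}
	for _, s := range subjects {
		s = strings.TrimSpace(s)
		if s == "" {
			continue // blank lines are not commits
		}
		m := conventionalRe.FindStringSubmatch(s)
		if m == nil || m[1] == "other" || title[m[1]] == "" {
			groups["other"] = append(groups["other"], s)
			continue
		}
		bullet := m[3]
		if m[2] != "" {
			bullet = m[2] + ": " + bullet
		}
		groups[m[1]] = append(groups[m[1]], bullet)
	}
	return groups
}
// RenderNotes emits the Markdown sections in fixed order, skipping empty ones.
func RenderNotes(groups map[string][]string) string {
	var b strings.Builder
	for _, k := range order {
		if len(groups[k]) == 0 {
			continue
		}
		fmt.Fprintf(&b, "## %s\n", title[k])
		for _, line := range groups[k] {
			fmt.Fprintf(&b, "- %s\n", line)
		}
	}
	return b.String()
}
```

Feed it the output of `git log --format=%s <from>..<to>` split into lines; a merge commit or any free-form subject shows up under "Other" rather than vanishing.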