docs: update contribution guidelines, enforce security policies #15
Conversation
…andarise pr and commit requirements
| Layer / File(s) | Summary |
|---|---|
| Security Policy and Issue Templates: SECURITY.md, .github/ISSUE_TEMPLATE/bug_report.yml, .github/ISSUE_TEMPLATE/feature_request.yml | Adds SECURITY.md and updates issue templates to warn against public vulnerability reports and direct reporters to private disclosure. |
| CONTRIBUTING.md Rework: CONTRIBUTING.md | Reorganizes contributor guide: security caution, TOC, "Before You Start", codebase entry points, and contact/security instructions. |
| Branch Naming and Commit Conventions: CONTRIBUTING.md (branch naming, commit conventions) | Enforces strict branch naming and Conventional Commits with an allowed type/scope mapping. |
| PR Template and Requirements: .github/PULL_REQUEST_TEMPLATE.md, CONTRIBUTING.md (PR requirements) | Replaces PR scaffold with ## Description, updates checklist to require lint/build/test commands, stricter no-secrets checks, and rebase-on-main; documents CI gates. |
| Code Standards and Testing: CONTRIBUTING.md (Code Standards, Testing Requirements) | Specifies Python/FastAPI and TypeScript/React rules, CI pytest invocation, frontend test guidance, and expands rejection checklist. |
| Review Timeline and Labels: CONTRIBUTING.md (Review Timeline, Issue Labels) | Converts review timeline to a target table and updates label guidance for issues/PRs. |
| CI Dependency Management & Lint Step: backend/requirements-ci.txt, backend/requirements-base.txt, backend/requirements.txt, .github/workflows/ci.yml | Adds base and CI requirements files; CI now installs from requirements-ci.txt and runs ruff check without installing Ruff in each job. |
| Automation Workflows and Repo Config: .github/dependabot.yml, .github/workflows/greetings.yml, .github/workflows/stale.yml, .gitignore, README.md, .coderabbit.yaml | Adds Dependabot, Greetings, and Stale workflows; updates .gitignore to ignore ._*; swaps README feature label to feature; updates .coderabbit.yaml for language and auto-review prompt. |
Camera Stream Ref Capture Fix
| Layer / File(s) | Summary |
|---|---|
| Camera Stream Ref Snapshotting: src/pages/ScannerPage.tsx | Snapshots videoRef.current to currentVideo for stream setup and cleanup so the correct video element is referenced throughout the effect lifecycle. |
Estimated code review effort
🎯 3 (Moderate) | ⏱️ ~25 minutes
Poem
🐰 A twitch, a tweak, a careful fix,
Camera keeps its steady mix.
Docs now warn where secrets hide,
CI tidy, workflows tied.
Hops of joy — the repo’s spry!
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ❌ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main changes: updating contribution guidelines and establishing security policies (SECURITY.md, stricter CONTRIBUTING.md rules, template updates for security routing). |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
3 issues found across 11 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/ISSUE_TEMPLATE/bug_report.yml">
<violation number="1" location=".github/ISSUE_TEMPLATE/bug_report.yml:9">
P1: Broken link: `../SECURITY.md` resolves to `.github/SECURITY.md`, which doesn't exist. SECURITY.md is at the repository root. Fix the relative path so users don't hit a 404.</violation>
</file>
<file name="backend/requirements-ci.txt">
<violation number="1" location="backend/requirements-ci.txt:1">
P2: `requirements-ci.txt` duplicates nearly all deps from `requirements.txt`. When shared deps change in one file, the other drifts silently until CI breaks. Extract common deps into a base file (e.g., `requirements-base.txt` excluding torch/torchvision) and reference it from both `requirements.txt` and `requirements-ci.txt` with `-r requirements-base.txt`. Then `requirements-ci.txt` only needs its CI-specific extras line.</violation>
</file>
<file name=".github/ISSUE_TEMPLATE/feature_request.yml">
<violation number="1" location=".github/ISSUE_TEMPLATE/feature_request.yml:8">
P2: Relative paths `../SECURITY.md` and `../DOCUMENTATION.md` won't resolve correctly in the issue template form. GitHub doesn't resolve markdown relative links in issue forms from the file's directory. Both SECURITY.md and DOCUMENTATION.md are at repo root — use absolute URLs or drop the `../` prefix.</violation>
</file>
Actionable comments posted: 6
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/ISSUE_TEMPLATE/bug_report.yml:
- Line 9: Replace the relative link target in the issue template line that reads
"Do NOT use this form. Read [SECURITY.md](../SECURITY.md) and report it
privately via email instead." with a root-relative or absolute path so it always
resolves (e.g., change "../SECURITY.md" to "/SECURITY.md" or the repo's full
URL); update only the link target in that quoted string so the link points to
the repository root SECURITY.md.
In @.github/ISSUE_TEMPLATE/feature_request.yml:
- Around line 8-13: Update the two relative links in the issue template that
currently point to "../SECURITY.md" and "../DOCUMENTATION.md#14-future-roadmap"
so they use root-relative paths ("/SECURITY.md" and
"/DOCUMENTATION.md#14-future-roadmap") to ensure links resolve correctly from
.github/ISSUE_TEMPLATE/feature_request.yml; locate and replace the link strings
in the block containing "Is this a security concern? Use [SECURITY.md]" and the
"Read before opening" section.
In `@backend/requirements-ci.txt`:
- Around line 1-10: The CI requirements file uses loose >= specifiers which
allows dependency drift; update backend/requirements-ci.txt to pin each package
to an exact version (replace each "package>=x.y.z" with "package==x.y.z",
preserving extras like "uvicorn[standard]") using the currently
validated/resolved versions for fastapi, uvicorn[standard], supabase, Pillow,
numpy, python-dotenv, python-multipart, httpx, pytest, ruff, etc.; to keep this
reproducible, regenerate the file from your lockfile/resolved environment (e.g.,
pip freeze or pip-compile) so the exact versions in requirements-ci.txt match
the tested CI environment.
In `@CONTRIBUTING.md`:
- Around line 74-76: Markdown fenced code blocks in CONTRIBUTING.md are missing
a language tag which triggers markdownlint MD040; update both code fences
containing the commit message templates so they include a language (for example
"text") by changing the opening backticks from ``` to ```text for the block that
shows "<type>(<scope>): <summary>" and the example block that lists commit lines
like "feat(scanner): add live confidence threshold display" and "fix(auth):
handle OAuth redirect loop on mobile Safari" (also apply the same change to the
similar block at lines 102-107).
In `@SECURITY.md`:
- Around line 15-17: The fenced block containing the email currently has no
language and triggers markdownlint MD040; update that fence in SECURITY.md by
adding a language (e.g., change the triple-backtick fence to ```text) or remove
the code fence to make it plain text so the markdown linter stops flagging
it—locate the email block and apply the change.
In `@src/components/Navbar.tsx`:
- Line 22: The useEffect currently calls setProfile(null) synchronously
(triggering react-hooks/set-state-in-effect); remove the synchronous
setProfile(null) from the useEffect body and instead call setProfile(null)
inside the auth-change event handler (the function that handles auth-change
events used in the same effect), e.g., update the auth-change handler
(referenced as the auth-change callback registered in useEffect) to
setProfile(null) when appropriate and keep the effect only for
registering/unregistering that handler.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 0871c5b3-6245-4ac8-bc49-271770e1c418
📒 Files selected for processing (11)
- .github/ISSUE_TEMPLATE/bug_report.yml
- .github/ISSUE_TEMPLATE/feature_request.yml
- .github/PULL_REQUEST_TEMPLATE.md
- .github/workflows/ci.yml
- .gitignore
- CONTRIBUTING.md
- README.md
- SECURITY.md
- backend/requirements-ci.txt
- public/._manifest.json
- src/components/Navbar.tsx
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.coderabbit.yaml:
- Line 3: The reviews.auto_review entry is using a boolean but the schema
expects an object; update the .coderabbit.yaml to replace reviews.auto_review:
true with an object like reviews.auto_review: { enabled: true } (or the
equivalent YAML mapping) so the field conforms to the expected structure and any
additional properties (e.g., enabled) can be added later.
In @.github/workflows/greetings.yml:
- Line 16: Update the workflow's action reference so it uses a specific commit
SHA instead of the floating tag; replace the line that reads "uses:
actions/first-interaction@v1" with "uses:
actions/first-interaction@<commit-sha>" where <commit-sha> is the exact commit
hash from the actions/first-interaction repository (use the action's GitHub repo
to find the latest stable commit and pin to that SHA) to ensure immutability for
the "actions/first-interaction@v1" usage.
In @.github/workflows/stale.yml:
- Line 14: Replace the mutable reference "uses: actions/stale@v9" with a pinned
full commit SHA for the actions/stale action; locate the latest stable commit
SHA from the actions/stale repository (or the specific release tag you want) and
update the workflow job step that contains the literal "uses: actions/stale@v9"
to use "uses: actions/stale@<full-commit-sha>" so the workflow is pinned to an
immutable revision.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: ea869b67-bada-41cd-a397-e88676a74513
📒 Files selected for processing (11)
- .coderabbit.yaml
- .github/ISSUE_TEMPLATE/bug_report.yml
- .github/ISSUE_TEMPLATE/feature_request.yml
- .github/dependabot.yml
- .github/workflows/greetings.yml
- .github/workflows/stale.yml
- CONTRIBUTING.md
- SECURITY.md
- backend/requirements-base.txt
- backend/requirements-ci.txt
- backend/requirements.txt
✅ Files skipped from review due to trivial changes (5)
- backend/requirements-base.txt
- .github/dependabot.yml
- SECURITY.md
- .github/ISSUE_TEMPLATE/bug_report.yml
- CONTRIBUTING.md
| issues: write | ||
| pull-requests: write | ||
| steps: | ||
| - uses: actions/stale@v9 |
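Review bot: `actions/stale@v9` on the last line of this hunk is a mutable tag, so the job runs whatever the tag points to at execution time; pin it to the full 40-character commit SHA of the release you tested, for example `- uses: actions/stale@<FULL_LENGTH_COMMIT_SHA> # v9`, keeping the tag as a trailing comment so the version stays readable next to the hash. The `issues: write` / `pull-requests: write` permissions above it are the right scope for labelling and closing stale items; keep them as the job's only grants.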
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Verify unpinned GitHub Actions references in workflows.
rg -nP '^\s*-\s*uses:\s*[^@]+@((?![0-9a-f]{40}).)+$' .github/workflows
```
Repository: jpdevhub/FreshScanAi
Length of output: 584
Pin actions/stale to a commit SHA (avoid mutable @v9).
.github/workflows/stale.yml:14 uses actions/stale@v9, and @v9 is mutable; pinning to the full commit SHA reduces action-reference drift.
- uses: actions/stale@v9
🔒 Proposed fix
- - uses: actions/stale@v9
+ - uses: actions/stale@<FULL_LENGTH_COMMIT_SHA>
🧰 Tools
🪛 zizmor (1.25.2)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/stale.yml at line 14, Replace the mutable reference "uses:
actions/stale@v9" with a pinned full commit SHA for the actions/stale action;
locate the latest stable commit SHA from the actions/stale repository (or the
specific release tag you want) and update the workflow job step that contains
the literal "uses: actions/stale@v9" to use "uses:
actions/stale@<full-commit-sha>" so the workflow is pinned to an immutable
revision.
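The rg one-liner in the analysis chain above is the whole check the reviewers rely on. As an added example (not code from the repository or from any of the review bots), here is the same check in plain Python, extended in two ways the one-liner does not cover: it skips local (`./`) and `docker://` references, which have no git ref to pin, and it separately reports SHA-pinned steps that lack a trailing version comment, since the hash alone is unreadable in review. The workflow text is constructed for the example and the checkout SHA in it is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow text (not from the repository). It mirrors the two
# step references flagged in the review plus one SHA-pinned step and one local step.
# The 40-hex value below is a placeholder, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
name: stale
on:
  schedule:
    - cron: "0 1 * * *"
permissions:
  issues: write
  pull-requests: write
jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/stale@v9
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/first-interaction@v1
      - uses: ./.github/actions/local-step
"""

# A `uses:` line, optionally preceded by the list dash and followed by a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(line):
    """Return (ref, comment) for a `uses:` line, or None if the line is not one."""
    match = USES_RE.match(line)
    if not match:
        return None
    return match.group("ref"), (match.group("comment") or "").strip()


def is_remote_action(ref):
    """Local actions and docker images carry no git ref, so there is nothing to pin."""
    return not (ref.startswith("./") or ref.startswith("docker://"))


def is_sha_pinned(ref):
    """True when the part after the last '@' is a full 40-hex commit SHA."""
    if "@" not in ref:
        return False
    return bool(FULL_SHA_RE.match(ref.rsplit("@", 1)[1]))


def find_unpinned(workflow_text):
    """Return [(line_number, ref)] for every remote action not pinned to a full SHA."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        parsed = parse_uses(line)
        if parsed is None:
            continue
        ref, _comment = parsed
        if is_remote_action(ref) and not is_sha_pinned(ref):
            findings.append((number, ref))
    return findings


def pinned_without_comment(workflow_text):
    """Return [(line_number, ref)] for SHA-pinned steps with no trailing '# vX' comment."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        parsed = parse_uses(line)
        if parsed is None:
            continue
        ref, comment = parsed
        if is_sha_pinned(ref) and not comment:
            findings.append((number, ref))
    return findings


if __name__ == "__main__":
    for number, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref} is not pinned to a commit SHA")
    for number, ref in pinned_without_comment(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref} is pinned but has no version comment")
```

Run against a real repository by reading each file under .github/workflows and passing its text to find_unpinned; a non-empty result is a CI failure condition, which is what the zizmor `unpinned-uses` rule enforces.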
Pull request overview
This PR strengthens contributor/security workflows (new security policy, stricter contribution and template guidance, CI dependency pinning) and includes a small frontend fix to address a React Hooks lint issue in the scanner camera effect.
Changes:
- Added a formal security policy and updated contributor docs/templates to route vulnerability reports privately and enforce contribution standards.
- Refactored backend dependency installation for CI to use pinned requirements files.
- Adjusted the ScannerPage camera effect to avoid stale ref usage in async/cleanup.
Reviewed changes
Copilot reviewed 15 out of 17 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/pages/ScannerPage.tsx | Captures videoRef.current once per effect run to satisfy hooks/lint and stabilize cleanup behavior. |
| SECURITY.md | Adds a private vulnerability reporting policy and response timelines. |
| README.md | Updates “Request Feature” link label parameter. |
| CONTRIBUTING.md | Overhauls contribution requirements, standards, and testing expectations. |
| backend/requirements.txt | Switches to -r requirements-base.txt and keeps local test deps. |
| backend/requirements-ci.txt | Introduces CI-only dependency set (base + pytest + ruff). |
| backend/requirements-base.txt | Introduces shared backend dependency list used by other requirement files. |
| .gitignore | Ignores macOS ._* metadata files. |
| .github/workflows/stale.yml | Adds stale issue/PR automation. |
| .github/workflows/greetings.yml | Adds first-interaction greeting automation for issues/PRs. |
| .github/workflows/ci.yml | Installs backend CI deps via backend/requirements-ci.txt and simplifies Ruff setup. |
| .github/PULL_REQUEST_TEMPLATE.md | Updates PR template to a single description section + stricter checklist. |
| .github/ISSUE_TEMPLATE/feature_request.yml | Adds security-routing guidance and stronger pre-submission expectations. |
| .github/ISSUE_TEMPLATE/bug_report.yml | Adds security-routing warning and stricter report expectations. |
| .github/dependabot.yml | Enables Dependabot updates for npm/pip/GitHub Actions. |
| .coderabbit.yaml | Configures CodeRabbit auto-review behavior and PR complexity labeling instructions. |
| - [ ] `npm run lint` passes with no errors | ||
| - [ ] `npm run build` compiles without TypeScript errors | ||
| - [ ] `python -m pytest` passes (including new tests I added) |
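Review bot: the checklist in this hunk omits the backend lint gate. The ci.yml change in this PR runs `ruff check` from backend/requirements-ci.txt, so a contributor can tick all three boxes and still fail CI; add a `- [ ] \`ruff check\` passes` item beside the pytest line and state the directory the Python commands are run from (backend/, where the requirements files live), so the local checks match the documented CI gates.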
| - uses: actions/first-interaction@v1 | ||
| with: | ||
| repo-token: ${{ secrets.GITHUB_TOKEN }} |
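Review bot: `actions/first-interaction@v1` on the first line of this hunk is a floating major tag, the same problem the review raised for `actions/stale@v9`; pin it to the full commit SHA of the tested release with a `# v1` trailing comment. The `repo-token` is the default `GITHUB_TOKEN`, so if the greetings job does not already declare a `permissions:` block, add one scoped like the stale workflow's (`issues: write`, `pull-requests: write`) rather than inheriting the repository default.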
| - uses: actions/stale@v9 | ||
| with: | ||
| repo-token: ${{ secrets.GITHUB_TOKEN }} |
Description
This PR overhauls the project's documentation and contribution workflows to ensure security, standardisation, and a better experience for open-source contributors.
Summary by cubic
Introduces a clear security policy and tightens contributor workflows. Adds SECURITY.md, updates CONTRIBUTING and templates, pins CI to backend/requirements-ci.txt, and fixes a React Hooks lint issue in ScannerPage.tsx.
New Features
Bug Fixes
- ScannerPage.tsx: stabilized video ref usage and cleanup to prevent stale references.
Written for commit a6da084.
Summary by CodeRabbit
Documentation
Bug Fixes
Chores