Skip to content

Commit be23215

Browse files
authored
docs: add CONTRIBUTING, SECURITY, and CODE_OF_CONDUCT (#83)
* docs: add CONTRIBUTING, SECURITY, and CODE_OF_CONDUCT Signed-off-by: Juho Vainio <juho.vainio@amd.com> * add eof line Signed-off-by: Juho Vainio <juho.vainio@amd.com> * docs: replace README Contributing section with link Signed-off-by: Juho Vainio <juho.vainio@amd.com> --------- Signed-off-by: Juho Vainio <juho.vainio@amd.com>
1 parent b817f00 commit be23215

5 files changed

Lines changed: 213 additions & 23 deletions

File tree

.gitignore

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,3 +11,4 @@ active-implementation-log.md
1111
current-user-asks.md
1212
__pycache__/
1313
/.hawkeye-bin/
14+
/.claude

CODE_OF_CONDUCT.md

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
<!--
2+
Copyright © Advanced Micro Devices, Inc., or its affiliates.
3+
4+
SPDX-License-Identifier: MIT
5+
-->
6+
7+
# Code of Conduct
8+
9+
## Our Pledge
10+
11+
We as contributors and maintainers pledge to make participation in this project a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
12+
13+
## Our Standards
14+
15+
Examples of behavior that contributes to a positive environment:
16+
17+
- Using welcoming and inclusive language
18+
- Being respectful of differing viewpoints and experiences
19+
- Gracefully accepting constructive feedback
20+
- Focusing on what is best for the community and the project
21+
- Showing empathy toward other contributors
22+
23+
Examples of unacceptable behavior:
24+
25+
- The use of sexualized language or imagery, and unwelcome sexual attention or advances
26+
- Trolling, insulting or derogatory comments, and personal or political attacks
27+
- Public or private harassment
28+
- Publishing others' private information (physical or electronic addresses) without explicit permission
29+
- Other conduct which could reasonably be considered inappropriate in a professional setting
30+
31+
## Our Responsibilities
32+
33+
Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
34+
35+
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, issues, and other contributions that are not aligned with this Code of Conduct, or to temporarily or permanently ban any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
36+
37+
## Scope
38+
39+
This Code of Conduct applies within all project spaces — including the GitHub repository, issue tracker, pull requests, and any other forums created by the project team — and also applies when an individual is officially representing the project in public spaces.
40+
41+
## Enforcement
42+
43+
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project maintainers via GitHub. All complaints will be reviewed and investigated promptly and fairly. The project team is obligated to maintain confidentiality with regard to the reporter of an incident.
44+
45+
Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
46+
47+
## Attribution
48+
49+
This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org), version 2.1, available at <https://www.contributor-covenant.org/version/2/1/code_of_conduct/>.

CONTRIBUTING.md

Lines changed: 105 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,105 @@
1+
<!--
2+
Copyright © Advanced Micro Devices, Inc., or its affiliates.
3+
4+
SPDX-License-Identifier: MIT
5+
-->
6+
7+
# Contributing to ROCm CLI
8+
9+
Thank you for your interest in contributing. This document explains how to get started, how work is tracked, and what to expect from the review process.
10+
11+
## Code of Conduct
12+
13+
By participating in this project you agree to abide by the [Code of Conduct](CODE_OF_CONDUCT.md).
14+
15+
## Issue Tracking
16+
17+
Bug reports and feature requests are tracked as [GitHub Issues](../../issues). Before opening a new issue, search existing ones to avoid duplicates.
18+
19+
## Branch and Commit Naming
20+
21+
Use [Conventional Commits](https://www.conventionalcommits.org/) for commit messages:
22+
23+
```
24+
feat: add support for vLLM multi-GPU serving
25+
fix: correct VRAM probe when amd-smi is absent
26+
docs: clarify GPU selection flag behavior
27+
chore: bump rust-toolchain to 1.96
28+
```
29+
30+
Branch names should be short and descriptive:
31+
32+
```
33+
feat/vllm-multi-gpu
34+
fix/vram-probe-fallback
35+
```
36+
37+
## Development Setup
38+
39+
Prerequisites: Rust (see `rust-toolchain.toml` for the pinned version) and [uv](https://github.com/astral-sh/uv) (for prek and scripts).
40+
41+
```bash
42+
git clone https://github.com/ROCm/rocm-cli
43+
cd rocm-cli
44+
uv tool install prek # or: cargo install --locked prek
45+
prek install # fast checks on every commit
46+
prek install -t pre-push # heavier checks on push (clippy + tests)
47+
```
48+
49+
`prek` runs the same checks locally that CI enforces: `cargo fmt`, `clippy`, `cargo test`, `ruff` (Python), `shellcheck` (shell), and PowerShell syntax.
50+
51+
### Workspace layout
52+
53+
| Path | Description |
54+
| --- | --- |
55+
| `apps/rocm` | Main CLI binary |
56+
| `apps/rocmd` | Background daemon |
57+
| `crates/rocm-core` | Core library |
58+
| `crates/rocm-dash-*` | Dashboard TUI libraries |
59+
| `crates/rocm-engine-protocol` | Engine IPC protocol |
60+
| `engines/` | Inference engine adapters (lemonade, vllm) |
61+
62+
### Test commands
63+
64+
| Component | Command |
65+
| --- | --- |
66+
| Rust (all crates) | `cargo test` |
67+
| Lint + format check | `prek run --all-files` |
68+
69+
See `docs/testing.md` for the full test guide and `docs/manual-testing.md` for manual QA steps.
70+
71+
## Making Changes
72+
73+
1. **Fork** the repository and create a branch from `main`.
74+
2. **Make your changes.** Keep commits focused — one logical change per commit.
75+
3. **Add or update tests** for any new behavior.
76+
4. **Run the relevant test suite** before opening a PR.
77+
5. **Open a pull request** against `main` with a clear title and description following the Conventional Commits format.
78+
79+
### Commit signing and sign-off
80+
81+
Commits must be both cryptographically **signed** and carry a DCO **`Signed-off-by`** trailer. Use `git commit -s` to add the trailer automatically. This is enforced by the prek hooks and by a blocking CI check.
82+
83+
Enable SSH signing once with:
84+
85+
```bash
86+
git config --global gpg.format ssh
87+
git config --global user.signingkey ~/.ssh/id_ed25519.pub
88+
git config --global commit.gpgsign true
89+
```
90+
91+
See `docs/commit-signatures.md` for GPG signing, GitHub "Verified" status, and troubleshooting.
92+
93+
### What reviewers look for
94+
95+
- Tests cover the new behavior
96+
- No secrets, credentials, or internal hostnames in committed files
97+
- Third-party dependencies declared in `Cargo.lock`; license headers present on new source files (see `licenserc.toml`)
98+
99+
## Reporting Security Issues
100+
101+
Do **not** open a public GitHub Issue for security vulnerabilities. See [SECURITY.md](SECURITY.md) for the responsible disclosure process.
102+
103+
## License
104+
105+
By contributing you agree that your contributions will be licensed under the [MIT License](LICENSE.TXT).

README.md

Lines changed: 1 addition & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -340,29 +340,7 @@ rocm completions powershell | Out-String | Invoke-Expression
340340

341341
## Contributing
342342

343-
This repo uses [prek](https://github.com/j178/prek) (a fast drop-in
344-
replacement for `pre-commit`) to run the same checks locally that CI enforces:
345-
`cargo fmt`, `clippy`, `cargo test`, `ruff` (Python), `shellcheck` (shell),
346-
and PowerShell syntax.
347-
348-
```bash
349-
uv tool install prek # or: cargo install --locked prek
350-
prek install # fast checks on commit
351-
prek install -t pre-push # heavier checks on push (clippy + tests)
352-
prek run --all-files # run everything against the whole tree
353-
```
354-
355-
Commits must be both cryptographically **signed** and carry a DCO
356-
**`Signed-off-by`** trailer (use `git commit -s`). This is enforced by the
357-
prek hooks above and by a blocking CI check. Enable signing once with:
358-
359-
```bash
360-
git config --global gpg.format ssh
361-
git config --global user.signingkey ~/.ssh/id_ed25519.pub
362-
git config --global commit.gpgsign true
363-
```
364-
365-
See `docs/commit-signatures.md` for details (GPG signing, GitHub "Verified", and troubleshooting).
343+
See [CONTRIBUTING.md](CONTRIBUTING.md).
366344

367345
## More docs
368346

SECURITY.md

Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
<!--
2+
Copyright © Advanced Micro Devices, Inc., or its affiliates.
3+
4+
SPDX-License-Identifier: MIT
5+
-->
6+
7+
# Security Policy
8+
9+
This security policy outlines the process for reporting vulnerabilities and secrets found within this GitHub repository.
10+
It is essential that all contributors and users adhere to this policy in order to maintain a secure and stable environment.
11+
12+
## Reporting a Vulnerability
13+
14+
If you discover a vulnerability within the code, dependencies, or any other component of this repository, please follow these steps:
15+
16+
1. **Do not disclose the vulnerability publicly.** Publicly disclosing a vulnerability may put the project at risk and could potentially harm other users.
17+
18+
2. **Report the vulnerability privately** using [GitHub's private vulnerability reporting](../../security/advisories/new). Include the following information:
19+
- The affected component(s)
20+
- Steps to reproduce the issue
21+
- Potential impact of the vulnerability
22+
- Any possible mitigations or workarounds
23+
24+
3. **Wait for a response from the maintainers.** Please be patient, as they may need time to investigate and verify the issue. The maintainers will acknowledge receipt of your report and provide an estimated time frame for addressing the vulnerability.
25+
26+
4. **Cooperate with the maintainers.** If requested, provide additional information or assistance to help resolve the issue.
27+
28+
5. **Do not disclose the vulnerability until the maintainers have addressed it.** Once the issue has been resolved, the maintainers may choose to publicly disclose the vulnerability and credit you for the discovery.
29+
30+
## Reporting Secrets
31+
32+
If you discover any secrets, such as API keys or passwords, within the repository, follow these steps:
33+
34+
1. **Do not share the secret or use it for unauthorized purposes.** Misusing a secret could have severe consequences for the project and its users.
35+
36+
2. **Report privately** using [GitHub's private vulnerability reporting](../../security/advisories/new). Include the secret's location and any potential risks associated with it.
37+
38+
3. **Wait for a response and further instructions.**
39+
40+
## Responsible Disclosure
41+
42+
We encourage responsible disclosure of vulnerabilities and secrets. If you follow the steps outlined in this policy, we will work with you to understand and address the issue. We will not take legal action against individuals who discover and report vulnerabilities or secrets in accordance with this policy.
43+
44+
## Patching and Updates
45+
46+
We are committed to maintaining the security of our project. When vulnerabilities are reported and confirmed, we will:
47+
48+
1. Work diligently to develop and apply a patch or implement a mitigation strategy.
49+
2. Keep the reporter informed about the progress of the fix.
50+
3. Update the repository with the necessary patches and document the changes in the release notes or changelog.
51+
4. Credit the reporter for the discovery, if they wish to be acknowledged.
52+
53+
## Contributing to Security
54+
55+
We welcome contributions that help improve the security of our project. If you have suggestions or want to contribute code to address security issues, please follow the standard contribution guidelines in [CONTRIBUTING.md](CONTRIBUTING.md). When submitting a pull request related to security, please mention that it addresses a security issue and provide any necessary context.
56+
57+
By adhering to this security policy, you contribute to the overall security and stability of the project. Thank you for your cooperation and responsible handling of vulnerabilities and secrets.

0 commit comments

Comments
 (0)