docs: OpenSSF Best Practices passing-level artifacts#145
Conversation
- CONTRIBUTING.md with test policy
- SECURITY.md with vulnerability reporting process
- CHANGELOG.md seeded from existing tags
Review: OpenSSF Best Practices Documentation

Overall, this is a well-executed PR providing the three required documentation artifacts. The files are clear, comprehensive, and consistent with the project's CLAUDE.md conventions.

Strengths:
Action Items:
Verdict: Approve pending resolution of the above items. Documentation quality is high and successfully satisfies OpenSSF Best Practices criteria.
CHANGELOG.md (review context):

```
[Unreleased]: https://github.com/bernardladenthin/java-llama.cpp/compare/v5.0.1...HEAD
[5.0.1]: https://github.com/bernardladenthin/java-llama.cpp/compare/v5.0.0...v5.0.1
```
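Review bot: the visible link references cover [Unreleased] and [5.0.1] only, while the changelog also carries a [5.0.0] entry (the first release); if that reference is not defined further down, add one such as `[5.0.0]: https://github.com/bernardladenthin/java-llama.cpp/releases/tag/v5.0.0`, and note that, like the two compare links shown here, it only resolves once the v5.0.0 tag has been pushed to the repository.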
v5.0.0 and v5.0.1 exist, but no tags are currently present in the repository. The links will return 404.
Options:
- Create annotated tags before merging: `git tag -a v5.0.0 <commit>` and `git tag -a v5.0.1 <commit>`
- Replace with commit SHA comparisons, e.g.: `https://github.com/bernardladenthin/java-llama.cpp/compare/<sha1>...<sha2>`
GitHub's compare URLs work with either tags or commit SHAs.
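The check behind the comment above, as an added example that is not part of PR #145 or the java-llama.cpp project: a small POSIX shell script that builds a throwaway git repository with constructed commits, writes a CHANGELOG using the same compare-link style as the PR (the repository URL is taken from the PR; the commits, versions and tag messages are made up for the demo), and reports every ref in those links that does not resolve locally. Before the annotated tags exist the check flags `v5.0.0` and `v5.0.1` (those links would 404 on GitHub); after `git tag -a` for both it reports nothing. The same `broken_refs` function can be pointed at a real checkout and its CHANGELOG.md as a pre-merge check.

```shell
#!/bin/sh
# Added example, not code from PR #145 or the java-llama.cpp project.
# Verifies that every ref used in a CHANGELOG's GitHub compare links exists in
# the local repository, so the links cannot 404 once pushed.

REPO_URL="https://github.com/bernardladenthin/java-llama.cpp"  # from the PR's links

# changelog_refs FILE: print every ref named in a ".../compare/A...B" link, one per line
changelog_refs() {
    sed -n 's#.*/compare/\([^ ]*\)\.\.\.\([^ ]*\).*#\1 \2#p' "$1" | tr ' ' '\n' | sort -u
}

# ref_exists DIR REF: succeed when REF (tag, branch, HEAD or SHA) resolves to a commit in DIR
ref_exists() {
    git -C "$1" rev-parse --verify --quiet "$2^{commit}" >/dev/null 2>&1
}

# broken_refs DIR FILE: print the refs from FILE's compare links that do not resolve in DIR
broken_refs() {
    for ref in $(changelog_refs "$2"); do
        ref_exists "$1" "$ref" || echo "$ref"
    done
}

# make_demo_repo: constructed repository with three commits and a changelog; prints its path
make_demo_repo() {
    dir=$(mktemp -d) || return 1
    git init -q "$dir"
    git -C "$dir" config user.name "Demo"
    git -C "$dir" config user.email "demo@example.invalid"   # constructed identity
    for v in 5.0.0 5.0.1 unreleased; do
        echo "$v" > "$dir/VERSION"
        git -C "$dir" add VERSION
        git -C "$dir" commit -q -m "release $v"
    done
    cat > "$dir/CHANGELOG.md" <<EOF
# Changelog

## [Unreleased]
## [5.0.1] - 2026-05-14
## [5.0.0] - 2026-05-11

[Unreleased]: $REPO_URL/compare/v5.0.1...HEAD
[5.0.1]: $REPO_URL/compare/v5.0.0...v5.0.1
[5.0.0]: $REPO_URL/releases/tag/v5.0.0
EOF
    echo "$dir"
}

# tag_releases DIR: create the annotated tags the changelog links depend on,
# pointing at the first two commits (the constructed 5.0.0 and 5.0.1 releases)
tag_releases() {
    git -C "$1" tag -a v5.0.0 -m "Release 5.0.0" "$(git -C "$1" rev-parse HEAD~2)"
    git -C "$1" tag -a v5.0.1 -m "Release 5.0.1" "$(git -C "$1" rev-parse HEAD~1)"
}

# demo: run the link check before and after tagging and show what it reports
demo() {
    d=$(make_demo_repo)
    echo "before tagging, unresolved refs: $(broken_refs "$d" "$d/CHANGELOG.md" | tr '\n' ' ')"
    tag_releases "$d"
    echo "after tagging, unresolved refs:  $(broken_refs "$d" "$d/CHANGELOG.md" | tr '\n' ' ')"
    rm -rf "$d"
}

demo
```

`HEAD` always resolves, so the `[Unreleased]` link is never the one that breaks; only the release tags need to exist, and they must be pushed (`git push --tags`) for GitHub's compare view to see them.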
SECURITY.md (review context):

### Secondary channel — maintainer email

If you cannot use the GitHub advisory form, you may contact the maintainer by email. The address associated with recent commits is listed in the git log (`git log --format='%ae' -1`). Note that this address is **unconfirmed** as a monitored security contact — GitHub Private Vulnerability Reporting above is preferred.
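Review bot: a security policy should state a fixed contact rather than tell reporters to derive one from `git log --format='%ae' -1`, because that command returns whichever address authored the most recent commit and changes with every push (on this repository it currently yields a bot address, per the audit findings); either name a monitored mailbox here or drop the section and keep GitHub Private Vulnerability Reporting as the sole channel.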
The `git log --format='%ae' -1` command currently returns `noreply@anthropic.com`, which is not a monitored security contact.
Since GitHub Private Vulnerability Reporting (above) is the primary and preferred method, consider either:
- Removing the secondary email option entirely (sufficient to list the GitHub form)
- Establishing a real, monitored security contact email and documenting it here
- Strengthening the guidance that this email is "unconfirmed" and "not monitored"
The current text appropriately marks it as "unconfirmed," but a contributor might waste time trying this channel.
Summary
Adds the three documentation artifacts required for the OpenSSF Best Practices passing badge level.
| File | OpenSSF criteria covered |
| --- | --- |
| CONTRIBUTING.md | interact, contribution, contribution_requirements, test_policy, tests_are_added, tests_documented_added |
| SECURITY.md | vulnerability_report_process, vulnerability_report_private, vulnerability_report_response |
| CHANGELOG.md | release_notes, release_notes_vulns |

File Details

CONTRIBUTING.md
- Maven (`mvn compile`, `mvn test`, `mvn package`) and CMake commands from the project, including CPU-only, CUDA, Metal, and C++ unit-test builds.
- `clang-format` for C++, Java 11+ requirement, and Javadoc HTML-entity conventions.

SECURITY.md

| Version | Supported |
| --- | --- |
| 5.x (latest) | supported |
| < 5.0 | not supported |

CHANGELOG.md
- [Unreleased] — in-progress work since 5.0.1 (llama.cpp b9172 upgrade, reasoning-budget tests, OpenSSF badge).
- [5.0.1] - 2026-05-14 — `setContinueFinalMessage`, llama.cpp upgrades through b9145, static MSVC runtime, CI fixes.
- [5.0.0] - 2026-05-11 — First Maven Central release under `net.ladenthin:llama`; full Java API surface; pre-built binaries; CodeQL; coverage; CI pipeline.

Audit Findings
- `main`. Adding annotated tags (`v5.0.0`, `v5.0.1`) is recommended for correct GitHub Releases linking and to satisfy `release_notes` fully.
- `git log --format='%ae' -1` returns `noreply@anthropic.com` (the address of the last automated commit). The real maintainer contact is not exposed in git history; GitHub Private Vulnerability Reporting is therefore the primary and recommended channel.
- `gh api` query returned `unavailable` — could not confirm whether GitHub Private Vulnerability Reporting is enabled on the repository. The maintainer should verify this is enabled in the repository Security settings.
- `codeql.yml` exists and runs on push to `main`, on PRs targeting `main`, and on a weekly schedule (`cron: "12 1 * * 0"`). Language: Java, queries: `+security-and-quality`.
- `publish.yml` downloads models and runs `mvn test` (Java integration tests) and `ctest` (C++ unit tests) on push and PR events. CI test coverage is present.

Generated by Claude Code