Skip to content

Commit 309af2d

Browse files
authored
chore(repo): add CODEOWNERS, PR template, dependabot config (#55)
## Summary Three repo-hygiene additions, all opt-in / non-breaking. ## Files - **`.github/CODEOWNERS`** — every change requires review from one of \`@onspeedhp\`, \`@chauanhtuan185\`, \`@metasal1\`. Audit-sensitive paths (\`/program/\`, \`/assertions/\`, \`/.github/workflows/\`, \`/audits/\`) and the cherry-pick guardrails (\`scripts/fee-paths.txt\`, \`scripts/strip-fee.sh\`, \`scripts/check-no-fee.sh\`) re-state the same owners so renames don't silently drop ownership rules. - **`.github/PULL_REQUEST_TEMPLATE.md`** — terse, audit-aware. Includes a "Cherry-pick provenance" section so PRs that mirror commits from \`lazorkit-protocol\` leave a clear trail and explicitly confirm \`bash scripts/check-no-fee.sh\` passed. Note: with squash merge, the PR description ends up as the commit message body on \`main\`, so this template effectively shapes \`git log\` going forward. - **`.github/dependabot.yml`** — monthly cadence: - `cargo` (workspace) - `npm` (`/tests-sdk`) — for \`@lazorkit/sdk-legacy\` and vitest - `github-actions` (`/`) Each ecosystem grouped (1 PR for all version updates, 1 for security) with cap of 2-3 open PRs to keep noise bounded. ## Test plan - [ ] CI passes — \`check-no-fee\`, \`sbf-cluster-check\` (no source changes) - [ ] CODEOWNERS auto-assigns reviewers on the next PR - [ ] First Dependabot run lands within ~30 days
1 parent 5d68d56 commit 309af2d

3 files changed

Lines changed: 104 additions & 0 deletions

File tree

.github/CODEOWNERS

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
# Code owners for lazor-kit/program-v2
2+
#
3+
# Order matters — the LAST matching pattern wins. Use specific
4+
# overrides below the catch-all when you want to scope ownership.
5+
#
6+
# Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
7+
8+
# Default: any change requires review from one of the maintainers
9+
* @onspeedhp @chauanhtuan185 @metasal1
10+
11+
# Audit-sensitive paths — additional eyes on changes that affect on-chain
12+
# behavior or release artifacts
13+
/program/ @onspeedhp @chauanhtuan185 @metasal1
14+
/assertions/ @onspeedhp @chauanhtuan185 @metasal1
15+
/.github/workflows/ @onspeedhp @chauanhtuan185 @metasal1
16+
/audits/ @onspeedhp @chauanhtuan185 @metasal1
17+
/scripts/fee-paths.txt @onspeedhp @chauanhtuan185 @metasal1
18+
/scripts/strip-fee.sh @onspeedhp @chauanhtuan185 @metasal1
19+
/scripts/check-no-fee.sh @onspeedhp @chauanhtuan185 @metasal1

.github/PULL_REQUEST_TEMPLATE.md

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
<!--
2+
Keep this short. The squash-merge commit body uses the PR description, so
3+
prose written here ends up in `git log`. Aim for what a reviewer (or your
4+
future self bisecting) needs to understand the change.
5+
6+
If this PR cherry-picks from `lazorkit-protocol`: cite the upstream
7+
commit / PR and confirm `bash scripts/check-no-fee.sh` passes.
8+
-->
9+
10+
## Summary
11+
12+
<!-- 1–3 bullets: what this PR does and the user-visible reason. -->
13+
14+
## Changes
15+
16+
<!-- Per-file or per-area highlights. Skip if `Summary` already covers it. -->
17+
18+
## Test plan
19+
20+
- [ ] CI passes (`check-no-fee`, `sbf-cluster-check`)
21+
- [ ] `cargo test --features devnet` passes
22+
- [ ] `cargo build-sbf --features devnet` and `--features mainnet` both build
23+
- [ ] `npm test` in `tests-sdk` (against a live validator) passes
24+
- [ ] Updates docs / CHANGELOG when public behavior changes
25+
26+
## Audit / security notes
27+
28+
<!-- Skip if N/A. Otherwise: error codes touched, account layout changes,
29+
authority/auth flow changes, vault-invariant defenses, anything that
30+
needs Accretion follow-up. Note new entries against the
31+
`audit-baseline-*` tag. -->
32+
33+
## Cherry-pick provenance (if applicable)
34+
35+
<!-- Upstream commit / PR being mirrored from lazorkit-protocol, plus
36+
confirmation that the fee surface was correctly stripped:
37+
- [ ] `bash scripts/check-no-fee.sh` clean
38+
- [ ] No symbols added that match `scripts/fee-paths.txt`
39+
-->
40+
41+
## Related
42+
43+
<!-- Linked issues, prior PRs, audit findings, design docs. -->

.github/dependabot.yml

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
# Dependabot config — keep noise low, group updates, monthly cadence.
2+
# Reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
3+
version: 2
4+
updates:
5+
# Cargo workspace (program + assertions + no-padding)
6+
- package-ecosystem: "cargo"
7+
directory: "/"
8+
schedule:
9+
interval: "monthly"
10+
open-pull-requests-limit: 3
11+
groups:
12+
cargo-deps:
13+
applies-to: version-updates
14+
patterns: ["*"]
15+
cargo-security:
16+
applies-to: security-updates
17+
patterns: ["*"]
18+
commit-message:
19+
prefix: "chore(deps)"
20+
21+
# Test harness (uses @lazorkit/sdk-legacy from npm)
22+
- package-ecosystem: "npm"
23+
directory: "/tests-sdk"
24+
schedule:
25+
interval: "monthly"
26+
open-pull-requests-limit: 3
27+
groups:
28+
tests-deps:
29+
applies-to: version-updates
30+
patterns: ["*"]
31+
commit-message:
32+
prefix: "chore(deps-dev)"
33+
include: "scope"
34+
35+
# GitHub Actions used in workflows
36+
- package-ecosystem: "github-actions"
37+
directory: "/"
38+
schedule:
39+
interval: "monthly"
40+
open-pull-requests-limit: 2
41+
commit-message:
42+
prefix: "ci(deps)"

0 commit comments

Comments
 (0)