Add release distribution and repo governance

Author: sionsmith

.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+
+[*.rs]
+indent_size = 4
+
+[Makefile]
+indent_style = tab

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,94 @@
+name: Bug report
+description: Report a reproducible Jira CLI problem
+title: "bug: "
+labels:
+  - bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting a bug. Do not paste Jira API tokens, OAuth secrets, cookies, or private issue data.
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: What happened?
+      placeholder: The command failed when...
+    validations:
+      required: true
+  - type: textarea
+    id: command
+    attributes:
+      label: Command
+      description: Paste the exact command and redact project keys or issue keys only if needed.
+      render: bash
+      placeholder: jira issue view ENG-123 --output json
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: What should have happened?
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual behavior
+      description: Include stderr/stdout with secrets redacted.
+      render: text
+    validations:
+      required: true
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Reproduction steps
+      description: Provide the smallest set of steps that reproduces the issue.
+      placeholder: |
+        1. Configure profile with ...
+        2. Run ...
+        3. Observe ...
+    validations:
+      required: true
+  - type: dropdown
+    id: auth
+    attributes:
+      label: Auth method
+      options:
+        - API token
+        - OAuth 3LO
+        - Environment variables
+        - Unknown
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: jira version
+      description: Run `jira --version`.
+      placeholder: jira 0.1.0 (abcdef0)
+    validations:
+      required: true
+  - type: input
+    id: os
+    attributes:
+      label: Operating system
+      placeholder: macOS 15.5 arm64, Ubuntu 24.04 x86_64, Windows 11
+    validations:
+      required: true
+  - type: textarea
+    id: diagnostics
+    attributes:
+      label: Diagnostics
+      description: Include relevant `jira auth doctor --output json`, `jira config show --output json`, or `RUST_LOG=jira_cli=debug` output with secrets redacted.
+      render: json
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Checklist
+      options:
+        - label: I have removed API tokens, OAuth secrets, and private issue data.
+          required: true
+        - label: I have checked the latest release and main branch behavior where practical.
+          required: false

.github/ISSUE_TEMPLATE/command_request.yml

@@ -0,0 +1,45 @@
+name: Command request
+description: Propose a new Jira command, flag, output field, or workflow
+title: "command: "
+labels:
+  - enhancement
+  - command
+body:
+  - type: textarea
+    id: workflow
+    attributes:
+      label: Workflow
+      description: What are you trying to automate or make easier?
+      placeholder: As a release manager, I need to...
+    validations:
+      required: true
+  - type: textarea
+    id: proposed_command
+    attributes:
+      label: Proposed CLI shape
+      description: Show the command, flags, and expected output mode.
+      render: bash
+      placeholder: jira version release ENG 1.2.3 --dry-run --output json
+    validations:
+      required: true
+  - type: textarea
+    id: jira_api
+    attributes:
+      label: Jira API surface
+      description: If known, list the Jira REST API endpoints or permissions involved.
+      placeholder: /rest/api/3/...
+  - type: textarea
+    id: output
+    attributes:
+      label: Expected structured output
+      description: Include JSON fields if this command will be used by agents or CI.
+      render: json
+  - type: checkboxes
+    id: requirements
+    attributes:
+      label: Requirements
+      options:
+        - label: The command should support `--dry-run` if it mutates Jira data.
+        - label: The command should work with `--output json`.
+        - label: The command should be safe with `--no-input`.
+        - label: The command should update README/docs/man page examples.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: mailto:security@osodevops.io
+    about: Please report security issues privately instead of opening a public issue.
+  - name: Questions and usage support
+    url: https://github.com/osodevops/jira-cli/discussions
+    about: Use discussions for setup questions, workflow ideas, and non-bug troubleshooting.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,40 @@
+name: Feature request
+description: Suggest a product, documentation, packaging, or integration improvement
+title: "feat: "
+labels:
+  - enhancement
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What gap or friction are you seeing?
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposal
+      description: What should change?
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: What workarounds or designs did you consider?
+  - type: textarea
+    id: examples
+    attributes:
+      label: Examples
+      description: Include commands, scripts, JSON output, or links to related CLI behavior.
+      render: bash
+  - type: checkboxes
+    id: scope
+    attributes:
+      label: Scope
+      options:
+        - label: This affects scripting or machine-readable output.
+        - label: This affects authentication or token handling.
+        - label: This affects release packaging or installation.
+        - label: This affects documentation or examples.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,31 @@
+## Summary
+
+Explain the change, motivation, and user impact.
+
+## Changes
+
+- 
+
+## Verification
+
+- [ ] `cargo fmt --all -- --check`
+- [ ] `cargo clippy --all-targets --all-features -- -D warnings`
+- [ ] `cargo test --all-targets --all-features`
+- [ ] `cargo audit`
+- [ ] `cargo build --release`
+- [ ] `./target/release/jira --help >/dev/null`
+- [ ] `./target/release/jira completions man --dir /tmp/jira-man`
+
+## Release impact
+
+- [ ] No release impact
+- [ ] User-facing behavior changed
+- [ ] New command, flag, output field, or exit code
+- [ ] Docs, README, examples, completions, or man pages updated
+- [ ] Packaging, Homebrew, Scoop, or GitHub Actions changed
+
+## Safety
+
+- [ ] No secrets, tokens, private Jira data, or debug credentials are committed.
+- [ ] Mutating commands support confirmation, `--no-input`, or `--dry-run` where appropriate.
+- [ ] Machine-readable output remains stable or the change is documented.

.github/dependabot.yml

@@ -1,10 +1,32 @@
 version: 2
 updates:
-  - package-ecosystem: cargo
-    directory: /
+  - package-ecosystem: "cargo"
+    directory: "/"
     schedule:
-      interval: weekly
-  - package-ecosystem: github-actions
-    directory: /
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "rust"
+    commit-message:
+      prefix: "deps"
+    groups:
+      rust-minor:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
     schedule:
-      interval: weekly
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "ci"
+    commit-message:
+      prefix: "ci"

.github/workflows/ci.yml

@@ -23,7 +23,7 @@ jobs:
     name: Workflow Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Run actionlint
         uses: docker://rhysd/actionlint:1.7.7
         with:
@@ -33,7 +33,7 @@ jobs:
     name: Format
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # stable
         with:
           toolchain: stable
@@ -44,12 +44,12 @@ jobs:
     name: Clippy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # stable
         with:
           toolchain: stable
           components: clippy
-      - uses: actions/cache@v4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             ~/.cargo/registry
@@ -68,11 +68,11 @@ jobs:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # stable
         with:
           toolchain: stable
-      - uses: actions/cache@v4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             ~/.cargo/registry
@@ -87,11 +87,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: [fmt, clippy]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # stable
         with:
           toolchain: stable
-      - uses: actions/cache@v4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             ~/.cargo/registry
@@ -112,11 +112,11 @@ jobs:
     name: Security Audit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # stable
         with:
           toolchain: stable
-      - uses: actions/cache@v4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             ~/.cargo/registry

.github/workflows/jira-cloud-smoke.yml

@@ -26,11 +26,11 @@ jobs:
     name: Jira Cloud Sandbox Smoke
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # stable
         with:
           toolchain: stable
-      - uses: actions/cache@v4
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: |
             ~/.cargo/registry