CONTRIBUTING.md proposed: bug/PR workflow, migration conventions, security disclosure path
bmersereau opened a PR proposing a `CONTRIBUTING.md` for the upstream repo, framed as a first draft for maintainer review. It codifies conventions that already exist in practice and adds a few explicit requirements - notably test coverage and structured migration scripts. The PR is open.
The document covers four areas: filing bugs and feature requests, a private security disclosure path through GitHub advisories (with a 72-hour response SLA marked as adjustable), local dev setup including the DOWNLOAD_SIGNING_SECRET and USER_API_KEYS_ENCRYPTION_SECRET env vars added in recent security work, and a branch/PR naming convention based on conventional commits.
Two sections carry more weight than boilerplate. The migration conventions section promotes patterns that emerged organically from recent database work to a documented expectation: explicit BEGIN/COMMIT framing, paired rollback scripts, and a pre-flight comment block. The test requirement is stated as hard rather than advisory - bmersereau notes it's based on observed review patterns in recent PRs and explicitly offers to soften it if it overshoots what the maintainer actually enforces.
Deliberate omissions: no CLA, no DCO, no CODEOWNERS. The rationale given is contributor friction relative to project scale - those can be added later.
The framing throughout is proposal rather than policy drop. bmersereau invites the maintainer to adjust tone, strengthen or weaken requirements, and cut sections before merge.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?