CONTRIBUTING.md proposed: bug/PR workflow, migration conventions, security disclosure path

bmersereau opened a PR proposing a `CONTRIBUTING.md` for the upstream repo, framed as a first draft for maintainer review. It codifies conventions that already exist in practice and adds a few explicit requirements - notably test coverage and structured migration scripts. The PR is open.

workflow

The document covers four areas: filing bugs and feature requests, a private security disclosure path through GitHub advisories (with a 72-hour response SLA marked as adjustable), local dev setup including the DOWNLOAD_SIGNING_SECRET and USER_API_KEYS_ENCRYPTION_SECRET env vars added in recent security work, and a branch/PR naming convention based on conventional commits.

Two sections carry more weight than boilerplate. The migration conventions section promotes patterns that emerged organically from recent database work to a documented expectation: explicit BEGIN/COMMIT framing, paired rollback scripts, and a pre-flight comment block. The test requirement is stated as hard rather than advisory - bmersereau notes it's based on observed review patterns in recent PRs and explicitly offers to soften it if it overshoots what the maintainer actually enforces.

Deliberate omissions: no CLA, no DCO, no CODEOWNERS. The rationale given is contributor friction relative to project scale - those can be added later.

The framing throughout is proposal rather than policy drop. bmersereau invites the maintainer to adjust tone, strengthen or weaken requirements, and cut sections before merge.

So what Worth reading if you're formalizing contribution process on your own fork - the migration conventions section in particular captures practices that are easy to lose as institutional knowledge. The document itself won't apply directly since it references bmersereau's PR workflow conventions, but the structure is reusable.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?