chore(.github): add stale, labeler, templates, and SECURITY.md #58
Merged
pratyush618 merged 4 commits into main from Apr 10, 2026
Runs actions/stale@v9 daily at 02:00 UTC with conservative thresholds: PRs stale after 45 days of inactivity and closed after another 14, issues stale after 90 days and closed after another 30. Exempts the dependencies, pinned, security, help wanted, and good first issue labels so Dependabot and long-lived items stay open.
Applies area labels (rust, python, javascript, documentation, github_actions, mcp, wasm) based on changed file paths using actions/labeler@v5. Runs on pull_request_target so fork PRs still receive labels; safe because labeler inspects diff paths only and never checks out PR code.
PR template prompts for summary, test plan, and related issue. Bug and feature issue forms (YAML format) require structured input and auto-apply the bug/enhancement labels. Blank issues are disabled so every issue flows through a form.
Paperjam parses untrusted PDF/DOCX/XLSX/EPUB input, so parser bugs (memory safety, panics, DoS via crafted files) are a real attack surface. Points reporters at GitHub private vulnerability reporting, lists expected report contents, sets best-effort response SLAs, and documents in-scope vs out-of-scope categories.
Summary
Production-grade GitHub hygiene layer for the repo, split into four logical commits:
- (.github/workflows/stale.yml) — actions/stale@v9 on a daily cron. Conservative thresholds: PRs stale after 45d inactivity and closed after another 14d; issues stale after 90d and closed after another 30d. Exempts dependencies, pinned, security, help wanted, good first issue labels so Dependabot PRs and long-lived items stay open.
- (.github/workflows/labeler.yml + .github/labeler.yml) — actions/labeler@v5 on pull_request_target. Path rules apply rust, python, javascript, documentation, github_actions, mcp, wasm based on changed files. Safe on fork PRs because labeler only inspects diff paths, never checks out PR code.
- bug/enhancement labels. Blank issues disabled.
- SECURITY.md — private disclosure policy pointing at GitHub's vulnerability reporting. Paperjam parses untrusted PDF/DOCX/XLSX/EPUB input, so parser bugs (memory safety, panics, DoS via crafted files) are a real attack surface that warrants a documented channel.

Labels added (out-of-band)
These were created via gh label create on the remote so the labeler and stale workflows don't no-op: python, mcp, wasm, pinned, security.

Test plan
- .github/**/*.yml files parse with yaml.safe_load
- cleanup.yml (cache-cleanup-on-close, unrelated scope)
- dependencies label is in the stale exempt list so Dependabot PRs are not touched
- crates/paperjam-mcp/src/main.rs and confirm rust + mcp labels auto-applied
- gh workflow run stale.yml and check gh run view --log runs clean (should be a no-op on current repo state)
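
The pull_request_target claim in the labeler item (safe because no PR code is checked out) can be verified mechanically across a repository's workflows. The following is an added example, not code from this PR or the Paperjam repository: a dependency-free heuristic that classifies a workflow by whether a pull_request_target job checks out contributor-controlled code. The sample workflows, the audit function and its verdict strings are constructed for illustration.

```python
import re

# Constructed sample workflows for illustration (not files from the PR).
LABELER_ONLY = """\
on: [pull_request_target]
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

CHECKS_OUT_HEAD = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""

TRIGGER = re.compile(r"\bpull_request_target\b")
CHECKOUT = re.compile(r"uses:\s*actions/checkout@")
# Checkout refs that resolve to contributor-controlled commits.
PR_REF = re.compile(
    r"ref:.*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/)"
)

def audit(workflow_text: str) -> str:
    """Classify a workflow by how PR code can reach a privileged runner."""
    # Drop YAML comments first (naive: assumes no '#' inside quoted strings).
    body = "\n".join(l.split("#", 1)[0] for l in workflow_text.splitlines())
    if not TRIGGER.search(body):
        return "not-privileged"   # e.g. plain pull_request: read-only token on forks
    if not CHECKOUT.search(body):
        return "no-checkout"      # the labeler case: only API metadata is read
    if PR_REF.search(body):
        return "head-checkout"    # fork code lands on a runner holding base-repo token
    return "base-checkout"        # default ref on this trigger is the base branch

if __name__ == "__main__":
    for name, text in [("labeler", LABELER_ONLY), ("build", CHECKS_OUT_HEAD)]:
        print(name, audit(text))
```

A "head-checkout" verdict is the one to block in review; "base-checkout" still deserves a look at what later steps do with PR-supplied inputs.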