chore: community health files (CONTRIBUTING, CoC, SECURITY, issue templates) #53
Codecov Report: ✅ All modified and coverable lines are covered by tests.
…plates) Ports the community-health pass from cmeans/pypi-winnow-downloads (PR #20 over there) to this repo. Adds CONTRIBUTING.md (Apache-2.0 inbound = outbound, no-bounty policy, dev setup, PR-flow doc), CODE_OF_CONDUCT.md (Contributor Covenant 2.1 with private-reporting workaround), SECURITY.md (private-advisory-only reporting; in-scope / out-of-scope drawn from the actual fix history — page-derived-string injection #40 / #46, blocklist source trust #41 / #42, state integrity #44, auto-upgrade gating #43), and three GitHub issue templates (bug_report.yml, feature_request.yml, config.yml). The bug-report template has yt-dont-recommend-specific fields (mode in use, install method, YouTube UI locale, blocklist source, --check-selectors report). The feature-request template's Area dropdown is replaced with this repo's component map. PR #22's deploy/Tailscale Funnel section doesn't apply here (no deploy/), so it's omitted. Dependabot config follows in a separate PR. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
b8de904 to
37bcd51
Adding QA Active — starting review at HEAD
cmeans
left a comment
QA review — round 1
Verdict: Ready for QA Signoff. Zero findings.
HEAD: `37bcd512`
Tests: 502/502 pass (no skips, no deselects, no xfails). `ruff check src/ tests/`: clean. (Suite count rose 485→502 because the branch picked up #49, #50, and #52 during rebase — PR-claim is correct at PR-creation time; updated the checkbox text for clarity.)
Verification
Doc-heavy PR; verified every external/internal reference rather than spot-checking.
- Files exist — `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, `SECURITY.md`, `.github/ISSUE_TEMPLATE/{bug_report,feature_request,config}.yml` all present at HEAD; YAML parses for all three template files.
- Issue references valid — verified via `gh api repos/.../issues/N`:
  - #12 (open) — Help wanted: non-English YouTube testers — referenced by both `CONTRIBUTING.md` and `bug_report.yml` ✓
  - #13 (open) — Help wanted: selector breakage reports from other accounts — referenced by `CONTRIBUTING.md` and `bug_report.yml` ✓
  - #40, #41, #42, #44, #46 (closed) — referenced in `SECURITY.md` "Recent fixes in this area" / "in scope" sections; titles match the security narrative ✓
- Function references valid —
  - `fetch_subscriptions()` at `browser.py:479` ✓
  - `process_channels()` at `browser.py:657` ✓
  - `_n(count, word)` at `config.py:474` ✓ (`CONTRIBUTING.md` style guide)
- Flag references valid — every flag mentioned in `bug_report.yml` mode dropdown and prose docs is a real argparse argument:
  - `--login`, `--blocklist`, `--clickbait`, `--check-selectors` (with `--repair` modifier), `--check-update`, `--auto-upgrade`, `--revert`, `--schedule`, `--heartbeat` ✓
- README anchor links valid — `config.yml` `contact_links` point at `#install` (matches `## Install` at README:28) and `#checking-and-updating-selectors` (matches `## Checking and Updating Selectors` at README:564) ✓
- Python version matches — `CONTRIBUTING.md` says "Python 3.10+"; `pyproject.toml` line 8 says `requires-python = ">=3.10"` ✓
- Dependency claim matches — `CONTRIBUTING.md` says runtime dep is `playwright` and `[clickbait]` extras are `ollama`, `pyyaml`, `youtube-transcript-api`; `pyproject.toml` matches exactly ✓
- Data-dir mode claim matches — `SECURITY.md` says `~/.yt-dont-recommend/` is created with mode `0o700`; `config.py:226-238` confirms `DATA_DIR.mkdir(...)` followed by `os.chmod(DATA_DIR, 0o700)` if not already ✓
- License claim matches — `CONTRIBUTING.md` says "Apache-2.0 from v0.5.0 onward; earlier published versions remain under MIT"; `pyproject.toml` line 11 has `license = "Apache-2.0"` and the v0.5.0 CHANGELOG entry confirms the switch ✓
- No code touched — verified: `pytest tests/` 502/502, `ruff check src/ tests/` clean, `git diff --stat 7ec4242..37bcd51` shows only `CHANGELOG.md`, the three top-level docs, and `.github/ISSUE_TEMPLATE/*.yml` ✓
- CHANGELOG entry — under `## [Unreleased]` → `### Added` (correct KaC subsection for new docs); placement at top of `[Unreleased]` is correct per KaC ordering ✓
Notes (informational, not findings)
- Pre-existing CHANGELOG-subsection ordering in `[Unreleased]` is non-standard — Security → Fixed → Changed instead of KaC's Changed → Fixed → Security. This drift exists in main and is not introduced by this PR; the new `### Added` section is correctly placed first.
- Box 2 of the test plan (rendered-on-GitHub spot check, `/issues/new` reachability) is the one CLI-only QA can't fully do — left unchecked. Maintainer should confirm during signoff that the issue templates show up on the New Issue page.
CI: 7/7 SUCCESS (test ubuntu, test macos, smoke-macos, on-push, on-label, qa-approved; on-unlabel SKIPPED). `QA Gate` StatusContext PENDING — expected until `QA Approved` lands.
Awaiting maintainer to apply `QA Approved`.
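The data-dir check verified in the review above (`DATA_DIR.mkdir(...)` followed by `os.chmod(DATA_DIR, 0o700)` if not already) can be reproduced with the sketch below. This is an added example, not code from the project or the PR: `ensure_private_dir` and `demo` are hypothetical names, the directories are constructed under a temp root, and the symlink rejection is an extra the review does not mention.

```python
import os
import stat
import tempfile
from pathlib import Path


def ensure_private_dir(path: Path) -> int:
    """Create `path` if needed and make sure it is owner-only (0o700).

    Returns the permission bits after the call.
    """
    # mkdir's mode argument is filtered by the process umask and is ignored
    # when the directory already exists, so it cannot be relied on alone.
    path.mkdir(mode=0o700, parents=True, exist_ok=True)

    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        # A symlink at this path is not a directory this process created.
        raise NotADirectoryError(f"{path} is not a real directory")

    # Tighten only when needed, mirroring the "if not already" step.
    if stat.S_IMODE(st.st_mode) != 0o700:
        os.chmod(path, 0o700)
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo() -> dict:
    """Run the check against constructed directories under a temp root."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Case 1: the directory does not exist yet.
        results["fresh"] = ensure_private_dir(Path(root) / "fresh")

        # Case 2: the directory already exists with group/other access,
        # as a manual mkdir under a default umask would leave it.
        loose = Path(root) / "loose"
        loose.mkdir()
        os.chmod(loose, 0o755)
        results["loose_before"] = stat.S_IMODE(os.lstat(loose).st_mode)
        results["loose_after"] = ensure_private_dir(loose)
    return results


if __name__ == "__main__":
    print({name: oct(mode) for name, mode in demo().items()})
```
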
Applying Ready for QA Signoff — 502/502 tests pass, ruff clean, every internal/external reference (file, function, issue, flag, README anchor, dep claim, data-dir mode, license history) verified against the live codebase. Zero findings. Box 2 of the test plan (rendered-on-GitHub spot check) left unchecked — maintainer should eyeball
…plate) (#54) Cascades the post-`mcp-synology#63` Dependabot-PR-hygiene playbook from the validated `cmeans/mcp-clipboard#96` rollout. Five files: `.github/dependabot.yml` (pip + github-actions, weekly Mon 06:00 CT, grouped, `chore` prefix with `include: scope` to avoid the `chore(deps)(deps):` doubled-prefix bug), `.github/workflows/dependabot-changelog.yml` (`pull_request_target` filtered to `dependabot[bot]`, App-token-authed so the bot's commit re-fires QA-Gate-required CI checks, includes the post-#63 Keep-a-Changelog ordering fix in the create-`### Changed`-from-scratch path), `.github/PULL_REQUEST_TEMPLATE.md` (humans only — Dependabot bypasses templates), `.github/labels.yml` adds `python` + `github-actions`, and a `CHANGELOG.md` Unreleased / Added entry. Operator prereqs `BOT_APP_ID` + `BOT_APP_PRIVATE_KEY` confirmed in-place. SHA pins on all three third-party actions verified exact match upstream tags. Bot user id `272174644` verified via `gh api 'users/cmeans-claude-dev[bot]'`. Workflow's CHANGELOG insertion logic dry-run on this repo's current `[Unreleased]` (which has `### Changed` already) produces correct output. The naive simple `dependabot.yml` alone would break here because of the strict CHANGELOG-per-PR rule + required CI checks + QA-Gate ruleset combination — Dependabot PRs would QA-fail for missing CHANGELOG, and `GITHUB_TOKEN`-authored auto-fix pushes would not re-fire the required checks. The full playbook handles all three. Notes: this PR sits behind PRs #50, #52, #53 in the queue. Once it lands on main, `sync-labels.yml` runs and creates the two new labels before next Monday's Dependabot schedule fires. Dormant Gotcha 6 (Keep-a-Changelog subsection ordering bug from `mcp-synology#63`) is fixed in the workflow but won't fire on yt-dont-recommend's current `[Unreleased]` layout (which already has `### Changed`). It activates after the next release cuts a fresh empty `[Unreleased]` and a feature PR adds `### Added` before any Dependabot bump. 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Ports the community-health pass from `cmeans/pypi-winnow-downloads` (PR #20 over there) to this repo. Adds `CONTRIBUTING.md` (Apache-2.0 inbound = outbound, no-bounty policy, dev setup, PR-flow doc), `CODE_OF_CONDUCT.md` (Contributor Covenant 2.1 with private-reporting workaround), `SECURITY.md` (private-advisory-only reporting; in-scope / out-of-scope drawn from the actual fix history — page-derived-string injection #40 / #46, blocklist source trust #41 / #42, state integrity #44, auto-upgrade gating #43), and three GitHub issue templates (`bug_report.yml`, `feature_request.yml`, `config.yml`).
The bug-report template has yt-dont-recommend-specific fields (mode in use, install method, YouTube UI locale, blocklist source, `--check-selectors` report). The feature-request template's Area dropdown is replaced with this repo's component map. PR #22's `deploy/` Tailscale Funnel section doesn't apply here (no `deploy/`), so it's omitted. Dependabot config follows in a separate PR.
Test plan
- `ls CONTRIBUTING.md CODE_OF_CONDUCT.md SECURITY.md .github/ISSUE_TEMPLATE/{bug_report,feature_request,config}.yml` — all six exist
- /issues/new
- [Unreleased] / Added
- `.venv/bin/python -m pytest tests/` — 502 passed (no code touched; count was 485 at PR creation, grew after rebase picked up fix(state): atomic save_state via tmp file + replace #49 / fix(cli): gate auto-upgrade on sys.stdin.isatty #50 / fix(unblock,diagnostics): escape CSS attr values in built selectors #52)
- `.venv/bin/ruff check src/ tests/` — clean
No code paths affected; this is documentation + GitHub-side metadata only.
🤖 Generated with Claude Code