chore(ci): add OSSF and CI best practices

[unclesp1d3r]

This pull request introduces several improvements to project automation, documentation, and governance. The most significant changes are the addition of stricter CI/CD and merge requirements, enhanced documentation of contribution and security policies, and the introduction of automated security and merge management workflows.

CI/CD and Automation Improvements:

• Removed path-based filtering from the main CI workflow in .github/workflows/ci.yml, ensuring all jobs (quality, MSRV, test, cross-platform test, coverage) always run regardless of which files are changed. The aggregate ci-gate job for branch protection was also removed. [1] [2] [3] [4] [5] [6]
• Updated .github/dependabot.yml to disable automatic rebasing for all ecosystems and removed the unused rust-toolchain update entry.
• Added .github/workflows/scorecard.yml to enable OSSF Scorecard supply-chain security analysis on the repository, including scheduled and branch protection-triggered runs.
• Introduced .mergify.yml to automate and enforce merge queueing, review, and branch protection policies, including conventional commit enforcement and required status checks.

Documentation and Policy Updates:

• Expanded CONTRIBUTING.md with clearer MSRV policy, explicit ban on unsafe code (#![forbid(unsafe_code)]), improved module layout guidance, detailed code review requirements, DCO (Developer Certificate of Origin) instructions, and a new section on project governance and decision-making. [1] [2] [3] [4]
• Added a section to AGENTS.md outlining open-source quality standards for OSSF Scorecard compliance, including commit sign-off, CI requirements, test coverage, security practices, and documentation standards.

Project Configuration:

• Updated .serena/project.yml with explicit fields for project name, included/excluded tools, and mode configuration, improving clarity for Serena-based automation.

These changes collectively raise the project's quality bar, automate best practices, and clarify contributor expectations, aligning with industry standards for open-source software.

---

References:
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]

[coderabbitai]

📝 Walkthrough

This PR contains no changes to core source code, public APIs, binary format handling, or semantic-classification implementation/logic. The modifications are repository-level: CI/CD, automation, security, documentation, and project governance.

Architectural/implementation impact

• No modifications to src/ files that alter code behavior, interfaces, or binary formats.
• No changes to exported types, function signatures, traits, or public enums used by clients.
• No edits to semantic-classification code or pattern/ranking implementations.

CI/CD & automation

• Removed path-based filtering from the main CI workflow so quality, MSRV, test, cross-platform test, and coverage jobs run unconditionally.
• Removed the aggregate ci-gate job.
• Added OSSF Scorecard workflow (.github/workflows/scorecard.yml) to run supply-chain/security analyses and upload SARIF.
• Updated Dependabot (.github/dependabot.yml) to disable automatic rebasing.
• Introduced .mergify.yml to automate/enforce merge queueing, review rules, conventional-commit enforcement, and required status checks.
• Minor .gitignore update (adds .claude.local.md).

Security & contributor policies

• Added SECURITY.md with vulnerability reporting, scope, safe-harbor, PGP key material, and security practices.
• CONTRIBUING.md expanded: stricter MSRV policy (updated reference from 1.85+ → 1.91+), explicit ban on unsafe code (#![forbid(unsafe_code)]), detailed code-review requirements, DCO instructions, module layout guidance, and project governance/decision-making content.
• AGENTS.md updated with OSSF quality guidance (commit sign-off, CI/test/coverage/security/documentation expectations).

Tooling & repository configuration

• Added cliff.toml for git-cliff changelog generation with Conventional Commits parsing.
• Updated .serena/project.yml with new project metadata fields (project_name, included_optional_tools, base_modes, default_modes, fixed_tools).
• Added changelog and CI-related metadata and automation helpers (.mergify.yml, scorecard workflow, cliff.toml).

Notes on semantic classification accuracy, binary formats, and APIs

• Semantic classification patterns, ranking engine, containers, and extraction code remain unchanged; classification accuracy and behavior are unaffected by these changes.
• Binary-format detection/parsers and output formatters are unchanged; no behavioral impact to detection or output encoding.
• Public API surface remains stable; documentation updates reflect policies and contributor expectations but do not change code-level APIs.

Commit-level fix

• Addressed minor doc/CI review findings (removed emoji shortcodes in SECURITY.md; removed unreachable pull_request condition in scorecard workflow).

Summary: repository governance, CI, security, and documentation improvements only — no functional or API changes to the codebase, binary handling, or semantic-classification logic.

Walkthrough

Adds CI/workflow and automation changes, new security and governance docs/configs, Mergify rules, changelog configuration, and minor repository housekeeping updates.

Changes

Cohort / File(s)	Summary
GitHub Actions & Dependabot .github/dependabot.yml, .github/workflows/ci.yml, .github/workflows/scorecard.yml	Disables Dependabot rebase; removes path-change gating and makes CI jobs run unconditionally; adds new OSSF Scorecard workflow that runs analysis, produces results.sarif, uploads an artifact, and posts SARIF to code scanning.
PR Automation & Merge Policies .mergify.yml	Adds Mergify configuration: queue rules, pull_request_rules for maintainers/Dependabot/external PRs, auto-approve for Dependabot, conventional-commit enforcement, and CI merge protections.
Project Metadata & Changelog .serena/project.yml, cliff.toml	Introduces per-project mode/tool fields in Serena config and adds cliff.toml for git-cliff changelog generation with Conventional Commits parsing and grouping rules.
Developer Guidance & Security Docs CONTRIBUTING.md, SECURITY.md, AGENTS.md	Updates MSRV and code review requirements; tightens unsafe-code policy; adds SECURITY.md with vulnerability reporting, response timelines, and PGP key; injects OSSF best-practices guidance into AGENTS.md.
Repository housekeeping .gitignore	Adds .claude.local.md to ignore list.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Trigger as GitHub Event / Scheduler
participant Actions as GitHub Actions Runner
participant Repo as Repository (code)
participant Scorecard as ossf/scorecard-action
participant Artifact as Actions Artifacts
participant CodeScanning as CodeQL Upload

Trigger->>Actions: workflow start
Actions->>Repo: checkout (no credentials)
Actions->>Scorecard: run analysis -> produce `results.sarif`
Scorecard-->>Actions: results.sarif
Actions->>Artifact: upload `results.sarif` (5d retention)
Actions->>CodeScanning: upload SARIF (`results.sarif`)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🛡️ New rules, new checks, the pipelines hum,

scorecards scan while changelogs come.
Mergify queues, commits kept neat,
Security posted, fixes meet.
A sturdier repo, calm and bright—deploy tonight.

🚥 Pre-merge checks | ✅ 8 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (6 files): ⚔️ .github/dependabot.yml (content) ⚔️ .github/workflows/ci.yml (content) ⚔️ .gitignore (content) ⚔️ .serena/project.yml (content) ⚔️ AGENTS.md (content) ⚔️ CONTRIBUTING.md (content) These conflicts must be resolved before merging into main.	Resolve conflicts locally and push changes to this branch.

✅ Passed checks (8 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title follows Conventional Commits format with correct type (chore) and scope (ci), and accurately describes the main changes to CI workflows and OSSF best practices.
Description check	✅ Passed	Description is comprehensive and directly related to the changeset, detailing CI/CD improvements, documentation updates, security policies, and configuration changes across multiple files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
No Unsafe Code	✅ Passed	No Rust source files (.rs) were modified in this PR; all changes are configuration and documentation only. No unsafe code was introduced.
Error Handling	✅ Passed	PR modifies only configuration, documentation, and build files with no Rust source changes, so no error handling implementations to evaluate against StringyError conventions.
Ascii Only	✅ Passed	All modified files are fully ASCII-compliant with no emojis, em-dashes, smart quotes, or non-ASCII Unicode characters.
File Size Limit	✅ Passed	All files are under 500-line limit and no blanket module-level #[allow] attributes were introduced.
Section Weight Consistency	✅ Passed	Custom check for section weight consistency is not applicable; PR contains only CI/CD, documentation, and configuration changes with no modifications to container parser files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/add_CI_bestpractices

⚔️ Resolve merge conflicts (beta)

• Auto-commit resolved conflicts to branch feature/add_CI_bestpractices
• Create stacked PR with resolved conflicts
• Post resolved changes as copyable diffs in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 📃 Configuration Change Requirements

Wonderful, this rule succeeded.

Mergify configuration change

• check-success = Configuration changed

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?:

🟢 CI must pass

Wonderful, this rule succeeded.

All CI checks must pass. This protection prevents manual merges that bypass the merge queue.

• check-success = coverage
• check-success = msrv
• check-success = quality
• check-success = test
• check-success = test-cross-platform (macos-latest, macOS)
• check-success = test-cross-platform (ubuntu-latest, Linux)
• check-success = test-cross-platform (windows-latest, Windows)

🟢 Do not merge outdated PRs

Wonderful, this rule succeeded.

Make sure PRs are within 10 commits of the base branch before merging

• #commits-behind <= 10

[mergify]

🧪 CI Insights

Here's what we observed from your CI run for 44d76a1.

🟢 All jobs passed!

But CI Insights is watching 👀

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

This PR raises the repository’s automation and governance baseline by tightening CI execution rules, adding supply-chain/security automation (OSSF Scorecard), and documenting contributor/security expectations.

Changes:

• Make CI run unconditionally by removing path-based job filtering and removing the aggregate gate job.
• Add/adjust automation and governance tooling: OSSF Scorecard workflow, Mergify merge automation, and Dependabot configuration tweaks.
• Expand project documentation around contribution standards, security reporting, and OSSF-aligned best practices.

Reviewed changes

Copilot reviewed 9 out of 11 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
mise.lock	Adds a pinned tool lockfile for local/dev automation tooling.
cliff.toml	Introduces git-cliff configuration for structured changelog generation.
SECURITY.md	Adds a security policy and reporting process (incl. PGP key).
CONTRIBUTING.md	Expands contributor guidance (MSRV, safety/CI rules, DCO, governance).
AGENTS.md	Adds OSSF-oriented PR/release quality standards.
.serena/project.yml	Makes Serena project configuration more explicit (project name/tools/modes).
.mergify.yml	Adds merge queue automation and status-check enforcement rules.
.gitignore	Ignores a local Claude-related markdown file.
.github/workflows/scorecard.yml	Adds OSSF Scorecard workflow for supply-chain security analysis.
.github/workflows/ci.yml	Removes path filtering and the aggregate gate job so all CI jobs run consistently.
.github/dependabot.yml	Disables automatic rebasing and removes the rust-toolchain ecosystem entry.

[Copilot]

The qlty coverage upload is configured to read "target/lcov.info", but earlier in this job the LCOV report is written to "lcov.info" (repo root). This mismatch will prevent qlty from finding the report. Align the output path and the upload path (either write into target/lcov.info or upload lcov.info).

Suggested change

	files: target/lcov.info
	files: lcov.info

[Copilot]

In Mergify queue_rules, the required-check list should be under the correct schema key (commonly conditions:). With merge_conditions: here, Mergify may ignore the rule and not enforce the required CI checks. Rename to the correct key so the queue rule is applied.

Suggested change

	merge_conditions:
	conditions:

[Copilot]

CONTRIBUTING.md says branch protection enforces formatting/lint/tests plus "security audit" and "CodeQL analysis" before merge, but the repo’s merge enforcement in .mergify.yml only requires the CI workflow jobs (quality/msrv/test/test-cross-platform/coverage). Either add the security/audit and CodeQL check names to the required checks enforcement, or clarify in the docs which checks are actually required for merges.

Suggested change

	CI must pass before merge. This includes formatting, linting, tests, security audit, and CodeQL analysis. Branch protection enforces these checks on the `main` branch.
	CI must pass before merge. Branch protection on the `main` branch currently enforces the required formatting, linting, test, MSRV, cross-platform, and coverage checks. Additional jobs such as security audit and CodeQL analysis may run as part of CI but are not guaranteed to be merge-blocking.

[Copilot]

The workflow has an if: condition that references github.event_name == 'pull_request', but this workflow is not configured to run on pull_request events. This makes the condition misleading/dead code. Either add a pull_request trigger (if PR runs are desired) or simplify/remove the condition to match the actual triggers.

Suggested change

	if: github.event.repository.default_branch == github.ref_name
	if: github.event.repository.default_branch == github.ref_name

[Copilot]

base_modes: is declared but has no value, which YAML parses as null. If the intent is an empty list, set it to []; if the intent is to inherit global base modes, omit this key entirely.

Suggested change

	base_modes:
	# list of mode names that are to be activated by default.
	# The full set of modes to be activated is base_modes + default_modes.
	# If the setting is undefined, the default_modes from the global configuration (serena_config.yml) apply.
	# Otherwise, this overrides the setting from the global configuration (serena_config.yml).
	# This setting can, in turn, be overridden by CLI parameters (--mode).
	default_modes:
	# list of mode names that are to be activated by default.
	# The full set of modes to be activated is base_modes + default_modes.
	# If the setting is undefined, the default_modes from the global configuration (serena_config.yml) apply.
	# Otherwise, this overrides the setting from the global configuration (serena_config.yml).
	# This setting can, in turn, be overridden by CLI parameters (--mode).

[Copilot]

default_modes: is declared but has no value, which YAML parses as null. If the intent is an empty list, set it to []; if the intent is to inherit global defaults, omit this key entirely.

Suggested change

	base_modes:
	# list of mode names that are to be activated by default.
	# The full set of modes to be activated is base_modes + default_modes.
	# If the setting is undefined, the default_modes from the global configuration (serena_config.yml) apply.
	# Otherwise, this overrides the setting from the global configuration (serena_config.yml).
	# This setting can, in turn, be overridden by CLI parameters (--mode).
	default_modes:
	# list of mode names that are to be activated by default.
	# The full set of modes to be activated is base_modes + default_modes.
	# If the setting is undefined, the default_modes from the global configuration (serena_config.yml) apply.
	# Otherwise, this overrides the setting from the global configuration (serena_config.yml).
	# This setting can, in turn, be overridden by CLI parameters (--mode).

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In @.github/workflows/scorecard.yml:
- Line 20: The conditional "if: github.event.repository.default_branch ==
github.ref_name || github.event_name == 'pull_request'" contains a dead branch
because this workflow's triggers don't include "pull_request"; either add
"pull_request" to the workflow's on: triggers so github.event_name ==
'pull_request' can be true, or remove the "|| github.event_name ==
'pull_request'" clause (simplify the if to only compare default branch) so the
condition matches the actual triggers; update the scorecard.yml triggers or the
if condition accordingly to keep them consistent.

In `@CONTRIBUTING.md`:
- Line 85: CONTRIBUTING.md currently claims "security audit" and "CodeQL
analysis" are required CI checks, but .mergify.yml does not mark those workflows
as required; update the documentation (line ~85) so it only lists the actual
blocking checks: quality, msrv, test, test-cross-platform, and coverage, or
alternatively add the audit and codeql workflows to the required list in
.mergify.yml; reference the audit.yml and codeql.yml workflow names if you
choose to make them blocking so the doc and .mergify.yml remain consistent.

In `@SECURITY.md`:
- Around line 5-8: The table rows containing the emoji shortcodes
":white_check_mark:" and ":x:" should be replaced with ASCII-only text; update
the entries for versions "0.1.x" and "< 0.1" to use plain text like
"supported"/"unsupported" or "yes"/"no" (e.g., replace "| 0.1.x   |
:white_check_mark: |" with "| 0.1.x   | supported |" and "| < 0.1   | :x:       
|" with "| < 0.1   | unsupported |") so the SECURITY.md table contains no emoji
shortcodes or Unicode characters.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's look at the CONTRIBUTING.md file around line 85
cat -n CONTRIBUTING.md | sed -n '80,90p'

Repository: EvilBit-Labs/Stringy

Length of output: 917

---

🏁 Script executed:

# Check for .mergify.yml and CI workflows
echo "=== Checking for .mergify.yml ==="
ls -la .mergify.yml 2>/dev/null || echo "No .mergify.yml found"

echo ""
echo "=== Checking for workflow files ==="
ls -la .github/workflows/ 2>/dev/null || echo "No .github/workflows/ found"

echo ""
echo "=== Looking for security audit references ==="
rg 'security.*audit|audit.*security|cargo-audit' .github/workflows/ || echo "No security audit found"

echo ""
echo "=== Looking for CodeQL workflow ==="
ls -la .github/workflows/ | grep -i codeql || echo "No explicit CodeQL file"

Repository: EvilBit-Labs/Stringy

Length of output: 1252

---

🏁 Script executed:

# Check the content of .mergify.yml if it exists
if [ -f .mergify.yml ]; then
  echo "=== Content of .mergify.yml ==="
  cat .mergify.yml
fi

Repository: EvilBit-Labs/Stringy

Length of output: 2809

---

🏁 Script executed:

echo "=== Content of audit.yml ==="
cat .github/workflows/audit.yml

echo ""
echo "=== Content of codeql.yml ==="
cat .github/workflows/codeql.yml

Repository: EvilBit-Labs/Stringy

Length of output: 1324

---

Update CONTRIBUTING.md line 85 to accurately reflect required CI checks.

The documented checks (security audit and CodeQL analysis) do run via audit.yml and codeql.yml workflows, but neither is configured as a required merge check in .mergify.yml. Line 85 should list only the actual blocking checks: quality, msrv, test, test-cross-platform, and coverage. Either update the documentation to remove aspirational checks, or add security audit and CodeQL to the merge requirements if they should be blocking.

🤖 Prompt for AI Agents

In `@CONTRIBUTING.md` at line 85, CONTRIBUTING.md currently claims "security
audit" and "CodeQL analysis" are required CI checks, but .mergify.yml does not
mark those workflows as required; update the documentation (line ~85) so it only
lists the actual blocking checks: quality, msrv, test, test-cross-platform, and
coverage, or alternatively add the audit and codeql workflows to the required
list in .mergify.yml; reference the audit.yml and codeql.yml workflow names if
you choose to make them blocking so the doc and .mergify.yml remain consistent.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@SECURITY.md`:
- Around line 64-74: The SECURITY.md claims two enforcement mechanisms that are
not present; either add the crate-level pragma #![forbid(unsafe_code)] to the
crate root (e.g., lib.rs or main.rs) to match the "No unsafe code" claim or
remove/update that bullet to accurately reflect current code, and update the CI
claim: either remove "cargo-deny" from the dependency-auditing bullet and
reference only cargo-audit, or add a cargo-deny configuration to your CI (and
reference the new workflow) so the document matches the actual workflows; ensure
the Security Features list text is edited accordingly so both statements are
accurate.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, get an overview of the repository structure
git ls-files | head -20

Repository: EvilBit-Labs/Stringy

Length of output: 737

---

🏁 Script executed:

# Check for forbid(unsafe_code) in Rust sources
rg -n '#!\[forbid\(unsafe_code\)\]' --type=rs

Repository: EvilBit-Labs/Stringy

Length of output: 90

---

🏁 Script executed:

# Look for Cargo.toml files to check dependencies
fd -n 'Cargo.toml$' -x head -30 {}

Repository: EvilBit-Labs/Stringy

Length of output: 294

---

🏁 Script executed:

# Check .github directory for CI and release workflows
find .github -type f -name '*.yml' -o -name '*.yaml' | head -20

Repository: EvilBit-Labs/Stringy

Length of output: 350

---

🏁 Script executed:

# Find and read Cargo.toml files
find . -name 'Cargo.toml' -type f | head -5

Repository: EvilBit-Labs/Stringy

Length of output: 76

---

🏁 Script executed:

# Check for forbid(unsafe_code) using correct syntax
find . -name '*.rs' -type f -exec grep -l 'forbid(unsafe_code)' {} \;

Repository: EvilBit-Labs/Stringy

Length of output: 46

---

🏁 Script executed:

# Read the main Cargo.toml
head -80 ./Cargo.toml

Repository: EvilBit-Labs/Stringy

Length of output: 1452

---

🏁 Script executed:

# Check the audit workflow
cat .github/workflows/audit.yml

Repository: EvilBit-Labs/Stringy

Length of output: 685

---

🏁 Script executed:

# Check the release workflow
cat .github/workflows/release.yml

Repository: EvilBit-Labs/Stringy

Length of output: 15852

---

🏁 Script executed:

# Directly read lib.rs and main.rs to check for forbid pragma
head -20 src/lib.rs

Repository: EvilBit-Labs/Stringy

Length of output: 932

---

🏁 Script executed:

# Check main.rs
head -20 src/main.rs

Repository: EvilBit-Labs/Stringy

Length of output: 671

---

🏁 Script executed:

# Search explicitly for forbid anywhere in the repo
rg -i 'forbid' --type=rust --type=toml --type=yaml

Repository: EvilBit-Labs/Stringy

Length of output: 232

---

🏁 Script executed:

# Check dependabot.yml for cargo-deny or any deny config
cat .github/dependabot.yml

Repository: EvilBit-Labs/Stringy

Length of output: 501

---

🏁 Script executed:

# Check full lib.rs to see if forbid appears anywhere
cat src/lib.rs | head -50

Repository: EvilBit-Labs/Stringy

Length of output: 2266

---

🏁 Script executed:

# Check full main.rs
cat src/main.rs

Repository: EvilBit-Labs/Stringy

Length of output: 685

---

🏁 Script executed:

# Comprehensive search for any forbid, deny, or unsafe keywords
rg 'forbid|#!\[deny' src/

Repository: EvilBit-Labs/Stringy

Length of output: 46

---

Correct SECURITY.md to reflect actual implementation.

The document claims two security enforcement mechanisms not currently implemented:

1. #![forbid(unsafe_code)] — Not present in src/lib.rs or src/main.rs. Either add this pragma to the crate root or remove this claim.

2. cargo-deny in CI — Not configured in .github/workflows/ or .github/dependabot.yml. The audit workflow uses cargo-audit via GitHub Actions instead. Update line 70 to reference only cargo-audit, or add cargo-deny configuration.

The other claims are accurate: goblin and pelite are dependencies, Dependabot is configured, and CycloneDX SBOMs + Sigstore attestations are generated in the release workflow.

🤖 Prompt for AI Agents

In `@SECURITY.md` around lines 64 - 74, The SECURITY.md claims two enforcement
mechanisms that are not present; either add the crate-level pragma
#![forbid(unsafe_code)] to the crate root (e.g., lib.rs or main.rs) to match the
"No unsafe code" claim or remove/update that bullet to accurately reflect
current code, and update the CI claim: either remove "cargo-deny" from the
dependency-auditing bullet and reference only cargo-audit, or add a cargo-deny
configuration to your CI (and reference the new workflow) so the document
matches the actual workflows; ensure the Security Features list text is edited
accordingly so both statements are accurate.