Add CODE_OF_CONDUCT, SECURITY, PR template; link them from README

Tier 1 organizational files that any open-source project at LEDMatrix's maturity is expected to have. None of these existed before. They're additive — no existing content was rewritten. CODE_OF_CONDUCT.md - Contributor Covenant 2.1 (the de facto standard for open-source projects). Mentions both the Discord and the GitHub Security Advisories channel for reporting violations. SECURITY.md - Private vulnerability disclosure flow with two channels: GitHub Security Advisories (preferred) and Discord DM. - Documents the project's known security model as intentional rather than vulnerabilities: no web UI auth, plugins run unsandboxed, display service runs as root for GPIO access, config_secrets.json is plaintext. These match the limitations already called out in PLUGIN_QUICK_REFERENCE.md and the audit flagging from earlier in this PR. - Out-of-scope section points users at upstream (rpi-rgb-led-matrix, third-party plugins) so reports land in the right place. .github/PULL_REQUEST_TEMPLATE.md - 10-line checklist that prompts for the things that would have caught the bugs in this very PR: did you load the changed plugin once, did you update docs alongside code, are there any plugin compatibility implications. - Linked from CONTRIBUTING.md for the full flow. README.md - Added a License section near the bottom (the README previously said nothing about the license despite the project being GPL-3.0). - Added a Contributing section pointing at CONTRIBUTING.md and SECURITY.md. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 21:03:01 +00:00 · 2026-04-07 12:52:48 -04:00
parent 44cd3e8c2f
commit 38773044e9
4 changed files with 309 additions and 0 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,62 @@
+# Pull Request
+
+## Summary
+
+<!-- 1-3 sentences describing what this PR does and why. -->
+
+## Type of change
+
+<!-- Check all that apply. -->
+
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Documentation
+- [ ] Refactor (no functional change)
+- [ ] Build / CI
+- [ ] Plugin work (link to the plugin)
+
+## Related issues
+
+<!-- "Fixes #123" or "Refs #123". Use "Fixes" for bug PRs so the issue
+auto-closes when this merges. -->
+
+## Test plan
+
+<!-- How did you test this? Check all that apply. Add details for any
+checked box. -->
+
+- [ ] Ran on a real Raspberry Pi with hardware
+- [ ] Ran in emulator mode (`EMULATOR=true python3 run.py`)
+- [ ] Ran the dev preview server (`scripts/dev_server.py`)
+- [ ] Ran the test suite (`pytest`)
+- [ ] Manually verified the affected code path in the web UI
+- [ ] N/A — documentation-only change
+
+## Documentation
+
+- [ ] I updated `README.md` if user-facing behavior changed
+- [ ] I updated the relevant doc in `docs/` if developer behavior changed
+- [ ] I added/updated docstrings on new public functions
+- [ ] N/A — no docs needed
+
+## Plugin compatibility
+
+<!-- For changes to BasePlugin, the plugin loader, the web UI, or the
+config schema. -->
+
+- [ ] No plugin breakage expected
+- [ ] Some plugins will need updates — listed below
+- [ ] N/A — change doesn't touch the plugin system
+
+## Checklist
+
+- [ ] My commits follow the message convention in `CONTRIBUTING.md`
+- [ ] I read `CONTRIBUTING.md` and `CODE_OF_CONDUCT.md`
+- [ ] I've not committed any secrets or hardcoded API keys
+- [ ] If this adds a new config key, the form in the web UI was
+      verified (the form is generated from `config_schema.json`)
+
+## Notes for reviewer
+
+<!-- Anything reviewers should know — gotchas, things you weren't
+sure about, decisions you'd like a second opinion on. -->