Operational notes for the people who run this repository. External
contributors should read CONTRIBUTING.md
instead.
These settings enforce the fork → pull request → squash-merge
flow that CONTRIBUTING.md describes. Apply
them once when the repository is created (or before going public),
and re-verify after any change to the protected-branch policy.
Settings → Branches → Add rule → Branch name pattern: main
| Setting | Value | Why |
|---|---|---|
| Require a pull request before merging | on | Direct pushes to main are forbidden — every change must come through a PR |
| Required approvals | 1 (or 2 when more than one maintainer is active) | At least one maintainer reviews every PR |
| Dismiss stale pull request approvals when new commits are pushed | on | Force re-review after rework |
| Require review from Code Owners | on if CODEOWNERS is added |
Auto-route to the right reviewer |
| Require status checks to pass before merging | on | Block merges that fail CI |
| Status checks (required) | build-and-test (ubuntu-latest / Go 1.25), cross-build (linux/amd64), cross-build (linux/arm64), cross-build (darwin/arm64), cross-build (windows/amd64) |
All matrix jobs from .github/workflows/ci.yml |
| Require branches to be up to date before merging | on | Refuse merge of stale branches; contributor rebases first |
| Require conversation resolution before merging | on | All review threads must be resolved |
| Require signed commits | optional | Enable if signing is part of the maintainer policy |
| Require linear history | on | Combined with squash-only merge keeps main linear |
| Restrict who can push to matching branches | maintainers team only | Backstop in case the "require PR" rule is ever disabled |
| Allow force pushes | off | Force-push to main is never the right answer |
| Allow deletions | off | main cannot be deleted |
External contributors do not appear in the Restrict who can push allowlist. With the require PR rule above, the only way for them to land a change is to fork, push to their fork, and open a PR — which is what we want.
Settings → General → Pull Requests
- Allow merge commits: off
- Allow squash merging: on (default merge button)
- Allow rebase merging: off
- Default to PR title for squash merge commit messages: on
- Default to pull request description for squash merge commit messages: on
- Automatically delete head branches after merge: on
These settings keep main linear, give every commit on main a
PR-shaped title and body, and keep the branch list clean.
Settings → Actions → General
- Workflow permissions: Read repository contents permission (least privilege; CI does not push or write)
- Allow GitHub Actions to create and approve pull requests: off
- Fork pull request workflows from outside collaborators: Require approval for first-time contributors (prevents a malicious fork-PR from running CI without review)
Settings → Security & analysis
- Private vulnerability reporting: on (used by
SECURITY.md) - Dependency graph + Dependabot alerts: on
- Dependabot security updates: on
CODEOWNERS is not required for fork+PR enforcement (the branch
protection rule already covers that), but adding it routes review
notifications. A minimal CODEOWNERS once a maintainer team is
defined:
# .github/CODEOWNERS
* @Postmath/ncode-sdk-maintainers
/pdf/ @Postmath/ncode-sdk-maintainers
/pattern/neolab @Postmath/ncode-sdk-maintainers
/tools/ncode-cli @Postmath/ncode-sdk-maintainers
Until a maintainer team exists, leave CODEOWNERS absent rather
than pointing at individuals — turnover is a documentation hazard.
For each incoming PR:
- Triage within 5 business days. Add labels (
bug,enhancement,breaking-change,docs,ci, etc.). If the PR sits in Draft, leave a short note acknowledging it and move on. - Sanity-check CI. All required checks must be green before substantive review. If CI is red, ask the contributor to fix before maintainer time is spent.
- Review against CONTRIBUTING.md scope, conventions, and public-API stability rules. Reviewer's job is policy compliance, not typo hunting.
- Squash-merge when approved. The PR title becomes the commit subject; trim the description to the why before merging.
- Tag breaking changes in the merge commit body with
BREAKING CHANGE:so release notes pick them up.
The SDK uses semantic versioning. Pre-1.0 (the current state) means the public surface is still movable; minor bumps may include breaking changes as long as they are documented.
To cut a release:
-
Confirm
mainis green on CI. -
Decide the version: bump
vMAJOR.MINOR.PATCHper semver.org. -
Update
CHANGELOG.md(create on first release) — list user-visible changes since the previous tag, grouped underAdded,Changed,Fixed,Removed,Deprecated,Security,Breaking. -
Tag from
main:git checkout main git pull --ff-only git tag -a v0.1.0 -m "v0.1.0" git push origin v0.1.0Annotated tags only —
pkg.go.devandgo getindex annotated tags more reliably than lightweight ones. -
Create a GitHub Release pinned to the tag. Paste the relevant
CHANGELOG.mdsection as the release body. -
Do not publish pre-built binaries that link
pdf/(i.e. that statically include MuPDF) without a NOTICE file documenting the AGPL-3.0 obligation. Source-only releases viago get/pkg.go.devdo not have this constraint.
go-fitz(MuPDF) andpdfcpuare the heavy dependencies. Bumping them across major versions warrants a cycle-spanning PR with a manual smoke test (examples/publishwith NeoLAB credentials — seeCONTRIBUTING.mdfor the offline test loop too).- Dependabot PRs land like any other contribution — they go through CI and review, not auto-merge.
- Adding a new dependency requires a maintainer issue first.
- Yearly licence-notice review — confirm the third-party notice
in
LICENSEstill reflects current dependencies (especially thego-fitz/ MuPDF AGPL-3.0 disclosure). - Yearly contributor list refresh —
README.mdContributors section is hand-maintained.