From 5d51bb7e7df3f3ab0e75476d4039bab30c16f1f7 Mon Sep 17 00:00:00 2001 From: Affan Amir Mir Date: Sat, 2 May 2026 18:52:14 +0500 Subject: [PATCH 1/2] docs: add Quickstart, honest comparison, and community-standards files - README: add a 60-second Quickstart at the top so cloners reach a working setup without configuration choices - README: replace the comparison with a neutral table that acknowledges where Codecov, Coveralls, and 5monkeys/cobertura-action win, plus "pick X if" guidance for honest tool selection - README: rename existing "Quick Start" to "Common Patterns" so the 60-second version is unambiguously the entry point - Add SECURITY.md with private vulnerability reporting via GitHub Security Advisories, supported version policy (v2.x only), and consumer hardening recommendations - Add CODE_OF_CONDUCT.md adopting Contributor Covenant 2.1 by reference with local reporting and enforcement details - CONTRIBUTING.md: fix placeholder clone URL and link to CoC + SECURITY - README: add Security section and CoC reference next to Contributing Targets the GitHub community-standards profile (security policy + CoC) to unblock enterprise adoption gates and clears the way for an OpenSSF Best Practices badge later. Co-Authored-By: Claude Opus 4.7 (1M context) --- CODE_OF_CONDUCT.md | 38 ++++++++++++++++++++++ CONTRIBUTING.md | 4 ++- README.md | 78 ++++++++++++++++++++++++++++++++++------------ SECURITY.md | 66 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 165 insertions(+), 21 deletions(-) create mode 100644 CODE_OF_CONDUCT.md create mode 100644 SECURITY.md diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..654425f --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,38 @@ +# Code of Conduct + +This project adopts the **[Contributor Covenant, version 2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/)** as its code of conduct. All contributors, maintainers, and participants in project spaces (issues, pull requests, discussions, and any associated channels) are expected to read and uphold it. + +The full text — including the pledge, standards, scope, enforcement guidelines, and attribution — is available at: + +> + +We adopt that document by reference rather than re-inlining it so that any future clarifications or translations from the Contributor Covenant project flow through automatically. + +## Reporting a Concern + +If you experience or witness conduct that violates the Contributor Covenant in any project space, please report it privately: + +- **Email**: `affan.amir@laam.pk` with subject prefix `[diff-cover-action conduct]` +- **GitHub**: open a private security advisory at and tag it `[conduct]` + +Reports are reviewed confidentially. Please include: + +- What happened (links to issues, PRs, comments, or screenshots) +- Who was involved +- Any prior context that may help + +You will receive an acknowledgement within 5 business days. + +## Enforcement + +The project maintainer ([@Affanmir](https://github.com/Affanmir)) is responsible for clarifying and enforcing this Code of Conduct, following the Enforcement Guidelines section of the linked Contributor Covenant. Possible responses range from a private warning to permanent ban from project spaces, depending on severity and pattern. + +The maintainer is also accountable to it. If you believe the maintainer has violated this Code of Conduct, please report it through the same channels above; an external mediator will be engaged if needed. 
+ +## Scope + +This Code of Conduct applies in all project spaces — the GitHub repository, issue tracker, pull requests, discussions, and any official communication channel — and also when an individual is officially representing the project in public spaces. + +## Attribution + +This Code of Conduct is adopted from the [Contributor Covenant, version 2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/), maintained by the Contributor Covenant project and available under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 8262acc..7d22549 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,10 +1,12 @@ # Contributing to diff-cover-action +Thanks for your interest in contributing! By participating, you agree to abide by the project's [Code of Conduct](CODE_OF_CONDUCT.md). For security issues, please follow the private reporting process in [SECURITY.md](SECURITY.md) instead of opening a public issue. + ## Development Setup ```bash # Clone the repo -git clone https://github.com/your-org/diff-cover-action.git +git clone https://github.com/Affanmir/diff-cover-action.git cd diff-cover-action # Install dev dependencies diff --git a/README.md b/README.md index c3e1c5e..00a7444 100644 --- a/README.md +++ b/README.md 
@@ -12,24 +12,58 @@ A GitHub Action that wraps [diff-cover](https://github.com/Bachmann1234/diff_cov --- -## Why This Action? - -| | diff-cover-action | Codecov | Coveralls | coverage-diff | -|---|:---:|:---:|:---:|:---:| -| **Free & self-hosted** | Yes | Freemium | Freemium | Yes | -| **No external account** | Yes | No | No | Yes | -| **Coverage + quality in one** | Yes | No | No | No | -| **13+ lint tools** (ruff, eslint, mypy...) | Yes | No | No | No | -| **PR comments** | Yes | Yes | Yes | Yes | -| **Inline annotations** | Yes | Yes | Yes | No | -| **Step summaries** | Yes | No | No | No | -| **Badge generation** | Yes | Yes | Yes | Yes | -| **JaCoCo / lcov / XML** | Yes | Yes | Yes | JSON only | -| **Shallow clone handling** | Auto | Manual | Manual | N/A | -| **Fork PR safe** | Yes | Yes | Yes | Limited | -| **Data stays in your CI** | Yes | No | No | Yes | - -**In short**: This is the only action that does **both** diff coverage and diff quality analysis in a single step, with full GitHub integration, across any language and linter -- with zero vendor dependencies. +## Quickstart in 60 seconds + +Drop this file into `.github/workflows/diff-coverage.yml`, push, and open a PR. A coverage comment will appear automatically — no signup, no token, no external service. + +```yaml +name: Diff Coverage +on: [pull_request] + +permissions: + contents: read + pull-requests: write + +jobs: + coverage: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - run: pip install pytest pytest-cov && pytest --cov --cov-report=xml + - uses: Affanmir/diff-cover-action@v2 + with: + coverage-files: coverage.xml +``` + +That's the whole setup. It works on **any language** that produces Cobertura XML, lcov, or JaCoCo — replace the `pytest` line with your own test command (Jest, `go test -coverprofile`, Maven, etc.). For thresholds, monorepos, fork PRs, or quality (lint) mode, see [Common Patterns](#common-patterns) below. + +--- + +## How does this compare? 
+ +Honest comparison — `diff-cover-action` is not always the right pick. Here's where each tool wins: + +| | diff-cover-action | Codecov | Coveralls | 5monkeys/cobertura-action | +|---|---|---|---|---| +| **Setup** | 1 workflow file | App install + token | App install + token | 1 workflow file | +| **Where it runs** | Your CI runner | SaaS (data uploaded) | SaaS (data uploaded) | Your CI runner | +| **Pricing** | Free (OSS, MIT) | Free for OSS, paid private | Free for OSS, paid private | Free (OSS, MIT) | +| **Coverage scope** | Changed lines only | Full repo + diff | Full repo + diff | Changed lines only | +| **Lint / quality reporting** | 13+ tools (ruff, eslint, mypy, …) | — | — | — | +| **PR comment** | Idempotent updates | Idempotent updates | Idempotent updates | Idempotent updates | +| **Inline diff annotations** | Yes | Yes | Yes | — | +| **Actions step summary** | Yes | — | — | — | +| **Historical trend graphs** | — | Yes | Yes | — | +| **Org-wide dashboards** | — | Yes | Yes | — | +| **Coverage formats** | Cobertura XML, lcov, JaCoCo, Clover | Cobertura, lcov, JaCoCo, +many | Cobertura, lcov, +many | Cobertura XML only | +| **Fork PR comments** | Skips gracefully (read-only token) | Works via app token | Works via app token | Skips gracefully | +| **Data leaves your CI?** | No | Yes | Yes | No | + +**Pick `diff-cover-action` if** you want diff coverage *and* diff quality (lint) in one step, you don't want vendor signups, and you don't need cross-PR trend history. + +**Pick Codecov / Coveralls if** you need historical trend graphs, organization dashboards, full-repo coverage tracking on non-PR commits, or coverage history retained outside CI logs. + +**Pick `5monkeys/cobertura-action` if** all you need is a Cobertura PR comment and you don't care about lint/quality, lcov, or JaCoCo. --- @@ -157,7 +191,7 @@ The same coverage table also appears in the **Actions > Job Summary** tab so you --- -## Quick Start +## Common Patterns ### Coverage Mode 
@@ -487,7 +521,11 @@ Report coverage without failing the step: ## Contributing -See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines. +See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines. Participation in this project is governed by the [Code of Conduct](CODE_OF_CONDUCT.md). + +## Security + +Found a vulnerability? Please report it privately — see [SECURITY.md](SECURITY.md) for the reporting policy and supported versions. ## License diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..a95c267 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,66 @@ +# Security Policy + +`diff-cover-action` runs inside your GitHub Actions workflow with access to your repository content and a `GITHUB_TOKEN`. We take security reports seriously and ask that you report them privately so we can fix issues before they are publicly disclosed. + +## Supported Versions + +Only the latest major version receives security updates. + +| Version | Supported | +| ------- | ------------------ | +| `v2.x` | :white_check_mark: | +| `v1.x` | :x: (please upgrade) | + +The major-version tag (`@v2`) is moved on each compatible release, so pinning to `@v2` automatically receives security patches. Pinning to a SHA is supported and recommended for hardened environments — see the [release notes](https://github.com/Affanmir/diff-cover-action/releases) for the SHA of each version. + +## Reporting a Vulnerability + +**Please do not open a public GitHub issue for security reports.** + +Use one of the following private channels: + +1. **GitHub Security Advisory (preferred)** — open a private report at . This keeps the discussion private and lets us coordinate a fix and release together. +2. **Email** — `affan.amir@laam.pk` with the subject prefix `[diff-cover-action security]`. + +Please include: + +- A description of the vulnerability and its impact +- Steps to reproduce (a minimal repo or workflow snippet helps) +- Affected version(s) or commit SHA +- Any suggested mitigation, if you have one + +## What to Expect + +- **Acknowledgement**: within 5 business days. +- **Initial assessment**: within 10 business days, including whether we consider the report in scope and a rough remediation timeline. +- **Fix and release**: severity-dependent. Critical issues are prioritised; lower-severity issues are bundled into the next regular release. +- **Public disclosure**: typically once a fix has shipped and downstream users have had a reasonable upgrade window (target: 30 days after release for high/critical, sooner for low-impact). 
We will credit the reporter unless anonymity is requested. + +This is a solo-maintained open-source project — response times are best-effort, not contractual. + +## Scope + +**In scope** + +- The action code in this repository (`src/`, `entrypoint.py`, `action.yml`, `Dockerfile`, `templates/`) +- The published Docker image used at runtime +- Direct dependencies declared in `requirements.txt` +- Documentation that could mislead users into an insecure configuration + +**Out of scope** + +- Vulnerabilities in transitive dependencies that have no exploitable path through this action (please report those upstream) +- Misconfiguration in *consumer* workflows (e.g. a user passing `pull_request_target` with insufficient hardening); we will document safer patterns but cannot patch them centrally +- Issues in [`diff_cover`](https://github.com/Bachmann1234/diff_cover) itself — please report upstream +- Denial-of-service via unbounded user input that only impacts the user's own runner + +## Hardening Recommendations for Consumers + +If you are using this action in security-sensitive workflows: + +- Pin to a commit SHA (`uses: Affanmir/diff-cover-action@`) rather than a moving tag +- Grant the minimum required permissions (`contents: read`, `pull-requests: write`) +- Avoid `pull_request_target` unless you understand the [security implications](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) +- Review the [release notes](https://github.com/Affanmir/diff-cover-action/releases) before upgrading the major-version tag + +Thank you for helping keep `diff-cover-action` and its users safe. From 9d868fad917c3600307f9a31f2e2ebf3e733009d Mon Sep 17 00:00:00 2001 
From: Affan Amir Mir Date: Sat, 2 May 2026 19:03:14 +0500 Subject: [PATCH 2/2] docs: use personal OSS contact email in SECURITY and CODE_OF_CONDUCT Use affan.amir.mir@gmail.com (personal) instead of the LAAM work email for the public reporting channels. Co-Authored-By: Claude Opus 4.7 (1M context) --- CODE_OF_CONDUCT.md | 2 +- SECURITY.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 654425f..94d37ba 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -12,7 +12,7 @@ We adopt that document by reference rather than re-inlining it so that any futur If you experience or witness conduct that violates the Contributor Covenant in any project space, please report it privately: -- **Email**: `affan.amir@laam.pk` with subject prefix `[diff-cover-action conduct]` +- **Email**: `affan.amir.mir@gmail.com` with subject prefix `[diff-cover-action conduct]` - **GitHub**: open a private security advisory at and tag it `[conduct]` Reports are reviewed confidentially. Please include: diff --git a/SECURITY.md b/SECURITY.md index a95c267..c2ed79c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -20,7 +20,7 @@ The major-version tag (`@v2`) is moved on each compatible release, so pinning to Use one of the following private channels: 1. **GitHub Security Advisory (preferred)** — open a private report at . This keeps the discussion private and lets us coordinate a fix and release together. -2. **Email** — `affan.amir@laam.pk` with the subject prefix `[diff-cover-action security]`. +2. **Email** — `affan.amir.mir@gmail.com` with the subject prefix `[diff-cover-action security]`. Please include:
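Review bot: In the CODE_OF_CONDUCT.md hunk of patch 1, two link targets are empty as rendered here: the blockquote after "is available at:" contains only `>`, and the GitHub reporting bullet reads `open a private security advisory at and tag it` with no URL between "at" and "and". If these were angle-bracket autolinks they were dropped in transit; writing them as explicit `[text](url)` links (the Covenant URL already appears in the opening paragraph, and the advisory target is the repository's Security > Advisories page) makes them robust to that. Separately, routing conduct reports through the security-advisory form only works if private vulnerability reporting is enabled for the repository, and the section promises confidential review, so it should also say who on the repository side can read a `[conduct]` report.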
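Review bot: In the README hunk that adds the Quickstart (`@@ -12,24 +12,58 @@`), the workflow uses the moving tag `uses: Affanmir/diff-cover-action@v2` while the SECURITY.md added in the same patch recommends pinning to a commit SHA for hardened environments; a trailing comment on that line pointing readers to SECURITY.md, or one sentence after the block, keeps the two documents consistent without complicating the 60-second path. The `permissions` block (`contents: read`, `pull-requests: write`) matches the minimum stated in SECURITY.md, which is good, but the intro's "no token" should read "no external token", since that block is exactly what grants the built-in `GITHUB_TOKEN` write access to PR comments. Also, the Quickstart prose lists "Cobertura XML, lcov, or JaCoCo" while the comparison table's Coverage formats row adds Clover; one of the two should be corrected so the supported-format list is stated once.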
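Review bot: In the README hunk renaming `## Quick Start` to `## Common Patterns` (`@@ -157,7 +191,7 @@`), the new Quickstart's link to `#common-patterns` matches the new heading, but any existing `#quick-start` anchors elsewhere in the README, in docs, or in external links now dangle; grep the repository for `quick-start` before merging, and if external links are likely, keep a short pointer under the old heading text rather than removing it outright.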
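Review bot: In the SECURITY.md hunk, the two most important specifics are blank as shown here: the preferred channel reads `open a private report at .` with no URL, and the pinning example reads `uses: Affanmir/diff-cover-action@` with nothing after the `@`. If these were an angle-bracket autolink and a `<sha>` placeholder they were lost in transit; an explicit `[text](url)` link and a literal placeholder such as `@<full-commit-sha> # v2.x.y` (version in a comment so the pin stays readable) avoid that. Second, the Scope section lists the published Docker image as in scope and the hardening section recommends SHA pinning, but a SHA pin only covers the image if `action.yml` builds from the `Dockerfile` at that commit or references the image by digest; if it pulls a prebuilt image by tag, the policy should say so and recommend (or adopt) a digest reference, otherwise the pinning advice gives less assurance than it promises.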
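Review bot: In the patch 2 CODE_OF_CONDUCT.md hunk, the email swap is fine, but the unchanged context line directly below it still reads `open a private security advisory at and tag it` with no URL, so email is the only usable channel in this file as rendered; the link fix belongs in the same series. Also grep the rest of the repository (README, `action.yml`, package metadata) for the old `affan.amir@laam.pk` address, since the diffstat shows only the two files touched here.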
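Review bot: In the patch 2 SECURITY.md hunk, the context line above the change still shows the preferred channel as `open a private report at .` with an empty target, so after this change the personal mailbox is the only working vulnerability-reporting channel in the rendered policy; fill the advisory URL here, or the "preferred" label is misleading. The private-channel list now differs from CODE_OF_CONDUCT.md only in the subject prefix; consider keeping the contact details in one place (SECURITY.md) that the Code of Conduct links to, so the next contact change is a one-line edit instead of a two-file patch.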