diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 0000000..e33328c --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -0,0 +1,73 @@ +name: Bug report +description: Something is not working as expected +labels: ["bug", "needs-triage"] +body: + - type: markdown + attributes: + value: | + Before filing a bug, check whether it has already been reported in [existing issues](https://github.com/ratifydata/ratify/issues). + + The more specific you are, the faster we can reproduce and fix the problem. + + - type: textarea + id: what-happened + attributes: + label: What happened + description: A clear description of the bug. What did you do, what did you expect, and what actually happened? + placeholder: | + I ran `ratify contract activate ` and expected the contract status to change to "active". + Instead, the CLI exited with error: "failed to connect to database: connection refused". + validations: + required: true + + - type: textarea + id: steps + attributes: + label: Steps to reproduce + description: The exact steps needed to reproduce the bug. Be as specific as possible. + placeholder: | + 1. Start the server with `docker compose up` + 2. Create a contract with `ratify contract create` + 3. Run `ratify contract activate ` + 4. See error + validations: + required: true + + - type: textarea + id: expected + attributes: + label: Expected behaviour + description: What should have happened? + validations: + required: true + + - type: textarea + id: environment + attributes: + label: Environment + description: Fill in the details for your setup. + value: | + - Ratify version (or commit hash): + - Go version (`go version`): + - OS: + - PostgreSQL version: + - Deployment method (docker compose / binary): + validations: + required: true + + - type: textarea + id: logs + attributes: + label: Relevant logs or error output + description: Paste any relevant log output here. The server logs structured JSON — the full log line is more useful than just the message. + render: shell + + - type: checkboxes + id: checklist + attributes: + label: Before submitting + options: + - label: I have searched existing issues and this has not been reported before + required: true + - label: I am running the latest version of Ratify + required: false \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..f3ae2d3 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,8 @@ +blank_issues_enabled: false +contact_links: + - name: Discord - quick questions + url: https://discord.gg/RVU3cdRs9z + about: For quick questions, Discord is faster than a GitHub issue. + - name: Security vulnerability + url: https://github.com/ratifydata/ratify/security/advisories/new + about: Report security vulnerabilities privately using GitHub's advisory system. \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 0000000..c19b7a3 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -0,0 +1,69 @@ +name: Feature request +description: Suggest something new or an improvement to existing behaviour +labels: ["enhancement", "needs-triage"] +body: + - type: markdown + attributes: + value: | + Feature requests are most useful when they are grounded in a real problem. + "It would be cool if..." requests are harder to act on than "I keep running into this situation and here is what I need." + + If you are not sure whether something is worth requesting, bring it up in [Discord](https://discord.gg/RVU3cdRs9z) first. + + - type: textarea + id: problem + attributes: + label: What problem are you running into + description: Describe the situation that prompted this request. What are you trying to do, and what is getting in the way? + placeholder: | + When I have 20+ consumers registered on a contract, the proposal notification emails + are going to individual addresses. I need a way to send to a team distribution list + instead of enumerating every person. + validations: + required: true + + - type: textarea + id: solution + attributes: + label: What you would like to see + description: Describe the behaviour you want. Be specific about the interface — CLI command, API endpoint, UI element, config option, whatever is relevant. + placeholder: | + Allow a team to have a single notification_email field that receives all proposal + notifications for that team, instead of sending to each team member individually. + validations: + required: true + + - type: textarea + id: alternatives + attributes: + label: What you have tried instead + description: How are you working around this today? Understanding the workaround helps us understand the severity of the gap. + + - type: dropdown + id: area + attributes: + label: Which area of the tool does this relate to + options: + - Contract authoring + - Change proposals + - Consumer notifications + - Breach detection + - Audit trail + - CLI + - Web UI + - API + - Docker / deployment + - Documentation + - Other + validations: + required: true + + - type: checkboxes + id: checklist + attributes: + label: Before submitting + options: + - label: I have searched existing issues and this has not been requested before + required: true + - label: I have checked the roadmap in the README and this is not already planned + required: false \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/question.yml b/.github/ISSUE_TEMPLATE/question.yml new file mode 100644 index 0000000..cf2cead --- /dev/null +++ b/.github/ISSUE_TEMPLATE/question.yml @@ -0,0 +1,44 @@ +name: Question +description: Something is unclear or you need help understanding how Ratify works +labels: ["question"] +body: + - type: markdown + attributes: + value: | + For quick questions, [Discord](https://discord.gg/RVU3cdRs9z) is faster than GitHub issues. + + Use this form if your question is detailed enough that it might be worth turning into documentation once answered. + + - type: textarea + id: question + attributes: + label: What would you like to understand + description: Ask your question as specifically as you can. Include what you have already read or tried. + validations: + required: true + + - type: textarea + id: context + attributes: + label: What you have already tried or read + description: This helps avoid repeating things you already know and gets to the useful part faster. + + - type: dropdown + id: area + attributes: + label: Which area does your question relate to + options: + - Getting started / installation + - Contract authoring + - Change proposals + - Consumer notifications + - Breach detection + - Audit trail + - CLI usage + - Web UI + - API + - Docker / deployment + - Contributing to the codebase + - Other + validations: + required: true \ No newline at end of file diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..194377b --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,21 @@ +## What this PR does + + + +## How to test it + + + +## Checklist + +- [ ] I have run `go test ./...` and all tests pass +- [ ] I have run `golangci-lint run ./...` and there are no lint errors +- [ ] I have run `npm run lint` and `npm run format:check` if I changed frontend code +- [ ] I have added tests for new behaviour (or explained why tests are not needed) +- [ ] I have updated `CHANGELOG.md` under `[Unreleased]` if this changes behaviour +- [ ] My commit messages follow the Conventional Commits format (`feat:`, `fix:`, etc.) + +## Related issues + + \ No newline at end of file diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..521cd8a --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,72 @@ +version: 2 + +updates: + - package-ecosystem: "gomod" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "08:00" + timezone: "UTC" + groups: + go-dependencies: + patterns: + - "*" + cooldown: + default-days: 3 + semver-major-days: 14 + ignore: + - dependency-name: "*" + update-types: ["version-update:semver-major"] + commit-message: + prefix: "chore" + include: "scope" + labels: + - "dependencies" + - "go" + + - package-ecosystem: "npm" + directory: "/frontend" + schedule: + interval: "weekly" + day: "monday" + time: "08:00" + timezone: "UTC" + groups: + npm-dependencies: + patterns: + - "*" + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 7 + semver-patch-days: 7 + ignore: + - dependency-name: "*" + update-types: ["version-update:semver-major"] + commit-message: + prefix: "chore" + include: "scope" + labels: + - "dependencies" + - "frontend" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "08:00" + timezone: "UTC" + groups: + github-actions: + patterns: + - "*" + cooldown: + default-days: 3 + commit-message: + prefix: "chore" + include: "scope" + labels: + - "dependencies" + - "ci" \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..f09b0a4 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,56 @@ +# Changelog + +All notable changes to Ratify are recorded here. + +The format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +Ratify uses [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +Until v1.0, breaking changes may happen between minor versions. +After v1.0, we commit to not breaking the API within a major version. + +--- + +## [Unreleased] + +### Added +- Initial project structure and repository setup +- Go module initialised (`github.com/ratifydata/ratify`) +- React + TypeScript + Vite frontend scaffold +- GitHub Actions CI pipeline (Backend, Frontend, Security, PR Title Format) +- Docker Compose local development environment with PostgreSQL 16 +- Two-stage production Dockerfile, final image under 50MB +- Air live-reload development Dockerfile +- Environment variable loading via Viper (`internal/config`) +- Database migration runner via golang-migrate (`internal/db`) +- `GET /health` endpoint - returns `{"status":"ok","database":"ok","version":"0.1.0"}` +- HTTP server with graceful shutdown on SIGINT/SIGTERM +- Chi router with Logger and Recoverer middleware +- pgx/v5 connection pool +- pgcrypto extension enabled via migration 000001 (required for UUID generation) +- Structured JSON logging via `log/slog` +- golangci-lint v2 configuration +- Prettier + ESLint frontend code quality tooling +- `.gitattributes` enforcing Unix line endings + +--- + +## How this file works + +Every pull request that changes behaviour - new features, bug fixes, +deprecations, removals - adds an entry to the `[Unreleased]` section +above under the appropriate heading. + +When we cut a release, the `[Unreleased]` section becomes the new +version entry (e.g. `[0.2.0] - 2026-07-01`) and a fresh `[Unreleased]` +section is opened above it. + +**Heading types used in this file:** + +- `Added` - new features or capabilities +- `Changed` - changes to existing behaviour +- `Deprecated` - features that will be removed in a future version +- `Removed` - features removed in this version +- `Fixed` - bug fixes +- `Security` - security fixes (always include the CVE or advisory link if one exists) + +Not every commit needs a changelog entry. Dependency updates, refactors that do not change behaviour, and internal tooling changes do not need one. Features, fixes, and anything that changes how the tool behaves do. \ No newline at end of file diff --git a/frontend/.npmrc b/frontend/.npmrc new file mode 100644 index 0000000..82fc414 --- /dev/null +++ b/frontend/.npmrc @@ -0,0 +1,4 @@ +# Enforce security boundaries inside npm package lifecycles +ignore-scripts=true +save-exact=true +min-release-age=7 \ No newline at end of file