Project manifest
What was checked
A machine-readable project manifest makes the repository reproducible and navigable.
Evidence
package.json— npm manifest
Next action
Add the standard manifest for the repository's primary language or build system.
MANIFLIGHT / REPOSITORY PREFLIGHT
All 24 evaluated checks passed. Review the evidence before using this snapshot in a release decision.
ready
100%Compared with baseline Maniflight. Status changes are separated from added and removed checks.
No readiness regressions detected. Improvements and other changes remain listed for review.
community/repository-metadata
Repository metadata
Status changed from
Unknown
to
Pass
Choose a domain to narrow the evidence. Select the repository core to restore the complete view.
A score is a navigation aid, not a certification. Use the evidence and confidence to make the decision.
25 checks shown
A machine-readable project manifest makes the repository reproducible and navigable.
package.json — npm manifestAdd the standard manifest for the repository's primary language or build system.
Production code is grouped under a recognizable application, package, or source directory.
src — Recognized source boundaryGroup production code under src/, app/, packages/, cmd/, internal/, or lib/.
The repository includes tests and a discoverable way to run them.
Add focused tests and expose a standard test command in the project manifest.
TypeScript repositories explicitly enable strict type checking.
tsconfig.json — strict mode is enabledAdd a tsconfig.json and enable compilerOptions.strict.
Declared npm entrypoints resolve to files in the inspected checkout.
package.json — bin.maniflight points to dist/cli.jsCorrect stale entrypoint paths or ensure required build outputs exist before publishing.
At least one readable GitHub Actions workflow is present.
.github/workflows/ci.yml — Readable workflow.github/workflows/codeql.yml — Readable workflow.github/workflows/dogfood.yml — Readable workflow.github/workflows/pages.yml — Readable workflowAdd a minimal validation workflow that runs on pull requests.
Pull requests run tests plus at least one additional quality gate.
.github/workflows/ci.yml — Runs on pull_request.github/workflows/codeql.yml — Runs on pull_request.github/workflows/dogfood.yml — Runs on pull_requestRun tests and lint, build, typecheck, or security checks for pull requests.
Workflow jobs have explicit timeout limits.
Set timeout-minutes on every workflow job to bound stalled runs.
Detected deployment jobs use an environment and workflow concurrency control.
No repository evidence was recorded for this check.
Use a protected environment and concurrency group for every deployment workflow.
The repository publishes a responsible vulnerability reporting route.
SECURITY.md — Security policy detectedAdd SECURITY.md with supported versions and a private reporting channel.
Dependency-bearing projects commit a recognized lockfile.
package-lock.json — Lockfile detectedGenerate and commit the ecosystem's lockfile.
A dependency update service is configured for repositories with manifests.
.github/dependabot.yml — Update automationConfigure Dependabot or Renovate for the detected package ecosystems.
Workflows explicitly scope the GITHUB_TOKEN and avoid write-all access.
Declare only the permissions each workflow or job requires.
External Actions and containers are pinned to immutable commit or digest references.
.github/workflows/ci.yml — Immutable reference.github/workflows/ci.yml — Immutable reference.github/workflows/codeql.yml — Immutable reference.github/workflows/codeql.yml — Immutable reference.github/workflows/codeql.yml — Immutable reference.github/workflows/dogfood.yml — Immutable reference.github/workflows/dogfood.yml — Immutable reference.github/workflows/dogfood.yml — Immutable reference.github/workflows/pages.yml — Immutable reference.github/workflows/pages.yml — Immutable reference.github/workflows/pages.yml — Immutable reference.github/workflows/pages.yml — Immutable reference.github/workflows/pages.yml — Immutable referencePin third-party Actions to a full 40-character commit SHA and containers to a digest.
pull_request_target workflows do not combine privileged context with a source checkout.
Use pull_request for untrusted code, or avoid checking out pull request code in privileged jobs.
Inline shell scripts do not interpolate attacker-controlled GitHub context directly.
Pass untrusted values through an environment variable and quote them in the shell.
The checkout does not contain common private-key, credential, secret, or environment filenames.
Remove sensitive files from version control, rotate exposed credentials, and add safe ignore rules.
The repository explains its purpose and basic use.
README.md — README detectedAdd a concise README with purpose, setup, use, and support information.
The repository declares how others may use and contribute to the project.
LICENSE — License detectedAdd an OSI-approved license file appropriate for the project.
Contributors have a documented development and review path.
CONTRIBUTING.md — Contribution guide detectedAdd CONTRIBUTING.md with setup, test, and pull request expectations.
The repository defines expected community behavior.
CODE_OF_CONDUCT.md — Code of conduct detectedAdd a recognized code of conduct and enforcement contact.
Issue forms or templates collect useful problem context.
.github/ISSUE_TEMPLATE/bug_report.yml — Issue template.github/ISSUE_TEMPLATE/feature_request.yml — Issue template.github/ISSUE_TEMPLATE/rule_proposal.yml — Issue template.github/ISSUE_TEMPLATE/support_question.yml — Issue templateAdd focused issue forms under .github/ISSUE_TEMPLATE/.
Pull requests prompt contributors for validation and context.
.github/pull_request_template.md — Pull request templateAdd a pull request template with summary, validation, and risk prompts.
Users can find an appropriate public or private support route.
SUPPORT.md — Support route detectedAdd SUPPORT.md and direct sensitive reports to a private channel.
The GitHub repository has a description and useful topics.
Set a concise repository description and relevant discovery topics on GitHub.
No checks match these filters. Reset the filters or broaden the search.