Summary
The project already has useful CI and release automation scaffolding, but it still needs stronger production-grade security, supply-chain visibility, and release governance.
What already looks good
- Multi-language CI in `.github/workflows/ci.yml`
- Release orchestration in `.github/workflows/release.yml` and `release-please-config.json`
- WASM freshness checking in `.github/workflows/wasm-staleness.yml`
Production gaps to address
- Add a clear security policy and vulnerability disclosure path (`SECURITY.md`)
- Add dependency/security scanning and update hygiene for every ecosystem in the repo (Rust, JS, Python, etc.)
- Improve release integrity with checksums that are actually shipped alongside the artifacts, and consider SBOM / provenance / attestation support
- Tighten release gates and workflow hardening: a toolchain pinning strategy, least-privilege workflow permissions, and WASM staleness enforced as a failing check rather than a warning
- Clarify versioning and release expectations for a pre-alpha multi-package repository
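The checksum gap above is the one a downstream user feels first: a `SHA256SUMS` file only helps if it is generated from the exact artifacts that get published and can be verified offline. As an added example (not the project's own release tooling), here is a POSIX shell fragment that builds such a manifest for a directory of release artifacts and verifies it the way a release gate or an end user would. The artifact directory, the file names in the usage note, and the `_sha256sum` dispatch helper are assumptions for illustration:

```shell
#!/usr/bin/env sh
# Added example, not part of the project's release workflow.
# Assumes GNU `sha256sum` (coreutils); falls back to `shasum -a 256` on
# systems such as macOS where coreutils is not installed.
set -eu

# Dispatch to whichever SHA-256 tool is present. Both print "<hash>  <file>".
_sha256sum() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$@"
  else
    shasum -a 256 "$@"
  fi
}

# Write SHA256SUMS next to the artifacts in $1.
# Paths are recorded relative to the artifact directory so the manifest
# verifies wherever the user extracts the release; entries are sorted so
# the file is reproducible across runs. The manifest excludes itself.
write_checksums() {
  dir=$1
  (
    cd "$dir"
    find . -type f ! -name SHA256SUMS | sed 's|^\./||' | LC_ALL=C sort |
      while IFS= read -r f; do
        _sha256sum "$f"
      done > SHA256SUMS
  )
}

# Verify every entry in $1/SHA256SUMS. Exits non-zero if any listed file is
# missing or altered, or if the manifest is malformed (--strict), which is
# exactly what a pre-publish gate or a downstream installer should fail on.
verify_checksums() {
  dir=$1
  (cd "$dir" && _sha256sum --check --strict --quiet SHA256SUMS)
}

# Stand-alone use: ./checksums.sh <artifact-dir>
if [ "$#" -gt 0 ]; then
  write_checksums "$1" && verify_checksums "$1"
fi
```

In the release workflow, run `write_checksums` on the staged artifacts and upload `SHA256SUMS` together with them; running `verify_checksums` on the same directory before publishing makes the manifest a gate rather than an afterthought. A bare checksum only proves that a download matches what was uploaded, so signing the manifest (or emitting an attestation that covers it) is the natural next step toward the provenance item above.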
Proposed work
- Add `SECURITY.md` and document the supported disclosure/reporting flow
Acceptance criteria
- Security reporting and dependency hygiene are documented and automated
- Release artifacts include integrity metadata users can verify
- CI/release workflows enforce the intended gates consistently
- Maintainers have a documented path from alpha to stable release governance