[codex] Improve open source documentation governance #5
Merged
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| # Code of Conduct | ||
|
|
||
| ## 中文摘要 | ||
|
|
||
| - 用途:本文档说明 QuantStrategyLab 仓库中的讨论、issue、pull request 和 review 行为规范。 | ||
| - 主要覆盖:`Our Standards`、`Project Scope`、`Reporting and Enforcement`。 | ||
| - 阅读顺序:参与讨论或提交 PR 前先确认沟通边界;发现不当行为时联系维护者。 | ||
| - 风险提示:涉及投资、交易、密钥或实盘系统的讨论必须保持克制、可复现和证据导向。 | ||
|
|
||
| ## Our Standards | ||
|
|
||
| - Be respectful, direct, and evidence-oriented in issues, pull requests, reviews, and discussions. | ||
| - Assume technical disagreement is about the work. Keep feedback specific to code, docs, data, evidence, reproducibility, or operational risk. | ||
| - Avoid harassment, insults, discriminatory language, personal attacks, and repeated off-topic comments. | ||
| - Do not pressure maintainers or contributors to disclose private account details, credentials, trading records, unpublished data, or personal information. | ||
|
|
||
| ## Project Scope | ||
|
|
||
| QuantStrategyLab repositories involve research, automation, strategy artifacts, and trading-support systems. Contributions should keep financial claims conservative and verifiable, separate research evidence from live-trading decisions, and avoid presenting examples as investment advice. | ||
|
|
||
| ## Reporting and Enforcement | ||
|
|
||
| Report conduct concerns to the maintainer on GitHub: `@Pigbibi`. Maintainers may edit or remove comments, close issues or pull requests, restrict participation, or take other reasonable steps to protect contributors and project integrity. |
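Review bot: `## Reporting and Enforcement` routes conduct reports to a bare GitHub handle (`@Pigbibi`), and a mention or profile page is a public surface, so someone reporting harassment or an attempt to extract credentials or trading records (the exact behaviour `## Our Standards` forbids) has no confidential way to do it. Consider adding a contact that is not publicly visible (an email address, or whatever private channel the maintainer actually monitors) next to the handle. Separately, the `## 中文摘要` line describes this file as covering "QuantStrategyLab 仓库" while the CONTRIBUTING and SECURITY files in this same PR name `PoliticalEventTrackingResearch`; if this is a shared org-level template, say so in the summary, otherwise name the repository consistently across the three files.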
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| # Contributing | ||
|
|
||
| ## 中文摘要 | ||
|
|
||
| - 用途:本文档说明如何向 `PoliticalEventTrackingResearch` 提交低风险、可审阅的变更。 | ||
| - 主要覆盖:`Ground Rules`、`Documentation Standards`、`Branching and Pull Requests`、`Local Verification`。 | ||
| - 阅读顺序:先确认仓库边界和变更范围,再运行适合本仓库的本地校验。 | ||
| - 风险提示:涉及策略、artifact、自动化、密钥、云资源、券商或交易所行为的变更,必须先用测试环境、dry-run 或只读证据验证;不要只凭示例修改生产。 | ||
| - 英文正文保留更完整的命令、字段名和配置键;如果摘要和正文不一致,以正文中的实际命令和配置为准。 | ||
|
|
||
| Thanks for contributing to `PoliticalEventTrackingResearch`. | ||
|
|
||
| ## Ground Rules | ||
|
|
||
| - Prefer small pull requests with one clear purpose. | ||
| - Keep refactors separate from behavior, contract, workflow, or documentation changes. | ||
| - Preserve this repository's boundary as a public political event evidence pipeline; do not move broker execution, live-allocation decisions, private credentials, or unrelated platform logic into it. | ||
| - Add or update tests, examples, docs, or reproducible evidence when changing behavior or public contracts. | ||
|
|
||
| ## Documentation Standards | ||
|
|
||
| - Keep `README.md` as the entry point for project purpose, boundary, repository layout, quick start, and links to deeper docs. | ||
| - Put long-form runbooks, artifact contracts, evidence notes, and architecture details under `docs/` when they outgrow the README. | ||
| - Document inputs, outputs, required permissions, risk controls, and validation commands for workflows or scripts that touch external systems. | ||
| - Keep English and Chinese user-facing docs aligned when a change affects operators, contributors, or downstream platform users. | ||
|
|
||
| ## Branching and Pull Requests | ||
|
|
||
| - Create a topic branch for each change. | ||
| - Open a pull request with a concise summary, scope boundary, and concrete validation notes. | ||
| - Wait for CI to pass before merging. | ||
| - Do not include generated artifacts, private data, credentials, account identifiers, or local environment files unless the repository explicitly documents them as public examples. | ||
|
|
||
| ## Local Verification | ||
|
|
||
| Run the lightweight whitespace check for every change and the repository test command when code, contracts, workflows, or examples change: | ||
|
|
||
| ```bash | ||
| git diff --check | ||
| python -m pip install -e '.[test]' | ||
| python -m pytest -q | ||
| ``` | ||
|
|
||
| For documentation-only changes, at minimum review Markdown links, headings, and bilingual consistency before opening the pull request. |
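Review bot: `## Branching and Pull Requests` forbids committing credentials, account identifiers and local environment files, but `## Local Verification` only runs `git diff --check` (trailing whitespace and conflict markers) plus `pytest`, neither of which notices a secret sitting in the diff, so the rule has no check behind it. Suggest adding a secret-scanning step (a pre-commit hook or a CI job) to the verification list, or at minimum a sentence saying that local environment files are covered by the repository's `.gitignore` so they cannot be staged by accident. Minor: `python -m pip install -e '.[test]'` assumes the project declares a `test` extra in its packaging metadata; if it does not, pip only warns and the test dependencies are never installed, so confirm the extra exists before this lands as the documented command.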
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # Security Policy | ||
|
|
||
| ## 中文摘要 | ||
|
|
||
| - 用途:本文档说明如何报告 `PoliticalEventTrackingResearch` 的安全问题,以及密钥或凭证暴露时的处理顺序。 | ||
| - 主要覆盖:`Reporting a Vulnerability`、`Secret and Credential Exposure`、`Scope Notes`。 | ||
| - 阅读顺序:发现问题后先避免公开泄露,再通过私密渠道提供最小复现信息。 | ||
| - 风险提示:涉及实盘、密钥、权限、Cloud Run、GitHub Actions、交易所或券商 API 的问题,不要开公开 issue 或贴出敏感日志。 | ||
| - 英文正文保留更完整的命令、字段名和配置键;如果摘要和正文不一致,以正文中的实际命令和配置为准。 | ||
|
|
||
| Thanks for helping keep `PoliticalEventTrackingResearch` safe. | ||
|
|
||
| This repository is part of the QuantStrategyLab automation, research, or trading-support surface. Please do **not** open a public issue for vulnerabilities involving credentials, broker or exchange access, cloud resources, workflow tokens, private market data, account identifiers, order execution, or secret material. | ||
|
|
||
| ## Reporting a Vulnerability | ||
|
|
||
| - Contact the maintainer directly at GitHub: `@Pigbibi`. | ||
| - If private vulnerability reporting is enabled for this repository, prefer that channel. | ||
| - Include the repository name, affected commit or branch, environment details, and exact reproduction steps. | ||
| - Share only the minimum logs, payloads, or screenshots needed to reproduce the issue, and redact secrets or account identifiers. | ||
|
|
||
| ## Secret and Credential Exposure | ||
|
|
||
| If you suspect tokens, passwords, API keys, service-account keys, cookies, broker credentials, or workflow credentials were exposed: | ||
|
|
||
| 1. Rotate the exposed secrets immediately. | ||
| 2. Pause scheduled jobs, deployments, or external integrations if the exposure can affect automation, artifact publishing, notifications, or trading behavior. | ||
| 3. Remove the exposed material from open pull requests, issues, logs, and artifacts. | ||
| 4. Coordinate any required history rewrite or downstream credential update with the maintainer. | ||
|
|
||
| ## Scope Notes | ||
|
|
||
| Security fixes should stay minimal and focused. Please avoid bundling unrelated refactors, formatting churn, research changes, or feature work with a security report or patch. | ||
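Review bot: `## Secret and Credential Exposure` rotates and scrubs the exposed material but never asks anyone to check whether it was used: step 1 rotates, step 3 removes the text, step 4 rewrites history, yet nothing reviews the audit trail (GitHub Actions run history, cloud audit logs, broker or exchange API access logs) for activity between the exposure and the rotation. Suggest a step after rotation along the lines of "Review access and audit logs for the exposed credential over the exposure window and report any unexpected use to the maintainer." Two smaller points: step 3 should state that deleting the text from a pull request, issue or log does not un-expose the secret (it has already reached notification emails and clones, which is why rotation in step 1 is the real fix), and for the cookies and workflow tokens listed in the intro, "rotate" should explicitly include invalidating existing sessions and revoking the old token, not only issuing a new one.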
When GitHub private vulnerability reporting is not enabled for this repository, this policy tells reporters not to open a public issue but only gives a GitHub username; GitHub mentions/profile pages are not a guaranteed private contact mechanism. That leaves no actionable confidential path for credential or workflow-token disclosures, so the policy should include a concrete private channel or require enabling GitHub private vulnerability reporting.