Add security and project harness

Adds local and CI tooling to keep the repo ASF-compliant and secure:

- prek (.pre-commit-config.yaml) with pre-commit / commit-msg / pre-push
  hooks: license-header insertion, trailing-whitespace/EOF/YAML/JSON checks,
  workflow + dependabot schema validation, a commit-msg hook that rejects
  Co-authored-by trailers, and a pre-push suite (tests, license allowlist,
  zizmor).
- Apache-2.0 license headers on all source files (js/py/sh/html), placed
  after shebangs and PEP-723 metadata blocks.
- Dependency license allowlist check (scripts/check-licenses.mjs) gating npm
  dependencies to ASF Category-A licenses; wired into CI and pre-push.
- Track package-lock.json files (un-ignored) for reproducible "npm ci".
- Dependabot coverage for mcp/apache-projects-mcp (cooldowns, like the others).
- Consolidate MCP CI into mcp-tests.yml (matrix over both servers x Node
  20/22, runs tests + license check); add static-checks.yml running prek.
- AGENTS.md documenting setup, the pre-push checks, and the ASF attribution
  policy (Generated-by, never Co-authored-by).

Generated-by: Claude Code 2.1.158 (Claude Opus 4.8)
30 files changed
tree: 85fb8063407926a92629b8db78931f832fde4fac
  1. .github/
  2. asf-highlights/
  3. mcp/
  4. project-activity/
  5. scripts/
  6. .asf.yaml
  7. .gitignore
  8. .pre-commit-config.yaml
  9. AGENTS.md
  10. LICENSE
  11. README.md
  12. SECURITY.md
README.md

ASF Comdev tools

ASF Community Development (ComDev) project partners with other groups across the ASF to provide resources, tools, programs, and advice in order to attract, retain, educate, and grow key communities around the Apache Software Foundation, in support of sustainability producing software for the public good.

Other repositories:

Contents of this repository:

  • asf-highlights - tools for finding foundation-wide activity
  • project-activities - tools for project-specific activity