
Post-release configuration checklist

Scope status (post-Scope-Freeze 2026-05-10) — See ARCHITECTURE.md for the canonical 37 MÓDULOs + 7 Test Kinds + DOM/CPOS/PIE-PA safety architecture. ADRs 0014, 0019-0025 cover post-Freeze additions.

8 actions that finalise the project's "production-ready GitHub posture". They live here (and not in code) because each one writes to a setting that lives outside the repository tree (branch protection, secret scanning, Pages, etc.) and can only be toggled by a user with Admin permission on the repository.

Each action takes between 5 seconds and 1 minute. Total: ≈ 5 minutes.

| Action | Why |
|---|---|
| 1. Enable Code Scanning | Lets CodeQL, Trivy and Scorecard publish their results to the Security tab. Today their SARIF uploads return 403; the workflows are tolerant of that, but you only get the value once this is on. |
| 2. Branch protection on main | Forbids direct pushes; requires a green PR before merge. |
| 3. Tag protection v* | Releases become immutable: signing matters. |
| 4. Enable GitHub Pages | Publishes the MkDocs Material site at https://nollagluiz.github.io/AI_forSE/. |
| 5. Enable Discussions | Q&A space separate from issues. |
| 6. Repo identity | Description, website, topics; improves search and social previews. |
| 7. Secret scanning and push protection | Blocks accidental commits of API keys / tokens. |
| 8. Pin on profile (optional) | Pins the repo on your GitHub profile. |

1. Enable Code Scanning

Open: https://github.com/nollagluiz/AI_forSE/settings/security_analysis

In the Code scanning section click Set up → Default, toggle the language(s) (javascript-typescript) and click Enable CodeQL.

What changes after the click:

  • The next push triggers codeql.yml; the SARIF upload now succeeds (instead of returning 403 as today, which we currently swallow with continue-on-error).
  • The same applies to image-scan.yml (Trivy SARIF) and scorecard.yml. From this point you can review issues on the Security → Code scanning tab.

Verify:

gh workflow run codeql.yml --ref main
sleep 60
gh run list --workflow=codeql.yml --limit 1

The newest run should now end in success, with a link to Code scanning alerts.


2. Branch protection on main

Open: https://github.com/nollagluiz/AI_forSE/settings/branches → Add classic branch protection rule (or Rules → Add ruleset, the modern equivalent).

Branch name pattern: main.

Toggle the following:

  • Require a pull request before merging
  • Require 1 approval.
  • ✅ Dismiss stale approvals when new commits are pushed.
  • ✅ Require review from CODEOWNERS (.github/CODEOWNERS already points at you).
  • Require status checks to pass before merging
  • ✅ Require branches to be up to date before merging.
  • In the search box, select these checks (they are produced by the workflows already in the repo):
    • agent — typecheck & test
    • dashboard — typecheck, lint, test, build
    • dashboard — license compliance
    • docker — build images
    • gitleaks
    • trivy — agent
    • trivy — dashboard
    • Analyze (javascript-typescript)
  • Require conversation resolution before merging
  • Require linear history (works hand in hand with the squash-merge policy described in CONTRIBUTING.md).
  • Do not allow bypassing the above settings.

Save.

Verify:

gh api /repos/nollagluiz/AI_forSE/branches/main/protection \
  --jq '.required_status_checks.contexts'

Should print the eight check names listed above.


3. Tag protection v*

Open: https://github.com/nollagluiz/AI_forSE/settings/tag_protection

  • Click Add rule.
  • Pattern: v*.
  • ✅ Restrict updates and deletion.
  • Save.

Verify:

gh api /repos/nollagluiz/AI_forSE/tags/protection

Should list the new pattern.


4. Enable GitHub Pages

Open: https://github.com/nollagluiz/AI_forSE/settings/pages

  • Source: GitHub Actions.
  • That's it — the existing docs.yml workflow takes care of the build and deploy.

Force the first deploy now:

gh workflow run docs.yml --ref main
sleep 60
gh run list --workflow=docs.yml --limit 1

Then open https://nollagluiz.github.io/AI_forSE/. The site has a left-side navigation with the architecture overview, ADRs and the three Ubuntu + k3s quick-starts (PT/EN/ES).


5. Enable Discussions

Open: https://github.com/nollagluiz/AI_forSE/settings

Scroll to the Features section and tick Discussions.

The link to "💬 Discussions / Q&A" in .github/ISSUE_TEMPLATE/config.yml goes live as soon as Discussions is enabled.


6. Repo identity

Open: https://github.com/nollagluiz/AI_forSE → click the gear ⚙ button next to About at the top right.

Fill in:

  • Description:

    1–300 Linux + Chromium synthetic agents driving real web access cycles, with an Apple-style cockpit.

  • Website: https://nollagluiz.github.io/AI_forSE/ (after step 4)
  • Topics:
    kubernetes, nextjs, playwright, synthetic-monitoring, tls13,
    prometheus, web-monitoring, postgres, helm, chromium, observability,
    cosign, sbom, opentofu, drizzle-orm, server-sent-events

(Optional) Settings → Social preview: upload a 1280×640 PNG so the repo gets a nice card on Slack/Twitter/LinkedIn.


7. Secret scanning and push protection

Open: https://github.com/nollagluiz/AI_forSE/settings/security_analysis

Toggle:

  • Secret scanning → Enable
  • Push protection → Enable

This is GitHub's first-party scanner. We also run gitleaks in CI for redundancy and to flag scoped tokens that GitHub doesn't yet recognise.
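The Verify commands in the steps above inspect one setting at a time. The script below is an added example, not part of the project's own tooling: it pulls the same endpoints through `gh api` and reports every setting from steps 2, 3, 4, 5 and 7 that is still missing. It assumes an authenticated gh CLI on the path and the eight check names from step 2; the two audit functions take the parsed JSON as arguments so they can be exercised on constructed payloads without network access.

```python
"""Audit the checklist's GitHub settings (steps 2-7) from `gh api` JSON."""
import json
import subprocess

REPO = "nollagluiz/AI_forSE"
REQUIRED_CHECKS = {  # the eight status checks step 2 requires before merge
    "agent — typecheck & test", "dashboard — typecheck, lint, test, build",
    "dashboard — license compliance", "docker — build images", "gitleaks",
    "trivy — agent", "trivy — dashboard", "Analyze (javascript-typescript)",
}

def gh_api(path):
    """Fetch one REST endpoint via the authenticated gh CLI (assumed installed);
    check=True raises CalledProcessError on non-2xx, e.g. 404 when main is unprotected."""
    out = subprocess.run(["gh", "api", path], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)

def branch_findings(protection):
    """Step 2: list the branch-protection settings that are not in place."""
    findings = []
    have = set(protection.get("required_status_checks", {}).get("contexts", []))
    if REQUIRED_CHECKS - have:
        findings.append("status checks not required: " + ", ".join(sorted(REQUIRED_CHECKS - have)))
    reviews = protection.get("required_pull_request_reviews", {})
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("fewer than 1 approval required")
    for key, label in (("dismiss_stale_reviews", "dismiss stale approvals"),
                       ("require_code_owner_reviews", "CODEOWNERS review")):
        if not reviews.get(key):
            findings.append(f"{label} not required")
    for key, label in (("required_linear_history", "linear history"),
                       ("required_conversation_resolution", "conversation resolution"),
                       ("enforce_admins", "no-bypass (enforce for admins)")):
        if not protection.get(key, {}).get("enabled"):
            findings.append(f"{label} not enforced")
    return findings

def repo_findings(repo, tag_rules):
    """Steps 3, 4, 5, 7: findings from the repo object and the tag-protection list."""
    findings = []
    if not any(rule.get("pattern") == "v*" for rule in tag_rules):
        findings.append("tag protection for v* missing")
    analysis = repo.get("security_and_analysis", {})
    for feature in ("secret_scanning", "secret_scanning_push_protection"):
        if analysis.get(feature, {}).get("status") != "enabled":
            findings.append(f"{feature} not enabled")
    for flag, label in (("has_discussions", "Discussions"), ("has_pages", "GitHub Pages")):
        if not repo.get(flag):
            findings.append(f"{label} disabled")
    return findings

if __name__ == "__main__":
    problems = branch_findings(gh_api(f"/repos/{REPO}/branches/main/protection"))
    problems += repo_findings(gh_api(f"/repos/{REPO}"), gh_api(f"/repos/{REPO}/tags/protection"))
    print("\n".join(problems) if problems else "all checklist settings are in place")
```

Run it after the eight actions; an empty report means the settings match the checklist, and each line otherwise names the step to revisit.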


8. Pin on profile

Open: https://github.com/nollagluiz?tab=overview → Customize your pins.

Tick AI_forSE so the repo shows on the public profile homepage.


After all 8 actions

Cut the next release. The release.yml workflow handles everything else automatically (multi-arch GHCR push, Cosign keyless signature, SBOM attestation, GitHub Release with auto-generated notes):

git checkout main
git pull origin main

git tag -a v1.1.0 -m "v1.1.0: top-tier GitHub posture (governance, supply-chain, Helm, docs)"
git push origin v1.1.0

Once it finishes, anyone can verify the published images:

cosign verify ghcr.io/nollagluiz/web-agent-agent:v1.1.0 \
  --certificate-identity-regexp "https://github.com/.*/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

If public consumers are expected to pull the images, flip them to public at https://github.com/nollagluiz?tab=packages. Each package has a Settings → Change visibility option.


Optional follow-ups (nice-to-have)

  • OpenSSF Best Practices badge: register the repo at https://www.bestpractices.dev/en and link the badge in README.md.
  • CII Best Practices (older equivalent) → same registration site.
  • OpenTelemetry collector + Grafana stack for traces — design documented in ADR 0005 follow-ups.
  • Multi-tenant workspace — discussed in the README "future roadmap" section; opens a tenant_id column across every table.

Maintainer: André Luiz Gallon — agallon@Cisco.com

Document version: 1.0.0 (matches the v1.0.0 release of the project)