6cac50f
6cac50f8031792e8981acd6b83739c8d9d7bc0dce0e2add
036c3ad| Status | File | + | - |
|---|---|---|---|
| A |
CONTRIBUTING.md
|
23 | 0 |
| A |
README.md
|
48 | 0 |
| A |
SECURITY.md
|
33 | 0 |
CONTRIBUTING.mdadded@@ -0,0 +1,23 @@ | ||
| 1 | +# Contributing to shithub | |
| 2 | + | |
| 3 | +shithub is currently **pre-launch and closed to external contributions**. Once we cross v1.0.0 and the project's own source migrates to a self-hosted shithub instance, this document will be expanded with the full contribution workflow. | |
| 4 | + | |
| 5 | +In the meantime, if you find a security issue, please follow [SECURITY.md](SECURITY.md). | |
| 6 | + | |
| 7 | +## Post-launch (planned) | |
| 8 | + | |
| 9 | +- Code style: `gofumpt` + `goimports`. Lint via `golangci-lint`. | |
| 10 | +- Commit messages: terse, imperative, single-line unless the change requires elaboration. | |
| 11 | +- DCO sign-off on each commit (`git commit -s`). | |
| 12 | +- Tests: every change ships with tests proportional to its scope. Integration tests hit a real Postgres; we do not mock the DB seam. | |
| 13 | +- One change per pull request; small PRs are easier to review. | |
| 14 | + | |
| 15 | +## Development setup | |
| 16 | + | |
| 17 | +```sh | |
| 18 | +git clone https://github.com/tenseleyFlow/shithub.git | |
| 19 | +cd shithub | |
| 20 | +make dev | |
| 21 | +``` | |
| 22 | + | |
| 23 | +The full development guide will land in `docs/internal/contributing.md` post-launch. | |
README.mdadded@@ -0,0 +1,48 @@ | ||
| 1 | +# shithub | |
| 2 | + | |
| 3 | +GitHub. Open source. Without Copilot. | |
| 4 | + | |
| 5 | +shithub is a feature-complete, self-hostable, AGPL-licensed clone of GitHub. The full experience — repos, issues, pull requests, organizations, actions, social feed, search, settings, ssh & https git protocols — minus the AI integrations. | |
| 6 | + | |
| 7 | +> Status: pre-launch. Not yet hosted. The codebase is currently developed against an embedded plan; expect rapid change. | |
| 8 | + | |
| 9 | +## Why | |
| 10 | + | |
| 11 | +GitHub is a well-built platform with broad feature coverage. The aggressive Copilot push has changed the product's character. shithub aims to recreate the parts that worked while staying honest about what an open-source forge can be. | |
| 12 | + | |
| 13 | +## Quickstart (development) | |
| 14 | + | |
| 15 | +```sh | |
| 16 | +make dev # hot-reload server on http://localhost:8080 | |
| 17 | +make test # run tests | |
| 18 | +make build # build bin/shithubd | |
| 19 | +make ci # full CI pipeline locally (mirrors GitHub Actions) | |
| 20 | +``` | |
| 21 | + | |
| 22 | +Requires: | |
| 23 | +- Go 1.22+ | |
| 24 | +- `golangci-lint`, `gofumpt`, `goimports`, `air` (installed via `go install` per the Makefile or Homebrew) | |
| 25 | + | |
| 26 | +## Layout | |
| 27 | + | |
| 28 | +``` | |
| 29 | +cmd/shithubd/ # main entry point + subcommands (web, ssh, worker, migrate, version, ...) | |
| 30 | +internal/ # domain packages (web, auth, repo, git, issues, pulls, ...) | |
| 31 | +templates/ # html/template files | |
| 32 | +static/ # css, js, images, logo | |
| 33 | +migrations/ # SQL migrations | |
| 34 | +docs/ # public-facing docs | |
| 35 | +deploy/ # Ansible playbooks + systemd units | |
| 36 | +``` | |
| 37 | + | |
| 38 | +## License | |
| 39 | + | |
| 40 | +AGPLv3. See [LICENSE](LICENSE). | |
| 41 | + | |
| 42 | +## Status | |
| 43 | + | |
| 44 | +Pre-launch. See [CONTRIBUTING.md](CONTRIBUTING.md) for the current contribution posture. | |
| 45 | + | |
| 46 | +## Security | |
| 47 | + | |
| 48 | +To report a security issue, see [SECURITY.md](SECURITY.md). Please do not open a public issue for security reports. | |
SECURITY.mdadded@@ -0,0 +1,33 @@ | ||
| 1 | +# Security policy | |
| 2 | + | |
| 3 | +## Reporting a vulnerability | |
| 4 | + | |
| 5 | +shithub is pre-launch. The project does not yet have a dedicated security mailbox. For now, please open a private channel of communication with the maintainer (contact via GitHub) before disclosing publicly. | |
| 6 | + | |
| 7 | +Once shithub launches at its public domain, this policy will be updated with: | |
| 8 | + | |
| 9 | +- A dedicated `security@<domain>` mailbox | |
| 10 | +- A PGP public key for sensitive reports | |
| 11 | +- A response-time SLO (target: 72 hours initial acknowledgement) | |
| 12 | +- A scope statement covering the hosted instance plus the self-hosted code | |
| 13 | +- A coordinated-disclosure timeline | |
| 14 | + | |
| 15 | +## Out of scope (pre-launch) | |
| 16 | + | |
| 17 | +- Findings against unreleased / pre-launch builds in development environments | |
| 18 | +- Issues that require a foothold the maintainer's machine to exploit | |
| 19 | +- Theoretical findings without a working proof of concept | |
| 20 | + | |
| 21 | +## In scope (once launched) | |
| 22 | + | |
| 23 | +- Authentication / authorization bypasses | |
| 24 | +- Server-side request forgery | |
| 25 | +- Code injection (SQL, template, command, etc.) | |
| 26 | +- Cross-site scripting and CSRF | |
| 27 | +- Insecure cryptographic practices | |
| 28 | +- Resource exhaustion / denial-of-service vectors | |
| 29 | +- Information disclosure of private repo content | |
| 30 | + | |
| 31 | +## License | |
| 32 | + | |
| 33 | +This document evolves with the project. See [LICENSE](LICENSE) for shithub's overall licensing terms. | |