
chore: add .github community health files and CI#11

Merged
w7-mgfcode merged 1 commit into main from chore/github-meta on Jun 27, 2026

Conversation

@w7-mgfcode (Owner) commented Jun 27, 2026

Summary

Adds a .github/ directory with community-health files and a CI pipeline, and lays the groundwork for branch protection on main (the CI jobs become the required status checks).

Added

File | Purpose
.github/workflows/ci.yml | CI — two status checks: ShellCheck (pinned shellcheck v0.10.0, -x, severity=warning, run on all 31 *.sh) and Compose Validate (docker compose config for each of the three project stacks).
.github/PULL_REQUEST_TEMPLATE.md | Bilingual PR checklist (shellcheck / health / tests / docs / no-secrets).
.github/ISSUE_TEMPLATE/bug_report.md | Bilingual bug template.
.github/ISSUE_TEMPLATE/feature_request.md | Bilingual feature template.
.github/ISSUE_TEMPLATE/config.yml | Issue chooser config + docs link.
.github/CODEOWNERS | Default review owner.
.github/dependabot.yml | Weekly updates for GitHub Actions + Docker base images.
.github/SECURITY.md | Bilingual vulnerability-reporting policy.

Validation

  • All YAML parses cleanly (ci.yml, dependabot.yml, config.yml).
  • CI parity checked locally before commit:
    • shellcheck -x --severity=warning is clean for all 31 scripts.
    • docker compose config succeeds for all three projects.
  • Issue templates have valid front matter.

Follow-up

Once this is merged and the CI has run on main, the ShellCheck and Compose Validate checks can be marked as required in the main branch protection rule (force-push and deletion are already blocked).

Summary by Sourcery

Add GitHub community health configuration and CI to standardize contributions and automated validation.

New Features:

  • Introduce a GitHub Actions CI workflow that runs ShellCheck on all shell scripts and validates all docker-compose configurations on pushes and pull requests to main.

Enhancements:

  • Add CODEOWNERS to define default review ownership for the repository.

CI:

  • Configure CI concurrency and permissions for the new ShellCheck and Compose validation jobs.

Deployment:

  • Ensure docker-compose stacks are syntactically validated in CI to guard against invalid deployments.

Documentation:

  • Document a bilingual security policy describing supported scope and coordinated vulnerability disclosure expectations.

Chores:

  • Add bilingual pull request and issue templates (bug report, feature request, and chooser config) to guide contributors.
  • Configure Dependabot to propose weekly updates for GitHub Actions and Docker base images used in the projects.

Summary by CodeRabbit

  • New Features

    • Added GitHub issue templates for bug reports and feature requests, with bilingual guidance and structured fields.
    • Added a pull request template to standardize contributor submissions.
    • Added a security policy with clear reporting instructions.
  • Documentation

    • Added repository guidance for code ownership, issue submission, and security reporting.
  • Chores

    • Added automated dependency update settings and CI checks for shell scripts and compose file validation.

- workflows/ci.yml: two status checks mirroring local validation —
  ShellCheck (pinned shellcheck v0.10.0, -x, severity=warning, all *.sh) and
  Compose Validate (docker compose config for each project stack).
- PULL_REQUEST_TEMPLATE.md: bilingual checklist (shellcheck/health/tests/docs/secrets).
- ISSUE_TEMPLATE/: bilingual bug_report + feature_request + config.
- CODEOWNERS, dependabot.yml (github-actions + docker), SECURITY.md.

These provide the status-check contexts intended to be required by the main
branch protection rule.
@sourcery-ai (bot) commented Jun 27, 2026

Reviewer's Guide

Adds a .github/ directory with a CI workflow (ShellCheck + docker compose validation), bilingual PR/issue/security templates, Dependabot configuration, and CODEOWNERS, laying the groundwork for enforcing required status checks on main.

Sequence diagram for new CI status checks on main

sequenceDiagram
  actor Developer
  participant GitHub
  participant CI_Workflow as CI_workflow_ci_yml
  participant ShellCheck as Job_ShellCheck
  participant ComposeValidate as Job_Compose_Validate
  participant BranchProtectionMain

  Developer->>GitHub: push / pull_request to main
  GitHub->>CI_Workflow: trigger workflow CI

  CI_Workflow->>ShellCheck: start job ShellCheck
  CI_Workflow->>ComposeValidate: start job Compose Validate

  ShellCheck->>ShellCheck: run shellcheck -x --severity=warning on *.sh
  ComposeValidate->>ComposeValidate: run docker compose config for each project

  ShellCheck-->>GitHub: status check ShellCheck
  ComposeValidate-->>GitHub: status check Compose Validate

  GitHub->>BranchProtectionMain: evaluate required checks ShellCheck, Compose Validate
  BranchProtectionMain-->>Developer: allow or block merge to main

File-Level Changes

Change | Details | Files
Introduce GitHub Actions CI pipeline with ShellCheck and docker compose validation as independent required gates.
  • Add a CI workflow triggered on pushes and PRs to main with two jobs: ShellCheck and Compose Validate
  • Install a pinned ShellCheck v0.10.0 on ubuntu-latest runners and lint all tracked .sh files (excluding .git) with -x and severity=warning, failing the job on any warning or error while grouping output per file
  • Add a compose validation job that runs docker compose config --quiet for each of the three project directories, ensuring a .env exists by copying from .env.example when needed, and failing if any expected compose file is missing
  • Configure workflow-level permissions (contents: read) and a concurrency group per-ref with cancel-in-progress to avoid overlapping runs
.github/workflows/ci.yml
Add bilingual pull request and issue templates plus a security policy to standardize contribution and reporting workflows.
  • Create a bilingual pull request template with project/area checkboxes, change-type classification, and a checklist emphasizing shellcheck cleanliness, stack health, tests, docs, and secret hygiene
  • Add bilingual bug report and feature request issue templates with structured sections (description, affected project, repro steps / motivation, proposed solution, environment, logs, etc.)
  • Add a bilingual SECURITY.md describing supported scope, educational/lab-only intent, and private vulnerability reporting channels via GitHub security advisories or email
.github/PULL_REQUEST_TEMPLATE.md
.github/ISSUE_TEMPLATE/bug_report.md
.github/ISSUE_TEMPLATE/feature_request.md
.github/SECURITY.md
Configure repository-level automation and ownership via Dependabot, issue template config, and CODEOWNERS.
  • Add a Dependabot configuration to create weekly PRs for GitHub Actions updates and Docker base image updates across all directories, with labeled, prefixed commit messages
  • Configure the issue template chooser to keep blank issues enabled while adding a documentation contact link pointing to the repo docs tree
  • Add a CODEOWNERS file to define default review ownership for the repository (content not shown in diff but file is created)
.github/dependabot.yml
.github/ISSUE_TEMPLATE/config.yml
.github/CODEOWNERS


@coderabbitai (bot) commented Jun 27, 2026

Caution: review failed. Pull request was closed or merged during review.

Walkthrough

Adds GitHub repository governance files for ownership, issue and pull request templates, security guidance, Dependabot rules, and a CI workflow that runs ShellCheck and docker compose validation.

Changes

Repository governance and automation

Layer | File(s) | Summary
Ownership and security policy
.github/CODEOWNERS, .github/SECURITY.md
CODEOWNERS sets repository ownership rules, and SECURITY.md adds bilingual deployment scope and vulnerability reporting guidance.
Issue templates and config
.github/ISSUE_TEMPLATE/*
Issue template configuration enables blank issues and contact links, and the bug and feature templates add bilingual prompts, metadata, and project selectors.
Pull request template
.github/PULL_REQUEST_TEMPLATE.md
The PR template adds bilingual summary, affected-projects, checklist, and testing sections.
Dependabot rules
.github/dependabot.yml
Dependabot is configured for weekly GitHub Actions and Docker update checks with commit prefixes and labels.
CI workflow checks
.github/workflows/ci.yml
The CI workflow adds push and pull_request triggers, read-only permissions, concurrency control, a ShellCheck job, and a compose validation job.

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions as GitHub Actions
  participant CIWorkflow as CI workflow
  participant ShellCheckJob as ShellCheck job
  participant ComposeValidateJob as compose-validate job
  GitHubActions->>CIWorkflow: trigger on push and pull_request to main
  CIWorkflow->>ShellCheckJob: run ShellCheck v0.10.0 over shell scripts
  CIWorkflow->>ComposeValidateJob: validate docker-compose.yml files
  ShellCheckJob-->>CIWorkflow: fail on warnings or errors
  ComposeValidateJob-->>CIWorkflow: return compose config status

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I hop through templates, neat and bright,
With CI checks that bark all night. 🐇
Shells stay tidy, compose files sing,
And security bells go ting-a-ling.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the addition of community health files and CI under .github/.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

@sourcery-ai (bot) left a comment

Hey, I've found 1 issue and left some high-level feedback:

  • In the ShellCheck job, consider using find ... -print0 combined with while IFS= read -r -d '' script to make the loop robust to script paths containing spaces or unusual characters.
  • You might want to restrict the workflow triggers with paths/paths-ignore so the CI only runs when .sh scripts or compose files change, avoiding unnecessary runs on docs-only or meta changes.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In the ShellCheck job, consider using `find ... -print0` combined with `while IFS= read -r -d '' script` to make the loop robust to script paths containing spaces or unusual characters.
- You might want to restrict the workflow triggers with `paths`/`paths-ignore` so the CI only runs when `.sh` scripts or compose files change, avoiding unnecessary runs on docs-only or meta changes.

## Individual Comments

### Comment 1
<location path=".github/dependabot.yml" line_range="15-16" />
<code_context>
+      - "github-actions"
+
+  # Keep Docker base images (Dockerfile FROM lines) across all projects current.
+  - package-ecosystem: "docker"
+    directories:
+      - "/**"
+    schedule:
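Review bot: `directories: ["/**"]` in this hunk and the single `directory` that the comment above asks for are two mutually exclusive forms of the same setting, so the check to make before editing is whether this repository's Dependabot accepts the multi-directory form at all: after the first scheduled run, the Dependabot tab under Insights > Dependency graph either reports a configuration error or shows the docker updater's log with the directories it scanned, and weekly PRs against `FROM` lines (the target the hunk's own comment names) are the observable result. Independently of which key is used, the `/**` glob walks every directory in the repository, so a Dockerfile in a vendored or fixture directory would be tracked too; listing the three project directories explicitly keeps the updater scoped to the same stacks the Compose Validate job checks.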
</code_context>
<issue_to_address>
**issue (bug_risk):** Use `directory` instead of `directories` for the Docker ecosystem config.

Dependabot’s `docker` ecosystem only supports a single `directory` field; `directories` is not recognized and will be ignored. To cover all Dockerfiles, use a single `directory` (e.g. `/`) or define multiple `updates` entries, each with its own `directory`.
</issue_to_address>


Comment thread .github/dependabot.yml
Comment on lines +15 to +16
- package-ecosystem: "docker"
directories:


issue (bug_risk): Use directory instead of directories for the Docker ecosystem config.

Dependabot’s docker ecosystem only supports a single directory field; directories is not recognized and will be ignored. To cover all Dockerfiles, use a single directory (e.g. /) or define multiple updates entries, each with its own directory.
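A workflow that implements the two jobs the way the reviewer's guide above describes them, with the NUL-delimited script loop suggested in the review folded in, as an added example. It is not the project's ci.yml, which the PR page does not show. Assumptions: the three stacks are taken to live in directories named stack-a, stack-b and stack-c, which the page never names; the SHELLCHECK_SHA256 value is a placeholder to be replaced with the digest of the v0.10.0 release tarball computed once locally; and actions/checkout is referenced by tag, where a production file would pin a commit SHA.

```yaml
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Neither job writes to the repository, so the token issued to both jobs is read-only.
permissions:
  contents: read

# One run per ref at a time; a newer push to the same branch cancels the stale run.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

env:
  SHELLCHECK_VERSION: v0.10.0
  # Placeholder (assumption): replace with the sha256 of the release tarball,
  # computed once locally. The install step refuses a tarball whose digest
  # differs, so a swapped release asset never reaches the lint step.
  SHELLCHECK_SHA256: "0000000000000000000000000000000000000000000000000000000000000000"

jobs:
  shellcheck:
    name: ShellCheck
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in production

      - name: Install pinned ShellCheck
        run: |
          set -euo pipefail
          tarball="shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz"
          curl -fsSL --retry 3 -o "$tarball" \
            "https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION}/${tarball}"
          echo "${SHELLCHECK_SHA256}  ${tarball}" | sha256sum -c -
          tar -xJf "$tarball"
          mkdir -p "$HOME/.local/bin"
          install -m 0755 "shellcheck-${SHELLCHECK_VERSION}/shellcheck" "$HOME/.local/bin/shellcheck"
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      - name: Lint every tracked *.sh
        run: |
          set -euo pipefail
          shellcheck --version
          status=0
          # git ls-files -z lists only tracked files, NUL-separated, so .git/ and
          # untracked scratch files are skipped and paths with spaces survive.
          while IFS= read -r -d '' script; do
            echo "::group::${script}"
            shellcheck -x --severity=warning "$script" || status=1
            echo "::endgroup::"
          done < <(git ls-files -z -- '*.sh')
          exit "$status"

  compose-validate:
    name: Compose Validate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in production

      - name: Validate each stack
        run: |
          set -euo pipefail
          status=0
          # Assumption: the three stacks live in these directories; the PR page
          # does not name them, so adjust to the repository layout.
          for project in stack-a stack-b stack-c; do
            compose="${project}/docker-compose.yml"
            if [ ! -f "$compose" ]; then
              echo "::error file=${compose}::expected compose file is missing"
              status=1
              continue
            fi
            # compose config interpolates variables from .env; fall back to the
            # committed example so a missing .env is not mistaken for a broken
            # stack (a real .env holding secrets is never committed).
            if [ ! -f "${project}/.env" ] && [ -f "${project}/.env.example" ]; then
              cp "${project}/.env.example" "${project}/.env"
            fi
            echo "::group::${project}"
            docker compose --project-directory "$project" -f "$compose" config --quiet || status=1
            echo "::endgroup::"
          done
          exit "$status"
```

Two points worth weighing before copying this. The review's suggestion to add `paths`/`paths-ignore` filters does not combine well with the follow-up plan of making these jobs required checks: a workflow skipped by a path filter never reports a status, so the branch protection rule keeps a docs-only PR unmergeable; the usual way out is to run the checks unconditionally, as above, or to add a job that always reports. And `shellcheck -x` follows `source` lines, so a helper that is not itself a tracked `*.sh` file is still linted through every script that sources it; that is also why the job lints each file separately rather than passing the whole list in one invocation, so one script's findings appear under its own log group.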

@w7-mgfcode w7-mgfcode merged commit ddf9a1c into main Jun 27, 2026
5 of 6 checks passed