- enforce release creation only after successful CI build

- make CI dependency installation deterministic via `composer install` (lockfile-based)
- add security checks to CI (`composer audit`) and add `roave/security-advisories` to dev dependencies
- add professional repository standards: `SECURITY.md`, `CONTRIBUTING.md`, CODEOWNERS, issue and PR templates

Author: juradee

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @dorazil

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,47 @@
+name: Bug report
+description: Report a reproducible defect
+title: "[Bug]: "
+labels:
+  - bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting a bug. Please provide enough details to reproduce it.
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: What is wrong?
+      placeholder: Briefly describe the issue.
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Package version
+      placeholder: e.g. 6.0.0
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to reproduce
+      placeholder: |
+        1. ...
+        2. ...
+        3. ...
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual behavior
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,29 @@
+name: Feature request
+description: Propose an enhancement
+title: "[Feature]: "
+labels:
+  - enhancement
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem statement
+      description: What limitation are you hitting?
+    validations:
+      required: true
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: What should be added or changed?
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+  - type: textarea
+    id: bc
+    attributes:
+      label: Backward compatibility impact
+      description: Note any possible BC impact for existing users.

.github/pull_request_template.md

@@ -0,0 +1,17 @@
+## Summary
+
+Describe the change and why it is needed.
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Refactor
+- [ ] Documentation update
+
+## Checklist
+
+- [ ] I ran `composer ci` locally
+- [ ] I added/updated tests where needed
+- [ ] I updated docs/changelog where needed
+- [ ] The change is backward compatible within current major version

.github/workflows/main.yml

@@ -2,14 +2,13 @@ name: CI build
 on: [ push, pull_request ]
 jobs:
     build:
-        name: PHP ${{ matrix.php-versions }} on ${{ matrix.operating-system }} ${{ matrix.extra-label }} ${{ matrix.composer-dependencies }}
+        name: PHP ${{ matrix.php-versions }} on ${{ matrix.operating-system }} ${{ matrix.extra-label }}
         runs-on: ${{ matrix.operating-system }}
         strategy:
             fail-fast: false
             matrix:
                 operating-system: [ ubuntu-latest ]
                 php-versions: [ '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
-                composer-dependencies: [ '', '--prefer-lowest' ]
                 extra-label: [ '' ]
                 include:
 
@@ -72,7 +71,7 @@ jobs:
                     restore-keys: ${{ runner.os }}-composer-
 
             -   name: Install Composer dependencies
-                run: composer update --no-progress --prefer-dist --optimize-autoloader ${{ matrix.composer-dependencies }}
+                run: composer install --no-progress --prefer-dist --optimize-autoloader
 
             -   name: Run CI Build
                 run: composer ci

CONTRIBUTING.md

@@ -0,0 +1,32 @@
+# Contributing
+
+Thank you for contributing to `webwingscz/fio-api-php`.
+
+## Development Setup
+
+Use WSL and project Docker setup:
+
+```bash
+wsl.exe --cd /home/dorazil/projects/fio-api-php bash -lc "docker compose -f docker/local/docker-compose.yml run --rm php composer install"
+```
+
+## Validation Before PR
+
+Run full checks before opening a PR:
+
+```bash
+wsl.exe --cd /home/dorazil/projects/fio-api-php bash -lc "docker compose -f docker/local/docker-compose.yml run --rm php composer ci"
+```
+
+## Pull Request Rules
+
+- Keep PRs focused and small.
+- Include tests for behavior changes and bug fixes.
+- Keep public API backward compatible within the same major line.
+- Update README or changelog notes when behavior/configuration changes.
+
+## Commit Message Guidance
+
+Use clear, imperative commit messages, for example:
+- `Fix PSR-12 formatting in uploader entities`
+- `Handle invalid JSON response in downloader`

README.md

@@ -79,9 +79,18 @@ Submitting bugs and feature requests
 ------------------------------------
 Bugs and feature request are tracked on [GitHub](https://github.com/webwingscz/fio-api-php/issues)
 
+Security
+--------
+Please report vulnerabilities according to [SECURITY.md](SECURITY.md).
+
+Contributing
+------------
+Contribution guidelines are available in [CONTRIBUTING.md](CONTRIBUTING.md).
+
 Author
 ------
 Martin Hujer - <https://www.martinhujer.cz>
+Jiří Dorazil - <https://www.webwings.cz>
 
 Changelog
 ----------
@@ -93,6 +102,10 @@ Changelog
 - improve downloader error handling for connection and invalid JSON responses
 - remove invalid bundled CA certificate fallback and use explicit certificate resolution
 - modernize coding standards from PSR-2 to PSR-12 and update PHP_CodeSniffer
+- enforce release creation only after successful CI build
+- make CI dependency installation deterministic via `composer install` (lockfile-based)
+- add security checks to CI (`composer audit`) and add `roave/security-advisories` to dev dependencies
+- add professional repository standards: `SECURITY.md`, `CONTRIBUTING.md`, CODEOWNERS, issue and PR templates
 
 ## 5.0.0 (2024-06-07)
 - [#31](https://github.com/mhujer/fio-api-php/pull/31) add `composer/ca-bundle` as a required dependency instead of bundled root cert (thx @feldsam!)

SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+Security fixes are provided for the latest stable major version.
+
+| Version | Supported |
+| --- | --- |
+| 6.x | Yes |
+| < 6.0 | No |
+
+## Reporting a Vulnerability
+
+Please do not open public issues for security vulnerabilities.
+
+Report vulnerabilities privately to:
+- dorazil@webwings.cz
+
+When reporting, include:
+- affected version
+- impact and attack scenario
+- minimal reproduction steps
+- suggested fix (if available)
+
+You will receive an initial response within 5 business days.

composer.json

@@ -38,7 +38,8 @@
     "squizlabs/php_codesniffer": "^3.10",
     "phpstan/phpstan": "^2.1",
     "phpstan/phpstan-phpunit": "^2.0",
-    "phpstan/phpstan-strict-rules": "^2.0"
+    "phpstan/phpstan-strict-rules": "^2.0",
+    "roave/security-advisories": "dev-latest"
   },
   "autoload": {
     "psr-4": {
@@ -52,10 +53,12 @@
   },
   "scripts": {
     "ci": [
+      "@security",
       "@phpstan",
       "@phpcs",
       "@test"
     ],
+    "security": "composer audit --locked --no-dev",
     "test": "phpunit",
     "phpcs": "phpcs --standard=PSR12 src && phpcs --standard=PSR12 tests",
     "phpstan": "phpstan analyse -c phpstan.neon"