OSS snapshot

Author: NVCF OSS Bot

.github/CODEOWNERS

@@ -0,0 +1 @@
+*                  @NVIDIA/nvcf-dev

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,23 @@
+---
+name: Bug report
+about: Create a bug report to help us improve nvcf-go
+title: "[BUG]"
+labels: "Needs Triage, bug"
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**Steps/Code to reproduce bug**
+Follow [this guide](https://matthewrocklin.com/blog/work/2018/02/28/minimal-bug-reports) to craft a minimal bug report. This helps us reproduce the issue you're having and resolve the issue more quickly.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Additional context**
+Add any other context about the problem here.
+
+-----
+By submitting this issue, you agree to follow our [code of conduct](/CODE_OF_CONDUCT.md) and our [contributing guidelines](/CONTRIBUTING.md).

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# GitHub info on config.yml
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#configuring-the-template-chooser
+# Set to 'false' if you only want the templates to be used. 
+blank_issues_enabled: false
+
+# When using discussions instead of Question issue templates,
+# link that below to have it show up in the 'Submit Issue' page
+contact_links:
+  - name: Ask a Question
+    url: https://github.com/NVIDIA/nvcf-go/discussions
+    about: Please ask any questions here.
+  - name: Report a Security Vulnerability
+    type: security
+    url: https://www.nvidia.com/object/submit-security-vulnerability.html
+    about: Do not file security issues on GitHub. Use the NVIDIA PSIRT.

.github/ISSUE_TEMPLATE/documentation-request.md

@@ -0,0 +1,42 @@
+---
+name: Documentation request
+about: Report incorrect or needed documentation
+title: "[DOC]"
+labels: "Needs Triage, doc"
+assignees: ''
+
+---
+
+
+<!-- Fill out either incorrect documentation, or needed documentation and delete the unused section -->
+
+## Report incorrect documentation
+
+**Location of incorrect documentation**
+Provide links and line numbers if applicable.
+
+**Describe the problems or issues found in the documentation**
+A clear and concise description of what you found to be incorrect.
+
+**Steps taken to verify documentation is incorrect**
+List any steps you have taken:
+
+**Suggested fix for documentation**
+Detail proposed changes to fix the documentation if you have any.
+
+---
+
+## Report needed documentation
+
+**Report needed documentation**
+A clear and concise description of what documentation you believe it is needed and why.
+
+**Describe the documentation you'd like**
+A clear and concise description of what you want to happen.
+
+**Steps taken to search for needed documentation**
+List any steps you have taken:
+
+
+-----
+By submitting this issue, you agree to follow our [code of conduct](/CODE_OF_CONDUCT.md) and our [contributing guidelines](/CONTRIBUTING.md).

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,23 @@
+---
+name: Feature request
+about: Suggest an idea for nvcf-go
+title: "[FEA]"
+labels: "Needs Triage, feature request"
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I wish I could use nvcf-go to do [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context, code examples, or references to existing implementations about the feature request here.
+
+-----
+By submitting this issue, you agree to follow our [code of conduct](/CODE_OF_CONDUCT.md) and our [contributing guidelines](/CONTRIBUTING.md).

.github/ISSUE_TEMPLATE/submit-question.md

@@ -0,0 +1,14 @@
+---
+name: Submit question
+about: Ask a general question about nvcf-go
+title: "[QST]"
+labels: "Needs Triage, question"
+assignees: ''
+
+---
+
+**What is your question?**
+
+
+-----
+By submitting this issue, you agree to follow our [code of conduct](/CODE_OF_CONDUCT.md) and our [contributing guidelines](/CONTRIBUTING.md).

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,28 @@
+## Customer Summary (required for feat, fix, and perf MRs)
+<!--To include in the release notes. Use customer facing language to describe the effect on them.-->
+
+## TL;DR
+<!--Provide a brief description of the changes in this MR.-->
+
+## Additional Details (optional for docs, build, test, refactor, ci, chore, style, and revert MRs)
+<!-- - describe the intent of this MR -->
+<!-- - any limitations or possible things missing from this MR -->
+<!-- - what led to this change being made? this is optional extra information to help the reviewer -->
+
+## For the Reviewer
+<!--mention reviewers you wish to review this MR-->
+<!--call out specific files that should be looked at closely-->
+<!--any questions you need answered pertaining to this review-->
+
+## For QA (optional for docs, build, test, refactor, ci, chore, style, and revert MRs)
+<!--list steps you took to verify this change-->
+<!--Is QA Needed?-->
+
+## Issues: (use one of the action keywords Closes / Fixes / Resolves / Relates to)
+- Closes #XXX
+- If no issues are associated, use NO-REF
+
+## Checklist
+- [ ] I am familiar with the [Contributing Guidelines](/CONTRIBUTING.md).
+- [ ] New or existing tests cover these changes.
+- [ ] The documentation is up to date with these changes.

.github/dco.yml

@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# DCO (Developer Certificate of Origin) enforcement configuration.
+# This file is used by the DCO GitHub App (https://github.com/apps/dco).
+#
+# All commits in pull requests must include a Signed-off-by line:
+#   Signed-off-by: Your Name <your.email@example.com>
+#
+# Contributors can sign off using: git commit -s
+
+require:
+  members: true      # enforce DCO for org members
+  contributors: true # enforce DCO for external contributors

.github/workflows/ci.yml

@@ -0,0 +1,102 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# CI workflow for nvcf-go public GitHub repository.
+# Runs on push to main and on pull requests.
+#
+# External contributor sandboxing (SEC-1):
+#   PRs from non-collaborators require maintainer approval before workflows run.
+#   This is enforced via the repository's "Fork pull request workflows" setting
+#   (Settings → Actions → Fork pull request workflows from outside collaborators
+#    → set to "Require approval for all outside collaborators").
+
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  GO_VERSION: "1.24"
+
+jobs:
+  # ---------------------------------------------------------------------------
+  # Build — verify the library compiles cleanly
+  # ---------------------------------------------------------------------------
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Build
+        run: go build ./...
+
+  # ---------------------------------------------------------------------------
+  # Lint — static analysis
+  # ---------------------------------------------------------------------------
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Run go vet
+        run: go vet ./...
+
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: v2.1
+          args: --timeout=5m ./...
+
+  # ---------------------------------------------------------------------------
+  # Test — unit tests
+  # ---------------------------------------------------------------------------
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Run tests
+        run: go test -v -race -coverprofile=coverage.txt -covermode=atomic ./...
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@v4
+        if: always()
+        with:
+          files: coverage.txt
+          fail_ci_if_error: false

.github/workflows/security.yml

@@ -0,0 +1,89 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Security scanning workflow for nvcf-go public GitHub repository.
+# Runs on push to main and on a weekly schedule.
+
+name: Security Scan
+
+on:
+  push:
+    branches:
+      - main
+  schedule:
+    # Run weekly on Mondays at 08:00 UTC
+    - cron: "0 8 * * 1"
+  workflow_dispatch:
+
+env:
+  GO_VERSION: "1.24"
+
+jobs:
+  # ---------------------------------------------------------------------------
+  # Secret scanning — check for accidentally committed secrets
+  # ---------------------------------------------------------------------------
+  secret-scan:
+    name: Secret Scan (Gitleaks)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # full history for thorough scan
+
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # ---------------------------------------------------------------------------
+  # Dependency vulnerability scan
+  # ---------------------------------------------------------------------------
+  dependency-scan:
+    name: Dependency Scan (govulncheck)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck
+        run: govulncheck ./...
+
+  # ---------------------------------------------------------------------------
+  # SAST — CodeQL static analysis
+  # ---------------------------------------------------------------------------
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: go
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Build
+        run: go build ./...
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3