This document explains how GitHub issue templates stay synchronized with JSON schemas and YAML data files in the CoSAI Risk Map repository. It provides guidance for both contributors and maintainers on managing template updates.
- Overview
- Schema Evolution Workflow
- Manual Synchronization Procedures
- Two-Week Sync Lag
- Testing Strategies
- Automated Workflows
- Troubleshooting
GitHub issue templates (.github/ISSUE_TEMPLATE/*.yml) contain dropdown menus and checkbox options that must match enums defined in JSON schemas (risk-map/schemas/*.schema.json) and data from YAML files (risk-map/yaml/*.yaml).
When schemas or YAML files change, templates may need updates to stay synchronized.
Schema Changes Requiring Template Updates:
- Adding/removing enum values (e.g., new control category, new risk ID)
- Adding/removing required fields
- Changing field descriptions or constraints
- Adding new cross-reference relationships
Schema Changes NOT Requiring Template Updates:
- Documentation updates in schema descriptions
- Constraint changes that don't affect dropdowns
- Internal validation rule changes
Templates must be updated when:
Affects: Dropdown menus and checkbox options in templates
Examples:
- New control category added to
controls.schema.json - New risk ID added to
risks.schema.json - New component category added to
components.schema.json - New framework added to
frameworks.schema.json
Templates to Update:
new_control.yml- If control categories changenew_risk.yml- If risk categories changenew_component.yml- If component categories change- Framework mappings in multiple templates if frameworks change
Affects: Field validation (marked with * in templates)
Examples:
- Previously optional field becomes required
- Required field becomes optional
- New required field added to schema
Templates to Update:
- Corresponding
new_*.ymltemplates - May affect validation blocks in templates
Affects: Which framework mapping fields appear in templates
Examples:
- STRIDE becomes applicable to controls (currently only risks)
- New framework added that applies to multiple entity types
Templates to Update:
- All templates with framework mapping sections
The CoSAI Risk Map uses a two-stage governance process:
-
Technical Review (develop branch)
- Schema changes reviewed by technical maintainers
- Merged to
developbranch after approval - Available for development and testing
-
Community Review (main branch)
- ~2 weeks after
developmerge - Community review period
- Merged to
mainbranch after approval
- ~2 weeks after
Problem: GitHub issue templates are served from the main branch.
Result: Template dropdown options lag behind develop by up to 2 weeks.
Timeline Example:
Day 0: New enum added to controls.schema.json
Day 0: Schema + template changes merge to develop
Day 0-14: develop branch has updated template
Day 14: develop merges to main
Day 14+: main branch has updated template (available to users)
For Contributors:
If you're proposing an entity using a newly added enum:
- Option 1: Wait ~2 weeks for
develop→mainmerge - Option 2: Use free-form text fields (most templates have both dropdowns and textareas)
- Option 3: Note in "Additional Context" that you're using an enum from
develop
For Maintainers:
- Clearly communicate sync lag to contributors
- Accept proposals using valid-but-not-yet-in-dropdown values
- Prioritize template updates when merging significant schema changes
Current:
- Documentation explains the lag (this document + issue-templates-guide.md)
- Templates provide free-form alternatives to dropdowns
- Maintainers accommodate early adopters
Templates automatically regenerate when you commit changes to template dependencies.
When you modify any template dependency files, the pre-commit hook:
- Detects changes to:
- Template sources:
scripts/TEMPLATES/*.template.yml - Schema files:
risk-map/schemas/*.schema.json - Framework configuration:
risk-map/yaml/frameworks.yaml
- Template sources:
- Automatically runs the generator
- Updates
.github/ISSUE_TEMPLATE/files - Stages the generated templates
- Includes them in your commit
You don't need to manually run the generator - it happens automatically!
This ensures templates always stay synchronized with all their dependencies. The pre-commit hook prevents template drift by regenerating templates whenever schemas, frameworks, or template sources change.
For testing or verification, you can manually generate templates:
Usage:
# Generate all templates
python scripts/generate_issue_templates.py
# Dry-run (show diffs without modifying)
python scripts/generate_issue_templates.py --dry-run
# Generate specific template
python scripts/generate_issue_templates.py --template new_control
# Validate synchronization
python scripts/generate_issue_templates.py --validateTemplates are automatically validated before commit and in CI/CD pipelines.
Goal: Ensure all issue templates and dependabot.yml conform to their respective schema requirements
File: scripts/hooks/validate_issue_templates.py
Validates issue templates against GitHub schemas and dependabot.yml against the vendor.dependabot schema using check-jsonschema:
# Validate all config files (manual use)
python scripts/hooks/validate_issue_templates.py --force
# Validate staged files only (pre-commit)
python scripts/hooks/validate_issue_templates.py
# Quiet mode (errors only)
python scripts/hooks/validate_issue_templates.py --force --quietConfig: .pre-commit-config.yaml (hooks regenerate-issue-templates and validate-issue-templates)
The validator and generator are integrated as framework hooks. The regenerate-issue-templates wrapper (scripts/hooks/precommit/regenerate_issue_templates.py) runs first when any template source, schema, or frameworks.yaml is staged; it regenerates and git adds the output directory. The validate-issue-templates hook then runs scripts/hooks/validate_issue_templates.py against the staged files and blocks the commit on failure.
For Contributors:
# Before committing template changes
python scripts/hooks/validate_issue_templates.py --force
# Should output:
# ✅ All GitHub config files passed validationFor Maintainers:
# Pre-commit hook runs automatically
git add .github/ISSUE_TEMPLATE/new_component.yml
git commit -m "Update new_component template"
# → Validation runs automatically
# → Commit succeeds if validation passes
# → Commit blocked if validation fails
# GitHub Actions runs automatically on PR
# - Validates all templates
# - Detects template drift
# - Runs test suite
# - Posts summary to PRSymptoms:
- User reports dropdown missing option
- New entity proposals reference invalid values
Detection:
# Compare schema enums to template options
# (manual comparison currently, automated in future)Resolution:
- Extract new enum from schema
- Add to template dropdown options
- Validate YAML syntax and GitHub schema
- Format with prettier
- Commit and deploy
Symptoms:
- Template shows enum that was removed from schema
- Schema validation fails for old proposals
Detection:
# Review schema changelog
# Compare template options to current schemaResolution:
- Remove outdated option from template
- Check if any open issues use the removed option
- Update or close affected issues
- Commit template update
Symptoms:
Additional properties are not allowed ('validations' was unexpected)
Cause: validations block added to unsupported field type (e.g., checkboxes)
Resolution:
# ❌ Wrong - validations not allowed on checkboxes
- type: checkboxes
id: personas
attributes:
label: Applicable Personas*
options:
- label: Model Provider
validations:
required: true # <- NOT ALLOWED
# ✅ Correct - required on individual checkbox options
- type: checkboxes
id: personas
attributes:
label: Applicable Personas*
options:
- label: Model Provider
required: true # <- ALLOWEDSymptoms:
- Template links to
../../risk-map/tables/components-summary.mdreturn 404
Causes:
- Table file renamed/moved/deleted
- Relative path incorrect
Detection:
# Check if linked file exists
ls risk-map/tables/components-summary.mdResolution:
- Locate current table file location
- Update relative path in template
- Test link in GitHub UI
- Commit fix
Symptoms:
- Template shows STRIDE for controls (should be risks only)
- Template shows NIST AI RMF for risks (should be controls only)
Cause: Incorrect framework applicability configuration
Resolution:
The framework applicability system is fully automated:
- Generator reads
applicableTofrom frameworks.yaml automatically - Templates are dynamically filtered based on entity type
- Framework mappings update automatically when frameworks.yaml changes
- No manual configuration needed
Verification:
- Check frameworks.yaml for correct
applicableTovalues - Regenerate templates to apply changes
- Verify correct frameworks appear in each template type
When reviewing PRs with schema changes:
- Identify which templates are affected
- Verify template updates included in same PR
- Check YAML syntax validation passes
- Check GitHub schema validation passes
- Check prettier formatting passes
- Verify enum values match schema exactly
- Verify required field changes reflected
- Verify reference links still work
- Verify bidirectionality messaging preserved
- Test template rendering in GitHub UI (if major change)
- Issue Templates Guide - User-facing guide for all templates
- Contributing Guide - Overall contribution workflow
- Development Guide - Development setup and procedures
If you encounter template synchronization issues not covered in this document:
- Check existing issues for similar problems
- Open an issue with the
infrastructurelabel - Tag maintainers for assistance