docs(readme): add M-sec badges + untrack .vscode/#5
Merged
Conversation
README badges (Task 30 of M-sec plan):
- CI (ci.yml status on main)
- CodeQL (codeql.yml status on main)
- OpenSSF Scorecard (supply-chain posture)
Added now, accepting that they'll be broken/not-found while the repo
is private. The moment the repo flips public (Phase 4 of release
strategy), they light up without needing a README update. CodeQL
and Scorecard will ALSO need their workflow triggers re-enabled per
TD-VUL-006 fix sequence — a README comment notes this.
The existing 8 static badges (pkg.go.dev, Go Report Card, License,
Go Version, Docker, Security Policy, EdDSA, SPIFFE) are preserved.
.vscode/ fix:
- .vscode/settings.json was tracked on develop but carries per-user
editor settings (Snyk IDE prefs, etc.). git rm'd from the tree.
- Added .vscode/ to .gitignore so it can never land in any branch.
- Root-causes the leak that happened during the first develop →
main strip merge attempt: VSCode recreated the file between
rm -rf and git commit, so it landed in the merge commit. The
commit was amended (see a72a959), but the real fix is not having
the file tracked in the first place. Done now.
Local verification:
- go build ./cmd/broker ./cmd/aactl: OK
devonartis
added a commit
that referenced
this pull request
Apr 10, 2026
Brings two documentation fixes from PR #5: - README badges: CI, CodeQL, OpenSSF Scorecard (will render broken while repo is private, auto-resolve on public flip) - .vscode/ removed from tree and added to .gitignore — closes the root cause of the settings.json leak caught during the previous develop → main strip merge scripts/strip_for_main.sh ran clean in mid-merge mode (16 paths checked, nothing to remove this round since a72a959 already handled the dev file deletions). Build guard PASS. Pre-commit hook (.githooks/pre-commit) also verified — no forbidden paths in the staged changes.
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Finishes Task 30 of the M-sec plan and closes the
.vscode/leak vector at the root.README badges
Added three CI-health badges to
README.mdahead of the public flip:ci.ymlstatus onmaincodeql.ymlstatus onmainAll three will render as "not found" or broken while the repo is private (CodeQL/Scorecard workflows are parked on
workflow_dispatch:only per TD-VUL-006, and GitHub's Actions badges don't render without viewer auth on private repos). A README comment explains this and notes that the badges light up automatically when the repo flips public — fire-and-forget. No follow-up PR needed at public-flip time beyond the TD-VUL-005/006 workflow re-enable sequence.The existing 8 static badges (pkg.go.dev, Go Report Card, License, Go Version, Docker, Security Policy, EdDSA, SPIFFE) are preserved.
.vscode/ fix
.vscode/settings.jsonwas tracked ondevelopbut carries per-user editor state (Snyk IDE prefs, etc.).git rm'd..vscode/to.gitignoreso VSCode can't recreate the file into a commit on any branch..vscode/settings.jsonbetween the strip and the merge commit andgit add -Arestaged it. The commit was amended (a72a959) to remove it before pushing, but the real fix is not having the file tracked in the first place. Done now.CHANGELOG
Extended the
Unreleasedblock with two new fix entries.Local verification
go build ./cmd/broker ./cmd/aactl— OKgo test -short ./...— 15/15 packages PASSgolangci-lint run ./...— clean./scripts/test-gate-parity.sh— 13 gates matchPR checklist
developdevelop → mainstrip merge to carry the badges + gitignore to main (the fixed strip script from PR fix(strip): make strip_for_main.sh work mid-merge + align safety lists #4 should handle it without intervention)