Merge pull request #9 from kedro-org/chore/compliance

Add compliance docs

Author: ravi-kumar-pilla

.github/CODEOWNERS

@@ -1,7 +1,7 @@
 *                                       @rashidakanchwala @ravi-kumar-pilla
 
 *.py                                    @rashidakanchwala @ravi-kumar-pilla
-*.md                                    @rashidakanchwala @ravi-kumar-pilla @NeroOkwa
+*.md                                    @rashidakanchwala @ravi-kumar-pilla
 
 .gitignore                              @ravi-kumar-pilla
-CODEOWNERS                              @rashidakanchwala @ravi-kumar-pilla @NeroOkwa
+CODEOWNERS                              @rashidakanchwala @ravi-kumar-pilla

.github/workflows/detect-secrets.yml

@@ -0,0 +1,28 @@
+name: Detect secrets on Publish Kedro-Viz
+
+on:
+  push:
+    branches:
+      - "*"
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  detect-secrets:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install detect-secrets
+        run: pip install detect-secrets
+      - name: Scan all tracked files
+        run: |
+          detect-secrets scan --all-files --force-use-all-plugins

.github/workflows/test.yml

@@ -3,7 +3,7 @@
 name: Test publish-kedro-viz
 
 permissions:
-  contents: write
+  contents: read
   pages: write
   id-token: write
 
@@ -63,4 +63,4 @@ jobs:
         uses: ./
         with:
           project_path: "demo-project"
-          python_manager: "uv"
+          python_manager: "uv"

CODE_OF_CONDUCT.md

@@ -0,0 +1,78 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behaviour that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behaviour by participants include:
+
+* The use of sexualised language or imagery and unwelcome sexual attention or
+ advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+ address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behaviour and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behaviour.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviours that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behaviour may be
+reported by contacting the project team on [Slack](https://slack.kedro.org). All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+**Investigation Timeline:** The project team will make all reasonable efforts to initiate and conclude the investigation in a timely fashion. Depending on the type of investigation the steps and timeline for each investigation will vary.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq

CONTRIBUTING.md

@@ -0,0 +1,19 @@
+# Contributing
+
+## Submitting a pull request
+
+1. Fork and clone the repository
+2. Create a new branch: `git checkout -b my-branch-name`
+3. Make your change and make sure the test workflow in `test.yml` still passes
+4. Push to your fork and submit a pull request
+
+Here are a few things you can do that will increase the likelihood of your pull request being accepted:
+
+- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
+
+## Resources
+
+- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
+- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
+- [GitHub Help](https://help.github.com)
+- [Writing good commit messages](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html)

PRIVACY.md

@@ -0,0 +1,120 @@
+# Privacy Policy
+
+## Privacy Notice
+
+**No personal data is collected or stored by this GitHub Action.** This Action only processes your Kedro project files locally within the GitHub Actions runner environment to generate static visualization artifacts.
+
+## Data Processing Summary
+
+- **Data Processed**: Kedro project configuration files, pipeline definitions, and metadata
+- **Processing Location**: GitHub Actions runner (ephemeral environment)
+- **Data Storage**: No persistent data storage by this Action
+- **Data Transmission**: Only static HTML/JS/CSS artifacts uploaded to GitHub Pages
+
+## Telemetry and Opt-Out
+
+This Action includes an optional telemetry feature input that controls whether the Kedro framework sends usage data to Kedro Org. The Action does not collect any telemetry data directly - it only sets the telemetry consent configuration for your Kedro project by writing the consent value to the `.telemetry` file.
+
+- **Default Setting**: Telemetry is **disabled by default** (`telemetry_consent: false`)
+- **Opt-In Required**: You must explicitly set `telemetry_consent: true` to enable
+- **Data Sent**: Anonymous usage statistics about Kedro-Viz features used
+- **Opt-Out Instructions**: Keep `telemetry_consent: false` (default) or omit the parameter
+
+### How to Disable Telemetry Explicitly
+
+```yaml
+- uses: kedro-org/publish-kedro-viz@v3
+  with:
+    telemetry_consent: false  # Explicitly disable (default)
+```
+
+## GDPR/CCPA Compliance
+
+This Action complies with GitHub's Data Protection Addendum and applicable data protection regulations:
+
+- No personal data collection or processing
+- No cookies or tracking mechanisms
+- No data retention beyond GitHub Actions job execution
+- Processing limited to generating static visualizations
+
+## Data Controller Information
+
+**Organization**: Kedro Community (kedro-org)  
+**Contact**: kedro-framework@mckinsey.com  
+**Purpose**: Data pipeline visualization and documentation  
+
+## Your Rights
+
+Under applicable data protection laws, you have the following rights:
+
+- **Right to Information**: This privacy policy provides information about our data processing
+- **Right to Access**: You can request information about any data processing (though we process no personal data)
+- **Right to Rectification**: You can request correction of inaccurate data (not applicable as we process no personal data)
+- **Right to Erasure**: You can request deletion of personal data (not applicable as we process no personal data)
+- **Right to Object**: You can object to data processing by not using this Action or disabling telemetry
+
+## Third-Party Services
+
+This Action uses the following third-party services:
+
+### GitHub Actions Platform
+- **Service**: GitHub Actions runner environment
+- **Data Shared**: Repository contents during workflow execution
+- **Privacy Policy**: [GitHub Privacy Statement](https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement)
+
+### GitHub Pages
+- **Service**: Static website hosting
+- **Data Shared**: Generated HTML/JS/CSS artifacts
+- **Privacy Policy**: [GitHub Privacy Statement](https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement)
+
+### Kedro-Viz Telemetry (Optional)
+- **Service**: Anonymous usage analytics (only if explicitly enabled)
+- **Data Shared**: Anonymous feature usage statistics
+- **Control**: Disabled by default, requires explicit opt-in
+
+### Third-Party GitHub Actions
+
+This Action integrates with the following third-party GitHub Actions:
+
+#### actions/upload-pages-artifact
+- **Author**: GitHub (actions organization)
+- **Purpose**: Upload build artifacts for GitHub Pages deployment
+- **Data Shared**: Generated static website files (HTML/JS/CSS)
+- **License**: MIT
+- **Repository**: [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact)
+
+#### actions/deploy-pages
+- **Author**: GitHub (actions organization)  
+- **Purpose**: Deploy artifacts to GitHub Pages
+- **Data Shared**: Build artifacts for website deployment
+- **License**: MIT
+- **Repository**: [actions/deploy-pages](https://github.com/actions/deploy-pages)
+
+#### peaceiris/actions-gh-pages (v1 only)
+- **Author**: peaceiris
+- **Purpose**: Deploy static site to GitHub Pages branch (legacy v1 functionality)
+- **Data Shared**: Generated static website files
+- **License**: MIT  
+- **Repository**: [peaceiris/actions-gh-pages](https://github.com/peaceiris/actions-gh-pages)
+- **Note**: Used only in v1 of this Action for branch-based deployments
+
+## Changes to This Policy
+
+We may update this privacy policy from time to time. Changes will be reflected in the repository commit history and users will be notified through:
+
+- Updates to this PRIVACY.md file
+- Release notes for new versions
+- Repository announcements for significant changes
+
+## Contact
+
+For questions about data protection or this privacy policy:
+
+- **Email**: kedro-framework@mckinsey.com
+- **Security Issues**: See [SECURITY.md](SECURITY.md)
+- **General Support**: See [SUPPORT.md](SUPPORT.md)
+
+---
+
+**Last Updated**: November 19, 2024  
+**Version**: 1.0