oss-signal 0.3.0 → 0.5.1

package/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## Unreleased
+
+## 0.5.1
+
+- Published the Issue-ready output release on a clean tag after release workflow hardening.
+- Guarded automatic npm publishing behind an explicit repository variable.
+
+## 0.5.0
+
+- Added `--format issue` for generating human-reviewed GitHub Issue bodies from audit findings.
+- Added an issue-output example and maintainer playbook guidance for audit-to-issue workflows.
+
+## 0.4.0
+
+- Added a maintainer playbook for audit-to-issue, PR, CI gate, and SARIF workflows.
+- Added a documented release process and tag-triggered release workflow with npm dry-run verification.
+
+- Added SARIF output for GitHub Code Scanning and other security dashboards.
+- Added Action support for `format: sarif`.
+
 ## 0.3.0
 
 - Added GitHub Actions step summary output for readable workflow reports.

package/README.md

@@ -2,13 +2,14 @@
 
 [![CI](https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml/badge.svg)](https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml)
 [![Repository health](https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml/badge.svg)](https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml)
+[![GitHub release](https://img.shields.io/github/v/release/SalmonPlays/oss-signal.svg)](https://github.com/SalmonPlays/oss-signal/releases/latest)
 [![npm version](https://img.shields.io/npm/v/oss-signal.svg)](https://www.npmjs.com/package/oss-signal)
 [![npm downloads](https://img.shields.io/npm/dm/oss-signal.svg)](https://www.npmjs.com/package/oss-signal)
 [![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
 
 `oss-signal` is a dependency-light CLI for auditing open-source repository maintenance readiness.
 
-It checks the files and automation that reduce maintainer load: README, license, contributing guide, security policy, CI, tests, issue templates, pull request templates, Dependabot, and release notes. The output is a score plus concrete next steps in Markdown or JSON.
+It checks the files and automation that reduce maintainer load: README, license, contributing guide, security policy, CI, tests, issue templates, pull request templates, Dependabot, and release notes. The output is a score plus concrete next steps in Markdown, JSON, SARIF, or a GitHub Issue-ready Markdown body.
 
 ![oss-signal example output](docs/assets/terminal-report.svg)
 
@@ -24,12 +25,20 @@ Open-source projects often fail quietly because the maintainer workflow is undoc
 - Foundations and working groups can compare repository hygiene across many projects.
 - CI maintainers can add it as a GitHub Action, show the score in the workflow summary, and publish the report as an artifact.
 
+See [docs/maintainer-playbook.md](docs/maintainer-playbook.md) for a concrete maintainer workflow from audit to issue, PR, CI gate, and Code Scanning evidence.
+
 ## Install
 
 ```bash
 npm install --global oss-signal
 ```
 
+Try it without installing:
+
+```bash
+npx oss-signal SalmonPlays/oss-signal
+```
+
 For local development:
 
 ```bash
@@ -66,12 +75,24 @@ Use JSON in automation:
 oss-signal . --format json --fail-under 80
 ```
 
+Write SARIF for GitHub Code Scanning or other dashboards:
+
+```bash
+oss-signal . --format sarif --output oss-signal.sarif
+```
+
 Generate a report that can be attached to an issue:
 
 ```bash
 oss-signal . --format markdown --output docs/maintainer-readiness.md
 ```
 
+Generate a maintainer-friendly issue body:
+
+```bash
+oss-signal platformatic/massimo --format issue --output maintainer-follow-up.md
+```
+
 ## Checks
 
 `oss-signal` currently checks:
@@ -82,11 +103,13 @@ oss-signal . --format markdown --output docs/maintainer-readiness.md
 
 See [docs/rules.md](docs/rules.md) for rule details and scoring weights.
 
+SARIF output reports failed maintainer-readiness checks as warning-level results. This lets teams upload the audit to code scanning dashboards while keeping the Markdown report available for maintainers. Issue output turns the same findings into a human-reviewed checklist that can be edited before posting.
+
 For GitHub URL audits, `oss-signal` reads the repository file tree through the GitHub API and also uses GitHub's community profile signal when available. This lets it detect organization-level files such as a shared code of conduct.
 
 ## Real Output
 
-This repository audits itself at **100/100 (A)**:
+This repository audits itself at **100/100 (A)** and dogfoods the public GitHub Action:
 
 ```text
 Score: 100/100 (A)
@@ -97,7 +120,9 @@ Summary:
 - Total checks: 15
 ```
 
-See [docs/self-audit.md](docs/self-audit.md) for the full local self-audit report and [docs/examples/github-url-report.md](docs/examples/github-url-report.md) for the GitHub URL audit output.
+See [docs/self-audit.md](docs/self-audit.md) for the full local self-audit report, [docs/examples/github-url-report.md](docs/examples/github-url-report.md) for the GitHub URL audit output, [docs/examples/github-issue-body.md](docs/examples/github-issue-body.md) for issue output, and [docs/examples/self-audit.sarif](docs/examples/self-audit.sarif) for SARIF output.
+
+The [Repository health workflow](.github/workflows/repository-health.yml) runs `SalmonPlays/oss-signal@v0.5.1`, uploads the Markdown report as an artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
 
 ## Field Audits
 
@@ -111,6 +136,8 @@ See [docs/outreach](docs/outreach) for the reports and draft issue text. Drafts
 
 For a compact maintainer/adoption summary, see [docs/adoption-evidence.md](docs/adoption-evidence.md).
 
+Separate public workflow evidence: [SalmonPlays/oss-signal-adoption-demo](https://github.com/SalmonPlays/oss-signal-adoption-demo) runs `SalmonPlays/oss-signal@v0.4.0` and produced a successful [workflow run](https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229) with a report artifact.
+
 ## Example Recommendation Output
 
 ```text
@@ -138,7 +165,7 @@ oss-signal . --fail-under 80
 Add `oss-signal` directly to a GitHub Actions workflow:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.3.0
+- uses: SalmonPlays/oss-signal@v0.5.1
   id: oss-signal
   with:
     fail-under: "80"
@@ -151,6 +178,16 @@ The Action writes a concise GitHub Actions step summary by default, so reviewers
 
 ![oss-signal GitHub Actions summary](docs/assets/github-step-summary.svg)
 
+Generate an editable Issue body from CI:
+
+```yaml
+- uses: SalmonPlays/oss-signal@v0.5.1
+  with:
+    format: issue
+    output: maintainer-follow-up.md
+    summary: "true"
+```
+
 Full workflow example:
 
 ```yaml
@@ -166,7 +203,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.3.0
+      - uses: SalmonPlays/oss-signal@v0.5.1
         id: oss-signal
         with:
           fail-under: "80"
@@ -178,9 +215,28 @@ jobs:
           path: oss-signal-report.md
 ```
 
-See [docs/examples/github-action-workflow.yml](docs/examples/github-action-workflow.yml) for a copyable workflow.
+See [docs/examples/github-action-workflow.yml](docs/examples/github-action-workflow.yml) for a copyable workflow and [docs/examples/github-code-scanning-workflow.yml](docs/examples/github-code-scanning-workflow.yml) for a workflow that uploads SARIF to GitHub Code Scanning.
+
+Upload SARIF to GitHub Code Scanning:
 
-This repository dogfoods the public Action tag in [Repository health](.github/workflows/repository-health.yml), which runs `SalmonPlays/oss-signal@v0.3.0` against the repository and uploads the Markdown report artifact.
+```yaml
+permissions:
+  contents: read
+  security-events: write
+
+steps:
+  - uses: actions/checkout@v4
+  - uses: SalmonPlays/oss-signal@v0.5.1
+    with:
+      format: sarif
+      output: oss-signal.sarif
+      summary: "true"
+  - uses: github/codeql-action/upload-sarif@v3
+    with:
+      sarif_file: oss-signal.sarif
+```
+
+This repository dogfoods the public Action tag in [Repository health](.github/workflows/repository-health.yml), which runs `SalmonPlays/oss-signal@v0.5.1` against the repository, uploads the Markdown report artifact, and publishes SARIF to Code Scanning on non-PR runs.
 
 You can also run the CLI directly in CI:
 
@@ -197,8 +253,13 @@ You can also run the CLI directly in CI:
 ## Roadmap
 
 - Ecosystem-specific profiles for Python, Rust, Go, and JavaScript packages
-- SARIF output for code scanning dashboards
-- Rules for release automation and provenance metadata
+- Release automation and provenance metadata checks
+- Maintainer score trends over time
+- Organization-level repository inventory reports
+
+## Release Process
+
+Releases use the checklist in [docs/release-process.md](docs/release-process.md). The repository also includes a tag-triggered [release workflow](.github/workflows/release.yml) that verifies the package, runs `npm publish --dry-run`, and can publish to npm with provenance when `NPM_TOKEN` is configured.
 
 ## Contributing
 

package/action.yml

@@ -10,7 +10,7 @@ inputs:
     required: false
     default: "."
   format:
-    description: Output format, either markdown or json.
+    description: Output format, either markdown, json, sarif, or issue.
     required: false
     default: markdown
   output:

package/docs/adoption-evidence.md

@@ -5,14 +5,21 @@ This page collects the public evidence that `oss-signal` is built for real open-
 ## Project Links
 
 - Repository: https://github.com/SalmonPlays/oss-signal
-- npm package: https://www.npmjs.com/package/oss-signal
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.3.0
+- npm package: https://www.npmjs.com/package/oss-signal (`0.5.1` latest)
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.5.1
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.5.1
 - GitHub Action metadata: [action.yml](../action.yml)
 - Public dogfood workflow: [.github/workflows/repository-health.yml](../.github/workflows/repository-health.yml)
+- Separate public workflow demo: https://github.com/SalmonPlays/oss-signal-adoption-demo
+- Separate public workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229
 - Self-audit report: [docs/self-audit.md](self-audit.md)
+- SARIF self-audit output: [docs/examples/self-audit.sarif](examples/self-audit.sarif)
 - GitHub URL audit report: [docs/examples/github-url-report.md](examples/github-url-report.md)
 - GitHub Action workflow example: [docs/examples/github-action-workflow.yml](examples/github-action-workflow.yml)
+- Maintainer playbook: [docs/maintainer-playbook.md](maintainer-playbook.md)
+- Release process: [docs/release-process.md](release-process.md)
 - Codex for Open Source application brief: [docs/codex-for-oss-application.md](codex-for-oss-application.md)
+- Codex for Open Source form answers: [docs/codex-for-oss-form-answers.md](codex-for-oss-form-answers.md)
 - Rule reference: [docs/rules.md](rules.md)
 
 ## Maintainer Use Case
@@ -24,7 +31,19 @@ The CLI supports two practical modes:
 - Local repository audit for maintainers working in a clone.
 - Public GitHub repository audit for quick triage without cloning.
 
-It also ships as a GitHub Action, so maintainers can gate repository hygiene in CI, show the result in the GitHub Actions step summary, and upload a Markdown report as a workflow artifact. This repository dogfoods the public Action tag through the Repository health workflow.
+It also ships as a GitHub Action, so maintainers can gate repository hygiene in CI, show the result in the GitHub Actions step summary, upload a Markdown report as a workflow artifact, and upload failed maintainer-readiness checks as SARIF for GitHub Code Scanning. This repository dogfoods the public Action tag through the Repository health workflow.
+
+The [maintainer playbook](maintainer-playbook.md) documents the end-to-end workflow from audit to issue, pull request, CI gate, and Code Scanning evidence. The [release process](release-process.md) documents pre-release verification, tag consistency, npm publish checks, and post-release smoke tests.
+
+## Separate Public Workflow Evidence
+
+The public repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs `SalmonPlays/oss-signal@v0.4.0` from a separate workflow file:
+
+- Workflow file: https://github.com/SalmonPlays/oss-signal-adoption-demo/blob/main/.github/workflows/oss-signal.yml
+- Successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229
+- Artifact: `oss-signal-adoption-demo-report`, containing `oss-signal-report.md` and `oss-signal.sarif`
+
+This is not claimed as independent third-party adoption because the repository is owned by `SalmonPlays`. It is evidence that the public `v0.4.0` Action tag works outside the main repository and can publish maintainer-readiness reports from another public workflow.
 
 ## Public Field Audits And PRs
 
@@ -45,16 +64,19 @@ From this repository:
 ```bash
 npm run check
 npm run audit:github
+node src/cli.js . --format sarif --output docs/examples/self-audit.sarif
 node src/cli.js platformatic/massimo --format json
+npm exec --yes --package=oss-signal@0.5.1 -- oss-signal SalmonPlays/oss-signal --format json
 ```
 
-The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper.
+The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper. The public `v0.5.1` Action tag is used by the repository health workflow for Markdown and SARIF output. The published npm `0.5.1` package has also been executed from a clean temporary directory against the public GitHub repository, returning 100/100 (A).
 
 Public CI evidence:
 
 - CI workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml
 - Repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
 - CodeQL workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/codeql.yml
+- Separate workflow demo run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229
 
 ## Boundaries
 

package/docs/codex-for-oss-application.md

@@ -1,6 +1,6 @@
 # Codex for Open Source Application Brief
 
-Snapshot: 2026-06-02T11:20:40Z
+Snapshot: 2026-06-03T05:11:50Z
 
 This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open Source program. The official program page says open-source maintainers can apply, with emphasis on core maintainers, widely used public projects, and projects that play an important ecosystem role: https://developers.openai.com/community/codex-for-oss
 
@@ -8,11 +8,16 @@ This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open S
 
 - Repository: https://github.com/SalmonPlays/oss-signal
 - npm package: https://www.npmjs.com/package/oss-signal
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.3.0
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.5.1
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.5.1
 - CI workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml
 - Repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
 - CodeQL workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/codeql.yml
+- Separate public workflow demo: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229
 - Maintainer evidence: [adoption-evidence.md](adoption-evidence.md)
+- Form answer pack: [codex-for-oss-form-answers.md](codex-for-oss-form-answers.md)
+- Maintainer playbook: [maintainer-playbook.md](maintainer-playbook.md)
+- Release process: [release-process.md](release-process.md)
 
 ## What `oss-signal` Does
 
@@ -22,7 +27,7 @@ This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open S
 - CI, tests, issue templates, pull request templates, Dependabot, and CodeQL-style security workflow.
 - Package metadata and lockfile hygiene.
 
-The output is a deterministic score plus actionable next steps in Markdown or JSON. The GitHub Action also writes a workflow step summary so maintainers and reviewers can see the result without downloading an artifact.
+The output is a deterministic score plus actionable next steps in Markdown, JSON, or SARIF. The GitHub Action also writes a workflow step summary so maintainers and reviewers can see the result without downloading an artifact.
 
 ## Why Codex Helps
 
@@ -31,6 +36,7 @@ This project is designed around repeatable maintainer workflows where Codex is u
 - Run audits against public repositories without cloning.
 - Convert findings into focused cleanup issues or pull requests.
 - Keep repository hygiene visible in CI.
+- Upload failed maintainer-readiness checks to GitHub Code Scanning through SARIF.
 - Generate small contributor-facing files that maintainers can review quickly.
 - Use Codex to turn audit findings into scoped documentation and workflow improvements.
 
@@ -38,14 +44,26 @@ This project is designed around repeatable maintainer workflows where Codex is u
 
 The repository currently has:
 
-- A published npm package.
+- A published npm package with `0.5.1` as the latest release.
+- A published GitHub Release for v0.5.1 with issue-output release notes and CI usage guidance.
 - A reusable GitHub Action with `score`, `grade`, `failed`, and `report-path` outputs.
-- A v0.3.0 GitHub Action tag with step summary support.
-- A public dogfood workflow that runs `SalmonPlays/oss-signal@v0.3.0` against the repository.
+- SARIF output for GitHub Code Scanning integration.
+- A v0.5.1 GitHub Action tag with step summary, SARIF support, and Issue-ready output.
+- A public dogfood workflow that runs `SalmonPlays/oss-signal@v0.5.1` against the repository, uploads the Markdown report artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
+- A separate public workflow demo that runs `SalmonPlays/oss-signal@v0.4.0` from another repository and uploads a report artifact.
+- A maintainer playbook that documents audit, triage, issue, PR, CI, and SARIF workflows.
+- A release process and tag-triggered release workflow that verify package contents and support npm provenance publishing when repository secrets are configured.
 - CI and CodeQL workflows passing on `main`.
 - A local self-audit score of 100/100.
+- A clean-directory smoke test of `npm exec --yes --package=oss-signal@0.5.1 -- oss-signal SalmonPlays/oss-signal --format json`, returning 100/100 (A).
 - Public reports, issues, and PRs created from real repository audits.
 
+## Separate Workflow Demo
+
+The repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs the public `SalmonPlays/oss-signal@v0.4.0` Action tag from a separate workflow. The successful run at https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229 uploaded an `oss-signal-adoption-demo-report` artifact containing Markdown and SARIF output.
+
+This is intentionally described as a separate public workflow demo rather than third-party adoption because the repository is also owned by `SalmonPlays`. It still proves that the published Action tag is consumable outside the main repository.
+
 ## Field Audits And Follow-Up PRs
 
 | Repository | Report | Issue | PR | Status |
@@ -62,15 +80,16 @@ Recommended application angle:
 
 `oss-signal` is not yet a widely adopted project, but it is a public OSS maintainer tool built specifically for repeatable Codex-assisted maintenance. The project already has a working CLI, npm distribution, GitHub Action, passing CI/CodeQL, self-audit evidence, and three public field-audit PRs. Codex support would be used to continue auditing repositories, prepare focused maintainer PRs, improve Action automation, and document repeatable OSS maintenance workflows.
 
+Prepared official form answers are in [codex-for-oss-form-answers.md](codex-for-oss-form-answers.md). The applicant still needs to fill personal identity fields and their OpenAI Organization ID directly.
+
 ## Current Gaps
 
 - External PRs are open but not yet merged.
 - npm download metrics are still early because the package is newly published.
-- The project needs more real maintainers using the Action in their own repositories.
+- The project needs independent maintainer-owned repositories using the Action in their own workflows.
 
 ## Next Evidence To Collect
 
 - One or more merged external PRs.
-- A GitHub Release for v0.3.0 with release notes.
-- A public workflow run in another repository using `SalmonPlays/oss-signal@v0.3.0`.
+- A public workflow run in an independent maintainer-owned repository using `SalmonPlays/oss-signal@v0.5.1`, ideally with SARIF upload enabled.
 - npm download data once the registry starts reporting weekly/monthly counts.

package/docs/codex-for-oss-form-answers.md

@@ -0,0 +1,94 @@
+# Codex for Open Source Form Answers
+
+Snapshot: 2026-06-03T05:11:50Z
+
+This page prepares concise answers for the official Codex for Open Source application form: https://openai.com/form/codex-for-oss/
+
+The official form asks for personal identity fields that must be filled by the applicant:
+
+- First name
+- Last name
+- Email associated with the applicant's ChatGPT account
+- OpenAI Organization ID
+
+## First Name
+
+```text
+Fill manually.
+```
+
+## Last Name
+
+```text
+Fill manually.
+```
+
+## Email
+
+```text
+Fill manually with the email associated with the applicant's ChatGPT account.
+```
+
+## GitHub Username
+
+```text
+SalmonPlays
+```
+
+## GitHub Repository URL
+
+```text
+https://github.com/SalmonPlays/oss-signal
+```
+
+## Describe Your Role
+
+```text
+Primary maintainer
+```
+
+## Why This Repository Qualifies
+
+```text
+oss-signal is a public OSS maintainer tool for reducing triage and review load. It ships as npm package oss-signal@0.5.1 and GitHub Action SalmonPlays/oss-signal@v0.5.1, supports Markdown/JSON/SARIF/Issue output, passes CI/CodeQL, and has public field-audit issues/PRs plus a separate workflow demo.
+```
+
+## Interest
+
+```text
+Codex Security
+API credits for my project
+```
+
+## OpenAI Organization ID
+
+```text
+Fill manually from https://platform.openai.com/settings/organization/general
+```
+
+## API Credit Use
+
+```text
+Use Codex/API credits to run repeatable public repository audits, draft focused maintainer PRs and issue summaries from reports, build organization-level maintainer-readiness inventories, improve release/Code Scanning automation, and keep every public follow-up behind human review before posting or opening PRs.
+```
+
+## Anything Else
+
+```text
+The project is early, so I am not overstating adoption. Current evidence includes npm 0.5.1, a published v0.5.1 release, a reusable GitHub Action, self-audit score 100/100, public CodeQL/CI, public field-audit PRs, and a separate public workflow run using SalmonPlays/oss-signal@v0.4.0 with a report artifact.
+```
+
+## Evidence Links
+
+- npm package: https://www.npmjs.com/package/oss-signal
+- GitHub Release v0.5.1: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.5.1
+- Main repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
+- Separate workflow demo repository: https://github.com/SalmonPlays/oss-signal-adoption-demo
+- Separate successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26862361229
+- Adoption evidence: https://github.com/SalmonPlays/oss-signal/blob/main/docs/adoption-evidence.md
+
+## Character Counts
+
+- Why this repository qualifies: 299/500
+- API credit use: 312/500
+- Anything else: 309/500

package/docs/examples/github-action-workflow.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.3.0
+      - uses: SalmonPlays/oss-signal@v0.5.1
         id: oss-signal
         with:
           fail-under: "80"

package/docs/examples/github-code-scanning-workflow.yml

@@ -0,0 +1,38 @@
+name: Repository health
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  oss-signal:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: SalmonPlays/oss-signal@v0.5.1
+        id: oss-signal
+        with:
+          fail-under: "80"
+          output: oss-signal-report.md
+          summary: "true"
+      - uses: SalmonPlays/oss-signal@v0.5.1
+        with:
+          format: sarif
+          output: oss-signal.sarif
+          summary: "false"
+      - uses: github/codeql-action/upload-sarif@v3
+        if: github.event_name != 'pull_request'
+        with:
+          sarif_file: oss-signal.sarif
+      - uses: actions/upload-artifact@v4
+        with:
+          name: oss-signal-report
+          path: |
+            oss-signal-report.md
+            oss-signal.sarif

package/docs/examples/github-issue-body.md

@@ -0,0 +1,37 @@
+# Maintainer Readiness Follow-Up
+
+oss-signal scored this repository **64/100 (D)**.
+
+Source: GitHub (platformatic/massimo@main)
+Generated: 2026-06-03T05:12:35.488Z
+
+## Scope
+
+This issue is limited to maintainer-readiness signals: documentation, contribution paths, CI, security reporting, and package hygiene. It does not claim there is a product-code bug.
+
+## Suggested Next Steps
+
+- [ ] **Security policy** (9 pts): Add SECURITY.md with supported versions, reporting instructions, and response expectations.
+- [ ] **Changelog** (6 pts): Keep CHANGELOG.md with dated release entries and migration notes.
+- [ ] **Issue templates** (5 pts): Add bug report and feature request templates under .github/ISSUE_TEMPLATE/.
+- [ ] **Pull request template** (5 pts): Add .github/PULL_REQUEST_TEMPLATE.md with a short checklist.
+- [ ] **Dependency update automation** (5 pts): Add .github/dependabot.yml for the package ecosystems used in the repository.
+- [ ] **Support policy** (4 pts): Add SUPPORT.md describing where to ask questions, what is in scope, and expected response times.
+- [ ] **Static security analysis** (4 pts): Add a CodeQL or equivalent security scanning workflow.
+
+## Why These Checks Matter
+
+- **Security policy**: Responsible disclosure needs a private, documented path.
+- **Changelog**: Users need a durable place to understand release impact.
+- **Issue templates**: Issue templates collect the facts maintainers need to reproduce and triage.
+- **Pull request template**: PR templates nudge contributors to include tests, docs, and review context.
+- **Dependency update automation**: Automated dependency updates reduce security and compatibility drift.
+- **Support policy**: Support boundaries help maintainers avoid turning every request into unpaid consulting.
+- **Static security analysis**: Static analysis finds common vulnerability patterns before releases.
+
+## Notes For Maintainers
+
+If any item is intentionally absent, documenting that decision is a valid outcome. Please close or edit this issue if it does not match the project's priorities.
+
+_Generated by oss-signal; review before posting._
+

package/docs/examples/github-url-report.md

@@ -2,7 +2,7 @@
 
 Repository: `https://github.com/SalmonPlays/oss-signal`
 Source: GitHub (SalmonPlays/oss-signal@main)
-Generated: 2026-06-02T08:09:34.957Z
+Generated: 2026-06-03T05:12:35.946Z
 
 Score: **100/100** (A)