oss-signal 0.7.0 → 0.8.0

package/CHANGELOG.md

@@ -2,6 +2,11 @@
 
 ## Unreleased
 
+## 0.8.0
+
+- Added `--format workflow` for generating a no-fail GitHub Actions trial workflow.
+- Added maintainer feedback intake so neutral or negative third-party responses can improve the rules without being overstated as adoption.
+
 ## 0.7.0
 
 - Added `--format plan` for generating PR-sized maintainer plans with suggested files and acceptance criteria.

package/README.md

@@ -15,40 +15,44 @@
 [![Maintainer evidence](https://img.shields.io/badge/maintainer_evidence-public-blue.svg)](docs/reviewer-evidence.md)
 [![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)
 
-`oss-signal` is a dependency-light maintainer-readiness CLI and GitHub Action for OSS projects that need repeatable triage, CI evidence, SARIF, inventory reports, and issue-ready cleanup notes.
+`oss-signal` is a dependency-light maintainer-readiness CLI and GitHub Action for OSS projects that need repeatable triage, CI evidence, SARIF, inventory reports, issue-ready cleanup notes, and no-fail workflow trials.
 
-It checks the files and automation that reduce maintainer load: README, license, contributing guide, security policy, CI, tests, issue templates, pull request templates, Dependabot, and release notes. The output is a score plus concrete next steps in Markdown, JSON, SARIF, inventory, GitHub Issue-ready Markdown, or PR-sized maintainer plan formats.
+It checks the files and automation that reduce maintainer load: README, license, contributing guide, security policy, CI, tests, issue templates, pull request templates, Dependabot, and release notes. The output is a score plus concrete next steps in Markdown, JSON, SARIF, inventory, GitHub Issue-ready Markdown, PR-sized maintainer plan, or no-fail workflow formats.
 
 ![oss-signal example output](docs/assets/terminal-report.svg)
 
 ## Maintainer Evidence Snapshot
 
-Public evidence for the maintainer workflow is collected in [docs/index.md](docs/index.md), [docs/trust-center.md](docs/trust-center.md), [docs/reviewer-evidence.md](docs/reviewer-evidence.md), [docs/adoption-evidence.md](docs/adoption-evidence.md), [docs/adoption-kit.md](docs/adoption-kit.md), [docs/architecture.md](docs/architecture.md), [docs/security-model.md](docs/security-model.md), [docs/json-output.md](docs/json-output.md), [docs/plan-output.md](docs/plan-output.md), [docs/sarif-code-scanning.md](docs/sarif-code-scanning.md), [docs/roadmap.md](docs/roadmap.md), [docs/post-submission-update.md](docs/post-submission-update.md), and [docs/brand.md](docs/brand.md).
+Public evidence for the maintainer workflow is collected in [docs/index.md](docs/index.md), [docs/evidence-ledger.md](docs/evidence-ledger.md), [docs/trust-center.md](docs/trust-center.md), [docs/reviewer-evidence.md](docs/reviewer-evidence.md), [docs/adoption-evidence.md](docs/adoption-evidence.md), [docs/adoption-kit.md](docs/adoption-kit.md), [docs/maintainer-trial.md](docs/maintainer-trial.md), [docs/maintainer-feedback.md](docs/maintainer-feedback.md), [docs/social-launch.md](docs/social-launch.md), [docs/architecture.md](docs/architecture.md), [docs/security-model.md](docs/security-model.md), [docs/json-output.md](docs/json-output.md), [docs/plan-output.md](docs/plan-output.md), [docs/sarif-code-scanning.md](docs/sarif-code-scanning.md), [docs/roadmap.md](docs/roadmap.md), [docs/post-submission-update.md](docs/post-submission-update.md), and [docs/brand.md](docs/brand.md).
 
 - Landing page: https://salmonplays.github.io/oss-signal/
-- Published package: [`oss-signal@0.7.0`](https://www.npmjs.com/package/oss-signal), with `latest` pointing at `0.7.0`.
-- Published GitHub Action: [`SalmonPlays/oss-signal@v0.7.0`](https://github.com/SalmonPlays/oss-signal/tree/v0.7.0).
+- Published package: [`oss-signal@0.8.0`](https://www.npmjs.com/package/oss-signal), with `latest` pointing at `0.8.0`.
+- Published GitHub Action: [`SalmonPlays/oss-signal@v0.8.0`](https://github.com/SalmonPlays/oss-signal/tree/v0.8.0).
 - GitHub Marketplace listing: https://github.com/marketplace/actions/oss-signal
 - Trust center: [docs/trust-center.md](docs/trust-center.md)
+- Evidence ledger: [docs/evidence-ledger.md](docs/evidence-ledger.md)
 - Adoption kit: [docs/adoption-kit.md](docs/adoption-kit.md)
+- Maintainer trial: [docs/maintainer-trial.md](docs/maintainer-trial.md)
+- Maintainer feedback: [docs/maintainer-feedback.md](docs/maintainer-feedback.md)
+- Social launch kit: [docs/social-launch.md](docs/social-launch.md)
 - Architecture: [docs/architecture.md](docs/architecture.md)
 - Security model: [docs/security-model.md](docs/security-model.md)
 - JSON output contract: [docs/json-output.md](docs/json-output.md)
 - Maintainer plan output: [docs/plan-output.md](docs/plan-output.md)
 - SARIF Code Scanning walkthrough: [docs/sarif-code-scanning.md](docs/sarif-code-scanning.md)
 - Roadmap: [docs/roadmap.md](docs/roadmap.md)
-- Post-submission version note: the application may reference earlier evidence; `0.7.0` is the current maintained release and is documented in [docs/post-submission-update.md](docs/post-submission-update.md).
+- Post-submission version note: the application may reference earlier evidence; `0.8.0` is the current maintained release and is documented in [docs/post-submission-update.md](docs/post-submission-update.md).
 - Public checks: CI, Repository health, and CodeQL are passing on `main`.
 - Security posture: OpenSSF Scorecard is scheduled, CodeQL is active, secret scanning push protection is enabled, Dependabot alerts/security updates/malware alerts are enabled, and private vulnerability reporting is enabled.
 - Branch posture: `main` has branch protection to prevent force pushes and deletions while keeping direct maintainer maintenance possible.
 - Governance posture: [MAINTAINERS.md](MAINTAINERS.md), [GOVERNANCE.md](GOVERNANCE.md), and [.github/CODEOWNERS](.github/CODEOWNERS) define ownership, review routing, and supported change scope.
 - Community route: [Discussion #5](https://github.com/SalmonPlays/oss-signal/discussions/5) is the public maintainer-workflow thread for usage questions and rule feedback.
 - Self-audit: this repository scores **100/100 (A)** locally and through GitHub URL mode.
-- Field use: five public maintainer-readiness audits have been turned into five issues and four focused follow-up PRs.
-- External OSS contribution: [icoretech/codex-action PR #24](https://github.com/icoretech/codex-action/pull/24) is a focused Codex Action documentation safety fix.
+- Field use: seven public maintainer-readiness audits have been turned into six issues and five focused follow-up PRs.
+- Merged external OSS contribution: [icoretech/codex-action PR #24](https://github.com/icoretech/codex-action/pull/24) is a focused Codex Action documentation safety fix.
 - Contributor intake: [good first issues](https://github.com/SalmonPlays/oss-signal/issues?q=is%3Aissue%20state%3Aopen%20label%3A%22good%20first%20issue%22) are labeled for small outside PRs.
 - Inventory mode: the CLI and Action can audit a newline-delimited list of repositories for organization-level triage.
-- Separate workflow demo: [oss-signal-adoption-demo](https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038) runs the public Action tag and uploads Markdown, SARIF, and Issue-ready artifacts.
+- Separate workflow demo: [oss-signal-adoption-demo](https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878) runs the public `v0.7.0` Action tag and uploads Markdown, SARIF, and Issue-ready artifacts.
 
 ## Why
 
@@ -152,6 +156,14 @@ oss-signal Grovanni/oss-signal --format plan --output maintainer-plan.md
 
 See [docs/plan-output.md](docs/plan-output.md) and [docs/examples/github-plan.md](docs/examples/github-plan.md) for an example.
 
+Generate a no-fail GitHub Actions trial workflow:
+
+```bash
+oss-signal owner/repo --format workflow --output .github/workflows/oss-signal-trial.yml
+```
+
+See [docs/maintainer-trial.md](docs/maintainer-trial.md) and [docs/examples/maintainer-trial-workflow.yml](docs/examples/maintainer-trial-workflow.yml) for the generated workflow.
+
 ## Checks
 
 `oss-signal` currently checks:
@@ -179,9 +191,9 @@ Summary:
 - Total checks: 15
 ```
 
-See [docs/self-audit.md](docs/self-audit.md) for the full local self-audit report, [docs/examples/github-url-report.md](docs/examples/github-url-report.md) for the GitHub URL audit output, [docs/examples/github-issue-body.md](docs/examples/github-issue-body.md) for issue output, [docs/examples/github-plan.md](docs/examples/github-plan.md) for plan output, and [docs/examples/self-audit.sarif](docs/examples/self-audit.sarif) for SARIF output.
+See [docs/self-audit.md](docs/self-audit.md) for the full local self-audit report, [docs/examples/github-url-report.md](docs/examples/github-url-report.md) for the GitHub URL audit output, [docs/examples/github-issue-body.md](docs/examples/github-issue-body.md) for issue output, [docs/examples/github-plan.md](docs/examples/github-plan.md) for plan output, [docs/examples/maintainer-trial-workflow.yml](docs/examples/maintainer-trial-workflow.yml) for workflow output, and [docs/examples/self-audit.sarif](docs/examples/self-audit.sarif) for SARIF output.
 
-The [Repository health workflow](.github/workflows/repository-health.yml) runs `SalmonPlays/oss-signal@v0.7.0`, uploads the Markdown report as an artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs. The [Repository inventory workflow](.github/workflows/repository-inventory.yml) runs the inventory mode from CI and uploads a multi-repository report artifact.
+The [Repository health workflow](.github/workflows/repository-health.yml) runs `SalmonPlays/oss-signal@v0.8.0`, uploads the Markdown report as an artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs. The [Repository inventory workflow](.github/workflows/repository-inventory.yml) runs the inventory mode from CI and uploads a multi-repository report artifact.
 
 ## Field Audits
 
@@ -192,16 +204,18 @@ The [Repository health workflow](.github/workflows/repository-health.yml) runs `
 - [sammorrisdesign/interactive-feed report](docs/outreach/sammorrisdesign-interactive-feed-report.md), [issue #14](https://github.com/sammorrisdesign/interactive-feed/issues/14), and [PR #15](https://github.com/sammorrisdesign/interactive-feed/pull/15)
 - [flox/install-flox-action report](docs/outreach/flox-install-flox-action-report.md), [issue #204](https://github.com/flox/install-flox-action/issues/204), and [PR #205](https://github.com/flox/install-flox-action/pull/205)
 - [Grovanni/oss-signal report](docs/outreach/grovanni-oss-signal-report.md) and [issue #1](https://github.com/Grovanni/oss-signal/issues/1)
+- [noctemlabs/signal-oss report](docs/outreach/noctemlabs-signal-oss-report.md) and [PR #12](https://github.com/noctemlabs/signal-oss/pull/12)
+- [Divyesh-5981/signal-oss report](docs/outreach/divyesh-5981-signal-oss-report.md) and [issue #5](https://github.com/Divyesh-5981/signal-oss/issues/5)
 
 See [docs/outreach](docs/outreach) for the reports and draft issue text. Drafts are not posted automatically; maintainers should only receive specific, useful, and respectful suggestions.
 
 Additional prepared outreach candidates are tracked in [docs/outreach/peer-shortlist-2026-06.md](docs/outreach/peer-shortlist-2026-06.md). The shortlist explicitly separates respectful, defensible candidates from low-signal mass outreach.
 
-Additional focused external contribution: [icoretech/codex-action PR #24](https://github.com/icoretech/codex-action/pull/24) updates Codex Action README examples to route generated output through environment variables before printing it from shell steps.
+Additional focused external contribution: [icoretech/codex-action PR #24](https://github.com/icoretech/codex-action/pull/24) was merged and updates Codex Action README examples to route generated output through environment variables before printing it from shell steps.
 
 For a compact maintainer/adoption summary, see [docs/adoption-evidence.md](docs/adoption-evidence.md). For a reviewer-oriented verification path, see [docs/reviewer-evidence.md](docs/reviewer-evidence.md).
 
-Separate public workflow evidence: [SalmonPlays/oss-signal-adoption-demo](https://github.com/SalmonPlays/oss-signal-adoption-demo) runs `SalmonPlays/oss-signal@v0.5.1` and produced a successful [workflow run](https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038) with Markdown, SARIF, and Issue-ready report artifacts.
+Separate public workflow evidence: [SalmonPlays/oss-signal-adoption-demo](https://github.com/SalmonPlays/oss-signal-adoption-demo) runs `SalmonPlays/oss-signal@v0.7.0` and produced a successful [workflow run](https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878) with Markdown, SARIF, and Issue-ready report artifacts.
 
 ## Example Recommendation Output
 
@@ -230,7 +244,7 @@ oss-signal . --fail-under 80
 Add `oss-signal` directly to a GitHub Actions workflow:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.7.0
+- uses: SalmonPlays/oss-signal@v0.8.0
   id: oss-signal
   with:
     fail-under: "80"
@@ -246,7 +260,7 @@ The Action writes a concise GitHub Actions step summary by default, so reviewers
 Run an inventory from CI:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.7.0
+- uses: SalmonPlays/oss-signal@v0.8.0
   env:
     GITHUB_TOKEN: ${{ github.token }}
   with:
@@ -258,7 +272,7 @@ Run an inventory from CI:
 Generate an editable Issue body from CI:
 
 ```yaml
-- uses: SalmonPlays/oss-signal@v0.7.0
+- uses: SalmonPlays/oss-signal@v0.8.0
   with:
     format: issue
     output: maintainer-follow-up.md
@@ -279,8 +293,8 @@ jobs:
   oss-signal:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.7.0
+      - uses: actions/checkout@v5
+      - uses: SalmonPlays/oss-signal@v0.8.0
         id: oss-signal
         with:
           fail-under: "80"
@@ -302,18 +316,18 @@ permissions:
   security-events: write
 
 steps:
-  - uses: actions/checkout@v4
-  - uses: SalmonPlays/oss-signal@v0.7.0
+  - uses: actions/checkout@v5
+  - uses: SalmonPlays/oss-signal@v0.8.0
     with:
       format: sarif
       output: oss-signal.sarif
       summary: "true"
-  - uses: github/codeql-action/upload-sarif@v3
+  - uses: github/codeql-action/upload-sarif@v4
     with:
       sarif_file: oss-signal.sarif
 ```
 
-This repository dogfoods the public Action tag in [Repository health](.github/workflows/repository-health.yml), which runs `SalmonPlays/oss-signal@v0.7.0` against the repository, uploads the Markdown report artifact, and publishes SARIF to Code Scanning on non-PR runs.
+This repository dogfoods the public Action tag in [Repository health](.github/workflows/repository-health.yml), which runs `SalmonPlays/oss-signal@v0.8.0` against the repository, uploads the Markdown report artifact, and publishes SARIF to Code Scanning on non-PR runs.
 
 You can also run the CLI directly in CI:
 

package/action.yml

@@ -1,5 +1,5 @@
 name: oss-signal
-description: Audit OSS maintainer readiness and produce CI evidence, SARIF, inventory reports, and issue-ready cleanup notes.
+description: Audit OSS maintainer readiness and produce CI evidence, SARIF, inventory reports, issue-ready cleanup notes, and workflow trials.
 author: SalmonPlays
 branding:
   icon: shield
@@ -13,7 +13,7 @@ inputs:
     description: Newline-delimited file of local paths, GitHub URLs, or owner/repo shorthands to audit as an inventory.
     required: false
   format:
-    description: Output format, either markdown, json, sarif, issue, or plan. Inventory mode supports markdown or json.
+    description: Output format, either markdown, json, sarif, issue, plan, or workflow. Inventory mode supports markdown or json.
     required: false
     default: markdown
   output:

package/docs/adoption-evidence.md

@@ -2,15 +2,15 @@
 
 This page collects the public evidence that `oss-signal` is built for real open-source maintainer workflows.
 
-Last verified: 2026-06-04T11:14:41Z
+Last verified: 2026-06-05T09:57:04Z
 
 ## Project Links
 
 - Repository: https://github.com/SalmonPlays/oss-signal
 - GitHub Pages landing page: https://salmonplays.github.io/oss-signal/
-- npm package: https://www.npmjs.com/package/oss-signal (`0.7.0` latest)
-- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.7.0
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.7.0
+- npm package: https://www.npmjs.com/package/oss-signal (`0.8.0` latest)
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.0
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.0
 - GitHub Marketplace listing: https://github.com/marketplace/actions/oss-signal
 - GitHub Action metadata: [action.yml](../action.yml)
 - Public dogfood workflow: [.github/workflows/repository-health.yml](../.github/workflows/repository-health.yml)
@@ -20,8 +20,10 @@ Last verified: 2026-06-04T11:14:41Z
 - Governance: [GOVERNANCE.md](../GOVERNANCE.md)
 - CODEOWNERS: [.github/CODEOWNERS](../.github/CODEOWNERS)
 - Maintainer workflow Discussion: https://github.com/SalmonPlays/oss-signal/discussions/5
+- Launch announcement Discussion: https://github.com/SalmonPlays/oss-signal/discussions/13
+- Launch X post: https://x.com/paopaopaolin/status/2062710560857489698
 - Separate public workflow demo: https://github.com/SalmonPlays/oss-signal-adoption-demo
-- Separate public workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038
+- Separate public workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878
 - Self-audit report: [docs/self-audit.md](self-audit.md)
 - SARIF self-audit output: [docs/examples/self-audit.sarif](examples/self-audit.sarif)
 - GitHub URL audit report: [docs/examples/github-url-report.md](examples/github-url-report.md)
@@ -31,6 +33,8 @@ Last verified: 2026-06-04T11:14:41Z
 - Brand assets and GitHub settings copy: [docs/brand.md](brand.md)
 - GitHub Pages landing page source: [docs/index.md](index.md)
 - GitHub Marketplace publishing checklist: [docs/marketplace.md](marketplace.md)
+- Maintainer trial: [docs/maintainer-trial.md](maintainer-trial.md)
+- Maintainer feedback: [docs/maintainer-feedback.md](maintainer-feedback.md)
 - Maintainer playbook: [docs/maintainer-playbook.md](maintainer-playbook.md)
 - Trust center: [docs/trust-center.md](trust-center.md)
 - Adoption kit: [docs/adoption-kit.md](adoption-kit.md)
@@ -40,6 +44,7 @@ Last verified: 2026-06-04T11:14:41Z
 - SARIF Code Scanning walkthrough: [docs/sarif-code-scanning.md](sarif-code-scanning.md)
 - Roadmap: [docs/roadmap.md](roadmap.md)
 - Reviewer evidence quickstart: [docs/reviewer-evidence.md](reviewer-evidence.md)
+- Evidence ledger: [docs/evidence-ledger.md](evidence-ledger.md)
 - Post-submission update: [docs/post-submission-update.md](post-submission-update.md)
 - Release process: [docs/release-process.md](release-process.md)
 - Codex for Open Source application brief: [docs/codex-for-oss-application.md](codex-for-oss-application.md)
@@ -64,15 +69,15 @@ The [post-submission update](post-submission-update.md) records why the current
 
 ## Published Package Verification
 
-The npm package is publicly available as `oss-signal@0.7.0` with `latest` pointing at `0.7.0`.
+The npm package is publicly available as `oss-signal@0.8.0` with `latest` pointing at `0.8.0`.
 
-The npm downloads API returned 356 downloads for both last-week and last-month windows on 2026-06-04. Download counts can lag publication, so this is treated as supporting evidence rather than proof of broad adoption.
+The npm downloads API returned 356 downloads for both last-week and last-month windows on 2026-06-05. Download counts can lag publication, so this is treated as supporting evidence rather than proof of broad adoption.
 
 Clean-directory execution against the public GitHub repository returned:
 
 ```json
 {
-  "version": "0.7.0",
+  "version": "0.8.0",
   "score": 100,
   "grade": "A",
   "source": "github"
@@ -88,8 +93,8 @@ Current public workflow status:
 - OpenSSF Scorecard: configured on `main` pushes and a weekly schedule, with JSON artifact output and public Scorecard publishing
 - Release: passing
 - GitHub Pages deployment: passing, with the repository homepage set to https://salmonplays.github.io/oss-signal/
-- GitHub Marketplace listing: published for the `v0.7.0` Action release
-- GitHub issue forms: adoption report and maintainer audit report forms are available for structured public evidence intake
+- GitHub Marketplace listing: published, with `v0.8.0` available as the current Action tag
+- GitHub issue forms: adoption report, trial feedback, and maintainer audit report forms are available for structured public evidence intake
 - GitHub citation metadata: `CITATION.cff` is present for the repository citation UI
 - Automation contract: JSON schema and fixture are documented for `--format json`
 - Code Scanning walkthrough: SARIF upload permissions, expected warnings, fixture, and output example are documented
@@ -97,17 +102,17 @@ Current public workflow status:
 - Maintainer workflow Discussion: published
 - Separate public workflow demo: passing
 
-After the v0.7.0 release, the npm registry should return `0.7.0` for both the package version and `latest` dist-tag. The earlier 2026-06-04 download check returned 356 downloads for the last-week and last-month windows.
+The npm registry returned `0.8.0` for both the package version and `latest` dist-tag on 2026-06-05T09:57:04Z. A clean install smoke test returned version `0.8.0`, score `100`, grade `A`, and source `github`. The 2026-06-05 download check returned 356 downloads for the last-week and last-month windows.
 
 ## Separate Public Workflow Evidence
 
-The public repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs `SalmonPlays/oss-signal@v0.5.1` from a separate workflow file:
+The public repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs `SalmonPlays/oss-signal@v0.7.0` from a separate workflow file:
 
 - Workflow file: https://github.com/SalmonPlays/oss-signal-adoption-demo/blob/main/.github/workflows/oss-signal.yml
-- Successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038
+- Successful workflow run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878
 - Artifact: `oss-signal-adoption-demo-report`, containing `oss-signal-report.md`, `oss-signal.sarif`, and `maintainer-follow-up.md`
 
-This is not claimed as independent third-party adoption because the repository is owned by `SalmonPlays`. It is evidence that the public `v0.5.1` Action tag works outside the main repository and can publish Markdown, SARIF, and Issue-ready maintainer-readiness reports from another public workflow.
+This is not claimed as independent third-party adoption because the repository is owned by `SalmonPlays`. It is evidence that a public Action tag works outside the main repository and can publish Markdown, SARIF, and Issue-ready maintainer-readiness reports from another public workflow. The demo workflow is refreshed after each release when the new tag is available.
 
 ## Public Field Audits And PRs
 
@@ -115,13 +120,15 @@ The tool has been used to generate maintainer-readiness reports for public repos
 
 | Repository | Report | Posted issue | Follow-up PR | Status |
 | --- | --- | --- | --- | --- |
-| `platformatic/massimo` | [report](outreach/platformatic-massimo-report.md) | https://github.com/platformatic/massimo/issues/159 | https://github.com/platformatic/massimo/pull/160 | open, clean |
-| `supermarkt/checkjebon` | [report](outreach/supermarkt-checkjebon-report.md) | https://github.com/supermarkt/checkjebon/issues/22 | https://github.com/supermarkt/checkjebon/pull/23 | open, clean |
-| `sammorrisdesign/interactive-feed` | [report](outreach/sammorrisdesign-interactive-feed-report.md) | https://github.com/sammorrisdesign/interactive-feed/issues/14 | https://github.com/sammorrisdesign/interactive-feed/pull/15 | open |
-| `flox/install-flox-action` | [report](outreach/flox-install-flox-action-report.md) | https://github.com/flox/install-flox-action/issues/204 | https://github.com/flox/install-flox-action/pull/205 | open, checks pending |
+| `platformatic/massimo` | [report](outreach/platformatic-massimo-report.md) | https://github.com/platformatic/massimo/issues/159 | https://github.com/platformatic/massimo/pull/160 | open, mergeable |
+| `supermarkt/checkjebon` | [report](outreach/supermarkt-checkjebon-report.md) | https://github.com/supermarkt/checkjebon/issues/22 | https://github.com/supermarkt/checkjebon/pull/23 | open, mergeable |
+| `sammorrisdesign/interactive-feed` | [report](outreach/sammorrisdesign-interactive-feed-report.md) | https://github.com/sammorrisdesign/interactive-feed/issues/14 | https://github.com/sammorrisdesign/interactive-feed/pull/15 | open, mergeable |
+| `flox/install-flox-action` | [report](outreach/flox-install-flox-action-report.md) | https://github.com/flox/install-flox-action/issues/204 | https://github.com/flox/install-flox-action/pull/205 | open, mergeable |
 | `Grovanni/oss-signal` | [report](outreach/grovanni-oss-signal-report.md) | https://github.com/Grovanni/oss-signal/issues/1 | N/A | open |
+| `noctemlabs/signal-oss` | [report](outreach/noctemlabs-signal-oss-report.md) | N/A | https://github.com/noctemlabs/signal-oss/pull/12 | open, mergeable |
+| `Divyesh-5981/signal-oss` | [report](outreach/divyesh-5981-signal-oss-report.md) | https://github.com/Divyesh-5981/signal-oss/issues/5 | N/A | open |
 
-These issues and pull requests are evidence of the intended maintainer workflow: run a deterministic audit, explain the missing signals, and give maintainers a small set of actionable improvements. Each PR is intentionally limited to documentation or GitHub templates.
+These issues and pull requests are evidence of the intended maintainer workflow: run a deterministic audit, explain the missing signals, and give maintainers a small set of actionable improvements. Each PR is intentionally limited to documentation, GitHub templates, or a minimal CI workflow.
 
 Prepared but not yet posted outreach candidates are tracked separately in [outreach/peer-shortlist-2026-06.md](outreach/peer-shortlist-2026-06.md) and [outreach](outreach). This prevents candidate research from being overstated as real external maintainer engagement.
 
@@ -129,9 +136,9 @@ The workflow now includes [plan-output.md](plan-output.md), which converts audit
 
 Additional focused external contribution:
 
-- `icoretech/codex-action`: https://github.com/icoretech/codex-action/pull/24 updates Codex Action README examples so generated output is routed through environment variables before shell printing.
+- `icoretech/codex-action`: https://github.com/icoretech/codex-action/pull/24 was merged on 2026-06-04 and updates Codex Action README examples so generated output is routed through environment variables before shell printing. The maintainer merge comment is public at https://github.com/icoretech/codex-action/pull/24#issuecomment-4623923361.
 
-All field-audit follow-up PRs were still open when checked from GitHub on 2026-06-04T10:38:39Z. They are not claimed as accepted adoption unless a maintainer merges or otherwise endorses them.
+The five field-audit follow-up PRs were still open when checked from GitHub on 2026-06-05T09:57:04Z. The Divyesh issue was posted on 2026-06-05T04:18:46Z and is not claimed as adoption unless the maintainer replies or acts. Open PRs are not claimed as accepted adoption unless a maintainer merges, replies, or otherwise endorses them.
 
 ## Contributor Intake
 
@@ -140,7 +147,7 @@ The project now has labeled good-first-issue routes for outside contributors:
 - https://github.com/SalmonPlays/oss-signal/issues/6
 - https://github.com/SalmonPlays/oss-signal/issues/7
 
-The repository also includes a GitHub Discussions category form for structured rule feedback, Action usage questions, and maintainer workflow adoption notes. The issue templates include adoption and maintainer-audit forms so users can share workflow-run evidence or discuss reports without inventing the format.
+The repository also includes a GitHub Discussions category form for structured rule feedback, Action usage questions, and maintainer workflow adoption notes. The issue templates include adoption, trial-feedback, and maintainer-audit forms so users can share workflow-run evidence, neutral maintainer feedback, or report discussion without inventing the format.
 
 Current public roadmap evidence:
 
@@ -158,10 +165,10 @@ npm run audit:github
 node src/cli.js . --format sarif --output docs/examples/self-audit.sarif
 node src/cli.js --inventory docs/examples/inventory-targets.txt --format markdown --output docs/examples/inventory-report.md
 node src/cli.js platformatic/massimo --format json
-npm exec --yes --package=oss-signal@0.7.0 -- oss-signal SalmonPlays/oss-signal --format json
+npm exec --yes --package=oss-signal@0.8.0 -- oss-signal SalmonPlays/oss-signal --format json
 ```
 
-The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper. The public `v0.7.0` Action tag is used by the repository health workflow for Markdown and SARIF output. The published npm `0.7.0` package has also been executed from a clean temporary directory against the public GitHub repository, returning 100/100 (A).
+The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper. The public `v0.8.0` Action tag is used by the repository health workflow for Markdown and SARIF output. The published npm `0.8.0` package has also been executed from a clean temporary directory against the public GitHub repository, returning 100/100 (A).
 
 Public CI evidence:
 
@@ -170,7 +177,7 @@ Public CI evidence:
 - CodeQL workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/codeql.yml
 - OpenSSF Scorecard workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/scorecard.yml
 - Maintainer workflow Discussion: https://github.com/SalmonPlays/oss-signal/discussions/5
-- Separate workflow demo run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038
+- Separate workflow demo run: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878
 - Reviewer verification quickstart: [reviewer-evidence.md](reviewer-evidence.md)
 
 ## Boundaries

package/docs/adoption-kit.md

@@ -2,12 +2,14 @@
 
 This page gives maintainers a copy-paste path for trying `oss-signal` and leaving useful public evidence.
 
+For a first trial, use the no-fail workflow in [maintainer-trial.md](maintainer-trial.md). It publishes a report without gating CI.
+
 ## Try The CLI
 
 Run against a public repository without cloning:
 
 ```bash
-npm exec --yes --package=oss-signal@0.7.0 -- oss-signal owner/repo --format markdown --output oss-signal-report.md
+npm exec --yes --package=oss-signal@0.8.0 -- oss-signal owner/repo --format markdown --output oss-signal-report.md
 ```
 
 Run against the current checkout:
@@ -22,8 +24,16 @@ Generate a human-reviewed issue body:
 npx oss-signal owner/repo --format issue --output maintainer-follow-up.md
 ```
 
+Generate a no-fail trial workflow:
+
+```bash
+npx oss-signal owner/repo --format workflow --output .github/workflows/oss-signal-trial.yml
+```
+
 ## Add The GitHub Action
 
+This example gates CI with `fail-under`. For a first trial in another maintainer's repository, start with [examples/maintainer-trial-workflow.yml](examples/maintainer-trial-workflow.yml) instead.
+
 ```yaml
 name: Repository health
 
@@ -40,7 +50,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: SalmonPlays/oss-signal@v0.7.0
+      - uses: SalmonPlays/oss-signal@v0.8.0
         id: oss-signal
         with:
           fail-under: "80"
@@ -61,7 +71,7 @@ permissions:
 
 steps:
   - uses: actions/checkout@v4
-  - uses: SalmonPlays/oss-signal@v0.7.0
+  - uses: SalmonPlays/oss-signal@v0.8.0
     with:
       format: sarif
       output: oss-signal.sarif
@@ -77,13 +87,13 @@ Full walkthrough: [sarif-code-scanning.md](sarif-code-scanning.md)
 
 Useful adoption evidence is concrete and public:
 
-- A workflow run that uses `SalmonPlays/oss-signal@v0.7.0`.
+- A workflow run that uses `SalmonPlays/oss-signal@v0.8.0`.
 - A Markdown report attached as a workflow artifact.
 - A SARIF upload that appears in Code Scanning.
 - A focused issue or pull request created from an audit finding.
 - A short note about what maintainer task the audit improved.
 
-Open an [adoption report](https://github.com/SalmonPlays/oss-signal/issues/new?template=adoption_report.yml) when a public repository uses the CLI or Action. Open a [maintainer audit report](https://github.com/SalmonPlays/oss-signal/issues/new?template=audit_report.yml) when you want to discuss a generated report before posting follow-up to another repository.
+Open an [adoption report](https://github.com/SalmonPlays/oss-signal/issues/new?template=adoption_report.yml) when a public repository uses the CLI or Action. Open [trial feedback](https://github.com/SalmonPlays/oss-signal/issues/new?template=trial_feedback.yml) when you reviewed a report but did not adopt the tool. Open a [maintainer audit report](https://github.com/SalmonPlays/oss-signal/issues/new?template=audit_report.yml) when you want to discuss a generated report before posting follow-up to another repository.
 
 ## Boundaries
 

package/docs/assets/code-scanning-results.svg

@@ -6,7 +6,7 @@
   <rect x="0" y="0" width="920" height="58" rx="18" fill="#f6f8fa"/>
   <text x="32" y="37" fill="#24292f" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="18" font-weight="700">GitHub Code Scanning</text>
   <text x="32" y="98" fill="#24292f" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="28" font-weight="700">oss-signal maintainer-readiness findings</text>
-  <text x="32" y="132" fill="#57606a" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="16">SARIF upload from SalmonPlays/oss-signal@v0.7.0</text>
+  <text x="32" y="132" fill="#57606a" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="16">SARIF upload from SalmonPlays/oss-signal@v0.8.0</text>
   <rect x="32" y="162" width="856" height="72" rx="10" fill="#fffbdd" stroke="#d4a72c"/>
   <circle cx="65" cy="198" r="10" fill="#bf8700"/>
   <text x="88" y="194" fill="#24292f" font-family="-apple-system, BlinkMacSystemFont, Segoe UI, sans-serif" font-size="17" font-weight="700">oss-signal/security</text>

package/docs/assets/oss-signal-banner.svg

@@ -34,7 +34,7 @@
     <rect x="334" y="266" width="144" height="42" rx="21" fill="#dcfce7"/>
     <text x="359" y="293" fill="#166534">100/100 A</text>
     <rect x="494" y="266" width="142" height="42" rx="21" fill="#dbeafe"/>
-    <text x="521" y="293" fill="#1e40af">npm 0.7.0</text>
+    <text x="521" y="293" fill="#1e40af">npm 0.8.0</text>
     <rect x="652" y="266" width="178" height="42" rx="21" fill="#e0f2fe"/>
     <text x="681" y="293" fill="#075985">GitHub Action</text>
     <rect x="846" y="266" width="168" height="42" rx="21" fill="#fef9c3"/>

package/docs/brand.md

@@ -19,7 +19,7 @@ The display name is intentionally more descriptive for reviewers, while `oss-sig
 
 Recommended repository description:
 
-> Maintainer-readiness CLI and GitHub Action for OSS triage, CI evidence, inventory reports, SARIF, and issue-ready cleanup.
+> Maintainer-readiness CLI and GitHub Action for OSS triage, CI evidence, inventory reports, SARIF, issue-ready cleanup, and workflow trials.
 
 Recommended repository topics:
 

package/docs/codex-for-oss-application.md

@@ -1,6 +1,6 @@
 # Codex for Open Source Application Brief
 
-Snapshot: 2026-06-04T23:25:29Z
+Snapshot: 2026-06-05T09:57:04Z
 
 This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open Source program. The official program page says open-source maintainers can apply, with emphasis on core maintainers, widely used public projects, and projects that play an important ecosystem role: https://developers.openai.com/community/codex-for-oss
 
@@ -9,15 +9,18 @@ This document summarizes why `oss-signal` is a fit for OpenAI's Codex for Open S
 - Display name: OSS Maintainer Signal
 - Repository: https://github.com/SalmonPlays/oss-signal
 - npm package: https://www.npmjs.com/package/oss-signal
-- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.7.0
-- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.7.0
+- GitHub Release: https://github.com/SalmonPlays/oss-signal/releases/tag/v0.8.0
+- GitHub Action tag: https://github.com/SalmonPlays/oss-signal/tree/v0.8.0
 - CI workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/ci.yml
 - Repository health workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-health.yml
 - Repository inventory workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/repository-inventory.yml
 - CodeQL workflow: https://github.com/SalmonPlays/oss-signal/actions/workflows/codeql.yml
-- Separate public workflow demo: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038
+- Separate public workflow demo: https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878
 - Maintainer evidence: [adoption-evidence.md](adoption-evidence.md)
+- Evidence ledger: [evidence-ledger.md](evidence-ledger.md)
 - Reviewer evidence quickstart: [reviewer-evidence.md](reviewer-evidence.md)
+- Maintainer trial: [maintainer-trial.md](maintainer-trial.md)
+- Maintainer feedback: [maintainer-feedback.md](maintainer-feedback.md)
 - Post-submission update: [post-submission-update.md](post-submission-update.md)
 - Brand assets and GitHub settings copy: [brand.md](brand.md)
 - Form answer pack: [codex-for-oss-form-answers.md](codex-for-oss-form-answers.md)
@@ -50,28 +53,32 @@ This project is designed around repeatable maintainer workflows where Codex is u
 
 The repository currently has:
 
-- A published npm package with `0.7.0` as the latest release.
+- A published npm package with `0.8.0` as the latest release.
 - A post-submission update page explaining why the current npm package and Action tag may be newer than the originally submitted evidence.
-- npm download API evidence showing 356 last-week and last-month downloads on 2026-06-04.
-- A published GitHub Release for v0.7.0 with maintainer plan output, CI usage guidance, and release notes.
+- npm download API evidence showing 356 last-week and last-month downloads on 2026-06-05.
+- A published GitHub Release for v0.8.0 with maintainer plan output, CI usage guidance, and release notes.
 - A reusable GitHub Action with `score`, `grade`, `failed`, and `report-path` outputs.
 - A repository inventory mode for organization-level maintainer-readiness triage, available in both CLI and GitHub Action form.
-- A clean npm smoke test of `oss-signal@0.7.0` returning version `0.7.0`, score `100`, grade `A`, and source `github`.
+- A clean npm smoke test of `oss-signal@0.8.0` returning version `0.8.0`, score `100`, grade `A`, and source `github`.
 - SARIF output for GitHub Code Scanning integration.
-- A v0.7.0 GitHub Action tag with step summary, SARIF support, inventory support, Issue-ready output, and maintainer plan output.
-- A public dogfood workflow that runs `SalmonPlays/oss-signal@v0.7.0` against the repository, uploads the Markdown report artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
-- A public dogfood inventory workflow that runs `SalmonPlays/oss-signal@v0.7.0` against a repository target list and uploads an inventory artifact.
-- A separate public workflow demo that runs `SalmonPlays/oss-signal@v0.5.1` from another repository and uploads Markdown, SARIF, and Issue-ready report artifacts.
+- A v0.8.0 GitHub Action tag with step summary, SARIF support, inventory support, Issue-ready output, and maintainer plan output.
+- A workflow output mode that renders a no-fail GitHub Actions trial workflow for external maintainers.
+- A public dogfood workflow that runs `SalmonPlays/oss-signal@v0.8.0` against the repository, uploads the Markdown report artifact, and uploads SARIF to GitHub Code Scanning on non-PR runs.
+- A public dogfood inventory workflow that runs `SalmonPlays/oss-signal@v0.8.0` against a repository target list and uploads an inventory artifact.
+- A separate public workflow demo that runs `SalmonPlays/oss-signal@v0.7.0` from another repository and uploads Markdown, SARIF, and Issue-ready report artifacts.
+- A no-fail maintainer trial workflow that external maintainers can copy before enabling CI gates.
+- A trial feedback path for neutral or negative maintainer responses, so third-party feedback does not have to be overstated as adoption.
 - A maintainer playbook that documents audit, triage, issue, PR, CI, and SARIF workflows.
 - A release process and tag-triggered release workflow that verify package contents and publish to npm through Trusted Publishing.
 - CI, Repository health, CodeQL, and Release workflows passing publicly.
 - A local self-audit score of 100/100.
-- A clean-directory smoke test of `npm exec --yes --package=oss-signal@0.7.0 -- oss-signal SalmonPlays/oss-signal --format json`, returning 100/100 (A).
-- Public reports, issues, and PRs created from real repository audits, including five posted field-audit issues and four follow-up PRs.
+- A clean-directory smoke test of `npm exec --yes --package=oss-signal@0.8.0 -- oss-signal SalmonPlays/oss-signal --format json`, returning 100/100 (A).
+- Public reports, issues, and PRs created from real repository audits, including six posted field-audit issues and five follow-up PRs.
+- One accepted external documentation PR, with a public maintainer merge comment, recorded in [evidence-ledger.md](evidence-ledger.md).
 
 ## Separate Workflow Demo
 
-The repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs the public `SalmonPlays/oss-signal@v0.5.1` Action tag from a separate workflow. The successful run at https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26883001038 uploaded an `oss-signal-adoption-demo-report` artifact containing Markdown, SARIF, and Issue-ready output.
+The repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs the public `SalmonPlays/oss-signal@v0.7.0` Action tag from a separate workflow. The successful run at https://github.com/SalmonPlays/oss-signal-adoption-demo/actions/runs/26993130878 uploaded an `oss-signal-adoption-demo-report` artifact containing Markdown, SARIF, and Issue-ready output.
 
 This is intentionally described as a separate public workflow demo rather than third-party adoption because the repository is also owned by `SalmonPlays`. It still proves that the published Action tag is consumable outside the main repository.
 
@@ -79,30 +86,32 @@ This is intentionally described as a separate public workflow demo rather than t
 
 | Repository | Report | Issue | PR | Status |
 | --- | --- | --- | --- | --- |
-| `platformatic/massimo` | [report](outreach/platformatic-massimo-report.md) | https://github.com/platformatic/massimo/issues/159 | https://github.com/platformatic/massimo/pull/160 | open, clean |
-| `supermarkt/checkjebon` | [report](outreach/supermarkt-checkjebon-report.md) | https://github.com/supermarkt/checkjebon/issues/22 | https://github.com/supermarkt/checkjebon/pull/23 | open, clean |
-| `sammorrisdesign/interactive-feed` | [report](outreach/sammorrisdesign-interactive-feed-report.md) | https://github.com/sammorrisdesign/interactive-feed/issues/14 | https://github.com/sammorrisdesign/interactive-feed/pull/15 | open |
-| `flox/install-flox-action` | [report](outreach/flox-install-flox-action-report.md) | https://github.com/flox/install-flox-action/issues/204 | https://github.com/flox/install-flox-action/pull/205 | open, checks pending |
+| `platformatic/massimo` | [report](outreach/platformatic-massimo-report.md) | https://github.com/platformatic/massimo/issues/159 | https://github.com/platformatic/massimo/pull/160 | open, mergeable |
+| `supermarkt/checkjebon` | [report](outreach/supermarkt-checkjebon-report.md) | https://github.com/supermarkt/checkjebon/issues/22 | https://github.com/supermarkt/checkjebon/pull/23 | open, mergeable |
+| `sammorrisdesign/interactive-feed` | [report](outreach/sammorrisdesign-interactive-feed-report.md) | https://github.com/sammorrisdesign/interactive-feed/issues/14 | https://github.com/sammorrisdesign/interactive-feed/pull/15 | open, mergeable |
+| `flox/install-flox-action` | [report](outreach/flox-install-flox-action-report.md) | https://github.com/flox/install-flox-action/issues/204 | https://github.com/flox/install-flox-action/pull/205 | open, mergeable |
 | `Grovanni/oss-signal` | [report](outreach/grovanni-oss-signal-report.md) | https://github.com/Grovanni/oss-signal/issues/1 | N/A | open |
+| `noctemlabs/signal-oss` | [report](outreach/noctemlabs-signal-oss-report.md) | N/A | https://github.com/noctemlabs/signal-oss/pull/12 | open, mergeable |
+| `Divyesh-5981/signal-oss` | [report](outreach/divyesh-5981-signal-oss-report.md) | https://github.com/Divyesh-5981/signal-oss/issues/5 | N/A | open |
 
-These PRs are intentionally small and maintainer-friendly. They add documentation or GitHub templates rather than changing product code.
+These PRs are intentionally small and maintainer-friendly. They add documentation, GitHub templates, or minimal CI automation rather than changing product code.
 
 ## Application Positioning
 
 Recommended application angle:
 
-`oss-signal` is not yet a widely adopted project, but it is a public OSS maintainer tool built specifically for repeatable Codex-assisted maintenance. The project already has a working CLI, npm distribution, GitHub Action, passing CI/CodeQL, self-audit evidence, five public field-audit issues, and four public field-audit PRs. Codex support would be used to continue auditing repositories, prepare focused maintainer PRs, improve Action automation, and document repeatable OSS maintenance workflows.
+`oss-signal` is not yet a widely adopted project, but it is a public OSS maintainer tool built specifically for repeatable Codex-assisted maintenance. The project already has a working CLI, npm distribution, GitHub Action, passing CI/CodeQL, self-audit evidence, six public field-audit issues, five public field-audit PRs, and one merged external Codex Action documentation PR. Codex support would be used to continue auditing repositories, prepare focused maintainer PRs, improve Action automation, and document repeatable OSS maintenance workflows.
 
 Prepared official form answers are in [codex-for-oss-form-answers.md](codex-for-oss-form-answers.md). The applicant still needs to fill personal identity fields and their OpenAI Organization ID directly.
 
 ## Current Gaps
 
-- External PRs are open but not yet merged.
+- Field-audit PRs are open but not yet merged.
 - npm download metrics are still early because the package is newly published.
 - The project needs independent maintainer-owned repositories using the Action in their own workflows.
 
 ## Next Evidence To Collect
 
-- One or more merged external PRs.
-- A public workflow run in an independent maintainer-owned repository using `SalmonPlays/oss-signal@v0.7.0`, ideally with SARIF or inventory upload enabled.
+- More merged external PRs or maintainer replies on field-audit PRs.
+- A public workflow run in an independent maintainer-owned repository using `SalmonPlays/oss-signal@v0.8.0`, ideally with SARIF or inventory upload enabled.
 - npm download data once the registry starts reporting weekly/monthly counts.