From a689030d30083ff2d0d21dde04fbcf8bf616a147 Mon Sep 17 00:00:00 2001 From: Vijit Singh Date: Thu, 18 Jun 2026 01:14:54 -0500 Subject: [PATCH] governance: add CODEOWNERS, issue templates, and SECURITY.md (closes #17) Bring the site's governance scaffolding in line with the sibling repos (pithead/rigforge already carry these). The PR template was already added in #18; this completes the set. - .github/CODEOWNERS: route every PR to @VijitSingh97 for review. - .github/ISSUE_TEMPLATE/: bug report, content fix, and feature request templates, adapted for a static site, plus config.yml linking private security reporting and existing issues. - SECURITY.md: private vulnerability-reporting path, scoped to a static Hugo site whose real surface is the build/deploy pipeline. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/CODEOWNERS | 4 +++ .github/ISSUE_TEMPLATE/bug_report.md | 36 +++++++++++++++++++++ .github/ISSUE_TEMPLATE/config.yml | 8 +++++ .github/ISSUE_TEMPLATE/content_fix.md | 21 ++++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 24 ++++++++++++++ SECURITY.md | 39 +++++++++++++++++++++++ 6 files changed, 132 insertions(+) create mode 100644 .github/CODEOWNERS create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/ISSUE_TEMPLATE/content_fix.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 SECURITY.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..d7fa13d --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,4 @@ +# Code owners — every PR requests review from the owner(s) below. +# https://docs.github.com/articles/about-code-owners + +* @VijitSingh97 diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..1c7e8c9 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md 
@@ -0,0 +1,36 @@ +--- +name: Bug report +about: Report something broken on the site — a rendering glitch, broken link, or display issue +title: "[Bug] " +labels: bug +assignees: '' +--- + +## What happened? + +A clear description of the bug — what you expected to see, and what actually happened. + +## Where? + +- **Page / URL:** (e.g. https://p2pool-starter-stack.github.io/#roadmap) +- **Section or element:** (hero, project card, FAQ, footer, …) + +## Steps to reproduce + +1. ... +2. ... + +## Environment + +- **Browser & version:** +- **OS:** +- **Device:** (desktop / mobile / tablet) +- **Screen size or zoom**, if relevant: + +## Screenshots + +If it's visual, a screenshot helps a lot. + +## Additional context + +Anything else — console errors, when it started, etc. diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..74cf49f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,8 @@ +blank_issues_enabled: true +contact_links: + - name: Security vulnerability + url: https://github.com/p2pool-starter-stack/p2pool-starter-stack.github.io/security/advisories/new + about: Please report security issues privately via GitHub Security Advisories, not as a public issue. + - name: Question or discussion + url: https://github.com/p2pool-starter-stack/p2pool-starter-stack.github.io/issues + about: Browse existing issues before opening a new one. diff --git a/.github/ISSUE_TEMPLATE/content_fix.md b/.github/ISSUE_TEMPLATE/content_fix.md new file mode 100644 index 0000000..57f6378 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/content_fix.md 
@@ -0,0 +1,21 @@ +--- +name: Content fix +about: A typo, wording, broken/outdated link, or factual correction in the site copy +title: "[Content] " +labels: documentation +assignees: '' +--- + +## What needs fixing? + +Quote the current text or link, and where it appears (page + section). + +## Suggested change + +What it should say instead. + +## Why + +Briefly, why the change is correct (a typo, an outdated version, a wrong link, …). + + diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..8c3f974 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,24 @@ +--- +name: Feature request +about: Suggest an idea or improvement for the site +title: "[Feature] " +labels: enhancement +assignees: '' +--- + +## Problem / motivation + +What are you trying to do, and what's getting in the way? Describe the use case rather +than a specific solution where you can. + +## Proposed solution + +What would you like to see happen? + +## Alternatives considered + +Any other approaches you thought about, and why this one is better. + +## Additional context + +Anything else — links, references, screenshots, related issues, etc. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..3ff60b0 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,39 @@ +# Security Policy + +This repository is the source for the P2Pool Starter Stack website +() — a static [Hugo](https://gohugo.io/) site with no +backend and no third-party requests at runtime (system fonts only; nothing phones home). The main +security surface is the **build and deploy pipeline** rather than the served pages, but we still +want to hear about anything that could mislead visitors or compromise the site. + +## Supported versions + +The live site is whatever is on the latest `main` — it deploys on every push. There are no release +branches; please check against current `main` before reporting. + +| Version | Supported | +|----------------|--------------------| +| latest `main` | ✅ | +| anything older | ❌ (please update) | + +## Reporting a vulnerability + +**Please do not open a public issue for security problems.** + +Use GitHub's private vulnerability reporting instead: go to the **Security** tab and click +**"Report a vulnerability"**. This opens a private advisory visible only to the maintainers, where +we can triage and coordinate a fix and disclosure with you. + +When you report, it helps to include: + +- A description of the issue and its impact. +- Steps to reproduce, and the affected area (a rendered page, the build/deploy workflow, the + `scripts/refresh-releases.py` release-refresh script, a third-party GitHub Action, etc.). +- Any relevant logs or links. + +**In scope, for example:** a way to inject content into the built site, a compromised or unpinned +dependency/Action in the build, leaked credentials in the repo or CI, or a weakness in the deploy +pipeline. **Out of scope:** issues in third-party services we merely link to, and anything that +requires an already-compromised maintainer machine. + +We aim to acknowledge reports promptly and will keep you posted as we work on a fix.
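Review bot: in .github/CODEOWNERS, the `* @VijitSingh97` rule only causes a review to be requested; on its own it does not block a merge. SECURITY.md in this same patch says the live site deploys on every push to `main` and that the build and deploy pipeline is the main security surface, so this file only protects that surface if a branch protection rule on `main` requires code-owner review. Suggest confirming that rule exists and saying so in the header comment. With a single owner, PRs authored by @VijitSingh97 have no other code owner to approve them, so consider adding a second owner or documenting how those PRs get reviewed.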
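Review bot: in .github/ISSUE_TEMPLATE/config.yml, `blank_issues_enabled: true` keeps a free-form public issue path open next to the "Security vulnerability" contact link, so a reporter can skip the template chooser guidance and post a security problem publicly. Consider setting it to `false`, or adding a line at the top of bug_report.md that points security reports to the private advisory link. Separately, the "Question or discussion" entry links to the issue list rather than to a discussion venue; renaming it to match its `about` text ("Browse existing issues before opening a new one.") would avoid the mismatch.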
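Review bot: in SECURITY.md, the "Reporting a vulnerability" section offers a single channel, the Security tab's "Report a vulnerability" button, and that button is only shown when private vulnerability reporting is enabled in the repository settings, which this patch cannot show. Confirm it is enabled before merging, and consider adding a fallback contact for reporters who cannot use it. Two smaller points in the same file: the parentheses after "P2Pool Starter Stack website" in the first paragraph are empty as shown here, so the site URL appears to be missing, and "We aim to acknowledge reports promptly" gives no timeframe a reporter can hold the project to; a concrete target (for example a number of days) would make the policy checkable.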