{"id":47711419,"url":"https://github.com/vbonk/repo-template","last_synced_at":"2026-04-02T18:34:26.850Z","repository":{"id":331534541,"uuid":"1073377714","full_name":"vbonk/repo-template","owner":"vbonk","description":"Baseline New Repository Template. .gitignore (multi-language). README.md (solo-focused). CLAUDE.md (with Copilot notes). CI workflow (.github/workflows/ci.yml) without review requirements. License. Basic structure.","archived":false,"fork":false,"pushed_at":"2026-03-30T00:46:43.000Z","size":252,"stargazers_count":1,"open_issues_count":4,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-30T00:59:06.141Z","etag":null,"topics":["ai-coding","ai-first","boilerplate","ci-cd","claude-code","codex","copilot","cursor","devcontainer","developer-tools","devtools","gemini","github-actions","github-template","prompt-injection","repository-template","security","starter-template","template","windsurf"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vbonk.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":"audits/repo-compliance.json","citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":"SUPPORT.md","governance":"GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":null},"created_at":"2025-10-10T03:01:49.000Z","updated_at":"2026-03-30T00:46:46.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/vbonk/repo-template","commit_stats":null,
"previous_names":["vbonk/repo-template"],"tags_count":1,"template":true,"template_full_name":null,"purl":"pkg:github/vbonk/repo-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbonk%2Frepo-template","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbonk%2Frepo-template/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbonk%2Frepo-template/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbonk%2Frepo-template/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vbonk","download_url":"https://codeload.github.com/vbonk/repo-template/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbonk%2Frepo-template/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31312937,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-coding","ai-first","boilerplate","ci-cd","claude-code","codex","copilot","cursor","devcontainer","developer-tools","devtools","gemini","github-actions","github-template","prompt-injection","repository-template","security","starter-template","template","windsurf"],"created_at":"2026-04-02T18:34:26.206Z","updated_at":"2026-04-02T18:34:26.792Z","avatar_url":"https://github.com/vbonk.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# repo-template\n\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12331/badge)](https://www.bestpractices.dev/projects/12331)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![CI](https://github.com/vbonk/repo-template/actions/workflows/ci.yml/badge.svg)](https://github.com/vbonk/repo-template/actions/workflows/ci.yml)\n[![GitHub release](https://img.shields.io/github/v/release/vbonk/repo-template)](https://github.com/vbonk/repo-template/releases)\n[![GitHub stars](https://img.shields.io/github/stars/vbonk/repo-template)](https://github.com/vbonk/repo-template/stargazers)\n\n29 million secrets were leaked on GitHub in 2025. AI-assisted commits leak credentials at **twice the baseline rate**. One solo developer's exposed AWS key cost [$3,200 in unauthorized charges](docs/PROD_CHECKLIST.md) — bots found it within minutes.\n\nMost of this is preventable. 
A pre-commit hook, a `.gitignore` that covers `.env`, branch protection that blocks force-push. But if you've never worked on a team that set these up for you, you don't know they exist — let alone how to configure them.\n\n**This template is the senior engineer you never had.** It sets up security, CI, AI agent configuration, and repository governance before you write your first line of code. Three commands, two minutes, nothing missed.\n\n\u003e **New here?** Start with the [Getting Started Guide](docs/GETTING-STARTED.md) — security, AI agents, and workflow setup in about 10 minutes.\n\n### Who is this for?\n\n- **Solo developers and indie hackers** — You can code, but you've always worked alone. You've never had someone set up branch protection, configure Dependabot, or explain why `.env` goes in `.gitignore` before your first commit.\n- **Vibe coders** — You're building with AI tools but don't come from a software background. 63% of vibe coders are non-developers: founders, marketers, designers shipping real products. The AI writes your code — this template makes sure the repo around it is safe.\n- **Early-career developers** — You're 0-2 years in, using AI tools heavily, but nobody's shown you the team workflows that prevent disasters: PR reviews, secret scanning, CI pipelines, release management.\n\nIf any of that sounds familiar, this template delivers the institutional knowledge that normally takes years on a team to absorb — as a one-click GitHub template.\n\n### Works with your AI tools — one, some, or all\n\nThe template includes context files for 7 AI coding agents. Use whichever you work with — they're independent files, not a package deal. 
Each one tells the agent about your project structure, conventions, commands, and security boundaries so it's productive from the first session instead of starting cold.\n\n| Agent | Config File | What It Gives the Agent |\n|-------|------------|------------------------|\n| Claude Code | `CLAUDE.md` | Full project context + `/project:init-template` and `/project:security-audit` commands |\n| GitHub Copilot | `.github/copilot-instructions.md` | Code generation guidelines, security rules |\n| Cursor | `.cursorrules` | Architecture, testing, workflow conventions |\n| OpenAI Codex | `AGENTS.md` | Cross-agent compatibility layer |\n| Google Gemini | `GEMINI.md` | Commands, conventions, project structure |\n| Windsurf | `.windsurfrules` | Same depth as Cursor config |\n| Aider | `.aider.conf.yml` | Model selection, git settings, lint/test commands |\n\nIf you only use Copilot, you get a tuned `copilot-instructions.md` and can ignore the rest. If you use Claude Code and Cursor, both work with project-specific context from day one. The files don't conflict or depend on each other.\n\n### Built for agentic development\n\nWhen AI agents create repositories — or when you're spinning up projects frequently — the setup tax multiplies. Every repo needs the same security baseline, the same CI structure, the same issue taxonomy. Without a template, each one starts from zero and ends up slightly different.\n\nThis template is designed to be the default starting point. Use it from the GitHub UI, from the CLI, or hand it to an autonomous agent:\n\n```bash\ngh repo create my-project --template vbonk/repo-template --public --clone\ncd my-project \u0026\u0026 bash scripts/secure-repo.sh \u0026\u0026 bash templates/hooks/setup-hooks.sh\n```\n\nThree commands. Repository created, security hardened, hooks installed. 
The agent (or you) can start building immediately, and the deep settings — the ones that prevent secrets from leaking, branches from being force-pushed, dependencies from going unpatched — are already in place.\n\n```\nYour new repo on day one:\n\n  CI/CD pipeline          ready (Node, Python, Go, Rust, Bun — uncomment your stack)\n  Security scanning       active (secrets blocked at commit + PR + push)\n  Branch protection       enforced (force-push blocked, tags protected, delete-on-merge)\n  AI agent context        configured (whichever agents you use, project-aware)\n  Issue management        structured (5 templates, 25+ labels, task scripts)\n  Pre-commit hooks        installed (catches credentials before they reach git)\n  Compliance audit        built in (score any repo against these standards)\n  Drift detection         available (reusable workflow checks downstream repos weekly)\n```\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/vbonk/repo-template/generate\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/Use%20This%20Template-238636?style=for-the-badge\u0026logo=github\u0026logoColor=white\" alt=\"Use this template\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003e See it in action: [repo-template-example](https://github.com/vbonk/repo-template-example) is a Node.js/TypeScript project built from this template with every placeholder filled and security hardened.\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Table of Contents\u003c/strong\u003e\u003c/summary\u003e\n\n- [Who Is This For?](#who-is-this-for)\n- [Why This Template?](#why-this-template)\n- [Features](#features)\n- [What's Included](#whats-included)\n- [Workflows](#workflows)\n  - [New Project Workflows](#new-project-workflows)\n  - [Existing Repository Workflows](#existing-repository-workflows)\n  - [Workflow Comparison](#workflow-comparison)\n- [What's Next?](#whats-next)\n- [AI Agent Configuration](#ai-agent-configuration)\n- 
[CI/CD](#cicd)\n- [Issue Management](#issue-management)\n- [Customization Guide](#customization-guide)\n- [FAQ](#faq)\n- [Contributing](#contributing)\n- [Security](#security)\n- [License](#license)\n- [Acknowledgments](#acknowledgments)\n\n\u003c/details\u003e\n\n---\n\n## Why This Exists\n\n\u003e [!WARNING]\n\u003e **AI-generated code contains vulnerabilities 40-62% of the time.** Zero out of 15 AI-built apps in one study included CSRF protection. Zero set security headers. Over 40% of junior developers deploy AI-generated code they don't fully understand. If you're building with AI tools, the code may work — but the repo around it is probably exposed.\n\nNo existing solution combines all three things a solo AI-assisted developer needs:\n1. **Security-hardened repository governance** — secrets blocked, branches protected, dependencies monitored\n2. **AI agent configuration** — your tools understand your project from session one\n3. **Documentation that explains WHY** — not enterprise docs, not \"hello world\" — the level a helpful senior engineer would use with a new teammate\n\n| Your repo today | Your repo with this template |\n|-----------------|------------------------------|\n| No `.gitignore` or a minimal one — `.env` files slip through | Comprehensive `.gitignore` covering secrets, IDE files, OS files, build artifacts |\n| No CI — you find out code is broken when users tell you | CI pipeline catches failures on every push |\n| Secrets in source code — API keys committed, bots find them in minutes | Pre-commit hook + CI scanning blocks secrets at three levels |\n| Force-push to main can erase your commit history | Branch protection enforced — one-command setup |\n| AI agent starts cold every session | 7 agent configs with your project context, ready on first session |\n| No issue tracking — mental to-do lists | 5 templates, 25+ labels, helper scripts |\n\n---\n\n## Features\n\n- **Your AI tools work from day one** — 7 agents configured (Claude Code, 
Copilot, Cursor, Codex, Gemini, Windsurf, Aider) with project context, conventions, and security boundaries\n- **Secrets never reach GitHub** — `.gitignore` blocks credential patterns immediately; one command (`setup-hooks.sh`) adds pre-commit scanning; CI scans every PR automatically\n- **Mistakes get caught, not shipped** — 18 workflows included (dependency review, secret detection, stale management active by default; CI and CodeQL ready to enable for your stack)\n- **Security in one command** — `secure-repo.sh` enables branch protection, Dependabot alerts, and tag protection. SHA-pinned Actions and prompt injection defense are active from day one\n- **Two minutes from zero to production-grade** — Quick setup or comprehensive 8-step configuration with interactive prompts\n- **Issues and tasks, not mental to-do lists** — 5 templates (agent/human/external/bug/feature), 25+ labels, project board sync, helper scripts\n- **Score any repo** — Compliance audit scores repos against template standards with a letter grade (A+ through D)\n- **Works for any stack** — Node.js, Python, Go, Rust, Bun — uncomment your stack, everything else adjusts\n\n---\n\n## What's Included\n\n```\nrepo-template/\n├── .github/\n│   ├── workflows/ci.yml        CI pipeline (multi-stack)\n│   ├── workflows/sync-status   Label → Project board sync\n│   ├── ISSUE_TEMPLATE/         5 issue forms + config\n│   ├── PULL_REQUEST_TEMPLATE   PR checklist\n│   ├── dependabot.yml          Dependency updates\n│   └── copilot-instructions    GitHub Copilot config\n├── .claude/\n│   ├── commands/               Custom slash commands\n│   ├── skills/                 Auto-discovered capabilities\n│   └── agents/                 Specialized sub-agents\n├── scripts/\n│   ├── secure-repo.sh          One-command security hardening\n│   ├── audit-compliance.sh     Repo compliance scoring\n│   ├── labels.sh               Create/update labels\n│   ├── my-tasks.sh             Filtered issue views\n│   └── 
close-issue.sh          Close with status:done\n├── templates/\n│   ├── hooks/                  Pre-commit secret scanning\n│   └── linting/                Commitlint, ESLint, Ruff configs\n├── docs/                       Getting Started, AI Security, more\n├── src/                        Your source code\n├── tests/                      Your tests\n├── CLAUDE.md                   Claude Code instructions\n├── AGENTS.md                   Cross-agent compatibility\n├── CONTRIBUTORS.md             Auto-generated contributors\n├── CONTRIBUTING.md             Contribution guidelines\n├── SECURITY.md                 Security policy\n├── .gitignore                  Comprehensive patterns\n└── .editorconfig               Consistent formatting\n```\n\n---\n\n## Workflows\n\nChoose the workflow that matches your situation:\n\n### New Project Workflows\n\n\u003cdetails open\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Workflow A: GitHub Template (Recommended for most users)\u003c/strong\u003e\u003c/summary\u003e\n\nBest for: Quick start with GitHub's UI\n\n1. Click **[Use this template](https://github.com/vbonk/repo-template/generate)** → Name your repo → Create\n2. Clone your new repository:\n   ```bash\n   git clone https://github.com/YOUR_USERNAME/YOUR_REPO.git\n   cd YOUR_REPO\n   ```\n3. Open with Claude Code and run:\n   ```\n   /project:init-template\n   ```\n4. Answer the prompts — files update automatically\n\n\u003e [!IMPORTANT]\n\u003e After creating from template, run `scripts/labels.sh` to create issue labels. Labels, branch protection, secrets, and Projects do **not** transfer from template repos. 
See `docs/BRANCH-PROTECTION.md` for protection setup.\n\n```mermaid\nflowchart LR\n    A[🎯 Use Template] --\u003e B[📥 Clone Repo]\n    B --\u003e C[🤖 Run /init-template]\n    C --\u003e D[💬 Answer Questions]\n    D --\u003e E[✨ Files Updated]\n    E --\u003e F[🚀 Start Coding]\n\n    style A fill:#238636,color:#fff\n    style F fill:#238636,color:#fff\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Workflow B: Local-First (For pre-planned projects)\u003c/strong\u003e\u003c/summary\u003e\n\nBest for: When you've already planned your project structure or have existing code\n\n1. Create a local directory for your project:\n   ```bash\n   mkdir my-project \u0026\u0026 cd my-project\n   git init\n   ```\n2. Start Claude Code in this directory\n3. Add the init command:\n   ```bash\n   mkdir -p .claude/commands\n   curl -sL https://raw.githubusercontent.com/vbonk/repo-template/main/.claude/commands/init-template.md \\\n     -o .claude/commands/init-template.md\n   ```\n4. Run `/project:init-template` — the agent will:\n   - Ask about your project objectives and tech stack\n   - Generate customized template files\n   - Create the GitHub repository\n   - Push the initial commit\n\n**Advantage:** Files are customized before the GitHub repo exists — no template placeholders to clean up.\n\n**Note:** Requires GitHub CLI (`gh`) to be installed and authenticated.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Workflow C: Spin-off from Existing Session\u003c/strong\u003e\u003c/summary\u003e\n\nBest for: When working in Claude Code and you realize a component should be its own project\n\n1. While in an existing Claude Code session, describe the new project\n2. Ask Claude to create a new repository for it\n3. 
The agent will:\n   - Set up the new repo with template standards\n   - Move or generate relevant code\n   - Push to GitHub\n   - Return context to your original project\n\n**Example prompt:** \"Let's spin off the authentication module into its own repository called `my-auth-service`\"\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Workflow D: Empty GitHub Repo + Manual Setup\u003c/strong\u003e\u003c/summary\u003e\n\nBest for: Users who prefer full control or don't use Claude Code\n\n1. Create an empty repository on GitHub (no README, no .gitignore)\n2. Clone it locally\n3. Copy template files manually or download from this repo\n4. Find and update `TODO` comments:\n   ```bash\n   grep -r \"TODO\" --include=\"*.md\" --include=\"*.yml\"\n   ```\n\n| File | What to Change |\n|------|---------------|\n| `README.md` | Project name, description, badges |\n| `CLAUDE.md` | Your tech stack and commands |\n| `AGENTS.md` | Same as CLAUDE.md (for other AI tools) |\n| `.github/workflows/ci.yml` | Uncomment your language section |\n| `.github/dependabot.yml` | Uncomment your package ecosystem |\n| `SECURITY.md` | Your security contact email |\n\n\u003c/details\u003e\n\n---\n\n### Existing Repository Workflows\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Workflow E: Retrofit an Existing Repository\u003c/strong\u003e\u003c/summary\u003e\n\nBest for: Bringing an older repo up to template standards\n\n1. First, add the init command to your existing repo:\n   ```bash\n   # From your existing repo root:\n   mkdir -p .claude/commands\n   curl -sL https://raw.githubusercontent.com/vbonk/repo-template/main/.claude/commands/init-template.md \\\n     -o .claude/commands/init-template.md\n   ```\n2. Then run the command in Claude Code:\n   ```\n   /project:init-template\n   ```\n3. 
The agent will:\n   - Analyze your current structure\n   - Add missing template files (CLAUDE.md, CI, etc.)\n   - Preserve your existing code and configuration\n   - Suggest improvements without overwriting your work\n\n\u003e **Why the extra step?** `/project:init-template` is a Claude Code custom command that must exist in your repo's `.claude/commands/` directory before Claude Code can discover it. Repos created from this template already have it.\n\n**What gets added:**\n- AI configuration files (if missing)\n- CI/CD workflow (if missing or outdated)\n- Issue/PR templates (if missing)\n- Security policy (if missing)\n- Security hardening script + pre-commit hooks\n\n**What's preserved:**\n- Your existing README (agent will suggest improvements)\n- Your code and tests\n- Your existing CI (agent will compare and recommend)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Workflow F: Fork + Personal Standards\u003c/strong\u003e\u003c/summary\u003e\n\nBest for: Contributing to others' projects with AI assistance\n\n1. Fork the upstream repository\n2. Add template files to your fork:\n   - `CLAUDE.md` — Your personal AI instructions\n   - Optionally: `.github/copilot-instructions.md`\n3. **Important:** Add these to `.git/info/exclude` (not `.gitignore`) to avoid polluting upstream PRs:\n   ```\n   # .git/info/exclude\n   CLAUDE.md\n   .github/copilot-instructions.md\n   ```\n\nThis gives you AI assistance without affecting the upstream project.\n\n**Security for forks:** See [docs/FORK-SECURITY.md](docs/FORK-SECURITY.md) for upstream push blocking, fork network data leakage risks, and secure contribution workflows.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Workflow G: Create Organization Template\u003c/strong\u003e\u003c/summary\u003e\n\nBest for: Teams wanting consistent standards across repos\n\n1. Fork or clone repo-template\n2. 
Customize for your organization:\n   - Add org-specific CI steps (internal registries, compliance checks)\n   - Update SECURITY.md with your security contact\n   - Add org branding to README template\n   - Create additional slash commands for team workflows\n3. Mark as a template repository in GitHub Settings\n4. Team members use your org template instead of this one\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Workflow H: Multi-Stack Projects\u003c/strong\u003e\u003c/summary\u003e\n\nBest for: Projects with multiple languages (e.g., Python backend + TypeScript frontend)\n\n1. Use Workflow A or B to create the repository\n2. In `.github/workflows/ci.yml`, uncomment multiple language sections\n3. In `.github/dependabot.yml`, enable multiple ecosystems\n4. In `CLAUDE.md`, document all stacks:\n   ````markdown\n   ## Commands\n\n   ### Backend (Python)\n   ```bash\n   cd backend \u0026\u0026 pytest\n   ```\n\n   ### Frontend (TypeScript)\n   ```bash\n   cd frontend \u0026\u0026 npm test\n   ```\n   ````\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Workflow I: Monorepo\u003c/strong\u003e\u003c/summary\u003e\n\nBest for: Multiple projects in a single repository\n\n1. Apply template at repository root\n2. Customize paths in CI and Dependabot:\n   ```yaml\n   # dependabot.yml\n   - package-ecosystem: \"npm\"\n     directory: \"/packages/frontend\"\n   - package-ecosystem: \"pip\"\n     directory: \"/packages/backend\"\n   ```\n3. 
In `CLAUDE.md`, document the monorepo structure and per-package commands\n\n\u003c/details\u003e\n\n---\n\n### Workflow Comparison\n\n| Workflow | Starting Point | Best For | AI Required |\n|----------|---------------|----------|-------------|\n| A: GitHub Template | GitHub UI | Quick start | Recommended |\n| B: Local-First | Empty directory | Pre-planned projects | Yes |\n| C: Spin-off | Existing session | Breaking out components | Yes |\n| D: Manual | Empty GitHub repo | Full control | No |\n| E: Retrofit | Existing repo | Upgrading old projects | Recommended |\n| F: Fork | Others' repos | Contributing with AI | No |\n| G: Org Template | This template | Team standards | No |\n| H: Multi-Stack | Any | Polyglot projects | No |\n| I: Monorepo | Any | Multi-project repos | No |\n\n---\n\n## What's Next?\n\nAfter setup, here are some things to try:\n\n| Action | How |\n|--------|-----|\n| **Add your first feature** | Ask Claude: \"Create a basic Express server in src/\" |\n| **Run CI locally** | `npm test` or your stack's test command |\n| **Create an issue** | Try the bug report form — see how structured it is |\n| **Enable security features** | Settings → Security → Enable secret scanning |\n\n### First Week Checklist\n\n- [ ] Add your source code to `src/`\n- [ ] Write your first test in `tests/`\n- [ ] Push a commit and watch CI run\n- [ ] Invite collaborators (they'll see CONTRIBUTING.md)\n- [ ] Enable GitHub security features (see [Security](#security))\n\n---\n\n## AI Agent Configuration\n\nThis template includes instruction files for multiple AI coding assistants:\n\n| File | AI Tool | What It Contains |\n|------|---------|------------------|\n| `CLAUDE.md` | Claude Code | Project context, commands, code style, structure |\n| `.github/copilot-instructions.md` | GitHub Copilot | Code generation guidelines, security rules |\n| `AGENTS.md` | Codex, Gemini, Cursor, others | Cross-agent compatibility layer |\n\n**Why this matters:** AI agents perform significantly 
better when they understand your project's conventions, tech stack, and workflows upfront. Instead of re-explaining your preferences each session, the agent reads these files automatically.\n\n**Custom commands:** The `.claude/commands/` folder contains slash commands:\n\n| Command | What It Does |\n|---------|-------------|\n| `/project:init-template` | Interactive project setup (Quick or Full mode) |\n| `/project:security-audit` | Run security scorecard — checks GitHub settings, pre-commit hooks, forbidden tokens, commit signing. Outputs letter grade (A+ through D). |\n| `/project:review` | Code review assistance |\n\n**Proactive security:** All 6 AI agent configs instruct the agent to check if security hardening has been completed on first session. If pre-commit hooks or GitHub protections are missing, the agent will suggest running the setup commands once.\n\n---\n\n## CI/CD\n\nThe included workflow (`.github/workflows/ci.yml`) supports multiple languages. Uncomment the section for your stack:\n\n| Stack | What It Runs |\n|-------|--------------|\n| **Node.js/TypeScript** | npm ci, lint, test, build |\n| **Python** | pip install, pytest, ruff |\n| **Go** | go build, go test, go vet |\n| **Rust** | cargo build, cargo test, cargo clippy |\n\n### Security Features\n\nThe CI workflow follows GitHub's security best practices:\n\n- **Actions pinned to SHA** — Prevents supply chain attacks from compromised tags\n- **Explicit permissions** — Least-privilege access, not default write-all\n- **30-minute timeout** — Prevents runaway jobs from consuming resources\n- **Concurrency controls** — Cancels outdated runs when new commits push\n\n---\n\n## Issue Management\n\nThis template includes a structured issue tracking system with labels, templates, and automation.\n\n### Issue Templates\n\n| Template | Auto-Labels | Use For |\n|----------|-------------|---------|\n| Agent Task | `owner:agent`, `task` | Work an AI agent can complete autonomously |\n| Human Task | 
`owner:human`, `task` | ENV vars, accounts, credentials, DNS, decisions |\n| External Blocker | `owner:external`, `status:blocked` | Waiting on a client, vendor, or third party |\n| Bug Report | `bug` | Something is broken |\n| Feature Request | `enhancement` | Suggest a new feature |\n\n### Label Taxonomy\n\n| Category | Labels | Purpose |\n|----------|--------|---------|\n| Status | `status:planning`, `in-progress`, `done`, `blocked` | Drives automation |\n| Owner | `owner:human`, `agent`, `external` | Who does the work |\n| Priority | `priority:high`, `medium`, `low` | Urgency |\n| Type | `bug`, `enhancement`, `task`, `roadmap`, `idea`, etc. | Classification |\n\nRun `scripts/labels.sh` to create all labels. Idempotent — safe to run multiple times.\n\n### Helper Scripts\n\n```bash\nscripts/my-tasks.sh              # Your tasks + blocked issues\nscripts/my-tasks.sh agent        # Agent-completable tasks\nscripts/my-tasks.sh high         # High priority only\nscripts/close-issue.sh 23 \"Done\" # Close with status:done + comment\n```\n\n### Project Board Sync (Optional)\n\nThe `sync-status.yml` workflow auto-syncs `status:*` labels to a GitHub Projects v2 board (and optionally Notion). Run `/project:init-template` to configure, or fill in the placeholder IDs manually.\n\n---\n\n## Customization Guide\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Adding a New Language\u003c/strong\u003e\u003c/summary\u003e\n\n1. Uncomment the relevant section in `.github/workflows/ci.yml`\n2. Uncomment the ecosystem in `.github/dependabot.yml`\n3. Update `CLAUDE.md` with your specific commands\n4. 
Add language-specific config files (package.json, pyproject.toml, etc.)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Setting Up Pre-commit Hooks\u003c/strong\u003e\u003c/summary\u003e\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md#pre-commit-hooks-optional) for instructions on setting up Husky and lint-staged.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Enabling GitHub Security Features\u003c/strong\u003e\u003c/summary\u003e\n\n**Automated (recommended):** Run the hardening script:\n\n```bash\nbash scripts/secure-repo.sh\n```\n\nThis enables Dependabot alerts, automated security fixes, branch protection (block force-push/deletion), tag protection, and delete-branch-on-merge in one command.\n\n**Manual:** In your repository Settings → Security:\n\n1. Enable **Secret scanning** — Detects API keys in commits\n2. Enable **Push protection** — Blocks pushes containing secrets\n3. Enable **Dependabot alerts** — Notifies of vulnerable dependencies\n4. Enable **Code scanning** — Finds vulnerabilities via CodeQL (public repos)\n\n**Pre-commit hooks:** Install the secret scanning hook:\n\n```bash\nbash templates/hooks/setup-hooks.sh\n```\n\nBlocks commits containing API keys, private keys, credentials, and custom forbidden tokens. 
Chains safely with existing hooks (husky, lint-staged, etc.).\n\n**Fork security:** See [docs/FORK-SECURITY.md](docs/FORK-SECURITY.md) for fork-specific security guidance (upstream push blocking, fork network data leakage, sync workflow).\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Creating Custom Slash Commands\u003c/strong\u003e\u003c/summary\u003e\n\nAdd Markdown files to `.claude/commands/`:\n\n```markdown\n# .claude/commands/my-command.md\n\nInstructions for Claude when this command is invoked...\n```\n\nThen use with `/project:my-command` in Claude Code.\n\n\u003c/details\u003e\n\n---\n\n## FAQ\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ I don't use Node.js. Will this work for me?\u003c/strong\u003e\u003c/summary\u003e\n\nYes. The template is language-agnostic. The CI workflow has commented sections for Python, Go, and Rust. Uncomment the one you need, or add your own. The directory structure (`src/`, `tests/`, etc.) works for any language.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Do I need to use Claude Code?\u003c/strong\u003e\u003c/summary\u003e\n\nNo. The template works with any workflow. The AI configuration files (CLAUDE.md, AGENTS.md, copilot-instructions.md) are just text files — they won't affect anything if you don't use AI tools. But if you do use them, your agents will be more effective.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ The CI workflow failed. What do I do?\u003c/strong\u003e\u003c/summary\u003e\n\nCommon causes:\n1. **No package.json/requirements.txt** — The workflow expects dependencies. Comment out the install step or add your dependency file.\n2. **No test script** — Add a test script or comment out the test step.\n3. 
**Wrong language section** — Make sure you uncommented the right section.\n\nCheck the Actions tab for specific error messages.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ How do I update after the template improves?\u003c/strong\u003e\u003c/summary\u003e\n\nRepositories created from templates don't auto-update. To get improvements:\n1. Check the [template repo](https://github.com/vbonk/repo-template) for changes\n2. Manually copy relevant updates to your project\n3. Or use the template again for new projects\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ I used \"Use this template\" but also have local customizations. What now?\u003c/strong\u003e\u003c/summary\u003e\n\nIf you created a repo via GitHub's template button but also have locally customized files (e.g., from a previous session), you have divergent git histories. Options:\n\n1. **Force push local work** (recommended if local is more complete):\n   ```bash\n   git push --force origin main\n   ```\n   This replaces the template files with your customized version.\n\n2. **Discard local and customize template**:\n   Clone the GitHub repo and run `/project:init-template` to customize interactively (this command is already included in repos created from the template).\n\n**To avoid this:** Use Workflow B (Local-First) when you have pre-planned customizations, or use Workflow A (GitHub Template) and customize afterward — don't mix both.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ Can I add template standards to someone else's repo I forked?\u003c/strong\u003e\u003c/summary\u003e\n\nYes! See Workflow F. Add your AI configuration files (CLAUDE.md, etc.) 
and exclude them from git tracking using `.git/info/exclude` so they don't pollute PRs to the upstream project.\n\n\u003c/details\u003e\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e▶ AI Security\u003c/strong\u003e\u003c/summary\u003e\n\nThis template includes prompt injection defenses — a first for GitHub templates:\n\n- **CODEOWNERS** protects AI config files (CLAUDE.md, AGENTS.md, .cursorrules, etc.) — changes require owner review\n- **PR body scanner** (opt-in workflow) detects common injection patterns in issue/PR text\n- **Hook templates** validate inputs before AI agents process them\n- **Documentation** in [docs/AI-SECURITY.md](docs/AI-SECURITY.md) covers attack vectors and best practices\n\nSee [docs/AI-SECURITY.md](docs/AI-SECURITY.md) for the full threat model.\n\n\u003c/details\u003e\n\n---\n\n## Show Your Support\n\nIf you created your repo with this template, add this badge to your README:\n\n```markdown\n[![Built with repo-template](https://img.shields.io/badge/Built%20with-repo--template-blue?style=flat-square)](https://github.com/vbonk/repo-template)\n```\n\n[![Built with repo-template](https://img.shields.io/badge/Built%20with-repo--template-blue?style=flat-square)](https://github.com/vbonk/repo-template)\n\n---\n\n## Contributing\n\nContributions to improve this template are welcome! 
See [CONTRIBUTING.md](CONTRIBUTING.md).\n\n**Ideas for contributions:**\n- Language-specific add-on configs\n- Additional CI/CD patterns\n- Improved documentation\n- New custom slash commands\n\n---\n\n## Security\n\nSee [SECURITY.md](SECURITY.md) for:\n- How to report vulnerabilities\n- Security features included in this template\n- Recommended GitHub security settings\n\n---\n\n## License\n\n[MIT](LICENSE) — Use freely, attribution appreciated.\n\n---\n\n## Acknowledgments\n\nThis template incorporates best practices from:\n- [Anthropic's Claude Code documentation](https://www.anthropic.com/engineering/claude-code-best-practices)\n- [GitHub Actions security best practices](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)\n- Community feedback and real-world usage\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003csub\u003eThe institutional knowledge of a senior engineering team, delivered as a GitHub template.\u003c/sub\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvbonk%2Frepo-template","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvbonk%2Frepo-template","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvbonk%2Frepo-template/lists"}