
Add open source project intake system #4

Draft
michaeloboyle wants to merge 8 commits into agenticsorg:main from michaeloboyle:main

Conversation

@michaeloboyle

Summary

  • GitHub issue template for structured project submissions (7 required fields + acknowledgments)
  • 6 GitHub Actions workflows implementing the full intake lifecycle:
    • on-submission — auto-labels and posts welcome comment
    • scoring — parses /score commands, posts formatted score table
    • escalation-vote — tallies escalate/no-escalate votes with quorum
    • validation-vote — tallies approve/decline/defer votes, applies outcome labels
    • approve-project — registers approved projects in data/approved-projects.json
    • retraction — handles /retract proposals and /vote retract tallying
  • Label setup script (scripts/setup-labels.sh) for 14 status + category labels
  • Scoring template doc for committee reviewers
  • Approved projects JSON registry

Implements the process defined in the Open Source Committee governance document.

Status

Draft — not tested, not ready for merge.

The workflows have not been exercised against real issues yet. Before merging:

  • Open a test submission issue and verify on-submission.yml fires correctly
  • Post a /score comment and verify parsing + summary
  • Test /vote escalate and /vote no-escalate quorum logic
  • Test /vote approve, /vote decline, /vote defer quorum logic
  • Verify approved-projects.json updates on approval
  • Test /retract and /vote retract flow
  • Run scripts/setup-labels.sh against agenticsorg/community-projects
  • Review workflow permissions (issues: write, contents: write)
  • Confirm quorum value (currently hardcoded to 3) is appropriate for committee size

Test plan

  1. Set up labels on fork: ./scripts/setup-labels.sh michaeloboyle/community-projects
  2. Open a test issue using the template on the fork
  3. Walk through the full lifecycle: score → escalation vote → validation vote → approval
  4. Test retraction flow on the approved issue
  5. Verify all edge cases: duplicate votes, invalid score formats, missing fields

🤖 Generated with Claude Code

Add GitHub issue template for project submissions, 6 workflows for
the full intake lifecycle (triage, scoring, escalation vote, validation
vote, approval registration, retraction), scoring template, label
setup script, and approved projects registry.

Implements the process defined in the Open Source Committee governance doc.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@michaeloboyle michaeloboyle left a comment


Security Audit — 16 Findings (2 Critical, 4 High, 5 Medium, 3 Low, 2 Info)

Merge Blockers

SEC-001/002 — CRITICAL: Shell Injection Pattern
approve-project.yml and retraction.yml use core.exportVariable() to set PROJECT_ID and ISSUE_NUMBER, then interpolate them in shell run: steps. While current values are safe (integers), this establishes a dangerous pattern. Use core.setOutput() and step outputs instead.

SEC-003 — HIGH: No Access Control on Voting
Any GitHub user who can comment can cast /vote approve, /score, etc. No verification of org membership, team membership, or author_association. Three burner accounts can approve any project. This alone should block merge.

Remediation: Check context.payload.comment.author_association or verify membership in an open-source-committee GitHub Team.

SEC-004 — HIGH: Direct Push to Main
approve-project.yml commits and pushes directly to the default branch, bypassing branch protection. Should create a PR instead, or at minimum respect branch protection rules.

SEC-005 — HIGH: Race Condition on Registry
Concurrent approvals/retractions will checkout the same approved-projects.json, and the second git push fails silently. Also causes duplicate project IDs (computed from registry.length + 1). Use issue number as ID and atomic file API.

SEC-006 — HIGH: Actions Not Pinned to SHA
All actions use mutable major version tags (@v4, @v7). Pin to full SHA hashes and add Dependabot for updates.

Pre-Production

SEC-007 — MEDIUM: Markdown Injection via User Input
User-controlled "Full Name" rendered directly in comments. Sanitize inputs before embedding.

SEC-008 — MEDIUM: DoS via Comment Spam
Every /vote comment triggers a full workflow run that paginates all comments and posts a tally. Add concurrency groups and rate limiting.

SEC-009 — MEDIUM: No JSON Schema Validation
Registry read/write has no schema validation. Malformed file crashes workflows.

SEC-010 — MEDIUM: Tie-Breaking Favors Approval
1-1-1 vote results in APPROVED. Use strict majority (> not >=), default to DEFERRED on ties.

SEC-011 — MEDIUM: Retraction Cannot Be Opposed
Only /vote retract exists, no /vote no-retract. 3 of 10 members can retract without opposition.

Backlog

SEC-012 — LOW: Submitter can vote on own submission
SEC-013 — LOW: Bot comments not filtered from tally; logic bug in escalation regex (line 284 double-negative)
SEC-014 — LOW: setup-labels.sh uses --force without confirmation, no input validation
SEC-015 — INFO: contents: write permission broader than necessary
SEC-016 — INFO: No immutable audit log; edited comments retain counted votes

Recommended Priority

Priority                Findings
Before merge            SEC-003, SEC-006, SEC-001, SEC-002
Before production use   SEC-004, SEC-005, SEC-008, SEC-010, SEC-011
Short term              SEC-007, SEC-009, SEC-012, SEC-013
Backlog                 SEC-014, SEC-015, SEC-016
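The voting controls the audit asks for (SEC-003 committee-only voting, SEC-010 strict majority with ties deferred, SEC-011 an opposing retraction vote, SEC-012 no self-votes, SEC-013 no bot votes, SEC-016 no credit for edited comments), written out as one tally routine in the style of an actions/github-script step. This is an added example, not code from the PR's workflows. Assumptions: committee membership is taken to mean an author_association of OWNER or MEMBER unless an explicit allowlist (for example the members of a GitHub Team) is passed in; the quorum of 3 is the PR's hardcoded value; the comment fields used (user.login, user.type, author_association, body, created_at, updated_at) are those of the GitHub REST issue-comment payload; the sample thread is constructed.

```javascript
// Added example (not the PR's code): a vote tally enforcing the audit's controls.
// In a workflow, `comments` would come from
// github.paginate(github.rest.issues.listComments, { owner, repo, issue_number }).

const DEFAULT_QUORUM = 3; // assumption: the PR's hardcoded quorum
// Assumption: committee == org owner/member. A stricter deployment passes an
// explicit `committee` allowlist (e.g. members of a GitHub Team).
const COMMITTEE_ASSOCIATIONS = new Set(["OWNER", "MEMBER"]);

const VALIDATION_CHOICES = ["approve", "decline", "defer"];
const RETRACTION_CHOICES = ["retract", "no-retract"]; // SEC-011: retraction can be opposed

// Parse "/vote <choice>" standing on its own line; anything else is not a vote.
function parseVote(body, choices) {
  const m = /^\s*\/vote\s+([a-z-]+)\s*$/im.exec(body || "");
  if (!m) return null;
  const choice = m[1].toLowerCase();
  return choices.includes(choice) ? choice : null;
}

function isEdited(c) {
  return Boolean(c.updated_at) && c.updated_at !== c.created_at;
}

// Returns per-choice counts, quorum status, the strict-majority winner (or null)
// and every vote command that was not counted together with the reason.
function tallyVotes({ comments, issueAuthor, choices, quorum = DEFAULT_QUORUM, committee = null }) {
  const ballots = new Map(); // login -> most recent valid vote
  const rejected = [];
  for (const c of comments) {
    const login = c.user && c.user.login;
    if (!login) continue;
    const choice = parseVote(c.body, choices);
    if (choice === null) continue; // ordinary discussion, not a vote
    let reason = null;
    if (c.user.type === "Bot" || login.endsWith("[bot]")) reason = "bot";                 // SEC-013
    else if (login === issueAuthor) reason = "issue author";                              // SEC-012
    else if (committee ? !committee.has(login)
                       : !COMMITTEE_ASSOCIATIONS.has(c.author_association)) reason = "not a committee member"; // SEC-003
    else if (isEdited(c)) reason = "edited after posting";                                // SEC-016
    if (reason) { rejected.push({ login, reason }); continue; }
    ballots.set(login, choice); // a later vote replaces an earlier one; never double-counted
  }
  const counts = Object.fromEntries(choices.map((k) => [k, 0]));
  for (const v of ballots.values()) counts[v] += 1;
  const total = ballots.size;
  const winner = choices.find((k) => counts[k] > total / 2) || null; // strict majority (SEC-010)
  return { counts, total, quorumMet: total >= quorum, winner, rejected };
}

// Validation vote: APPROVED/DECLINED only on a strict majority; a tie or a
// three-way split such as 1-1-1 is DEFERRED, never APPROVED.
function validationOutcome(tally) {
  if (!tally.quorumMet) return "PENDING";
  if (tally.winner === "approve") return "APPROVED";
  if (tally.winner === "decline") return "DECLINED";
  return "DEFERRED";
}

// Retraction vote: a project is retracted only when "retract" beats "no-retract" outright.
function retractionOutcome(tally) {
  if (!tally.quorumMet) return "PENDING";
  return tally.winner === "retract" ? "RETRACTED" : "NOT RETRACTED";
}

// Constructed sample thread on a submission opened by "dana".
const comment = (login, body, extra = {}) => ({
  user: { login, type: extra.type || "User" },
  author_association: extra.assoc || "MEMBER",
  body,
  created_at: "2026-03-17T10:00:00Z",
  updated_at: extra.updated_at || "2026-03-17T10:00:00Z",
});
const SAMPLE_COMMENTS = [
  comment("alice", "/vote approve"),
  comment("bob", "/vote approve"),
  comment("carol", "/vote approve", { assoc: "NONE" }),                    // drive-by account
  comment("dana", "/vote approve"),                                        // submitter voting on own project
  comment("review-bot[bot]", "/vote approve", { type: "Bot" }),
  comment("bob", "/vote decline"),                                         // changed mind: replaces, not adds
  comment("erin", "/vote defer"),
  comment("frank", "Looks good to me"),                                    // no command
  comment("gus", "/vote approve", { updated_at: "2026-03-17T11:00:00Z" }), // edited after posting
];

function demo() {
  const tally = tallyVotes({ comments: SAMPLE_COMMENTS, issueAuthor: "dana", choices: VALIDATION_CHOICES });
  return { ...tally, outcome: validationOutcome(tally) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

On the sample thread only alice, bob and erin count, giving 1-1-1 and DEFERRED; carol, dana, the bot and gus are listed in `rejected` with their reasons. From a github-script step, publish `outcome` with core.setOutput() and read it as a step output in later steps, which is the substitution SEC-001/002 ask for in place of core.exportVariable() plus shell interpolation. The registry race in SEC-005 is a separate problem that this tally does not address.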

michaeloboyle and others added 7 commits March 17, 2026 17:56
…lows

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…utput

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ct voting

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…gex, harden script

- SEC-013: Add bot filtering to validation-vote.yml vote tallying
- SEC-012: Exclude issue author from voting in validation-vote.yml
- SEC-014: Add repo format validation and confirmation prompt to setup-labels.sh

Note: escalation-vote.yml and retraction.yml fixes were applied in prior commits.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>