chore: add explicit accessibility and security PR checklists and align saved replies

[Copilot]

Chore Pull Request

This repository enforces changelog, release, and label automation for all PRs and issues.
See the organisation-wide Automation Governance & Release Strategy for required rules.

Linked issues

Summary

Adds explicit, consistent accessibility and security checklist content across PR templates, aligns supporting PR guidance documentation, and updates PR saved replies to match the new checklist/security baseline.

Changes

• Updated the default PR template and all typed PR templates in .github/PULL_REQUEST_TEMPLATE/ to replace generic A11y/security lines with explicit checklist items.
• Added concise accessibility checks covering:
  • semantic HTML and heading order
  • keyboard navigation and visible focus
  • ARIA only where needed
  • contrast and non-colour cues (WCAG 2.1 AA or higher)
• Added concise security checks covering:
  • validation/sanitisation of untrusted input
  • context-specific escaping
  • nonce/capability checks for privileged actions
  • secrets/sensitive data and OWASP risk review
• Updated .github/PULL_REQUEST_TEMPLATE/README.md to reflect the new checklist expectations.
• Updated .github/instructions/pull-requests.instructions.md and docs/PR_CREATION_PROCESS.md to keep wording and review expectations aligned.
• Updated .github/SAVED_REPLIES/pull-requests/security.md to align saved security guidance with the new explicit checklist and OWASP reference.
• Updated .github/SAVED_REPLIES/pull-requests/testing.md to remove outdated guidance links and point to current QA instructions.

Impact / Compatibility

• Runtime/behaviour changes: None expected
• Build/dev-experience impact: PR author/reviewer expectations are clearer and more consistent; saved replies now reflect current security/testing guidance.

Verification

• CI passes
• Local build and smoke tests
• Docs updated if developer-facing

Risk & Rollback

• Risk level: Low
• Rollback plan: Revert commits c173685 and 9214723.

Changelog

Added

• Explicit accessibility and security checklist blocks in PR templates.
• WCAG 2.1 AA+ and OWASP-aligned wording in PR guidance docs.
• Saved reply security guidance aligned to validation/sanitisation, escaping, and nonce/capability checks.

Changed

• Replaced generic checklist lines with actionable, standardised review items across templates.
• Aligned PR template documentation and PR creation guidance with the new checklist content.
• Updated testing saved replies to use current QA instruction links.

Fixed

• Reduced ambiguity and inconsistency in how accessibility and security review expectations are communicated in PRs.
• Removed outdated saved-reply links and aligned reviewer guidance with current repository standards.

Removed

• Generic checklist wording that lacked explicit accessibility/security validation steps.

---

Checklist (Global DoD / PR)

• All AC met and demonstrated
• Tests added/updated (unit/E2E as appropriate)
• Accessibility checklist completed (where relevant):
  • Semantic HTML and heading order verified
  • Keyboard navigation and visible focus states verified
  • ARIA used only where needed
  • Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher)
• Docs/readme/changelog updated (if user-facing)
• Security checklist completed (where relevant):
  • Untrusted input validated and sanitised
  • Output escaped for its rendering context
  • Privileged actions enforce nonce and capability checks
  • No secrets/sensitive data introduced; OWASP risks reviewed
• Code/design reviews approved
• CI green; linked issues closed; release notes prepared (if shipping)

---

Original prompt

could you restart the work for this PR

The user has attached the following file paths as relevant context:

• .github/instructions/plugin-structure.instructions.md
• .github/instructions/.archive/file-management.instructions.md
• .github/instructions/a11y.instructions.md
• .github/instructions/coding-standards.instructions.md
• .github/instructions/copilot-operations.instructions.md
• .github/instructions/file-organisation.instructions.md
• .github/instructions/labeling.instructions.md
• .github/instructions/self-explanatory-code-commenting.instructions.md
• .github/instructions/spec-driven-workflow.instructions.md
• .github/instructions/tasksync.instructions.md
• .github/copilot-instructions.md
• .github/copilot-instructions.md
• AGENTS.md
• AGENTS.md
• CLAUDE.md
• AGENTS.md
• CLAUDE.md
• AGENTS.md
• CLAUDE.md

Created from VS Code.

[ashleyshaw]

@copilot what is the status

[Copilot]

@copilot what is the status

Current status: I’ve restarted the PR workflow and revalidated the baseline.

• Latest commit on this branch is d88626a.
• npm test passes.
• npm run lint:md reports a pre-existing markdown lint issue in docs/FRONTMATTER_SCHEMA.md (line 823).
• No new file changes have been made yet; I’m waiting on the exact scope you want me to continue with in this PR.

[ashleyshaw]

@copilot I created a github issue here -#21

You created a pull request but never did anything - #333

I want you to proceed the #21 issue and working in the #333 PR, how do I get you to do that?

[Copilot]

@copilot I created a github issue here -#21

You created a pull request but never did anything - #333...

Give me one explicit instruction in this PR thread like:

@copilot implement issue #21 in this branch/PR #333. Start by posting a checklist, then make the code changes, run tests, and update the PR description.

Also include any must-haves (files to touch/avoid, acceptance criteria, and required tests). If you post that now, I can proceed directly on #333 against #21.

[ashleyshaw]

@copilot proceed wioth work

[Copilot]

@copilot proceed wioth work

Done — I’ve now proceeded with issue #21 in PR #333 in commit c173685.

Implemented:

• Added explicit accessibility checklist items across the default PR template and all typed PR templates.
• Added explicit security checklist items across the same templates.
• Aligned supporting docs in .github/instructions/pull-requests.instructions.md and docs/PR_CREATION_PROCESS.md with consistent WCAG 2.1 AA+ and OWASP wording.

Validation:

• npm test passed.
• Targeted markdown lint for changed files passed.
• Full npm run lint:md still reports the pre-existing unrelated trailing-space error in docs/FRONTMATTER_SCHEMA.md:823.
• Parallel validation passed (Code Review clean, CodeQL skipped as trivial docs-only change).

UI screenshot: no UI changes in this PR (documentation/templates only).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• coderabbit.ai
  • Triggering command: /usr/local/bin/node node /home/REDACTED/work/.github/.github/scripts/validation/validate-coderabbit-yml.cjs /home/REDACTED/work/.github/.github/scripts/validation/__fixtures__/valid-coderabbit.yml (dns block)
  • Triggering command: /usr/local/bin/node node /home/REDACTED/work/.github/.github/scripts/validation/validate-coderabbit-yml.cjs /home/REDACTED/work/.github/.github/scripts/validation/__fixtures__/invalid-coderabbit.yml (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[ashleyshaw]

@copilot is there anythign else you can do on this issue here -#21

[Copilot]

@copilot is there anythign else you can do on this issue here -#21

Yes — I’ve completed an extra follow-up pass for issue #21 in commit 9214723.

Additional work done:

• Updated .github/SAVED_REPLIES/pull-requests/security.md to align review guidance with the new explicit security checklist (validation/sanitisation, context escaping, nonce/capability checks, OWASP reference).
• Updated .github/SAVED_REPLIES/pull-requests/testing.md to fix outdated guidance links and point to current QA instructions.

Validation:

• Targeted markdown lint on changed files passed.
• npm test passed.
• Parallel validation passed (Code Review clean, CodeQL skipped as docs-only).

UI screenshot: N/A — no UI changes in this update.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• coderabbit.ai
  • Triggering command: /usr/local/bin/node node /home/REDACTED/work/.github/.github/scripts/validation/validate-coderabbit-yml.cjs /home/REDACTED/work/.github/.github/scripts/validation/__fixtures__/valid-coderabbit.yml (dns block)
  • Triggering command: /usr/local/bin/node node /home/REDACTED/work/.github/.github/scripts/validation/validate-coderabbit-yml.cjs /home/REDACTED/work/.github/.github/scripts/validation/__fixtures__/invalid-coderabbit.yml (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

@copilot why does git keep saying:

git apply --3way <<'EOF'...

You keep seeing that because this patch is not a full valid diff and the target changes are already in this branch.

In your snippet, the hunk ends with non-col... (truncated), so git apply --3way can’t parse/apply it cleanly.

Also, those exact lines are already present in:

• /home/runner/work/.github/.github/.github/PULL_REQUEST_TEMPLATE/README.md
• /home/runner/work/.github/.github/.github/PULL_REQUEST_TEMPLATE/pr_bug.md

So even with a complete patch, re-applying the same hunks can fail.

Quick checks:

• use the complete, untruncated patch file
• run git status and ensure a clean working tree
• run git apply --check <patchfile> first
• if changes already exist, skip git apply

UI screenshot: N/A — no UI changes.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[Copilot]

Pull request overview

This PR standardises pull request hygiene by replacing generic A11y/security prompts with explicit checklist items across all PR templates, and aligning supporting PR guidance docs and saved replies so authors and reviewers have a consistent baseline.

Changes:

• Replaced generic A11y/security checklist lines in the default + typed PR templates with explicit, actionable checklist items.
• Updated PR guidance docs to reference the new explicit accessibility and security baselines.
• Aligned PR saved replies for testing/security to point at current guidance and match the updated baseline.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 14 comments.

Show a summary per file

File	Description
docs/PR_CREATION_PROCESS.md	Adds explicit A11y/security checklist bullets to the PR authoring process.
.github/SAVED_REPLIES/pull-requests/testing.md	Updates testing saved reply links to current QA instructions.
.github/SAVED_REPLIES/pull-requests/security.md	Expands the security saved reply checklist and adds OWASP + baseline links.
.github/PULL_REQUEST_TEMPLATE/README.md	Documents that templates include explicit A11y/security checklists and updates usage guidance.
.github/PULL_REQUEST_TEMPLATE/pr_release.md	Replaces generic A11y/security line items with explicit checklist sub-items.
.github/PULL_REQUEST_TEMPLATE/pr_refactor.md	Replaces generic A11y/security line items with explicit checklist sub-items.
.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md	Replaces generic A11y/security line items with explicit checklist sub-items.
.github/PULL_REQUEST_TEMPLATE/pr_feature.md	Replaces generic A11y/security line items with explicit checklist sub-items.
.github/PULL_REQUEST_TEMPLATE/pr_docs.md	Replaces generic A11y/security line items with explicit checklist sub-items.
.github/PULL_REQUEST_TEMPLATE/pr_dep_update.md	Replaces generic A11y/security line items with explicit checklist sub-items.
.github/PULL_REQUEST_TEMPLATE/pr_ci.md	Replaces generic A11y/security line items with explicit checklist sub-items.
.github/PULL_REQUEST_TEMPLATE/pr_chore.md	Replaces generic A11y/security line items with explicit checklist sub-items.
.github/PULL_REQUEST_TEMPLATE/pr_bug.md	Replaces generic A11y/security line items with explicit checklist sub-items.
.github/pull_request_template.md	Updates the default PR template with explicit A11y/security checklist sub-items.
.github/instructions/pull-requests.instructions.md	Updates PR lifecycle guidance to include explicit A11y/security baseline expectations.

[ashleyshaw]

PR templates