diff --git a/.github/PULL_REQUEST_TEMPLATE/README.md b/.github/PULL_REQUEST_TEMPLATE/README.md index 93cbb1c6..641ba7ca 100644 --- a/.github/PULL_REQUEST_TEMPLATE/README.md +++ b/.github/PULL_REQUEST_TEMPLATE/README.md @@ -65,7 +65,7 @@ These templates integrate with: 1. **Template Selection**: Choose the template that best matches your PR type 2. **Required Fields**: Complete all required sections in the template 3. **Branch Naming**: Follow the [branching strategy](../docs/BRANCHING_STRATEGY.md) for automatic detection -4. **A11y & Security**: Complete the WCAG 2.1 AA+ and OWASP-aligned checklist items before review +4. **A11y & Security**: Complete the WCAG 2.2 AA and OWASP-aligned checklist items before review 5. **Automation**: Let the system handle labeling and assignment - avoid manual changes ## ⚠️ Important Notes diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_docs.md b/.github/PULL_REQUEST_TEMPLATE/pr_docs.md index 0ea35d86..4adaf5b9 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_docs.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_docs.md @@ -85,7 +85,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] Semantic HTML and heading order verified - [ ] Keyboard navigation and visible focus states verified - [ ] ARIA used only where needed - - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) + - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA) - [ ] Docs/readme/changelog updated (if user-facing) - [ ] Security checklist completed (where relevant): - [ ] Untrusted input validated and sanitised diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_feature.md b/.github/PULL_REQUEST_TEMPLATE/pr_feature.md index 24ba1915..9bf39ec2 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_feature.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_feature.md 
@@ -68,7 +68,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] Semantic HTML and heading order verified - [ ] Keyboard navigation and visible focus states verified - [ ] ARIA used only where needed - - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) + - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA or higher) - [ ] Docs/readme/changelog updated (if user-facing) - [ ] Security checklist completed (where relevant): - [ ] Untrusted input validated and sanitised diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md b/.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md index e7b4b421..2c214466 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_hotfix.md @@ -75,7 +75,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] Semantic HTML and heading order verified - [ ] Keyboard navigation and visible focus states verified - [ ] ARIA used only where needed - - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) + - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA) - [ ] Docs/readme/changelog updated (if user-facing) - [ ] Security checklist completed (where relevant): - [ ] Untrusted input validated and sanitised diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_refactor.md b/.github/PULL_REQUEST_TEMPLATE/pr_refactor.md index 7bfc8b9d..5efb702c 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_refactor.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_refactor.md 
@@ -97,7 +97,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] Semantic HTML and heading order verified - [ ] Keyboard navigation and visible focus states verified - [ ] ARIA used only where needed - - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) + - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA) - [ ] Docs/readme/changelog updated (if user-facing) - [ ] Security checklist completed (where relevant): - [ ] Untrusted input validated and sanitised diff --git a/.github/PULL_REQUEST_TEMPLATE/pr_release.md b/.github/PULL_REQUEST_TEMPLATE/pr_release.md index dd5d3d4c..94260017 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pr_release.md +++ b/.github/PULL_REQUEST_TEMPLATE/pr_release.md @@ -70,7 +70,7 @@ If no user-facing changelog entry is needed, apply the skip-changelog label to t - [ ] Semantic HTML and heading order verified - [ ] Keyboard navigation and visible focus states verified - [ ] ARIA used only where needed - - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) + - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA) - [ ] Docs/readme/changelog updated (if user-facing) - [ ] Security checklist completed (where relevant): - [ ] Untrusted input validated and sanitised diff --git a/.github/SAVED_REPLIES/pull-requests/security.md b/.github/SAVED_REPLIES/pull-requests/security.md index 1e499aea..6240799e 100644 --- a/.github/SAVED_REPLIES/pull-requests/security.md +++ b/.github/SAVED_REPLIES/pull-requests/security.md 
@@ -17,14 +17,16 @@ Thank you for your contribution! Since this PR touches security-sensitive areas **Checklist:** -- [ ] Validate and sanitize all user input +- [ ] Validate and sanitise all untrusted input +- [ ] Escape output for the correct rendering context +- [ ] Enforce nonce and capability checks for privileged actions - [ ] Avoid exposing secrets or sensitive data -- [ ] Follow least privilege for permissions and tokens - [ ] Add or update security tests if appropriate **Resources:** -- [Security Guidelines](.github/instructions/security.md) +- [PR Security Baseline](../../instructions/pull-requests.instructions.md#6-pr-review--lifecycle) +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) If you have questions about security best practices, please ask! ``` @@ -41,7 +43,9 @@ Thank you for your PR. We've identified a potential security vulnerability in th **What to Address:** - Ensure no secrets or credentials are exposed -- Validate all user input and outputs +- Validate and sanitise untrusted input +- Escape output for the correct rendering context +- Add nonce/capability checks where privileged actions are involved - Avoid command injection, directory traversal, or similar risks Once these concerns are addressed, let us know so we can proceed with merging. diff --git a/.github/SAVED_REPLIES/pull-requests/testing.md b/.github/SAVED_REPLIES/pull-requests/testing.md index 0be4b217..7f504c6c 100644 --- a/.github/SAVED_REPLIES/pull-requests/testing.md +++ b/.github/SAVED_REPLIES/pull-requests/testing.md @@ -19,7 +19,7 @@ Thank you for your contribution! Before we can merge this PR, we need to ensure - Add or update automated tests to cover your changes - Tests should verify both typical use and edge cases -- Please follow our [testing guidelines](.github/instructions/bats-tests-and-runner-scripts.md) +- Please follow our [testing guidelines](../../instructions/quality-assurance.instructions.md) **Checklist:** 
@@ -48,7 +48,7 @@ Thanks for including tests in this PR! There are a few ways we can improve test **Resources:** -- [Testing Guidelines](.github/instructions/bats-tests-and-runner-scripts.md) +- [Quality Assurance Instructions](../../instructions/quality-assurance.instructions.md) If you have questions about these suggestions, let us know! ``` diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index fbcb61cd..f78021f0 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -141,7 +141,7 @@ Include: - [ ] Semantic HTML and heading order verified - [ ] Keyboard navigation and visible focus states verified - [ ] ARIA used only where needed - - [ ] Contrast and non-colour cues reviewed (WCAG 2.1 AA or higher) + - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA) - [ ] Docs/readme/changelog updated (if user-facing) - [ ] Security checklist completed (where relevant): - [ ] Untrusted input validated and sanitised diff --git a/docs/PR_CREATION_PROCESS.md b/docs/PR_CREATION_PROCESS.md index 310c8254..76127b7e 100644 --- a/docs/PR_CREATION_PROCESS.md +++ b/docs/PR_CREATION_PROCESS.md @@ -114,7 +114,7 @@ Each PR template includes a checklist. Ensure you: - [ ] Ran all tests and linters - [ ] Updated documentation (if needed) - [ ] Added/updated tests -- [ ] Completed accessibility checks (semantic structure, keyboard/focus, ARIA only when needed, contrast/non-colour cues; WCAG 2.1 AA or higher) +- [ ] Completed accessibility checks (semantic structure, keyboard/focus, ARIA only when needed, contrast/non-colour cues; WCAG 2.2 AA) - [ ] Completed security checks (validation/sanitisation, context-specific escaping, nonce/capability checks where relevant, and OWASP risk review) - [ ] Linked issues - [ ] Provided screenshots or video (for UI changes)
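Review bot: in the pr_feature.md hunk the replacement line keeps the "or higher" qualifier (`+ - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA or higher)`) while the parallel hunks in pr_docs.md, pr_hotfix.md, pr_refactor.md, pr_release.md, pull_request_template.md and PR_CREATION_PROCESS.md all drop it to a plain `(WCAG 2.2 AA)`, and the README hunk also changes `AA+` to `AA`; pick one wording for every template so the checklists state the same target, e.g. `+ - [ ] Contrast and non-colour cues reviewed (WCAG 2.2 AA)`.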
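Review bot: the first security.md hunk deletes `- [ ] Follow least privilege for permissions and tokens` without a replacement, so the saved reply no longer mentions least privilege anywhere; the new `Enforce nonce and capability checks for privileged actions` item covers authorisation of an action, not the scope of the permissions or tokens the change requests, so either keep the deleted line or state in the PR why it is being dropped. The new resource link `../../instructions/pull-requests.instructions.md#6-pr-review--lifecycle` is also worth a second look: it sits inside the fenced reply text that maintainers paste into PR comments, where a repository-relative path has nothing to resolve against, so it will not render as a working link in the comment; an absolute URL to the file (or to the rendered instructions page) would.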