Skip to content

Public release checklist

Use this checklist before making a Bestie repository public.

  • Decide canonical repo name and package name. Prefer bestie; avoid legacy ai-bestie unless intentionally kept for migration.
  • Add LICENSE.
  • Add public quickstart README.
  • Add CONTRIBUTING.md.
  • Add SECURITY.md.
  • Add CODE_OF_CONDUCT.md.
  • Add issue templates.
  • Add pull request template.
  • Add CI workflow.
  • Add Dependabot config.
  • Add .env.example with empty values only.
  • Ensure .gitignore excludes .bestie/, .env*, logs, databases, build outputs, and node_modules/.
  • Remove raw vendor notes, scraped docs, private planning notes, and local transcripts.
  • Run a secret scan before first push.
  • Run npm ci, npm run build, and npm test from a clean checkout.
  • Add CHANGELOG.md.
  • Add CODEOWNERS once maintainers are defined.
  • Enable GitHub secret scanning and push protection.
  • Enable Dependabot alerts and security updates.
  • Enable private vulnerability reporting.
  • Enable branch protection for main.
  • Create labels: bug, docs, good first issue, help wanted, security, privacy, telegram, memory, provider, mcp.
  • Create 3-5 good first issues before announcing publicly.
  • CodeQL workflow.
  • Release workflow.
  • npm publish workflow.
  • Docs site.
  • Community discussions.
  • Project board.
Terminal window
git status --short
git ls-files | rg '(^\.bestie/|\.env$|\.env\.|\.pem$|\.key$|\.sqlite$|\.db$|\.log$|raw|transcript)'
rg -n "(API_KEY|TOKEN|SECRET|PASSWORD|BEGIN (RSA|OPENSSH|PRIVATE)|sk-[A-Za-z0-9]|xox[baprs]-|ghp_|github_pat_|AIza)" -g '!node_modules' -g '!dist' -g '!package-lock.json'
npm ci
npm run build
npm test

Secret scans often catch placeholder names. Review hits manually and remove anything real.

Recommended public repo description:

Self-hosted AI companion CLI with local-first memory, Telegram support, and safety-minded tool permissions.

Recommended topics:

ai, cli, typescript, telegram-bot, local-first, llm, openai-compatible, privacy, mcp

Enable:

  • Issues
  • Dependabot alerts
  • Dependabot security updates
  • Secret scanning
  • Push protection
  • Private vulnerability reporting
  • Code scanning with CodeQL

Branch protection for main should require PR review, resolved conversations, passing status checks, block force pushes, and block branch deletion.