This page collects the public evidence that oss-signal is built for real open-source maintainer workflows.
Last verified: 2026-06-05T16:02:53Z
oss-signal audits repository maintenance readiness and returns a score with concrete next steps. It is aimed at work maintainers actually do: documenting contribution paths, setting support boundaries, keeping CI visible, collecting useful issue context, and making security reporting easier.
The CLI supports two practical modes:
It also ships as a GitHub Action, so maintainers can gate repository hygiene in CI, show the result in the GitHub Actions step summary, upload a Markdown report as a workflow artifact, run inventory reports, and upload failed maintainer-readiness checks as SARIF for GitHub Code Scanning. This repository dogfoods the public Action tag through the Repository health and Repository inventory workflows.
The maintainer playbook documents the end-to-end workflow from audit to issue, pull request, CI gate, and Code Scanning evidence. The release process documents pre-release verification, tag consistency, npm publish checks, and post-release smoke tests.
The post-submission update records why the current npm package and Action tag may be newer than the version referenced during application submission.
The npm package is publicly available as oss-signal@0.8.4 with latest pointing at 0.8.4.
The npm downloads API returned 356 downloads for both last-week and last-month windows on 2026-06-05. Download counts can lag publication, so this is treated as supporting evidence rather than proof of broad adoption.
Clean-directory package execution returned:
```json
{
  "version": "0.8.4"
}
```
Local self-audit returned score 100, grade A. A clean unauthenticated public GitHub API smoke test was blocked by GitHub API 403 rate limiting during this verification pass, so the public GitHub-mode evidence is the successful GitHub Actions runs that use the public v0.8.4 Action tag with GITHUB_TOKEN.
Current public workflow status:
- main pushes and a weekly schedule, with JSON artifact output and public Scorecard publishing
- v0.8.4 available as the current Action tag
- CITATION.cff is present for the repository citation UI
- `--format json`
- main branch protection, private vulnerability reporting, dependency graph, automatic dependency submission, Dependabot alerts/security updates/grouped updates/malware alerts, secret scanning, and push protection are enabled

The npm registry returned 0.8.4 for both the package version and latest dist-tag on 2026-06-05T16:02:53Z. A clean install smoke test returned version 0.8.4. The 2026-06-05 download check returned 356 downloads for the last-week and last-month windows.
The public repository https://github.com/SalmonPlays/oss-signal-adoption-demo runs SalmonPlays/oss-signal@v0.8.4 from a separate workflow file:
- oss-signal-adoption-demo-report, containing oss-signal-report.md, oss-signal.sarif, maintainer-follow-up.md, and oss-signal-trial.yml

This is not claimed as independent third-party adoption because the repository is owned by SalmonPlays. It is evidence that a public Action tag works outside the main repository and can publish Markdown, SARIF, and Issue-ready maintainer-readiness reports from another public workflow. The demo workflow is refreshed after each release when the new tag is available.
The tool has been used to generate maintainer-readiness reports for public repositories and convert them into respectful cleanup issues:
| Repository | Report | Posted issue | Follow-up PR | Status |
|---|---|---|---|---|
| platformatic/massimo | report | https://github.com/platformatic/massimo/issues/159 | https://github.com/platformatic/massimo/pull/160 | open, mergeable |
| supermarkt/checkjebon | report | https://github.com/supermarkt/checkjebon/issues/22 | https://github.com/supermarkt/checkjebon/pull/23 | open, mergeable |
| sammorrisdesign/interactive-feed | report | https://github.com/sammorrisdesign/interactive-feed/issues/14 | https://github.com/sammorrisdesign/interactive-feed/pull/15 | open, mergeable |
| flox/install-flox-action | report | https://github.com/flox/install-flox-action/issues/204 | https://github.com/flox/install-flox-action/pull/205 | open, mergeable |
| Grovanni/oss-signal | report | https://github.com/Grovanni/oss-signal/issues/1 | N/A | open |
| noctemlabs/signal-oss | report | N/A | https://github.com/noctemlabs/signal-oss/pull/12 | open, mergeable |
| Divyesh-5981/signal-oss | report | https://github.com/Divyesh-5981/signal-oss/issues/5 | N/A | open |
These issues and pull requests are evidence of the intended maintainer workflow: run a deterministic audit, explain the missing signals, and give maintainers a small set of actionable improvements. Each PR is intentionally limited to documentation, GitHub templates, or a minimal CI workflow.
Prepared but not yet posted outreach candidates are tracked separately in outreach/peer-shortlist-2026-06.md and outreach. This prevents candidate research from being overstated as real external maintainer engagement.
The workflow now includes plan-output.md, which converts audit findings into a PR-sized sequence before a contributor posts externally. The example examples/github-plan.md uses the Grovanni/oss-signal field audit and shows suggested files plus acceptance criteria.
Additional focused external contribution:
- icoretech/codex-action: https://github.com/icoretech/codex-action/pull/24 was merged on 2026-06-04 and updates Codex Action README examples so generated output is routed through environment variables before shell printing. The maintainer merge comment is public at https://github.com/icoretech/codex-action/pull/24#issuecomment-4623923361.

The five field-audit follow-up PRs were still open when checked from GitHub on 2026-06-05T09:57:04Z. The Divyesh issue was posted on 2026-06-05T04:18:46Z and is not claimed as adoption unless the maintainer replies or acts. Open PRs are not claimed as accepted adoption unless a maintainer merges, replies, or otherwise endorses them.
The project now has labeled good-first-issue routes for outside contributors:
The repository also includes a GitHub Discussions category form for structured rule feedback, Action usage questions, and maintainer workflow adoption notes. The issue templates include adoption, trial-feedback, and maintainer-audit forms so users can share workflow-run evidence, neutral maintainer feedback, or report discussion without inventing the format.
Current public roadmap evidence:
From this repository:
```sh
npm run check
npm run audit:github
node src/cli.js . --format sarif --output docs/examples/self-audit.sarif
node src/cli.js --inventory docs/examples/inventory-targets.txt --format markdown --output docs/examples/inventory-report.md
node src/cli.js platformatic/massimo --format json
npm exec --yes --package=oss-signal@0.8.4 -- oss-signal --version
```
The current repository self-audit score is 100/100, the GitHub community profile health score is 100, and CI verifies the local GitHub Action wrapper. The public v0.8.4 Action tag is used by the repository health workflow for Markdown and SARIF output. The published npm 0.8.4 package has also been executed from a clean temporary directory, returning version 0.8.4.
Public CI evidence:
oss-signal does not claim that a repository is high quality or widely adopted. It measures maintainability signals that are visible in repository files and GitHub community profile metadata.