New Maintainer Onboarding (First 30 Days)
Welcome
A concise path to a healthy, secure, and welcoming project. Expect ~10–30 minutes for setup and one release cycle for validation.
- Week 1 — Foundations
  Baseline docs, labels, triage schedule, branch protections & required checks.
- Week 2 — Security & Releases
  SECURITY.md, embargo, signed releases, provenance & SBOM, Scorecard baseline.
- Week 3 — Community Routines
  Community call + notes, good-first-issues, review workflow & SLAs.
- Week 4 — Plan & Report
  90-day roadmap, project update, verify LFDT required processes.
Week 1 — Foundations
- Ensure GOVERNANCE.md, MAINTAINERS.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md exist and are linked from README
- Set up labels and a triage schedule
- Enable branch protections and required CI checks
Week 2 — Security & Releases
- Add SECURITY.md with private contact and embargo process
- Configure signed releases, provenance, and SBOM generation
- Run OpenSSF Scorecard; capture baseline and fix high-impact items
Week 3 — Community Routines
- Host/join a community call; publish notes
- Tag and mentor good first issue items
- Document PR review workflow and SLAs in CONTRIBUTING.md
Week 4 — Plan & Report
- Draft a 90-day lightweight roadmap and post it
- Publish a short project update (wins, risks, asks)
- Verify you meet LFDT required processes (updates, annual review, inactivity policy)
Quick Links
- Governance & roles → GOVERNANCE.md, MAINTAINERS.md
- Security policy → SECURITY.md
- Release process → Release checklist (Templates page)
- Community growth → Community playbook
Success Criteria
- Required docs present and discoverable
- CI protections enforced
- First signed release completed (or dry‑run)
- Scorecard baseline recorded
- Roadmap + update published
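
The Week 1 and Week 2 documentation items, and the "Required docs present and discoverable" criterion, can be checked mechanically. The script below is an added example, not part of the original page or any LFDT tooling. It assumes the docs sit in the repository root, the README is README.md, and links use Markdown syntax; the SECURITY.md contact and embargo checks are simple text heuristics.

```shell
#!/bin/sh
# Added example, not project tooling. Assumptions: docs sit in the repo root,
# the README is README.md, and links use Markdown [text](target) syntax.
REQUIRED_DOCS="GOVERNANCE.md MAINTAINERS.md CODE_OF_CONDUCT.md CONTRIBUTING.md SECURITY.md"

# check_docs REPO_DIR
# Prints one finding per line; the return status is the number of problems.
check_docs() {
    repo=$1
    readme="$repo/README.md"
    problems=0
    [ -f "$readme" ] || { echo "MISSING  README.md"; return 1; }

    for doc in $REQUIRED_DOCS; do
        # Escape dots so the file name is matched literally in the regex.
        doc_re=$(printf '%s' "$doc" | sed 's/\./\\./g')
        if [ ! -s "$repo/$doc" ]; then
            echo "MISSING  $doc (absent or empty)"
            problems=$((problems + 1))
        elif ! grep -Eq "\]\([^)]*$doc_re" "$readme"; then
            echo "UNLINKED $doc (no Markdown link in README.md)"
            problems=$((problems + 1))
        else
            echo "OK       $doc"
        fi
    done

    # Heuristics for the Week 2 item: SECURITY.md should name a private
    # contact (an e-mail address or URL) and describe an embargo process.
    sec="$repo/SECURITY.md"
    if [ -s "$sec" ]; then
        if ! grep -Eq '[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}|https?://' "$sec"; then
            echo "WEAK     SECURITY.md (no contact address or URL)"
            problems=$((problems + 1))
        fi
        if ! grep -qi 'embargo' "$sec"; then
            echo "WEAK     SECURITY.md (no embargo process)"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Usage: check_docs /path/to/repo || echo "onboarding docs incomplete"
```

Running it as a required CI check keeps the docs from silently disappearing or losing their README links after the first 30 days.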